The plaintext length is ciphertext.len() - 16, and it will be decrypted in-place at the front
of ciphertext. If authentication succeeds, this function returns the plaintext as a slice. If
authentication fails, or if the ciphertext is shorter than TAG_LEN, it returns Err(()).
plaintext_and_tag contains the plaintext plus TAG_LEN extra bytes at the end. The plaintext
is encrypted in-place, and the auth tag is written to the extra bytes. The initial contents of
the extra bytes are ignored.