diff --git a/crypto/crypto.go b/crypto/crypto.go
index 3e7aedf07..4a1a66bed 100644
--- a/crypto/crypto.go
+++ b/crypto/crypto.go
@@ -276,11 +276,6 @@ func Decrypt(ks *Key, plaintext []byte, ciphertextWithMac []byte) ([]byte, error
 		panic("trying to decrypt invalid data: ciphertext too small")
 	}
 
-	if cap(plaintext) < len(ciphertextWithMac) {
-		// extend plaintext
-		plaintext = append(plaintext, make([]byte, len(ciphertextWithMac)-cap(plaintext))...)
-	}
-
 	// extract mac
 	l := len(ciphertextWithMac) - macSize
 	ciphertextWithIV, mac := ciphertextWithMac[:l], ciphertextWithMac[l:]
@@ -293,6 +288,11 @@ func Decrypt(ks *Key, plaintext []byte, ciphertextWithMac []byte) ([]byte, error
 	// extract iv
 	iv, ciphertext := ciphertextWithIV[:ivSize], ciphertextWithIV[ivSize:]
 
+	if cap(plaintext) < len(ciphertext) {
+		// extend plaintext
+		plaintext = append(plaintext, make([]byte, len(ciphertext)-cap(plaintext))...)
+	}
+
 	// decrypt data
 	c, err := aes.NewCipher(ks.Encrypt[:])
 	if err != nil {
diff --git a/crypto/crypto_test.go b/crypto/crypto_test.go
index 321461a46..8468b6c0f 100644
--- a/crypto/crypto_test.go
+++ b/crypto/crypto_test.go
@@ -107,10 +107,10 @@ func TestCornerCases(t *testing.T) {
 		"wrong length returned for ciphertext, expected 0, got %d",
 		len(c))
 
-	// this should decrypt to an empty slice
+	// this should decrypt to nil
 	p, err := crypto.Decrypt(k, nil, c)
 	OK(t, err)
-	Equals(t, []byte{}, p)
+	Equals(t, []byte(nil), p)
 
 	// test encryption for same slice, this should return an error
 	_, err = crypto.Encrypt(k, c, c)