diff --git a/include/psa/crypto_compat.h b/include/psa/crypto_compat.h
index 04a4f30c8..5dabbd25f 100644
--- a/include/psa/crypto_compat.h
+++ b/include/psa/crypto_compat.h
@@ -337,10 +337,11 @@ MBEDTLS_PSA_DEPRECATED static inline psa_status_t psa_asymmetric_verify( psa_key
  *                            algorithm.
  *                            If the AEAD algorithm is not recognized, return 0.
  */
-#define PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG( alg, ciphertext_length ) \
-    MBEDTLS_DEPRECATED_CONSTANT( size_t,                             \
-        PSA_ALG_IS_AEAD( alg ) ?                                     \
-        (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH( alg ) :   \
+#define PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG( alg, ciphertext_length )   \
+    MBEDTLS_DEPRECATED_CONSTANT( size_t,                               \
+        PSA_ALG_IS_AEAD( alg ) &&                                      \
+            (ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH( alg ) ? \
+            (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH( alg ) : \
         0 )
 
 /** A sufficient output buffer size for psa_aead_update().
diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
index 709ae6ec9..b56b34645 100644
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@@ -323,8 +323,9 @@
  *                            return 0.
  */
 #define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \
-    (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                       \
-     (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :          \
+    (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&                      \
+         (ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH(alg) ?      \
+         (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :      \
      0)
 
 /** A sufficient output buffer size for psa_aead_decrypt(), for any of the