[noise] 5.8. Deriving a new session

Jason A. Donenfeld Jason at zx2c4.com
Sun Jul 5 17:22:29 PDT 2015


On Sun, Jul 5, 2015 at 8:17 AM, Trevor Perrin <trevp at trevp.net> wrote:
> Yes, fixed.

Thanks. Some other questions on the nonce. You specify 32 bits of 0s
and 64 bits of counter. I'm going to be transmitting my nonce
alongside each ciphertext, due to UDP, and allowing out-of-order
packets within a certain range of the greatest received nonce. Given
that, two questions:

1. Since I'm going to be transmitting the nonce anyway, might there be
any advantage of filling those 32 bits with random bits instead of 0s?
Perhaps it protects against potential bugs in counter reuse?
2. Can the nonce be considered authenticated, if the AE (ChaPoly)
successfully decrypts/authenticates? I read Rogaway write this in his
AEZ paper, but I wasn't sure if that was specific to AEZ's robustness
or if it's a general trait of all AE constructions.
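
The receive-side handling described in the message above, sketched as an added example (not part of the original post and not code from any Noise implementation): a 96-bit nonce built from 32 zero bits plus a 64-bit counter, and a sliding window that accepts out-of-order counters within range of the greatest one received. The 64-packet window, the little-endian counter encoding, and the names `ReplayWindow`, `nonce_bytes` and `receive` are assumptions; `tag_ok` stands in for the result of the AEAD decryption.

```python
import struct

WINDOW = 64  # assumed size; the post only says "a certain range"

def nonce_bytes(counter):
    """96-bit nonce: 32 zero bits, then the 64-bit counter (little-endian assumed)."""
    return b"\x00" * 4 + struct.pack("<Q", counter)

class ReplayWindow:
    def __init__(self):
        self.greatest = -1  # greatest counter authenticated so far
        self.bitmap = 0     # bit i set => counter (greatest - i) already seen

    def would_accept(self, counter):
        """Cheap pre-check, run before spending time on AEAD decryption."""
        if counter > self.greatest:
            return True
        offset = self.greatest - counter
        if offset >= WINDOW:
            return False                          # older than the window
        return not (self.bitmap >> offset) & 1    # duplicate inside the window

    def commit(self, counter):
        """Record a counter. Call only after the AEAD tag has verified."""
        if counter > self.greatest:
            shift = counter - self.greatest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.greatest = counter
        else:
            self.bitmap |= 1 << (self.greatest - counter)

def receive(window, counter, tag_ok):
    """tag_ok: outcome of AEAD decryption under nonce_bytes(counter)."""
    if not window.would_accept(counter):
        return "drop-replay"
    if not tag_ok:
        return "drop-forged"   # window untouched by unauthenticated counters
    window.commit(counter)
    return "accept"

if __name__ == "__main__":
    w = ReplayWindow()
    # Constructed sample traffic: (counter, whether the AEAD tag verified)
    for ctr, ok in [(0, True), (5, True), (3, True), (3, True), (1000, False)]:
        print(ctr, nonce_bytes(ctr).hex(), receive(w, ctr, ok))
```

Updating the window only after authentication succeeds keeps a forged packet carrying a large counter from sliding the window forward and causing later genuine packets to be dropped.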

