[noise] 5.8. Deriving a new session

Trevor Perrin trevp at trevp.net
Sun Jul 5 17:57:49 PDT 2015


On Sun, Jul 5, 2015 at 5:22 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Sun, Jul 5, 2015 at 8:17 AM, Trevor Perrin <trevp at trevp.net> wrote:
>> Yes, fixed.
>
> Thanks. Some other questions on the nonce. You specify 32 bits of 0s
> and 64 bits of counter. I'm going to be transmitting my nonce
> alongside each ciphertext, due to UDP, and allowing out-of-order
> packets within a certain range of the greatest received nonce. Given
> that, two questions:
>
> 1. Since I'm going to be transmitting the nonce anyway, might there be
> any advantage of filling those 32 bits with random bits instead of 0s?

I'm not sure how that would work; remember the nonce can be set
explicitly based on 64 bits.  Anyways, the nonce just needs to be
unique, randomizing those bits adds complexity but little benefit.


> Perhaps it protects against potential bugs in counter reuse?
> 2. Can the nonce be considered authenticated, if the AE (ChaPoly)
> successfully decrypts/authenticates?

Successful decryption indicates the encryptor knew the same key + nonce.

You could put your explicit nonce in the prologue to get additional
authentication, but it's not necessary.

Trevor
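The nonce layout and receive-side behaviour discussed in this exchange, as an added example that is not part of the thread and not Noise project code: the 12-byte ChaCha20-Poly1305 nonce is built as 32 zero bits followed by a 64-bit counter, the counter is transmitted explicitly and recovered by the receiver, and a bitmap sliding window accepts out-of-order packets within a fixed distance of the greatest counter seen while rejecting replays. The function and class names, the 64-entry window size, the little-endian counter encoding and the `aead_ok` stand-in for the library's AEAD open call are this example's assumptions. Relevant to the second question: the window is only advanced after the tag verifies, so a forged packet carrying a fresh-looking nonce cannot poison it.

```python
from typing import Optional

# Added example (not from the mailing-list thread): explicit-nonce handling for a
# ChaCha20-Poly1305 transport that tolerates out-of-order packets.
# Assumptions: little-endian counter, 64-entry window, names chosen here.

MAXNONCE = 2**64 - 1      # the Noise spec reserves this counter value; treat it as exhausted
ZERO_PREFIX = b"\x00" * 4  # the 32 zero bits that precede the counter


def encode_nonce(counter: int) -> bytes:
    """32 zero bits || 64-bit little-endian counter (12 bytes total)."""
    if not 0 <= counter < MAXNONCE:
        raise ValueError("counter exhausted; rekey instead of reusing a nonce")
    return ZERO_PREFIX + counter.to_bytes(8, "little")


def decode_nonce(nonce: bytes) -> int:
    """Recover the counter from a transmitted nonce; reject any other layout."""
    if len(nonce) != 12 or nonce[:4] != ZERO_PREFIX:
        raise ValueError("malformed nonce")
    counter = int.from_bytes(nonce[4:], "little")
    if counter >= MAXNONCE:
        raise ValueError("reserved counter value")
    return counter


class ReplayWindow:
    """Bitmap sliding window (IPsec / RFC 6479 style) over packet counters.

    check() is read-only; update() is called only after the AEAD tag has
    verified, so an unauthenticated packet can never move the window.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = -1   # highest counter accepted so far
        self.bitmap = 0     # bit i set  <=>  counter (highest - i) was accepted

    def check(self, counter: int) -> bool:
        if counter > self.highest:
            return True
        behind = self.highest - counter
        if behind >= self.size:
            return False    # too old to track: drop rather than risk a replay
        return not (self.bitmap >> behind) & 1

    def update(self, counter: int) -> None:
        if counter > self.highest:
            shift = counter - self.highest
            self.bitmap = ((self.bitmap << shift) & self.mask) | 1
            self.highest = counter
        else:
            self.bitmap |= 1 << (self.highest - counter)


def receive(window: ReplayWindow, nonce: bytes, aead_ok: bool) -> Optional[int]:
    """Receiver-side order of operations for one packet.

    `aead_ok` stands in for the result of the ChaCha20-Poly1305 open call,
    which this example leaves to a crypto library. Returns the accepted
    counter, or None if the packet was dropped.
    """
    counter = decode_nonce(nonce)
    if not window.check(counter):
        return None         # replay or outside the window: drop before decrypting
    if not aead_ok:
        return None         # bad tag: must not touch the window
    window.update(counter)
    return counter
```

Because successful decryption only proves the sender knew the same key and nonce, the receiver in `receive` trusts the transmitted counter solely for window bookkeeping, and only after the tag check passes; that is the property Trevor describes, without needing the nonce in the prologue.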
