[noise] Preferring 64bit nonces

Jason A. Donenfeld Jason at zx2c4.com
Mon Jul 20 05:43:44 PDT 2015


Hi,

Since we're padding 32bits of the 96bit nonce with zeros, there's
basically no difference between using the IETF 96bit nonce and the
original 64bit nonce, except the latter allows much bigger messages.
As pointed out elsewhere, they're basically compatible with each
other. A few minutes ago I just finished "downgrading" my RFC chapoly
implementation to the old style 64bit nonce one, and the result
everywhere in my codebase is that things are much much much simpler
and neater. Unless there are plans down the line to actually use those
top 32bits, it seems like it'd be much neater to specify a 64bit
nonce, and then include the note in the other direction ("if you're
using the IETF's 96bit nonce, just zero out the top 32bits"). What do
you think?

Jason
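
The compatibility described in the message above, shown on the ChaCha20 initial state as an added example; it is not code from the original post or from any Noise implementation. The function names are hypothetical, and the zero padding is assumed to occupy the first four bytes of the 96-bit nonce, which is where it lands in state word 13.

```c
#include <stdint.h>
#include <string.h>

/* Load a 32-bit little-endian word. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Words 0..11 (constants and key) are identical in both variants. */
static void init_common(uint32_t st[16], const uint8_t key[32]) {
    static const uint8_t sigma[] = "expand 32-byte k";
    for (int i = 0; i < 4; i++) st[i] = le32(sigma + 4 * i);
    for (int i = 0; i < 8; i++) st[4 + i] = le32(key + 4 * i);
}

/* Original ChaCha20: 64-bit block counter (words 12-13), 64-bit nonce (14-15). */
void state_orig(uint32_t st[16], const uint8_t key[32],
                const uint8_t nonce[8], uint64_t counter) {
    init_common(st, key);
    st[12] = (uint32_t)counter;
    st[13] = (uint32_t)(counter >> 32);
    st[14] = le32(nonce);
    st[15] = le32(nonce + 4);
}

/* IETF ChaCha20: 32-bit block counter (word 12), 96-bit nonce (words 13-15). */
void state_ietf(uint32_t st[16], const uint8_t key[32],
                const uint8_t nonce[12], uint32_t counter) {
    init_common(st, key);
    st[12] = counter;
    for (int i = 0; i < 3; i++) st[13 + i] = le32(nonce + 4 * i);
}

/* Returns 1 when the zero-prefixed 96-bit nonce gives the same state
 * as the 64-bit nonce at this block counter, 0 otherwise. */
int states_match(const uint8_t key[32], const uint8_t n64[8], uint64_t counter) {
    uint32_t a[16], b[16];
    uint8_t n96[12] = {0};   /* first 4 bytes stay zero (assumed padding position) */
    memcpy(n96 + 4, n64, 8);
    state_orig(a, key, n64, counter);
    state_ietf(b, key, n96, (uint32_t)counter);  /* IETF counter is only 32 bits */
    return memcmp(a, b, sizeof a) == 0;
}
```

The two states are identical for every block counter below 2^32 and diverge at 2^32, which is the point where the 32-bit counter wraps and the message-size limit of the 96-bit form is reached.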

