[noise] Variable-length handshake payloads?

David Fifield david at bamsoftware.com
Wed Dec 12 13:37:34 PST 2018


On Wed, Dec 12, 2018 at 02:28:40PM -0700, David Fifield wrote:
> > Below is a possible workaround that is a deviation from the spec. Here is what
> > it looks on the write side:
> > 
> > ---begin pseudocode---
> > Let:
> >   payload be a variable-length byte sequence
> >   zerolen be a zero-length byte sequence
> > 
> > // encrypt a blank, sort of like in REKEY()
> > lengthObfuscator = EncryptAndHash(zerolen)
> 
> This seems to be a bug. I think you want to be encrypting a fixed-length
> string of zeros, not a zero-length string. EncryptAndHash("") is defined
> to return "".
> https://noiseprotocol.org/noise.html#the-cipherstate-object
> 	EncryptWithAd(ad, plaintext): If k is non-empty returns
> 	ENCRYPT(k, n++, ad, plaintext). Otherwise returns plaintext.
> https://noiseprotocol.org/noise.html#the-symmetricstate-object
> 	EncryptAndHash(plaintext): Sets ciphertext = EncryptWithAd(h,
> 	plaintext), calls MixHash(ciphertext), and returns ciphertext.
> 	Note that if k is empty, the EncryptWithAd() call will set
> 	ciphertext equal to plaintext.

Sorry, this is my mistake. EncryptAndHash("") will return a 16-byte
authentication tag, not an empty string. Nevertheless, the REKEY
operation is encrypting a 32-byte string of zeros, not an empty string
(the empty string is the ad parameter).
https://noiseprotocol.org/noise.html#cipher-functions


More information about the Noise mailing list