<p dir="ltr"><br>
On Aug 31, 2015 3:55 PM, "Trevor Perrin" <<a href="mailto:trevp@trevp.net">trevp@trevp.net</a>> wrote:<br>
><br>
> On Mon, Aug 31, 2015 at 9:38 AM, Jason A. Donenfeld <<a href="mailto:Jason@zx2c4.com">Jason@zx2c4.com</a>> wrote:<br>
> > Nonces for transport messages begin at 1, not at 0! This is because I take<br>
> > advantage of x86 primitives for "increment and return" as an atomic<br>
> > operation, so I don't need locks for preventing nonce-reuse.<br>
><br>
> Why are 1-based nonces better than 0-based nonces, on x86?</p>
<p dir="ltr">It just allows me to initialize the nonce at zero, and then when encrypting, call "increment and return" as opposed to "return and increment". There are various "programming things" that can work around this, but it makes the code marginally less obvious and clear cut. So, I'm opting for the atomic "increment and return" plus straightforwardness of the code, rather than zero-based nonces.</p>