[noise] Preferring 64bit nonces
Trevor Perrin
trevp at trevp.net
Mon Jul 20 11:51:58 PDT 2015
On Mon, Jul 20, 2015 at 5:43 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi,
>
> Since we're padding 32bits of the 96bit nonce with zeros, there's
> basically no difference between using the IETF 96bit nonce and the
> original 64bit nonce, except the latter allows much bigger messages.
We limit payloads to 4 GB, so there's no difference.
> As pointed out elsewhere, they're basically compatible with each
> other. A few minutes ago I just finished "downgrading" my RFC chapoly
> implementation to the old style 64bit nonce one, and the result
> everywhere in my codebase is that things are much much much simpler
> and neater. Unless there are plans down the line to actually use those
> top 32bits, it seems like it'd be much neater to specify a 64bit
> nonce, and the include the note in the other direction ("if you're
> using the IETF's 96bit nonce, just zero out the top 32bits"). What do
> you think?
I expect the RFC 7539 version to make its way into TLS and OpenSSL and
become more widely available, eventually, which is why I used that
version.
But it should be easy to use the older ChaChaPoly version if that's
what your library has, and I hope the spec is clear enough about that.
Trevor
More information about the Noise
mailing list