[noise] Boiled down noise implementation spec

Trevor Perrin trevp at trevp.net
Mon Aug 31 16:26:57 PDT 2015


On Mon, Aug 31, 2015 at 3:41 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> On Aug 31, 2015 3:55 PM, "Trevor Perrin" <trevp at trevp.net> wrote:
>>
>> Why are 1-based nonces better than 0-based nonces, on x86?
>
> It just allows me to initialize the nonce at zero, and then when encrypting,
> call "increment and return" as opposed to "return and increment". There are
> various "programming things" that can work around this, but it makes the
> code marginally less obvious and clear cut. So, I'm opting for the atomic
> "increment and return" plus straightforwardness of the code, rather than
> zero-based nonces.

You could initialize n to -1 but I guess 0 is simpler.

Do other people prefer 1-based nonces?  Jason's argument, I think, is
that in kernel or maybe multithreaded code it's easy to initialize n
to 0 and use an atomic increment instruction prior to encryption, to
prevent nonce reuse.

Trevor
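
Added example, not part of the original message and not code from any Noise implementation: the "increment and return" counter discussed above, written with portable C11 atomics, showing that initializing n to 0 gives 1-based nonces and initializing it to -1 gives 0-based ones. The struct, the function names and the `last` limit (used to show that the counter stops instead of wrapping) are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical send-side counter; all names here are illustrative. */
struct nonce_ctr {
    _Atomic uint64_t n;  /* last nonce issued, or the initial value */
    uint64_t last;       /* highest nonce allowed; must be < UINT64_MAX */
};

/* n starts at first-1: 0 for 1-based nonces, -1 (UINT64_MAX) for 0-based. */
static void ctr_init(struct nonce_ctr *c, uint64_t first, uint64_t last)
{
    atomic_init(&c->n, first - 1);
    c->last = last;
}

/* Atomic "increment and return": every successful call yields a distinct
 * nonce, and the counter stops at `last` so it can never wrap and repeat. */
static bool nonce_next(struct nonce_ctr *c, uint64_t *out)
{
    uint64_t cur = atomic_load(&c->n), next;

    do {
        next = cur + 1;      /* unsigned wrap: UINT64_MAX + 1 == 0 */
        if (next > c->last)
            return false;    /* exhausted: the caller must rekey */
    } while (!atomic_compare_exchange_weak(&c->n, &cur, next));
    *out = next;
    return true;
}

int main(void)
{
    struct nonce_ctr one, zero;
    uint64_t v;

    ctr_init(&one, 1, 3);    /* n = 0: issues 1, 2, 3 */
    ctr_init(&zero, 0, 3);   /* n = -1: issues 0, 1, 2, 3 */
    while (nonce_next(&one, &v))
        printf("1-based nonce %llu\n", (unsigned long long)v);
    while (nonce_next(&zero, &v))
        printf("0-based nonce %llu\n", (unsigned long long)v);
    return 0;
}
```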

