[noise] Boiled down noise implementation spec
John-Mark Gurney
jmg at funkthat.com
Mon Aug 31 18:04:53 PDT 2015
Jason A. Donenfeld wrote this message on Tue, Sep 01, 2015 at 00:41 +0200:
> On Aug 31, 2015 3:55 PM, "Trevor Perrin" <trevp at trevp.net> wrote:
> >
> > On Mon, Aug 31, 2015 at 9:38 AM, Jason A. Donenfeld <Jason at zx2c4.com>
> wrote:
> > > Nonces for transport messages begin at 1, not at 0! This is because I
> take
> > > advantage of x86 primitives for "increment and return" as an atomic
> > > operation, so I don't need locks for preventing nonce-reuse.
> >
> > Why are 1-based nonces better than 0-based nonces, on x86?
>
> It just allows me to initialize the nonce at zero, and then when
> encrypting, call "increment and return" as opposed to "return and
> increment". There are various "programming things" that can work around
> this, but it makes the code marginally less obvious and clear cut. So, I'm
> opting for the atomic "increment and return" plus straightforwardness of
> the code, rather than zero-based nonces.
I hope that you're using the lock prefix on the xadd op code, because
if you aren't, then you are only marginally safer than increment and
return, but not entirely safe...
I only bring this up since you mention not needing locks above...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the Noise
mailing list