[noise] formatting of AES-GCM ciphertext

Naveen Nathan naveen at lastninja.net
Sat May 7 17:35:54 PDT 2016

I'm in implementing the Noise spec in Python.

To start, I'm working on getting the crypto primitives in order, and had a question about AES-GCM.

Before that, are there any known efforts of implementing Noise in Python? Otherwise, if anyone
is interested, I'm working on it here: https://github.com/nnathan/noiseprotocol

>From the spec it reads:

ENCRYPT(k, n, ad, plaintext) / DECRYPT(k, n, ad, ciphertext):
    AES256-GCM from NIST SP 800-38D with 128-bit tags.
    The 96-bit nonce is formed by encoding 32 bits of zeros followed by big-endian encoding of n.

In DECRYPT() the tag is not passed in, however the NIST SP 800-38D KAT (known answer tests)
separate the tag and the ciphertext. Is it tacitly implied that the ciphertext is prefixed
with the authentication tag, which is then split appropriately in the DECRYPT function?


More information about the Noise mailing list