[noise] CipherState.EncryptWithAd and nonce increment

Nazar Mokrynskyi nazar at mokrynskyi.com
Mon Dec 4 04:10:09 PST 2017

Hi folks,

I have implementation-specific question.

Here is a quote from Noise spec:

>  *
>     *|EncryptWithAd(ad, plaintext)|*: If |k| is non-empty returns |ENCRYPT(k, n++, ad, plaintext)|. Otherwise returns |plaintext|.
Since there might be an error during decryption (MAC is incorrect as an example), when should `n` be incremented?

`noise-c` library does this immediately after decryption independently from decryption result:

> /* Encrypt the plaintext and authenticate it */
> err = (*(state->encrypt))(state, ad, ad_len, buffer->data, buffer->size);
> ++(state->n);
> if (err != NOISE_ERROR_NONE)
>     return err;
However, in my use case I need to avoid nonce increment if decryption fails, as this is a valid and acceptable behavior in my case.

So should nonce be incremented immediately like it is done in `noise-c` already or should it only be incremented on successful decryption?

I'm aware that latest versions of the spec give optional control over nonce and my use case can be implemented using it.

Sincerely, Nazar Mokrynskyi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20171204/dfba5744/attachment.html>

More information about the Noise mailing list