[noise] CipherState.EncryptWithAd and nonce increment

Trevor Perrin trevp at trevp.net
Mon Dec 4 08:20:17 PST 2017

On Mon, Dec 4, 2017 at 12:10 PM, Nazar Mokrynskyi <nazar at mokrynskyi.com> wrote:
> Hi folks,
> I have implementation-specific question.
> Here is a quote from Noise spec:
> EncryptWithAd(ad, plaintext): If k is non-empty returns ENCRYPT(k, n++, ad,
> plaintext). Otherwise returns plaintext.
> Since there might be an error during decryption (MAC is incorrect as an
> example), when should `n` be incremented?

Hi Nazar,

In the spec, CipherState.DecryptWithAd() says:

"If an authentication failure occurs in DECRYPT() then n is not
incremented and an error is signaled to the caller."

Earlier the spec says:

"If  DecryptWithAd() signals an error due to DECRYPT() failure, then
the input message is discarded. The application may choose to delete
the CipherState and terminate the session on such an error, or may
continue to attempt communications."

Does that answer the question, or are there other cases you're thinking about?


More information about the Noise mailing list