[noise] CipherState.EncryptWithAd and nonce increment

Trevor Perrin trevp at trevp.net
Mon Dec 4 08:33:01 PST 2017


On Mon, Dec 4, 2017 at 4:20 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> In the spec, CipherState.DecryptWithAd() says:
>
> "If an authentication failure occurs in DECRYPT() then n is not
> incremented and an error is signaled to the caller."
>
> Earlier the spec says:
>
> "If  DecryptWithAd() signals an error due to DECRYPT() failure, then
> the input message is discarded. The application may choose to delete
> the CipherState and terminate the session on such an error, or may
> continue to attempt communications."

(To be clear, this text was talking about the transport phase.  During
the handshake phase, behavior is different: "If any error is signaled
by the DECRYPT() or DH() functions then the handshake has failed and
the HandshakeState is deleted.").

Trevor
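The transport-phase behaviour quoted above, as an added example that is not part of the original message or of any Noise implementation: a receiving `CipherState` leaves `n` unchanged when authentication fails, so the next genuine message still decrypts. The AEAD here is a toy stand-in built from HMAC-SHA256, not one of Noise's cipher functions, and the Python names (`CipherState`, `DecryptError`, `transport_demo`) are assumptions made for illustration.

```python
import hashlib
import hmac

class DecryptError(Exception):
    """Signalled to the caller when DECRYPT() fails authentication."""

def _mac(k, label, n, data):
    # Stand-in primitive (assumption): HMAC-SHA256 keyed with k, bound to nonce n.
    return hmac.new(k, label + n.to_bytes(8, "little") + data, hashlib.sha256).digest()

def _xor_stream(k, n, data):
    # Toy stream cipher: XOR with HMAC output blocks in counter mode.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_mac(k, b"ks", n, i.to_bytes(4, "little")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(k, n, ad, ct):
    return _mac(k, b"tag", n, len(ad).to_bytes(8, "little") + ad + ct)[:16]

class CipherState:
    def __init__(self, k):
        self.k, self.n = k, 0

    def encrypt_with_ad(self, ad, plaintext):
        ct = _xor_stream(self.k, self.n, plaintext)
        out = ct + _tag(self.k, self.n, ad, ct)
        self.n += 1
        return out

    def decrypt_with_ad(self, ad, data):
        ct, tag = data[:-16], data[-16:]
        if len(data) < 16 or not hmac.compare_digest(tag, _tag(self.k, self.n, ad, ct)):
            raise DecryptError("authentication failure")  # n is left unchanged
        plaintext = _xor_stream(self.k, self.n, ct)
        self.n += 1  # incremented only after successful authentication
        return plaintext

def transport_demo():
    key = bytes(range(32))  # constructed sample key
    sender, receiver = CipherState(key), CipherState(key)
    msg = sender.encrypt_with_ad(b"", b"first transport message")
    forged = bytes([msg[0] ^ 1]) + msg[1:]  # constructed: one ciphertext bit flipped
    try:
        receiver.decrypt_with_ad(b"", forged)
    except DecryptError:
        pass  # transport phase: discard the input, keep the CipherState
    n_after_failure = receiver.n
    # The genuine message still decrypts because the receiver's n did not advance.
    return n_after_failure, receiver.decrypt_with_ad(b"", msg), receiver.n
```

In the handshake phase the `except` branch would instead delete the HandshakeState, as the quoted spec text says.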

