[noise] CipherState.EncryptWithAd and nonce increment

Nazar Mokrynskyi nazar at mokrynskyi.com
Mon Dec 4 14:18:55 PST 2017


04.12.17 18:33, Trevor Perrin пише:
> On Mon, Dec 4, 2017 at 4:20 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> In the spec, CipherState.DecryptWithAd() says:
>>
>> "If an authentication failure occurs in DECRYPT() then n is not
>> incremented and an error is signaled to the caller."
>>
>> Earlier the spec says:
>>
>> "If  DecryptWithAd() signals an error due to DECRYPT() failure, then
>> the input message is discarded. The application may choose to delete
>> the CipherState and terminate the session on such an error, or may
>> continue to attempt communications."
> (To be clear, this text was talking about the transport phase.  During
> the handshake phase, behavior is different: "If any error is signaled
> by the DECRYPT() or DH() functions then the handshake has failed and
> the HandshakeState is deleted.").
>
> Trevor

Wow, I was somehow confused with functions names, must have looked at DecryptWithAd().

Will submit PR with fix for noise-c. Thanks!

04.12.17 16:00, David Wong пише:
>> However, in my use case I need to avoid nonce increment if decryption fails,
>> as this is a valid and acceptable behavior in my case.
>>
>> So should nonce be incremented immediately like it is done in `noise-c`
>> already or should it only be incremented on successful decryption?
>>
> It should not matter because if the decryption is unsuccessful you are
> supposed to abort the protocol.
> Can I ask why you are not doing this?
>
>> I'm aware that latest versions of the spec give optional control over nonce
>> and my use case can be implemented using it.
> If you have good reasons not to use a counter, this is probably what
> you should do.
>
> David
My use case involves anonymous routing. Noise is used for end-to-end encryption and multi-layer non-authenticated wide block cipher is used on top of that.
Each node decrypts one layer of non-authenticated encryption and tries to decrypt the result with DecryptWithAd(). If that fails - message is forwarded to the next node.
This way the number of nodes doesn't affect total size of the encrypted packet.

Sincerely, Nazar Mokrynskyi
github.com/nazar-pc



More information about the Noise mailing list