[noise] CipherState.EncryptWithAd and nonce increment

Nazar Mokrynskyi nazar at mokrynskyi.com
Mon Dec 4 14:18:55 PST 2017

04.12.17 18:33, Trevor Perrin пише:
> On Mon, Dec 4, 2017 at 4:20 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> In the spec, CipherState.DecryptWithAd() says:
>> "If an authentication failure occurs in DECRYPT() then n is not
>> incremented and an error is signaled to the caller."
>> Earlier the spec says:
>> "If  DecryptWithAd() signals an error due to DECRYPT() failure, then
>> the input message is discarded. The application may choose to delete
>> the CipherState and terminate the session on such an error, or may
>> continue to attempt communications."
> (To be clear, this text was talking about the transport phase.  During
> the handshake phase, behavior is different: "If any error is signaled
> by the DECRYPT() or DH() functions then the handshake has failed and
> the HandshakeState is deleted.").
> Trevor

Wow, I was somehow confused with functions names, must have looked at DecryptWithAd().

Will submit PR with fix for noise-c. Thanks!

04.12.17 16:00, David Wong пише:
>> However, in my use case I need to avoid nonce increment if decryption fails,
>> as this is a valid and acceptable behavior in my case.
>> So should nonce be incremented immediately like it is done in `noise-c`
>> already or should it only be incremented on successful decryption?
> It should not matter because if the decryption is unsuccessful you are
> supposed to abort the protocol.
> Can I ask why you are not doing this?
>> I'm aware that latest versions of the spec give optional control over nonce
>> and my use case can be implemented using it.
> If you have good reasons not to use a counter, this is probably what
> you should do.
> David
My use case involves anonymous routing. Noise is used for end-to-end encryption and multi-layer non-authenticated wide block cipher is used on top of that.
Each node decrypts one layer of non-authenticated encryption and tries to decrypt the result with DecryptWithAd(). If that fails - message is forwarded to the next node.
This way the number of nodes doesn't affect total size of the encrypted packet.

Sincerely, Nazar Mokrynskyi

More information about the Noise mailing list