[noise] Query about the definition of CipherState.encryptWithAd

[Mike Hearn]

During a code review a colleague flagged an issue that I don't have a great
answer for.

The Noise spec requires that the EncryptWithAd operation might not actually
encrypt, if it's called before the key is set. This seems surprising and
potentially a source of subtle bugs. I'd have expected an error to be
signalled if you attempt an encryption or decryption operation without a
key.

It appears it's defined this way to make WriteMessage simpler when
processing an initial key in the first part of a handshake, before any DH
operation has run. Everything being written out can be passed through
EncryptAndHash without a special case for the position where no key is
available. But translated directly to code this results in a rather odd
exception inside the core encryption codepath which just looks all wrong.
My colleague was right to flag it, even though the overall protocol and
algorithm is correct.

Perhaps a future spec revision could adjust the definition of WriteMessage
to fork the codepath depending on if 'k' is set, before CipherState is
invoked?

thanks,
-mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20200501/9efe542c/attachment.html>