[noise] Query about the definition of CipherState.encryptWithAd
Justin Cormack
justin at specialbusservice.com
Fri May 1 14:08:36 PDT 2020
This is a specification, your code does not have to do exactly this so long as it is equivalent.
Obviously staying close is useful and you should reference the differences in comments, but you don't have to be literal.
Justin
On Fri, 1 May 2020 at 16:35, Mike Hearn <mike at plan99.net> wrote:
> During a code review a colleague flagged an issue that I don't have a
> great answer for.
>
> The Noise spec requires that the EncryptWithAd operation might not
> actually encrypt, if it's called before the key is set. This seems
> surprising and potentially a source of subtle bugs. I'd have expected an
> error to be signalled if you attempt an encryption or decryption operation
> without a key.
>
> It appears it's defined this way to make WriteMessage simpler when
> processing an initial key in the first part of a handshake, before any DH
> operation has run. Everything being written out can be passed through
> EncryptAndHash without a special case for the position where no key is
> available. But translated directly to code this results in a rather odd
> exception inside the core encryption codepath which just looks all wrong.
> My colleague was right to flag it, even though the overall protocol and
> algorithm is correct.
>
> Perhaps a future spec revision could adjust the definition of WriteMessage
> to fork the codepath depending on if 'k' is set, before CipherState is
> invoked?
>
> thanks,
> -mike
>
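The equivalence discussed in this thread, as an added example that is not part of either message or of the Noise specification: a CipherState that passes plaintext through when no key is set, next to a strict variant that raises and relies on its caller to fork on HasKey(), with both producing the same output and handshake hash. Assumptions: `toy_aead` is a standard-library stand-in for the real AEAD, the fork is placed in EncryptAndHash as one possible location, the key is assigned directly instead of through MixKey, and all byte strings are constructed.

```python
import hashlib
import hmac

def toy_aead(k, n, ad, plaintext):
    # Stand-in for the spec's ENCRYPT(k, n, ad, plaintext); demo only, not a real AEAD.
    nonce = n.to_bytes(8, "little")
    stream = hashlib.shake_256(k + nonce).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(k, nonce + ad + body, hashlib.sha256).digest()[:16]

class SpecCipherState:
    # Literal reading of the spec: no key means the plaintext is returned unchanged.
    def __init__(self):
        self.k, self.n = None, 0
    def has_key(self):
        return self.k is not None
    def encrypt_with_ad(self, ad, plaintext):
        if self.k is None:
            return plaintext  # the pass-through branch flagged in review
        self.n += 1
        return toy_aead(self.k, self.n - 1, ad, plaintext)

class StrictCipherState(SpecCipherState):
    # Variant: encrypting without a key is an error.
    def encrypt_with_ad(self, ad, plaintext):
        if self.k is None:
            raise RuntimeError("encrypt_with_ad called before a key was set")
        return super().encrypt_with_ad(ad, plaintext)

class SymmetricState:
    def __init__(self, cipher, fork_on_key):
        self.cipher, self.fork_on_key = cipher, fork_on_key
        self.h = hashlib.sha256(b"constructed-protocol-name").digest()
    def encrypt_and_hash(self, plaintext):
        if self.fork_on_key and not self.cipher.has_key():
            out = plaintext  # cleartext chosen here; CipherState is never invoked
        else:
            out = self.cipher.encrypt_with_ad(self.h, plaintext)
        self.h = hashlib.sha256(self.h + out).digest()  # MixHash(out)
        return out

def run(cipher, fork_on_key):
    # One write before a key exists, then a key is set (stand-in for MixKey), then a keyed write.
    ss = SymmetricState(cipher, fork_on_key)
    first = ss.encrypt_and_hash(b"constructed-static-pubkey")
    cipher.k = hashlib.sha256(b"constructed-dh-output").digest()
    second = ss.encrypt_and_hash(b"constructed-payload")
    return first, second, ss.h
```

Comparing `run(SpecCipherState(), False)` with `run(StrictCipherState(), True)` is the kind of check that lets an implementation deviate from the literal text while documenting that the wire output and transcript hash are unchanged.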