[Question] Nonce Length
LuoZijun opened this issue · 1 comments
LuoZijun commented
Line: https://github.com/miscreant/miscreant/blob/master/rust/src/aead.rs#L144
Some IV_LEN (NONCE_LEN) code:
- https://github.com/miscreant/miscreant/blob/master/rust/src/ctr.rs#L15 ( 16 Bytes )
- https://github.com/miscreant/miscreant/blob/master/rust/src/bench.rs#L11 ( 12 Bytes )
Can you add documentation for that nonce length?
tarcieri commented
Miscreant supports a variable-length nonce. This is for two reasons:
- A nonce in Miscreant is just a variable-length header input to the S2V function, which is effectively just a chained PRF construction. There are no restrictions on the lengths of the inputs to S2V, and therefore there are no restrictions on the lengths of Miscreant's nonces.
- In my observations, placing artificial restrictions on the lengths of nonces that aren't actually required in the underlying construction has led people to do things which actually weaken the security of the system. For example, I've seen people who wish to bind all relevant cryptographic parameters hash them all with RIPEMD160 in order to create a 24-byte Salsa20 nonce, when the very first thing XSalsa20 does is run them through the variable-length HSalsa20 PRF.
The code snippets you found are as follows:
- ctr.rs: 16 bytes is the size of the SIV tag, which has a dual role as an authentication tag / MAC and also as the AES-CTR IV. However, this is distinct from the nonce you pass into the construction by way of S2V (in fact, it is the output of S2V, rather than an input).
- bench.rs: this is actually a 96-bit AES-GCM nonce, which is used by the AES-GCM benchmark for comparing relative performance.
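The distinction drawn in the reply above, as an added example that is not part of the issue thread and is not Miscreant's code: S2V written out from RFC 5297 on top of AES-CMAC, showing that a nonce of any length is just one more header and that the output is always the 16-byte SIV. It assumes the Python `cryptography` package; the key, header and nonce values are constructed samples, `siv_for_nonces` is a hypothetical helper, and placing the nonce as the last header follows RFC 5297's nonce-based convention.

```python
# Added example (not Miscreant's code): S2V per RFC 5297 over AES-CMAC.
from cryptography.hazmat.primitives.cmac import CMAC
from cryptography.hazmat.primitives.ciphers import algorithms

BLOCK = 16  # AES block size, and therefore the size of the SIV tag

def cmac(key: bytes, msg: bytes) -> bytes:
    c = CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()

def dbl(block: bytes) -> bytes:
    """Doubling in GF(2^128): shift left one bit, reduce with 0x87."""
    n = int.from_bytes(block, "big") << 1
    if block[0] & 0x80:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(BLOCK, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def s2v(mac_key: bytes, headers: list, plaintext: bytes) -> bytes:
    """Chain every header (any length) through CMAC, then fold in the plaintext."""
    d = cmac(mac_key, bytes(BLOCK))
    for h in headers:                      # the nonce is just one of these
        d = xor(dbl(d), cmac(mac_key, h))
    if len(plaintext) >= BLOCK:            # "xorend": mix d into the last block
        t = plaintext[:-BLOCK] + xor(plaintext[-BLOCK:], d)
    else:                                  # short input: pad with 0x80 00...
        t = xor(dbl(d), (plaintext + b"\x80").ljust(BLOCK, b"\x00"))
    return cmac(mac_key, t)                # 16-byte SIV: MAC tag and AES-CTR IV

def siv_for_nonces(mac_key, ad, plaintext, nonces):
    """Hypothetical helper: map nonce length -> SIV, nonce as the last header."""
    return {len(n): s2v(mac_key, [ad, n], plaintext) for n in nonces}

# Constructed sample inputs (not from the issue or the project).
SAMPLE_KEY = bytes(range(16))              # MAC half of an AES-SIV key
SAMPLE_AD = b"example-header"
SAMPLE_PT = b"example plaintext longer than one block"
SAMPLE_NONCES = [bytes([i]) * n for i, n in enumerate((8, 12, 16, 32, 64))]

if __name__ == "__main__":
    tags = siv_for_nonces(SAMPLE_KEY, SAMPLE_AD, SAMPLE_PT, SAMPLE_NONCES)
    for nonce_len, siv in tags.items():
        print(f"nonce {nonce_len:2d} bytes -> SIV {len(siv)} bytes: {siv.hex()}")
```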