cforler / Ada-Crypto-Library

This project is obsolete and is no longer developed, maintained or serviced!

How do nonces work? #8

Open Philipp91 opened 7 years ago

Philipp91 commented 7 years ago

Hi,

I read the paper "Designing the API for a Cryptographic Library" (http://link.springer.com/chapter/10.1007/978-3-642-30598-6_6), which only contains a few bits of the code. This repository is referenced from the paper and I assume that it already contains the proposed changes (at least the AE/AEAD API looks similar).

As someone who is not used to Ada (though I learned it in my first semester), I am having trouble understanding how the decryption routine can use the same nonce as was used by the encryption. It is my understanding that the same nonce must be supplied to encryption and decryption, but it must never be reused for different ciphertexts. Init_Encrypt (https://github.com/cforler/Ada-Crypto-Library/blob/master/src/crypto-symmetric-aead_ocb3.adb#L437) calls Nonce.Update, retrieves the nonce as a block and stores it in Nonce_Value. That field is in the private section, so I assume it's not accessible from outside?

When I encrypt something and want to send it to another machine to be encrypted there, the secret key is there already. The way it usually works with the nonce is that you send it along with the ciphertext. But how do I obtain the nonce from the API? For the receiving/decrypting end, I can see that Init_Decrypt accepts the nonce as a block, so that makes sense. But where do I get it from at the sending/encrypting end?

I found this example/test, which initializes and finalizes a nonce N, but I don't see it used anywhere: https://github.com/cforler/Ada-Crypto-Library/blob/c0d2ea41391dce4339fa6f4b631def09993d6d2d/test/test-siv.adb

Might be a copy-paste error from this example/test: https://github.com/cforler/Ada-Crypto-Library/blob/c0d2ea41391dce4339fa6f4b631def09993d6d2d/test/test-ae_ocb.adb. And this test only seems to work because the Inc function returns a constant value, so the test hard-codes the nonce.

Even if it was possible to keep sender and receiver in sync after loading a common nonce.txt, that wouldn't work with random nonces. So I guess my question is: Does the user of the AE/AEAD API need to access the nonce, or is it included in the ciphertext (I couldn't confirm that when reading the code and it wouldn't explain how to fill the nonce parameter at the decrypting end)? If so, how can they access it?
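The division of responsibilities the question describes (the nonce is not secret, the sender chooses a fresh one per message and sends it along with the ciphertext, and the receiver splits it off before calling the decrypt routine) is the usual pattern for AEAD APIs. The following is an added illustration, not code from the Ada-Crypto-Library and not a statement about what its OCB3 implementation does internally: it is a small encrypt-then-MAC construction built only from the Python standard library, with the nonce prefixed to the ciphertext on the wire and covered by the authentication tag. The 16-byte nonce length, the `nonce || ciphertext || tag` layout, the subkey derivation and the `Sender` bookkeeping are assumptions of this example.

```python
"""Sender/receiver nonce handling for an AEAD (added example, not library code).

Constructed illustration only: HMAC-SHA256 in counter mode as a keystream plus an
HMAC tag over nonce, associated data and ciphertext. The wire format
`nonce || ciphertext || tag` and the 16-byte nonce are assumptions of this example.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16  # assumed nonce size for this example
TAG_LEN = 32    # HMAC-SHA256 output size


def _derive_subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC subkeys from one shared key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(enc_key, nonce || counter) blocks.
    The nonce is what makes the keystream differ between messages under one key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes, associated_data: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag.  The nonce travels in the clear; the tag
    binds nonce, associated data and ciphertext so none can be altered unnoticed."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    enc_key, mac_key = _derive_subkeys(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + associated_data + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def aead_decrypt(key: bytes, message: bytes, associated_data: bytes = b"") -> bytes:
    """Receiver side: split the nonce off the wire message, verify the tag first,
    then decrypt.  Raises ValueError on any tampering, including a modified nonce."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    enc_key, mac_key = _derive_subkeys(key)
    expected = hmac.new(mac_key, nonce + associated_data + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Sender:
    """Sender-side state: a fresh random nonce per message, and a refusal to ever
    emit the same nonce twice under this key (the check is cheap insurance; with
    128-bit random nonces a collision is astronomically unlikely)."""

    def __init__(self, key: bytes):
        self.key = key
        self.used = set()

    def seal(self, plaintext: bytes, associated_data: bytes = b"") -> bytes:
        nonce = os.urandom(NONCE_LEN)
        if nonce in self.used:
            raise RuntimeError("nonce reuse detected; refusing to encrypt")
        self.used.add(nonce)
        return aead_encrypt(self.key, nonce, plaintext, associated_data)


def roundtrip_demo() -> tuple:
    """Constructed demo returning (decrypts correctly, nonces differ per message,
    tampered nonce rejected)."""
    key = hashlib.sha256(b"constructed shared key").digest()
    sender = Sender(key)
    m1 = sender.seal(b"hello", b"hdr")
    m2 = sender.seal(b"hello", b"hdr")      # same plaintext, different nonce and ciphertext
    ok = aead_decrypt(key, m1, b"hdr") == b"hello"
    distinct = m1[:NONCE_LEN] != m2[:NONCE_LEN]
    tampered = bytes([m1[0] ^ 1]) + m1[1:]  # flip one bit of the transmitted nonce
    try:
        aead_decrypt(key, tampered, b"hdr")
        rejected = False
    except ValueError:
        rejected = True
    return ok, distinct, rejected


if __name__ == "__main__":
    print(roundtrip_demo())  # (True, True, True)
```

The point the example makes for the question above: `aead_decrypt` never needs the nonce as a separate parameter because the sender put it at a known offset in the message, and the receiver recovers it from there before feeding it to the cipher's decrypt routine (the analogue of passing a block to Init_Decrypt). Whether a given library prepends the nonce for you or expects the caller to do it is an API decision; the example follows the caller-does-it convention the question already describes.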