Ron Frederick ronf@timeheart.net writes:
One other thought on this: Since the sender and receiver of a message need to both know the nonce, I think it would be useful for Nettle to provide a get_nonce() function if it is going to auto-increment the nonce.
One can access it directly from the nonce field of the context struct, but it makes some sense to provide a more abstract method. If we want to do this consistently, the details are not entirely obvious, though:
1. Should it return a pointer to the nonce, assuming that it is present in raw form in the context, so that it can be returned cheaply, or should it make a copy into an area provided by the caller?
2. Should a get_nonce method be added to the nettle_aead struct?
If a receiver is receiving an explicit nonce with each message, there’s no reason for them to pay the cost of doing the increment function every time they call digest() to verify a message, as they’re just going to reset the nonce to something else when the next message arrives.
It's true that the auto-increment is unnecessary in that case, but it is such a small cost that I don't think it's a good tradeoff to optimize for. (It's an invocation of the INCREMENT macro in macros.h). I think it's going to be negligible compared to all other processing done by digest(). Making it optional (via a flag in the context, or an extra function) will increase the code size for a performance gain (in some use cases) which is hardly measurable.
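As an added illustration of the two design questions above (returning a pointer to the raw nonce versus copying it out, and the cost of the per-digest() auto-increment), here is a small self-contained C example. It is not Nettle code: the `aead_ctx_example` struct, the function names and the 12-byte nonce size are assumptions for the example, and `nonce_increment()` is modelled on the big-endian carry increment that the INCREMENT macro in macros.h is understood to perform (also an assumption, not a quotation of Nettle's source). The example additionally reports when the counter wraps, since a wrapped nonce would be reused under the same key.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NONCE_SIZE 12  /* constructed: a 96-bit nonce, as used by e.g. ChaCha20-Poly1305 */

/* Hypothetical context holding the nonce in raw form, as the thread assumes
   the AEAD context struct does. Not Nettle's real struct. */
struct aead_ctx_example {
    uint8_t nonce[NONCE_SIZE];
};

/* Big-endian increment of an n-byte counter with carry, modelled on the
   behaviour assumed for Nettle's INCREMENT macro. Returns 1 if the counter
   wrapped back to all-zero (nonce space exhausted), 0 otherwise. */
static int
nonce_increment(size_t n, uint8_t *nonce)
{
    size_t i = n;
    while (i > 0) {
        i--;
        if (++nonce[i] != 0)
            return 0;       /* no carry out of this byte: done */
    }
    return 1;               /* carried out of the top byte: wrapped */
}

/* Option 1(a) from the thread: hand back a pointer into the context.
   Cheap, but only valid until the next set_nonce()/digest()-style call. */
static const uint8_t *
get_nonce_ptr(const struct aead_ctx_example *ctx)
{
    return ctx->nonce;
}

/* Option 1(b): copy the nonce into caller-provided storage.
   Returns the number of bytes copied; safe to keep across later calls. */
static size_t
get_nonce_copy(const struct aead_ctx_example *ctx, uint8_t *dst, size_t dst_len)
{
    size_t n = dst_len < NONCE_SIZE ? dst_len : NONCE_SIZE;
    memcpy(dst, ctx->nonce, n);
    return n;
}

/* Simulates the auto-increment a digest() would do. Returns 0 on success,
   -1 if the nonce wrapped, in which case the context must not be used for
   further encryption under the same key. */
static int
aead_after_digest(struct aead_ctx_example *ctx)
{
    if (nonce_increment(NONCE_SIZE, ctx->nonce))
        return -1;
    return 0;
}

/* Helper: fill a nonce with `fill` and report whether one increment wraps. */
static int
increment_wraps(uint8_t fill)
{
    uint8_t nonce[NONCE_SIZE];
    memset(nonce, fill, NONCE_SIZE);
    return nonce_increment(NONCE_SIZE, nonce);
}

/* Walk through: read the nonce via both accessors, increment, check carry
   and wrap detection. Returns 0 when every check passes. */
static int
demo(void)
{
    struct aead_ctx_example ctx;
    uint8_t before[NONCE_SIZE], after[NONCE_SIZE];

    memset(ctx.nonce, 0, NONCE_SIZE);
    ctx.nonce[NONCE_SIZE - 1] = 0xff;       /* constructed: ...00 ff */
    get_nonce_copy(&ctx, before, sizeof before);
    if (get_nonce_ptr(&ctx)[NONCE_SIZE - 1] != before[NONCE_SIZE - 1]) return 1;

    if (aead_after_digest(&ctx) != 0) return 2;
    get_nonce_copy(&ctx, after, sizeof after);
    /* ...00 ff -> ...01 00 : carry into the next byte */
    if (after[NONCE_SIZE - 1] != 0x00 || after[NONCE_SIZE - 2] != 0x01) return 3;

    /* an all-0xff nonce wraps to zero and must be refused */
    memset(ctx.nonce, 0xff, NONCE_SIZE);
    if (aead_after_digest(&ctx) != -1) return 4;
    return 0;
}

int main(void) { return demo(); }
```

The increment is a handful of byte operations even in the worst case (a full carry chain), which is the point made above about its cost being negligible next to the authentication work in digest(). The wrap check is the one thing a real sender cannot afford to skip, whatever accessor style is chosen.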