question about NonceSequence in AEAD #2726

@sify21

Hi, I'm a newbie in crypto, and I have a question about the aead API. In aead, both OpeningKey and SealingKey require a NonceSequence parameter, and it's required that a given NonceSequence must never return the same Nonce twice from advance().

However, opening requires using the same Nonce value from sealing. Thus when sealing, I need to remember the Nonce returned from the SealingNonceSequence; then to open the sealed data, I need to construct an OpeningNonceSequence that returns the exact Nonce generated by SealingNonceSequence before.

Then why the trouble? Why not just use Nonce as the second parameter for OpeningKey and SealingKey? Once the NonceSequence is passed to SealingKey, there is no way to get the Nonce generated during sealing.

The reason I'm asking this question is that I'm making a command-line program and I have no way to record the internal state of a NonceSequence, so I'm using a random nonce every time the program is called. Currently I'm doing it this way:

```rust
use ring::aead::{Nonce, NonceSequence, OpeningKey, SealingKey, NONCE_LEN};
use ring::error::Unspecified;

struct ExactNonceSequence(pub [u8; NONCE_LEN]);
impl NonceSequence for ExactNonceSequence {
    // called once for each seal operation
    fn advance(&mut self) -> Result<Nonce, Unspecified> {
        Nonce::try_assume_unique_for_key(&self.0)
    }
}

// when sealing, store nonce along with the data
let mut nonce: [u8; NONCE_LEN] = [0; NONCE_LEN];
rand::fill_rand(&mut nonce);
let mut sealing_key = SealingKey::new(unbound_key, ExactNonceSequence(nonce));

// when opening, get the nonce from data
let mut nonce = [0; NONCE_LEN];
nonce.copy_from_slice(&in_out[0..NONCE_LEN]);
let mut opening_key = OpeningKey::new(unbound_key, ExactNonceSequence(nonce));
```
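
An added example, not part of the original post and not ring's own code: a one-shot variant of the `ExactNonceSequence` above that fails on a second `advance()` instead of returning the same nonce again, together with a length-checked split of the nonce-prefixed record. `Nonce`, `Unspecified` and `NonceSequence` are local stand-ins for ring's types so the block compiles without the crate; `OneShotNonce` and `split_record` are hypothetical names.

```rust
// Local stand-ins for ring's types (assumption: they mirror the `advance`
// signature quoted in the post), so this compiles without the crate.
pub const NONCE_LEN: usize = 12;
#[derive(Debug, PartialEq)]
pub struct Nonce(pub [u8; NONCE_LEN]);
#[derive(Debug, PartialEq)]
pub struct Unspecified;
pub trait NonceSequence {
    fn advance(&mut self) -> Result<Nonce, Unspecified>;
}

/// Hands out its nonce exactly once. A second seal or open through the same
/// key object gets an error instead of a repeated nonce.
pub struct OneShotNonce(Option<[u8; NONCE_LEN]>);

impl OneShotNonce {
    pub fn new(bytes: [u8; NONCE_LEN]) -> Self {
        OneShotNonce(Some(bytes))
    }
}

impl NonceSequence for OneShotNonce {
    fn advance(&mut self) -> Result<Nonce, Unspecified> {
        // take() leaves None behind, so the next call yields Err(Unspecified).
        self.0.take().map(Nonce).ok_or(Unspecified)
    }
}

/// Splits a `nonce || ciphertext_and_tag` record (the layout used in the post).
/// Returns None when the input cannot hold a nonce, rather than panicking.
pub fn split_record(record: &[u8]) -> Option<([u8; NONCE_LEN], &[u8])> {
    if record.len() < NONCE_LEN {
        return None;
    }
    let (head, rest) = record.split_at(NONCE_LEN);
    let mut nonce = [0u8; NONCE_LEN];
    nonce.copy_from_slice(head);
    Some((nonce, rest))
}

fn main() {
    // Constructed sample record: 12 nonce bytes followed by 4 payload bytes.
    let record: Vec<u8> = (0u8..16).collect();
    let (nonce, body) = split_record(&record).expect("record too short");
    let mut seq = OneShotNonce::new(nonce);
    println!("first:  {:?}", seq.advance());
    println!("second: {:?}", seq.advance());
    println!("body:   {:?}", body);
}
```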
