Revert "Just use the sender data nonce"

This reverts commit 9bc3c70.
mlswg · Feb 17, 2020 · a7bd500 · a7bd500
1 parent bb805c0
commit a7bd500
Showing 1 changed file with 24 additions and 6 deletions.
diff --git a/draft-ietf-mls-protocol.md b/draft-ietf-mls-protocol.md
@@ -1584,13 +1584,18 @@ object of the following form:
 struct {
     uint32 sender;
     uint32 generation;
+    opaque reuse_guard[4];
 } MLSSenderData;
 ~~~~~
 
 MLSSenderData.sender is assumed to be a `member` sender type.  When constructing
 an MLSSenderData from a Sender object, the sender MUST verify Sender.sender_type
 is `member` and use Sender.sender for MLSSenderData.sender.
 
+The `reuse_guard` field contains a fresh random value used to avoid nonce reuse
+in the case of state loss or corruption, as described in
+{{content-signing-and-encryption}}.
+
 The Additional Authenticated Data (AAD) for the SenderData ciphertext
 computation is its prefix in the MLSCiphertext, namely:
 
@@ -1680,12 +1685,25 @@ deterministically, a client must keep persistent state as to where in the key
 schedule it is; if this persistent state is lost or corrupted, a client might
 reuse a generation that has already been used, causing reuse of a key/nonce pair.
 
-To avoid this situation, the sender or recipient of a message MUST generate XOR
-the nonce from the key schedule with the fresh, random sender data nonce before
-using the nonce for encryption.
-
-~~~~~
-enc_nonce = key_schedule_nonce XOR sender_data_nonce
+To avoid this situation, the sender of a message MUST generate a fresh random
+4-byte "reuse guard" value and XOR it with the first four bytes of the nonce
+from the key schedule before using the nonce for encryption.  The sender MUST
+include the reuse guard in the `reuse_guard` field of the sender data object, so
+that the recipient of the message can use it to compute the nonce to be used for
+decryption.
+
+~~~~~
++-+-+-+-+---------...---+
+|   Key Schedule Nonce  |
++-+-+-+-+---------...---+
+           XOR
++-+-+-+-+---------...---+
+| Guard |       0       |
++-+-+-+-+---------...---+
+           ===
++-+-+-+-+---------...---+
+| Encrypt/Decrypt Nonce |
++-+-+-+-+---------...---+
 ~~~~~
 
 The Additional Authenticated Data (AAD) input to the encryption