From 4f6800851d4413b0ab8a3e9421480492d3b6da98 Mon Sep 17 00:00:00 2001
From: Aaron Feickert <66188213+AaronFeickert@users.noreply.github.com>
Date: Thu, 21 Dec 2023 05:30:14 -0600
Subject: [PATCH] Speed up AEAD on wrong prekey (#1369)
---
 src/libspark/aead.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/libspark/aead.cpp b/src/libspark/aead.cpp
index 6f31038da4..ced7aac7b1 100644
--- a/src/libspark/aead.cpp
+++ b/src/libspark/aead.cpp
@@ -48,15 +48,15 @@ AEADEncryptedData AEAD::encrypt(const GroupElement& prekey, const std::string ad
 // NOTE: This uses a fixed zero nonce, which is safe when used in Spark as directed
 // It is NOT safe in general to do this!
 CDataStream AEAD::decrypt_and_verify(const GroupElement& prekey, const std::string additional_data, AEADEncryptedData& data) {
- // Derive the key and commitment
- std::vector key = SparkUtils::kdf_aead(prekey);
- std::vector key_commitment = SparkUtils::commit_aead(prekey);
- // Assert that the key commitment is valid
+ std::vector key_commitment = SparkUtils::commit_aead(prekey);
 if (key_commitment != data.key_commitment) {
 throw std::runtime_error("Bad AEAD key commitment");
 }
+ // Derive the key
+ std::vector key = SparkUtils::kdf_aead(prekey);
+ // Set up the result
 CDataStream result(SER_NETWORK, PROTOCOL_VERSION);
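Review bot: The commitment check this hunk front-loads still rejects via `std::vector`'s `operator!=`, which returns at the first mismatching byte, so the time to reach `throw std::runtime_error("Bad AEAD key commitment")` depends on how long a prefix of the `data.key_commitment` carried with the ciphertext matches the commitment derived from the recipient's prekey. Whether that is observable depends on where decrypt_and_verify is driven from, but since the point of the change is to make the wrong-prekey path cheap, it is worth making it fixed-time as well, e.g. `if (key_commitment.size() != data.key_commitment.size() || CRYPTO_memcmp(key_commitment.data(), data.key_commitment.data(), key_commitment.size()) != 0) {` if OpenSSL is linked, or a small fixed-time byte loop otherwise. Style: both new locals (`key_commitment`, `key`) could be declared `const` unless `key` is mutated further down; the template argument of the two `std::vector` declarations appears to have been stripped in this rendering, so that is not a finding. decrypt_and_verify's body continues past the end of the hunk, and the hunk's trailing context line may itself be cut off here.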