quicwg / load-balancers

In-progress version of draft-ietf-quic-load-balancers

Home Page:https://quicwg.org/

Using AEAD IV to build nonce

nqv opened this issue · comments

The AEAD nonce, N, is formed by combining the AEAD IV with the 96 bit unique token number. The 96 bits of the unique token number are left-padded with zeros to the size of the IV. The exclusive OR of the padded unique token number and the AEAD IV forms the AEAD nonce.

Why do we need to XOR the IV to build the nonce? I'd thought a nonce ideally would be used only once, and having the XOR operator here reduces the confidence? I haven't found anywhere suggesting the use of the IV to build the nonce, so including a reference here would be great.

The properties of XOR are such that two unique numbers XORed with the same IV will produce unique results.

More importantly, the unique number is transmitted in cleartext. Without a secure component, the IV, the encryption is less secure.

But isn't the IV already used for decrypting/authenticating with AEAD? My question is why it is different from the AEAD in QUIC packets, whose nonce is purely the packet number?

Thanks for the questions!

The token key/IV are different from the QUIC packet key/IV, since we don't want the Retry service to read the packets.

QUIC AEAD does not simply use the packet number. Sec 5.3 of RFC 9001:
The nonce, N, is formed by combining the packet protection IV with the packet number.
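Worked example of the nonce construction quoted in this thread, added here and not taken from the draft or the quicwg repository. It implements N = IV XOR zero-left-padded(number) for the 96-bit unique token number of the draft and, for comparison, the 62-bit packet number of RFC 9001 Section 5.3, and checks the two properties discussed above: distinct numbers give distinct nonces, and with the number sent in cleartext the IV is the only secret in N. The 12-byte IV length is an assumption (AES-GCM style); the draft only says the number is padded to the size of the IV.

```python
# Added example: AEAD nonce = IV XOR zero-left-padded(number).
# Not the draft's or the quicwg project's own code; 12-byte IV is assumed.
from typing import Iterable


def build_nonce(iv: bytes, value: int, value_bits: int) -> bytes:
    """XOR `value` (left-padded with zero bits to len(iv)) into the IV."""
    if not 0 <= value < (1 << value_bits):
        raise ValueError(f"value does not fit in {value_bits} bits")
    if value_bits > 8 * len(iv):
        raise ValueError("value is wider than the IV")
    # Big-endian to_bytes places the zeros on the left and the value on the right.
    padded = value.to_bytes(len(iv), "big")
    return bytes(a ^ b for a, b in zip(iv, padded))


def token_nonce(iv: bytes, unique_token_number: int) -> bytes:
    """QUIC-LB Retry token nonce: 96-bit unique token number, per the draft text."""
    return build_nonce(iv, unique_token_number, 96)


def packet_nonce(iv: bytes, packet_number: int) -> bytes:
    """RFC 9001 Section 5.3 packet-protection nonce: 62-bit packet number."""
    return build_nonce(iv, packet_number, 62)


def nonces_are_unique(iv: bytes, numbers: Iterable[int]) -> bool:
    """XOR with a fixed IV is a bijection, so distinct numbers never collide."""
    numbers = list(numbers)
    return len({token_nonce(iv, n) for n in numbers}) == len(set(numbers))


def recover_number(iv: bytes, nonce: bytes) -> int:
    """XOR is its own inverse: the IV alone turns the cleartext number into N
    and back, which is why the IV must stay secret (and separate from the
    packet-protection IV, so the Retry service cannot read packets)."""
    return int.from_bytes(bytes(a ^ b for a, b in zip(iv, nonce)), "big")


if __name__ == "__main__":
    iv = bytes.fromhex("0102030405060708090a0b0c")  # constructed sample IV
    print(token_nonce(iv, 42).hex())
    print(packet_nonce(iv, 42).hex())
    print(nonces_are_unique(iv, range(1000)))
```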

Thank you.