diff --git a/hpke/aead_test.go b/hpke/aead_test.go
index a8f4de16..c3eec3f3 100644
--- a/hpke/aead_test.go
+++ b/hpke/aead_test.go
@@ -34,7 +34,7 @@ func setupAeadTest() (*sealContext, *openContext, error) {
 return nil, nil, err
 }

- Nn := aead.NonceSize()
+ Nn := suite.aeadID.NonceSize()
 baseNonce := make([]byte, Nn)
 if n, err := rand.Read(baseNonce); err != nil {
 return nil, nil, err
diff --git a/hpke/algs.go b/hpke/algs.go
index 835538a9..a9fbc661 100644
--- a/hpke/algs.go
+++ b/hpke/algs.go
@@ -196,7 +196,7 @@ func (a AEAD) IsValid() bool {
 }
 }

-// KeySize returns the size in bytes of the keys used by AEAD cipher.
+// KeySize returns the size in bytes of the keys used by the AEAD cipher.
 func (a AEAD) KeySize() uint {
 switch a {
 case AEAD_AES128GCM:
@@ -210,6 +210,18 @@ func (a AEAD) KeySize() uint {
 }
 }

+// NonceSize returns the size in bytes of the nonce used by the AEAD cipher.
+func (a AEAD) NonceSize() uint {
+ switch a {
+ case AEAD_AES128GCM,
+ AEAD_AES256GCM,
+ AEAD_ChaCha20Poly1305:
+ return 12
+ default:
+ panic(ErrInvalidAEAD)
+ }
+}
+
 // CipherLen returns the length of a ciphertext corresponding to a message of
 // length mLen.
 func (a AEAD) CipherLen(mLen uint) uint {
diff --git a/hpke/marshal.go b/hpke/marshal.go
index 9a0ddbf9..4ce02eed 100644
--- a/hpke/marshal.go
+++ b/hpke/marshal.go
@@ -69,7 +69,7 @@ func unmarshalContext(raw []byte) (*encdecContext, error) {
 return nil, err
 }

- Nn := c.AEAD.NonceSize()
+ Nn := int(c.suite.aeadID.NonceSize())
 if len(c.baseNonce) != Nn {
 return nil, errors.New("invalid base nonce length")
 }
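Review bot: The new `NonceSize` in hpke/algs.go panics for any AEAD value outside the three listed ciphers, but its doc comment does not say so; add a line such as `// It panics with ErrInvalidAEAD if a is not a supported AEAD; check IsValid first for values taken from untrusted input.` This matters most in the hpke/marshal.go hunk, where `c.suite.aeadID.NonceSize()` runs on a context decoded from `raw`: unmarshalContext starts above the visible lines, so the hunk does not show whether the AEAD identifier has been validated before this call. If it has not, a malformed serialized context would crash the caller instead of returning an error, and a guard such as `if !c.suite.aeadID.IsValid() { return nil, ErrInvalidAEAD }` ahead of the length check would keep the failure on the error path.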