Can a zero nonce be safely used with AES-GCM if the key is random and never used again? Planned maintenance scheduled April 23, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?Multi-target attacks on AES-CTR with a random nonceAES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message

AppleTVs create a chatty alternate WiFi network

Should there be a hyphen in the construction "IT affin"?

How do living politicians protect their readily obtainable signatures from misuse?

An adverb for when you're not exaggerating

Do I really need to have a message in a novel to appeal to readers?

What initially awakened the Balrog?

What order were files/directories outputted in dir?

How to run automated tests after each commit?

If Windows 7 doesn't support WSL, then what does Linux subsystem option mean?

Putting class ranking in CV, but against dept guidelines

How to draw/optimize this graph with tikz

Would it be easier to apply for a UK visa if there is a host family to sponsor for you in going there?

Why limits give us the exact value of the slope of the tangent line?

Most bit efficient text communication method?

Hangman Game with C++

Amount of permutations on an NxNxN Rubik's Cube

Did any compiler fully use 80-bit floating point?

How come Sam didn't become Lord of Horn Hill?

What is the meaning of 'breadth' in breadth first search?

How would a mousetrap for use in space work?

How to compare two different files line by line in unix?

Trademark violation for app?

How often does castling occur in grandmaster games?

One-one communication



Can a zero nonce be safely used with AES-GCM if the key is random and never used again?



Planned maintenance scheduled April 23, 2019 at 00:00UTC (8:00pm US/Eastern)
Announcing the arrival of Valued Associate #679: Cesar Manara
Unicorn Meta Zoo #1: Why another podcast?Multi-target attacks on AES-CTR with a random nonceAES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message










8












$begingroup$


I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?






aes initialization-vector gcm nonce aes-gcm







share|improve this question









$endgroup$
















    8












    $begingroup$


    I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



    The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



    If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?






    aes initialization-vector gcm nonce aes-gcm







    share|improve this question









    $endgroup$














      8












      8








      8


      2



      $begingroup$


      I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



      The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



      If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?






      aes initialization-vector gcm nonce aes-gcm







      share|improve this question









      $endgroup$




      I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



      The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



      If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?






      aes initialization-vector gcm nonce aes-gcm




      aes initialization-vector gcm nonce aes-gcm






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Apr 14 at 22:52









      jnm2jnm2

      322310




      322310




















          3 Answers
          3






          active

          oldest

          votes


















          8












          $begingroup$

          Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.



          From the above-linked blog post by DJB:




          What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.







          share|improve this answer









          $endgroup$












          • $begingroup$
            Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
            $endgroup$
            – jnm2
            Apr 15 at 13:48











          • $begingroup$
            And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
            $endgroup$
            – jnm2
            Apr 15 at 14:09











          • $begingroup$
            @jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
            $endgroup$
            – forest
            Apr 16 at 1:46



















          5












          $begingroup$


          Am I missing anything?




          No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



          BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






          share|improve this answer









          $endgroup$












          • $begingroup$
            I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
            $endgroup$
            – forest
            Apr 15 at 8:04



















          1












          $begingroup$

          Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?



          As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.



          There are two simple ways you can take:



          a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).



          b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.



          The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.






          share|improve this answer









          $endgroup$












          • $begingroup$
            The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
            $endgroup$
            – Martin Bonner
            Apr 15 at 9:52










          • $begingroup$
            @MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
            $endgroup$
            – forest
            Apr 15 at 9:53










          • $begingroup$
            @MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
            $endgroup$
            – Tom
            Apr 15 at 9:56










          • $begingroup$
            Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.
            $endgroup$
            – jnm2
            Apr 15 at 14:01











          • $begingroup$
            @jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
            $endgroup$
            – Tom
            Apr 15 at 18:44











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "281"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          3 Answers
          3






          active

          oldest

          votes








          3 Answers
          3






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          8












          $begingroup$

          Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.



          From the above-linked blog post by DJB:




          What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.







          share|improve this answer









          $endgroup$












          • $begingroup$
            Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
            $endgroup$
            – jnm2
            Apr 15 at 13:48











          • $begingroup$
            And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
            $endgroup$
            – jnm2
            Apr 15 at 14:09











          • $begingroup$
            @jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
            $endgroup$
            – forest
            Apr 16 at 1:46
















          8












          $begingroup$

          Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.



          From the above-linked blog post by DJB:




          What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.







          share|improve this answer









          $endgroup$












          • $begingroup$
            Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
            $endgroup$
            – jnm2
            Apr 15 at 13:48











          • $begingroup$
            And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
            $endgroup$
            – jnm2
            Apr 15 at 14:09











          • $begingroup$
            @jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
            $endgroup$
            – forest
            Apr 16 at 1:46














          8












          8








          8





          $begingroup$

          Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.



          From the above-linked blog post by DJB:




          What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.







          share|improve this answer









          $endgroup$



          Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.



          From the above-linked blog post by DJB:




          What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.








          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Apr 15 at 7:56









          forestforest

          5,00211744




          5,00211744











          • $begingroup$
            Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
            $endgroup$
            – jnm2
            Apr 15 at 13:48











          • $begingroup$
            And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
            $endgroup$
            – jnm2
            Apr 15 at 14:09











          • $begingroup$
            @jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
            $endgroup$
            – forest
            Apr 16 at 1:46

















          • $begingroup$
            Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
            $endgroup$
            – jnm2
            Apr 15 at 13:48











          • $begingroup$
            And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
            $endgroup$
            – jnm2
            Apr 15 at 14:09











          • $begingroup$
            @jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
            $endgroup$
            – forest
            Apr 16 at 1:46
















          $begingroup$
          Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
          $endgroup$
          – jnm2
          Apr 15 at 13:48





          $begingroup$
          Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
          $endgroup$
          – jnm2
          Apr 15 at 13:48













          $begingroup$
          And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
          $endgroup$
          – jnm2
          Apr 15 at 14:09





          $begingroup$
          And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
          $endgroup$
          – jnm2
          Apr 15 at 14:09













          $begingroup$
          @jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
          $endgroup$
          – forest
          Apr 16 at 1:46





          $begingroup$
          @jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
          $endgroup$
          – forest
          Apr 16 at 1:46












          5












          $begingroup$


          Am I missing anything?




          No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



          BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






          share|improve this answer









          $endgroup$












          • $begingroup$
            I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
            $endgroup$
            – forest
            Apr 15 at 8:04
















          5












          $begingroup$


          Am I missing anything?




          No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



          BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






          share|improve this answer









          $endgroup$












          • $begingroup$
            I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
            $endgroup$
            – forest
            Apr 15 at 8:04














          5












          5








          5





          $begingroup$


          Am I missing anything?




          No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



          BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






          share|improve this answer









          $endgroup$




          Am I missing anything?




          No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



          BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Apr 14 at 22:57









          ponchoponcho

          94.5k2151248




          94.5k2151248











          • $begingroup$
            I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
            $endgroup$
            – forest
            Apr 15 at 8:04

















          • $begingroup$
            I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
            $endgroup$
            – forest
            Apr 15 at 8:04
















          $begingroup$
          I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
          $endgroup$
          – forest
          Apr 15 at 8:04





          $begingroup$
          I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
          $endgroup$
          – forest
          Apr 15 at 8:04












          1












          $begingroup$

          Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?



          As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.



          There are two simple ways you can take:



          a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).



          b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.



          The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.






          share|improve this answer









          $endgroup$












          • $begingroup$
            The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
            $endgroup$
            – Martin Bonner
            Apr 15 at 9:52










          • $begingroup$
            @MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
            $endgroup$
            – forest
            Apr 15 at 9:53










          • $begingroup$
            @MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
            $endgroup$
            – Tom
            Apr 15 at 9:56










          • $begingroup$
            Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.
            $endgroup$
            – jnm2
            Apr 15 at 14:01











          • $begingroup$
            @jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
            $endgroup$
            – Tom
            Apr 15 at 18:44















          1












          $begingroup$

          Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?



          As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.



          There are two simple ways you can take:



          a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).



          b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.



          The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.






          share|improve this answer









          $endgroup$












          • $begingroup$
            The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
            $endgroup$
            – Martin Bonner
            Apr 15 at 9:52










          • $begingroup$
            @MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
            $endgroup$
            – forest
            Apr 15 at 9:53










          • $begingroup$
            @MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
            $endgroup$
            – Tom
            Apr 15 at 9:56










          • $begingroup$
            Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.
            $endgroup$
            – jnm2
            Apr 15 at 14:01











          • $begingroup$
            @jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
            $endgroup$
            – Tom
            Apr 15 at 18:44













          1












          1








          1





          $begingroup$

          Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?



          As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.



          There are two simple ways you can take:



          a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).



          b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.



          The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.






          share|improve this answer









          $endgroup$



          Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?



          As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.



          There are two simple ways you can take:



          a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).



          b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.



          The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Apr 15 at 7:49









          TomTom

          24716




          24716











          • $begingroup$
            The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
            $endgroup$
            – Martin Bonner
            Apr 15 at 9:52










          • $begingroup$
            @MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
            $endgroup$
            – forest
            Apr 15 at 9:53










          • $begingroup$
            @MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
            $endgroup$
            – Tom
            Apr 15 at 9:56










          • $begingroup$
            Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.
            $endgroup$
            – jnm2
            Apr 15 at 14:01











          • $begingroup$
            @jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
            $endgroup$
            – Tom
            Apr 15 at 18:44
















          • $begingroup$
            The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
            $endgroup$
            – Martin Bonner
            Apr 15 at 9:52










          • $begingroup$
            @MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
            $endgroup$
            – forest
            Apr 15 at 9:53










          • $begingroup$
            @MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
            $endgroup$
            – Tom
            Apr 15 at 9:56










          • $begingroup$
            Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.
            $endgroup$
            – jnm2
            Apr 15 at 14:01











          • $begingroup$
            @jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
            $endgroup$
            – Tom
            Apr 15 at 18:44















          $begingroup$
          The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
          $endgroup$
          – Martin Bonner
          Apr 15 at 9:52




          $begingroup$
          The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
          $endgroup$
          – Martin Bonner
          Apr 15 at 9:52












          $begingroup$
          @MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
          $endgroup$
          – forest
          Apr 15 at 9:53




          $begingroup$
          @MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
          $endgroup$
          – forest
          Apr 15 at 9:53












          $begingroup$
          @MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
          $endgroup$
          – Tom
          Apr 15 at 9:56




          $begingroup$
          @MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
          $endgroup$
          – Tom
          Apr 15 at 9:56












          $begingroup$
          Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.
          $endgroup$
          – jnm2
          Apr 15 at 14:01





          $begingroup$
          Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.
          $endgroup$
          – jnm2
          Apr 15 at 14:01













          $begingroup$
          @jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
          $endgroup$
          – Tom
          Apr 15 at 18:44




          $begingroup$
          @jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
          $endgroup$
          – Tom
          Apr 15 at 18:44

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Helsingborg Esperantistoj el Helsingborg | Vidu ankaŭ | Navigada menuo1 ŝanĝostabila versiopatrolita1 ŝanĝostabila versiopatrolita56°03′N 12°42′O  /  56.05°N, 12.7°O / 56.05; 12.7 (Helsingborg)56°03′N 12°42′O  /  56.05°N, 12.7°O / 56.05; 12.7 (Helsingborg)Helsingborg en la Vikimedia KomunejoKategorio Helsingborg en la Vikimedia KomunejoHelsingborg en la Vikimedia KomunejoKategorio Helsingborg en la Vikimedia Komunejo

          Image
          12° E56° NSkanioUrboj de Svedio SvedioSkanioÖresunddanaHelsingør (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003EKaŝiu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="eo" dir="ltr"u003Eu003Ctable style="text-align:center; width:100%; background:#90EE90; border:1px solid #ccc; margin-bottom:12px; -webkit-border-radius:7px; -moz-border-radius:7px; border-radius:7px; padding:6px;"u003Ennu003Ctbodyu003Eu003Ctru003Enu003Ctd style="text-align:center; width:30px; padding:5px"u003Eu003Ca href="/wiki/Helpo:Enhavo" title="Helpo:Enhavo"u003Eu003Cimg alt="Wiki-help.png" src="//upload.wikimedia.org/wikipedia
          Read more

          Linux Checkpoint SNX tool configuration issuesgetting Checkpoint VPN SSL Network Extender working in the command lineL2TP IPsec VPN client configurationOpenvpn stops respondingIssues with getting a tun0 connection to route any and all connections from eth0 to be made to this interface and if not working dropHow to setup port forwarding properly in FreeBsd 11?Getting certificate verify failed error in a Python applicationssh is unable to connect to server in VPNVPN SSL Network Extender in Firefoxgetting Checkpoint VPN SSL Network Extender working in the command lineisc-dhcp-server configurationUsing Checkpoint VPN SSL Network Extender CLI with certificate

          Image
          How can I prevent hyper evolved versions of regular creatures from wiping out their cousins? Why are electrically insulating heatsinks so rare? Is it just cost? Has there ever been an airliner design involving reducing generator load by installing solar panels? What to put in ESTA if staying in US for a few days before going on to Canada What about the virus in 12 Monkeys? How do conventional missiles fly? Brothers & sisters Why is Collection not simply treated as Collection<?> Is there a hemisphere-neutral way of specifying a season? Is it unprofessional to ask if a job posting on GlassDoor is real? What is the intuition behind short exact sequences of groups; in particular, what is the intuition behind group extensions? Why doesn't H₄O²⁺ exist? Why is it a bad idea to hire a hitman to eliminate most corrupt politicians? Theorems that impeded progress How to draw the figure with four pentagons? What is the most common color to indicate the i
          Read more

          NetworkManager fails with “Could not find source connection”Trouble connecting to VPN using network-manager, while command line worksHow can I be notified about state changes to a VPN adapterBacktrack 5 R3 - Refuses to connect to VPNFeed all traffic through OpenVPN for a specific network namespace onlyRun daemon on startup in Debian once openvpn connection establishedpfsense tcp connection between openvpn and lan is brokenInternet connection problem with web browsers onlyWhy does NetworkManager explicitly support tun/tap devices?Browser issues with VPNTwo IP addresses assigned to the same network card - OpenVPN issues?Cannot connect to WiFi with nmcli, although secrets are provided

          Image
          What typically incentivizes a professor to change jobs to a lower ranking university? Reorder a Master List Based on a Reordered Subset How does one intimidate enemies without having the capacity for violence? Is it possible to do 50 km distance without any previous training? Java Casting: Java 11 throws LambdaConversionException while 1.8 does not How much RAM could one put in a typical 80386 setup? Is it legal for company to use my work email to pretend I still work there? Are astronomers waiting to see something in an image from a gravitational lens that they've already seen in an adjacent image? How is it possible to have an ability score that is less than 3? Why does Kotter return in Welcome Back Kotter? Can I ask the recruiters in my resume to put the reason why I am rejected? Why is consensus so controversial in Britain? Which country benefited the most from UN Security Council vetoes? Do infinite dimensional systems make sense? What's the poi
          Read more