Mrthfx

Stars Make Stars

Can the prologue be the backstory of your main character?

When is phishing education going too far?

What are the performance impacts of 'functional' Rust?

Strange behaviour of Check

How does modal jazz use chord progressions?

How are presidential pardons supposed to be used?

How should I respond to a player wanting to catch a sword between their hands?

When communicating altitude with a '9' in it, should it be pronounced "nine hundred" or "niner hundred"?

Working around an AWS network ACL rule limit

How can I make names more distinctive without making them longer?

Slither Like a Snake

Can I throw a sword that doesn't have the Thrown property at someone?

Replacing HDD with SSD; what about non-APFS/APFS?

Why does this iterative way of solving of equation work?

How do I keep my slimes from escaping their pens?

Losing the Initialization Vector in Cipher Block Chaining

Is it possible to ask for a hotel room without minibar/extra services?

How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time

3 doors, three guards, one stone

Was credit for the black hole image misattributed?

Stop battery usage [Ubuntu 18]

Single author papers against my advisor's will?

Active filter with series inductor and resistor - do these exist?

Can a zero nonce be safely used with AES-GCM if the key is random and never used again?

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

$endgroup$

add a comment | 

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

$endgroup$

add a comment | 

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

$endgroup$

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

asked 2 hours ago

jnm2jnm2

28938

asked 2 hours ago

jnm2jnm2

28938

1 Answer
1

active

oldest

votes

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 1 hour ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 1 hour ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 1 hour ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 1 hour ago

ponchoponcho

94.1k2148247

$endgroup$

share|improve this answer

answered 1 hour ago

ponchoponcho

94.1k2148247

answered 1 hour ago

ponchoponcho

94.1k2148247

answered 1 hour ago

ponchoponcho

94.1k2148247