Ggthjy

Stop battery usage [Ubuntu 18]

What do you call the holes in a flute?

How do I keep my slimes from escaping their pens?

Writing Thesis: Copying from published papers

How can players take actions together that are impossible otherwise?

What is the largest species of polychaete?

Can the prologue be the backstory of your main character?

Active filter with series inductor and resistor - do these exist?

Estimate capacitor parameters

Am I ethically obligated to go into work on an off day if the reason is sudden?

Single author papers against my advisor's will?

What's the difference between (size_t)-1 and ~0?

How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time

Do we know why communications with Beresheet and NASA were lost during the attempted landing of the Moon lander?

If A makes B more likely then B makes A more likely"

Limit for e and 1/e

What's the point in a preamp?

Area of a 2D convex hull

Passing functions in C++

Can I throw a sword that doesn't have the Thrown property at someone?

3 doors, three guards, one stone

How does modal jazz use chord progressions?

What computer would be fastest for Mathematica Home Edition?

Notation for two qubit composite product state

Can a zero nonce be safely used with AES-GCM if the key is random and never used again?

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

$endgroup$

add a comment | 

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

$endgroup$

add a comment | 

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

$endgroup$

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

share|improve this question

asked 2 hours ago

jnm2jnm2

28938

asked 2 hours ago

jnm2jnm2

28938

asked 2 hours ago

jnm2jnm2

28938

1 Answer
1

active

oldest

votes

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 2 hours ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 2 hours ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 2 hours ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 2 hours ago

ponchoponcho

94.1k2148247

$endgroup$

share|improve this answer

answered 2 hours ago

ponchoponcho

94.1k2148247

answered 2 hours ago

ponchoponcho

94.1k2148247

answered 2 hours ago

ponchoponcho

94.1k2148247