cryptography

Definition

Nonce

A nonce is a value that is intended to be used only once in a given cryptographic setting.

Role

A nonce is usually not required to be secret. Its main purpose is to ensure that repeated use of the same key does not also repeat the same cryptographic input.

In modes such as CTR and GCM, the nonce determines the keystream or authentication state. Reusing a nonce under the same key can therefore break security.

Uniqueness without secrecy

In CTR mode, the nonce may be sent together with the ciphertext. This does not by itself cause a problem. The crucial requirement is uniqueness under the same key, not secrecy.

Reuse

Nonce reuse is dangerous because it destroys the assumption that each encryption instance is fresh.

Reuse in CTR mode

Suppose

because the same key and nonce produced the same keystream. Then

The keystream cancels out, so the relation between the two plaintexts is exposed.
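As an added illustration (not part of the original page), the following Python script encrypts two messages in CTR mode under one key and one nonce and checks that the XOR of the two ciphertexts equals the XOR of the two plaintexts, alongside a small encryptor that refuses to reuse a nonce under a key. It assumes HMAC-SHA256 as the keystream function in place of a block cipher, since the standard library has no AES; the key, nonce and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key and nonce (not from the page).
KEY = bytes(range(32))
NONCE = b"\x01" * 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: F_k(nonce || counter) for counter = 0, 1, 2, ...
    Assumption: HMAC-SHA256 stands in for the block cipher (stdlib has no AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt (and decrypt: same operation) by XOR with the keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> tuple:
    """The mistake from the text: p1 and p2 encrypted under the SAME key and
    nonce. Returns (c1 XOR c2, p1 XOR p2); they are equal because the identical
    keystream cancels out, exposing the relation between the plaintexts."""
    c1 = ctr_encrypt(key, nonce, p1)
    c2 = ctr_encrypt(key, nonce, p2)
    n = min(len(c1), len(c2))
    return xor(c1[:n], c2[:n]), xor(p1[:n], p2[:n])


class NonceGuardedEncryptor:
    """Mitigation: track every nonce used under a key and refuse a repeat."""

    def __init__(self, key: bytes):
        self.key = key
        self.used = set()

    def encrypt(self, nonce: bytes, plaintext: bytes) -> bytes:
        if nonce in self.used:
            raise ValueError("nonce already used under this key")
        self.used.add(nonce)
        # The nonce is sent in the clear with the ciphertext: uniqueness under
        # the key, not secrecy, is the requirement.
        return nonce + ctr_encrypt(self.key, nonce, plaintext)
```

Where the two plaintexts share a prefix, the corresponding bytes of the ciphertext XOR are zero, which is exactly the kind of structure a nonce-unique scheme never reveals.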