Can a zero nonce be safely used with AES-GCM if the key is random and never used again? Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?AES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message
Who can trigger ship-wide alerts in Star Trek?
Why use gamma over alpha radiation?
Unable to start mainnet node docker container
Can't figure this one out.. What is the missing box?
Windows 10: How to Lock (not sleep) laptop on lid close?
Why is there no army of Iron-Mans in the MCU?
Two different pronunciation of "понял"
Why does this iterative way of solving of equation work?
How can I protect witches in combat who wear limited clothing?
What would be Julian Assange's expected punishment, on the current English criminal law?
What computer would be fastest for Mathematica Home Edition?
Keep going mode for require-package
If A makes B more likely then B makes A more likely"
Determine whether f is a function, an injection, a surjection
Is there a documented rationale why the House Ways and Means chairman can demand tax info?
Is above average number of years spent on PhD considered a red flag in future academia or industry positions?
Statistical model of ligand substitution
Estimate capacitor parameters
Is there folklore associating late breastfeeding with low intelligence and/or gullibility?
How is simplicity better than precision and clarity in prose?
How to colour the US map with Yellow, Green, Red and Blue to minimize the number of states with the colour of Green
How does modal jazz use chord progressions?
I'm thinking of a number
Estimated State payment too big --> money back; + 2018 Tax Reform
Can a zero nonce be safely used with AES-GCM if the key is random and never used again?
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Announcing the arrival of Valued Associate #679: Cesar Manara
Unicorn Meta Zoo #1: Why another podcast?AES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message
$begingroup$
I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.
The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.
If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?
aes initialization-vector gcm nonce aes-gcm
asked 1 hour ago
jnm2jnm2
28938
$endgroup$
add a comment |
$begingroup$
I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.
The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.
If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?
aes initialization-vector gcm nonce aes-gcm
asked 1 hour ago
jnm2jnm2
28938
$endgroup$
add a comment |
$begingroup$
I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.
The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.
If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?
aes initialization-vector gcm nonce aes-gcm
asked 1 hour ago
jnm2jnm2
28938
$endgroup$
I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.
The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.
If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?
aes initialization-vector gcm nonce aes-gcm
aes initialization-vector gcm nonce aes-gcm
asked 1 hour ago
jnm2jnm2
28938
asked 1 hour ago
jnm2jnm2
28938
asked 1 hour ago
jnm2jnm2
28938
asked 1 hour ago
jnm2jnm2
28938
asked 1 hour ago
jnm2jnm2
28938
28938
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered 1 hour ago
ponchoponcho
94.1k2148247
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered 1 hour ago
ponchoponcho
94.1k2148247
$endgroup$
add a comment |
$begingroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered 1 hour ago
ponchoponcho
94.1k2148247
$endgroup$
add a comment |
$begingroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered 1 hour ago
ponchoponcho
94.1k2148247
$endgroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered 1 hour ago
ponchoponcho
94.1k2148247
answered 1 hour ago
ponchoponcho
94.1k2148247
answered 1 hour ago
ponchoponcho
94.1k2148247
answered 1 hour ago
ponchoponcho
94.1k2148247
94.1k2148247
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown