Sfrgttk

Communication vs. Technical skills ,which is more relevant for today's QA engineer positions?

Aligning matrix of nodes with grid

How is simplicity better than precision and clarity in prose?

Am I ethically obligated to go into work on an off day if the reason is sudden?

What to do with post with dry rot?

Using "nakedly" instead of "with nothing on"

Working around an AWS network ACL rule limit

Is it possible to ask for a hotel room without minibar/extra services?

Why don't the Weasley twins use magic outside of school if the Trace can only find the location of spells cast?

What do you call a plan that's an alternative plan in case your initial plan fails?

How does modal jazz use chord progressions?

Statistical model of ligand substitution

When is phishing education going too far?

Can smartphones with the same camera sensor have different image quality?

I'm thinking of a number

Stop battery usage [Ubuntu 18]

How can I make names more distinctive without making them longer?

How do I automatically answer y in bash script?

Two different pronunciation of "понял"

What is the electric potential inside a point charge?

Can a zero nonce be safely used with AES-GCM if the key is random and never used again?

How did the aliens keep their waters separated?

What's the point in a preamp?

Determine whether f is a function, an injection, a surjection

Can a zero nonce be safely used with AES-GCM if the key is random and never used again?

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 47 mins ago

jnm2jnm2

28938

$endgroup$

add a comment | 

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 47 mins ago

jnm2jnm2

28938

$endgroup$

add a comment | 

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 47 mins ago

jnm2jnm2

28938

$endgroup$

share|improve this question

asked 47 mins ago

jnm2jnm2

28938

share|improve this question

asked 47 mins ago

jnm2jnm2

28938

asked 47 mins ago

jnm2jnm2

28938

asked 47 mins ago

jnm2jnm2

28938

1 Answer
1

active

oldest

votes

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 42 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 42 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 42 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 42 mins ago

ponchoponcho

94.1k2148247

$endgroup$

share|improve this answer

answered 42 mins ago

ponchoponcho

94.1k2148247

answered 42 mins ago

ponchoponcho

94.1k2148247

answered 42 mins ago

ponchoponcho

94.1k2148247