Gdtyjr

Array/tabular for long multiplication

Need a suitable toxic chemical for a murder plot in my novel

Notation for two qubit composite product state

Limit for e and 1/e

Stars Make Stars

3 doors, three guards, one stone

Can I throw a sword that doesn't have the Thrown property at someone?

What's the point in a preamp?

Does a C shift expression have unsigned type? Why would Splint warn about a right-shift?

Cold is to Refrigerator as warm is to?

ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?

What do you call a plan that's an alternative plan in case your initial plan fails?

If A makes B more likely then B makes A more likely"

Why don't the Weasley twins use magic outside of school if the Trace can only find the location of spells cast?

When is phishing education going too far?

When communicating altitude with a '9' in it, should it be pronounced "nine hundred" or "niner hundred"?

What are the performance impacts of 'functional' Rust?

Was credit for the black hole image misattributed?

What would be Julian Assange's expected punishment, on the current English criminal law?

How are presidential pardons supposed to be used?

What was the last x86 CPU that did not have the x87 floating-point unit built in?

How can I make names more distinctive without making them longer?

Why does tar appear to skip file contents when output file is /dev/null?

Two different pronunciation of "понял"

Can a zero nonce be safely used with AES-GCM if the key is random and never used again?

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 26 mins ago

jnm2jnm2

28938

$endgroup$

add a comment | 

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 26 mins ago

jnm2jnm2

28938

$endgroup$

add a comment | 

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 26 mins ago

jnm2jnm2

28938

$endgroup$

share|improve this question

asked 26 mins ago

jnm2jnm2

28938

share|improve this question

asked 26 mins ago

jnm2jnm2

28938

asked 26 mins ago

jnm2jnm2

28938

asked 26 mins ago

jnm2jnm2

28938

1 Answer
1

active

oldest

votes

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 21 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 21 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 21 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 21 mins ago

ponchoponcho

94.1k2148247

$endgroup$

share|improve this answer

answered 21 mins ago

ponchoponcho

94.1k2148247

answered 21 mins ago

ponchoponcho

94.1k2148247

answered 21 mins ago

ponchoponcho

94.1k2148247