Rrerku

Can the prologue be the backstory of your main character?

Losing the Initialization Vector in Cipher Block Chaining

Am I ethically obligated to go into work on an off day if the reason is sudden?

Autumning in love

Direct Experience of Meditation

Problem when applying foreach loop

What is the electric potential inside a point charge?

Can I throw a sword that doesn't have the Thrown property at someone?

What computer would be fastest for Mathematica Home Edition?

How can I protect witches in combat who wear limited clothing?

Windows 10: How to Lock (not sleep) laptop on lid close?

Two different pronunciation of "понял"

Are my PIs rude or am I just being too sensitive?

What was the last x86 CPU that did not have the x87 floating-point unit built in?

How do I automatically answer y in bash script?

How to market an anarchic city as a tourism spot to people living in civilized areas?

How to colour the US map with Yellow, Green, Red and Blue to minimize the number of states with the colour of Green

Can a 1st-level character have an ability score above 18?

Estimated State payment too big --> money back; + 2018 Tax Reform

Classification of bundles, Postnikov towers, obstruction theory, local coefficients

Do working physicists consider Newtonian mechanics to be "falsified"?

How to retrograde a note sequence in Finale?

What items from the Roman-age tech-level could be used to deter all creatures from entering a small area?

How is simplicity better than precision and clarity in prose?

Can a zero nonce be safely used with AES-GCM if the key is random and never used again?

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 1 hour ago

jnm2jnm2

28938

$endgroup$

add a comment | 

1

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 1 hour ago

jnm2jnm2

28938

$endgroup$

add a comment | 

$begingroup$

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.

The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.

If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?

aes initialization-vector gcm nonce aes-gcm

share|improve this question

asked 1 hour ago

jnm2jnm2

28938

$endgroup$

share|improve this question

asked 1 hour ago

jnm2jnm2

28938

share|improve this question

asked 1 hour ago

jnm2jnm2

28938

asked 1 hour ago

jnm2jnm2

28938

asked 1 hour ago

jnm2jnm2

28938

1 Answer
1

active

oldest

votes

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 59 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 59 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

2

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 59 mins ago

ponchoponcho

94.1k2148247

$endgroup$

add a comment | 

$begingroup$

Am I missing anything?

No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.

BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.

share|improve this answer

answered 59 mins ago

ponchoponcho

94.1k2148247

$endgroup$

share|improve this answer

answered 59 mins ago

ponchoponcho

94.1k2148247

answered 59 mins ago

ponchoponcho

94.1k2148247

answered 59 mins ago

ponchoponcho

94.1k2148247