Can a zero nonce be safely used with AES-GCM if the key is random and never used again? Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?AES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message

Autumning in love

If I can make up priors, why can't I make up posteriors?

Why does tar appear to skip file contents when output file is /dev/null?

3 doors, three guards, one stone

Strange behaviour of Check

How should I respond to a player wanting to catch a sword between their hands?

What LEGO pieces have "real-world" functionality?

Losing the Initialization Vector in Cipher Block Chaining

ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?

Cold is to Refrigerator as warm is to?

When communicating altitude with a '9' in it, should it be pronounced "nine hundred" or "niner hundred"?

Am I ethically obligated to go into work on an off day if the reason is sudden?

Using "nakedly" instead of "with nothing on"

How to rotate it perfectly?

Is there folklore associating late breastfeeding with low intelligence and/or gullibility?

Can a zero nonce be safely used with AES-GCM if the key is random and never used again?

Estimate capacitor parameters

Slither Like a Snake

Can I throw a sword that doesn't have the Thrown property at someone?

Writing Thesis: Copying from published papers

Statistical model of ligand substitution

Fishing simulator

Estimated State payment too big --> money back; + 2018 Tax Reform

Limit for e and 1/e



Can a zero nonce be safely used with AES-GCM if the key is random and never used again?



Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Announcing the arrival of Valued Associate #679: Cesar Manara
Unicorn Meta Zoo #1: Why another podcast?AES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message










1












$begingroup$


I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?










share|improve this question









$endgroup$
















    1












    $begingroup$


    I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



    The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



    If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?










    share|improve this question









    $endgroup$














      1












      1








      1





      $begingroup$


      I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



      The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



      If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?










      share|improve this question









      $endgroup$




      I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



      The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



      If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?







      aes initialization-vector gcm nonce aes-gcm






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 43 mins ago









      jnm2jnm2

      28938




      28938




















          1 Answer
          1






          active

          oldest

          votes


















          2












          $begingroup$


          Am I missing anything?




          No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



          BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






          share|improve this answer









          $endgroup$













            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "281"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2












            $begingroup$


            Am I missing anything?




            No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



            BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






            share|improve this answer









            $endgroup$

















              2












              $begingroup$


              Am I missing anything?




              No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



              BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






              share|improve this answer









              $endgroup$















                2












                2








                2





                $begingroup$


                Am I missing anything?




                No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



                BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






                share|improve this answer









                $endgroup$




                Am I missing anything?




                No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



                BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 39 mins ago









                ponchoponcho

                94.1k2148247




                94.1k2148247



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Cryptography Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    Use MathJax to format equations. MathJax reference.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Dapidodigma demeter Subspecies | Notae | Tabula navigationisDapidodigmaAfrotropical Butterflies: Lycaenidae - Subtribe IolainaAmplifica

                    Constantinus Vanšenkin Nexus externi | Tabula navigationisБольшая российская энциклопедияAmplifica

                    Gaius Norbanus Flaccus (consul 38 a.C.n.) Index De gente | De cursu honorum | Notae | Fontes | Si vis plura legere | Tabula navigationisHic legere potes