Can a zero nonce be safely used with AES-GCM if the key is random and never used again? ...

Single author papers against my advisor's will?

What LEGO pieces have "real-world" functionality?

What do you call a plan that's an alternative plan in case your initial plan fails?

Communication vs. Technical skills ,which is more relevant for today's QA engineer positions?

Why does this iterative way of solving of equation work?

Two different pronunciation of "понял"

Who can trigger ship-wide alerts in Star Trek?

How can I protect witches in combat who wear limited clothing?

Can the prologue be the backstory of your main character?

How to market an anarchic city as a tourism spot to people living in civilized areas?

Can a 1st-level character have an ability score above 18?

How are presidential pardons supposed to be used?

Is there a documented rationale why the House Ways and Means chairman can demand tax info?

When is phishing education going too far?

Windows 10: How to Lock (not sleep) laptop on lid close?

Stop battery usage [Ubuntu 18]

Would an alien lifeform be able to achieve space travel if lacking in vision?

How do I automatically answer y in bash script?

When communicating altitude with a '9' in it, should it be pronounced "nine hundred" or "niner hundred"?

Are my PIs rude or am I just being too sensitive?

What is the electric potential inside a point charge?

If I can make up priors, why can't I make up posteriors?

Can't figure this one out.. What is the missing box?

Replacing HDD with SSD; what about non-APFS/APFS?



Can a zero nonce be safely used with AES-GCM if the key is random and never used again?



Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Announcing the arrival of Valued Associate #679: Cesar Manara
Unicorn Meta Zoo #1: Why another podcast?AES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message












1












$begingroup$


I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?






aes initialization-vector gcm nonce aes-gcm







share|improve this question









$endgroup$

















    1












    $begingroup$


    I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



    The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



    If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?






    aes initialization-vector gcm nonce aes-gcm







    share|improve this question









    $endgroup$















      1












      1








      1





      $begingroup$


      I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



      The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



      If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?






      aes initialization-vector gcm nonce aes-gcm







      share|improve this question









      $endgroup$




      I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.



      The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.



      If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?






      aes initialization-vector gcm nonce aes-gcm




      aes initialization-vector gcm nonce aes-gcm






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 31 mins ago









      jnm2jnm2

      28938




      28938






















          1 Answer
          1






          active

          oldest

          votes


















          2












          $begingroup$


          Am I missing anything?




          No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



          BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






          share|improve this answer









          $endgroup$














            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "281"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2












            $begingroup$


            Am I missing anything?




            No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



            BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






            share|improve this answer









            $endgroup$


















              2












              $begingroup$


              Am I missing anything?




              No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



              BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






              share|improve this answer









              $endgroup$
















                2












                2








                2





                $begingroup$


                Am I missing anything?




                No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



                BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.






                share|improve this answer









                $endgroup$




                Am I missing anything?




                No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.



                BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 26 mins ago









                ponchoponcho

                94.1k2148247




                94.1k2148247






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Cryptography Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    Use MathJax to format equations. MathJax reference.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Gersau Kjelder | Navigasjonsmeny46°59′0″N 8°31′0″E46°59′0″N...

                    Image
                    Tidlegare republikkarSkipingar i 1433Kommunar i SchwyzDistrikt i SchwyzNedleggingar i 1798Stader ved Vierwaldstättersee kommunekantonenSchwyzSveitskm²VierwaldstätterseeLauerz Gersau Kommunevåpenet til Gersau Plassering Styresmakter Land   Sveits Kanton kantonen Schwyz Distrikt Gersau Språk tysk Geografi Flatevidd  - kommune 23,70 km² Innbyggjarar  - kommune (desember 2010)    - folketettleik 2 094   88,4 /km² Koordinatar 46°59′0″N 8°31′0″E  Koordinatar: 46°59′0″N 8°31′0″E  Høgd over havet 435 moh Diverse annan informasjon Postnummer 6442 Nettstad: www.gersau.ch Freistaat und Republik Gersau Fristaten og republikken Gersau By-republikk og alliert protektorat i Det gamle sveitsiske eidsforundet ←   ← 1433–1798 1814–1818 →   → Hovudstad Gersau Styreform Republikk Historisk periode Tidleg moderne tid  - Kjøpte fridom frå
                    Read more

                    Hestehale Innhaldsliste Hestehale på kvinner | Hestehale på menn | Galleri | Sjå òg |...

                    Image
                    Frisyrar frisyrehårhårstrikkhårklemmerøyrethesthovudverkeuropeisk motejobbtreningfletterparykkarungdomsopprørmotkulturmusikararmotorsykkelentusiastarpolitietpolitiskforretningverksemdfiskeflette Hestehale sett bakfrå. Hestehale på ein mannleg indianarleiar. Hestehale er ein frisyre der ein samlar det meste eller alt av langt hår [1] i bakhovudet med ein hårstrikk eller liknande. Avhengig av mote kan det òg vere vanleg å sette opp hestehalen med hårklemmer eller å ha hestehalen hengande på den eine sida av hovudet ved å samle håret ved øyret. Hestehale er ein vanleg frisyre for jenter og for gutar med langt hår. Han har fått namnet sitt etter likskapen med halen på ein hest. For stramme hestehaler kan føre til hårtap, [2] i nokre høve også hovudverk. [3] Innhaldsliste 1 Hestehale på kvinner 2 Hestehale på menn 3 Galleri 4 Sjå òg 5 Bakgrunnsstoff 6 Kjelder Hestehale på kvinner | Ungjente med hestehale som held håret unna ansiktet
                    Read more

                    What is the “three and three hundred thousand syndrome”?Who wrote the book Arena?What five creatures were...

                    Image
                    What happens when the centripetal force is equal and opposite to the centrifugal force? Why is "la Gestapo" feminine? Nested Dynamic SOQL Query How are passwords stolen from companies if they only store hashes? Exposing a company lying about themselves in a tightly knit industry: Is my career at risk on the long run? Can "few" be used as a subject? If so, what is the rule? Why are there no stars visible in cislunar space? categorizing a variable turns it from insignificant to significant Do I need an EFI partition for each 18.04 ubuntu I have on my HD? What are the consequences of changing the number of hours in
                    Read more