Skip to content
This repository has been archived by the owner on Feb 5, 2021. It is now read-only.

Nonce Reuse Misuse Resistance

Tony Arcieri edited this page Dec 30, 2017 · 8 revisions

A nonce is a single-use value which enables securely encrypting multiple messages under the same key. Nonces need not be random: we can use a counter, so long as the values are never repeated under the same key.

Repeated use of the same nonce under the same key causes most ciphers to fail catastrophically, e.g. if a nonce is reused with AES-GCM, the resulting ciphertexts can be XORed together and the keystream will cancel out, leaving the XOR of the two plaintexts. But even worse, repeating a nonce under AES-GCM leaks the cipher’s authentication key, allowing an attacker to perpetrate chosen ciphertext attacks including message forgeries and even potentially full plaintext recovery. The XSalsa20Poly1305 and ChaCha20Poly1305 constructions, found in NaCl-family libraries such as libsodium, fail in a similarly spectacular way (despite these libraries often being described as “misuse resistant”).

Ciphers with nonce reuse misuse resistance do not fail catastrophically in this case: the only information these ciphers leak is that if the same message is encrypted with the same nonce twice under the same key, we obtain the same ciphertext. Though this information is still potentially useful to attackers and thus we should still avoid reusing nonces if possible, it is not nearly as catastrophic as what happens with ciphers like AES-GCM or ChaCha20Poly1305.

Visual Example

Non-SIV-mode ciphers based on AES-CTR (including AES-GCM) leak the XORs of plaintexts when nonce reuse occurs (taken from this @angealbertini tweet):

CTR Penguin

Another example of a "CTR Penguin" (from this @Sc00bzT tweet):

CTR Penguin 2

Clone this wiki locally