Nonce Reuse Misuse Resistance

Tony Arcieri edited this page Jan 5, 2018 · 8 revisions

A nonce is a single-use value which enables securely encrypting multiple messages under the same key. Nonces need not be random: we can use a counter, so long as the values are never repeated under the same key.

Repeated use of the same nonce under the same key causes most ciphers to fail catastrophically, e.g. if a nonce is reused with AES-GCM, the resulting ciphertexts can be XORed together and the keystream will cancel out, leaving the XOR of the two plaintexts. But even worse, repeating a nonce under AES-GCM leaks the cipher’s authentication key, allowing an attacker to perpetrate chosen ciphertext attacks including message forgeries and even potentially full plaintext recovery. The XSalsa20Poly1305 and ChaCha20Poly1305 constructions, found in NaCl-family libraries such as libsodium, fail in a similarly spectacular way (despite these libraries often being described as “misuse resistant”).

Ciphers with nonce reuse misuse resistance, such as the AES-SIV and AES-PMAC-SIV ciphers provided by this library, do not fail catastrophically in this case: the only information these ciphers leak is that if the same message is encrypted with the same nonce twice under the same key, we obtain the same ciphertext. Though this information is still potentially useful to attackers and thus we should still avoid reusing nonces if possible, it is not nearly as catastrophic as what happens with ciphers like AES-GCM, Salsa20Poly1305, or ChaCha20Poly1305.

Visual Example

Non-SIV-mode ciphers based on AES-CTR (including AES-GCM) leak the XORs of plaintexts when nonce reuse occurs (taken from this @angealbertini tweet):

CTR Penguin

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.