
I'm generating a new random symmetric key and want to pass that to multiple people using crypto_box_easy. Is it okay to reuse the same (random) nonce for the same message and same sender but for different recipients? Can the same nonce be used for a symmetric encryption with the random key and crypto_secretbox_easy?

As the nonce has to be served along with the encrypted message it can't be hidden anyway, but is reuse across multiple different recipients a problem? If they provide a badly generated public key, can that weaken encryption in a way that other peoples' secret keys could be extracted?

Thanks a lot.

Comments on the question:

  • Welcome to Stackoverflow. Kindly see en.wikipedia.org/wiki/Cryptographic_nonce for a definition of a nonce, or in short: "nonce" means one time, so a nonce should be used only one time for whatsoever encryption (regardless of one person or multiple persons). Generate a random nonce for every single encryption and pass it together with the ciphertext to the recipient. Commented Oct 22, 2020 at 11:23
  • @MichaelFehr, actually crypto_box_easy will perform ECDH with the recipient's public key and your private key to generate a shared secret, which is then hashed to a symmetric key. Thus it's acceptable to use the same nonce once for each recipient, as each Diffie-Hellman process will generate a unique key. Commented Oct 22, 2020 at 11:36

1 Answer


A nonce can be reused as long as a (key, nonce) tuple is not reused.

You're right that reusing a nonce with the same key would result in a catastrophic loss of privacy with a stream cipher like XSalsa20.

The thing is, crypto_box_easy uses the recipient's public key to generate a shared secret that is then used with a nonce.

Thus even with a static nonce, the (nonce, key) pair for each recipient will be different.

Although it's not acceptable to use the same (nonce, key) pair twice, you can use the same nonce for each recipient, but only once.

It's acceptable to use the same nonce once for each recipient using the crypto_box_easy construct ONCE.

It even states this in the libsodium documentation:

The nonce doesn't have to be confidential, but it should be used with just one invocation of crypto_box_easy() for a particular pair of public and secret keys.

i.e. for one message per recipient.


8 Comments

  • Thanks. And reusing the same nonce for a symmetric encryption operation should be okay then, too, right?
  • So, to clarify: when you use crypto_box_easy with a recipient, you use their public key in the call to crypto_box_easy... this will generate a symmetric key. Each additional recipient has a different public key, and thus crypto_box will generate a different symmetric key per recipient. You can use the same nonce ONCE per recipient (PER KEY). If you go to send another message to the same recipient you need a NEW nonce. The only reason it's OK to use the SAME nonce ONCE with different recipients is that each recipient's symmetric key will be different, i.e. a different (key, nonce) pair.
  • Why does the documentation call a private key a "secret key"?
  • Absolutely. It's the (nonce, key) pair that must be unique, not the nonce. But I always think of the code and not just the crypto, and it seems like it would be clumsy to share a nonce between recipient keys, which makes me wonder what OP is really doing.
  • @PresidentJamesK.Polk totally agree on the code. Bad architecture to do this; I just like to give an answer which is technically accurate rather than the carte blanche "don't reuse ever", so folks understand deeper why...
