Questions tagged [nonce]
A "nonce" (number used once) is a value that must not repeat within the context of a specific cryptographic scheme, usually per key. Nonces are used e.g. in authentication protocols to prevent replay attacks, in stream ciphers and counter-based modes (CTR, AES-GCM) to avoid keystream reuse, and as the per-signature secret k in ECDSA, where a repeated or partially leaked nonce allows recovery of the private key. Whether a nonce must also be secret or unpredictable depends on the scheme: a CTR nonce only has to be unique, while an ECDSA nonce has to be uniformly random and secret as well.
223 questions
3 votes
0 answers
111 views
Circumventing birthday bounds in AES-GCM?
I'm looking at using AES-256-GCM to encrypt data at rest (in a database) with logged-in user IDs (among possibly other things) as the authenticated data. I'd like the application to (eventually) ...
1 vote
0 answers
92 views
Is it possible to get the parity of the nonce used in an ECDSA signature without knowing k?
This question stems from my recent research work; I've tried different methods. Is it possible to accurately know or get the parity (even or odd) of k (the nonce) using r, s and z? If yes, please ...
0 votes
0 answers
95 views
What’s the minimal size of a nonce leakage so that the private key can be recovered from a single signature in practice?
There are a lot of papers on how to recover a private key from a nonce leakage in an ecdsa signature given a signed message. The fewer bits are known the more signatures are required. If I don’t know ...
0 votes
1 answer
157 views
Is it possible to recover the private keys if 2 signature share a common nonce?
It’s well known that in ECDSA, if two signatures are created using the same private key and the same nonce k, the private key can be recovered due to the linear ...
1 vote
0 answers
111 views
How do you improve the multi-user security of an AEAD scheme using the nonce?
There have been a few Q&As on this site regarding whether fixed (e.g., all-zero) nonces are safe with key rotation every encryption and some mention of protocols, like TLS, incorporating ...
1 vote
1 answer
210 views
What are the other cases of nonce reuse in ECDSA?
We do know about the common case or vulnerability of the nonce reuse in two signatures of an address transaction which leads to calculation of $k$ and retrieval of the private key. Apart from that ...
0 votes
1 answer
154 views
Given five different addresses with a common r, how do I eliminate k and solve for d1 precisely?
I'm kind of confused about this issue of nonce reuse; don't mind me because I'm a newbie. OK, first let me explain my case in detail. I have a peculiar scenario of nonce reuse different from the normal ...
0 votes
1 answer
210 views
Nonce (r) Reuse and Private Key Security: A Risk for P2PKH Addresses?
I have a question regarding nonce (r) reuse in ECDSA signatures and the potential risk of private key leakage. Specifically, I'm looking into transactions using P2PKH addresses and whether reusing the ...
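Several of the questions above (two signatures sharing a common nonce, five addresses with a common r, nonce (r) reuse for P2PKH addresses) ask about the same computation. The following is an added worked example, not taken from any of those questions or their answers: textbook ECDSA over secp256k1 in pure Python, with the nonce passed in explicitly so the reuse can be staged, followed by the recovery of the private key from the two signatures. The private key, nonce and messages are constructed for the demo; the handling of a low-s normalised signature (trying n - s as well as s) is an assumption about how the observed signatures may have been normalised, checked against the public key.

```python
import hashlib

# secp256k1 domain parameters (the curve behind the P2PKH addresses mentioned above)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    return pow(a, -1, m)  # modular inverse, Python 3.8+


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, k, msg):
    """Textbook ECDSA with an explicit nonce k, so that the reuse can be staged deliberately."""
    z = msg_hash(msg)
    r = mul(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    w = inv(s, N)
    z = msg_hash(msg)
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(pub, msg1, sig1, msg2, sig2):
    """Two signatures under one key with the same k (hence the same r):
        s1 - s2 = k^-1 (z1 - z2)   =>   k = (z1 - z2) / (s1 - s2)
        d = (s1 * k - z1) / r
    A low-s normalised signature may carry n - s instead of s, which corresponds to the
    nonce -k, so both signs of s2 are tried and each candidate is checked against pub."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("r differs: the nonces were not reused, nothing to recover")
    z1, z2 = msg_hash(msg1), msg_hash(msg2)
    for s2c in (s2, N - s2):
        if (s1 - s2c) % N == 0:
            continue  # same message and same nonce: identical signatures, no information
        k = (z1 - z2) * inv((s1 - s2c) % N, N) % N
        d = (s1 * k - z1) * inv(r1, N) % N
        if mul(d, G) == pub:
            return d
    return None


# Constructed demo values (arbitrary private key and nonce, not from any real address).
PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
NONCE = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
PUB = mul(PRIV, G)
MSG1, MSG2 = b"spend output 1", b"spend output 2"


def demo():
    """Sign two different messages with the same nonce and recover PRIV from the signatures alone."""
    sig1 = sign(PRIV, NONCE, MSG1)
    sig2 = sign(PRIV, NONCE, MSG2)
    assert sig1[0] == sig2[0]  # the shared r is the visible symptom on chain
    return recover_private_key(PUB, MSG1, sig1, MSG2, sig2)


if __name__ == "__main__":
    print(demo() == PRIV)
```

The same algebra applies whether the two signatures sit in one transaction or in different transactions from the same address: all that matters is one key, one k, two different message hashes. Since r and s are public, the check "does this r appear twice under the same public key" is the practical detection test; the recovery needs no knowledge of k itself.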
1 vote
3 answers
306 views
Can I iteratively generate AES GCM nonce? Encrypting nonce? Use nonce to prevent replay attacks?
I'm creating a protocol for securely sharing files peer to peer. I will use RSA OAEP to perform a handshake between peers, then use AES GCM to share the files. I watched this video about how GCM works ...
1 vote
1 answer
240 views
AES-GCM-SIV nonce reuse
I'm trying to understand exactly what nonce-misuse AES-GCM-SIV mode mitigates. Wikipedia says, "In the event a nonce is misused (i.e., used more than once), nothing is revealed except in the ...
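The tag description and the AES-GCM questions in this list (iteratively generated GCM nonces, AES-GCM-SIV nonce reuse) turn on one fact: under a single key, a repeated nonce repeats the keystream. The following is an added example, not code from any listed question or answer: a toy CTR-style keystream built from SHA-256 as a dependency-free stand-in for AES-CTR or the encryption half of AES-GCM, the two-time-pad recovery that a repeated nonce enables, and a counter-based 96-bit nonce sequence of the kind asked about above that refuses to wrap and enforces a per-key budget. The key, plaintexts and nonce layout (32-bit fixed field followed by a 64-bit counter) are constructed for the demo.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: block i = SHA-256(key || nonce || i).
    Stand-in for AES-CTR / AES-GCM so the example runs without extra libraries;
    the consequence of a repeated nonce is identical for the real ciphers. Not for production use."""
    if len(nonce) != 12:
        raise ValueError("expected a 96-bit nonce")
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(data, keystream(key, nonce, len(data)))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were produced under the same (key, nonce) the keystream cancels:
    c1 XOR c2 == p1 XOR p2, with no key material needed."""
    return xor(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Knowing (or guessing) one plaintext then yields the other outright."""
    return xor(two_time_pad_leak(c1, c2), known_p1)


class NonceSequence:
    """Deterministic 96-bit nonce: 32-bit fixed field (e.g. a sender id unique per key)
    || 64-bit invocation counter. It never wraps, and a caller-chosen budget forces key
    rotation long before the counter could repeat. The counter state must be persisted or
    the key must change on restart: a counter that restarts at 0 is a nonce reuse."""

    def __init__(self, fixed: int, budget: int = 2 ** 32):
        if not 0 <= fixed < 2 ** 32:
            raise ValueError("fixed field must fit in 32 bits")
        self.fixed = fixed
        self.counter = 0
        self.budget = budget

    def remaining(self) -> int:
        return self.budget - self.counter

    def next(self) -> bytes:
        if self.counter >= self.budget:
            raise RuntimeError("nonce budget exhausted: rotate the key, do not restart the counter")
        nonce = self.fixed.to_bytes(4, "big") + self.counter.to_bytes(8, "big")
        self.counter += 1
        return nonce


# Constructed demo inputs (two 16-byte plaintexts, arbitrary key).
KEY = b"\x11" * 32
P1 = b"attack at dawn!!"
P2 = b"retreat at dusk!"


def demo_reuse() -> bytes:
    """Encrypt two messages under one nonce and recover P2 from the ciphertexts plus P1."""
    nonce = NonceSequence(fixed=7).next()
    c1 = encrypt(KEY, nonce, P1)
    c2 = encrypt(KEY, nonce, P2)
    return recover_with_crib(c1, c2, P1)


def demo_fresh() -> bool:
    """Same two messages with consecutive nonces: c1 XOR c2 no longer equals P1 XOR P2."""
    seq = NonceSequence(fixed=7)
    c1 = encrypt(KEY, seq.next(), P1)
    c2 = encrypt(KEY, seq.next(), P2)
    return two_time_pad_leak(c1, c2) == xor(P1, P2)


if __name__ == "__main__":
    print(demo_reuse())  # b'retreat at dusk!'
    print(demo_fresh())  # False
```

With real AES-GCM the damage from a repeated nonce goes beyond the plaintext leak shown here: it also exposes the GHASH authentication key and so allows tag forgeries, which is the reason the counter must be managed as strictly as the key. A random 96-bit nonce avoids the state-keeping problem but runs into the birthday bound after about 2^32 messages under one key, which is what the budget in NonceSequence and the key rotation it forces are there for; AES-GCM-SIV confines a repeat to revealing whether two plaintexts were equal, but it does not make repeats harmless.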
1 vote
0 answers
65 views
Tweakable Block Ciphers, Nonces and KDF Key Schedules
What is the point of having dedicated tweakable block ciphers in lieu of XEX which does the same? Does this have something to do with why no one uses XEX with a simple counter? The tweak schedule is ...
4 votes
2 answers
467 views
Ascon-128 cipher for 64-bits unique nonces
I'm looking for a way to encrypt nonces that include a timestamp, to prevent them from leaking information. The nonces are uniquely generated in 64/96/128 bits variants. I would like the encryption to ...
2 votes
1 answer
155 views
Why are the nonce and counter always separate?
In every stream cipher (where applicable) that I know of, the counter is always separate from the nonce. What is the reason why the counter is not just part of the nonce and addition is modulo 64? ...
2 votes
3 answers
745 views
Why is there no AES-512 for CTR & variants to have good large nonces?
AES-CTR and authenticated variants tend to have a 'problem' with lacking bit real-estate for nonce & counter. Why hasn't an AES-512 variant been standardized at some point? It would allow moving ...
1 vote
0 answers
36 views
Necessary collision resistance of a nonce for replay protection
In request/response communication, replay protection can be implemented by exchanging a random number. For example, in its secure request, a client sends a random UID (nonce) to the server in addition ...