2

Suppose:

  • The "counter field" is of the form NONCE || CTR-VALUE.
  • I have multiple messages $M_a, M_b, M_c, \dots$
  • Each message can be divided into x-bit blocks ($M_{a1}, M_{a2}, M_{a3}, \dots$).

    1. Each message $M$ (for instance $M_a$) is encrypted using a randomly and uniquely generated key. In this case, do I really need the NONCE part of the "counter field"?

    2. If I really need a nonce, and knowing that each key is again unique per message, is there a secure way to derive the nonce from the key?

e-sushi
Kingland

1 Answer

2

The "once" part of the nonce in CTR mode effectively means "once for this particular key".

If you use a fresh key for each message (e.g. by encrypting it using public-key crypto or similar), you can use the same nonce for all the messages (or a size-zero nonce).

The important part is that the combination of nonce and ctr-value (i.e. what is input into the block cipher) is not repeated while using the same key.

Paŭlo Ebermann
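As an added illustration (not part of the question or answer above), a stdlib-only Python sketch of CTR mode with the counter field NONCE || CTR-VALUE from the question. Since the standard library has no AES, a keyed PRF (HMAC-SHA256 truncated to one block) stands in for the block cipher; the two demo functions are constructed here to show the answer's two cases: a fresh key per message with a size-zero nonce is fine, while one key with a repeated (nonce, ctr) input repeats the keystream.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher E_K (constructed here; the stdlib has no AES):
    # a keyed PRF truncated to one block. Only the CTR bookkeeping matters below.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def counter_block(nonce: bytes, ctr: int) -> bytes:
    # Counter field = NONCE || CTR-VALUE; a size-zero nonce is allowed.
    ctr_len = BLOCK - len(nonce)
    if ctr_len < 1:
        raise ValueError("nonce leaves no room for the counter")
    return nonce + ctr.to_bytes(ctr_len, "big")


def keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += block_encrypt(key, counter_block(nonce, ctr))
        ctr += 1
    return bytes(out[:nbytes])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR encryption and decryption are the same XOR with the keystream.
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def fresh_key_per_message(m_a: bytes, m_b: bytes) -> bool:
    # Question 1: a fresh random key per message and an empty nonce. The counter
    # blocks are identical for both messages, but the keys differ, so the
    # keystreams are independent and both ciphertexts still decrypt correctly.
    k_a, k_b = os.urandom(32), os.urandom(32)
    c_a, c_b = ctr_crypt(k_a, b"", m_a), ctr_crypt(k_b, b"", m_b)
    n = min(len(m_a), len(m_b))
    return (ctr_crypt(k_a, b"", c_a) == m_a and ctr_crypt(k_b, b"", c_b) == m_b
            and keystream(k_a, b"", n) != keystream(k_b, b"", n))


def same_key_same_nonce(m_a: bytes, m_b: bytes) -> bool:
    # The case the answer rules out: one key, a repeated (nonce, ctr) input. The
    # keystream repeats, so XOR of the two ciphertexts equals XOR of the plaintexts.
    k, nonce = os.urandom(32), b"\x00" * 8
    c_a, c_b = ctr_crypt(k, nonce, m_a), ctr_crypt(k, nonce, m_b)
    n = min(len(m_a), len(m_b))
    xored = bytes(x ^ y for x, y in zip(c_a[:n], c_b[:n]))
    return xored == bytes(x ^ y for x, y in zip(m_a[:n], m_b[:n]))
```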