As a cryptographic primitive, what does a nonce provide? It seems like, at least in my understanding of it, a nonce by itself would not provide any sort of cryptographic usefulness, compared with primitives such as digital signatures or symmetric key crypto.
1 Answer
A nonce is not a cryptographic primitive. Cryptographic primitives are algorithms that are part of a cryptographic scheme. For instance, a block cipher can be a cryptographic primitive in a block cipher mode of operation. AES is a primitive in AES-GCM. Nonces are numbers-used-once; they are just a description of unique integer values (usually with a specific encoding in bytes).
AES as a block cipher is not cryptographically secure as a generic cipher (this may surprise you). The reason for this is that once the key is reused with the block cipher, it will output the same value for the same input. To be IND-CPA secure, the cipher should not output any indication about the plaintext, and outputting the same value clearly indicates that the same plaintext was used.
For this, a block cipher mode of operation can be used. Some modes of operation, such as CBC, require input indistinguishable from random. CTR and many modes derived from it, such as AES-GCM, however just require a nonce. So this is - among possibly other uses in other schemes - what a nonce provides: it makes sure that a mode of operation is secure even if the same key is used.
In general a nonce is used in cryptography to provide uniqueness within a function even when the other inputs remain identical.
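The three points in the answer above (a bare block cipher is deterministic, a CTR-derived mode such as AES-GCM becomes non-deterministic once a nonce is supplied, and the nonce therefore has to be unique per key) can be observed directly. The following Go program is an added example written for this page, not code from the answer's author; it uses only the Go standard library (`crypto/aes`, `crypto/cipher`), and the key, nonces and messages are constructed values chosen for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// FixedKey is a constructed 128-bit AES key used only for this demonstration.
var FixedKey = []byte("0123456789abcdef")

// mustAES builds an AES block cipher, panicking on a bad key length
// (the only way aes.NewCipher can fail).
func mustAES(key []byte) cipher.Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

// RawBlockEncrypt applies the bare AES block function to one 16-byte block.
// With no mode of operation and no nonce, equal inputs under the same key
// always give equal outputs: the determinism the answer describes.
func RawBlockEncrypt(key, block []byte) []byte {
	out := make([]byte, aes.BlockSize)
	mustAES(key).Encrypt(out, block)
	return out
}

// GCMSeal encrypts plaintext under key with a 12-byte nonce using AES-GCM
// (a CTR-derived mode). The nonce is what makes two encryptions of the same
// plaintext under the same key differ; the appended tag authenticates the data.
func GCMSeal(key, nonce, plaintext []byte) []byte {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, plaintext, nil)
}

// GCMOpen reverses GCMSeal; it returns an error if the ciphertext or tag
// was modified or a different nonce was supplied.
func GCMOpen(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// CTREncrypt encrypts with plain AES-CTR. CTR turns the block cipher into a
// keystream generator seeded by (key, iv), so the same (key, iv) pair always
// produces the same keystream.
func CTREncrypt(key, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(out, plaintext)
	return out
}

// XORBytes returns a XOR b over their common length.
func XORBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	block := []byte("sixteen byte blk") // constructed 16-byte input

	// 1. Bare block cipher: same key + same input => same output.
	fmt.Println("raw block deterministic:",
		bytes.Equal(RawBlockEncrypt(FixedKey, block), RawBlockEncrypt(FixedKey, block)))

	// 2. AES-GCM with two distinct (constructed) nonces:
	//    same key + same plaintext => different ciphertexts.
	nonce1 := []byte("nonce-000001")
	nonce2 := []byte("nonce-000002")
	c1 := GCMSeal(FixedKey, nonce1, block)
	c2 := GCMSeal(FixedKey, nonce2, block)
	fmt.Println("gcm ciphertexts differ:", !bytes.Equal(c1, c2))
	pt, err := GCMOpen(FixedKey, nonce1, c1)
	fmt.Println("gcm round trip ok:", err == nil && bytes.Equal(pt, block))

	// 3. The caveat: reusing a (key, iv) pair in CTR reuses the keystream, so the
	//    XOR of the two ciphertexts equals the XOR of the two plaintexts. This is
	//    why the nonce must be unique per key, not merely present.
	iv := make([]byte, aes.BlockSize) // all-zero IV, reused on purpose to show the failure
	pa := []byte("first message!!!")
	pb := []byte("second message!!")
	leak := XORBytes(CTREncrypt(FixedKey, iv, pa), CTREncrypt(FixedKey, iv, pb))
	fmt.Println("ctr iv reuse leaks p1 xor p2:", bytes.Equal(leak, XORBytes(pa, pb)))
}
```

Run it with `go run .`; all three lines print `true`. The last check is the practical reason the answer's "uniqueness within a function" matters: GCM and CTR stay secure under a reused key only as long as the (key, nonce) pair never repeats, which is why deployments either use a counter that is persisted across restarts or, for 96-bit nonces, keep the number of random nonces per key well below the birthday bound.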