Questions tagged [nonce]
A "nonce" is an arbitrary number or string used only once within the context of a specific cryptographic scheme. Nonces are used e.g. in authentication protocols to prevent replay attacks, as well as in stream ciphers (including CTR mode) to avoid keystream reuse.
205 questions
1 vote, 1 answer, 124 views
AES-CTR Mode, Predictability of Nonce
I'm trying to rebuild AES-CTR mode and have some questions concerning the generation of the nonce.
I've commonly seen the nonce be distributed like this $Nonce_{128\,bits} = IV_{64\,bits} \mathbin\...
1 vote, 0 answers, 58 views
ECDSA biased nonce with biased middle bits
The paper "Biased nonce sense" (https://eprint.iacr.org/2019/023.pdf) covers key recovery for MSB and LSB, the latter case being handled by doing modular inverse of 2 to the power of the ...
0 votes, 0 answers, 75 views
Simple and efficient auth scheme to prevent replay attacks
This is a machine-to-machine authentication proposal with the following requirements:
Avoid replay attacks. Leaked or intercepted auth tokens cannot be reused at all.
Impersonation resistant. The ...
0 votes, 1 answer, 47 views
Are the shared secret and SKEYID the same in IPSec?
I want to know whether the shared secret and SKEYID are the same in IPSec. I know that from SKEYID, three further keys are generated (derivative, authentication and encryption). But from where this ...
5 votes, 3 answers, 829 views
CVE-2024-31497, nonces and random numbers: Can someone explain, please?
Regarding CVE-2024-31497, a German article "Nur NIST P-521 betroffen: PuTTY-Lücke kompromittiert private SSH-Schlüssel" wrote something about a vulnerability in PuTTY.
The issue was claimed ...
0 votes, 1 answer, 355 views
Encrypting the nonce in AES-CCM
I'm working on a network where nodes communicate using AES-CCM encryption, within a context of tight bandwidth limitations, making every bit count. The setup uses a nonce that combines a 16-bit node ...
0 votes, 0 answers, 87 views
Exposing the vulnerability of CTR mode of operation
In the CTR mode of operation, the plaintext block is treated as a stream cipher, where each byte of the plaintext gets XOR-ed with each byte of the key (which is generated using a nonce and a counter) ...
0 votes, 1 answer, 56 views
JavaScript PKCE Code Verifier (random string nonce) alternatives
I'm creating a PKCE Code Verifier (a random string).
Solution 1 from a StackOverflow answer. (You can copy/paste these code examples into a browser's inspector.)
...
0 votes, 1 answer, 685 views
How do bad actors manipulate game results in real time within 'provably fair' gaming systems?
I've been assigned research involving online gaming companies and their use of cryptographic algorithms to produce 'provably fair' results. The largest player in the industry uses a method involving a ...
1 vote, 0 answers, 65 views
Where do we put known bits of nonce when performing lattice attack on ECDSA?
I have read so many papers and posts about lattice attacks on ECDSA, but none of them used an example of different MSB values for k; instead they all used a fixed MSB.
So here I am trying to ...
0 votes, 1 answer, 106 views
Nonce reuse in GMAC without ciphertext (only AAD)
As we all know, nonce reuse in AES/GCM can easily be catastrophic.
However, I'm wondering if the same risks are present if an adversary has access to:
Ciphertext and corresponding MAC of one message
...
2 votes, 1 answer, 300 views
AES GCM iv/nonce length under 12 bytes in java [duplicate]
I'm developing a Swift app that communicates with a Java legacy backend using AES GCM; my biggest problem is that Java lets you use an 8-byte iv/nonce (and the legacy code is written with 8 bytes ...
2 votes, 1 answer, 199 views
48-bit nonce reuse with ChaCha20
The situation:
I have a group with 20 members, each member broadcasting 1 message per second. Communicating one on one is possible, but 1 message per member per second is the absolute limit and every ...
2 votes, 1 answer, 274 views
Does RFC 6979 unconditionally prevent nonce-reuse attacks?
Is RFC 6979 guaranteed to prevent the reuse of nonces for different signed hashes?
6 votes, 1 answer, 210 views
What's the current status of development of hedged ECDSA and EdDSA?
In the IETF Draft Deterministic ECDSA and EdDSA Signatures with Additional Randomness, methods had been specified to seed RNG deterministically with external input, to securely obtain a nonce for use ...