
Type Alias Nonce 

pub type Nonce<A> = Array<u8, <A as AeadCore>::NonceSize>;

Nonce: single-use value for ensuring ciphertexts are unique.

AEAD algorithms accept a parameter to encryption/decryption called a "nonce" which must be unique every time encryption is performed and must never be repeated under the same key. The nonce is often prepended to the ciphertext, a.k.a. an explicit nonce, but may also be an implicit counter that both sides track without transmitting it.

AEAD decryption takes the nonce which was originally used to produce a given ciphertext as a parameter along with the ciphertext itself.

§Generating random nonces

Nonces don't necessarily have to be random, but randomness is a simple strategy which can be implemented as follows using the Generate trait (requires the getrandom feature):

use aead::{Nonce, Generate};

// AeadAlg stands for any concrete type implementing AeadCore
let nonce = Nonce::<AeadAlg>::generate();

Most AEAD algorithms fail catastrophically if a nonce is ever repeated under the same key: for AES-GCM and ChaCha20Poly1305 a repeat exposes the XOR of the two plaintexts and can let an attacker recover the authentication key and forge messages. SIV modes are the exception: a repeated nonce there only reveals whether two plaintexts are equal.

Using random nonces runs the risk of repeating them (the birthday bound applies, so collisions become likely after roughly the square root of the nonce space) unless the nonce size is particularly large, e.g. the 192-bit extended nonces used by the XChaCha20Poly1305 and XSalsa20Poly1305 constructions. The 96-bit nonces of AES-GCM and ChaCha20Poly1305 are not large enough to make random generation safe without a usage limit.

NIST SP 800-38D recommends the following:

The total number of invocations of the authenticated encryption function shall not exceed 2^32, including all IV lengths and all instances of the authenticated encryption function with the given key.

Following this guideline, only 4,294,967,296 (2^32) messages with random nonces can be encrypted under a given key. While this bound is high, it's possible to encounter in practice, and systems which might reach it should consider alternatives to purely random nonces, like a counter, or a random prefix combined with a counter. A counter must be persisted and must never restart from the same value under the same key, and the key should be rotated before the counter space is exhausted.

See the aead-stream crate for a ready-made implementation of the latter.
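One way to implement the counter and random-prefix-plus-counter strategy recommended above, as an added example written for this page in plain std Rust. It is not code from the aead or aead-stream crates and does not use the Nonce alias documented here. The 12-byte nonce length, the 4-byte prefix / 8-byte counter split, the MAX_INVOCATIONS constant, the NonceSequence type with its resume constructor, and random_nonce_collision_log2 are this example's own choices; the collision estimate is the standard birthday bound and is included to show why 192-bit random nonces are safe where 96-bit ones are not:

```rust
use std::collections::HashSet;

/// Length of the 96-bit nonce used by AES-GCM and ChaCha20Poly1305.
pub const NONCE_LEN: usize = 12;

/// SP 800-38D bound: at most 2^32 encryptions under one key. This is a policy
/// constant chosen for the example; the cipher itself does not enforce it.
pub const MAX_INVOCATIONS: u64 = 1 << 32;

/// Returned once the sequence is used up; the caller must rotate the key.
#[derive(Debug, PartialEq, Eq)]
pub struct NonceExhausted;

/// Nonce sequence laid out as a 4-byte fixed prefix followed by a 64-bit
/// big-endian invocation counter (the "random nonce + counter" layout).
/// Uniqueness comes from the counter; the prefix only keeps two parties that
/// share a key from producing the same sequence.
pub struct NonceSequence {
    prefix: [u8; 4],
    next: u64,
}

impl NonceSequence {
    /// Start a fresh sequence. In real use `prefix` comes from a CSPRNG;
    /// the usage below passes a constructed constant.
    pub fn new(prefix: [u8; 4]) -> Self {
        Self::resume(prefix, 0)
    }

    /// Resume a sequence whose counter was persisted (e.g. across restarts).
    /// Restarting from 0 with the same prefix and key would repeat nonces.
    pub fn resume(prefix: [u8; 4], next: u64) -> Self {
        Self { prefix, next }
    }

    /// Next nonce, or `NonceExhausted` once the bound is reached.
    pub fn next_nonce(&mut self) -> Result<[u8; NONCE_LEN], NonceExhausted> {
        if self.next >= MAX_INVOCATIONS {
            return Err(NonceExhausted);
        }
        let mut nonce = [0u8; NONCE_LEN];
        nonce[..4].copy_from_slice(&self.prefix);
        nonce[4..].copy_from_slice(&self.next.to_be_bytes());
        self.next += 1;
        Ok(nonce)
    }

    /// Encryptions left before the key must be rotated.
    pub fn remaining(&self) -> u64 {
        MAX_INVOCATIONS - self.next
    }
}

/// log2 of the birthday-bound collision probability for purely random nonces:
/// p ~ n^2 / 2^(bits+1), so log2(p) ~ 2*log2(n) - bits - 1.
pub fn random_nonce_collision_log2(nonce_bits: i64, messages_log2: i64) -> i64 {
    2 * messages_log2 - nonce_bits - 1
}

/// Check that the next `count` nonces of a sequence are pairwise distinct and
/// that the sequence does not run out while producing them.
pub fn all_distinct(seq: &mut NonceSequence, count: usize) -> bool {
    let mut seen = HashSet::with_capacity(count);
    for _ in 0..count {
        match seq.next_nonce() {
            Ok(n) => {
                if !seen.insert(n) {
                    return false;
                }
            }
            Err(NonceExhausted) => return false,
        }
    }
    true
}

fn main() {
    // Constructed prefix; a real deployment draws it from a CSPRNG.
    let mut seq = NonceSequence::new([0xde, 0xad, 0xbe, 0xef]);
    println!("first nonce: {:02x?}", seq.next_nonce().unwrap());
    println!("remaining under this key: {}", seq.remaining());
    println!(
        "random 96-bit nonces, 2^32 messages: collision p ~ 2^{}",
        random_nonce_collision_log2(96, 32)
    );
    println!(
        "random 192-bit nonces, 2^32 messages: collision p ~ 2^{}",
        random_nonce_collision_log2(192, 32)
    );
}
```

The sequencer refuses to hand out a nonce past the SP 800-38D bound, so the failure mode is a key rotation rather than a silent repeat. The part that cannot be checked in code is operational: the counter must be written to durable storage before the ciphertext is released, and a fresh prefix (or a fresh key) must be used whenever that state may have been lost.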

Aliased Type

#[repr(transparent)]
pub struct Nonce<A>(pub <<A as AeadCore>::NonceSize as ArraySize>::ArrayType<u8>);

Tuple Fields

0: <<A as AeadCore>::NonceSize as ArraySize>::ArrayType<u8>