
I'm generating a new random symmetric key and want to pass that to multiple people using crypto_box_easy. Is it okay to reuse the same (random) nonce for the same message and same sender but for different recipients? Can the same nonce be used for a symmetric encryption with the random key and crypto_secretbox_easy?

As the nonce has to be served along with the encrypted message it can't be hidden anyway, but is reuse across multiple different recipients a problem? If they provide a badly generated public key, can that weaken encryption in a way that other people's secret keys could be extracted?

Thanks a lot.

Woodstock
fl64738
    Welcome to Stack Overflow. Kindly see https://en.wikipedia.org/wiki/Cryptographic_nonce for a definition of a nonce, or in short: "nonce" means **one time**, so a nonce should be used **only one time** for any encryption whatsoever (regardless of whether it is for one person or multiple persons). Generate a random nonce for every single encryption and pass it together with the ciphertext to the recipient. – Michael Fehr Oct 22 '20 at 11:23
  • 1
    @MichaelFehr, actually `crypto_box_easy` will perform ECDH with the recipient's public key and your private key to generate a shared secret, which is then hashed to a symmetric key. Thus it's acceptable to use the same nonce once *for each recipient*, as each Diffie-Hellman process will generate a unique key. – Woodstock Oct 22 '20 at 11:36

1 Answer

3

A nonce can be reused as long as a (key, nonce) tuple is not reused.

You're right that reusing a nonce with the same key would result in a catastrophic loss of privacy with a stream cipher like XSalsa20.

The thing is, crypto_box_easy uses the recipient's public key to generate a shared secret that is then used with a nonce.

Thus even with a static nonce, the (nonce, key) pair for each recipient will be different.

Although it's not acceptable to use the same (nonce, key) pair twice, you can use the same nonce for each recipient, but only once.

It's acceptable to use the same nonce once for each recipient using the crypto_box_easy construct ONCE.

It even states this in the libsodium documentation:

> The nonce doesn't have to be confidential, but it should be used with just one invocation of crypto_box_easy() for a particular pair of public and secret keys.

i.e. for one message per recipient.

Woodstock
  • Thanks. And reusing the same nonce for a symmetric encryption operation should be okay then, too, right? – fl64738 Oct 22 '20 at 12:12
  • So, to clarify, when you use `crypto_box_easy` with a recipient, you use their public key in the call to `crypto_box_easy`... this will generate a symmetric key. Each additional recipient has a different public key, and thus crypto_box will generate different symmetric keys per recipient. You can use the same nonce ONCE, per recipient (PER KEY). If you go to send another message to the same recipient you need a NEW nonce. The only reason it's OK to use the SAME nonce ONCE with **different** recipients is because each recipient's symmetric key will be different, i.e. a different (key, nonce) pair. – Woodstock Oct 22 '20 at 12:50
  • Why does the documentation call a private key a "secret key"? – President James K. Polk Oct 22 '20 at 14:26
  • @PresidentJamesK.Polk I guess it's just an oversight. Either way, you agree it's OK to reuse a nonce across invocations of ECDH with *different recipients*, as the (nonce, key) pairs will be unique, right? (Caveated that you can only use the same (nonce, key) pair once.) In this context `ECDH(pubA,PrivB) == SecretKey` – Woodstock Oct 22 '20 at 14:28
  • 1
    Absolutely. It's the (nonce, key) pair that must be unique, not the nonce. But I always think of the code and not just the crypto, and it seems like it would be clumsy to share a nonce between recipient keys, which makes me wonder what OP is really doing. – President James K. Polk Oct 22 '20 at 14:33
  • 1
    @PresidentJamesK.Polk totally agree on the code. Bad architecture to do this, I just like to give an answer which is technically accurate rather than the carte blanche "don't reuse ever", so folks understand deeper, why... – Woodstock Oct 22 '20 at 14:35
  • I've got a single message that I need to make available for multiple recipients at once. I have more trust in the randomness/entropy if I only have to generate one symmetric key and one nonce instead of a key and N nonces. – fl64738 Oct 23 '20 at 09:14
  • So that's fine to do, once each recipient has a different public key. I hope I've answered your question. – Woodstock Oct 23 '20 at 09:17
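The rule the answer and the comment thread converge on is that the (key, nonce) pair must be unique, not the nonce by itself. The following added example (not code from the question, the answer, or libsodium) models the asker's setup: one random symmetric key encrypts the message, and that key is then wrapped once per recipient with a per-recipient derived key, all under one nonce. To run without libsodium it substitutes a constructed SHA-256 counter-mode keystream for XSalsa20 and a hashed (sender, recipient) value for the ECDH shared secret; `NonceLedger`, `shared_key`, `box_to_many` and `leaks_xor_of_plaintexts` are hypothetical names introduced here. The ledger enforces the rule from the answer, and the last function shows why the rule exists: two messages under the same (key, nonce) let the keystream cancel out.

```python
import hashlib
import secrets

NONCE_BYTES = 24  # XSalsa20 nonces are 24 bytes; the toy keystream accepts any length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for XSalsa20: SHA-256(key || nonce || counter) blocks.
    It models only the property that matters here: the keystream is a function
    of (key, nonce), so two messages under one pair share a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Encrypt (or decrypt; the operation is its own inverse) with the toy keystream."""
    return xor(msg, keystream(key, nonce, len(msg)))


def shared_key(sender_secret: bytes, recipient_public: bytes) -> bytes:
    """Stand-in for crypto_box's ECDH-then-hash step: one key per
    (sender, recipient) pair. Real ECDH gives both sides the same value;
    this hypothetical toy only needs the sender's view."""
    return hashlib.sha256(b"toy-kx" + sender_secret + recipient_public).digest()


class NonceLedger:
    """Records every (key, nonce) pair used and refuses a second use of any pair.
    Keys are stored hashed so the ledger never holds key material directly."""

    def __init__(self) -> None:
        self.seen: set = set()

    def use(self, key: bytes, nonce: bytes) -> None:
        tag = (hashlib.sha256(key).digest(), nonce)
        if tag in self.seen:
            raise ValueError("(key, nonce) pair already used")
        self.seen.add(tag)


def box_to_many(sender_secret: bytes, recipient_publics: list, nonce: bytes,
                payload: bytes, ledger: NonceLedger) -> dict:
    """Wrap one payload for many recipients under one nonce. Each recipient gets a
    distinct derived key, so every (key, nonce) pair the ledger sees is fresh."""
    out = {}
    for pk in recipient_publics:
        k = shared_key(sender_secret, pk)
        ledger.use(k, nonce)
        out[pk] = stream_encrypt(k, nonce, payload)
    return out


def leaks_xor_of_plaintexts(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Why the ledger exists: under one (key, nonce), c1 XOR c2 == m1 XOR m2,
    so anyone holding both ciphertexts learns the XOR of the plaintexts."""
    c1 = stream_encrypt(key, nonce, m1)
    c2 = stream_encrypt(key, nonce, m2)
    return xor(c1, c2) == xor(m1, m2)


def demo():
    """The asker's scenario with constructed random keys: one message, one
    symmetric key, one nonce, three recipients."""
    sender = secrets.token_bytes(32)
    recipients = [secrets.token_bytes(32) for _ in range(3)]
    nonce = secrets.token_bytes(NONCE_BYTES)
    sym_key = secrets.token_bytes(32)
    ledger = NonceLedger()
    # secretbox-style: the message under the random symmetric key
    ledger.use(sym_key, nonce)
    body = stream_encrypt(sym_key, nonce, b"one message for everyone")
    # box-style: the symmetric key wrapped once per recipient, same nonce
    wrapped = box_to_many(sender, recipients, nonce, sym_key, ledger)
    # a second payload to the first recipient with the same nonce is refused
    try:
        box_to_many(sender, recipients[:1], nonce, b"again", ledger)
        refused = False
    except ValueError:
        refused = True
    return body, wrapped, refused


if __name__ == "__main__":
    body, wrapped, refused = demo()
    print(len(wrapped), "recipients wrapped, second use refused:", refused)
```

The ledger is the part worth keeping in a real system: libsodium itself has no memory of which (key, nonce) pairs have been used, so the caller has to guarantee freshness, either by a random 24-byte nonce per call or by tracking pairs as above.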