What a Nonce Promises
A nonce is a number used once. Many ciphers and modes assume each nonce appears only a single time under a given key. This assumption is load-bearing: violate it and otherwise strong encryption can collapse.
Why Reuse Is Catastrophic
In counter-style and stream constructions, the cipher expands the key and nonce into a keystream that is XORed with the plaintext. If the same key and nonce produce the same keystream twice, an attacker who captures both ciphertexts can XOR them together to cancel the keystream and recover the XOR of the two plaintexts; with one plaintext known or guessable, the other follows directly.
In authenticated modes like GCM, nonce reuse is even worse: it can leak the internal authentication subkey and let an attacker forge valid tags, defeating integrity entirely.
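The keystream-cancellation effect described above, shown as an added example (not code from the original page). To stay dependency-free it uses a constructed counter-mode keystream built from SHA-256 as a stand-in for a real CTR or stream cipher; the key, nonces and plaintexts are constructed sample values. The point it demonstrates is independent of the cipher: with a repeated (key, nonce) the two ciphertexts XOR to the two plaintexts' XOR, while a fresh nonce does not leak that relationship.

```python
import hashlib


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` keystream bytes in counter mode.
    Constructed stand-in for a real CTR/stream cipher: SHA-256 plays the
    block function so the example needs only the standard library. The
    property it shares with real ciphers is the one that matters here:
    the same key and nonce always yield the same keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-encrypt: ciphertext = plaintext XOR keystream. Decryption is
    the same operation applied to the ciphertext."""
    return xor_bytes(plaintext, toy_keystream(key, nonce, len(plaintext)))


def keystream_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. both ciphertexts were made
    with an identical keystream and that keystream has cancelled out."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample inputs (not taken from any real system).
KEY = b"\x11" * 32
NONCE_A = b"\x00" * 11 + b"\x01"
NONCE_B = b"\x00" * 11 + b"\x02"
P1 = b"transfer 100 to account 42"
P2 = b"transfer 999 to account 77"


def reuse_outcome() -> dict:
    """Encrypt P1 and P2 under one key, once with the nonce repeated and
    once with distinct nonces, and report what the pairing reveals."""
    c1 = encrypt(KEY, NONCE_A, P1)
    c2_reused = encrypt(KEY, NONCE_A, P2)  # nonce repeated: same keystream
    c2_fresh = encrypt(KEY, NONCE_B, P2)   # distinct nonce: unrelated keystream
    return {
        "reused_nonce_cancels": keystream_cancels(c1, c2_reused, P1, P2),
        "fresh_nonce_cancels": keystream_cancels(c1, c2_fresh, P1, P2),
        # Under reuse, knowing P1 yields P2 with no knowledge of the key.
        "p2_from_p1": xor_bytes(xor_bytes(c1, c2_reused), P1),
        "roundtrip_ok": encrypt(KEY, NONCE_A, c1) == P1,
    }


if __name__ == "__main__":
    for name, value in reuse_outcome().items():
        print(f"{name}: {value!r}")
```

Running it prints `reused_nonce_cancels: True` and `fresh_nonce_cancels: False`, and `p2_from_p1` equals `P2`: the second message is exposed purely by the nonce repeat, which is why the key itself never needs to be attacked.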
Defenses are concrete:
- Generate nonces from a counter, or from a strong random source whose nonce is large enough that collisions stay negligible for the number of messages sent under one key.
- Track nonce usage per key and rotate keys before the nonce space is exhausted; never let a counter wrap.
- Consider misuse-resistant modes when nonce uniqueness is hard to guarantee in practice.
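The three defenses above, worked into code as an added example (not part of the original page): a counter-based nonce source that refuses to wrap, a manager that rotates to a fresh key once the per-key message budget is spent, a birthday-bound calculation for sizing random nonces, and a receiver-side detector that flags a repeated (key, nonce) pair in an audit log. `make_key` is an assumed caller-supplied key factory; the small 8-bit nonce in the usage block is only there to make exhaustion observable.

```python
import math
from typing import Callable, Optional


class CounterNonceSource:
    """Deterministic nonces for ONE key: a big-endian counter. When the
    counter space is used up it raises instead of wrapping, because a wrap
    is exactly the nonce repeat the text warns about."""

    def __init__(self, nonce_bits: int = 96):
        self.nonce_len = nonce_bits // 8
        self.limit = 1 << nonce_bits
        self.counter = 0

    def next_nonce(self) -> bytes:
        if self.counter >= self.limit:
            raise RuntimeError("nonce space exhausted for this key; rotate the key")
        nonce = self.counter.to_bytes(self.nonce_len, "big")
        self.counter += 1
        return nonce


class KeyedNonceManager:
    """Ties a key to its nonce source and rotates to a fresh key once the
    per-key message budget is spent, so the counter can never run out.
    `make_key` is an assumed caller-supplied factory (e.g. os.urandom)."""

    def __init__(self, make_key: Callable[[], bytes], nonce_bits: int = 96,
                 messages_per_key: Optional[int] = None):
        if messages_per_key is None:
            messages_per_key = 1 << nonce_bits
        if messages_per_key > (1 << nonce_bits):
            raise ValueError("per-key budget exceeds the nonce space")
        self.make_key = make_key
        self.nonce_bits = nonce_bits
        self.messages_per_key = messages_per_key
        self.keys_issued = 0
        self._rotate()

    def _rotate(self) -> None:
        self.key = self.make_key()
        self.nonces = CounterNonceSource(self.nonce_bits)
        self.used = 0
        self.keys_issued += 1

    def next(self) -> tuple:
        """Return the (key, nonce) pair to use for the next message."""
        if self.used >= self.messages_per_key:
            self._rotate()
        nonce = self.nonces.next_nonce()
        self.used += 1
        return self.key, nonce


def max_messages_for_random_nonces(nonce_bits: int, collision_prob_log2: int) -> int:
    """Birthday bound: largest n with n^2 / (2 * 2^bits) <= 2^-collision_prob_log2,
    i.e. how many random nonces one key may see before the chance of a repeat
    exceeds the tolerated probability. Computed exactly with integers."""
    return math.isqrt(1 << (nonce_bits + 1 - collision_prob_log2))


class NonceReuseDetector:
    """Receiver or audit side: remember every (key id, nonce) seen and flag
    a repeat, so a broken sender is caught rather than trusted."""

    def __init__(self):
        self.seen = set()
        self.reused = []

    def observe(self, key_id: bytes, nonce: bytes) -> bool:
        """Return True if this (key_id, nonce) pair was already seen."""
        pair = (key_id, nonce)
        if pair in self.seen:
            self.reused.append(pair)
            return True
        self.seen.add(pair)
        return False


if __name__ == "__main__":
    import os
    # Tiny 8-bit nonce so exhaustion and rotation are visible quickly.
    mgr = KeyedNonceManager(lambda: os.urandom(32), nonce_bits=8, messages_per_key=256)
    pairs = [mgr.next() for _ in range(600)]
    print("keys issued:", mgr.keys_issued, "unique (key, nonce) pairs:", len(set(pairs)))
    print("random 96-bit nonces tolerable at 2^-32 collision risk:",
          max_messages_for_random_nonces(96, 32))
```

With a 96-bit nonce and a tolerated repeat probability of 2^-32, the bound comes out just above 2^32 messages per key, which is why random-nonce deployments budget key rotation in that range rather than relying on the full 2^96 space.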
Key idea
A nonce must never repeat under the same key: reuse lets an attacker recover relationships between plaintexts and, in modes like GCM, forge authentication tags. Derive nonces from a counter or from sufficiently large strong randomness, and rotate keys before the nonce space runs out.