In the field of cryptography, it’s important that things that are supposed to be secret stay secret. One issue that is faced is precomputation. This is where an attacker can spend considerable processing power to determine what outputs a combination of inputs pre-emptively makes. With enough processing power and time, you could test what output you get with a selection of specified inputs and a bunch of different encryption keys.
You could then check vast swathes of encrypted transmissions to see if any of your known outputs ever cropped up and know the message and key used. Unfortunately, there’s no real way to prevent this scenario completely. It is possible to make it a lot harder, though.
It’s already tough to guess the exact contents of a message and the encryption key used to encrypt it. Even though single-character differences in the message would render the whole effort useless, it’s only really feasible for short and simple messages. Otherwise, there are just too many possible variations of phrasing and wording, and even the risk of typos and slang. But even this risk of the ability to guess things is too high. To make things even harder, most cryptography schemes require a third value called an “initialization vector,” or IV for short.
The IV is another value fed into the encryption and decryption algorithm. It’s a third variable for the equation, which by its very presence, massively increases the difficulty of correctly guessing the inputs needed to generate a specific output. Funnily enough, the IV doesn’t even need to be secret. What it does need to be is unique.
The whole issue with avoiding precomputation attacks is to make it even more infeasible to guess the content of messages. To that end, you can’t just pick one IV and stick with it; you must change it. Furthermore, using a different IV each time makes cryptanalysis of the resulting ciphertexts harder. To have a reliably unique value, you want to use a “nonce,” specifically a cryptographic nonce.
A cryptographic nonce is a value generated by a cryptographically secure PRNG or Pseudo Random Number Generator intended to be used precisely once. Typically, this is achieved by incorporating some form of time stamp within the value.
Tip: Especially when dealing with a native speaker of British English, it is essential to specifically use the phrase “cryptographic nonce” rather than just the word “once.”In the UK, “once” is a slang word for a pedophile. In general, to avoid any confusion, it is best to use the term cryptographic nonce specifically.
While most potential use cases for unique values don’t necessarily need a cryptographically secure random number, a cryptographic nonce does fit the requirements. For example, a replay attack is a web-based attack where an attacker repeatedly sends the same piece of traffic, replaying it often. Let’s say that this request tells the server to spend time generating a report. The attacker can multiply the amount of work needed by repeating the request multiple times.
Often the attacker can also slightly modify the request in an automated fashion too. For example, if an online store uses sequential product numbers in the page URL, the attacker can automate the process of requesting all of them.
To get around this, the server can supply the browser with a one-use token with each request it makes. The server keeps track of the used tokens and automatically drops traffic that doesn’t include a valid, unused token. In this scenario, the token needs to be unique and shouldn’t be reused. Thus, a cryptographic nonce fits the bill.
A cryptographic nonce is a cryptographically secure random number that should only be used once. Doing so renders precomputation attacks impossible while not requiring the cryptographic nonce itself to remain secret. Its primary use is as the initialization vector in encryption schemes.
The term is often claimed to mean “number used ONCE”; however, this is a false etymology. The word comes from Middle English to mean something used once or temporarily. Nevertheless, the “number used once” concept helps explain what a cryptographic nonce is intended for. To help with this aim, it often includes some form of a timestamp.