0Pricing
Cryptology Academy · Lesson

Replay Attacks and Nonce Reuse Vulnerabilities

Understand how nonce reuse in GCM and other modes can completely compromise ciphertext confidentiality.

Nonce Purpose in Cryptography

A nonce (number used once) ensures that the same plaintext message encrypted twice produces different ciphertexts. This is essential for semantic security: an attacker observing multiple ciphertexts gains no information about whether they encrypt the same or different plaintexts. In stream ciphers and CTR-mode block ciphers, the nonce seeds the keystream generation, making the nonce critically important for security.

GCM Nonce as Counter Initialization

In AES-GCM, the 96-bit nonce is used to initialize a counter for CTR mode encryption and also contributes to the GHASH authentication computation. The counter value for each AES block is derived by incrementing from the nonce. If two encryptions use the same nonce and key, they generate the same keystream, making the XOR of their ciphertexts equal to the XOR of their plaintexts.

All lessons in this course

  1. Padding Oracle Attacks in Detail
  2. Replay Attacks and Nonce Reuse Vulnerabilities
  3. Timing Attacks in Application-Level Code
  4. Top Cryptographic Misuse Patterns
← Back to Cryptology Academy