What is a Nonce?

The Number Used Once

A nonce (Number Used Once) is an arbitrary value that must never be repeated within the same cryptographic context. In symmetric encryption, a nonce is combined with the secret key to ensure that encrypting the exact same plaintext twice produces completely different ciphertext each time. Without a nonce, an attacker observing identical ciphertexts could immediately deduce that the underlying messages are identical, catastrophically leaking information.

Different algorithms demand different nonce sizes. AES-GCM uses a 96-bit nonce (12 bytes), while XChaCha20 uses a 192-bit nonce (24 bytes). The size matters enormously because of the Birthday Paradox: the probability of accidentally generating the same random nonce twice grows far faster than intuition suggests. With a 96-bit nonce, collisions become statistically dangerous after roughly 2^48 messages. With a 192-bit nonce, the safe threshold extends to an astronomic 2^96 messages.

Nonce reuse is one of the most catastrophic failures in cryptography. In AES-GCM, reusing a nonce with the same key completely destroys the authentication guarantee and leaks the secret authentication subkey. In stream ciphers like ChaCha20, nonce reuse causes two ciphertexts to be XORed against the identical keystream, allowing an attacker to trivially recover both plaintexts using simple frequency analysis.

Everyday Example

Think of a nonce like the unique serial number printed on every banknote. If the central bank accidentally printed two £20 notes with the same serial number, a counterfeiter could exploit that duplication to forge money. The uniqueness of each serial number is what makes the system trustworthy. In cryptography, every single encryption operation gets its own unrepeatable serial number to prevent exactly this kind of exploit.

The Deep Mathematics

For a random nonce of n bits, the Birthday Bound dictates that the probability of a collision reaches approximately 50% after 2^(n/2) samples. For AES-GCM's 96-bit nonce, this threshold is 2^48 ≈ 281 trillion messages. For XChaCha20's 192-bit nonce, the threshold is 2^96 ≈ 7.9 × 10^28 messages. The Birthday Bound follows from the generalized collision probability formula: P(collision) ≈ 1 - e^(-k²/(2N)), where k is the number of samples and N = 2^n is the nonce space.
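The formula above can be evaluated and inverted to size a per-key message budget for random nonces. The following is an added example, not giovium's code; the function names, the 2^-32 risk target and the 16-bit toy nonce used to check the formula by simulation are assumptions chosen for illustration.

```python
import math
import random

def collision_probability(k: int, nonce_bits: int) -> float:
    """P(collision) ~= 1 - e^(-k^2 / (2N)) with N = 2^nonce_bits."""
    exponent = k * k / (2.0 * 2.0 ** nonce_bits)
    return -math.expm1(-exponent)  # expm1 keeps precision for tiny results

def max_messages(nonce_bits: int, risk: float) -> int:
    """Approximate message count at which P(collision) reaches `risk`."""
    # Inverting the formula gives k = sqrt(2N * ln(1 / (1 - risk))).
    n_space = 2.0 ** nonce_bits
    return math.isqrt(int(2.0 * n_space * -math.log1p(-risk)))

def simulate(nonce_bits: int, k: int, trials: int, seed: int = 1) -> float:
    """Fraction of trials in which k random nonces contain a repeat."""
    rng = random.Random(seed)  # seeded for reproducibility; never for real nonces
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(k):
            nonce = rng.getrandbits(nonce_bits)
            if nonce in seen:
                hits += 1
                break
            seen.add(nonce)
    return hits / trials

if __name__ == "__main__":
    risk = 2.0 ** -32  # assumed risk target, chosen for illustration
    for name, bits in (("AES-GCM", 96), ("XChaCha20", 192)):
        half = bits // 2
        p = collision_probability(2 ** half, bits)
        budget = math.log2(max_messages(bits, risk))
        print(f"{name}: P(collision) at 2^{half} messages = {p:.3f}")
        print(f"{name}: budget for risk 2^-32 = 2^{budget:.1f} messages")
    # Toy 16-bit nonce space (constructed) so the simulation finishes quickly.
    print("formula  :", round(collision_probability(256, 16), 3))
    print("simulated:", simulate(16, 256, 4000))
```

At k = 2^(n/2) the formula evaluates to about 0.39, the same order as the 50% rule of thumb. A per-key budget sized for a small risk target is far lower: roughly 2^32.5 messages for a 96-bit nonce at the assumed 2^-32 target.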
