
In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication.[1] It is often a random or pseudo-random number issued in an authentication protocol to ensure that each communication session is unique, and therefore that old communications cannot be reused in replay attacks. Nonces can also be useful as initialization vectors and in cryptographic hash functions.
A nonce is an arbitrary number used only once in a cryptographic communication, in the spirit of a nonce word. They are often random or pseudo-random numbers. Many nonces also include a timestamp to ensure exact timeliness, though this requires clock synchronisation between organisations. The addition of a client nonce ("cnonce") helps to improve the security in some ways as implemented in digest access authentication. To ensure that a nonce is used only once, it should be time-variant (including a suitably fine-grained timestamp in its value), or generated with enough random bits to ensure an insignificantly low chance of repeating a previously generated value. Some authors define pseudo-randomness (or unpredictability) as a requirement for a nonce.[2]
Nonce is a word dating back to Middle English for something only used once or temporarily (often with the construction "for the nonce"). It descends from the construction "then anes" ("the one [purpose]").[3] A false etymology claiming it to stand for "number used once"[4] or similar is incorrect.
Authentication protocols may use nonces to ensure that old communications cannot be reused in replay attacks. For instance, nonces are used in HTTP digest access authentication to calculate an MD5 digest of the password. The nonces are different each time the 401 authentication challenge response code is presented, thus making replay attacks virtually impossible. The scenario of ordering products over the Internet can provide an example of the usefulness of nonces against replay attacks. An attacker could take the encrypted information and, without needing to decrypt it, could continue to send a particular order to the supplier, thereby ordering products over and over again under the same name and purchase information. The nonce is used to give 'originality' to a given message so that if the company receives any other orders from the same person with the same nonce, it will discard those as invalid orders.
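The digest exchange and the server-side replay check described above can be sketched as follows. This is an added example, not part of the original article: it follows the RFC 2617 `qop=auth` calculation, and the nonce layout (timestamp, random part, server MAC), the `SERVER_KEY` secret, the 300-second lifetime and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-server secret that signs nonces
NONCE_LIFETIME = 300                  # seconds a challenge stays valid (assumed policy)
_highest_nc = {}                      # nonce -> highest nonce-count accepted so far

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def _mac(ts, rand):
    return hmac.new(SERVER_KEY, f"{ts}.{rand}".encode(), hashlib.sha256).hexdigest()[:32]

def issue_nonce(now=None):
    """Fresh nonce for each 401 challenge: timestamp, random part, server MAC."""
    ts = str(int(time.time() if now is None else now))
    rand = secrets.token_hex(8)
    return f"{ts}.{rand}.{_mac(ts, rand)}"

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: RFC 2617 response value for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify_digest(user, realm, password, method, uri, nonce, nc, cnonce, response, now=None):
    """Server side: return "ok" or the reason the request is rejected."""
    now = time.time() if now is None else now
    try:
        ts, rand, mac = nonce.split(".")
        age, count = now - int(ts), int(nc, 16)
    except ValueError:
        return "bad nonce"
    if not hmac.compare_digest(mac.encode(), _mac(ts, rand).encode()):
        return "bad nonce"            # nonce was not issued by this server
    if age > NONCE_LIFETIME:
        return "stale nonce"          # challenge too old; send a new 401
    expected = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    if not hmac.compare_digest(response.encode(), expected.encode()):
        return "bad response"
    if count <= _highest_nc.get(nonce, 0):
        return "replay"               # same nonce and nonce-count seen before
    _highest_nc[nonce] = count
    return "ok"
```

A captured request resent unchanged carries a nonce-count the server has already accepted for that nonce, so it is rejected even though its digest is valid.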
A nonce may be used to ensure security for a stream cipher. Where the same key is used for more than one message, a different nonce is used for each message to ensure that the keystream is different for different messages encrypted with that key; often the message number is used.
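The effect of the nonce on the keystream can be shown with a small added example (not part of the original article). The keystream generator here is a toy built from SHA-256 for illustration only, not a real stream cipher, and the `Sender` class, key and messages are constructed for the example.

```python
import hashlib

def keystream(key, nonce, length):
    """Toy keystream for illustration only: SHA-256(key || nonce || block counter)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    """Uses the message number as the nonce, so no nonce repeats under one key."""
    def __init__(self, key):
        self.key = key
        self.msg_no = 0

    def encrypt(self, plaintext):
        nonce = self.msg_no.to_bytes(8, "big")
        self.msg_no += 1              # never reuse a nonce with this key
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))

def decrypt(key, nonce, ciphertext):
    return xor(ciphertext, keystream(key, nonce, len(ciphertext)))

def keystream_cancels(c1, c2, p1, p2):
    """True when XORing two ciphertexts yields the XOR of the two plaintexts,
    which happens exactly when both were encrypted with the same keystream."""
    return xor(c1, c2) == xor(p1, p2)

def demo():
    key = b"K" * 32                                       # constructed sample key
    p1, p2 = b"PAY 100 TO ALICE", b"PAY 900 TO BOB.."     # constructed messages
    fixed = bytes(8)                                      # one nonce used twice
    c1 = xor(p1, keystream(key, fixed, len(p1)))
    c2 = xor(p2, keystream(key, fixed, len(p2)))
    sender = Sender(key)
    (n1, d1), (n2, d2) = sender.encrypt(p1), sender.encrypt(p2)
    return keystream_cancels(c1, c2, p1, p2), keystream_cancels(d1, d2, p1, p2)

if __name__ == "__main__":
    print(demo())   # (repeated nonce leaks plaintext XOR, message-number nonce does not)
```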
Secret nonce values are used by the Lamport signature scheme as a signer-side secret which can be selectively revealed for comparison to public hashes for signature creation and verification.
Nonces are used in proof-of-work systems to vary the input to a cryptographic hash function so as to obtain a hash for a certain input that fulfils certain arbitrary conditions. In doing so, it becomes far more difficult to create a "desirable" hash than to verify it, shifting the burden of work onto one side of a transaction or system. For example, proof of work, using hash functions, was considered as a means to combat email spam by forcing email senders to find a hash value for the email (which included a timestamp to prevent pre-computation of useful hashes for later use) that had an arbitrary number of leading zeroes, by hashing the same input with a large number of values until a "desirable" hash was obtained.
Similarly, the Bitcoin blockchain hashing algorithm can be tuned to an arbitrary difficulty by changing the required minimum/maximum value of the hash so that the number of bitcoins awarded for new blocks does not increase linearly with increased network computation power as new users join. This is likewise achieved by forcing Bitcoin miners to add nonce values to the value being hashed to change the hash algorithm output. As cryptographic hash algorithms cannot easily be predicted based on their inputs, this makes the act of blockchain hashing and the possibility of being awarded bitcoins something of a lottery, where the first "miner" to find a nonce that delivers a desirable hash is awarded bitcoins.
Middle English: from then anes 'the one (purpose)' (from then, obsolete oblique form of the + ane 'one' + -s), altered by wrong division