GCM Nonce Reuse

GCM nonce reuse is the use of the same nonce (number used once) for two messages under the same key in AES-GCM. Because GCM is CTR-mode encryption plus a polynomial MAC (GHASH), a single repeat breaks both guarantees at once: the two plaintexts leak to anyone holding the ciphertexts, and the hash key H is exposed, after which authentication tags can be forged for other messages under that key.

Why It's Critical

AES-GCM encrypts in CTR mode: the keystream is AES applied to successive counter blocks derived from the nonce, and the ciphertext is plaintext XOR keystream. Reusing a nonce under the same key regenerates the identical keystream, so XORing the two ciphertexts cancels it and leaves the XOR of the two plaintexts, the classic two-time pad.

Attack

// Two messages encrypted under the same key and nonce:
C1 = P1 XOR Keystream      // Keystream = AES-CTR(key, nonce): identical for both
C2 = P2 XOR Keystream

// XORing the ciphertexts cancels the keystream:
C1 XOR C2 = P1 XOR P2

// If P1 is known (or guessable, e.g. a protocol header):
P2 = C1 XOR C2 XOR P1

// And C1 XOR P1 = Keystream, which decrypts every other message
// sent under that (key, nonce) up to the length of P1

// Also: the GHASH key H leaks, so authentication tags can be forged
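A worked version of the XOR recovery against real AES-GCM output, added here as an example; it is not code from the original page. It assumes the pyca cryptography library for the AES-GCM side; the key, nonce, the request line used as the crib and the second message are constructed for the demo. One detail the equations above hide: AESGCM.encrypt returns the ciphertext followed by the 16-byte tag, and only the ciphertext part is keystream-masked, so the tag has to be stripped before XORing.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

TAG_LEN = 16  # AESGCM.encrypt returns ciphertext || 16-byte tag


def xor(a: bytes, b: bytes) -> bytes:
    """XOR over the common prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def seal_twice(key: bytes, nonce: bytes, p1: bytes, p2: bytes):
    """The victim's bug reproduced: two messages under one (key, nonce)."""
    aead = AESGCM(key)
    return aead.encrypt(nonce, p1, b""), aead.encrypt(nonce, p2, b"")


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """C1 ^ C2 == P1 ^ P2 over the shared prefix: the CTR keystream cancels.
    The trailing tag is not keystream-masked, so strip it first."""
    return xor(c1[:-TAG_LEN], c2[:-TAG_LEN])


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """A known (or guessed) P1 turns P1 ^ P2 into P2 as far as the crib reaches."""
    return xor(xor_of_plaintexts(c1, c2), known_p1)


def recover_keystream(c1: bytes, known_p1: bytes) -> bytes:
    """C1 ^ P1 is the keystream for this (key, nonce): it decrypts every other
    message sealed under the same pair, up to len(P1) bytes, with no key."""
    return xor(c1[:-TAG_LEN], known_p1)


def decrypt_with_keystream(keystream: bytes, c: bytes) -> bytes:
    return xor(keystream, c[:-TAG_LEN])


if __name__ == "__main__":
    # Constructed demo inputs: a predictable request line serves as the crib.
    key = AESGCM.generate_key(bit_length=128)
    nonce = os.urandom(12)  # random is fine once; the bug is using it twice
    p1 = b"GET /status HTTP/1.1\r\nHost: api.example.test\r\n"
    p2 = b"Authorization: Bearer 7f3c0d9e-secret-token\r\n"
    c1, c2 = seal_twice(key, nonce, p1, p2)
    print(recover_with_crib(c1, c2, p1))
    print(decrypt_with_keystream(recover_keystream(c1, p1), c2))
```

The recovery reaches exactly as far as the crib does; in real traffic the crib is usually a fixed header or a message the attacker caused to be sent, and the rest is filled in by guessing structured fields one at a time.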

Real-World Example

// Common mistake: a fresh random nonce for every message
nonce = random_bytes(12)

// Problem: 96-bit random nonces collide by the birthday bound.
// After n messages under one key, P(collision) ~ n^2 / 2^97:
// roughly 2^48 messages is a coin flip, and NIST SP 800-38D caps
// random nonces at 2^32 messages per key (P ~ 2^-33).
// A fleet of services sharing one key gets there fast.

// Worse: a counter restarting at 0 each session while the key persists
nonce = 0  // Every restart repeats nonces 0, 1, 2, ... under the same key

Authentication Bypass

The tag is GHASH_H(AAD, C) XOR E_K(J0): a polynomial in the hash key H = E_K(0^128), evaluated over the AAD, ciphertext and length blocks, then masked with a value that depends only on the key and nonce. XOR the tags of two messages that share a nonce and the mask cancels, leaving a polynomial equation in H over GF(2^128) (Joux's "forbidden attack"); its degree is about the number of blocks, so there are only a few candidate roots and a third message picks out the real H. The mask for any captured message is then T XOR GHASH_H(AAD, C), so the attacker can alter that message's ciphertext or AAD and compute a tag the receiver accepts. Because H is a per-key value, this works for every message under the key, not only the two that collided.
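The forbidden attack carried through for the simplest case, added here as an example and not code from the original page: when both intercepted messages are exactly one block with no AAD, the polynomial collapses to T1 XOR T2 = (C1 XOR C2) * H^2, so H is one field inverse and one square root away (squaring is a bijection in GF(2^128), so the root is unique). The GF(2^128) arithmetic and GHASH are written out here following NIST SP 800-38D; the pyca cryptography library plays the victim that encrypts and later verifies the forged tag; key, nonce and messages are constructed. Longer messages leave a higher-degree polynomial whose roots must be found, which this example does not implement.

```python
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

R = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected layout
ONE = 1 << 127   # multiplicative identity in that layout


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) exactly as GCM does (SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x: int, e: int) -> int:
    r, base = ONE, x
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base, e = gf_mul(base, base), e >> 1
    return r


def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)  # x^(2^128 - 1) = 1 for every x != 0


def gf_sqrt(x: int) -> int:
    return gf_pow(x, 1 << 127)  # (x^(2^127))^2 = x; squaring is a bijection


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H over AAD || pad || CT || pad || [len(AAD)]64 || [len(CT)]64."""
    x = 0
    for data in (aad, ct):
        for i in range(0, len(data), 16):
            block = int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")
            x = gf_mul(x ^ block, h)
    return gf_mul(x ^ (((len(aad) * 8) << 64) | (len(ct) * 8)), h)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def seal(key: bytes, nonce: bytes, pt: bytes, aad: bytes = b""):
    """Victim side: (ciphertext, tag) from a real AES-GCM encryption."""
    out = AESGCM(key).encrypt(nonce, pt, aad)
    return out[:-16], out[-16:]


def recover_h(c1: bytes, t1: bytes, c2: bytes, t2: bytes) -> int:
    """Two distinct one-block ciphertexts, no AAD, one (key, nonce):
    T1 ^ T2 = (C1 ^ C2) * H^2, the length block and E_K(J0) having cancelled."""
    if len(c1) != 16 or len(c2) != 16 or c1 == c2:
        raise ValueError("need two distinct single-block ciphertexts")
    dc = int.from_bytes(c1, "big") ^ int.from_bytes(c2, "big")
    dt = int.from_bytes(t1, "big") ^ int.from_bytes(t2, "big")
    return gf_sqrt(gf_mul(dt, gf_inv(dc)))


def recover_mask(h: int, ct: bytes, tag: bytes, aad: bytes = b"") -> int:
    """E_K(J0) = T ^ GHASH_H(AAD, C): the same for every message under this nonce."""
    return int.from_bytes(tag, "big") ^ ghash(h, aad, ct)


def forge_tag(h: int, mask: int, aad: bytes, ct: bytes) -> bytes:
    return (ghash(h, aad, ct) ^ mask).to_bytes(16, "big")


def true_h(key: bytes) -> int:
    """H = AES_K(0^128), computed from the key only to check the recovery."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return int.from_bytes(enc.update(bytes(16)) + enc.finalize(), "big")


def run_attack(key, nonce, p1, p2, p_evil, evil_aad) -> bytes:
    """Victim seals p1 and p2 (16 bytes each) under one (key, nonce).  The
    attacker knows p1 and sees both ciphertexts; it forges (ct, tag, aad) for
    p_evil (at most 16 bytes, covered by the known keystream).  Returns what
    the victim's decrypt yields; a failed forgery would raise InvalidTag."""
    c1, t1 = seal(key, nonce, p1)
    c2, t2 = seal(key, nonce, p2)
    # -- attacker, without the key --
    h = recover_h(c1, t1, c2, t2)
    mask = recover_mask(h, c1, t1)
    ct = xor(xor(c1, p1), p_evil)        # keystream from the crib, reused
    tag = forge_tag(h, mask, evil_aad, ct)
    # -- victim verifies and decrypts the forgery --
    return AESGCM(key).decrypt(nonce, ct + tag, evil_aad)


if __name__ == "__main__":
    key, nonce = AESGCM.generate_key(bit_length=128), os.urandom(12)
    print(run_attack(key, nonce, b"transfer 0000100", b"transfer 0000001",
                     b"transfer 9999999", b"dest=attacker"))
```

The victim's decrypt returns the attacker's plaintext instead of raising InvalidTag, which is what "authentication bypass" means in practice: the forgery carries attacker-chosen AAD and, as far as known keystream reaches, attacker-chosen plaintext, all without the AES key. true_h exists only to confirm the recovered value against AES_K(0); the attack path never touches the key.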

Prevention

  • Use the deterministic construction: a fixed field (sender or device id, or a random per-key prefix) followed by a counter that is persisted and never restarts; or derive a fresh key per session so a restarted counter is harmless
  • Use random nonces only within the NIST SP 800-38D budget: at most 2^32 messages per key with a 96-bit nonce
  • Consider AES-GCM-SIV (nonce-misuse resistant: a repeated nonce only reveals whether two plaintexts were identical)
  • Track (key, nonce) pairs to detect reuse, in tests and at the protocol boundaries where counters or sessions restart
  • Rotate keys before the counter wraps or the message budget is spent
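A concrete version of every prevention bullet except AES-GCM-SIV, and of the counter-restart mistake in the Real-World Example above, added here as an example and not code from the original page: a nonce source following the SP 800-38D deterministic construction that exposes its counter for persistence and refuses to issue once the invocation field would wrap, a per-key budget for random nonces, the birthday-bound calculation behind that budget, and a detection pass over (key id, nonce) records. The field sizes, class names and record format are this example's choices; the 2^32 and 2^-32 figures are from SP 800-38D and the log records are constructed.

```python
import math
import secrets
from collections import Counter


class NonceExhausted(Exception):
    """The key must be rotated before another nonce can be issued."""


class DeterministicNonces:
    """SP 800-38D deterministic construction for a 96-bit nonce:
    32-bit fixed field (identifies this sender, so peers sharing the key
    never overlap) || 64-bit big-endian invocation counter.  Persist
    state() before handing out a nonce: a counter that silently restarts
    at 0 is exactly the bug described on this page."""

    def __init__(self, fixed_field: bytes, start: int = 0, limit: int = 1 << 64):
        if len(fixed_field) != 4:
            raise ValueError("fixed field must be 4 bytes")
        self.fixed, self.counter, self.limit = fixed_field, start, limit

    def can_issue(self) -> bool:
        return self.counter < self.limit

    def next(self) -> bytes:
        if not self.can_issue():
            raise NonceExhausted("invocation field would wrap: rotate the key")
        nonce = self.fixed + self.counter.to_bytes(8, "big")
        self.counter += 1
        return nonce

    def state(self) -> int:
        """Counter value to persist (and reload via start=) across restarts."""
        return self.counter


def collision_probability(messages: int, nonce_bits: int = 96) -> float:
    """Birthday bound for random nonces: P ~ 1 - exp(-n(n-1) / 2^(bits+1))."""
    return -math.expm1(-(messages * (messages - 1)) / 2 ** (nonce_bits + 1))


class RandomNonceBudget:
    """Random 96-bit nonces are safe only while collisions stay negligible;
    SP 800-38D caps them at 2^32 messages per key (P ~ 2^-33)."""

    def __init__(self, limit: int = 1 << 32):
        self.limit, self.issued = limit, 0

    def can_issue(self) -> bool:
        return self.issued < self.limit

    def next(self) -> bytes:
        if not self.can_issue():
            raise NonceExhausted("random-nonce budget spent: rotate the key")
        self.issued += 1
        return secrets.token_bytes(12)


def find_reuse(records):
    """Detection check over (key_id, nonce) pairs seen on the wire or in logs:
    returns (key_id, nonce, count) for every pair used more than once."""
    counts = Counter(records)
    return sorted((k, n, c) for (k, n), c in counts.items() if c > 1)


if __name__ == "__main__":
    gen = DeterministicNonces(fixed_field=b"\x00\x00\x00\x07", start=(1 << 64) - 2)
    print(gen.next().hex(), gen.next().hex(), gen.can_issue())
    print(collision_probability(1 << 32) < 2 ** -32, collision_probability(1 << 48))
    # Constructed records: key k1 repeats the nonce ending in 01.
    records = [("k1", bytes(11) + b"\x01"), ("k1", bytes(11) + b"\x02"),
               ("k1", bytes(11) + b"\x01"), ("k2", bytes(11) + b"\x01")]
    print(find_reuse(records))
```

The two generators share one contract, can_issue() going false before a nonce could repeat, so the caller's key-rotation logic is the same whichever construction is in use; find_reuse is the kind of check worth running over test traffic and over captures at any boundary where a process, session or device can restart.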
