
I store the ciphertext and the nonce in a SQL database.

If I decrypt the ciphertext, change it and encrypt it again, I generate a new nonce, so that I do not encrypt two different plaintexts with the same nonce. After encrypting the updated plaintext I store the ciphertext and the new nonce back in the database.

My question is: Should I keep track of the expired nonces so that no other plaintext is ever encrypted with the same nonce again?

I think about doing that because I assume that an attacker could have stolen a version of the database entries, and if he gets a newer version of the data and a nonce is reused because I do not keep track of expired nonces, the attacker potentially gets two different ciphertexts with the same nonce, and this could be a potential risk in my understanding of the NaCl library.

1 Answer


Storing all old nonces is definitely a way of achieving nonce re-use freedom, but it's of course quite costly.

You could also use e.g. a 64-bit counter as a nonce instead:

  • start at 0
  • increment the nonce each time you encrypt something
  • check for overflows when incrementing (if the counter overflows: abort!)

That will also ensure that you don't re-use nonces, and you won't have to store all old nonces. This is also roughly what TLSv1.3 does: https://datatracker.ietf.org/doc/html/rfc8446#section-5.3

ambiso