There have been a few Q&As on this site regarding whether fixed (e.g., all-zero) nonces are safe with key rotation on every encryption, and some mention protocols, like TLS, incorporating randomness into the nonce to improve multi-user security.

However, there seems to be limited guidance (outside of a few papers) on how these randomness approaches are implemented in practice and how they compare, whether the randomness needs to be secret (derived) or can be public (randomly generated), whether terms like key identifiers and nonce masking refer to the same concept, and when these approaches should be used (e.g., with only 128-bit keys or with 256-bit keys as well).

I appreciate that's a lot to answer about, but I think it would be beneficial to have a good summary that can be referenced in one go. The reason being that there's much more discussion of single-user security despite multi-user attacks providing more bang for your buck as an attacker. People are not necessarily aware that a 128-bit key doesn't mean 128-bit security or how much nonce randomization improves security.

It's also worth noting that the single-user/multi-user phrasing is being replaced by single-key/multi-key to add to the confusion.

samuel-lucas6

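As an added illustration (not part of the question or its poster's text), here is what the two routes the question contrasts look like when written out: the secret-derived route as TLS 1.3 builds its per-record nonce (per-connection write IV XOR record sequence number, RFC 8446 §5.3) and the derive-key route where a public random salt feeds HKDF (RFC 5869) to select an independent per-session key. Only the standard library is used; the context strings, keys and salts are constructed for the example.

```python
import hashlib
import hmac
import os

# HKDF (RFC 5869) with HMAC-SHA256, written out so the derivation is visible.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length` bytes."""
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def tls13_record_nonce(write_iv: bytes, seq: int) -> bytes:
    """TLS 1.3 per-record nonce (RFC 8446 §5.3): the 96-bit write_iv XORed with the
    64-bit record sequence number, left-padded with zeros to 96 bits. write_iv is
    derived from the (secret) traffic secret per connection, so two connections that
    both start their counters at 0 still never reuse a (key, nonce) pair."""
    if len(write_iv) != 12 or not 0 <= seq < 2**64:
        raise ValueError("write_iv must be 12 bytes and seq a 64-bit counter")
    return bytes(a ^ b for a, b in zip(write_iv, seq.to_bytes(12, "big")))

def derive_session_key(master_key: bytes, public_salt: bytes) -> bytes:
    """Derive-key approach: a random salt sent in the clear selects an independent
    subkey per session. A key guess checked against one session's ciphertext is then
    a guess about that session's subkey only, not a test against every session at once."""
    prk = hkdf_extract(public_salt, master_key)
    return hkdf_expand(prk, b"example-session-key", 32)  # constructed context string

def demo() -> tuple[bool, bool]:
    """Two sessions under one long-term key get distinct subkeys; one connection's
    records get distinct nonces. Returns (subkeys_differ, nonces_unique)."""
    master = b"\x42" * 32                              # constructed long-term key
    salt_a, salt_b = os.urandom(16), os.urandom(16)    # public, freshly random per session
    key_a = derive_session_key(master, salt_a)
    key_b = derive_session_key(master, salt_b)
    write_iv = hkdf_expand(hkdf_extract(b"", master), b"example-write-iv", 12)
    nonces = [tls13_record_nonce(write_iv, seq) for seq in range(3)]
    return key_a != key_b, len(set(nonces)) == len(nonces)

if __name__ == "__main__":
    print(demo())
```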