Hello John,

> *Any* numeric sequence will repeat eventually unless it grows without
> bound, like a TAI timestamp.

I take "repeats after exceeding 2^n consecutive numbers" over "repeats with a 1/2^n chance" (which can be generalized to 2^(n/2) thanks to the birthday problem).

> But actually it's not enough that a nonce be unique, otherwise 1, 2,
> 3, ... would be a perfectly good sequence of nonces.

That is what a counter with a sequence of NUL bytes would produce. It's perfectly fine, as long as the sequence is not reused.

> So you do want a long-period cryptographically strong random sequence
> like ChaCha20 or Fortuna, or it will be possible to predict the next
> nonce from the previous nonces.

Why would predicting the next nonce matter? You cannot do anything useful with that knowledge. The nonce exists to perturb stream cipher operations so that the combination of same message, same key and nonce does not lead to the same ciphertext.

Vasilij
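The three points of the exchange above (a counter nonce starting from all-NUL bytes, the birthday bound for random nonces, and what repeating a nonce under a stream cipher gives an observer), as an added example that is not part of the original thread. It uses a SHA-256 counter-mode keystream as a stand-in for ChaCha20 and assumes a 96-bit nonce; the key and messages are constructed sample values.

```python
import hashlib
import math
import struct

NONCE_BYTES = 12  # assumption: 96-bit nonce, as in the IETF ChaCha20 construction


class CounterNonce:
    """Deterministic nonce: starts at all-NUL bytes, increments, never wraps."""

    def __init__(self, size=NONCE_BYTES):
        self.size = size
        self.value = 0

    def next(self):
        # A counter repeats only after 2^(8*size) values; refuse to go past that.
        if self.value >= 1 << (8 * self.size):
            raise RuntimeError("nonce space exhausted: rotate the key")
        nonce = self.value.to_bytes(self.size, "big")
        self.value += 1
        return nonce


def random_nonces_before_collision(bits, p=2 ** -32):
    """Birthday bound: ~sqrt(2 * 2^bits * p) random nonces reach collision probability p."""
    return math.sqrt(2 * (2 ** bits) * p)


def keystream(key, nonce, length):
    """Stand-in stream cipher (SHA-256 in counter mode); illustrative, not ChaCha20."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", block)).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, msg):
    """Stream encryption: ciphertext = message XOR keystream(key, nonce)."""
    return xor(msg, keystream(key, nonce, len(msg)))


def reuse_leak(key, nonce, m1, m2):
    """Reusing (key, nonce) cancels the keystream: c1 XOR c2 equals m1 XOR m2."""
    return xor(encrypt(key, nonce, m1), encrypt(key, nonce, m2))
```

With a 96-bit nonce the bound comes out near 2^32.5 random nonces for a 2^-32 repeat probability, whereas the counter only repeats after 2^96 messages.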