On the Word “Nonce” in Cryptography and the UK

Earlier today, I made a Twitter shitpost that confused a lot of folks from the UK.

AES-GCM-SIV be like

You can have little a nonce reuse, as a treat

— Mastodon: soatok@furry.engineer, Cohost: soatok (@SoatokDhole) June 11, 2021

Now, anyone can be forgiven for not knowing what AES-GCM-SIV is, or for being confused by the grammar of the meme. But the source of confusion was the word “nonce”.

Let’s talk about what the word “nonce” means in cryptography, what it means in the UK, and why the UK is completely wrong.

What “Nonce” Means to Cryptographers

The word nonce means number to be used only once.

In some texts, you might see it written as in notation.

If a cryptographic protocol uses a nonce, typically its security depends on the number never being reused with a given key. (It’s fine if two different people use the same nonce, as long as their keys are different.)

Simple, concise, reasonable. I can explain this definition to a fifth grader and they’ll understand it immediately.

I don’t even have to dive into the origins or etymology of the term for it to be understandable. No problems here.

What “Nonce” Means to UK Residents

To a British person, the word nonce means a child molester.

Okay, that escalated quickly. How the hell did they arrive at that definition?

Well, it turns out, the UK slang usage of the word “nonce” is derived from “nance”–derived from “nancy” or “nancyboy”, which is a homophobic and/or transphobic slur.

If you’re not familiar with the discourse of LGBTQIA+ rights, one of the common refrains of homophobes and right-wing extremists (two groups whose Venn diagram is nearly a circle) is that queer people are going to target children.

When I was in school, the way they phrased it was, “Because they cannot reproduce, they must recruit.“

So it doesn’t exactly require the world’s greatest cryptanalysts to figure out how a word associated with gender noncomformity and/or homosexuality would evolve into a synonym for sexual offender in the UK’s vernacular.

Thus, the British usage of the term “nonce” is propping up a lot of hateful and ignorant ideology. Whenever you use the word “nonce” to describe sexual abusers, you’re being incidentally queerphobic. Maybe consider not doing that?

If you really want to insult someone, or imply they’re a threat to the safety of children, just call them a a friend of Jimmy Savile. Or if you want to go low-brow, just call them a paedo. Everyone understands “paedo”!

Why Not Just “Initialization Vector”?

A lot of people in cryptography who are aware of the British slang (but probably not its origins, until now) try to side-step their use of the word “nonce” by calling it an “initialization vector” instead; often abbreviated as IV.

This isn’t helpful for two reasons other than etymology and connotation.

1. Initialization vector means different things to cryptographic constructions (i.e. block cipher modes) than to cryptographic primitives (i.e. hash function internals).
2. When talking about constructions, the security requirements of an initialization vector are subtly different than a nonce.
   • Nonces: Never repeat for a given key. (CTR, GCM, etc.)
   • IVs: Never repeat and be unpredictable. (CBC, etc.)

A lot of cryptography libraries arbitrarily choose one term for their APIs, regardless of the mode used. For brevity, iv is tantalizingly convenient (but so is n), so you often see IV shoehorned everywhere.

For hash functions, the initialization vector is a constant that never changes. For block ciphers, it should always change (and, contrasted with a counter nonce, be an unpredictably random value). This makes the expected security properties of the term needlessly ambiguous.

A nonce is always intended to used once, and never reused.

There are already more than enough overloaded terms in cryptography (n.b. Galois/Counter Mode or Google Cloud Messaging? NaCl or Native Client?).

What About ECDSA Nonces?

ECDSA doesn’t really have a nonce, it has a one-time secret that MUST NOT ever repeat. This variable is called and the requirements are much stricter than even the initialization vectors for CBC mode:

1. It has to be a secret (where nonces and IVs can be public).
2. You can’t even have a biased distribution of bits in or you lose all confidentiality of your signing key. See also: LadderLeak.

Calling the ECDSA k-value a “nonce” is a bad habit that many of us are guilty of, but it’s truly not a nonce.

Which Usage Has Deeper Historical Roots?

The UK slang is much younger than the cryptography (and broader) use of the word “nonce”, which originates from Middle English and means “occurring, used, or made only once or for a special occasion”.

If you’re someone who values that sort of thing, the UK slang still loses out to how cryptographers use the word.

Which Usage Is More Popular?

Almost nobody outside the UK uses the word “nonce” in a bad way. The overwhelming majority of the English-speaking world doesn’t agree with the UK. See also: Nonce word.

This term has been used in cryptography literature since at least 1978.

Needham Schroeder (1978) is easily far back enough – thanks! pic.twitter.com/cPQnHTU8u6

— Paul Crowley (@ciphergoth) May 17, 2022

In Closing

When a cryptographer talks about a nonce, the meaning of the term is clear, obvious, and NOT thinly-veiled queerphobia that crept into the local slang. It’s also more in line with how the word is used in non-cryptographic contexts outside the UK.

The UK usage of the word “nonce” is worse than the cryptographer usage, and therefore they should cede the word’s meaning to cryptographers.

(Y’know, unless you value queerphobic rhetoric that highly.)

Why Does This Even Matter?

Most of the time, when I’m discussing nonces in a cryptography or security context, it’s incredibly clear what I mean by the word. But I frequently have to explain to folks that hail from the UK that, no, I’m not talking about sexual offenders.