3

I don't see an immediate risk of using the hash of the key as the nonce for AES GCM. Is there something I could be overlooking?

Maarten Bodewes

2 Answers

7

I assume you mean AES-GCM.

Nonces must be unique for any use of a key. Given that $n = H(k)$ is constant for constant key $k$, this implies that such a nonce may only be used once, ever. Nonce reuse is particularly catastrophic in GCM mode (as with any other CTR-based mode), as it causes the keystream to be identical.

Essentially, you wind up with two (or more) ciphertexts $C_0 = K \oplus P_0$, $C_1 = K \oplus P_1$. An attacker can trivially compute

$$ \begin{align} C_0 \oplus C_1 &= K \oplus P_0 \oplus K \oplus P_1\\ &= P_0 \oplus P_1 \oplus K \oplus K\\ &= P_0 \oplus P_1 \oplus 0\\ &= P_0 \oplus P_1 \end{align} $$

If an attacker can control the contents of any plaintext, it's trivially game over. Even in the event that an attacker can't, knowing the XOR of two plaintexts is almost inevitably enough to reconstruct the originals.

In general, nonces and IVs for any mode must be unique for any given key. In CTR-based modes, uniqueness is the only constraint placed on the nonce. Other modes may have more stringent requirements; for example, CBC requires IVs to be unpredictable by an attacker. Failure to follow these requirements can result in a complete break of the cipher.

Stephen Touset
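The keystream cancellation described in the answer above, shown concretely against real AES-GCM. This is an added example, not code from the question or the answer: it implements the questioner's construction n = H(k) (assumed here to be SHA-256 truncated to GCM's 96-bit nonce), encrypts two constructed messages under it, and checks that C0 ⊕ C1 equals P0 ⊕ P1, so knowing one plaintext hands an attacker the other. It uses the `cryptography` library, whose `AESGCM.encrypt` returns ciphertext with the 16-byte tag appended.

```python
import hashlib
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

GCM_TAG_LEN = 16  # AESGCM.encrypt returns ciphertext || 128-bit tag


def key_derived_nonce(key: bytes) -> bytes:
    """The construction from the question: n = H(k).

    SHA-256 is an assumption for H; the digest is truncated to GCM's
    standard 96-bit nonce. For a fixed key this is a constant.
    """
    return hashlib.sha256(key).digest()[:12]


def encrypt_with_key_nonce(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under the (constant) key-derived nonce. Deliberately unsafe."""
    return AESGCM(key).encrypt(key_derived_nonce(key), plaintext, None)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_other_plaintext(ct0: bytes, ct1: bytes, known_p0: bytes) -> bytes:
    """Attacker's step: two GCM ciphertexts under the same key and nonce plus
    one known plaintext give the other plaintext over the common length.

    C0 xor C1 = (K xor P0) xor (K xor P1) = P0 xor P1, so P1 = C0 xor C1 xor P0.
    """
    body0, body1 = ct0[:-GCM_TAG_LEN], ct1[:-GCM_TAG_LEN]  # drop the tags
    n = min(len(body0), len(body1), len(known_p0))
    return xor_bytes(xor_bytes(body0[:n], body1[:n]), known_p0[:n])


def demo_nonce_reuse() -> dict:
    # Constructed key and messages for the demonstration only.
    key = bytes(range(16))
    p0 = b"transfer 100 USD to account 12345"
    p1 = b"transfer 900 USD to account 99999"

    ct0 = encrypt_with_key_nonce(key, p0)
    ct1 = encrypt_with_key_nonce(key, p1)
    body0, body1 = ct0[:-GCM_TAG_LEN], ct1[:-GCM_TAG_LEN]

    # Same key, same nonce => same keystream => ciphertext XOR leaks plaintext XOR.
    keystream_cancels = xor_bytes(body0, body1) == xor_bytes(p0, p1)
    recovered_p1 = recover_other_plaintext(ct0, ct1, p0)

    # Contrast: a fresh random 96-bit nonce per message. The ciphertext XOR
    # then bears no relation to the plaintext XOR.
    aead = AESGCM(key)
    r0 = aead.encrypt(os.urandom(12), p0, None)[:-GCM_TAG_LEN]
    r1 = aead.encrypt(os.urandom(12), p1, None)[:-GCM_TAG_LEN]
    random_nonce_leaks = xor_bytes(r0, r1) == xor_bytes(p0, p1)

    return {
        "nonce_is_constant": key_derived_nonce(key) == key_derived_nonce(key),
        "keystream_cancels": keystream_cancels,
        "p1": p1,
        "recovered_p1": recovered_p1,
        "random_nonce_leaks": random_nonce_leaks,
    }


if __name__ == "__main__":
    result = demo_nonce_reuse()
    print("C0 xor C1 == P0 xor P1:", result["keystream_cancels"])
    print("recovered P1:", result["recovered_p1"])
    print("leak with random nonces:", result["random_nonce_leaks"])
```

The recovery above only uses the confidentiality failure the answer derives. Nonce reuse in GCM additionally exposes the GHASH authentication key and so permits forgeries as well; that part is not shown here.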
2

As pointed out the nonce must be unique so hash of key only is not going to work. You could however hash the key and plaintext together to produce a secure nonce: $n = H(m|k)$.

Note that this would still result in the same ciphertext for identical plaintext. So it doesn't fulfill the requirements for the ciphertext to be indistinguishable.

Maarten Bodewes
Gerald Davis
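The message-derived nonce n = H(m|k) from the answer above, as an added example rather than code from the answer or the page. It assumes SHA-256 for H, truncated to 96 bits, and the `cryptography` library for AES-GCM. Because the receiver cannot recompute a nonce that depends on the plaintext, the nonce has to travel with the ciphertext, which the example does by prepending it. The demo checks both properties the answer names: the nonce no longer repeats across distinct messages, but identical messages produce identical ciphertexts, so equality of plaintexts is visible to anyone who sees the ciphertexts.

```python
import hashlib

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # GCM's standard 96-bit nonce


def message_derived_nonce(key: bytes, message: bytes) -> bytes:
    """n = H(m|k) as written in the answer; SHA-256 is an assumption for H."""
    return hashlib.sha256(message + key).digest()[:NONCE_LEN]


def encrypt_deterministic(key: bytes, message: bytes) -> bytes:
    """Encrypt under n = H(m|k). Output is nonce || ciphertext || tag, because
    the receiver has no m yet and therefore cannot derive the nonce itself."""
    nonce = message_derived_nonce(key, message)
    return nonce + AESGCM(key).encrypt(nonce, message, None)


def decrypt_deterministic(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, None)


def demo_message_derived_nonce() -> dict:
    # Constructed key and messages for the demonstration only.
    key = bytes(range(16, 32))
    m_a = b"balance query for account 12345"
    m_b = b"balance query for account 12345"  # identical to m_a
    m_c = b"balance query for account 99999"  # differs from m_a

    ct_a = encrypt_deterministic(key, m_a)
    ct_b = encrypt_deterministic(key, m_b)
    ct_c = encrypt_deterministic(key, m_c)

    return {
        # Distinct plaintexts get distinct nonces, so the keystream is not reused.
        "distinct_messages_distinct_nonces": ct_a[:NONCE_LEN] != ct_c[:NONCE_LEN],
        # Identical plaintexts get the identical nonce and identical ciphertext:
        # an observer learns that two messages were equal.
        "equal_messages_equal_ciphertexts": ct_a == ct_b,
        "distinct_messages_distinct_ciphertexts": ct_a != ct_c,
        "roundtrip_ok": decrypt_deterministic(key, ct_c) == m_c,
    }


if __name__ == "__main__":
    for name, value in demo_message_derived_nonce().items():
        print(f"{name}: {value}")
```

This is the idea behind the SIV family of modes (AES-GCM-SIV being the standardised one), which accept exactly the trade-off the answer points out: no catastrophic failure on a repeated message, but deterministic ciphertexts that reveal repeats.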