Nonce reuse for different recipients?

Question

I'm generating a new random symmetric key and want to pass that to multiple people using crypto_box_easy. Is it okay to reuse the same (random) nonce for the same message and same sender but for different recipients? Can the same nonce be used for a symmetric encryption with the random key and crypto_secretbox_easy?

As the nonce has to be served along with the encrypted message it can't be hidden anyway, but is reuse across multiple different recipients a problem? If they provide a badly generated public key, can that weaken encryption in a way that other peoples' secret keys could be extracted?

Thanks a lot.

Answer 1

A nonce can be reused as long as a (key, nonce) tuple is not reused.

You're right that reusing a nonce with the same key would result in a catastrophic loss of privacy with a stream cipher like XSalsa20.

The thing is, crypto_box_easy uses the recipients public key to generate a shared secret that is then used with a nonce.

Thus even with a static nonce, the (nonce, key) pair for each recipient will be different.

Although, it's not acceptable to use the same (nonce, key) pair twice, you can use the same nonce for each recipient, but only once.

It's acceptable to use the same nonce once for each recipient using the crypto_box_easy construct ONCE.

It even states this in the libsodium documentation:

The nonce doesn't have to be confidential, but it should be used with just one invocation of crypto_box_easy() for a particular pair of public and secret keys.

i.e. for one message per recipient.