
On the Word “Nonce” in Cryptography and the UK

Earlier today, I made a Twitter shitpost that confused a lot of folks from the UK.

In the style of the “cats can have little a salami, as a treat” meme.

Now, anyone can be forgiven for not knowing what AES-GCM-SIV is, or for being thrown by the broken grammar of the meme. But the source of confusion was the word “nonce”.

Let’s talk about what the word “nonce” means in Cryptography, what it means in the UK, and why the UK is completely wrong.

That’s right. I’m going to lecture the English on the English language.
(Art by Khia.)

What “Nonce” Means to Cryptographers

The word nonce means number to be used only once.

In some texts, you might see it written as in notation.

If a cryptographic protocol uses a nonce, typically its security depends on the number never being reused with a given key. (It’s fine if two different people use the same nonce, as long as their keys are different.)

Simple, concise, reasonable. I can explain this definition to a fifth grader and they’ll understand it immediately.

What “Nonce” Means to UK Residents

To a British person, the word nonce means a child molester.

(Art by Khia.)

Okay, that escalated quickly. How the hell did they arrive at that definition?

Well, it turns out, the word “nonce” is derived from “nance”–a homophobic slur derived from “nancy” or “nancyboy”.

If you’re not familiar with the discourse of LGBTQIA+ rights, one of the common refrains of homophobes and right-wing extremists (two groups whose Venn diagram is nearly a circle) is that queer people are going to target children.

When I was in school, the way they phrased it was, “If they cannot reproduce, they must recruit.”

So it doesn’t exactly require the world’s greatest cryptanalysts to figure out how a word associated with gender nonconformity and/or homosexuality would become a synonym for sexual offender in the UK’s vernacular.

Thus, the British usage of the term is propping up a lot of hateful and ignorant ideology. Whenever you use the word “nonce” to describe sexual abusers, you’re being queerphobic.

If you really want to insult someone, or imply they’re a threat to the safety of children, just call them a friend of Jimmy Savile.

Why Not Just “Initialization Vector”?

A lot of people in cryptography who are aware of the British slang (but probably not its origins, until now) try to side-step their use of the word “nonce” by calling it an “initialization vector” instead; often abbreviated as IV.

This isn’t helpful for two reasons other than etymology and connotation.

  1. Initialization vector means different things to cryptographic constructions (i.e. block cipher modes) than to cryptographic primitives (i.e. hash function internals).
  2. When talking about constructions, the security requirements of an initialization vector are subtly different than a nonce.
    • Nonces: Never repeat for a given key. (CTR, GCM, etc.)
    • IVs: Never repeat and be unpredictable. (CBC, etc.)

A lot of cryptography libraries arbitrarily choose one term for their APIs, regardless of the mode used. For brevity, iv is tantalizingly convenient (but so is n), so you often see IV shoehorned everywhere.

For hash functions, the initialization vector is a constant that never changes. For block ciphers, it should always change (and, contrasted with a counter nonce, be an unpredictably random value). This makes the expected security properties of the term needlessly ambiguous.

A nonce is always intended to be used once, and never reused.
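To make the nonce rule and the nonce/IV distinction concrete, here is an added Python example (not code from the original post). It assumes a toy HMAC-SHA256 keystream as a stand-in for a CTR-style cipher; all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream (assumption: HMAC-SHA256 stands in for AES-CTR).
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

class CounterNonce:
    """Nonce source for CTR/GCM-style modes: unique per key, may be predictable."""
    def __init__(self, size: int = 12):
        self.size = size
        self.counter = 0

    def take(self) -> bytes:
        if self.counter >= 1 << (8 * self.size):
            raise OverflowError("nonce space exhausted for this key; rotate the key")
        nonce = self.counter.to_bytes(self.size, "big")
        self.counter += 1
        return nonce

def random_iv(size: int = 16) -> bytes:
    # IV for CBC-style modes: must also be unpredictable, so use the OS CSPRNG.
    return secrets.token_bytes(size)

def ciphertexts_leak_xor(key_a, key_b, nonce, p1, p2) -> bool:
    # True when c1 XOR c2 equals p1 XOR p2, i.e. the keystream cancelled out.
    c1 = encrypt(key_a, nonce, p1)
    c2 = encrypt(key_b, nonce, p2)
    return xor(c1, c2) == xor(p1, p2)

# Constructed sample values, for illustration only.
KEY_1, KEY_2 = b"\x01" * 32, b"\x02" * 32
MSG_1, MSG_2 = b"transfer 100 to alice", b"transfer 999 to mallo"
if __name__ == "__main__":
    shared = CounterNonce().take()
    print("same key, same nonce leaks:", ciphertexts_leak_xor(KEY_1, KEY_1, shared, MSG_1, MSG_2))
    print("different keys, same nonce leaks:", ciphertexts_leak_xor(KEY_1, KEY_2, shared, MSG_1, MSG_2))
```

With the same key and nonce the keystream cancels and the ciphertexts reveal the XOR of the plaintexts; with different keys the same nonce is harmless.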

There are already more than enough overloaded terms in cryptography (n.b. Galois/Counter Mode or Google Cloud Messaging? NaCl or Native Client?).

In Closing

When a cryptographer talks about a nonce, the meaning of the term is clear, obvious, and NOT thinly-veiled queerphobia that crept into the local slang.

The UK usage of the word “nonce” is worse than the cryptographer usage, and therefore they should cede the word’s meaning to cryptographers.

(Y’know, unless you value queerphobic rhetoric that highly.)

You know I’m right.
(Art by Khia.)


This post first appeared on Dhole Moments - Software, Security, Cryptography, And The Furry Fandom.
