Bounded Nonces Considered Sufficient

A typographic testbed that lays out a full academic paper — title block, abstract, numbered sections, definitions, theorems, an algorithm, displayed math, results, figures, and references — in the site's aesthetic.

testbed, typography, research-paper, design-system, internal

Cite this
APA
Mangalapilly, Y. J. (2026, July). Bounded Nonces Considered Sufficient. Saṃhitā Notes. https://yesudeep.com/_research-paper/
BibTeX
@online{mangalapilly2026bounded,
          author  = {Yesudeep Jose Mangalapilly},
          title   = {Bounded Nonces Considered Sufficient},
          journal = {Sa\d{m}hit\=a Notes},
          year    = {2026},
          month   = {July},
          url     = {https://yesudeep.com/_research-paper/},
          urldate = {2026-07-16},
        }
Plain
Yesudeep Jose Mangalapilly. “Bounded Nonces Considered Sufficient.” Saṃhitā Notes, 2026. https://yesudeep.com/_research-paper/.
RIS
TY  - ELEC
        AU  - Mangalapilly, Yesudeep Jose
        TI  - Bounded Nonces Considered Sufficient
        T2  - Saṃhitā Notes
        PY  - 2026
        UR  - https://yesudeep.com/_research-paper/
        Y2  - 2026-07-16
        ER  - 

Ada R. Cipher · Boris N. Once · Charvi Token

Institute for Applied Marginalia, Saṃhitā University · {ada, boris, charvi}@example.edu

We revisit the assumption that a content-security nonce must be drawn from an unbounded space to be unforgeable. We show that a per-response token of fixed width k bits resists prediction with probability negligible in k, give a constructive generation procedure, and report a measurement over a synthetic corpus of 1.6 million responses. Our central result is that k = 128 is not merely sufficient but comfortable: the marginal security of additional bits falls off exponentially while the cost of generation stays constant. We close with the limits of the model and three directions for further work.

Introduction

A nonce is a number used once. The folklore holds that "more random is more secure," and so implementers reach for ever-wider tokens, paying generation and transport cost for security they do not measure. (Footnote 1: This is a footnote, rendered as a sidenote in the gutter — the paper's apparatus for asides that would interrupt the argument.) Prior work on the width of single-use tokens [1] left the question of a tight bound open. This paper asks the narrow question precisely: how wide must a nonce be? — and answers it with a bound, a construction, and a measurement.

Our contributions are threefold:

  • A formal sufficiency bound (Theorem 1) relating token width to prediction probability under a standard adversary.
  • A constructive generator (Algorithm 1) that meets the bound using only a cryptographically secure source and a fixed-width encoding.
  • An empirical study over a synthetic corpus, showing the bound is not just asymptotic but tight at deployable widths.

The remainder is organized as follows. Section 2 fixes definitions and the threat model. Section 3 states and proves the bound. Section 4 gives the construction. Section 5 reports measurements, and Section 6 concludes.

Preliminaries

We work in the standard model and assume a probabilistic polynomial-time adversary with read access to prior responses but no access to the server's randomness source.

Definition. A nonce scheme is a pair (Gen, Check) where Gen emits a token t ∈ {0,1}^k per response and Check accepts t on a response iff t was the token Gen emitted for that response.

Definition. A scheme is ε-unforgeable if no adversary, given any number of prior tokens, predicts the token of a fresh response with probability greater than ε.

The two definitions above are the whole vocabulary we need; everything that follows is a statement about the relationship between k and ε.

Threat model

The adversary sees an arbitrary transcript of past (response, token) pairs and must produce the token for a response it has not seen. It may compute without bound between rounds. It may not observe the generator's internal state — the assumption a cryptographically secure source is meant to earn.

The sufficiency bound

We can now state the central result. Its proof is a one-line counting argument, which is precisely the point: the security does not depend on any structure of the token beyond its width.

Theorem 1. If Gen draws each token uniformly from {0,1}^k using a cryptographically secure source, the scheme is ε-unforgeable for ε = 2^{-k}.

Proof. The probability that a single guess matches a uniformly random k-bit value is exactly:

$$\Pr[\text{forge}] = \frac{1}{2^{k}} = 2^{-k}.$$

For k = 128 this is on the order of 3 × 10^{-39}, a figure with no operational meaning other than "never." Doubling to 256 bits squares the denominator and changes nothing a defender can perceive — the marginal bit is free of cost only because it is also free of benefit.

The advantage of any adversary making q guesses against the scheme of Theorem 1 is at most q · 2^{-k}, which remains negligible for q polynomial in k.

The construction

The generator is deliberately dull. Dullness is a feature: every clever addition is a place for entropy to leak.

Algorithm 1. Generate a bounded nonce.

input:  width k (bits), secure source S
output: a base64url token t

1.  b ← S.random_bytes(⌈k / 8⌉)   # CSPRNG, not Math.random
2.  t ← base64url(b)              # encoding is cosmetic
3.  store t against response id
4.  return t

Two properties of the construction are worth stating. First, the encoding in step 2 is cosmetic: the verifier does a strict string comparison and never decodes t, so base64url is chosen purely for transport. Second, the source in step 1 carries the entire security argument — substitute a non-cryptographic PRNG and Theorem 1 fails immediately, since the tokens are then predictable from a few outputs regardless of k.
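Algorithm 1 and the (Gen, Check) definitions as runnable Python. This is an added example, not code from the paper. The class and function names, the in-memory store, the 128-bit floor and the use of hmac.compare_digest for the strict comparison are assumptions made here; seeded_source is a counter-example source included only to show that width and encoding say nothing about predictability.

```python
import base64
import hmac
import math
import secrets
from random import Random  # imported only for the counter-example source


def encode(raw: bytes) -> str:
    """Step 2: base64url, padding stripped. Transport only, adds no entropy."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class NonceScheme:
    """(Gen, Check) over tokens of width k, stored per response id."""

    def __init__(self, k: int = 128, source=secrets.token_bytes):
        if k < 128:  # policy chosen for this example, after the paper's verdicts
            raise ValueError("token width below 128 bits")
        self.nbytes = math.ceil(k / 8)
        self.source = source  # step 1: has to be a CSPRNG
        self.issued = {}      # step 3: response id -> token

    def gen(self, response_id: str) -> str:
        token = encode(self.source(self.nbytes))
        self.issued[response_id] = token
        return token

    def check(self, response_id: str, presented: str) -> bool:
        expected = self.issued.get(response_id)
        if expected is None:
            return False
        # Strict comparison of the encoded strings; the token is never decoded.
        return hmac.compare_digest(expected.encode(), presented.encode())


def seeded_source(seed: int):
    """Counter-example: Mersenne Twister, fully determined by its seed."""
    rng = Random(seed)
    return lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")


if __name__ == "__main__":
    scheme = NonceScheme()
    token = scheme.gen("resp-1")
    print(token, scheme.check("resp-1", token), scheme.check("resp-2", token))
    # Same width, same encoding, yet two servers sharing a seed agree on every token.
    a, b = NonceScheme(source=seeded_source(7)), NonceScheme(source=seeded_source(7))
    print(a.gen("x") == b.gen("y"))
```

The seeded generators emit identical 22-character tokens, which is the second property above seen from the defender's side: a review of the source in step 1 matters more than any review of k.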

The trust boundary the construction defends. A token the server vouched for runs with full authority; one the attacker forged is rejected — the same shape whether the vouching is by signature or by nonce. (A figure, to exercise the paper's figure apparatus.)

Measurements

We generated a synthetic corpus of 1.6 million responses at four widths and measured (a) the empirical collision rate and (b) the median generation time. The corpus is synthetic by design: real traffic adds confounds (caching, retries) that the caching analysis treats separately.

Collision rate and generation cost by token width, over 1.6M synthetic responses. Collisions vanish by 64 bits; generation cost is flat — the wider token buys nothing measurable. (Figures illustrative.)
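| width (bits) | collisions | gen. time (µs) | verdict     |
|--------------|------------|----------------|-------------|
| 32           | 184        | 0.9            | unsafe      |
| 64           | 0          | 1.0            | borderline  |
| 128          | 0          | 1.1            | recommended |
| 256          | 0          | 1.3            | wasteful    |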

The collision column tells the story the bound predicts: at 32 bits the birthday effect is visible in a corpus this size; by 64 it is gone; past 128 the column is all zeros and the cost column is flat. The same data as a chart:

Generation cost is effectively constant across widths — the security/cost tradeoff is degenerate, which is the paper's whole argument.
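A small-scale version of the collision measurement that a reader can run locally, set beside the birthday approximation. This is an added example, not the paper's measurement harness; the function names, the corpus size and the widths in the sweep are constructed for illustration. Raw bytes are compared because the encoding is cosmetic.

```python
import math
import secrets


def expected_colliding_pairs(n: int, k: int) -> float:
    """Birthday approximation: n(n-1)/2 pairs, each equal with probability 2^-k."""
    return n * (n - 1) / 2 / 2 ** k


def measure_collisions(n: int, k: int) -> int:
    """Draw n tokens of ceil(k/8) bytes; count draws that repeat an earlier token."""
    nbytes = math.ceil(k / 8)
    seen = set()
    repeats = 0
    for _ in range(n):
        token = secrets.token_bytes(nbytes)
        if token in seen:
            repeats += 1
        else:
            seen.add(token)
    return repeats


def sweep(n: int, widths=(8, 16, 32, 64, 128)) -> dict:
    """Map width -> (measured repeats, predicted colliding pairs) for one corpus size."""
    return {k: (measure_collisions(n, k), expected_colliding_pairs(n, k))
            for k in widths}


if __name__ == "__main__":
    # Constructed corpus size, far smaller than the paper's, so the sweep is quick.
    for k, (measured, predicted) in sweep(50_000).items():
        print(f"{k:>4} bits  measured={measured:<6} predicted pairs={predicted:.3g}")
```

At very small widths the measured repeats fall below the predicted pair count because one repeated token can account for several pairs; the two agree once collisions are sparse.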

A reader who wants the mechanism behind these numbers, rather than the numbers, will find it in the companion note on strict CSP. (Footnote 2: A second sidenote, to confirm two can coexist without colliding, exactly as in the main testbed.)

Conclusion

We have shown that a fixed-width nonce is sufficient, that the sufficient width is small, and that paying for more is paying for nothing. The result is unglamorous, which we take as evidence for it: a security property that depends only on a token's width, and not on any cleverness in its construction, is exactly the kind that survives contact with real systems.

Three limits bound the claim. The model assumes the generator's state is unobservable; a side channel breaks it. It assumes per-response uniqueness, which a cache can silently violate [3]. And it is a statement about prediction, not about exfiltration — a nonce stolen from the page is a different problem, and a harder one.

The reference list below is generated by a filter: each source is declared once with a key, cited inline by key, and auto-numbered here in declaration order. Entries are filler that exercise the formatting.

References

  1. A. R. Cipher, B. N. Once. “On the Width of Single-Use Tokens.” Proc. Imaginary Symposium on Applied Marginalia, 2026.
  2. C. Token. “Encodings Are Not Entropy.” Journal of Cosmetic Cryptography 12(3):45–67, 2025.
  3. M. F. Lock, N. Key. “A Survey of Things Used Once.” ACM Computing Surveys 58(2):1–34, 2026.
  4. P. Seed, Q. Jitter. “Self-Seeding Generators at Early Boot.” Trans. on Reproducible Randomness, 2024.
