Generate locally unique nonces (number-only-used-once) in distributed Elixir.

Nonces are unique values that are generated once and never repeated within your system. They have many practical uses including:

• ID Generation: Create unique identifiers for database records, API requests, or any other resource in distributed systems. If this is your use case, have a look at Once.
• Cryptographic Operations: Serve as initialization vectors (IVs) for encryption algorithms, ensuring security in block cipher modes
• Deduplication: Identify and prevent duplicate operations or messages in distributed systems

Locally unique means that the nonces are unique within your application/database/domain, as opposed to globally unique nonces (like UUIDs) which are unique across all applications and domains.

Usage

Note that NoNoncense is not a GenServer. Instead it stores its initial state using :persistent_term and its internal counter using :atomics. Because :persistent_term triggers a garbage collection cycle on writes, it is recommended to initialize your NoNoncense instance(s) at application start, when there is hardly any garbage to collect.

# lib/my_app/application.ex
# generate a machine ID, start conflict guard and initialize a NoNoncense instance
defmodule MyApp.Application do
  use Application

  def start(_type, _args) do
    machine_id = NoNoncense.MachineId.id!(node_list: [:"myapp@127.0.0.1"])
    # base_key is required for encrypted nonces
    :ok = NoNoncense.init(machine_id: machine_id, base_key: System.get_env("BASE_KEY"))

    children =
      [
        # optional but recommended
        {NoNoncense.MachineId.ConflictGuard, [machine_id: machine_id]}
      ]

    opts = [strategy: :one_for_one, name: MyApp.Supervisor]
    Supervisor.start_link(children, opts)
  end
end

Then you can generate nonces.

# generate counter nonces
iex> <<_::64>> = NoNoncense.nonce(64)
iex> <<_::96>> = NoNoncense.nonce(96)
iex> <<_::128>> = NoNoncense.nonce(128)

# generate sortable nonces
iex> <<_::64>> = NoNoncense.sortable_nonce(64)
iex> <<_::96>> = NoNoncense.sortable_nonce(96)
iex> <<_::128>> = NoNoncense.sortable_nonce(128)

# generate encrypted nonces
# be sure to read the NoNoncense docs before using 64/96-bit encrypted nonces
iex> <<_::64>> = NoNoncense.encrypted_nonce(64)
iex> <<_::96>> = NoNoncense.encrypted_nonce(96)
iex> <<_::128>> = NoNoncense.encrypted_nonce(128)

Anatomy of a nonce

While there are different types of nonces, they share a common binary composition.

• 42 bits: Millisecond-precision timestamp (relative to the configured epoch, which is 2025-01-01 00:00 by default).
• 9 bits: Machine ID (supports up to 512 nodes).
• Remaining bits: Per-machine counter (size depends on total nonce length).

Nonce types

Choose the type that best fits your security and performance requirements.

Nonces are guaranteed to be unique if and only if:

• You use one instance and one nonce type. Only use separate instances for separate purposes (database IDs and encryption IVs, for example).
• Machine IDs are unique for each node (NoNoncense.MachineId and NoNoncense.MachineId.ConflictGuard can help with that).
• Nodes maintain a somewhat accurate clock (specifically, the UTC clock must progress between node restarts).
• Sortable nonces only: the machine clock has to be accurate.
• Encrypted nonces only: the cipher and key must not be changed.

Counter nonces

Counter nonces are essentially a counter that is initialized with the machine (node) start time. An overflow of a nonce's counter bits will trigger a timestamp increase by 1ms, meaning that the timestamp effectively functions as the high-order bits of the counter. Because the timestamp can't exceed the actual time (that would break the uniqueness guarantee), new nonce generation throttles if the timestamp catches up to the actual time.

That means that the maximum sustained rate is 8M/s per machine for 64-bit nonces (which have 13 counter bits). In practice, it is unlikely that nonces are generated at such an extreme sustained rate, and the timestamp will lag behind the actual time. This creates "saved up seconds" that can be used to burst to even higher rates. For example, if the first nonce is generated 10 seconds after initialization, 10K milliseconds have been "saved up" to generate 80M nonces as quickly as hardware will allow. Benchmarking shows rates in the tens of millions per second are attainable this way.

96/128 bits counter nonces have such large counters that they can be generated at a practically unlimited sustained rate of >= 2^45 nonces per ms per machine, meaning they will never catch the actual time, and the practical rate is only limited by hardware.

Sortable nonces (Snowflake IDs)

Sortable nonces have an accurate creation timestamp (as opposed to counter nonces). This makes them analogous to Snowflake IDs, apart from the slightly altered bit distribution of NoNoncense nonces (42 instead of 41 timestamp bits, 9 instead of 10 ID bits, no unused bit).

This has some implications. Again, 96/128-bit sortable nonces can be generated as quickly as your hardware can go. However, the 64-bit variant can be generated at 8M/s per machine and can't ever burst beyond that (the "saved-up-seconds" mechanic of counter nonces does not apply here). This should of course be plenty for most applications.

Encrypted nonces

By encrypting a nonce, the timestamp, machine ID and sequence information leak can be prevented. However, we wish to encrypt in a way that maintains the uniqueness guarantee of the input counter nonce. We can achieve this by using a block cipher where the cipher's block size matches the nonce's bit-length.

Nonce encryption deep dive

Block ciphers essentially create a 1:1 (bijective) mapping of each plaintext block of data to an encrypted block. Most modern ciphers use 128-bit blocks, notably "gold standard" AES, making it the perfect choice for 128-bit nonces.

The problem is that we can't use a 128-bit block cipher for 64/96-bit nonces, because we can't truncate the output. If we encrypt a 64-bit nonce with AES and then truncate the output back to 64 bits, collisions are possible. This makes sense in extremis: if we truncated to a single byte, the 2^64 unique inputs would result in only 256 unique outputs. So that's why we need ciphers with 64 and 96-bit block sizes, respectively. Unfortunately these are exceedingly rare because they are no longer secure for general-purpose usage.

One such cipher is Speck, designed by the NSA in 2013 for lightweight encryption. It has both 64 and 96-bit variants. The optional dependency SpeckEx, backed by (precompiled) Rust crate speck_cipher, enables support for it. It is very fast; in line with hardware-accelerated AES. Be aware that although the primitive block cipher mode used by NoNoncense matches official test vectors, SpeckEx has not been reviewed or audited.

If you only want to use OTP (OpenSSL) ciphers, we are limited to DES, 3DES, and BlowFish which all operate on 64-bit blocks. Both DES and Blowfish have been moved to the legacy ciphers list in OpenSSL 3.0, which means they are not available on all systems (notably Mac and Windows). Blowfish is the default because it offers the best performance by miles and is still available (for now) in Linux distributions, on which Elixir applications are likely to run. 3DES is a fallback option if that doesn't work for you and you don't want to use Speck. It is still part (for now) of the default ciphers in OpenSSL.

For 96-bit nonces there are no block ciphers whatsoever to choose from in OTP. The best we can do is generate a 64-bit encrypted nonce and append 32 zero bits. That way the nonce as a whole is unique, despite the predictable tail. You should determine for yourself if you can live with that. The only other option - and the main reason it exists in the first place - is using SpeckEx, because Speck has a 96-bit variant that can encrypt a full 96-bit counter nonce, without needing any padding.

Crypto suitability

NoNoncense encrypted nonces are unique and unpredictable, making them suitable for use as the input IV/nonce of a block or streaming cipher to encrypt your own data, like so:

iex> data = "Hello world"
iex> key = :crypto.strong_rand_bytes(32)
iex> iv = NoNoncense.encrypted_nonce(128)
iex> ciphertext = :crypto.crypto_one_time(:aes_256_cbc, key, iv, data, true)

Technically speaking, some block modes and ciphers only require IVs/nonces that are unique for a given key (but not necessarily unpredictable). Examples are CTR, GCM, CCM modes and streaming ciphers like ChaCha20. That means NoNoncense counter & sortable nonces technically meet the criteria, but because they leak information this is not a recommended practice.