Nonce Collision Probability Calculator

Reviewed by the CalculatorHub team, edited by James Graham. Birthday-bound collision model. Last verified 19 June 2026.

Random nonces must almost never repeat, because a single reuse can break encryption or signatures. This calculator estimates the probability that at least two of your randomly generated nonces collide, given the nonce bit length and how many you generate, using the birthday approximation. Enter the nonce size and count to see the collision probability and how it compares to a common 2^-32 safety threshold.

Nonce size (bits)

Number of nonces generated

Collision probability

0.00

Probability (log2)

0.00

Below 2^-32 threshold?

Safe count at 2^-32 limit

0.00

Nonce collision formula

N = 2^bits
collision probability p ~ 1 - exp( -k^2 / (2N) )
for small p: p ~ k^2 / (2N)
safe count at limit L: k_max ~ sqrt( 2 * N * L )

This is the birthday approximation for k draws from N equally likely values. The exponential form is accurate from negligible to near-certain probabilities. The safe count solves the small-probability form for the number of nonces that keeps the collision risk at or below a chosen limit.

Worked example

A 96-bit nonce, 1 billion (10^9) generated. N = 2^96, about 7.92e28. p ~ k^2 / (2N) = (10^9)^2 / (2 times 7.92e28) = 10^18 / 1.58e29 = about 6.31e-12, around 2^-37.4, comfortably below the 2^-32 threshold. The safe count at the 2^-32 limit is sqrt(2 times 2^96 times 2^-32) = 2^32.5, about 6.07 billion.

Nonce collisions: frequently asked questions

What is a nonce and why do collisions matter?

A nonce is a number used once, generated fresh for each operation such as an encryption or a signature. If two operations reuse the same random nonce, the security of many schemes (for example AES-GCM or ECDSA) can break catastrophically. So the chance of an accidental repeat must be kept negligible.

How is collision probability calculated?

With N = 2^bits possible nonces and k draws, the birthday approximation gives collision probability p ~ 1 - exp(-k^2 / (2N)). For small probabilities this is close to k^2 / (2N). The calculator uses the exact exponential form to stay accurate across the range.

How many nonces are safe for a given size?

A common rule keeps the collision probability below 2^-32. For a 96-bit random nonce (as in AES-GCM) that limit is reached near 2^32 messages, which is why standards cap the number of messages per key. Use this calculator to check your own nonce size and volume.

Does a counter avoid collisions?

Yes, a strictly increasing counter never repeats within its range, avoiding birthday collisions entirely, as long as it never wraps or resets and is unique per key. Random nonces are simpler to manage across distributed systems but carry birthday-bound collision risk, which this tool quantifies.

Sources and references

NIST Computer Security Resource Center: SP 800-38D, Galois/Counter Mode and nonce requirements.
NIST Computer Security Resource Center: cryptographic standards and guidelines.
Formula: standard birthday-bound collision approximation.

Reviewed by the CalculatorHub team, edited by James Graham, 19 June 2026. See our methodology.