
What best to put in unused nonce bytes when using AES-GCM-SIV [migrated]

Çağlar Arlı


I want to use AES-GCM-SIV for authenticated encryption of messages in my protocol.

Since it is a wireless protocol, I want to transmit as few bytes as possible. For successful decryption I need to transmit the nonce alongside the ciphertext and the tag, and in theory this nonce is 12 bytes for AES-GCM-SIV, but I don't think this nonce needs to be fully random - unique is enough (correct me if I am wrong). So I thought 4 bytes may be enough to ensure uniqueness for a very, very long time, as the number of devices that share one key will be on the order of hundreds at most in my case. (If I wanted to be sure, I could also use 5 bytes.)

My question now is: what should the rest of the bytes be? Is it OK to set them all to zeroes, or should I use some other constant, or is there a general problem with this approach?

As a side note: what exactly are the security implications of nonce reuse for AES-GCM-SIV? My understanding is that it is "hardened" against nonce misuse, but I don't fully understand what that means in practice. The nonce must still be important, or else you could just leave it constant, so at what point does this become a problem?
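Worked example, added here and not part of the question: a compact AES-GCM-SIV (RFC 8452) written over the raw AES block function from pyca/cryptography (an assumed dependency, `pip install cryptography`), the 4-byte-counter nonce layout the question proposes with the remaining 8 nonce bytes fixed to an assumed constant (`NONCE_SUFFIX`, zeros), a packet format that sends only those 4 counter bytes, and a small check of what reusing one (key, nonce) pair actually leaks. The counter value and message texts in the demo are constructed sample data; `seal`, `open_packet` and `nonce_reuse_demo` are names chosen for this example.

```python
# Added example (not code from the question): AES-GCM-SIV per RFC 8452 built on
# the AES block cipher from pyca/cryptography, a nonce layout of LE32 counter ||
# 8 constant bytes, and a check of what (key, nonce) reuse actually leaks.
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# POLYVAL field GF(2^128) mod x^128 + x^127 + x^126 + x^121 + 1; bit k of the
# little-endian integer form of a 16-byte block is the coefficient of x^k.
_POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
_X_INV128 = (1 << 127) | (1 << 124) | (1 << 121) | (1 << 114) | 1  # x^-128 mod _POLY
NONCE_SUFFIX = bytes(8)  # assumed constant for the 8 nonce bytes never transmitted

def _gf_mul(a: int, b: int) -> int:
    p = 0
    for i in range(128):                 # carry-less multiply
        if (b >> i) & 1:
            p ^= a << i
    for i in range(255, 127, -1):        # reduce the degree 255..128 terms
        if (p >> i) & 1:
            p ^= _POLY << (i - 128)
    return p

def _polyval(h: bytes, data: bytes) -> bytes:
    """S_j = dot(S_{j-1} xor X_j, H) with dot(a, b) = a*b*x^-128 (RFC 8452 s.3)."""
    h_dot = _gf_mul(int.from_bytes(h, "little"), _X_INV128)  # fold x^-128 into H
    acc = 0
    for i in range(0, len(data), 16):
        acc = _gf_mul(acc ^ int.from_bytes(data[i:i + 16], "little"), h_dot)
    return acc.to_bytes(16, "little")

def _aes(key: bytes, block: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()

def _derive_keys(key: bytes, nonce: bytes):
    # Subkeys are per nonce: AES(key, LE32(i) || nonce)[:8]; i=0,1 -> auth key,
    # i=2,3 (AES-128) or i=2..5 (AES-256) -> encryption key.
    parts = [_aes(key, i.to_bytes(4, "little") + nonce)[:8] for i in range(6 if len(key) == 32 else 4)]
    return b"".join(parts[:2]), b"".join(parts[2:])

def _tag(auth_key, enc_key, nonce, aad, pt):
    pad = lambda b: b + bytes(-len(b) % 16)
    lengths = (8 * len(aad)).to_bytes(8, "little") + (8 * len(pt)).to_bytes(8, "little")
    s = bytearray(_polyval(auth_key, pad(aad) + pad(pt) + lengths))
    for i in range(12):
        s[i] ^= nonce[i]                  # nonce is mixed into the tag input
    s[15] &= 0x7F
    return _aes(enc_key, bytes(s))

def _ctr(enc_key: bytes, tag: bytes, data: bytes) -> bytes:
    ctr = bytearray(tag)
    ctr[15] |= 0x80                       # initial counter block = tag with MSB set
    out = bytearray()
    for i in range(0, len(data), 16):
        out += bytes(x ^ k for x, k in zip(data[i:i + 16], _aes(enc_key, bytes(ctr))))
        ctr[:4] = ((int.from_bytes(ctr[:4], "little") + 1) & 0xFFFFFFFF).to_bytes(4, "little")
    return bytes(out)

def encrypt(key: bytes, nonce: bytes, pt: bytes, aad: bytes = b"") -> bytes:
    if len(nonce) != 12:
        raise ValueError("AES-GCM-SIV nonce must be 12 bytes")
    auth_key, enc_key = _derive_keys(key, nonce)
    tag = _tag(auth_key, enc_key, nonce, aad, pt)   # tag first, then keystream from it
    return _ctr(enc_key, tag, pt) + tag

def decrypt(key: bytes, nonce: bytes, ct: bytes, aad: bytes = b"") -> bytes:
    if len(nonce) != 12 or len(ct) < 16:
        raise ValueError("bad nonce or truncated ciphertext")
    auth_key, enc_key = _derive_keys(key, nonce)
    pt = _ctr(enc_key, ct[-16:], ct[:-16])
    if not hmac.compare_digest(_tag(auth_key, enc_key, nonce, aad, pt), ct[-16:]):
        raise ValueError("authentication failed")
    return pt

def make_nonce(counter: int, suffix: bytes = NONCE_SUFFIX) -> bytes:
    return counter.to_bytes(4, "little") + suffix   # 4 sent bytes + 8 implied bytes

def seal(key: bytes, counter: int, pt: bytes, aad: bytes = b"") -> bytes:
    """Packet = LE32 counter || ciphertext || 16-byte tag; only 4 nonce bytes go on air."""
    return counter.to_bytes(4, "little") + encrypt(key, make_nonce(counter), pt, aad)

def open_packet(key: bytes, packet: bytes, aad: bytes = b"") -> bytes:
    return decrypt(key, make_nonce(int.from_bytes(packet[:4], "little")), packet[4:], aad)

def nonce_reuse_demo(key: bytes) -> dict:
    """Encrypt two messages (constructed sample data) under one (key, nonce)."""
    nonce, p1, p2 = make_nonce(7), b"open the gate 00", b"open the gate 01"
    c1, c2, c1_again = encrypt(key, nonce, p1), encrypt(key, nonce, p2), encrypt(key, nonce, p1)
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    return {
        "identical_messages_collide": c1 == c1_again,              # the one thing SIV leaks
        "keystream_reused": xor(c1[:16], c2[:16]) == xor(p1, p2),  # True for plain GCM, not here
    }
```

Two things the code makes concrete. First, the receiver must rebuild exactly the same 12 bytes, so the 8 untransmitted bytes are a protocol constant, not padding: change `NONCE_SUFFIX` on one side only and `open_packet` raises `ValueError("authentication failed")`, because the nonce is XORed into the tag input and also feeds the per-nonce subkeys. Second, reuse of a (key, nonce) pair with GCM-SIV yields identical ciphertext only when AAD and plaintext are identical (that equality is what leaks); for different plaintexts the tags differ, the counter blocks derived from them differ, and the keystreams are not shared, which is why `keystream_reused` comes out `False` where a plain CTR/GCM reuse would give `c1 ^ c2 == p1 ^ p2`. The 4-byte counter is therefore fine as long as it is monotonic per key and never rolls over, and a repeat costs only message-equality leakage rather than plaintext recovery.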