diff --git a/internal/crypto/crypto.go b/internal/crypto/crypto.go
index 07ea3cc43..01cd82c45 100644
--- a/internal/crypto/crypto.go
+++ b/internal/crypto/crypto.go
@@ -237,9 +237,9 @@ var ErrInvalidCiphertext = errors.New("invalid ciphertext, same slice used for p
 
 // validNonce checks that nonce is not all zero.
 func validNonce(nonce []byte) bool {
-	sum := 0
-	for b := range nonce {
-		sum += b
+	var sum byte
+	for _, b := range nonce {
+		sum |= b
 	}
 	return sum > 0
 }
diff --git a/internal/crypto/crypto_int_test.go b/internal/crypto/crypto_int_test.go
index 9473d1382..769f34d1e 100644
--- a/internal/crypto/crypto_int_test.go
+++ b/internal/crypto/crypto_int_test.go
@@ -163,3 +163,30 @@ func TestCrypto(t *testing.T) {
 		}
 	}
 }
+
+func TestNonceVadlid(t *testing.T) {
+	nonce := make([]byte, ivSize)
+
+	if validNonce(nonce) {
+		t.Error("null nonce detected as valid")
+	}
+
+	for i := 0; i < 100; i++ {
+		nonce = NewRandomNonce()
+		if !validNonce(nonce) {
+			t.Errorf("random nonce not detected as valid: %02x", nonce)
+		}
+	}
+}
+
+func BenchmarkNonceValid(b *testing.B) {
+	nonce := NewRandomNonce()
+
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		if !validNonce(nonce) {
+			b.Fatal("nonce is invalid")
+		}
+	}
+}