@dequbed The honest answer is that I have no idea :)

My rationale was something along the lines of: stay as close as possible to the standard recommended approach, and verify that specific deviations do not break the security model (I do not like rolling my own crypto).

By that reasoning, the closest thing that does what I want is "it still has a nonce, but it can be derived from the content/key". It's very possible that that's functionally indistinguishable from a nonce of zero - I simply don't know whether that is true! And so I did not take that step in my approach (yet).