#Cryptography question: I would like to use libsodium for secret-key encryption, but it requires a nonce, and I need the encryption to be deterministic/convergent (for deduplication).
Is "deriving the nonce from the data by hashing it" a reasonable solution to this problem, or does that have some issue I am not aware of?
@dequbed The honest answer is that I have no idea :)
My rationale was something along the lines of: stay as close as possible to the standard recommended approach, and verify that specific deviations do not break the security model (I do not like rolling my own crypto).
By that reasoning, the closest thing that does what I want is "it still has a nonce, but it can be derived from the content/key". It's very possible that that's functionally indistinguishable from a nonce of zero - I simply don't know whether that is true! And so I did not take that step in my approach (yet).
@dequbed What would a more standard approach be for this use case?
@joepie91 I usually see convergent encryption being implemented by using a KDF on the input data to derive a key and encrypting the input data (plus padding) using that key with a fixed zero IV/nonce. I'd personally default to AES-CBC + HMAC, but that's a tradeoff depending on what exactly you're trying to do.
If you need deterministic but not *convergent* encryption you would seed the KDF with some secret you have.
@joepie91 Mind you, I'm leaving out many important details here for brevity to give an overall direction, if you want to implement this ping me on Matrix or Signal so I can give you a more detailed rundown.
@joepie91 Well, the standard approach is probably not to use libsodium's secret box — it's a very general purpose encryption primitive which means it tries very hard to be e.g. semantically secure which you explicitly do not want.