question: I would like to use libsodium for secret-key encryption, but it requires a nonce, and I need the encryption to be deterministic/convergent (for deduplication).

Is "deriving the nonce from the data by hashing it" a reasonable solution to this problem, or does that have some issue I am not aware of?

@joepie91 it sounds like what you want is github.com/maidsafe/self_encry

I don't think libsodium has an approach that allows for that directly as it is designed to make devs do the safest crypto for specific well-known use cases by forcing certain practices. I have not seen this sort of scheme be widely adopted yet...


@ben That library is not very confidence-inspiring, to be honest - I haven't forgotten about Maidsafe's original sketchy business model (that they now pretend they've never had), and it speaks of an "additional obfuscation step" but then doesn't seem to provide any details about how that works or why it would be more secure than other approaches (or its vulnerability or lack thereof to known attacks against convergent encryption).


@joepie91 I think the white paper is straightforward enough and though there are obvious questions unanswered (like why obfuscate again after encryption at all?), it is the only crypto I've ever seen attempt to have deduplicatable results. In almost all other crypto, the attempt is to always avoid having the same plain yield the same ciphered text for good reasons. But if you want to deduplicate the results, this is the only one I've ever seen attempt to provide that...

@joepie91 the crypto in the white paper is left open, the steps are pretty simple and reasonable enough to follow. It should be easy to reimplement a similar algorithm with more modern crypto (and without the massive dependency tree pulled in). Just not seen anyone trying. Let me know if you find one!

@ben There's quite a bit of history of convergent encryption in P2P software, long predating Maidsafe. Some notable ones include Freenet, GNUnet, and Tahoe-LAFS.

But crucially, there are several known attacks: tahoe-lafs.org/hacktahoelafs/d - and so if an implementation claims that it is "as safe as any other modern encryption algorithm", that is a strong claim that requires supporting rationale (which I do not see here).
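To make the original question and the attack caveat above concrete, here is an added example (not code from this thread, from libsodium or from MaidSafe) of the usual convergent construction using Python's stdlib BLAKE2b, the same hash libsodium exposes as crypto_generichash: the secretbox key is derived from the content, the 24-byte nonce from the content plus that key, and an optional per-tenant secret is mixed in. The actual crypto_secretbox_easy call that would consume the pair is assumed to live outside this block; the sample inputs are constructed.

```python
import hashlib
import hmac
from typing import Optional, Tuple

KEY_BYTES = 32    # crypto_secretbox_KEYBYTES
NONCE_BYTES = 24  # crypto_secretbox_NONCEBYTES


def convergent_params(plaintext: bytes,
                      tenant_secret: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a deterministic (key, nonce) pair for `plaintext`.

    key   = BLAKE2b(plaintext, key=tenant_secret, person="conv-key")
    nonce = BLAKE2b(plaintext, key=key,           person="conv-nonce")

    Because the key is itself content-derived, two encryptions share a
    (key, nonce) pair only when the plaintexts are identical, so the
    nonce-reuse hazard of "fixed secret key + hash(data) nonce" does not
    arise. With tenant_secret=None (pure convergent encryption) anyone who
    can guess the plaintext recomputes the same pair and can confirm a
    stored ciphertext matches it; a per-tenant secret confines both the
    deduplication and that confirmation to holders of the secret.
    """
    key = hashlib.blake2b(plaintext, digest_size=KEY_BYTES,
                          key=tenant_secret or b"", person=b"conv-key").digest()
    nonce = hashlib.blake2b(plaintext, digest_size=NONCE_BYTES,
                            key=key, person=b"conv-nonce").digest()
    return key, nonce


def would_deduplicate(a: bytes, b: bytes,
                      secret_a: Optional[bytes] = None,
                      secret_b: Optional[bytes] = None) -> bool:
    """True when two uploads would yield byte-identical ciphertext."""
    ka, na = convergent_params(a, secret_a)
    kb, nb = convergent_params(b, secret_b)
    return hmac.compare_digest(ka + na, kb + nb)


if __name__ == "__main__":
    doc = b"constructed sample: quarterly report v3"   # constructed input
    # No tenant secret: dedup across users, but also confirmable by a guesser.
    print("global dedup:", would_deduplicate(doc, doc))
    # Distinct tenant secrets: no cross-tenant dedup, no cross-tenant confirmation.
    print("cross-tenant:", would_deduplicate(doc, doc, b"tenant-A", b"tenant-B"))
```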
