#AskFedi: Cryptography question: when implementing an encrypted storage system that also deduplicates (ie. the same plaintext data should result in the same ciphertext), is there any reason why the nonce shouldn't also be deterministically derived from the input data?
(I understand the security tradeoffs introduced by having deduplication, I am only asking about whether specifically a deterministic *nonce* introduces any additional issues beyond that)
@joepie91 Not a cryptographer here. I had a cryptography 101 class in university.
Isn’t the nonce exactly to prevent deduplication? So setting a deterministic value does what you’re intending do accomplish.
However, isn’t deterministic the same as static in this case? If you don’t care about identifying data across systems, you can set the nonce to nil, otherwise static value per deduplication domain.
@jornane The reason I'm asking is mostly because I don't trust myself to have a full understanding of the internal usages of the nonce.
The deterministic output is indeed what I'm trying to accomplish, but it'd suck if in the process of chasing that behaviour, I accidentally broke some other security property 🙃
The 'static nonce' point also does make sense; but I am not sure if that's *exactly* equivalent security-wise to a deterministically content-derived nonce?
