question: I would like to use libsodium for secret-key encryption, but it requires a nonce, and I need the encryption to be deterministic/convergent (for deduplication).

Is "deriving the nonce from the data by hashing it" a reasonable solution to this problem, or does that have some issue I am not aware of?
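The construction being asked about, deriving the nonce from the plaintext, is shown below as an added example that is not part of the original thread. It uses a keyed hash of the plaintext (HMAC under the same secret key) as a synthetic nonce, so the nonce only repeats when the plaintext repeats, which is exactly the deduplication property wanted and the only thing a repeated ciphertext reveals. To run offline it uses a toy SHAKE256 keystream as a stand-in for the real cipher; it is not libsodium and not a secure cipher. The `derive_nonce`, `encrypt_convergent`, `decrypt_convergent` and `encrypt_random_nonce` names are this example's own, not libsodium's. In a real deployment the `nonce` produced here would be passed to something like libsodium's `crypto_secretbox` instead of the toy keystream.

```python
import hashlib
import hmac
import os

NONCE_LEN = 24  # same nonce length as libsodium's secretbox (XSalsa20)


def _toy_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (stand-in for libsodium, NOT secure): XOR with SHAKE256(key || nonce)."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def derive_nonce(key: bytes, plaintext: bytes) -> bytes:
    """Synthetic nonce: a keyed hash of the plaintext (SIV-style).

    Keying the derivation with the secret key means a party that only sees the
    storage cluster cannot compute the nonce for a guessed plaintext on its own;
    an unkeyed hash of the plaintext would let anyone do that.
    """
    return hmac.new(key, plaintext, hashlib.sha256).digest()[:NONCE_LEN]


def encrypt_convergent(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic encryption: identical (key, plaintext) -> identical blob."""
    nonce = derive_nonce(key, plaintext)
    return nonce + _toy_stream_xor(key, nonce, plaintext)


def decrypt_convergent(key: bytes, blob: bytes) -> bytes:
    """Decrypt and verify; recomputing the synthetic nonce doubles as an integrity check."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plaintext = _toy_stream_xor(key, nonce, ciphertext)
    if not hmac.compare_digest(derive_nonce(key, plaintext), nonce):
        raise ValueError("integrity check failed: nonce does not match recovered plaintext")
    return plaintext


def encrypt_random_nonce(key: bytes, plaintext: bytes) -> bytes:
    """The usual (non-deterministic) way: a fresh random nonce stored alongside the data."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _toy_stream_xor(key, nonce, plaintext)


def chunk_id(blob: bytes) -> str:
    """Content address a storage cluster would use to answer 'do I already have this chunk?'."""
    return hashlib.sha256(blob).hexdigest()


def dedup_works(key: bytes, plaintext: bytes) -> bool:
    """True if two independent encryptions of the same chunk get the same storage id."""
    return chunk_id(encrypt_convergent(key, plaintext)) == chunk_id(encrypt_convergent(key, plaintext))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    chunk = b"constructed sample chunk of file data"
    print("convergent dedup:", dedup_works(key, chunk))                          # True
    ids = {chunk_id(encrypt_random_nonce(key, chunk)) for _ in range(3)}
    print("distinct ids with random nonces:", len(ids))                          # 3
    print("round trip ok:", decrypt_convergent(key, encrypt_convergent(key, chunk)) == chunk)
```

Two chunks that differ in even one byte get different nonces and therefore different keystreams, so the nonce-reuse problem that makes random nonces mandatory elsewhere does not arise: under one key the nonce only repeats when the whole plaintext repeats, and then the ciphertext repeating is the intended outcome.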

@joepie91 I'm not an expert on the matter, but most encryption algorithms that include a nonce do require it to prevent leaking of e.g. secret key material (something something playstation signature key or something), so if libsodium requires a nonce for that algorithm it seems likely that the specific algorithm isn't built for your use-case. Different algorithms have different use-cases, don't get discouraged if the one you looked at doesn't seem to fit the bill.


@benaryorg The problem is that just about everything seems to require a nonce nowadays. Which is understandable, given how important it is for typical cases, but convergent encryption is very much an edge case.


@joepie91 What about encrypting each chunk you want to encrypt with a randomly chosen nonce, then storing the nonce with the data? I get that's not always possible of course.

@benaryorg That's not sufficiently deterministic for my case, unfortunately; part of the protocol involves "checking if encrypted/sharded chunks already exist in the storage cluster, before uploading anything", for which the whole process (encoding, encryption, sharding) needs to be fully deterministic with zero 'external' malleable factors.

@benaryorg (Which has been an absolute pain in the design process, but that's a different discussion 🙃)

@joepie91 I see the problem. I could look further into it but I guess you (knowing what you need) are ahead of me on that part so I'll just wish you good luck ^^
