Cryptography question: when implementing an encrypted storage system that also deduplicates (i.e. the same plaintext data should result in the same ciphertext), is there any reason why the nonce shouldn't also be deterministically derived from the input data?

(I understand the security tradeoffs introduced by having deduplication, I am only asking about whether specifically a deterministic *nonce* introduces any additional issues beyond that)

@joepie91 Not a cryptographer here. I had a cryptography 101 class in university.

Isn’t the nonce exactly to prevent deduplication? So setting a deterministic value does what you’re intending to accomplish.

However, isn’t deterministic the same as static in this case? If you don’t care about identifying data across systems, you can set the nonce to nil, otherwise static value per deduplication domain.

@jornane The reason I'm asking is mostly because I don't trust myself to have a full understanding of the internal usages of the nonce.

The deterministic output is indeed what I'm trying to accomplish, but it'd suck if in the process of chasing that behaviour, I accidentally broke some other security property 🙃

The 'static nonce' point also does make sense; but I am not sure if that's *exactly* equivalent security-wise to a deterministically content-derived nonce?

@joepie91 Your main reason not to do this should be that you have no benefit from doing it, while still throwing out all the existing research into your ciphers.

Cryptography isn't secure because someone looked into it and said it's secure, but because hundreds of people looked into it and nobody said it's not secure.

@joepie91 In your case you would have to analyse the "nonce" derivation, because you would still have to make sure that it's unique. I don't know what ciphers we're talking about, but imagine some block cipher with block size 4 and two inputs:

AAAABBBB
AAAACCCC

They are not identical and therefore not duplicates. But the first blocks are, and therefore, if you use the same IV, the first block of the ciphertexts will be the same as well.

@weddige The nonce in this case would be derived through a (cryptographically secure) hashing function of some kind, so different inputs would be encrypted with different nonces, but copies of the same input would use the same nonce.
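
The difference between the static nonce and the content-derived nonce discussed in the posts above, as an added example that is not part of any post in the thread. It assumes a toy keystream cipher built from HMAC-SHA256 standing in for the unspecified cipher, a keyed hash (HMAC) for the nonce derivation, and constructed demo keys; all function names are this example's own.

```python
import hashlib
import hmac

# Constructed demo keys and nonce; a real system would use random secret keys.
ENC_KEY = bytes(range(32))
NONCE_KEY = bytes(range(32, 64))
STATIC_NONCE = bytes(16)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) per block."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR with the keystream is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def encrypt_static(plaintext: bytes) -> bytes:
    """Same nonce for every input: the case the AAAABBBB/AAAACCCC post describes."""
    return xor_crypt(ENC_KEY, STATIC_NONCE, plaintext)

def encrypt_content_nonce(plaintext: bytes) -> tuple[bytes, bytes]:
    """Nonce = keyed hash of the whole plaintext; returns (nonce, ciphertext)."""
    nonce = hmac.new(NONCE_KEY, plaintext, hashlib.sha256).digest()[:16]
    return nonce, xor_crypt(ENC_KEY, nonce, plaintext)

def shared_prefix(a: bytes, b: bytes) -> int:
    """Number of leading bytes two ciphertexts have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

if __name__ == "__main__":
    p1, p2 = b"AAAABBBB", b"AAAACCCC"  # the two inputs from the thread
    print("static nonce, shared prefix:", shared_prefix(encrypt_static(p1), encrypt_static(p2)))
    (n1, c1), (n2, c2) = encrypt_content_nonce(p1), encrypt_content_nonce(p2)
    print("content nonce, nonces equal:", n1 == n2, "shared prefix:", shared_prefix(c1, c2))
    print("duplicate input dedups:", encrypt_content_nonce(p1) == encrypt_content_nonce(p1))
```

With the static nonce the shared plaintext prefix shows up as a shared ciphertext prefix; with the content-derived nonce only exact duplicates produce matching output.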
