#AskFedi: Cryptography question: when implementing an encrypted storage system that also deduplicates (ie. the same plaintext data should result in the same ciphertext), is there any reason why the nonce shouldn't also be deterministically derived from the input data?
(I understand the security tradeoffs introduced by having deduplication, I am only asking about whether specifically a deterministic *nonce* introduces any additional issues beyond that)
@joepie91 your main reason not to do this should be, that you have no benefit from doing it, while still throwing out all the existing research into your ciphers.
Cryptography isn't secure, because someone looked into it and said it's secure, but because hundreds of people looked into it and nobody said it's not secure.
@joepie91 In your case you would have to analyse the "nonce" derivation, because you would still have to make sure, that it's unique. I don't know what ciphers we're talking about, but imagine some block cipher with block size 4 and two inputs:
AAAABBBB
AAAACCCC
They are not identical and therefore no duplicates. But the first blocks are and therefore, if you use the same IV, the first block of the ciphertexts will be the same as well.
@weddige The nonce in this case would be derived through a (cryptographically secure) hashing function of some kind, so different inputs would be encrypted with different nonces, but copies of the same input would use the same nonce.
