dchest
commented
3 years ago Deterministic nonce generation from content (or its cryptographic hash) is indeed safe for XSalsa20 up to a certain large limit of the number of encrypted messages (2^192 nonce space), so your idea is fine in principle. However, since SHA-1 is no longer collision-resistant, it would be possible to produce two different messages with the same nonce, breaking encryption.
I believe that using a predictable, deterministic manner of generating nonces might be weak.
Nonces for Salsa20 or AES-CTR/GCM, as opposed to IVs for AES-CBC, do not need to be unpredictable or random. The only requirement is that they must be different for different messages for the same key.
(PS Yes, it's better to ask such questions on crypto stackexchange :)
chmac
Firstly, thanks for this repo. It has made secure crypto super accessible in javascript.
I'm building git-remote-encrypted, an encrypted git remote helper, for javascript (via isomorphic-git) and as a git helper. I'd like the output of the encryption to be deterministic, so that if 2 users have the same keys, and encrypt the same repo, they will get the same result.
My strategy is to use 1 key and one "salt". To encrypt a git object, I use the object ID (which is an sha1 of its contents), combine that with the salt, and then sha512 the result. Or in other words:
This results in a "unique" nonce per encryption. However, I wonder if this is really secure. I believe that using a predictable, deterministic manner of generating nonces might be weak. I'm unsure as my cryptofu is extremely limited.
If you feel this question would be better asked on the crypto stackexchange, feel free to close without comment and I'll post there instead.