I’m writing an application that needs to deterministically encrypt some data (where two equal ciphertexts will produce two equal plaintexts; this is acceptable and in fact desirable for this application), and I’d like to stay as far away from low-level crypto stuff as possible, as such I’d like to use
nacl‘s SecretBox. The docs are very clear that the
nonce parameter should never be reused.
Intuitively it makes sense to me that if I do reuse a nonce, but only ever for a given key/plaintext pair, then no information is revealed (other than that the plaintexts are equal, which in this case is desirable), since the attacker already has that exact information on hand. And at 24 bytes, it’s considered safe to use random nonces.
So, I’d like to generate my nonce by taking an HMAC of the plaintext using the SecretBox key. My understanding is that an HMAC doesn’t reveal any information about the plaintext or the key, and produces cryptographically-secure random output, and thus could be safely stored in plaintext for later use unsealing the SecretBox.
git-crypt (which has a fairly similar use case to my application) does something similar, but using AES in CTR mode, which leads me to believe this approach is likely sound, and that if I’m mistaken, it’s due to SecretBox particularities and not the overall concept.
This seems straightforward to me, but I know cryptography can be anything but intuitive, so I’d like to check my understanding. Am I correct in assuming I’m safe generating my SecretBox nonces from an HMAC of the plaintext using the SecretBox key?