by karanlyons 2327 days ago
There are also SIV constructions if you’re the more cautious type, which isn’t a bad type to be in cryptography.

Don’t use SIV unless you know what you are doing. SIV is a deterministic encryption scheme, which invariably leaks information.
A naïve hash of the data you’re encrypting stuffed into the nonce leaks whether two plaintexts are the same (or…collided). A hash of the key and plaintext leaks whether the two plaintexts are the same under the same key. Using a proper keyed MAC prevents any rainbow table style attack in either case.

Generally speaking leaking that two plaintexts are the same is better than leaking two plaintexts XORed together. If you’re in a use case where that’s liable to happen (i.e., you don’t rekey “frequently”) I’d happily take the former leaked bit over the latter leaked messages.

There are also a handful of existing constructions you can just take off the shelf rather than rolling your own thing and getting it wrong.

AES-GCM-SIV takes a nonce; if you reuse a nonce with two identical plaintexts, you reveal that the plaintexts were identical, but not much more.

With AES-GCM, if you reuse a nonce with two different plaintexts, you reveal the XOR of the two plaintexts!
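The two failure modes compared in this thread, as an added example that is not part of the original comments. It models a GCM-shaped scheme (keystream derived from key and nonce only) and an SIV-shaped scheme (IV derived from a keyed MAC over nonce and plaintext, then used as the CTR IV) with HMAC-SHA256 as a stand-in PRF. It is not AES-GCM or AES-GCM-SIV and omits GCM's tag, so it demonstrates the structural argument, not the real ciphers; the keys, nonce and plaintexts are constructed for the demonstration. It also shows the point about an unkeyed plaintext hash as a nonce: anyone can recompute it and confirm a guessed plaintext offline.

```python
import hashlib
import hmac


def prf(key: bytes, msg: bytes) -> bytes:
    """Keyed PRF standing in for a block cipher (HMAC-SHA256, not AES)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-mode keystream: PRF(key, iv || counter) for as many blocks as needed."""
    out, ctr = b"", 0
    while len(out) < length:
        out += prf(key, iv + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """GCM-shaped encryption: the keystream is a function of (key, nonce) only."""
    return xor(pt, keystream(key, nonce, len(pt)))


def siv_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """SIV-shaped encryption: IV = MAC(key, nonce || pt), then CTR under that IV.
    Output is iv || body; the IV doubles as the authentication tag."""
    mac_key, enc_key = prf(key, b"mac"), prf(key, b"enc")
    iv = prf(mac_key, nonce + pt)[:16]
    return iv + xor(pt, keystream(enc_key, iv, len(pt)))


def siv_decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Decrypt, then recompute the IV over the recovered plaintext to authenticate."""
    mac_key, enc_key = prf(key, b"mac"), prf(key, b"enc")
    iv, body = ct[:16], ct[16:]
    pt = xor(body, keystream(enc_key, iv, len(body)))
    if not hmac.compare_digest(iv, prf(mac_key, nonce + pt)[:16]):
        raise ValueError("authentication failed")
    return pt


def siv_rejects_tamper(key: bytes, nonce: bytes, ct: bytes) -> bool:
    """True if flipping one bit of the body is caught by siv_decrypt."""
    tampered = ct[:16] + bytes([ct[16] ^ 0x01]) + ct[17:]
    try:
        siv_decrypt(key, nonce, tampered)
    except ValueError:
        return True
    return False


def gcm_style_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Nonce reuse with a CTR/GCM-shaped scheme: c1 ^ c2 == p1 ^ p2 (same-length inputs)."""
    return xor(ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2))


def recover_with_crib(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """An attacker who knows p1 (a crib) recovers p2 outright from the two ciphertexts."""
    return xor(gcm_style_leak(key, nonce, p1, p2), p1)


def siv_reveals_equality(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Nonce reuse with SIV: identical plaintexts give identical ciphertexts, nothing more."""
    return siv_encrypt(key, nonce, p1) == siv_encrypt(key, nonce, p2)


def siv_xor_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Different plaintexts get different IVs, hence different keystreams, so the XOR
    of the two ciphertext bodies does not equal p1 ^ p2."""
    c1, c2 = siv_encrypt(key, nonce, p1), siv_encrypt(key, nonce, p2)
    return xor(c1[16:], c2[16:]) == xor(p1, p2)


def naive_hash_nonce(pt: bytes) -> bytes:
    """Unkeyed nonce derived from the plaintext: the pattern the thread warns against."""
    return hashlib.sha256(pt).digest()[:16]


def attacker_confirms_guess(nonce: bytes, guess: bytes) -> bool:
    """No key needed: anyone can recompute an unkeyed hash and test a guessed plaintext."""
    return nonce == naive_hash_nonce(guess)


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12            # constructed, reused deliberately
    p1, p2 = b"attack at dawn", b"attack at dusk"
    print("GCM-style crib recovery:", recover_with_crib(key, nonce, p1, p2))
    print("SIV reveals equality:", siv_reveals_equality(key, nonce, p1, p1))
    print("SIV leaks XOR:", siv_xor_leaks(key, nonce, p1, p2))
    print("Unkeyed hash nonce confirms guess:", attacker_confirms_guess(naive_hash_nonce(p1), p1))
```

The SIV IV still reveals that the same (key, nonce, plaintext) triple was encrypted twice, which is the "one leaked bit" the comment accepts; the unkeyed-hash nonce is worse because the check works across all keys and can be precomputed for likely plaintexts.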