Many protocols define how the nonce must be computed. And the nonce is not sent explicitly; the different parties compute it themselves, the same way they agree on a shared secret. When a ciphertext is received, the recipient knows what the nonce is expected to be, instead of having to trust an arbitrary one. In the context of a stream of messages, it binds the nonce to a position in the stream, allowing detection of frames that have been replayed, reordered or lost. But when the intent is to send independent messages, the nonce should be included with the ciphertext. For constructions with a short nonce size, the ability to choose the nonce is also very useful to improve the security bounds, by using a key derivation function to derive a new key and nonce from a larger nonce. By the way, for streams, libsodium has the `crypto_stream_*()` functions that greatly simplify the implementation of protocols and file encryption.
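The two ideas above, implicit nonces derived from a stream position and nonce extension through a KDF, as an added example that is not part of the original comment. The AEAD is a stand-in built from HMAC-SHA256 so it runs on the Python standard library alone; the prefix, counter layout and derivation labels are assumptions, not any protocol's specification.

```python
import hmac, hashlib, struct
# Added example, not code from the original comment. The AEAD below is a
# stand-in (HMAC-SHA256 keystream + encrypt-then-MAC); real code would use
# a libsodium AEAD in its place.

def kdf(key: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand style: T(i) = HMAC-SHA256(key, T(i-1) || info || i)."""
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + prev, i + 1
    return out[:length]

def extend_nonce(key: bytes, long_nonce: bytes) -> tuple:
    """Nonce extension: a 24-byte nonce becomes a fresh 32-byte subkey plus a
    12-byte short nonce, so the short-nonce cipher never repeats a pair."""
    okm = kdf(key, b"nonce-extension" + long_nonce, 32 + 12)
    return okm[:32], okm[32:]

def seal(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    stream = kdf(kdf(key, b"enc", 32), nonce, len(msg))  # keystream bound to nonce
    ct = bytes(a ^ b for a, b in zip(msg, stream))
    tag = hmac.new(kdf(key, b"mac", 32), nonce + ct, hashlib.sha256).digest()[:16]
    return ct + tag

def open_(key: bytes, nonce: bytes, sealed: bytes):
    ct, tag = sealed[:-16], sealed[-16:]  # returns None unless the tag verifies
    expect = hmac.new(kdf(key, b"mac", 32), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    stream = kdf(kdf(key, b"enc", 32), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class Stream:
    """Implicit nonces: both ends compute nonce = 4-byte prefix || 8-byte counter
    and never send it, so a replayed, reordered or dropped frame fails the tag."""
    def __init__(self, key: bytes, prefix: bytes):
        self.key, self.prefix, self.seq = key, prefix, 0
    def _nonce(self) -> bytes:
        return self.prefix + struct.pack(">Q", self.seq)
    def push(self, msg: bytes) -> bytes:
        frame = seal(self.key, self._nonce(), msg)
        self.seq += 1
        return frame
    def pull(self, frame: bytes) -> bytes:
        msg = open_(self.key, self._nonce(), frame)
        if msg is None:
            raise ValueError("frame rejected: replayed, reordered, lost or tampered")
        self.seq += 1
        return msg
```

A rejected frame leaves the receiver's counter unchanged, so a stray duplicate does not desynchronise an otherwise healthy stream.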