2024-07-12 18:26:10

mleku on Nostr:

It isn't AES-256 encryption without a minimum 12-byte nonce for GCM and 16 bytes for everything else. This is hashed together with the shared secret to seed the AES CSPRNG algorithm for the byte stream. The only differences between the schemes relate to their chunking and stream properties: some are like sponges, others are block based; there is feedback and counter mode.

You simply do not do encryption without per-message nonces, or you expose yourself to easy plaintext attacks, and IMO the best MAC for Nostr would literally just be a BIP-340 signature on the encrypted message, appended to the end. In fact you almost don't need to add it, because the whole message has been signed and can't be modified without breaking the signature (malleability is not possible with Schnorr sigs anyway), so I'm of the opinion that in fact you don't need a MAC, because the event itself is a MAC, and it not only protects the encrypted message but any additional tags which might carry things like versions; it includes the sender pubkey and the recipient pubkey tag.

I went through all the options and I chose AES CTR in my work on Indra, and it can be even further simplified here because you can have a 32-byte nonce and the ECDH key, cat and hash to derive the message block by block using a counter, which also opens up the possibility of letting you selectively decrypt messages for the use of ephemeral messages and gossip broadcast. And I think that, being that it's not a high volume of data, you could use SHA256 as the generator function instead of AES or ChaCha20.

The bigger problem with Nostr DMs is how indiscriminately they are sent out and allowed to be retrieved by anyone; this is the thing that makes me the saddest.
Author Public Key
npub1fjqqy4a93z5zsjwsfxqhc2764kvykfdyttvldkkkdera8dr78vhsmmleku