pub fn encrypt_chk(
plaintext: &[u8],
) -> Result<(Vec<u8>, EncryptionKey), CryptoError>Expand description
CHK encrypt: derive key from content, encrypt with zero nonce
Returns: (ciphertext with auth tag, content_hash as decryption key)
Zero nonce is safe because CHK guarantees: same key = same content. We never encrypt different content with the same key.
The content_hash is both:
- The decryption key (store securely, share with authorized users)
- Enables dedup: same content → same ciphertext