I am developing an application in which all application state is entirely public. Each user of the application is equipped with their own ed25519 keypair, and the application can only ask users for signatures of arbitrary data.
I would like to store some private data for each user in the public application state. The private data for any given user should only be able to be decrypted by that specific user.
I believe the typical approach would be for the users to encrypt their own private data using their keypair and then the application would store that in the public application state. However, the application can only ask the users to sign data with their keypairs, not encrypt it.
Because of this, I was thinking of having the application ask the users to sign some message like
I am signing this message for <application> using <nonce>, where <nonce> is a nonce that is stored publicly. This signature is then used as the random entropy to derive a new keypair, which can then be used to encrypt the private data.
Is this mechanism sound? Thank you in advance!
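The derivation described in the question, written out as an added Go example (not the asker's code): the user signs the fixed message with Ed25519, the signature is run through HKDF-SHA256 to seed an X25519 keypair, data is encrypted to the derived public key, and a "later session" signs the same message again to show that the same keypair comes back. The exact message format, the HKDF labels, the X25519 plus AES-256-GCM encryption scheme, and the nonce value are assumptions made for this example, since the question does not fix them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// derivationMessage is the fixed text the user signs (format assumed here); app and nonce are public.
func derivationMessage(app string, nonce []byte) []byte {
	return []byte(fmt.Sprintf("I am signing this message for %s using %x", app, nonce))
}

// SignDerivationMessage runs on the user's side. RFC 8032 signing is deterministic: same key and
// message always give the same 64-byte signature, and that signature (not the nonce) is the secret.
func SignDerivationMessage(userKey ed25519.PrivateKey, app string, nonce []byte) []byte {
	return ed25519.Sign(userKey, derivationMessage(app, nonce))
}

// hkdf32 is HKDF-SHA256 (RFC 5869) limited to a single 32-byte output block.
func hkdf32(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append(append([]byte{}, info...), 0x01))
	return expand.Sum(nil)
}

// DeriveEncryptionKey turns the signature into an X25519 keypair. Anyone who can produce, or has seen,
// the signature can recompute the private half. The message goes into HKDF info so a signature the
// user gave over some other text cannot be repurposed as this seed. Labels are assumed here.
func DeriveEncryptionKey(sig []byte, app string, nonce []byte) (*ecdh.PrivateKey, error) {
	if len(sig) != ed25519.SignatureSize {
		return nil, fmt.Errorf("signature must be %d bytes", ed25519.SignatureSize)
	}
	seed := hkdf32(sig, []byte("app-private-state/x25519/v1"), derivationMessage(app, nonce))
	return ecdh.X25519().NewPrivateKey(seed)
}

// aeadFor runs the X25519 agreement and derives an AES-256-GCM key bound to both public keys.
func aeadFor(priv *ecdh.PrivateKey, remote *ecdh.PublicKey, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(remote)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(hkdf32(shared, []byte("app-private-state/aesgcm/v1"), append(append([]byte{}, ephPub...), recipientPub...)))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptTo encrypts to a derived public key; stored blob is ephemeralPub(32) || gcmNonce(12) || ciphertext+tag.
func EncryptTo(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(eph, recipient, eph.PublicKey().Bytes(), recipient.Bytes())
	if err != nil {
		return nil, err
	}
	gcmNonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(gcmNonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, eph.PublicKey().Bytes()...), gcmNonce...)
	return aead.Seal(out, gcmNonce, plaintext, nil), nil
}

// Decrypt reverses EncryptTo with the re-derived private key.
func Decrypt(priv *ecdh.PrivateKey, box []byte) ([]byte, error) {
	if len(box) < 44 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(box[:32])
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(priv, ephPub, box[:32], priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, box[32:44], box[44:], nil)
}

func main() {
	_, userKey, _ := ed25519.GenerateKey(rand.Reader)
	nonce := []byte("constructed-public-nonce") // constructed value; public, lives in the app state
	k1, _ := DeriveEncryptionKey(SignDerivationMessage(userKey, "example-app", nonce), "example-app", nonce)
	box, _ := EncryptTo(k1.PublicKey(), []byte("private note"))
	k2, _ := DeriveEncryptionKey(SignDerivationMessage(userKey, "example-app", nonce), "example-app", nonce) // later session
	pt, err := Decrypt(k2, box)
	fmt.Printf("%q %v\n", pt, err)
}
```

Two things the example makes explicit. The reproducibility rests entirely on Ed25519's deterministic signing (RFC 8032): a signer that adds randomness to signatures would hand back a different seed each time and the stored data would become undecryptable. And the signature, not the nonce, is the secret: the nonce can sit in public state, but whoever obtains the signature over this message can derive the private key, including the application itself if it receives the signature it requested, so the signing and derivation have to happen on the user's side and the signature must never be stored or transmitted.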