[145038] in cryptography@c2.net mail archive

Re: Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

daemon@ATHENA.MIT.EDU (David-Sarah Hopwood)
Sun Nov 8 13:06:36 2009

Date: Sat, 07 Nov 2009 03:48:07 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
To: cryptography@metzdowd.com
In-Reply-To: <20091103193608.GF1105@Sun.COM>

Nicolas Williams wrote:
> On Tue, Nov 03, 2009 at 07:28:15PM +0000, Darren J Moffat wrote:
>> Nicolas Williams wrote:
>>> Interesting.  If ZFS could make sure no blocks exist in a pool from more
>>> than 2^64-1 transactions ago[*], then the txg + a 32-bit per-transaction
>>> block write counter would suffice.  That way Darren would have to store
>>> just 32 bits of the IV.  That way he'd have 352 bits to work with, and
>>> then it'd be possible to have a 128-bit authentication tag and a 224-bit
>>> hash.
>>
>> The logical txg (post dedup integration we have physical and logical
>> transaction ids) + a 32 bit counter is interesting.   It was actually my
>> very first design for IV's several years ago!
[...]
>> I suspect that sometime in the next 584,542 years the block pointer size
>> for ZFS will increase and I'll have more space to store a bigger MAC,
>> hash and IV.  In fact I guess that will happen even in the next 50 years.
>
> Heh.  txg + 32-bit counter == 96-bit IVs sounds like the way to go.

I'm confused. How does this allow you to do block-level deduplication,
given that the IV (and hence the ciphertext) will be different for every
block even when the plaintext is the same?

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
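
The point of the question above, shown as an added example (this is not code from the thread, from ZFS, or from any of the posters): the 96-bit IV is packed as a 64-bit txg plus a 32-bit per-txg write counter, so the same plaintext record written three times yields three different ciphertexts, and a dedup table keyed on what is actually stored on disk sees three distinct blocks. For contrast, the block also tries an IV derived from the plaintext, which is not something the thread proposes. The cipher is a toy CTR mode built from HMAC-SHA256 so the example runs on the standard library alone; it stands in for a real AEAD and shares the property that matters here, that the ciphertext depends on the IV. The keys, the 4 KiB record and the write log are constructed sample data.

```python
# Added example for the dedup question in the thread; not code from ZFS.
import hashlib
import hmac
import struct

IV_BYTES = 12    # 64-bit txg + 32-bit per-txg write counter = 96-bit IV
TAG_BYTES = 16   # 128-bit authentication tag, as in the quoted proposal

# Constructed sample keys; a real pool would derive these from the dataset key.
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
IV_KEY = b"\x33" * 32


def make_iv(txg: int, counter: int) -> bytes:
    """Pack the txg + 32-bit counter IV from the thread (big-endian)."""
    if not (0 <= txg < 2**64 and 0 <= counter < 2**32):
        raise ValueError("txg must fit in 64 bits and counter in 32 bits")
    return struct.pack(">QI", txg, counter)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: HMAC-SHA256(key, iv || block index).
    Stands in for AES-CTR so the example needs only the standard library;
    like any CTR mode, its output is fixed entirely by (key, iv)."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_block(iv: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC one record; the tag covers the IV and the ciphertext."""
    ks = keystream(ENC_KEY, iv, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()[:TAG_BYTES]
    return ct, tag


def decrypt_block(iv: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    expect = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(ENC_KEY, iv, len(ct))))


def txg_counter_iv(txg: int, counter: int, plaintext: bytes) -> bytes:
    """The IV scheme from the thread: fresh for every write."""
    return make_iv(txg, counter)


def content_iv(txg: int, counter: int, plaintext: bytes) -> bytes:
    """Contrast only (not proposed in the thread): an IV derived from the
    plaintext, so identical records encrypt identically.  The price is that
    equal ciphertexts now reveal equal plaintexts, which is exactly the
    equality a dedup table has to be able to see."""
    return hmac.new(IV_KEY, plaintext, hashlib.sha256).digest()[:IV_BYTES]


def dedup_table_size(writes, iv_for) -> int:
    """Number of distinct on-disk blocks a dedup table keyed on the hash of
    what is actually stored (the ciphertext) would hold for these writes."""
    seen = set()
    for txg, counter, plaintext in writes:
        ct, _tag = encrypt_block(iv_for(txg, counter, plaintext), plaintext)
        seen.add(hashlib.sha256(ct).digest())
    return len(seen)


# Constructed sample: the same 4 KiB record written three times, twice in
# txg 1000 and once in txg 1001.
SAME_BLOCK = bytes(range(256)) * 16
WRITES = [(1000, 0, SAME_BLOCK), (1000, 1, SAME_BLOCK), (1001, 0, SAME_BLOCK)]

if __name__ == "__main__":
    print("txg+counter IV:", dedup_table_size(WRITES, txg_counter_iv), "blocks")  # 3
    print("content IV:    ", dedup_table_size(WRITES, content_iv), "blocks")      # 1
```

With the txg + counter IV the table holds three entries for one record, which is what the question is getting at; a dedup table keyed on a plaintext hash would instead have to store that hash alongside the MAC and the IV in the block pointer, which is the space budget the quoted messages are arguing over.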

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com