[p2p-hackers] convergent encryption reconsidered

Victor Duchovni Victor.Duchovni at morganstanley.com
Sun Mar 30 23:07:58 EDT 2008


On Sun, Mar 30, 2008 at 05:13:07PM -0400, Ivan Krstić wrote:

> That's a brute force search. If your convergence key, instead of being  
> a simple file hash, is obtained through a deterministic but  
> computationally expensive function such as PBKDF2 (or the OpenBSD  
> bcrypt, etc), then step 3 makes an exhaustive search prohibitive in  
> most cases while not interfering with normal filesystem operation.  
> What am I missing?

PBKDF2 is excellent for turning interactively typed pass-phrases into
keys. It is not entirely clear that it is a good fit for a filesystem.
Updating any single file is now a computationally intensive process; the
performance impact may be unacceptable. With PBKDF2 and the iteration
count set to the (for now) popular "1000", a 64K byte file will now trigger
~2 million sha1 compression function computations (if I remember the
sha1 block size correctly as 512 bits or 64 bytes).

A crude cost estimate on typical hardware (openssl speed):

    Doing sha1 for 3s on 8192 size blocks: 57316 sha1's in 3.00s

Extrapolating from this, on 64K sized files, we get ~1200 HMAC operations
per second. If we iterate that 1000 times, 1.2 key derivations per
second. The throughput to disk is CPU bound at ~64KB/s, which is rather
poor.

-- 
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
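The cost arithmetic in the post above, carried through as a small Python model; this is an added example, not code from either poster. It derives a convergent key both ways (plain hash of the content, and the proposed deterministic-but-slow PBKDF2 over the content with a fixed constant salt, which is an assumption of the example) and then reproduces the extrapolation from the quoted `openssl speed` line. The model parameter `passes_per_hmac=2` encodes the post's charging of roughly two SHA-1 passes over the file per HMAC; the salt string and the function names are the example's own.

```python
"""Cost model for a slow KDF as a convergent-encryption key (added example).

Inputs taken from the post: a 64 KiB file, PBKDF2-HMAC-SHA1 with 1000
iterations, and the 'openssl speed' figure of 57316 SHA-1 operations on
8192-byte blocks in 3.00 s.  Everything else here is constructed.
"""
import hashlib
import math
import time

SHA1_BLOCK = 64            # SHA-1 compression-function input size, bytes
OPENSSL_BLOCK = 8192       # block size used in the quoted 'openssl speed' run
OPENSSL_COUNT = 57316      # SHA-1 operations completed in that run
OPENSSL_SECS = 3.0         # duration of that run

# Fixed salt so that identical content still converges to an identical key
# (assumption of this example; any constant would do).
CONVERGENT_SALT = b"convergent-kdf-v1"


def plain_convergent_key(data: bytes) -> bytes:
    """Classic convergent key: a plain hash of the content, one pass."""
    return hashlib.sha256(data).digest()


def slow_convergent_key(data: bytes, iterations: int = 1000) -> bytes:
    """The proposal under discussion: a deterministic but expensive function of
    the content.  The content is fed to PBKDF2 as the 'password'."""
    return hashlib.pbkdf2_hmac("sha1", data, CONVERGENT_SALT, iterations, 32)


def sha1_compressions(file_len: int, iterations: int, passes_per_hmac: int = 2) -> int:
    """Compression-function calls when every iteration reprocesses the whole
    file, charging `passes_per_hmac` passes per HMAC (the post's model)."""
    data_blocks = math.ceil(file_len / SHA1_BLOCK)
    return iterations * passes_per_hmac * data_blocks


def throughput_estimate(file_len: int = 64 * 1024, iterations: int = 1000,
                        passes_per_hmac: int = 2) -> dict:
    """Extrapolate the 'openssl speed' figure to per-file KDF cost."""
    bytes_per_sec = OPENSSL_COUNT * OPENSSL_BLOCK / OPENSSL_SECS
    hashes_per_sec = bytes_per_sec / file_len          # full-file SHA-1s per second
    hmac_per_sec = hashes_per_sec / passes_per_hmac    # ~1200 in the post
    kdf_per_sec = hmac_per_sec / iterations            # ~1.2 in the post
    return {
        "compressions": sha1_compressions(file_len, iterations, passes_per_hmac),
        "hmac_per_sec": hmac_per_sec,
        "kdf_per_sec": kdf_per_sec,
        "throughput_bytes_per_sec": kdf_per_sec * file_len,  # CPU-bound write rate
    }


if __name__ == "__main__":
    est = throughput_estimate()
    print(f"model: {est['compressions']:,} SHA-1 compressions per 64 KiB file")
    print(f"model: {est['hmac_per_sec']:.0f} HMAC/s, {est['kdf_per_sec']:.2f} KDF/s, "
          f"{est['throughput_bytes_per_sec'] / 1024:.0f} KiB/s to disk")

    # Constructed sample content: two identical files and one that differs.
    blob = bytes(range(256)) * 256            # exactly 64 KiB
    other = blob[:-1] + b"\x00"
    assert slow_convergent_key(blob) == slow_convergent_key(blob)   # converges
    assert slow_convergent_key(blob) != slow_convergent_key(other)  # content-bound
    t0 = time.perf_counter()
    slow_convergent_key(blob)
    print(f"measured: one PBKDF2(1000) over 64 KiB took {time.perf_counter() - t0:.3f} s")
```

The measured figure is printed for comparison only: `hashlib.pbkdf2_hmac` is OpenSSL-backed, and OpenSSL initialises the HMAC with the (file-sized) password once and copies that context for each iteration, so wall-clock time may land well under the model's 1000 full passes over the file. The model is still the right tool for reasoning about an implementation that rehashes the content each iteration, which is the case the post argues against.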
