Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

Alexander Klimov alserkli at
Mon Nov 2 02:45:14 EST 2009

On Fri, 30 Oct 2009, Darren J Moffat wrote:
> The SHA256 checksums are used even for blocks in the pool that aren't
> encrypted and are used for detecting and repairing (resilvering) block
> corruption.  Each filesystem in the pool has its own wrapping key and
> data encryption keys.
> Due to some unchangeable constraints I have only 384 bits of space to
> fit in all of: IV, MAC (CCM or GCM Auth Tag), and the SHA256 checksum,
> which best case would need about 480 bits.
> Currently I have Option 1 below but the truncation of SHA256 down to
> 128 bits makes me question if this is safe.  Remember the SHA256 is of
> the ciphertext and is used for resilvering.

If you use the hash only to protect against non-malicious corruption,
then why do you use SHA-2? Would MD5 or even a CRC not be enough?
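A constructed illustration of the layout discussed in the quoted message (added here; not ZFS code or either author's): pack a 96-bit IV, a 128-bit tag and a 128-bit truncated SHA-256 of the ciphertext into the 384-bit field, and separate the keyless check a scrub or resilver can do from the keyed tag check. The IV and tag widths and the HMAC stand-in for the CCM/GCM tag are assumptions.

```python
# Added example, not ZFS code: lay out the 384-bit per-block field from the
# quoted message (IV + AEAD tag + truncated SHA-256 of the ciphertext).
# Assumed layout: 96-bit IV, 128-bit tag, hash truncated to its leftmost
# 128 bits (352 bits total; the untruncated layout is 480 bits, as in the
# message). The tag is an HMAC stand-in: the stdlib has no CCM/GCM.
import hashlib
import hmac

IV_BYTES, TAG_BYTES, CKSUM_BYTES, FIELD_BYTES = 12, 16, 16, 48  # assumed


def bits_needed(cksum_bytes: int) -> int:
    """Total bits for IV + tag + checksum at a given checksum width."""
    return 8 * (IV_BYTES + TAG_BYTES + cksum_bytes)


def truncated_sha256(ciphertext: bytes) -> bytes:
    """Leftmost CKSUM_BYTES of SHA-256(ciphertext); needs no key."""
    return hashlib.sha256(ciphertext).digest()[:CKSUM_BYTES]


def auth_tag(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Keyed tag over IV||ciphertext (HMAC stand-in for a CCM/GCM tag)."""
    return hmac.new(key, iv + ciphertext, "sha256").digest()[:TAG_BYTES]


def pack_field(iv: bytes, tag: bytes, cksum: bytes) -> bytes:
    """IV | tag | checksum, zero-padded to the 384-bit field."""
    assert (len(iv), len(tag), len(cksum)) == (IV_BYTES, TAG_BYTES, CKSUM_BYTES)
    return (iv + tag + cksum).ljust(FIELD_BYTES, b"\0")


def unpack_field(field: bytes) -> tuple:
    iv = field[:IV_BYTES]
    tag = field[IV_BYTES:IV_BYTES + TAG_BYTES]
    cksum = field[IV_BYTES + TAG_BYTES:IV_BYTES + TAG_BYTES + CKSUM_BYTES]
    return iv, tag, cksum


def scrub_ok(field: bytes, ciphertext: bytes) -> bool:
    """What a scrub/resilver can verify with no key: the ciphertext hash."""
    return hmac.compare_digest(unpack_field(field)[2], truncated_sha256(ciphertext))


def mac_ok(key: bytes, field: bytes, ciphertext: bytes) -> bool:
    """What only a key holder can verify: the authentication tag."""
    iv, tag, _ = unpack_field(field)
    return hmac.compare_digest(tag, auth_tag(key, iv, ciphertext))
```

Flipping one bit of the ciphertext makes scrub_ok return False with no key involved, which is the resilvering case; mac_ok fails too, but only a key holder can run it.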

