Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

David-Sarah Hopwood david-sarah at
Tue Nov 3 23:38:05 EST 2009

David-Sarah Hopwood wrote:
> Straw-man suggestion:
>   mac = MAC[dataset_mac_key](plaintext)
>   iv = Hash1(mac)
>   ciphertext = Encrypt[dataset_enc_key](iv, plaintext)
>   Store (mac, Hash2(ciphertext)) in the block pointer.
>   Use Hash2(ciphertext) as a dedupe tag.

Actually, there's nothing to prevent using both mac and Hash2(ciphertext)
as a dedupe tag in this scheme. It probably isn't necessary, but can't hurt,
and might help if weaknesses were found in SHA-256.

David-Sarah Hopwood  ⚥
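
Added example, not part of the original post: a sketch of the straw-man scheme showing that identical plaintext under the same dataset keys produces the same IV, ciphertext and dedupe tag, and that the tag can optionally include the MAC as well. HMAC-SHA256 as the MAC, the SHA-256-based Hash1 and Hash2, the HMAC counter-mode keystream standing in for Encrypt, the read-path checks and all function names are assumptions.

```python
import hashlib
import hmac

def hash1(mac: bytes) -> bytes:
    # Assumption: Hash1 = SHA-256 with a domain prefix, truncated to a 16-byte IV.
    return hashlib.sha256(b"iv" + mac).digest()[:16]

def hash2(ciphertext: bytes) -> bytes:
    # Assumption: Hash2 = SHA-256 over the ciphertext.
    return hashlib.sha256(ciphertext).digest()

def _keystream_xor(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in for Encrypt[dataset_enc_key](iv, .): HMAC-SHA256 in counter mode.
    # Illustrative only; a real implementation would use a vetted cipher mode.
    out = bytearray()
    for off in range(0, len(data), 32):
        ctr = (off // 32).to_bytes(8, "big")
        pad = hmac.new(enc_key, iv + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def write_block(mac_key: bytes, enc_key: bytes, plaintext: bytes):
    mac = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    ciphertext = _keystream_xor(enc_key, hash1(mac), plaintext)
    block_pointer = (mac, hash2(ciphertext))  # what the block pointer stores
    return block_pointer, ciphertext

def read_block(mac_key: bytes, enc_key: bytes, block_pointer, ciphertext: bytes):
    # Assumed read path: check the ciphertext hash, decrypt, then check the MAC.
    mac, ct_hash = block_pointer
    if not hmac.compare_digest(hash2(ciphertext), ct_hash):
        raise ValueError("ciphertext hash mismatch")
    plaintext = _keystream_xor(enc_key, hash1(mac), ciphertext)
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("MAC mismatch")
    return plaintext

def dedupe_tag(block_pointer, use_mac: bool = False) -> bytes:
    # Tag is Hash2(ciphertext); the follow-up allows including mac as well.
    mac, ct_hash = block_pointer
    return mac + ct_hash if use_mac else ct_hash
```

Because the IV is derived from the MAC of the plaintext, equal blocks within one dataset deduplicate, while blocks written under different dataset keys get unrelated tags.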
