Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto
Zooko Wilcox-O'Hearn
zooko at zooko.com
Wed Nov 4 00:18:30 EST 2009
[Folks, I don't seem to be getting messages from zfs-crypto-discuss
so I am reading the web archives of zfs-crypto-discuss and replying.]
in http://mail.opensolaris.org/pipermail/zfs-crypto-discuss/2009-
November/002951.html Darren Moffat wrote:
> SHA256 truncated to 192 bits.
You know, I've thought about this sort of thing quite a lot for Tahoe-
LAFS and there's a very good reason not to truncate SHA-256 at all.
That reason is: now you've got to do your own cryptanalysis work.
Suppose open cryptographers publish better and better attacks on
SHA-256 in the future. As the attacks get better and better, we'll
have to decide how urgent it is to upgrade from SHA-256 to (hopefully
by that time) SHA-3. If you're using a truncation of SHA-256 then
you might need to jump sooner than other people, and you won't know
whether or not this is the case unless you study the attacks yourself!
It is possible that a cryptographer will publish an attack on SHA-256
which is evaluated as "not a realistic threat", but which *is* a
realistic threat on SHA-256-trunc-192. None of the open
cryptographers will be checking or publicly mentioning whether
SHA-256-trunc-192 is vulnerable because SHA-256-trunc-192 isn't on
their radar.
> I have to store the IV because of other features coming in the
future. Originally I was calculating the IV based on: object set,
object, blockid and transaction group (unsigned 64bit ints). I still
do calculate the IV based on those but it needs to be stored.
> "Version" of the block doesn't really make sense in ZFS in that
way because ZFS is copy on write. Or maybe you can think of the birth
transaction id as the version because the other things like the
object set, object, level and block id identify the logical
filesystem location.
I don't understand the last sentence there. Does this mean that
you'll never be asked to encrypt more than one plaintext under a
different birth transaction id? If, so then perfect! -- use the
birth transaction id as the IV! What other features coming in the
future would need to know the IV and would not already know the birth
transaction id?
Something that I still don't understand is: why do you have a MAC tag
at all if you already have a SHA-256 hash of the ciphertext? David-
Sarah Hopwood suggested a good reason that you might want one [1],
but is that your reason? Because how big the MAC tag needs to be is
probably determined by why you need it.
Regards,
Zooko Wilcox-O'Hearn
[1] http://www.mail-archive.com/cryptography@metzdowd.com/msg11034.html
---
Your cloud storage provider does not need access to your data.
Tahoe-LAFS -- http://allmydata.org
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list