Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

Darren J Moffat Darren.Moffat at Sun.COM
Fri Oct 30 13:30:03 EDT 2009

For the encryption functionality in the ZFS filesystem we use AES in CCM 
or GCM mode at the block level to provide confidentiality and 
authentication.  There is also a SHA256 checksum per block (of the 
ciphertext) that forms a Merkle tree of all the blocks in the pool. 
Note that I have to store the full IV in the block.   A block here is a 
ZFS block which is any power of two from 512 bytes to 128k (the default).

The SHA256 checksums are used even for blocks in the pool that aren't 
encrypted and are used for detecting and repairing (resilvering) block 
corruption.  Each filesystem in the pool has its own wrapping key and 
data encryption keys.

Due to some unchangeable constraints I have only 384 bits of space to 
fit in all of: IV, MAC (CCM or GCM Auth Tag), and the SHA256 checksum, 
which best case would need about 480 bits.

Currently I have Option 1 below, but the truncation of SHA256 down to 
128 bits makes me question whether this is safe.  Remember the SHA256 is of 
the ciphertext and is used for resilvering.

Option 1
IV		96 bits  (the max CCM allows given the other params)
MAC		128 bits
Checksum	SHA256 truncated to 128 bits

Other options are:

Option 2
IV		96 bits
MAC		128 bits
Checksum	SHA224 truncated to 128 bits

	Basically, if I have to truncate to 128 bits, is it better to do
	it against SHA224 or SHA256?

Option 3
IV		96 bits
MAC		128 bits
Checksum	SHA224 or SHA256 truncated to 160 bits

	Obviously better than 1 and 2, but how much better?
	The reason it isn't used just now is because it is slightly
	harder to lay out given other constraints on where the data lives.

Option 4
IV		96 bits
MAC		32 bits
Checksum	SHA256 at full 256 bits

	I'm pretty sure the size of the MAC is far too small.

Option 5
IV		96 bits
MAC		64 bits
Checksum	SHA224 at full 224 bits

	This feels like the best compromise, but is it?

Option 6
IV		96 bits
MAC		96 bits
Checksum	SHA224 or SHA256 truncated to 192 bits

Darren J Moffat
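Added example, not code from the post or from ZFS: a small Python model of the six layouts above that checks each against the 384-bit budget, derives the truncated checksum over a block with hashlib, and reports the generic work factors that truncating the checksum or shortening the MAC changes. The `Layout` type, the `OPTIONS` table and the 512-byte sample block are constructed here; Options 3 and 6 are modelled with SHA256.

```python
"""Model the per-block layout budget described in the post (added example)."""
import hashlib
from typing import NamedTuple

BUDGET_BITS = 384  # fixed space per block for IV + MAC + checksum, from the post


class Layout(NamedTuple):
    name: str
    iv_bits: int
    mac_bits: int        # CCM/GCM auth tag length
    checksum_alg: str    # hashlib name: "sha256" or "sha224"
    checksum_bits: int   # leftmost bits of the digest that are stored


# The six layouts from the post (Options 3 and 6 shown with SHA256).
OPTIONS = [
    Layout("Option 1", 96, 128, "sha256", 128),
    Layout("Option 2", 96, 128, "sha224", 128),
    Layout("Option 3", 96, 128, "sha256", 160),
    Layout("Option 4", 96, 32, "sha256", 256),
    Layout("Option 5", 96, 64, "sha224", 224),
    Layout("Option 6", 96, 96, "sha256", 192),
]


def total_bits(layout: Layout) -> int:
    return layout.iv_bits + layout.mac_bits + layout.checksum_bits


def fits(layout: Layout) -> bool:
    return total_bits(layout) <= BUDGET_BITS


def truncated_checksum(layout: Layout, ciphertext: bytes) -> bytes:
    """Leftmost checksum_bits of the digest of the ciphertext block."""
    digest = hashlib.new(layout.checksum_alg, ciphertext).digest()
    if layout.checksum_bits % 8 or layout.checksum_bits > len(digest) * 8:
        raise ValueError("truncation must be a byte multiple no longer than the digest")
    return digest[: layout.checksum_bits // 8]


def security_margins(layout: Layout) -> dict:
    """Generic log2 work factors: birthday collision ~2^(n/2), second
    preimage ~2^n for an n-bit checksum; one MAC forgery guess succeeds
    with probability 2^-t for a t-bit tag (ignores per-algorithm caveats)."""
    n, t = layout.checksum_bits, layout.mac_bits
    return {"collision_log2": n / 2, "second_preimage_log2": n, "forgery_guess_log2": -t}


if __name__ == "__main__":
    block = bytes(range(256)) * 2  # constructed 512-byte sample ciphertext block
    for opt in OPTIONS:
        print(opt.name, total_bits(opt), fits(opt), truncated_checksum(opt, block).hex(),
              security_margins(opt))
```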
