"Zooko Wilcox-O'Hearn" writes:

> I remember this discussion on the zfs-crypto list! It led me to a very
> general crypto engineering question. It goes like this: suppose you
> want to ensure the integrity of a chunk of data. There are at least
> two ways to do this (excluding public key digital signatures):
>
> 1. the secret-oriented way: you make a MAC tag of the chunk (or
> equivalently you use Authenticated Encryption on it) using a secret
> key known to the good guy(s) and unknown to the attacker(s).
>
> 2. the verifier-oriented way: you make a secure hash of the chunk, and
> make the resulting hash value known to the good guy(s) in an
> authenticated way.
>
> Tahoe-LAFS uses the latter approach, ZFS settled on the former.
Doesn't 2) lead to information disclosure? If "chunk" is plaintext, then
knowing the hash of it may be useful to an attacker, and a system using that
approach would appear to violate the principle of confidentiality.

If "chunk" is ciphertext, then your scheme of sending around (authenticated)
hashes of the ciphertext should work fine even with AEADs, shouldn't it?

Perhaps "chunk" is something in between, such as plaintext padded with a nonce,
although then you have nonce re-use issues.

I couldn't find the definition of "chunk" in this thread nor in the links you
sent initially.

/Simon

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
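The two integrity approaches Zooko lists, and the confidentiality point Simon raises about hashing plaintext, as an added Python illustration (this is not code from Tahoe-LAFS, ZFS or either poster). It assumes a constructed sample chunk and guess list, takes the authenticated channel for the published hash as given, and uses a one-time-pad XOR with a fresh random pad as a stand-in for a real cipher or AEAD so that it runs offline with only the standard library; the nonce-padded variant at the end is Zooko's "something in between" and shows the equality leak that nonce re-use causes.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample data: a short chunk whose plaintext an observer could
# plausibly guess from a small candidate list.
CHUNK = b"balance=100"
GUESSES = [b"balance=50", b"balance=100", b"balance=200"]


# --- 1. Secret-oriented: MAC tag under a key the observer does not hold ---
def mac_tag(key: bytes, chunk: bytes) -> bytes:
    return hmac.new(key, chunk, hashlib.sha256).digest()


def mac_verify(key: bytes, chunk: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the tag check itself does not leak.
    return hmac.compare_digest(mac_tag(key, chunk), tag)


# --- 2. Verifier-oriented: unkeyed hash, handed to verifiers authentically ---
def chunk_hash(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()


def hash_verify(chunk: bytes, published: bytes) -> bool:
    # The authenticated path by which `published` reaches the verifier is
    # assumed; this function only performs the comparison.
    return hmac.compare_digest(chunk_hash(chunk), published)


# --- What does the published integrity value reveal about the chunk? ---
def confirm_guess(published: bytes, guesses,
                  compute: Callable[[bytes], bytes]) -> Optional[bytes]:
    """Model of someone holding only the published value and a function they
    can compute themselves; returns the guess it confirms, or None."""
    for g in guesses:
        if hmac.compare_digest(compute(g), published):
            return g
    return None


def xor_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a real cipher/AEAD (assumption): XOR with a fresh random
    pad of equal length, used only so the example runs offline."""
    if len(pad) != len(plaintext):
        raise ValueError("pad must match plaintext length")
    return bytes(a ^ b for a, b in zip(pad, plaintext))


def leak_comparison() -> dict:
    """Protect the same chunk three ways and report what each published value
    lets a guesser confirm, plus whether each still detects tampering."""
    mac_key = secrets.token_bytes(32)
    tag = mac_tag(mac_key, CHUNK)
    plaintext_hash = chunk_hash(CHUNK)
    pad = secrets.token_bytes(len(CHUNK))
    ciphertext_hash = chunk_hash(xor_encrypt(pad, CHUNK))

    # Without the real MAC key, the best a guesser can do is MAC under a key
    # of their own, which never reproduces the genuine tag.
    other_key = secrets.token_bytes(32)
    return {
        "plaintext_hash_confirms": confirm_guess(plaintext_hash, GUESSES, chunk_hash),
        "ciphertext_hash_confirms": confirm_guess(ciphertext_hash, GUESSES, chunk_hash),
        "mac_tag_confirms": confirm_guess(tag, GUESSES, lambda g: mac_tag(other_key, g)),
        "mac_detects_tamper": not mac_verify(mac_key, CHUNK + b"0", tag),
        "hash_detects_tamper": not hash_verify(CHUNK + b"0", plaintext_hash),
    }


# --- The middle ground: hash over plaintext padded with a nonce ---
def nonce_padded_hash(nonce: bytes, chunk: bytes) -> bytes:
    return chunk_hash(nonce + chunk)


def nonce_reuse_leaks_equality(nonce_a: bytes, nonce_b: bytes) -> bool:
    """With the nonce reused, two chunks holding the same plaintext hash to the
    same value, so an observer learns they are equal; fresh nonces hide that."""
    return nonce_padded_hash(nonce_a, CHUNK) == nonce_padded_hash(nonce_b, CHUNK)


if __name__ == "__main__":
    for name, result in leak_comparison().items():
        print(f"{name}: {result!r}")
    n = secrets.token_bytes(16)
    print("reused nonce, same plaintext, equal hashes:", nonce_reuse_leaks_equality(n, n))
    print("fresh nonces, same plaintext, equal hashes:",
          nonce_reuse_leaks_equality(n, secrets.token_bytes(16)))
```

Running it shows the plaintext hash confirming the correct guess while the ciphertext hash and the MAC tag confirm nothing, with all three variants still rejecting the tampered chunk; the last two lines show the nonce-padded hash leaking plaintext equality only when the nonce is reused.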