`For the encryption functionality in the ZFS filesystem we use AES in CCM`

`or GCM mode at the block level to provide confidentiality and`

`authentication. There is also a SHA256 checksum per block (of the`

`ciphertext) that forms a Merkle tree of all the blocks in the pool.`

`Note that I have to store the full IV in the block. A block here is a`

`ZFS block which is any power of two from 512 bytes to 128k (the default).`

`The SHA256 checksums are used even for blocks in the pool that aren't`

`encrypted and are used for detecting and repairing (resilvering) block`

`corruption. Each filesystem in the pool has its own wrapping key and`

`data encryption keys.`

`Due to some unchangeable constraints I have only 384 bits of space to`

`fit in all of: IV, MAC (CCM or GCM Auth Tag), and the SHA256 checksum,`

`which best case would need about 480 bits.`

`Currently I have Option 1 below but I the truncation of SHA256 down to`

`128 bits makes me question if this is safe. Remember the SHA256 is of`

`the ciphertext and is used for resilvering.`

Option 1 -------- IV 96 bits (the max CCM allows given the other params) MAC 128 bits Checksum SHA256 truncated to 128 bits Other options are: Option 2 -------- IV 96 bits MAC 128 bits Checksum SHA224 truncated to 128 bits Basically if I have to truncate to 128 bits is it better to do it against SHA224 or SHA256 ? Option 3 -------- IV 96 bits MAC 128 bits Checksum SHA224 or SHA256 truncated to 160 bits Obviously better than the 1 and 2 but how much better ? The reason it isn't used just now is because it is slightly harder to layout given other constrains in where the data lives. Option 4 -------- IV 96 bits MAC 32 bits Checksum SHA256 at full 256 bits I'm pretty sure the size of the MAC is far to small. Option 5 -------- IV 96 bits MAC 64 bits Checksum SHA224 at full 224 bits This feels like the best compromise, but is it ? Option 6 -------- IV 96 bits MAC 96 bits Checksum SHA224 or SHA256 truncated to 192 bits -- Darren J Moffat --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com