For the encryption functionality in the ZFS filesystem we use AES in CCM or GCM mode at the block level to provide confidentiality and authentication. There is also a SHA256 checksum per block (of the ciphertext) that forms a Merkle tree of all the blocks in the pool. Note that I have to store the full IV in the block. A block here is a ZFS block which is any power of two from 512 bytes to 128k (the default).

The SHA256 checksums are used even for blocks in the pool that aren't encrypted and are used for detecting and repairing (resilvering) block corruption. Each filesystem in the pool has its own wrapping key and data encryption keys.

Due to some unchangeable constraints I have only 384 bits of space to fit in all of: IV, MAC (CCM or GCM Auth Tag), and the SHA256 checksum, which best case would need about 480 bits.

Currently I have Option 1 below but I the truncation of SHA256 down to 128 bits makes me question if this is safe. Remember the SHA256 is of the ciphertext and is used for resilvering.

Option 1
IV              96 bits  (the max CCM allows given the other params)
MAC             128 bits
Checksum        SHA256 truncated to 128 bits

Other options are:

Option 2
IV              96 bits
MAC             128 bits
Checksum        SHA224 truncated to 128 bits

        Basically if I have to truncate to 128 bits is it better to do
        it against SHA224 or SHA256 ?

Option 3
IV              96 bits
MAC             128 bits
Checksum        SHA224 or SHA256 truncated to 160 bits

        Obviously better than the 1 and 2 but how much better ?
        The reason it isn't used just now is because it is slightly
        harder to layout given other constrains in where the data lives.

Option 4
IV              96 bits
MAC             32 bits
Checksum        SHA256 at full 256 bits

        I'm pretty sure the size of the MAC is far to small.

Option 5
IV              96 bits
MAC             64 bits
Checksum        SHA224 at full 224 bits

        This feels like the best compromise, but is it ?

Option 6
IV              96 bits
MAC             96 bits
Checksum        SHA224 or SHA256 truncated to 192 bits

Darren J Moffat

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to