On Tuesday, 2009-12-01, at 6:45, Darren J Moffat wrote:

> I've settled on 160 bits of SHA256, 96 bit stored IV, and 96 bit AuthTag/MAC.
And this 96-bit stored IV is the only IV, right? Because auxiliary information such as zbookmark_t and txg can't be used for this purpose?

Have you worked out the birthday paradox consequences for a 96-bit IV? The easy one to calculate is that if you had 2^48 blocks then you'd have a 50% chance of IV collision. I don't know about you, but I would consider 2^48 blocks to be way more than you need to support for the foreseeable future. But how many blocks does it take before you suffer a 10^-5 chance of IV collision? How about a 10^-9 chance? Anyway, what is your tolerance for a chance of IV collision?

I haven't worked out the answers to these birthday paradox questions yet, but I intend to, with the help of my brother who is a statistician, and report back. Obviously only you can answer the one about what chance of IV collision you are comfortable with.

Another question: does this scheme prevent deduplication? If two blocks have identical plaintext, but independent random IVs and therefore different ciphertext, then how can the deduper figure out that they could be deduped?

(Foreshadowing: I have a crypto hack in mind that could address these two issues, if issues they be.)

Regards,

Zooko

---
Your cloud storage provider does not need access to your data.
Tahoe-LAFS -- http://allmydata.org
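The birthday-bound questions in this message, worked through as an added Python example (not code from the thread, from Zooko, or from ZFS): it computes the probability that n random 96-bit IVs collide and inverts the bound to find how many blocks a given collision tolerance allows. The tolerances and the 2^28-block pool size used in the script are assumed for illustration, not taken from the thread.

```python
import math


def collision_probability(n: int, iv_bits: int = 96) -> float:
    """Probability that at least two of n uniformly random iv_bits-bit IVs collide.

    Standard birthday-bound approximation p ~= 1 - exp(-n(n-1) / (2 * 2**iv_bits)),
    accurate while n is far below 2**iv_bits. Python big ints keep n*(n-1) exact
    before the division, so n = 2**48 does not overflow.
    """
    space = 2 ** iv_bits
    return -math.expm1(-(n * (n - 1)) / (2 * space))


def blocks_for_probability(p: float, iv_bits: int = 96) -> int:
    """Smallest block count n at which the collision probability reaches p.

    Inverts the approximation above: n ~= sqrt(-2 * 2**iv_bits * ln(1 - p)).
    """
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(-2 * space * math.log1p(-p)))


def within_tolerance(n_blocks: int, tolerance: float, iv_bits: int = 96) -> bool:
    """True if n_blocks distinct encrypted blocks stay under the collision
    tolerance; the sizing check a filesystem designer would run for a pool."""
    return collision_probability(n_blocks, iv_bits) <= tolerance


if __name__ == "__main__":
    # Tolerances are the ones asked about in the message; the pool size below
    # (2**28 blocks, i.e. 1 TiB of 4 KiB blocks) is an assumed example.
    print(f"{'tolerance':>10}  {'blocks (log2)':>14}")
    for tol in (0.5, 1e-5, 1e-9):
        n = blocks_for_probability(tol)
        print(f"{tol:>10.0e}  {math.log2(n):>14.2f}")
    print("2^28 blocks under 1e-9:", within_tolerance(2 ** 28, 1e-9))
```

The 50% figure lands a little above 2^48 blocks, while a 10^-5 tolerance is reached near 2^40 blocks and a 10^-9 tolerance near 2^33.5, so the tolerance chosen changes the safe block budget by orders of magnitude.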