Re: storing an explicit nonce

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Antonin Houska <ah(at)cybertec(dot)at>
Cc: Ants Aasma <ants(at)cybertec(dot)at>, Sasasu <i(at)sasa(dot)su>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: storing an explicit nonce
Date: 2021-10-07 15:54:54
Message-ID: 20211007155454.GC5475@momjian.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Thu, Oct 7, 2021 at 10:27:15AM +0200, Antonin Houska wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > The above text isn't very clear. What I am saying is that currently
> > torn pages can be tolerated by hint bit writes because only a single
> > byte is changing. If we use a block cipher like AES-XTS, later 16-byte
> > encrypted blocks would be changed by hint bit changes, meaning torn
> > pages could not be tolerated. This means we would have to use full page
> > writes for hint bit changes, perhaps making this feature have
> > unacceptable performance overhead.
>
> IIRC, in the XTS scheme, a change of a single byte in the 16-byte block causes
> the whole encrypted block to be different after the next encryption, however
> the following blocks are not affected. CBC (cipher-block chaining) is the mode
> where the change in one block does affect the encryption of the following
> block.

Oh, good point. I was not aware of that. It means XTS does not feed
the previous block as part of the nonce to the next block.

> I'm not sure if this fact is important from the hint bit perspective
> though. It would be an important difference if there was a guarantee that the
> 16-byte blocks are consitent even on torn page - does e.g. proper alignment of
> pages guarantee that? Nevertheless, the absence of the chaining may be a
> reason to prefer CBC to XTS anyway.

Uh, technically most drives use 512-byte sectors, but I don't know if
there is any guarantee that 512-byte sectors will not be torn --- I have
a feeling there isn't. I think we get away with the hint bit case
because you can't tear a single bit. ;-) However, my patch created a
full page write for hint bit changes. If we don't use the LSN, those
full page writes will only happen once per checkpoint, which seems
acceptable, at least to Robert.

Interesting on the CBC idea which would force the rest of the page to
change --- not sure if that is valuable.

I know stream ciphers can be diff'ed to see data because they are
xor'ing the data --- I don't remember if block ciphers have similar
weaknesses.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

If only the physical world exists, free will is an illusion.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2021-10-07 16:00:04 Re: pg_dump does not dump tables created in information_schema schema
Previous Message Stephen Frost 2021-10-07 15:50:23 Re: storing an explicit nonce