From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Ants Aasma <ants(at)cybertec(dot)at>, Sasasu <i(at)sasa(dot)su>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: storing an explicit nonce |
Date: | 2021-10-07 14:28:55 |
Message-ID: | CA+TgmoaOYJUH3Fk0V6spPS-YA1rcGhiVeQnLWeCCe7OJcGXqEA@mail.gmail.com |
Lists: | pgsql-hackers |

On Wed, Oct 6, 2021 at 3:17 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> With AES-XTS, we don't need to use the LSN as part of the nonce though,
> so I don't think this argument is actually valid..? As discussed
> previously regarding AES-XTS, the general idea was to use the path to
> the file and the filename itself plus the block number as the IV, and
> that works fine for XTS because it's ok to reuse it (unlike with CTR).

However, there's also the option of storing a nonce in each page, as
suggested by the subject of this thread. I think that's probably a
pretty workable approach, as demonstrated by the patch that started
this thread. We'd need to think a bit carefully about whether any of
the compile-time calculations the patch moves to runtime are expensive
enough to matter and whether any such impacts can be mitigated, but I
think there is a good chance that such issues are manageable.

I'm a little concerned by the email from "Sasasu" saying that even in
XTS reusing the IV is not cryptographically weak. I don't know enough
about these different encryption modes to know if he's right, but if
he is then perhaps we need to consider his suggestion of using
AES-GCM. Or, uh, something else.

--
Robert Haas
EDB: http://www.enterprisedb.com
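
The difference between reusing an XTS tweak and reusing a CTR nonce, which the message and its quoted text discuss, can be seen by encrypting two versions of one page under the same per-page value. This is an added example, not code from the thread or from the patch: a toy Feistel permutation stands in for AES, and the keys, file path, block number and page contents are all constructed.

```python
import hashlib, hmac

BLOCK = 16  # bytes per cipher block, as in AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key, block):
    """Stand-in for AES (assumption): 4-round Feistel permutation on 16 bytes."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def tweak_for(path, blkno):
    """Tweak from file path plus block number, the idea in the quoted text."""
    return hashlib.sha256(path.encode() + blkno.to_bytes(8, "little")).digest()[:BLOCK]

def gf_double(t):
    """Multiply the running tweak by alpha in GF(2^128), as XTS does per block."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "little")

def xts_like(k1, k2, tweak, page):
    t, out = toy_encrypt(k2, tweak), b""
    for i in range(0, len(page), BLOCK):
        out += xor(toy_encrypt(k1, xor(page[i:i + BLOCK], t)), t)
        t = gf_double(t)
    return out

def ctr_like(key, nonce8, page):
    ks = b"".join(toy_encrypt(key, nonce8 + c.to_bytes(8, "big")) for c in range(len(page) // BLOCK))
    return xor(page, ks)

def changed_blocks(a, b):
    return [i // BLOCK for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK]]

def demo():
    k1, k2 = b"constructed-key1", b"constructed-key2"
    tweak = tweak_for("base/16384/24576", 7)  # constructed path and block number
    old = b"A" * 16 + b"balance=00000100" + b"C" * 16  # constructed page contents
    new = b"A" * 16 + b"balance=00009900" + b"C" * 16
    x_old, x_new = (xts_like(k1, k2, tweak, p) for p in (old, new))
    c_old, c_new = (ctr_like(k1, tweak[:8], p) for p in (old, new))
    # XTS-style: only which blocks changed; CTR: the XOR of the two plaintexts
    return changed_blocks(x_old, x_new), xor(c_old, c_new) == xor(old, new)
```

With the tweak reused, the XTS-style ciphertexts differ only in block 1, so an observer learns which 16-byte blocks changed; with the CTR nonce reused, XORing the two ciphertexts yields the XOR of the two plaintexts. Neither construction here detects modification of the ciphertext.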