Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

On 2012-04-26 1:11 PM, Zooko Wilcox-O'Hearn wrote: how are we doing? Are we winning? I don't know about you, but I consider myself to be primarily a producer of "defense" technology. I'd like for every individual on the planet to have confidentiality, data integrity, to be able to share certain a

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

Also, On Wed, Apr 25, 2012 at 10:11 PM, Zooko Wilcox-O'Hearn wrote: > Hello Nico Williams. Nice to hear from you. > > Yes, when David-Sarah Hopwood and I (both Tahoe-LAFS hackers) > participated on the zfs-crypto mailing list with you and others, I > learned about a lot of similarities between Ta

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

On Wed, Apr 25, 2012 at 10:27 PM, Marsh Ray wrote: > On 04/25/2012 10:11 PM, Zooko Wilcox-O'Hearn wrote: >> 2. the verifier-oriented way: you make a secure hash of the chunk, and >> make the resulting hash value known to the good guy(s) in an >> authenticated way. > > > Is option 2 sort of just pu

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

You'd have to ask Darren, but IIRC the design he settled on allows for unkeyed integrity verification and repair. I too think that's a critical feature to have even if having it were to mean leaking some information, such as file length in blocks, and number of files, as I look at this from an ope

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

On 04/25/2012 10:11 PM, Zooko Wilcox-O'Hearn wrote: It goes like this: suppose you want to ensure the integrity of a chunk of data. There are at least two ways to do this (excluding public key digital signatures): 1. the secret-oriented way: you make a MAC tag of the chunk (or equivalently you u

[cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

Hello Nico Williams. Nice to hear from you. Yes, when David-Sarah Hopwood and I (both Tahoe-LAFS hackers) participated on the zfs-crypto mailing list with you and others, I learned about a lot of similarities between Tahoe-LAFS and ZFS. On Wed, Apr 25, 2012 at 1:10 PM, Nico Williams wrote: > > O

Re: [cryptography] “On the limits of the use cases for authenticated encryption”

I think Tahoe-LAFS is the exception to any rule that one should use AE, and really, the very rare exception. Not the only exception, though this type of application might be the only exception we want. A ZFS-like COW filesystem with Merkle hash trees should have requirements similar to Tahoe's, s

[cryptography] “On the limits of the use cases for authenticated encryption”

Folks: I posted this on Google+, which I'm effectively using as a blog: https://plus.google.com/108313527900507320366/posts/cMng6kChAAW I'll paste the content of my essay below. It elicited some keen observations from Nikita Borisov in the comments on G+, but I guess you'll have to actually load