Re: storing an explicit nonce - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: storing an explicit nonce
Date
Msg-id 20211007155454.GC5475@momjian.us
In response to Re: storing an explicit nonce  (Antonin Houska <ah@cybertec.at>)
Responses Re: storing an explicit nonce  (Andres Freund <andres@anarazel.de>)
List pgsql-hackers
On Thu, Oct  7, 2021 at 10:27:15AM +0200, Antonin Houska wrote:
> Bruce Momjian <bruce@momjian.us> wrote:
> > The above text isn't very clear.  What I am saying is that currently
> > torn pages can be tolerated by hint bit writes because only a single
> > byte is changing.  If we use a block cipher like AES-XTS, later 16-byte
> > encrypted blocks would be changed by hint bit changes, meaning torn
> > pages could not be tolerated.  This means we would have to use full page
> > writes for hint bit changes, perhaps making this feature have
> > unacceptable performance overhead.
> 
> IIRC, in the XTS scheme, a change of a single byte in the 16-byte block causes
> the whole encrypted block to be different after the next encryption, however
> the following blocks are not affected. CBC (cipher-block chaining) is the mode
> where the change in one block does affect the encryption of the following
> block.

Oh, good point.  I was not aware of that.  It means XTS does not feed
the previous block as part of the nonce to the next block.

> I'm not sure if this fact is important from the hint bit perspective
> though. It would be an important difference if there was a guarantee that the
> 16-byte blocks are consistent even on a torn page - does e.g. proper alignment of
> pages guarantee that? Nevertheless, the absence of the chaining may be a
> reason to prefer CBC to XTS anyway.

Uh, technically most drives use 512-byte sectors, but I don't know if
there is any guarantee that 512-byte sectors will not be torn --- I have
a feeling there isn't.  I think we get away with the hint bit case
because you can't tear a single bit.  ;-)  However, my patch created a
full page write for hint bit changes.  If we don't use the LSN, those
full page writes will only happen once per checkpoint, which seems
acceptable, at least to Robert.

Interesting on the CBC idea which would force the rest of the page to
change --- not sure if that is valuable.

I know stream ciphers can be diff'ed to see data because they are
xor'ing the data --- I don't remember if block ciphers have similar
weaknesses.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.
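
The block-level behaviour discussed in this message, as an added example that is not part of the original e-mail or of any PostgreSQL patch: it flips one bit in an 8 kB page and lists which 16-byte ciphertext blocks change under AES-XTS and under AES-CBC. XTS is built here on Go's crypto/aes for whole blocks only; the keys, sector number 7, page contents, zero CBC IV and all function names are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const bs = aes.BlockSize // 16-byte cipher block
var k1, _ = aes.NewCipher(bytes.Repeat([]byte{1}, 32)) // constructed data key
var k2, _ = aes.NewCipher(bytes.Repeat([]byte{2}, 32)) // constructed tweak key

// xts encrypts p in place with AES-XTS (whole blocks only, no ciphertext stealing).
func xts(p []byte) {
	tweak := []byte{7, bs - 1: 0} // sector number 7 (constructed), little-endian
	k2.Encrypt(tweak, tweak)      // initial tweak depends on the sector, never on the data
	for off := 0; off < len(p); off += bs {
		blk, carry := p[off:off+bs], byte(0)
		for i := range blk {
			blk[i] ^= tweak[i]
		}
		k1.Encrypt(blk, blk)
		for i := range blk {
			blk[i] ^= tweak[i]
			tweak[i], carry = tweak[i]<<1|carry, tweak[i]>>7 // tweak *= alpha in GF(2^128)
		}
		tweak[0] ^= 0x87 * carry
	}
}

// cbc encrypts p in place with AES-CBC and a zero IV (for this comparison only).
func cbc(p []byte) { cipher.NewCBCEncrypter(k1, make([]byte, bs)).CryptBlocks(p, p) }
// hintBitDiff flips one bit at byte flipAt and lists the 16-byte ciphertext blocks that change.
func hintBitDiff(enc func([]byte), pageSize, flipAt int) (idx []int) {
	a, b := bytes.Repeat([]byte{0xAB}, pageSize), bytes.Repeat([]byte{0xAB}, pageSize)
	b[flipAt] ^= 0x01 // single-bit update, as a hint bit change would be
	enc(a)
	enc(b)
	for off := 0; off < pageSize; off += bs {
		if !bytes.Equal(a[off:off+bs], b[off:off+bs]) {
			idx = append(idx, off/bs)
		}
	}
	return idx
}

func main() {
	fmt.Println("XTS:", hintBitDiff(xts, 8192, 100), "CBC blocks:", len(hintBitDiff(cbc, 8192, 100)))
}
```

With an 8192-byte page and the bit flipped at byte 100, XTS changes only block 6, while CBC changes blocks 6 through 511.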



