ietf-openpgp

Re: [openpgp] AEAD Chunk Size

2019-04-01 11:10:52
On Sat, Mar 30, 2019 at 10:16:46PM +0100, Neal H. Walfield wrote:
> Hi Ben,
>
> Thanks for your note.
>
> At Sat, 30 Mar 2019 10:04:38 -0500,
> Benjamin Kaduk wrote:
> > I also have a use case for authentication of large chunks of data at rest:
> > they allow me to use a cheap bulk storage service that provides
> > (best-effort) replication and archiving but has poor physical security.  So
> > I encrypt my data to myself and put it in storage, but when I get it back
> > I need to know that it's valid.  I can imagine at least one case where
> > knowing exactly which chunk was corrupted would save effort; it may be a
> > toy example but perhaps it is illustrative of a broader case.  Note that
> > there are algorithms to compute pi to arbitrary precision, and even to
> > compute the Nth digit thereof without computing the previous digits.  If I
> > need to have random-access inquiries into the value of pi, I could
> > precompute using software I trust and do this self-encryption thing, and
> > when a chunk is bad I can recompute only that chunk and still trust that I
> > only ever use values generated by my trusted implementation.
>
> Just to be clear: when you say "large chunks of data at rest," you're
> not arguing that large AEAD chunks are better, are you?  It seems to
> me that if you use small chunks, at least in your example, you have
> less work to do when you discover a corrupted chunk.

Thanks for spotting that; my "large chunks of data at rest" was meant to
just be large quantities of data (e.g., TB or more), with no relationship
to the chunk size used in the encryption thereof.

-Ben
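
The chunk-size trade-off discussed in this exchange, as an added example that is not part of the original message: each chunk carries its own authentication tag, so one flipped byte in storage invalidates only the chunk that contains it. HMAC-SHA256 stands in for the AEAD tag (no encryption is performed), and the function names, chunk sizes and sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def chunk_tag(key, index, is_last, data):
    # Bind the chunk's position and a final-chunk flag into the tag so that
    # reordered or truncated chunks fail verification as well.
    header = index.to_bytes(8, "big") + (b"\x01" if is_last else b"\x00")
    return hmac.new(key, header + data, hashlib.sha256).digest()


def protect(key, data, chunk_size):
    """Split data into chunks and return a list of (chunk, tag) pairs."""
    pieces = [data[i:i + chunk_size]
              for i in range(0, len(data), chunk_size)] or [b""]
    last = len(pieces) - 1
    return [(p, chunk_tag(key, i, i == last, p)) for i, p in enumerate(pieces)]


def bad_chunks(key, stored):
    """Return the indices of chunks whose tag does not verify."""
    last = len(stored) - 1
    return [i for i, (p, t) in enumerate(stored)
            if not hmac.compare_digest(t, chunk_tag(key, i, i == last, p))]


def recompute_cost(key, data, chunk_size, flip_at):
    """Flip one stored byte; return (bad chunk indices, bytes to regenerate)."""
    stored = protect(key, data, chunk_size)
    idx, off = divmod(flip_at, chunk_size)
    chunk, tag = stored[idx]
    damaged = chunk[:off] + bytes([chunk[off] ^ 0x01]) + chunk[off + 1:]
    stored[idx] = (damaged, tag)
    bad = bad_chunks(key, stored)
    return bad, sum(len(stored[i][0]) for i in bad)


if __name__ == "__main__":
    key = os.urandom(32)
    data = bytes(range(256)) * 4096  # constructed 1 MiB sample, not real data
    for size in (1 << 20, 1 << 12):  # one 1 MiB chunk vs. 4 KiB chunks
        print(size, recompute_cost(key, data, size, flip_at=700_000))
```

With a single 1 MiB chunk the whole megabyte has to be regenerated after the flip; with 4 KiB chunks only the one damaged 4 KiB chunk does.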
