Re: storing an explicit nonce

On Thu, Oct  7, 2021 at 10:28:55AM -0400, Robert Haas wrote:
> However, there's also the option of storing a nonce in each page, as
> suggested by the subject of this thread. I think that's probably a
> pretty workable approach, as demonstrated by the patch that started
> this thread. We'd need to think a bit carefully about whether any of
> the compile-time calculations the patch moves to runtime are expensive
> enough to matter and whether any such impacts can be mitigated, but I
> think there is a good chance that such issues are manageable.
> 
> I'm a little concerned by the email from "Sasasu" saying that even in
> XTS reusing the IV is not cryptographically weak. I don't know enough
> about these different encryption modes to know if he's right, but if
> he is then perhaps we need to consider his suggestion of using
> AES-GCM. Or, uh, something else.

I continue to be concerned that a page format change will decrease the
desirability of this feature by making migration complex and increasing
its code complexity.  I am unclear if it is necessary.

I think the big question is whether XTS with db/relfilenode/blocknumber
is sufficient as an IV without a nonce that changes for updates.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.