From 863393ab2c656759e1c225537f692961d70041dc Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 11 Aug 2016 23:46:42 -0400
Subject: don't use IV as puzzle after all

Not a good idea to use IV, because all the parts of the IV that are 0 will not obscure the data in the first block at all.

Instead, sha256 the password to generate the IV, and keep the puzzle as part of the key.
---
 Tunables.hs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'Tunables.hs')

diff --git a/Tunables.hs b/Tunables.hs
index ab170a5..1ecccf6 100644
--- a/Tunables.hs
+++ b/Tunables.hs
@@ -60,7 +60,7 @@ data EncryptionTunable = UseAES256
 deriving (Show)
 
 -- | An additional puzzle that makes decryption more expensive.
-data DecryptionPuzzleTunable = UsePuzzleIV (Cost DecryptionOp)
+data DecryptionPuzzleTunable = KeyBlindingLeftSide (Cost DecryptionOp)
 deriving (Show)
 
 defaultTunables :: Tunables
@@ -74,7 +74,7 @@ defaultTunables = Tunables
 -- This is set to only 1 minute because GPUs are quite a lot
 -- faster than CPUs at AES, and so setting it higher would make
 -- clients too slow at key recovery.
- , decryptionPuzzleTunable = UsePuzzleIV (GPUCost (Seconds 60))
+ , decryptionPuzzleTunable = KeyBlindingLeftSide (GPUCost (Seconds 60))
 }
 where
 argonoptions = Argon2.HashOptions
@@ -96,7 +96,7 @@ testModeTunables = Tunables
 , objectSize = 1024*64
 , expensiveHashTunable = UseArgon2 weakargonoptions argoncost
 , encryptionTunable = UseAES256
- , decryptionPuzzleTunable = UsePuzzleIV (GPUCost (Seconds 1))
+ , decryptionPuzzleTunable = KeyBlindingLeftSide (GPUCost (Seconds 1))
 }
 where
 UseArgon2 argonoptions argoncost = expensiveHashTunable defaultTunables
-- 
cgit v1.2.3
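Review bot: The renamed constructor `KeyBlindingLeftSide` in the first hunk (Tunables.hs line 60) carries no documentation of its own; the Haddock above it still reads exactly as it did for `UsePuzzleIV`, so a reader of Tunables.hs cannot tell what is blinded, what "left side" refers to, or why the IV is no longer used. The reason given in the commit message (zero bytes of the IV leave the first block unobscured) is a security argument about the construction and belongs next to the type rather than only in history. Suggest replacing the comment with `-- | An additional puzzle that makes decryption more expensive: part of the` / `-- encryption key (presumably its leading bytes — confirm against the encryption code) is blinded at the given cost.` / `-- The IV is not used for this, since any zero bytes in it would leave the first block unobscured.` The hunks at lines 74 and 96 only update the two call sites and need no further change.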