- 
                Notifications
    You must be signed in to change notification settings 
- Fork 0
Enable indexing on eql_v2_encrypted columns without needing function helpers #118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
e921775    to
    6abe92b      
    Compare
  
    6abe92b    to
    69afdc8      
    Compare
  
    | -- REQUIRE: src/hmac_256/functions.sql | ||
|  | ||
|  | ||
| CREATE FUNCTION eql_v2.compare_hmac_256(a eql_v2_encrypted, b eql_v2_encrypted) | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the difference between this and blake3?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The types are different, although both resolve to text.
The implementation pattern is the same for every type of index for consistency.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I mean what do we use them for? HMAC and Blake are essentially the same thing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@coderdan Blake3 is used in the SteVec implementation. I've followed the cipherstash-client implementation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Naming was discussed here https://discourse.cipherstash.com/t/eql-json-fields-should-be-named-after-their-search-term-algorithm/441
And in slack.
| -- -- PERFORM create_table_with_encrypted(); | ||
|  | ||
| SELECT e FROM ore WHERE id = 42 INTO ore_term; | ||
| -- -- EXECUTE 'EXPLAIN ANALYZE SELECT e::jsonb FROM encrypted WHERE e = ''("{\"ob\": \"abc\"}")'';' into result; | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be removed?
| -- PERFORM eql_v2.log('eql_v2.compare_ore_cllw_u64_8'); | ||
| -- PERFORM eql_v2.log('a', a::text); | ||
| -- PERFORM eql_v2.log('b', b::text); | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be removed?
| -- Check if there's a difference | ||
| IF x != y THEN | ||
| differing := (x, y); | ||
| differing := true; | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By exiting the loop early this may be vulnerable to timing attacks.
The preferred approach is to record the first byte that differs and continue to the end of the input anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@coderdan The exit was in the original code. The only change I made was the unnecessary record. I can remove it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The cllw-ore crate has similar issue:
// TODO: More work required to make this constant time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Epic. No show-stoppers but I'm curious about hmac vs blake. Is Blake just used in JSON indexing?
No description provided.