paragonie / ciphersweet

Fast, searchable field-level encryption for PHP projects
https://ciphersweet.paragonie.com

Differences between slow and fast method for blind index #66

Closed: magi-web closed this issue 2 years ago

magi-web commented 2 years ago

Thank you very much for this awesome work!

I'm currently building a Symfony/Doctrine bridge package to provide your library as a user-friendly feature. My concern is about the Blind Index generation, which can take time when we want to build a large list of indexes. I ran a benchmark to compare both slow and fast methods:

        // Init encryption fields
        // We use the BoringCrypto BackendInterface which calls Libsodium

        $accountNameS = (new EncryptedField($this->engine, RemoteWallet::class, 'account_name'))
            ->addBlindIndex(
                new BlindIndex('account_name'.'_bi', [], EncryptorInterface::DEFAULT_FILTER_BITS)
            );

        $accountNameF = (new EncryptedField($this->engine, RemoteWallet::class, 'account_name'))
            ->addBlindIndex(
                new BlindIndex('account_name'.'_bi', [], EncryptorInterface::DEFAULT_FILTER_BITS, true)
            );

        $startS = microtime(true);
        $idxS = [];
        for ($i = 0; $i < 1000; $i++) {
            $idxS[] = $accountNameS->getBlindIndex((string) $i, 'account_name'.'_bi');
        }
        $endS = microtime(true) - $startS;

        $startF = microtime(true);
        $idxF = [];
        for ($i = 0; $i < 1000; $i++) {
            $idxF[] = $accountNameF->getBlindIndex((string) $i, 'account_name'.'_bi');
        }
        $endF = microtime(true) - $startF;

        $this->io->table(['Method', 'Duration', 'First index'], [['Slow', $endS, $idxS[0]], ['Fast', $endF, $idxF[0]]]);

        $this->io->comment('Are idx tables different ? (of course they should be) '.(array_diff($idxS,$idxF) !== [] ? 'Yes' : 'No'));

Here is the output on my laptop:

 -------- ------------------- ------------- 
  Method   Duration            First index  
 -------- ------------------- ------------- 
  Slow     66.616168022156     cd7882e9     
  Fast     0.039582014083862   1d704b7d     
 -------- ------------------- ------------- 

 // Are idx tables different ? (of course they should be) Yes        

I'd like to know if we can safely use the Fast method or if we should prefer the slow one as a good practice.

paragonie-security commented 2 years ago

The fast indices are sufficient for security. The slow ones were provided so nobody reinvented their own PBKDF2-based blind index alternative and made a critical vulnerability i.e. between HMAC and PBKDF2. It was included with the Libsodium-based backend for feature-parity.
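As an added illustration (not code from this issue or from CipherSweet), the sketch below contrasts the two kinds of blind index discussed in this thread: a single keyed hash versus a deliberately slow KDF, both truncated to a filter size. The BLAKE2b and PBKDF2-SHA384 constructions, the 50,000 iteration count, the demo keys and all function names are assumptions chosen for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo key (32 bytes); a real deployment uses a managed secret.
$indexKey = hash('sha256', 'constructed demo key, not a real secret', true);

/** Keep only the leftmost $bits bits of $raw and return them as hex. */
function truncateBits(string $raw, int $bits): string
{
    $bytes = intdiv($bits + 7, 8);
    $out = substr($raw, 0, $bytes);
    if ($bits % 8 !== 0) {
        // Zero the unused low bits of the last byte.
        $mask = (0xFF << (8 - $bits % 8)) & 0xFF;
        $out[$bytes - 1] = chr(ord($out[$bytes - 1]) & $mask);
    }
    return bin2hex($out);
}

/** Fast variant (assumption): one keyed BLAKE2b call via libsodium. */
function fastIndex(string $plaintext, string $key, int $bits): string
{
    return truncateBits(sodium_crypto_generichash($plaintext, $key, 32), $bits);
}

/** Slow variant (assumption): PBKDF2-SHA384, index key as salt, 50,000 rounds. */
function slowIndex(string $plaintext, string $key, int $bits): string
{
    return truncateBits(hash_pbkdf2('sha384', $plaintext, $key, 50000, 32, true), $bits);
}

$otherKey = hash('sha256', 'second constructed key', true);
foreach (['fastIndex', 'slowIndex'] as $fn) {
    $start = microtime(true);
    $stored = [];
    for ($i = 0; $i < 100; $i++) {
        $stored[$i] = $fn((string) $i, $indexKey, 32);
    }
    $elapsed = microtime(true) - $start;
    // Equality search: recompute the index of the search term and compare.
    $hit = hash_equals($stored[42], $fn('42', $indexKey, 32));
    // Without the index key, the same plaintext maps to an unrelated value.
    $keyed = !hash_equals($stored[42], $fn('42', $otherKey, 32));
    printf("%-9s %.4fs lookup=%s keyed=%s\n", $fn, $elapsed,
        $hit ? 'ok' : 'FAIL', $keyed ? 'ok' : 'FAIL');
}
```

Both variants are deterministic under the same key, which is what makes equality lookups possible; the difference that shows up in the timing column is only the per-index work factor.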

magi-web commented 2 years ago

Thank you very much!