Enable indexing on eql_v2_encrypted columns without needing function helpers #118

tobyhede · 2025-06-24T02:27:47Z

No description provided.

src/blake3/compare.sql

coderdan · 2025-06-24T08:55:17Z

src/hmac_256/compare.sql

+-- REQUIRE: src/hmac_256/functions.sql
+
+
+CREATE FUNCTION eql_v2.compare_hmac_256(a eql_v2_encrypted, b eql_v2_encrypted)


What's the difference between this and blake3?

The types are different, although both resolve to text.
The implementation pattern is the same for every type of index for consistency.

Sorry I mean what do we use them for? HMAC and Blake are essentially the same thing.

@coderdan Blake3 is used in the SteVec implementation. I've followed the cipherstash-client implementation

Naming was discussed here https://discourse.cipherstash.com/t/eql-json-fields-should-be-named-after-their-search-term-algorithm/441

And in slack.

src/operators/<=_test.sql

coderdan · 2025-06-24T12:57:53Z

src/operators/operator_class_test.sql


-      SELECT e FROM ore WHERE id = 42 INTO ore_term;
+--     -- EXECUTE 'EXPLAIN ANALYZE SELECT e::jsonb FROM encrypted WHERE e = ''("{\"ob\": \"abc\"}")'';' into result;


Should this be removed?

src/operators/operator_class_test.sql

src/operators/order_by_test.sql

coderdan · 2025-06-24T13:09:07Z

src/ore_cllw_u64_8/compare.sql

+    -- PERFORM eql_v2.log('eql_v2.compare_ore_cllw_u64_8');
+    -- PERFORM eql_v2.log('a', a::text);
+    -- PERFORM eql_v2.log('b', b::text);


Can this be removed?

coderdan · 2025-06-24T13:10:37Z

src/ore_cllw_u64_8/functions.sql

@@ -86,13 +94,13 @@ BEGIN

        -- Check if there's a difference
        IF x != y THEN
-            differing := (x, y);
+            differing := true;


By exiting the loop early this may be vulnerable to timing attacks.
The preferred approach is to record the first byte that differs and continue to the end of the input anyway.

@coderdan The exit was in the original code. The only change I made was the unnecessary record. I can remove it.

The cllw-ore crate has similar issue:

// TODO: More work required to make this constant time

coderdan

Epic. No show-stoppers but I'm curious about hmac vs blake. Is Blake just used in JSON indexing?

tobyhede added 9 commits June 24, 2025 09:42

feat: compare_hmac_256

5048ae0

feat: compare_blake3

068407d

feat: compare_ore_block_u64_8_256

293d450

feat: compare_ore_cllw_u64_8

64397f9

feat: compare_ore_cllw_var_8

5c853b2

feat: compare

9f0895b

feat: compare literal

55007b6

refactor: operators use compare function

c6392b6

refactor: operator class

c0028d7

tobyhede force-pushed the enable-index-on-hmac_256 branch from e921775 to 6abe92b Compare June 24, 2025 07:08

tobyhede marked this pull request as ready for review June 24, 2025 07:08

fix: disable ore_cllw operators

69afdc8

tobyhede force-pushed the enable-index-on-hmac_256 branch from 6abe92b to 69afdc8 Compare June 24, 2025 07:17