The Streaming AEAD primitive provides authenticated encryption for streaming data. It is useful when the data to be encrypted is too large to be processed in a single step. Typical use cases include encryption of large files or live data streams.
Encryption is done in segments, which are bound to their location within a ciphertext and cannot be removed or reordered. Segments from one ciphertext cannot be insert into another ciphertext. To modify an existing ciphertext, the entire data stream must be re-encrypted.1
Decryption is fast because only a portion of the ciphertext is decrypted and authenticated at a time. Partial plaintexts are obtainable without processing the entire ciphertext.
Streaming AEAD implementations fulfill the AEAD definition and are OAE2-secure. They have the following properties:
- Secrecy: Nothing about the plaintext is known, except its length.
- Authenticity: It is impossible to change the encrypted plaintext underlying the ciphertext without being detected.
- Symmetric: Encrypting the plaintext and decrypting the ciphertext is done with the same key.
- Randomization: Encryption is randomized. Two messages with the same plaintext yield different ciphertexts. Attackers cannot know which ciphertext corresponds to a given plaintext.
Associated data
Streaming AEAD can be used to tie ciphertext to specific associated
data. Suppose you have a database with the fields user-id
and encrypted-medical-history
. In this scenario, user-id
can be used as
associated data when encrypting encrypted-medical-history
. This prevents an
attacker from moving medical history from one user to another.
Choose a key type
We recommend AES128_GCM_HKDF_1MB for most uses. Generally:
- AES128_GCM_HKDF_1MB (or AES256_GCM_HKDF_1MB) is the faster option. It can encrypt 264 files with up to 264 bytes each. ~1 MB of memory is consumed during the encryption and decryption process.
- AES128_GCM_HKDF_4KB consumes ~4 KB of memory and is a good choice if your system doesn't have a lot of memory.
- AES128_CTR_HMAC_SHA256_1MB (or AES256_CTR_HMAC_SHA256_1MB) is a more conservative option.
Security guarantees
Streaming AEAD implementations offer:
- CCA2 security.
- At least 80-bit authentication strength.
- The ability to encrypt at least 264 messages3 with a total of 251 bytes2 . No attack with up to 232 chosen plaintexts or chosen ciphertexts has success probability larger than 2-32.
Example use case
See I want to encrypt large files or data streams.
-
A reason for this restriction is the use of the AES-GCM cipher. Encrypting a different plaintext segment at the same location would be equivalent to reusing the IV, which violates the security guarantees of AES-GCM. Another reason is that this prevents roll-back attacks, where the attacker may try to restore a previous version of the file without detection. ↩
-
232 segments are supported, with each segment containing
segment_size - tag_size
bytes of plaintext. For 1 MB segments, the total plaintext size is 232 * (220-16) ~= 251 bytes. ↩ -
Streaming AEAD becomes insecure when a derived key (128-bit) and nonce prefix (independent random 7-byte value) combination is repeated. We have 184-bit collision resistance, which roughly translates to 264 messages if we want success probability to be less than 2-32. ↩