Streaming Authenticated Encryption with Associated Data (Streaming AEAD)

The Streaming AEAD primitive provides authenticated encryption for streaming data, and is useful when the data to be encrypted is too large to be processed in a single step. Typical use cases include encryption of large files or live data streams.

Instances of Streaming AEAD follow the OAE2 definition proposed in the paper "Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance" by Hoang, Reyhanitabar, Rogaway and Vizár, and have the following properties:

  • Secrecy: Nobody will be able to get any information about the encrypted plaintext, except the length.
  • Authenticity: Without the key it is impossible to change the plaintext underlying the ciphertext undetected.
  • Symmetric: Encrypting the message and decrypting the ciphertext is done with the same key.
  • Randomization: The encryption is randomized. Two messages with the same plaintext will not yield the same ciphertext. This prevents attackers from knowing which ciphertext corresponds to a given plaintext.

Streaming AEAD is fast because it decrypts and authenticates the ciphertext one segment at a time. A prefix of the plaintext can therefore be obtained without spending the time needed to process the entire ciphertext.

Encryption must be done in one session. It is not possible to modify an existing ciphertext or append to it without re-encrypting the entire file.

Associated data

Streaming AEAD also allows you to provide associated data that should be authenticated but not encrypted. Encryption with associated data ensures the integrity of the associated data (meaning the data has not been tampered with), but not its secrecy (see RFC 5116).

Choosing a key type

We recommend using AES128_GCM_HKDF_1MB. In general, the following holds true:

  • AES128_GCM_HKDF_1MB (AES256_GCM_HKDF_1MB) is the faster option, and can encrypt up to 2^64 files, each up to 2^64 bytes. Keys generated by this template consume approximately 1MB of memory during encryption/decryption. If your system doesn’t have a lot of memory, consider AES128_GCM_HKDF_4KB, which consumes only approximately 4KB.
  • AES128_CTR_HMAC_SHA256_1MB (AES256_CTR_HMAC_SHA256_1MB) is a more conservative option.

Minimal security guarantees

  • CCA2 security
  • At least 80-bit authentication strength
  • The plaintext can have any length in the range 0..2^38 bytes, and associated data any length in the range 0..2^31-1 bytes.
  • Can encrypt at least 2^32 messages with a total of 2^68 bytes, so that no attack with up to 2^32 chosen plaintexts/chosen ciphertexts has success probability larger than 2^-32.
  • There are no secrecy or validity guarantees for associated data.

Example use case

See "I want to encrypt large files or data streams".