[cryptography] "stream MAC" - does anything like it exist?

mheyman at gmail.com mheyman at gmail.com
Mon Sep 13 14:01:59 EDT 2010


On Fri, Sep 10, 2010 at 2:06 PM,
<travis+ml-rbcryptography at subspacefield.org> wrote:
> ...something where you can spend a few bits authenticating each
>  frame of a movie, or sound sample, for example, and have some
>  probabilistic chance of detecting alteration at each frame.
>
On Sun, Sep 12, 2010 at 9:15 PM, Chris Palmer <chris at noncombatant.org> wrote:
> James A. Donald writes:
> I agree with Bellovin that truncating the MAC is of little benefit except in
> bandwidth-constrained applications --- truncating the MAC decreases its
> protective power. There may be situations in which it's a fine trade-off, of
> course.
>
I don't think full authentication tags on video or sound amount to
enough bits to care about reducing them.

Also having done some work in the past with respect to reduced
authentication (albeit per packet, not per frame),
<http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.121.9208&rep=rep1&type=pdf>,
I can tell you that while I agree that reducing authentication per
packet on video or sound doesn't hurt overall authenticity when
occasionally bad packets get through, it is very difficult to come up
with an application that can actually show benefit stemming from
reducing authentication. The 50,000 ft view is that IPsec HMAC-SHA1
costs about the same amount of processing as TCP. Almost anything else
you do with video or sound will cost orders of magnitude more. A
coworker was actually able to cobble a demo together that showed an
effect from faster authentication by sending uncompressed video over
the network to max it out. The host then did a straight copy of the
unconverted video to the graphics card. Even with the heaviest
authentication (HMAC-SHA1) the video was completely intelligible with
only the occasional stutter.
----
-Michael Heyman



More information about the cryptography mailing list