[cryptography] "stream MAC" - does anything like it exist?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 14 12:51:35 EDT 2010


"Zooko O'Whielacronx" <zooko at zooko.com> writes:

>Also, even if you did have a setting where the CPU cost of HMAC-SHA1 was a
>significant part of your performance (at e.g. 12 cycles per byte [1]), then
>you could always switch to Poly1305 or VMAC (at e.g. 2 cycles per byte), or
>to an authenticated encryption mode (effectively zero cycles per byte?).

Uhh, when used for multimedia protection, what you've just described is known
as "naive encryption" (see "An Empirical Study of Secure MPEG Video
Transmission" by Li Gong).  You could probably fill entire conference
proceedings with methods that have been designed to get around having to
encrypt/authenticate/whatever every byte of multimedia data, including endless
analyses of how little you can get away with protecting vs. protection
overhead vs. what an attacker can do with the unprotected bits.

>So while the trade-off of giving up a little security in order to achieve
>even lower CPU costs is theoretically interesting, in practical terms you can
>get full security at a negligible CPU cost.

Given the amount of work that's gone into the former, I'd say there's more
than just a theoretical interest in it.  I'm trying to think of some overview
references for this sort of thing, perhaps the chapters "Multimedia
Encryption" and "Multimedia Authentication" in the book "Multimedia Security
Technologies for Digital Rights Management" would be a good start.

It would help if the OP could indicate how much CPU budget they had available
for encryption and/or authentication; just the two chapters referenced above
contain ~120 references for different mechanisms and tradeoffs.

Peter (who's had to plough through way too much of this stuff in the past).
