[Cryptography] Unique nonce vs new key
Natanael
natanael.l at gmail.com
Wed Mar 10 03:22:48 EST 2021
Den ons 10 mars 2021 00:38Phillip Hallam-Baker <phill at hallambaker.com>
skrev:
> I am looking at the details of my packetizer and have come across the
> following design choice that I would like to understand a bit better.
>
> [...]
>
> I am thinking of a different approach, I generate a primary key and then
> specify a nonce to some form of KDF function from which I derive the AES
> iv/nonce and key. This means I am performing a KDF per chunk and an AES key
> setup per chunk.
>
> [...]
>
> The idea here being that in a streaming video context or the like, there
> are collections of data within the stream that are all or nothing. Either I
> have a full frame of video data I can process or I aborted part way through
> because it was stale and will simply chuck it away.
>
> I doubt that I would ever want a chunk to be more than a few hundred KB
> simply because even if I am dealing with tens of TB of data, I want to have
> integrity checking at a much more granular level. My AES authentication tag
> is not just my protection against malice, it is my extended checksum as
> well.
>
>
> Thoughts? Comments?
>
How about a streaming AEAD encryption construction, such as STREAM or CHAIN
by Rogaway, if you have a sequence of packets / chunks to both encrypt and
decrypt in order?
These work similarly to what you describe that you would need here, since
you can verify chunks of data at a time and also verify ordering of chunks.
Seems like an important property for video (and more), as in your example.
https://eprint.iacr.org/2015/189
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210310/29eb1de4/attachment.htm>
More information about the cryptography
mailing list