4

What is the point of an "online" mode for an authenticated cipher?

I understand what "online" means in this context. However, I have trouble coming up with applications that would benefit from such a feature.

Usually, the "messages" that are encrypted and authenticated are not too long and I think that this is due to people not wanting to decrypt "big messages" completely only to throw them away if the tag is finally invalid. So, at least for network protocols, it seems like a very good idea to insert authentication tags more frequently.

But this strategy makes the "online" feature of some AE implementation seem irrelevant especially since support for online modes makes the implementation more complicated.

Mike Edward Moras
sellibitze

2 Answers

3

The usefulness of online AE (locally):
Assume you wrote a program that encrypts arbitrary files. Now further assume the user wants to view a movie, encrypted with this tool. The tool can now use the online-property to stream the movie in real-time as it uses online-encryption.

The usefulness of online AE (programmatically):
Assume you want to process sensitive data. If your cipher supports online AE it can wipe the data after having written / read it and thus presents less attack surface.

The usefulness of online AE (network related):
Assume you stream a movie. You can now use the online AE feature to minimize the RAM needed (and thus give more RAM to the video decoder) and you can present the user with better loading times.

All in all:
Online-AE reduces memory usage and latency for applications.

SEJPM
2

If you want to encrypt a long message with authenticated encryption, you should split it into many small segments (e.g. 4KiB each), with each fragment having its own tag. That way you only release plaintext to the application after verifying its tag. (As usual there are some pitfalls with designing such a construction).

Such a construction works with any AEAD scheme, no need for a single pass primitive. Since releasing unauthenticated data to the application is a security risk, I strongly recommend against supporting streaming decryption for authenticated encryption, unless you implemented such a segment based high level construction.

Single pass primitives might be useful in embedded systems with very little RAM or if you only need streaming on the encrypting but not the decrypting side. For usage with a typical computer or mobile device there is little advantage to "online" authenticated encryption primitives.

CodesInChaos
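
The segment-based construction described in the answer above, as an added Go example that is not the answerer's code. It assumes AES-GCM as the AEAD and, as one way to handle the reordering and truncation pitfalls, a nonce built from a per-message prefix, the segment index and a last-segment flag. The names `NewAEAD`, `segNonce`, `Seal`, `Open` and `SegSize` are chosen here for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const SegSize = 4096 // plaintext bytes per segment (the 4 KiB from the answer)

// NewAEAD returns AES-GCM; any AEAD with a 12-byte nonce fits the construction.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// segNonce = 7-byte prefix (at least 7 bytes given) || 4-byte index || last flag.
func segNonce(prefix []byte, idx int, last bool) []byte {
	n := binary.BigEndian.AppendUint32(append([]byte{}, prefix[:7]...), uint32(idx))
	if last {
		return append(n, 1)
	}
	return append(n, 0)
}

// Seal splits msg into segments; each gets its own tag under a distinct nonce.
func Seal(a cipher.AEAD, prefix, msg []byte) (segs [][]byte) {
	for ; len(msg) > SegSize; msg = msg[SegSize:] {
		segs = append(segs, a.Seal(nil, segNonce(prefix, len(segs), false), msg[:SegSize], nil))
	}
	return append(segs, a.Seal(nil, segNonce(prefix, len(segs), true), msg, nil))
}

// Open releases a segment's plaintext only after that segment's tag verified.
func Open(a cipher.AEAD, prefix []byte, segs [][]byte, release func([]byte)) error {
	err := fmt.Errorf("empty stream") // returned as-is when there are no segments
	for i, s := range segs {
		var pt []byte
		if pt, err = a.Open(nil, segNonce(prefix, i, i == len(segs)-1), s, nil); err != nil {
			return fmt.Errorf("segment %d rejected: %w", i, err)
		}
		release(pt)
	}
	return err
}
```

The prefix must never repeat under the same key, so pick it fresh for every message and send it along with the segments. A stream cut short is only detected at the segment that should have carried the last flag, so the application still has to treat an error from `Open` as invalidating the whole message.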