STREAM is a construction which, when combined with AES-SIV or AES-PMAC-SIV, provides online/streaming authenticated encryption and defends against reordering and truncation attacks.
The algorithm was designed by cryptographer Phil Rogaway and is described in the paper Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance in which it is formally proven to have the properties of a nonce-based online authenticated encryption (nOAE) construction (see Section 7, p. 18).
The STREAM design used in Miscreant has the following properties:
- KDF is not mandatory: raw Ek is used for encryption. Using a KDF to derive a unique key per STREAM is still strongly encouraged
- Nonce encoding is nonce_prefix || ctr || last_block where:
  - nonce_prefix: 8-byte (64-bit) fixed prefix
  - ctr: 32-bit big endian counter value
  - last_block: 1-byte flag indicating if this is the last block (
- Associated data is per-message (as suggested in the IACR version of the paper)
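The following is an added example, not Miscreant's own code, showing how the nonce encoding above turns a per-segment AEAD into a stream that rejects dropped or reordered segments. The AEAD is a constructed SIV-style stand-in built from HMAC-SHA256 so the example runs offline (an assumption; Miscreant uses AES-SIV/AES-PMAC-SIV), and the key, prefix and segments are constructed sample values.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16

def stream_nonce(prefix: bytes, ctr: int, last: bool) -> bytes:
    """Encode nonce_prefix || ctr || last_block: 8-byte prefix, 32-bit BE counter, 1-byte flag."""
    if len(prefix) != 8:
        raise ValueError("nonce_prefix must be 8 bytes")
    if not 0 <= ctr <= 0xFFFFFFFF:
        raise ValueError("32-bit counter exhausted")
    return prefix + struct.pack(">I", ctr) + bytes([1 if last else 0])

# Stand-in SIV-style AEAD (assumption: constructed from HMAC-SHA256 so this runs offline;
# Miscreant uses AES-SIV here). The tag is a PRF over (ad, nonce, pt) and doubles as the IV.
def _xor_stream(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def siv_seal(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    tag = hmac.new(key[:16], ad + nonce + pt, hashlib.sha256).digest()[:TAG_LEN]
    return tag + _xor_stream(key[16:], tag, pt)

def siv_open(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    tag, pt = ct[:TAG_LEN], _xor_stream(key[16:], ct[:TAG_LEN], ct[TAG_LEN:])
    expected = hmac.new(key[:16], ad + nonce + pt, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return pt

def stream_seal(key: bytes, prefix: bytes, segments: list) -> list:
    """Seal (ad, plaintext) segments; the counter fixes their order, the flag marks the end."""
    n = len(segments)
    return [siv_seal(key, stream_nonce(prefix, i, i == n - 1), ad, pt)
            for i, (ad, pt) in enumerate(segments)]

def stream_open(key: bytes, prefix: bytes, segments: list) -> list:
    """Open (ad, ciphertext) segments in order. A swapped or dropped segment changes the
    nonce the receiver derives, so its tag no longer verifies and ValueError is raised."""
    n = len(segments)
    return [siv_open(key, stream_nonce(prefix, i, i == n - 1), ad, ct)
            for i, (ad, ct) in enumerate(segments)]

def demo() -> tuple:
    key, prefix = b"k" * 32, b"\x00" * 8  # constructed sample values
    msgs = [(b"hdr1", b"first"), (b"hdr2", b"second"), (b"hdr3", b"third")]
    cts = stream_seal(key, prefix, msgs)
    ok = stream_open(key, prefix, [(ad, ct) for (ad, _), ct in zip(msgs, cts)])
    def rejects(parts) -> bool:
        try:
            stream_open(key, prefix, parts)
            return False
        except ValueError:
            return True
    truncated = rejects([(b"hdr1", cts[0]), (b"hdr2", cts[1])])  # final segment dropped
    swapped = rejects([(b"hdr2", cts[1]), (b"hdr1", cts[0]), (b"hdr3", cts[2])])
    return ok, truncated, swapped
```

Truncation is caught because the receiver derives the last_block=1 nonce for whatever segment arrives last, while the sender sealed that segment with last_block=0.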