Tony Arcieri edited this page Dec 21, 2017 · 6 revisions

STREAM is a construction which, when combined with AES-SIV or AES-PMAC-SIV, provides online/streaming authenticated encryption and defends against reordering and truncation attacks.

The algorithm was designed by cryptographer Phil Rogaway and is described in the paper Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance in which it is formally proven to have the properties of a nonce-based online authenticated encryption (nOAE) construction (see Section 7, p. 18).

Diagram

STREAM Diagram

Design

The STREAM design used in Miscreant has the following properties:

  • KDF is not mandatory: raw Ek is used for encryption. Using a KDF to derive a unique key per STREAM is still strongly encouraged
  • Nonce encoding is nonce_prefix || ctr || last_block where:
    • nonce_prefix: 8-byte (64-bit) fixed prefix
    • ctr: 32-bit big endian counter value
    • last_block: 1-byte flag indicating if this is the last block (0x00 if false, 0x01 if true)
  • Associated data is per-message (as suggested in the IACR version of the paper)
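As an added example (not Miscreant's own code), the following Python sketch applies the nonce encoding above to a constructed stand-in AEAD built from HMAC-SHA256 (assumed here in place of AES-SIV, and not a real replacement for it) and shows why a reordered segment fails authentication and why a truncated stream is detectable: the receiver never sees a segment carrying last_block = 0x01. The key, prefix, segment contents and associated data are constructed sample values.

```python
import hmac, hashlib, struct

def stream_nonce(prefix, ctr, last):
    # nonce_prefix (8 bytes) || ctr (32-bit big endian) || last_block flag (0x00 / 0x01)
    if len(prefix) != 8 or not 0 <= ctr < 2**32:
        raise ValueError("bad prefix or counter")
    return prefix + struct.pack(">I", ctr) + (b"\x01" if last else b"\x00")

# Constructed stand-in AEAD (HMAC-SHA256 keystream + 128-bit HMAC tag), NOT AES-SIV.
def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()
def _xor_ks(key, nonce, data):
    ks = b"".join(_prf(key, b"ks" + nonce + struct.pack(">I", i)) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def aead_seal(key, nonce, ad, pt):
    ct = _xor_ks(key, nonce, pt)
    return ct + _prf(key, b"tag" + nonce + struct.pack(">I", len(ad)) + ad + ct)[:16]
def aead_open(key, nonce, ad, sealed):
    ct, tag = sealed[:-16], sealed[-16:]
    if not hmac.compare_digest(tag, _prf(key, b"tag" + nonce + struct.pack(">I", len(ad)) + ad + ct)[:16]):
        raise ValueError("authentication failed")
    return _xor_ks(key, nonce, ct)

class Stream:  # one instance per direction; the counter advances on every segment
    def __init__(self, key, prefix):
        self.key, self.prefix, self.ctr, self.finished = key, prefix, 0, False
    def _next_nonce(self, last):
        if self.finished:
            raise ValueError("segment after last_block")
        nonce = stream_nonce(self.prefix, self.ctr, last)
        self.ctr, self.finished = self.ctr + 1, last
        return nonce
    def seal(self, ad, pt, last=False):
        return aead_seal(self.key, self._next_nonce(last), ad, pt)
    def open(self, ad, sealed, last=False):  # state advances first, so a failed segment cannot be retried
        return aead_open(self.key, self._next_nonce(last), ad, sealed)

def demo():  # constructed sample key, prefix and segments
    key, prefix, segs = b"k" * 32, b"\x00" * 8, [b"seg0", b"seg1", b"seg2"]
    enc, dec, trunc = (Stream(key, prefix) for _ in range(3))
    sealed = [enc.seal(b"hdr", s, last=(i == 2)) for i, s in enumerate(segs)]
    in_order = [dec.open(b"hdr", c, last=(i == 2)) for i, c in enumerate(sealed)] == segs
    try:  # reordering: segment 1 delivered in position 0, so ctr in the nonce mismatches and the tag fails
        Stream(key, prefix).open(b"hdr", sealed[1])
        reordered_ok = True
    except ValueError:
        reordered_ok = False
    for c in sealed[:2]:  # truncation: the stream ends before any segment carried last_block = 0x01
        trunc.open(b"hdr", c)
    return in_order, reordered_ok, trunc.finished  # (True, False, False)
```

A real deployment would plug AES-SIV or AES-PMAC-SIV into the `aead_seal`/`aead_open` slots and, as the page recommends, derive a fresh key per STREAM with a KDF.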