by swordswinger12
3165 days ago
> you can almost always delegate that kind of interface up one layer in your application stack and pass AES-SIV chunks of messages.

Without additional precautions this approach is vulnerable to a fairly basic chunk-reordering attack, since any re-ordering of the "chunks" is a valid ciphertext. I strongly recommend against this approach.

EDIT: Unfortunately there is not really a better way to implement a streaming interface on top of a nonce-misuse-resistant encryption scheme: it's fairly easy to prove that any nonce-misuse-resistant construction must necessarily be "offline" in the sense tptacek describes.
STREAM: https://github.com/miscreant/miscreant/issues/32
CHAIN: https://github.com/miscreant/miscreant/issues/33
These schemes achieve a security definition called OAE2 (STREAM specifically achieves nOAE, which Rogaway proves equivalent to OAE2) and are robust against reordering and truncation attacks. For more information, please see the paper:
http://web.cs.ucdavis.edu/~rogaway/papers/oae.pdf
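As an added example (not code from either commenter, nor Miscreant's own implementation), here is the STREAM segment-nonce construction discussed in both posts: each segment is sealed under prefix || position || last-segment flag, so the reordering that the first post warns about, and truncation, both fail authentication. The deterministic AEAD underneath is a constructed HMAC-SHA256 stand-in so the example runs with the standard library alone; it is not real AES-SIV, and the key, prefix and segments are constructed sample values.

```python
import hmac
import hashlib

TAG_LEN = 16


def _keystream(key, tag, n):
    # Keystream derived from the tag (the "synthetic IV"): HMAC in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + tag + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _siv_tag(key, nonce, ad, pt):
    # Length-prefixed fields so (nonce, ad, pt) is encoded unambiguously.
    msg = b"tag" + len(nonce).to_bytes(2, "big") + nonce + len(ad).to_bytes(8, "big") + ad + pt
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def siv_seal(key, nonce, ad, pt):
    """Stand-in deterministic AEAD (SIV-style over HMAC-SHA256, not real AES-SIV)."""
    tag = _siv_tag(key, nonce, ad, pt)
    return tag + bytes(a ^ b for a, b in zip(pt, _keystream(key, tag, len(pt))))


def siv_open(key, nonce, ad, ct):
    tag, body = ct[:TAG_LEN], ct[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(body, _keystream(key, tag, len(body))))
    if not hmac.compare_digest(tag, _siv_tag(key, nonce, ad, pt)):
        raise ValueError("authentication failed")
    return pt


def stream_nonce(prefix, counter, last):
    # STREAM: nonce = prefix || 32-bit position || last flag. A segment therefore
    # authenticates only at its own position, and only a flagged one can end the stream.
    return prefix + counter.to_bytes(4, "big") + (b"\x01" if last else b"\x00")


def stream_seal(key, prefix, ad, segments):
    n = len(segments)
    return [siv_seal(key, stream_nonce(prefix, i, i == n - 1), ad, s) for i, s in enumerate(segments)]


def stream_open(key, prefix, ad, cts):
    # The receiver supplies position and last flag itself, so dropped or
    # reordered segments fail to authenticate instead of silently decrypting.
    n = len(cts)
    return [siv_open(key, stream_nonce(prefix, i, i == n - 1), ad, c) for i, c in enumerate(cts)]


def opens_cleanly(key, prefix, ad, cts):
    try:
        stream_open(key, prefix, ad, cts)
        return True
    except ValueError:
        return False
```

Sealing each chunk under a fixed nonce with plain `siv_seal` reproduces the first post's problem: any chunk opens at any position.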