This repository was archived by the owner on Feb 5, 2021. It is now read-only.

Is the STREAM construction misuse-resistant? #197


@oconnor663

My understanding from the paper is that STREAM's security notion (nOAE) requires that nonces don't repeat. Instantiating STREAM on top of AES-SIV does make nonce reuse slightly less harmful, I think.* But an attacker can do something like chunk swapping between two messages that share the same nonce, which means that authenticity is immediately lost after a single reuse. Do I have that right? Is that something worth clarifying in the docs?

* It seems like some privacy might be retained after a few nonce reuses, but the "chosen prefix, secret suffix" attack described in the same paper would work if the attacker could make a lot of queries.
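The chunk-swap property asked about above can be checked directly, because it depends only on how STREAM derives per-segment nonces and not on the underlying AEAD. The following is an added example, not code from this repository: a toy STREAM over a stand-in AEAD built from SHA-256 and HMAC (it stands in for AES-SIV and is not a real cipher), with the per-segment nonce laid out as 8-byte prefix, 32-bit big-endian counter, 1-byte last-segment flag (an assumed layout for illustration). The check encrypts two messages, splices one segment of the second into the first, and reports whether the decryptor accepts it: with a shared nonce the splice authenticates, with distinct nonces it is rejected, which is why unique nonces are a hard requirement rather than a recommendation.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 counter mode. Stand-in for a real cipher only."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", block)).digest()
        block += 1
    return out[:length]


def aead_seal(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """Toy nonce-based AEAD (encrypt-then-MAC). Returns ciphertext || tag."""
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    # Tag binds nonce, associated data (length-prefixed) and ciphertext.
    tag = hmac.new(key, nonce + struct.pack(">Q", len(ad)) + ad + ct, hashlib.sha256).digest()
    return ct + tag


def aead_open(key: bytes, nonce: bytes, ad: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Raises ValueError on failure."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(key, nonce + struct.pack(">Q", len(ad)) + ad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _segment_nonce(nonce: bytes, counter: int, last: bool) -> bytes:
    """Assumed STREAM nonce layout: prefix(8) || counter(4, BE) || last flag(1)."""
    assert len(nonce) == 8
    return nonce + struct.pack(">I", counter) + bytes([1 if last else 0])


def stream_seal(key: bytes, nonce: bytes, segments: list, ad: bytes = b"") -> list:
    """STREAM encryption: each segment sealed under its own derived nonce."""
    n = len(segments)
    return [aead_seal(key, _segment_nonce(nonce, i, i == n - 1), ad, seg)
            for i, seg in enumerate(segments)]


def stream_open(key: bytes, nonce: bytes, sealed_segments: list, ad: bytes = b"") -> list:
    """STREAM decryption; any segment failing authentication raises ValueError."""
    n = len(sealed_segments)
    return [aead_open(key, _segment_nonce(nonce, i, i == n - 1), ad, s)
            for i, s in enumerate(sealed_segments)]


def splice_result(key: bytes, nonce_a: bytes, nonce_b: bytes,
                  msg_a: list, msg_b: list, position: int):
    """Seal both messages, swap one segment of B into A's stream, and try to
    open the result under A's nonce. Returns the decrypted segments if the
    decryptor accepts the splice, or None if it is rejected."""
    ca = stream_seal(key, nonce_a, msg_a)
    cb = stream_seal(key, nonce_b, msg_b)
    spliced = list(ca)
    spliced[position] = cb[position]
    try:
        return stream_open(key, nonce_a, spliced)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs.
    key = b"\x42" * 32
    msg_a = [b"alpha-1", b"alpha-2", b"alpha-3"]
    msg_b = [b"bravo-1", b"bravo-2", b"bravo-3"]
    print("same nonce:", splice_result(key, b"\x00" * 8, b"\x00" * 8, msg_a, msg_b, 1))
    print("distinct nonces:", splice_result(key, b"\x00" * 8, b"\x01" * 8, msg_a, msg_b, 1))
```

The accepted splice with a shared nonce is exactly the loss of authenticity described in the question: nothing in the per-segment tag distinguishes the two streams once the prefix, counter and last flag coincide. A defender-side takeaway is that a test like this belongs next to any STREAM wrapper, pinning the expectation that distinct nonces reject cross-stream segments, and that documentation should state nonce uniqueness as a requirement of the construction.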
