I need to send a lot of small messages that are usually between 128 bits and 256 bits long, and each message is encrypted with a separate 128 bit AES key. Therefore, to send each message with the key would require between 256 and 384 bits of data. If a message is 129 bits long, it would still take 2 AES blocks to encrypt and the message size with the key would increase to 384 bits.
Because of this, I'm thinking I can increase throughput by using AES as a stream cipher. The solution I came up with is simply to use the key to encrypt a message of all 0's with size rounded up to the nearest 128 bits, using AES and a suitable non-authenticated encryption mode like CTR. Then, take the encrypted zeroes and XOR them with the plaintext to get a same sized ciphertext. I realize each key may only be used once, because given the plaintext and ciphertext, the stream can be recovered, but this is not a problem in my situation because each key is only used once. My question is, is this method secure, and does it have any other caveats such as the plaintext attack I mentioned?
