Encrypting multiple small messages with a single reused symmetric key

Question

What is a good way of doing this? Practical and Secure.

This is for a browser environment.

For example, let's say there are a few 100 independent messages of about 100 characters each that you want to send to the server independently and in an arbitrary order and you want to encrypt them with the same key before they are sent to the server because you don't want the server to have the contents of the messages. The next day the server may return some of those messages and the user should be able to decrypt them in the browser with the same key.

How would you do this?

What encryption scheme and what block cypher? Why? What library is recommended?

NOTES:

1. This is in addition to HTTPS not instead of it.
2. The user does trust the server to send a trustworthy encryption function and use it.

Answer 1

You can use any authenticated, secure cipher. AES-GCM is currently used a lot. You need a nonce per message to use AES-GCM or you can use one of the SIV variants, which calculate a nonce (Synthetic IV) assuming that the messages are all distinct.

The question is more how to store the symmetric key than anything else, but that's not really a cryptography question - it's more about browser security and offline storage and such. Deriving a key from a passphrase might be a good idea, but note that you need a good key derivation mechanism in addition to a strong passphrase.

Often it makes sense to use asymmetric cryptography so that you don't need the private key during encryption. Keeping the key secure is the main issue with cryptography after all. In that case the passphrase could be used to wrap / unwrap (encrypt / decrypt) a private key value. Unfortunately you'd need local storage to store the wrapped private key - and this might be an issue in itself.