[PoC/RFC] Add SIV

[sjaeckel]

Checklist

• documentation is added or updated
• tests are added or updated

This is a PoC/RFC for adding the enc+auth mode RFC5297 SIV - Synthetic Initialization Vector.

Feel free to tear it apart, improvements on the API welcome.

I had to decide how to process the AD's

1. incremental
2. by passing a vararg
3. by passing an array of pointers

1 wasn't really an option AFAIU the RFC
whether 2 or 3 I was like ¯\_(ツ)_/¯ so I went for 3

I didn't really look if it would make sense to have the context exposed so we could split the processing up in init()->add_ad()->{en,de}crypt()->done()

[karel-m]

Does this enable implementation of AES-GCM-SIV?

https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-06

[sjaeckel]

I haven't looked at that draft yet but this PR implements the "predecessor"

[sjaeckel]

I've read a bit through the ML and I think we should wait until the RFC is finished to prevent something like #256.

[sjaeckel]

Okay I played a bit with the implementation and I'm going to add an incremental add_AD() function.

Also there should be a siv_memory() function which has to support multiple AD's in one function call. I think I'll go the varargs way for that as it's already used as a pattern in the library whereas the array of pointers isn't. Any better ideas?

[karel-m]

Just FYI - there is a bunch of AES-GCM-SIV test vectors in wycheproof test suite (look for aes_gcm_siv_test.json).

[sjaeckel]

ust FYI - there is a bunch of AES-GCM-SIV test vectors in wycheproof test suite

thanks, but they don't help me now as this is only AES-SIV :)

I found those:
https://github.com/randombit/botan/blob/master/src/tests/data/aead/siv.vec
https://github.com/cryptomator/siv-mode/blob/master/src/test/resources/testcases.txt (attention, the file has 17mb ... you probably shouldn't click on the link ;) )

and I planned to hand-pick some of the cryptomator/siv-mode

[karel-m]

Now exists as RFC8452 (April 2019):

• AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
• https://tools.ietf.org/html/rfc8452

[levitte]

Also there should be a siv_memory() function which has to support multiple AD's in one function call. I think I'll go the varargs way for that as it's already used as a pattern in the library whereas the array of pointers isn't. Any better ideas?

That would essentially be siv_memory_multi() no?

This PR looks interesting, but needs some love... or is it abandoned?

[sjaeckel]

This PR looks interesting, but needs some love... or is it abandoned?

Absolutely not abandoned, it just needs some love.

[sjaeckel]

My idea was to refactor what exists into a similar API to what we usually provide as XYZ_memory_multi(), maybe in the style of crypt_fsa().

I would not split it up into an iterative/incremental API.

What do you think? Do you have a better idea?