Experimental AES-SIV cipher

[riobard]

I've added an experimental AES-SIV cipher to my Go port here riobard/go-shadowsocks2@7bcc772

This should in theory mitigate the issue of nonce reuse in SIP004 since SIV is misuse-resistant. However the performance of SIV is pretty bad, as SIV is a non-online 2-pass cipher.

Benchmarking on my machine using AES-SIV-512 results in ~1Gbps throughput measured by iperf3, compared to >4Gbps throughput using AES-256-GCM. In most cases 1Gbps is more than good enough.

[madeye]

I'm considering AES-GCM-SIV: https://tools.ietf.org/html/draft-gueron-gcmsiv-00

According to https://eprint.iacr.org/2015/102.pdf

Table 2 shows that GCM-SIV is 14% slower than AES-GCM on Haswell, and 19% slower than AES-GCM on Broadwell

Also, we have an open source implementation here:

https://github.com/Shay-Gueron/AES-GCM-SIV

[riobard]

Looks very promising! I haven't found a native Go lib supporting AES-GCM-SIV, though.

[riobard]

SIV is no longer necessary once #42 is implemented. Closing now.