Avoid AES-GCM-SIV (?)

[vbakke]

First, thank you so much for compiling this list. 😃👍 I just wish I'd found this earlier : )

(EDIT: I found the sentence "So it's important to emphasise that AES-GCM-SIV (and nonce-misuse resistant modes in general) are not a magic invulnerability shield." in the "don't" link. So I will rephrase my whole question.)

I don't find the article at ImperialViolet telling us to avoid AES-GCM-SIV. Even if it isn't such a silvery bullet as many believe. I read the article in support of AES-GCM-SIV, but with a caution note at the end.

Cpmpared to the risk of catastrophic failure of reusing an IV is almost any of the streaming / one-time-pad algorithms, such as CTR, GCM, OCB, Chacha, etc, I regard the SIV alternatives easier to use correctly. (This is a guide for non-expert cryptographers, after all.)

SIV algorithms have one other property that should be mentioned. Encrypting the same value twice will yield the same cipher. This may often be harmful, but is an added bonus when pseudonymization fields in a database. You may still be able to use encrypted values as foreign keys, even if you cannot decipher them.

[samuel-lucas6]

I'm glad you find the guidelines useful. However, there are various inaccuracies and changes I'd like to make, like switching to a pros/cons list for each algorithm rather than trying to rank them. The issue is dedicating the time to researching and then writing everything. This type of project would be better if it was community driven like MITRE ATT&CK, getting updates as the literature evolves and input from people with different experience, except nobody would be willing to do that. There's simply too much literature for one person to cover. You can't be knowledgeable about everything, and you need a work-life balance.

Now AES-GCM-SIV is a tricky one. Misuse-resistant AEADs aren't any easier to use because you should still be using a nonce. Therefore, you can probably just use a nonce-based AEAD with a large random nonce (e.g., XChaCha20-Poly1305, AEGIS-256, a transform for AES-GCM, or similar). Those are more widespread, more efficient, can be made hard to misuse by a library, and don't give you a false sense of security/encourage completely deterministic encryption. The main downside is storage overhead.

In an ideal world, we'd probably just have misuse-resistant AEADs as a precaution. However, the reality is that they're less available and often not required so people don't want to sacrifice performance.