Update, Jul 26 2023: Current proposal is #54364 (comment).
AES-GCM-SIV (RFC 8452) is a nonce misuse-resistant AEAD. When a nonce is reused, AES-GCM-SIV does not immediately fail catastrophically. Instead, it only discloses whether the contents of the messages are the same. It is generally safe to replace usages of AES-GCM with AES-GCM-SIV.
I propose adding a new package called x/crypto/aesgcmsiv. The API is provided below.
```go
const (
	// NonceSize is the size in bytes of an AES-GCM-SIV nonce.
	NonceSize = 12
	// TagSize is the size in bytes of an AES-GCM-SIV
	// authentication tag.
	TagSize = 16
	// MaxPlaintextSize is the size in bytes of the largest
	// allowed plaintext.
	MaxPlaintextSize = 1 << 36
	// MaxAdditionalDataSize is the size in bytes of the largest
	// allowed additional authenticated data.
	MaxAdditionalDataSize = 1 << 36
)

// New creates an instance of AES-GCM-SIV.
// The key must be either 16 bytes for 128-bit AES-GCM-SIV or 32 bytes for
// 256-bit AES-GCM-SIV. All other lengths are an error.
func New(key []byte) (cipher.AEAD, error)
```
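The synthetic IV that gives AES-GCM-SIV its misuse resistance is produced by POLYVAL (RFC 8452, Section 3), a GHASH relative that uses little-endian field elements and an extra x^-128 factor in its multiplication. The following is an added example implementing just that universal hash from the RFC text, checked against the RFC's Appendix A vectors; it is not code from this proposal or from x/crypto, the function names polyvalDot and polyval are mine, and the key derivation, tag and CTR layers of the full AEAD are left out.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// polyvalDot computes dot(a, b) = a*b*x^-128 in POLYVAL's field GF(2^128) (RFC 8452, Section 3).
// Field elements are 128-bit little-endian integers, bit i holding the coefficient of x^i.
// The bit-serial loop divides by x after each of the 128 steps (Montgomery style), which
// both keeps the result reduced and supplies the x^-128 factor that dot() is defined with.
func polyvalDot(a, b [2]uint64) [2]uint64 {
	var r [2]uint64
	for i := 0; i < 128; i++ {
		if b[i/64]>>(i%64)&1 == 1 {
			r[0], r[1] = r[0]^a[0], r[1]^a[1]
		}
		// Divide by x. If the x^0 term is set, first add the modulus x^128+x^127+x^126+x^121+1
		// so the division is exact; 0xe1<<56 is (modulus+1)/x = x^127+x^126+x^125+x^120.
		odd := r[0] & 1 // turned into an all-ones mask below, so the reduction is branch-free
		r[0], r[1] = r[0]>>1|r[1]<<63, r[1]>>1^(0xe100000000000000&-odd)
	}
	return r
}

// polyval computes POLYVAL(H, X_1, ..., X_n) for the 16-byte key h and the 16-byte blocks
// X_1..X_n held in in (len(in) must be a multiple of 16): S_0 = 0, S_j = dot(S_{j-1} xor X_j, H).
func polyval(h, in []byte) []byte {
	hv := [2]uint64{binary.LittleEndian.Uint64(h), binary.LittleEndian.Uint64(h[8:])}
	var s [2]uint64
	for ; len(in) >= 16; in = in[16:] {
		s[0] ^= binary.LittleEndian.Uint64(in)
		s[1] ^= binary.LittleEndian.Uint64(in[8:])
		s = polyvalDot(s, hv)
	}
	out := make([]byte, 16)
	binary.LittleEndian.PutUint64(out, s[0])
	binary.LittleEndian.PutUint64(out[8:], s[1])
	return out
}

func main() {
	// H, X_1 and X_2 from RFC 8452, Appendix A.
	h, _ := hex.DecodeString("25629347589242761d31f826ba4b757b")
	x, _ := hex.DecodeString("4f4f95668c83dfb6401762bb2d01a262" + "d1a24ddd2721d006bbe45f20d3c9f362")
	fmt.Println(hex.EncodeToString(polyval(h, x))) // f7a3b47b846119fae5b7866cf5e5b77e
}
```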