[MLS] Proposal: Change AES-GCM to AES-SIV

Dennis Jackson <dennis.jackson@cs.ox.ac.uk> Wed, 26 September 2018 21:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/gvszahIKpQ5CYJG-ARwi9MGURGo>

Proposal: Change AES-GCM to AES-SIV

Rationale:

AES-GCM requires a unique nonce for every message, otherwise it
fails catastrophically by directly leaking the authentication key
and consequently provides no resistance to active attacks on
confidentiality.

AES-SIV is a drop-in replacement for AES-GCM which significantly
mitigates the impact of repeated nonces. For a message pair with
repeated nonces the attacker only learns if the two plaintexts were
equal. There is no other loss of confidentiality or authenticity. This
is provably the minimum leakage possible in the event of a repeated
nonce.

Handling nonces is a tricky part of any implementation and easy to get
wrong in the presence of state loss or concurrency. Failures
in nonce generation are both catastrophic and subtle. Richard Barnes
has already improved the specification by moving from explicit to
implicit nonces which can aid the discovery of faulty implementations.
However, implicit nonces are not a silver bullet and recent papers have
uncovered serious nonce reuse issues in both TLS [1] and WPA [2]. 

+ AES-SIV significantly mitigates the impact of nonce reuse
+ AES-SIV is a drop-in replacement with the same interface as AES-GCM
+ AES-SIV makes use of the same hardware support as AES-GCM
+ AES-SIV has a proof of security [3] and is described in RFC 5297 [4]
* AES-SIV has reasonable (but not extensive) library support (including
  OpenSSL, BoringSSL, Intel IPP)
* Despite being over 10 years old, AES-SIV has not seen widespread
  deployment
* AES-SIV encryption is ~70% of the speed of AES-GCM encryption
  (decryption is the same speed as AES-GCM)

References: 

[1] https://www.usenix.org/system/files/conference/woot16/woot16-paper-bock.pdf

[2] https://www.krackattacks.com/

[3] http://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf

[4] https://datatracker.ietf.org/doc/rfc5297/