Recommended AEAD algorithms

[tarcieri]

Following up from RustCrypto/meta#10, this is an issue for discussion potentially adding "recommended" badges to certain algorithms in this repo:

[tarcieri]

I'd suggest at least the following are safe to recommend:

• aes-gcm
• aes-gcm-siv
• aes-siv
• chacha20poly1305
• eax

I don't think there are any algorithms implemented in this repo we should actively recommend people avoid, however some specific thoughts on why not to recommend certain algorithms:

ccm: obsoleted by eax

I don't think we should actively recommend against CCM as it is popular in the embedded space. However I think there were a number of bad decisions made in the design of CCM which are addressed by EAX. Some of those include:

• The length of the plaintext message and AAD need to be known in advance
• AAD is MAC'd last rather than first, which together with the above issue complicates online/streaming encryption
• AES-CCM uses needlessly complex message framing with variable-length length tags

xsalsa20poly1305: obsoleted by chacha20poly1305

• The ChaCha(20) stream cipher family provides better per-round diffusion than the Salsa20 family.
• ChaCha20 is a full AEAD algorithm, whereas XSalsa20Poly1305 does not support AAD.
• ChaCha20Poly1305 is specified in RFC 8439. XSalsa20Poly1305 has no associated RFC.
• The XChaCha20Poly1305 construction provides the same extended nonce benefits as XSalsa20Poly1305.

[newpavlov]

Note that I plan to introduce generic GCM and SIV crates, making the aes variants thin wrappers around them.

[tarcieri]

The aes-gcm and aes-siv crates are already generic around a block cipher, as it were.

[newpavlov]

The idea is to publish them under gcm and siv names respectively, to make them consistent with other crates.

[tarcieri]

Sure, we can do that, although I'd probably suggest trying to tackle RustCrypto/traits#444 first as for at least the aes-gcm case it requires implementing some specific interactions between e.g. the aes and ghash crates.