RustCrypto / AEADs

Authenticated Encryption with Associated Data Algorithms: high-level encryption ciphers

Confusing names for AES-SIV algorithms #479

Open davidv1992 opened 1 year ago

davidv1992 commented 1 year ago

The current naming scheme in the AES-SIV uses a different naming scheme for the lengths than rfc5297, naming the algorithm lengths to the number of bits of security provided rather than the key length. This is highly confusing for potential users referring to standards documents and/or the IANA registry of AEAD algorithm identifiers.

From my perspective, ideally these aeads should follow the naming convention from the rfc, but if not this should be clearly indicated in the documentation so as to avoid pitfalls for new users.

tarcieri commented 1 year ago

I assume you're referring to the names in RFC5297 Section 6, i.e. AEAD_AES_SIV_CMAC_256, AEAD_AES_SIV_CMAC_384, AEAD_AES_SIV_CMAC_512.

FWIW I have never seen any other cryptographic library use those names:

...just as a few examples.

Trying to adopt the key-size-not-security-level names would also make the naming inconsistent with the aes-gcm-siv crate. And in general, I think it would make things more confusing for users.

We can add a comment to the type declaration for each of the AEADs which provides the RFC5297 name, however I don't think it makes sense to change the actual type names.