Added AES-SIV cipher

cipher.go

@@ -28,6 +28,9 @@ var aeadList = map[string]struct {
 	"aes-192-gcm-16":         {24, sscipher.AESGCM16},
 	"aes-256-gcm-16":         {32, sscipher.AESGCM16},
 	"chacha20-ietf-poly1305": {32, sscipher.Chacha20IETFPoly1305},
+	"aes-siv-256":            {32, sscipher.AESSIV},
+	"aes-siv-384":            {48, sscipher.AESSIV},
+	"aes-siv-512":            {64, sscipher.AESSIV},
 }
 
 // List of stream ciphers: key size in bytes and constructor

cipher/aead.go

@@ -4,6 +4,8 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 
+	"github.com/jacobsa/crypto/siv"
+
 	"golang.org/x/crypto/chacha20poly1305"
 )
 
@@ -27,3 +29,25 @@ func AESGCM(key []byte) (cipher.AEAD, error) { return aesGCM(key, 0) }
 func AESGCM16(key []byte) (cipher.AEAD, error) { return aesGCM(key, 16) }
 
 func Chacha20IETFPoly1305(key []byte) (cipher.AEAD, error) { return chacha20poly1305.New(key) }
+
+type aesSIV []byte
+
+func (key aesSIV) NonceSize() int { return 16 }
+func (key aesSIV) Overhead() int  { return 16 }
+func (key aesSIV) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+	b := make([]byte, key.Overhead()+len(plaintext))
+	_, err := siv.Encrypt(b[:0], key, plaintext, [][]byte{additionalData, nonce})
+	if err != nil {
+		panic(err)
+	}
+	copy(dst[:len(b)], b)
+	return dst[:len(b)]
+}
+func (key aesSIV) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	b, err := siv.Decrypt(key, ciphertext, [][]byte{additionalData, nonce})
+	copy(dst[:len(b)], b)
+	return dst[:len(b)], err
+}
+
+// AES-SIV mode. Key size must be 32/48/64 bytes.
+func AESSIV(key []byte) (cipher.AEAD, error) { return aesSIV(key), nil }