tarcieri
commented
4 years ago RFC 5297 Section 6.1 lists P_MAX (maximum size of a plaintext message) at 2^132 octets.
That doesn't seem like a good data volume limit for AES-CMAC-SIV or AES-PMAC-SIV, however. At the very least, their data volumes shouldn't exceed the birthday bound of AES, which is 2^64 AES blocks, or approximately 295 exabytes.
What's the best practice for reusing an encryption key? After how many messages/GiBs it's recommended to rotate the encryption key?