AEAD encryption (again!?)

[jcmfernandes]

Hi! I know I'm not the first bringing this up, but almost 6 years have passed since that thread was created. What's the case against AES-GCM at this point? I wrote a PoC and a simple benchmark (it's in the PR), and the results on my Ryzen 5900X reveal a significant performance improvement:

Warming up --------------------------------------
          v1 encrypt     2.991k i/100ms
          v2 encrypt     3.756k i/100ms
Calculating -------------------------------------
          v1 encrypt     29.661k (± 1.6%) i/s -    149.550k in   5.043342s
          v2 encrypt     37.928k (± 1.7%) i/s -    191.556k in   5.052004s

Comparison:
          v2 encrypt:    37927.9 i/s
          v1 encrypt:    29660.9 i/s - 1.28x  slower

Warming up --------------------------------------
          v1 decrypt     2.999k i/100ms
          v2 decrypt     4.857k i/100ms
Calculating -------------------------------------
          v1 decrypt     31.843k (± 0.9%) i/s -    161.946k in   5.086207s
          v2 decrypt     50.303k (± 3.1%) i/s -    252.564k in   5.025839s

Comparison:
          v2 decrypt:    50302.8 i/s
          v1 decrypt:    31842.9 i/s - 1.58x  slower

Warming up --------------------------------------
 v1 decrypt tampered    10.339k i/100ms
 v2 decrypt tampered    24.053k i/100ms
Calculating -------------------------------------
 v1 decrypt tampered    103.586k (± 0.6%) i/s -    527.289k in   5.090543s
 v2 decrypt tampered    240.950k (± 0.4%) i/s -      1.227M in   5.091206s

Comparison:
 v2 decrypt tampered:   240949.6 i/s
 v1 decrypt tampered:   103585.8 i/s - 2.33x  slower

I tried tampering with the version, IV, salt, ciphertext, and authentication tag, and got similar results. I.e., it's still faster to attempt to decrypt the ciphertext than to HMAC the message.

Is there interest in a new encryption envelope? I know that this is a highly sensitive part of this library.