Apologies, I couldn’t find a direct way to report documentation bugs.
The documentation for the AEAD primitive states for AES-GCM-SIV:
AES128_GCM_SIV is nearly as fast as AES128_GCM, with very good bounds for a large amount of messages
This (“a large amount of messages”) is only true in the MRAE security game, not in the normal nonce-based AEAD security game. AES-GCM-SIV has a 96-bit nonce, and so has the same bounds as AES-GCM regarding number of messages that can be encrypted before nonce reuse becomes likely. In the face of nonce-reuse, AES-GCM-SIV doesn’t achieve IND-CPA security, so doesn’t meet the security goals of the Aead interface in Tink. See this SE question and answer for some more details: https://crypto.stackexchange.com/questions/102334/beyond-birthday-bound-security-in-aes-gcm-siv
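As an added illustration of the two points in the report (not part of the issue, of Tink, or of its documentation), the script below computes the random-nonce collision bound that a 96-bit nonce imposes on both modes, and then shows what each mode leaks once a nonce does repeat. It uses pyca/cryptography: `AESGCM` is long-standing, while `AESGCMSIV` exists only in cryptography 42+ built against OpenSSL 3.2+, so that part returns None where the class or backend is missing. The key, nonce and messages are constructed test values.

```python
"""Added example: why a 96-bit nonce caps AES-GCM-SIV at the same message count
as AES-GCM under random nonces, and what each mode leaks once a nonce repeats.

Uses pyca/cryptography.  AESGCMSIV needs cryptography >= 42 on OpenSSL >= 3.2;
the SIV demonstration returns None where it is unavailable."""
import math

from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV
except ImportError:  # older cryptography without AES-GCM-SIV bindings
    AESGCMSIV = None

NONCE_BITS = 96  # AES-GCM (SP 800-38D) and AES-GCM-SIV (RFC 8452) both use 96-bit nonces

# Constructed test values, not real key material.
KEY = bytes(range(16))
NONCE = bytes(12)
M0 = b"transfer 10 USD to alice"
M1 = b"transfer 99 USD to bobby"  # same length as M0


def collision_probability(q: int, bits: int = NONCE_BITS) -> float:
    """P[some nonce repeats] among q uniformly random bits-bit nonces.

    Birthday approximation 1 - exp(-q(q-1) / 2^(bits+1)); accurate to many
    digits as long as q is far below 2^bits, which holds for any usable q.
    The nonce size is the only input, so AES-GCM and AES-GCM-SIV get the same bound.
    """
    n = 2.0 ** bits
    return -math.expm1(-q * (q - 1) / (2.0 * n))


def max_messages(p_max: float, bits: int = NONCE_BITS) -> int:
    """Largest q with collision_probability(q, bits) <= p_max (slightly conservative inverse)."""
    n = 2.0 ** bits
    return int(math.sqrt(-2.0 * n * math.log1p(-p_max)))


def _xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def gcm_nonce_reuse_leak(key: bytes, nonce: bytes, m0: bytes, m1: bytes) -> bytes:
    """AES-GCM under nonce reuse: same key and nonce give the same CTR keystream, so the
    XOR of the two ciphertext bodies (tag = last 16 bytes) equals the XOR of the plaintexts.
    (Tag forgery after nonce reuse is the other half of the failure and is not shown.)"""
    aead = AESGCM(key)
    c0 = aead.encrypt(nonce, m0, b"")[:-16]
    c1 = aead.encrypt(nonce, m1, b"")[:-16]
    return _xor(c0, c1)


def siv_nonce_reuse_leak(key: bytes, nonce: bytes, m0: bytes, m1: bytes):
    """AES-GCM-SIV under nonce reuse.  Returns (repeat_is_visible, xor_leaks_plaintexts).

    The CTR keystream is derived from the tag, which depends on the plaintext, so the
    XOR of ciphertexts does not reveal the XOR of plaintexts.  But the construction is
    deterministic: encrypting m0 twice under the same (key, nonce, aad) gives identical
    ciphertexts.  MRAE permits exactly that equality leak; IND-CPA does not.
    Returns None when AESGCMSIV is not available in this build."""
    if AESGCMSIV is None:
        return None
    try:
        aead = AESGCMSIV(key)
    except UnsupportedAlgorithm:  # cryptography present, but OpenSSL < 3.2
        return None
    c0a = aead.encrypt(nonce, m0, b"")
    c0b = aead.encrypt(nonce, m0, b"")
    c1 = aead.encrypt(nonce, m1, b"")
    return c0a == c0b, _xor(c0a[:-16], c1[:-16]) == _xor(m0, m1)


if __name__ == "__main__":
    print(f"96-bit nonce, both modes: P[repeat] after 2^32 msgs = "
          f"{collision_probability(2**32):.3e}; msgs for P <= 2^-32: {max_messages(2**-32):.3e}")
    print("AES-GCM: XOR of ciphertexts == XOR of plaintexts:",
          gcm_nonce_reuse_leak(KEY, NONCE, M0, M1) == _xor(M0, M1))
    print("AES-GCM-SIV: (repeat visible, XOR leaks plaintexts):",
          siv_nonce_reuse_leak(KEY, NONCE, M0, M1))
```

The bound is the one NIST SP 800-38D applies to AES-GCM with random IVs (about 2^32 messages per key keeps the repeat probability near 2^-33), and nothing in it depends on the mode, only on the 96-bit nonce. What changes between the modes is the consequence of a repeat: AES-GCM loses confidentiality outright, AES-GCM-SIV leaks only whether two messages were identical, which is what "misuse resistant" promises and what the nonce-based IND-CPA game the Aead interface targets still counts as a loss.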
Thank you for the report. We agree that this is badly formulated, though we think it's unspecific enough that it is not simply wrong. Clearly there is a lot of room for improvement here, but we don't know if we will get to this soon unfortunately :( We will leave this open though, it really should be improved and I hope someone gets to it.