Why CTR and SIV mode?

Why Cryptomator uses AES-CTR for content encryption and AES-SIV for file name encryption?

CTR mode is probably the mode with the easiest mathematical proof regarding resistance against certain attacks. At the time we started the project, it also was one of the modes with hardware acceleration. But it lacks integrity checks, so we needed HMACs to protect the content against CCAs. Today we have hardware support in Java for GCM, too. So we would probably choose this mode for its better performance regarding tag calculation. On the other hand, GCM is more complex, i.e. harder to check for flaws.

Both CTR and GCM need unique IVs. This means that for the same cleartext we would get different ciphertexts each time. This isn’t the case with SIV. We need deterministic filenames, otherwise we would break the file version history of most cloud storage providers. Thus SIV for file names.