AES-GCM has a limit on the length of the plaintext it encrypts: $2^{39} - 256$ bits. But is this limit per key or per (key, nonce)? That is, if I encrypt a message with the maximum length, and encrypt another message with the same key but different nonce, will it be secure still?
Viewed 1,113 times
1 Answer (score 2)
It is per message, i.e. per (key, nonce) pair.
The reason it exists is that GCM uses CTR mode for encryption with (normally) a 32-bit counter. That means you can only encrypt $2^{32}$ blocks, i.e. $2^{39}$ bits with AES. The 256 bits that are subtracted are due to authentication.
So you can encrypt multiple maximum-length messages securely.
otus
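To make the counter argument above concrete, here is an added example (not code from the original answer or from any GCM implementation) that walks the GCM counter blocks for a 96-bit IV as pure integer arithmetic, with no AES involved. It shows where the $2^{32}$ block ceiling comes from (the 32-bit counter wraps back to $J_0$, the block whose encryption masks the tag), that the spec's limit of $2^{32} - 2$ blocks stays below that wrap, and that a second nonce restarts from a fresh $J_0$ whose high 96 bits differ, so its counter blocks never coincide with the first nonce's. It goes one step beyond the answer by adding a birthday-bound estimate for the separate per-key risk of two random 96-bit nonces colliding; the sample IV and the function names are this example's own.

```python
# Added example, not part of the original answer: GCM counter-block walk for
# 96-bit IVs plus a random-nonce birthday-bound estimate. No AES is performed;
# counter blocks are modelled as 128-bit Python integers.

BLOCK_BITS = 128
COUNTER_BITS = 32
COUNTER_MASK = (1 << COUNTER_BITS) - 1
SPEC_MAX_PLAINTEXT_BITS = 2**39 - 256  # NIST SP 800-38D, per (key, nonce) invocation


def j0(iv: bytes) -> int:
    """Pre-counter block for a 96-bit IV: IV || 0^31 || 1 (NIST SP 800-38D)."""
    if len(iv) != 12:
        raise ValueError("this example handles only 96-bit IVs")
    return (int.from_bytes(iv, "big") << COUNTER_BITS) | 1


def inc32(block: int) -> int:
    """GCM's inc32: add 1 to the low 32 bits modulo 2^32, keep the high 96 bits."""
    return (block & ~COUNTER_MASK) | ((block + 1) & COUNTER_MASK)


def counter_block(iv: bytes, i: int) -> int:
    """Counter block used for plaintext block i (1-based): inc32 applied i times to J0.

    Computed in closed form so that i near 2^32 costs nothing.
    """
    start = j0(iv)
    return (start & ~COUNTER_MASK) | ((start + i) & COUNTER_MASK)


def spec_max_blocks() -> int:
    """Largest number of full plaintext blocks the spec allows per invocation: 2^32 - 2."""
    return SPEC_MAX_PLAINTEXT_BITS // BLOCK_BITS


def blocks_until_j0_reuse(iv: bytes) -> int:
    """Smallest i >= 1 for which counter_block(iv, i) == j0(iv), i.e. the point where the
    CTR keystream would repeat the block that masks the authentication tag."""
    i = 1 << COUNTER_BITS  # the low 32 bits wrap after exactly 2^32 increments
    assert counter_block(iv, i) == j0(iv)
    return i


def counters_disjoint(iv_a: bytes, iv_b: bytes) -> bool:
    """Two distinct 96-bit IVs give counter blocks that differ in the high 96 bits,
    so their keystreams never overlap regardless of message length."""
    return (j0(iv_a) >> COUNTER_BITS) != (j0(iv_b) >> COUNTER_BITS)


def nonce_collision_probability(messages: int, nonce_bits: int = 96) -> float:
    """Birthday-bound estimate (pairs / 2^nonce_bits) that two uniformly random nonces
    used under one key coincide. This is the per-key concern, separate from the
    per-message counter limit above."""
    pairs = messages * (messages - 1) // 2
    return pairs / float(2**nonce_bits)


if __name__ == "__main__":
    # Constructed sample IVs for illustration only.
    iv_a = bytes.fromhex("cafebabefacedbaddecaf888")
    iv_b = bytes.fromhex("000102030405060708090a0b")
    print("J0            :", hex(j0(iv_a)))
    print("block 1 ctr   :", hex(counter_block(iv_a, 1)))
    print("spec max blks :", spec_max_blocks())
    print("last ctr      :", hex(counter_block(iv_a, spec_max_blocks())))
    print("J0 reused at  :", blocks_until_j0_reuse(iv_a))
    print("ivs disjoint  :", counters_disjoint(iv_a, iv_b))
    print("P[collide], 2^32 random nonces:", nonce_collision_probability(2**32))
```

The walk shows that the per-message limit is a property of the 32-bit counter inside one $J_0$: the spec stops at $2^{32} - 2$ blocks, two increments short of the counter wrapping back onto $J_0$, and a fresh nonce simply starts a fresh walk. What the walk does not cover is how the nonces themselves are chosen; with random 96-bit nonces the birthday estimate is the quantity to watch per key.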
- Actually per spec there is a soft block limit of $2^{64}$ and a hard nonce limit of $2^{32}$ (if not using 96-bit IVs), whichever comes first – Richie Frame Jan 11 '16 at 10:53
- @RichieFrame, good to know, but I guess that doesn't really change the answer? – otus Jan 11 '16 at 11:12
- @RichieFrame: What does the soft block limit mean? – Siyuan Ren Jan 11 '16 at 11:21
- @SiyuanRen the soft block limit is a recommended maximum authenticated block count with a single key, soft because it is not a strict limit. Encrypting too many blocks or generating too many authentication tags can allow recovery of the hash subkey, and thus forging of new tags. – Richie Frame Jan 11 '16 at 21:06
- @RichieFrame: What are those limits if the nonce is 96-bit? – Siyuan Ren Jan 12 '16 at 03:54
- @SiyuanRen Nonce limit is more complex, and takes into account the max message size, as well as the tag size. To keep security above $2^{64}$ do not exceed $2^{28.9}$ 96-bit nonces if you are encrypting very large data sets (GB+), and use 128-bit tags if you are processing more than 1MB of data per nonce. For other size nonces, I would not exceed $2^{9.2}$ for large data sets, that is how bad the security drops. I would also limit the blocks to $2^{48}$ per key for 96-bit nonces and $2^{40}$ for others. – Richie Frame Jan 12 '16 at 07:00