How can you determine how long the MAC for GCM must be?

Question

I want to use AES-GCM to encrypt 7 Byte data chunks.

A 16 Byte MAC seems like overkill to me and the library I'm using gives me the option to make the MAC smaller.

Are there any criteria for choosing the length of the MAC or are fewer bytes always less security?

please check this answer Ciphertext and tag size and IV transmission with AES in GCM mode The answer might give the answer to your question — kelalaka, Jan 12 '19 at 21:19
@kelalaka I seriously cannot access the Nist GCM specification, because of the government shutdown. Geez. Still looks promising, though. Will search for a mirror. — Minix, Jan 12 '19 at 21:29
@kelalaka Exactly where I ended up :) Appendix C, Table 1 seems to answer my question. Do you want to write it up as an answer? — Minix, Jan 12 '19 at 21:53

score 2 · Answer 1 · answered Jan 12 '19 at 22:26

In Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC Appendix C, Table 1 & 2 NIST gives the recommended maximum number of invocations of the decrypt function of GCM for different message lengths using a MAC of 4 and 8 Byte.

My message length of 7 Byte cipher text + 0 Byte additional authenticated data (AAD) enables me to decrypt $2^{22}$ and $2^{32}$ messages respectively, before having to change the symmetric key.

Since in my application I want to send $2^{32}$ messages before I'll have to change the key, I'll have to use 8 Bytes.

How can you determine how long the MAC for GCM must be?

1 Answers1