Answer by eckes for AES GCM : is it acceptable to return the wrong plaintext...
Just an additional point of information from the field. The NIST spec is strict in not allowing this, and it has good properties if an API does not do this. For example it protects against naive usage...
Answer by Gilles 'SO- stop being evil' for AES GCM : is it acceptable to...
There are several reasons for an authenticated decryption (with AES-GCM or any other AE or AEAD mechanism) not to return any plaintext if the ciphertext is not authentic (i.e. if the tag does not...
Answer by fgrieu for AES GCM : is it acceptable to return the wrong plaintext...
Is it acceptable to return the wrong plaintext if the tag is incorrect? No. For one, it's against the spec quoted in the question. How bad is it to return the wrong plaintext anyway? It's bad at least because...
Answer by kelalaka for AES GCM : is it acceptable to return the wrong...
There is an article* that answers the question in the negative for GCM and CCM. The article introduces the first formalization of the Releasing Unverified Plaintext (RUP) setting. The related security...
Answer by poncho for AES GCM : is it acceptable to return the wrong plaintext...
how can we prevent the cipher from being returned in case the tag is wrong? As far as I understand, to compute the tag the decryption process must be done entirely. Actually, GCM decryption can be done...
AES GCM : is it acceptable to return the wrong plaintext if the tag is...
Let's start by saying I'm no cryptography expert, I'm just a developer, so feel free to correct me (using words, not downvotes) if what I'm saying is nonsense. Context: I'm doing some crypto as a...