AES GCM : is it acceptable to return the wrong plaintext if the tag is incorrect?

Answer by eckes for AES GCM : is it acceptable to return the wrong plaintext...

April 15, 2021, 1:54 am

Just an additional point of information from the field. The NIST spec is strict in not allowing this, and it has good properties if an API does not do this. For example it protects against naive usage...

View Article

Answer by Gilles 'SO- stop being evil' for AES GCM : is it acceptable to...

April 13, 2021, 2:29 pm

There are several reasons for an authenticated decryption (with AES-GCM or any other AE or AEAD mechanism) not to return any plaintext if the ciphertext is not authentic (i.e if the tag does not...

View Article

Answer by fgrieu for AES GCM : is it acceptable to return the wrong plaintext...

April 14, 2021, 2:46 am

Is it acceptable to return the wrong plaintext if the tag is incorrect?No. For one, it's against the spec quoted in question.How bad is it to return the wrong plaintext anyway?It's bad at least because...

View Article

Answer by kelalaka for AES GCM : is it acceptable to return the wrong...

April 13, 2021, 3:58 pm

There is an article* that answers the question in the negative for GCM and CCM. The article introduces the first formalization of the Releasing Unverified Plaintext (RUP) setting. The related security...

View Article

Answer by poncho for AES GCM : is it acceptable to return the wrong plaintext...

April 13, 2021, 6:16 am

how can we prevent the cipher from being returned in case the tag is wrong ? As far as I understand, to compute the tag the decryption process must be done entirely.Actually, GCM decryption can be done...

View Article

AES GCM : is it acceptable to return the wrong plaintext if the tag is...

April 15, 2021, 1:54 am

Let's start by saying I'm no cryptography expert, I'm just a developer, so feel free to correct me (using words, not downvotes) if what I'm saying is non-sense.Context: I'm doing some crypto as a...

View Article