GCMParameterSpec with tag length of 32 in Cipher

Question

For algorithm test vector evaluation, I am trying to perform an AESGCM encryption and decryption with arbitrary tag length values such as 32 bits.

When I try to initialize my cipher with such an arbitrary tag length as follows:

final Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
GCMParameterSpec parameterSpec = new GCMParameterSpec(tagLen, iv);
cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameterSpec);

I am met with this error:

java.security.InvalidAlgorithmParameterException: Unsupported TLen value; must be one of {128, 120, 112, 104, 96}

Normally, this would be a good thing, because you don't want a tag length of 32. However, for my purposes I do need this tag length.

Is there a way that I can override these restrictions to allow for arbitrary tag lengths?

Yes, use BouncyCastle. In [NIST 800-38D](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf), lengths of 128, 120, 112, 104, and 96 bits are defined for the tag, as well as short lengths of 64 and 32 bits if certain conditions are met. The SunJCE provider only supports the 5 longer lengths. BouncyCastle also allows the two short lengths. — Topaco, Jul 08 '21 at 17:55
Turns out bouncycastle is a no go, not allowed for our use unfortunately. Thanks for the suggestion though. — factor2, Jul 08 '21 at 19:04
Just a thought - AES GCM is essentially AES-CTR combined with a HMAC, so you could do both cryptographic operations and concatenate the results. — Michael Fehr, Jul 08 '21 at 21:05
Please [do not cross post](https://meta.stackexchange.com/q/64068/176060). — Maarten Bodewes, Jul 08 '21 at 22:07
@MichaelFehr+ GCM is CTR (with tweaked nonce) plus **GMAC**, which is different, is not available as a separate primitive from the Sun/Oracle/Open providers, and is not trivial to write yourself. (It is available from Bouncy, but that's already covered.) — dave_thompson_085, Jul 09 '21 at 04:41

GCMParameterSpec with tag length of 32 in Cipher

0 Answers0