5

For algorithm test vector evaluation, I am trying to perform an AES in GCM mode for encryption and decryption with arbitrary tag length values such as 32 bits.

When I try to initialize my cipher with such an arbitrary tag length as follows:

```java
final Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
GCMParameterSpec parameterSpec = new GCMParameterSpec(tagLen, iv);
cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameterSpec);
```

I am met with this error:

```
java.security.InvalidAlgorithmParameterException: Unsupported TLen value; must be one of {128, 120, 112, 104, 96}
```

Normally, this would be a good thing, because you don't want a tag length of 32. However, for my purposes I do need this tag length.

Is there a way that I can override these restrictions to allow for arbitrary tag lengths?

Maarten Bodewes
factor2
  • It is generally a bad idea to use short tag lengths with GCM; in addition to the obvious weakness of someone being able to generate a forgery with probability $2^{-32}$, if someone were to find a forgery to a nonce used to encrypt a message, they can use that to generate other forgeries. This is specific to GCM (and similar algorithms, such as (I believe) Poly1305). Is there a reason you can't use (say) HMAC or CMAC, which doesn't have this caveat? – poncho Jul 08 '21 at 18:01
  • 100% agreed, which is why I put this in the question: "Normally, this would be a good thing, because you don't want a tag length of 32. However, for my purposes I do need this tag length.". Since these are test vectors, I need to make sure that I use libraries that test the proper backends, in this case JCE. I need to specifically test the AESGCM algorithm for this library. – factor2 Jul 08 '21 at 18:08
  • A bit technical, however, a dupe of this: [What are the constraints on using GCM with a tag size of 96 and 128 bits?](https://crypto.stackexchange.com/q/27374/18298). Message size and the number of messages are important to decide. You need to edit the library or find one to achieve 32-bit tag length (that is off-topic here). – kelalaka Jul 08 '21 at 19:56
  • @poncho missing "AES/HMAC/NoPadding" – Sam Ginrich Jul 13 '22 at 18:31

1 Answer

3

The Bouncy Castle library was created to support many algorithms in software, with the caveat that it lets you shoot yourself in the foot if you really want to.

I can run the above code with tag size 32 without issue:

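```java
import java.nio.charset.StandardCharsets;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Register Bouncy Castle so it can be requested by name ("BC").
Security.addProvider(new BouncyCastleProvider());

SecretKeySpec secretKey = new SecretKeySpec(new byte[16], "AES");

final Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
// 32-bit tag, all-zero 16-byte IV
GCMParameterSpec parameterSpec = new GCMParameterSpec(32, new byte[16]);
cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameterSpec);
// Encrypt in one call so that no output from update() is discarded.
byte[] ct = cipher.doFinal("Maarten did it".getBytes(StandardCharsets.UTF_8));
```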

Note that the error can be seen e.g. here. As you can see that is the internal implementation of AES/GCM in the provider, not e.g. Cipher. You may have found that out by looking at the full stacktrace...

Maarten Bodewes
  • `shoot yourself in the foot` :) – kelalaka Jul 08 '21 at 21:34
  • Well, the NIST recommendation for GCM does allow for a 32-bit MAC under some circumstances. If one follows the guidelines for short tags described in that document, I don't see why one couldn't use it. – Lucio Paiva Apr 17 '22 at 15:50
  • In case the authentication tag accumulates several input blocks, there might be a valid discussion on how to choose its length dependent on the input length. – Sam Ginrich Jul 11 '22 at 16:25
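
The round trip below is an added example, not code from the question or the answer: it checks that the default provider refuses the 32-bit tag while the `BC` provider accepts it, splits the output into ciphertext and tag for comparison against a test vector, and confirms that a modified tag is rejected on decryption. The class name `ShortTagGcmCheck`, the helper `gcm`, and the key, IV, AAD and plaintext values are constructed for illustration; it assumes the Bouncy Castle provider jar is on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class ShortTagGcmCheck {  // hypothetical class name
    // AES-GCM via the named provider (null = JVM default); output is ciphertext || tag.
    static byte[] gcm(int mode, String provider, byte[] key, byte[] iv, int tagBits,
                      byte[] aad, byte[] input) throws Exception {
        Cipher c = provider == null ? Cipher.getInstance("AES/GCM/NoPadding")
                                    : Cipher.getInstance("AES/GCM/NoPadding", provider);
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(tagBits, iv));
        c.updateAAD(aad);
        return c.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Constructed sample inputs, not taken from a published vector file.
        byte[] key = new byte[16], iv = new byte[12], aad = {1, 2, 3};
        byte[] pt = "sample plaintext".getBytes(StandardCharsets.UTF_8);
        int tagBits = 32;
        try {  // the default provider is expected to refuse, as in the question
            gcm(Cipher.ENCRYPT_MODE, null, key, iv, tagBits, aad, pt);
            System.out.println("default provider accepted tagBits=" + tagBits);
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("default provider rejected: " + e.getMessage());
        }

        byte[] out = gcm(Cipher.ENCRYPT_MODE, "BC", key, iv, tagBits, aad, pt);
        byte[] ct = Arrays.copyOfRange(out, 0, out.length - tagBits / 8);
        byte[] tag = Arrays.copyOfRange(out, ct.length, out.length);
        System.out.println("ct bytes=" + ct.length + ", tag bytes=" + tag.length);
        byte[] back = gcm(Cipher.DECRYPT_MODE, "BC", key, iv, tagBits, aad, out);
        System.out.println("round trip ok: " + Arrays.equals(pt, back));

        out[out.length - 1] ^= 0x01;  // flip one tag bit; decryption must now fail
        try {
            gcm(Cipher.DECRYPT_MODE, "BC", key, iv, tagBits, aad, out);
            System.out.println("modified tag accepted");
        } catch (BadPaddingException e) {
            System.out.println("modified tag rejected");
        }
    }
}
```

For vector evaluation, replace the constructed inputs with the vector's key, IV, AAD and plaintext, and compare `ct` and `tag` with the expected values.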