Score:2

FOR AES GCM decrypt function, Does the output(PT) depend on Tag value(T)?


According to spec, FOR GCM decrypt function input is IV, A, C, and T. As mentioned below:

5.2.2 Authenticated Decryption Function

Given the selection of an approved block cipher, key, and an associated tag length, the inputs to the authenticated decryption function are values for IV, A, C, and T, as described in Sec. 5.2.1 above. The output is one of the following:

  • the plaintext P that corresponds to the ciphertext C, or
  • a special error code, denoted FAIL in this document.

I was referring to an AES GCM reference model available online, and I saw that for decryption, to calculate the PT result, it does not consider the Tag value.

Does the output (PT) depend on Tag value (T)?

Reference Model Link: https://github.com/mko-x/SharedAES-GCM/blob/master/Sources/gcmtest.c

Score:4

In GCM, the plaintext is computed without the tag. But the decision about whether it's safe to release the plaintext depends on the tag! If the tag is not correct, you must return an error. Without the tag "guarding" the release of the plaintext, it is trivial for an attacker to modify the contents of a ciphertext.

Score:3

Does the output (PT) depend on Tag value (T)?

No it doesn't, unless you assume that returning an error is also considered output. This output is often denoted as $\bot$ in descriptions, although your reference denotes it simply as "FAIL".

In the end, the encryption used within GCM is simply counter mode encryption (CTR or SIC). The only trick is that you may need to calculate the IV for the counter mode if the nonce size is larger than 12 bytes. I've created an example decryption without verification of the tag on StackOverflow - but note that it assumes a 12 byte nonce.

If you want to have a GCM mode where the decryption is dependent on the tag you should have a look at AES-GCM-SIV mode. Here a synthetic IV (SIV) is used which doubles as authentication tag.


If you use the ciphertext before verification you are vulnerable to bit-specific changes in the resulting plaintext (the attacker can just flip the same bit in the ciphertext). This may in turn lead to plaintext oracles which could also affect confidentiality.

Decryption without direct verification still has some limited applicability. You may want to decrypt chunks of ciphertext and put the plaintext result into a temporary file, and then copy or move the temporary file to the final location once the authentication tag has been verified. If the verification returns an error the temporary file should be destroyed.
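To make the two answers above concrete, here is an added example (not from the question's reference model or either answer) using only Go's standard library: `ctrDecryptNoTag` reproduces what the reference model computes, plain CTR mode over GCM's counter blocks with the tag ignored, while `gcmOpen` is the spec's function that returns P only when T verifies and FAIL otherwise. It assumes a 12-byte nonce (as the second answer notes) and a 16-byte tag; the key and nonce in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// newGCM builds an AES-GCM AEAD; a bad key length is a programming error here.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// gcmSeal returns C || T (Go's Seal appends the 16-byte tag to the ciphertext).
func gcmSeal(key, nonce, aad, pt []byte) []byte {
	return newGCM(key).Seal(nil, nonce, pt, aad)
}

// gcmOpen is the spec's decryption function: P only if T verifies, otherwise
// FAIL (a non-nil error) and no plaintext at all.
func gcmOpen(key, nonce, aad, ctWithTag []byte) ([]byte, error) {
	return newGCM(key).Open(nil, nonce, ctWithTag, aad)
}

// ctrDecryptNoTag is what the reference model computes: plain CTR mode over the
// GCM counter blocks, never looking at T. With a 12-byte nonce, GCM uses
// J0 = nonce || 0x00000001 for the tag and starts the keystream at inc32(J0),
// so a bit flipped in C shows up as the same bit flipped in this output.
func ctrDecryptNoTag(key, nonce, ct []byte) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, errors.New("this demo assumes a 96-bit nonce")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := append(append([]byte{}, nonce...), 0, 0, 0, 2)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}
```

Feeding a ciphertext with one flipped bit to both functions shows the difference: the CTR-only path returns the plaintext with that same bit flipped, whereas `gcmOpen` returns an error and no plaintext, which is why a correct implementation must not release P before checking T.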

Minor note to readers: GCM-SIV decryption being dependent on the authentication tag does *not* mean that a message with an invalid authentication tag always yields nonsense plaintext when decrypted. Indeed, if the tag is not properly verified by the decryptor, GCM-SIV is just as [malleable](https://en.wikipedia.org/wiki/Malleability_(cryptography)) as plain old CTR mode.