Score:1

Is it possible to partially decrypt an aes-gcm ciphertext?


Say that I encrypt a large file using aes-gcm and upload it somewhere. Can I then download only the first few blocks (as well as IV and tag) and decrypt them?

If not, is there another authenticated encryption that allows this?

kelalaka:
You can decrypt but no tag control! Do you want to skip the tag control? What is the need for this? Possibly like this one: [How to securely encrypt/decrypt data with a maximum chunk size?](https://crypto.stackexchange.com/q/86080/18298)

savx2:
I'd like to keep the integrity guarantee if possible. I know this is possible with, say, AES-CTR, but I would prefer authenticated encryption.

kelalaka:
Never use plaintext before the tag control!

savx2:
So I guess the answer is that this is not possible unless you chunk the file and encrypt each chunk separately?

kelalaka:
Yes, the reason for authentication is to ensure that the plaintext is not modified and is authentic. Of course, GCM authenticates the ciphertext, so that we can verify even before decryption.
Score:1

Yes, you can decrypt a single AES-GCM ciphertext partially. AES-GCM uses counter mode encryption, and you can decrypt counter mode from any specific offset, assuming you know the nonce and the method to calculate the counter values. Here is a Java implementation that takes GCM encryption and decrypts the ciphertext without verifying the tag, and here is a way to run CTR mode encryption from any offset - the remaining trick is to combine the two.

However, to maintain authenticity you would still need to pass all data through the GMAC construct. As most implementations perform both the GMAC and the decryption pass at the same time, you may therefore need to use a separate GMAC and counter mode implementation. For Java, if I remember correctly, GCM is implemented using relatively easy to split primitives within the Bouncy Castle lightweight API (specified by the classes in the org.bouncycastle package tree).

If you can design your own protocol you can indeed split your message into multiple chunks and authenticate those separately. You should however make sure that an attacker cannot duplicate, delete or shuffle these chunks. Kelalaka has already indicated one scheme on how this can be done.
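Worked example, added here and not part of the answer above (nor the Java or Bouncy Castle code it refers to): a Go program that combines the two passes the answer describes. It seals a constructed 72-byte message with the standard library's AES-GCM, decrypts only bytes 24..47 by running AES-CTR from the matching counter block, and separately recomputes the tag with its own GHASH over the whole ciphertext. The key, nonce and plaintext are constructed test data, and the function names `gfMul`, `ghash`, `partialDecrypt`, `verifyTag` and `demo` are the example's own, not a library API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// gfMul multiplies in GF(2^128) as GCM defines it (NIST SP 800-38D, Algorithm 1).
func gfMul(x, y [16]byte) [16]byte {
	xh, xl := binary.BigEndian.Uint64(x[:8]), binary.BigEndian.Uint64(x[8:])
	vh, vl := binary.BigEndian.Uint64(y[:8]), binary.BigEndian.Uint64(y[8:])
	var zh, zl uint64
	for i := 0; i < 128; i++ {
		if xh>>63 == 1 { // bit x_i, taken MSB-first
			zh, zl = zh^vh, zl^vl
		}
		xh, xl = xh<<1|xl>>63, xl<<1
		lsb := vl & 1
		vh, vl = vh>>1, vl>>1|vh<<63
		if lsb == 1 {
			vh ^= 0xe1 << 56 // reduce by x^128 + x^7 + x^2 + x + 1
		}
	}
	var z [16]byte
	binary.BigEndian.PutUint64(z[:8], zh)
	binary.BigEndian.PutUint64(z[8:], zl)
	return z
}

// ghash runs GHASH_H over every ciphertext block (no AAD here) plus the length block.
func ghash(h [16]byte, ciphertext []byte) [16]byte {
	n := len(ciphertext)
	blocks := make([]byte, (n+15)/16*16+16) // C zero-padded, then bitlen(A) || bitlen(C)
	copy(blocks, ciphertext)
	binary.BigEndian.PutUint64(blocks[len(blocks)-8:], uint64(n)*8)
	var y [16]byte
	for i := 0; i < len(blocks); i += 16 {
		subtle.XORBytes(y[:], y[:], blocks[i:i+16])
		y = gfMul(y, h)
	}
	return y
}

// partialDecrypt recovers plaintext[offset:offset+length] from just those ciphertext
// bytes. It does not check the tag; verifyTag must run over the whole ciphertext first.
func partialDecrypt(block cipher.Block, nonce, ciphertext []byte, offset, length int) []byte {
	var iv [16]byte
	copy(iv[:12], nonce)
	binary.BigEndian.PutUint32(iv[12:], uint32(offset/16)+2) // block i was keyed with nonce||(i+2)
	ctr := cipher.NewCTR(block, iv[:])                       // same keystream as GCM until the 32-bit counter wraps
	skip := make([]byte, offset%16)
	ctr.XORKeyStream(skip, skip) // discard keystream bytes before the window
	out := make([]byte, length)
	ctr.XORKeyStream(out, ciphertext[offset:offset+length])
	return out
}

// verifyTag recomputes T = GHASH_H(C) xor E_K(J0) and compares it in constant time.
func verifyTag(block cipher.Block, nonce, ciphertext, tag []byte) bool {
	var zero, h, j0, mask [16]byte
	block.Encrypt(h[:], zero[:]) // H = E_K(0^128)
	copy(j0[:12], nonce)
	j0[15] = 1 // J0 = nonce || 0x00000001 for a 96-bit nonce
	block.Encrypt(mask[:], j0[:])
	s := ghash(h, ciphertext)
	subtle.XORBytes(s[:], s[:], mask[:])
	return subtle.ConstantTimeCompare(s[:], tag) == 1
}

// demo seals three 24-byte records with the standard library's AES-GCM, decrypts only the
// second one, and checks the tag for the genuine ciphertext and for a copy with one flipped bit.
func demo() (window string, tagOK, tamperedOK bool) {
	key := []byte("0123456789abcdef") // constructed 16-byte key, not a real secret
	nonce := []byte("unique-nonce")   // constructed 12-byte nonce
	plaintext := []byte("Block 0 of a large file.Block 1 of a large file.Block 2 of a large file.")
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	sealed := gcm.Seal(nil, nonce, plaintext, nil) // ciphertext || 16-byte tag
	ciphertext, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	window = string(partialDecrypt(block, nonce, ciphertext, 24, 24))
	tagOK = verifyTag(block, nonce, ciphertext, tag)
	tampered := append([]byte(nil), ciphertext...)
	tampered[0] ^= 1 // corrupt a byte the window never reads
	tamperedOK = verifyTag(block, nonce, tampered, tag)
	return window, tagOK, tamperedOK
}

func main() {
	window, tagOK, tamperedOK := demo()
	fmt.Printf("window=%q tagOK=%v tamperedOK=%v\n", window, tagOK, tamperedOK)
}
```

The window decrypts correctly whether or not the tag matches, which is exactly why the CTR pass must not be used on its own: flipping a bit at offset 0, outside the window, leaves the window unchanged and still makes `verifyTag` fail, because GHASH covers every ciphertext byte plus the length block. If you only ever download the first few blocks, the tag still cannot be checked without the rest of the file, which is the reason the comments above suggest chunking and authenticating each chunk separately.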
