Is it normal that cypertext size can be smaller than IV when using AES-256-GCM?

sunknudsen

10/26/23, 10:10 AM

I noticed that when using AES-256-CBC with a 128-bit IV, the ciphertext is always at least 16 bytes long (size of IV).

I also noticed that when using AES-256-GCM with a 96-bit IV, the ciphertext size can be smaller than the IV.

Normal? Why?

174

1 + 0

aes

cbc

padding

gcm

Score:4

Crypto

kelalaka

10/26/23, 10:15 AM

I noticed that when using AES-256-CBC with a 128-bit IV, the ciphertext is always at least 16 bytes long.

AES-256-CBC uses PKCS#7 padding means that one can have at most 16 extra bytes.

Usually one sees IV|ciphertext where ciphertext is the encryption of the padding block.

I also noticed that when using AES-256-GCM with a 96-bit IV, the ciphertext can be smaller than 12 bytes long.

AES-GCM uses CTR mode that doesn't require padding so the ciphertext is always equal to plaintext size.

Usually one sees IV|ciphertext|tag where the default tag is 16 bytes.

This is strange and really depends on the output of the software library.

Is it normal that cyphertext size can be smaller than IV when using AES-256-GCM?

If we only talking about the ciphertext, in CTR mode it is always equal to the plaintext size.

Semantically, however, the IV is part of the ciphertext since without it one cannot decrypt the ciphertexts completely - CBC lost only the first block whereas CTR lost all.

+ 3

sunknudsen

10/26/23, 10:20 AM

“PKCS#7 padding” vs “CTR mode”… got it! Btw, I was referring to ciphertext as only the ciphertext version of plain text (not taking into consideration size of IV or auth tag).

kelalaka

10/26/23, 10:22 AM

I see, it should be #7 since #5 was only designed for 8-byte block sizes, though in Java they are the same and #7 enables for up to 256-byte block sizes.

dave_thompson_085

10/27/23, 12:35 AM

kelalaka: padding in original PKCS5 was only for 8-byte block, and PKCS7/CMS generalized it, but PKCS5v2.1 (in 2017) added AES and backported the CMS padding, so now both can properly be called by either name. I usually just say 'PKCS5/7 padding' (and ignore the differences between PKCS7 and CMS). We might also call it PKCS12 because 12 = 5 + 7, but, well, no, just no.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is it normal that cypertext size can be smaller than IV when using AES-256-GCM?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.