AES-GCM has a limit on the length of the plaintext it encrypts: $2^{39} - 256$ bits. But is this limit per key or per (key, nonce)? That is, if I encrypt a message with the maximum length, and encrypt another message with the same key but a different nonce, will it still be secure?
Viewed 1,162 times
1 Answer
2
It is per message, i.e. per (key, nonce) pair.
The reason it exists is that GCM uses CTR mode for encryption with (normally) a 32-bit counter. That means you can only encrypt $2^{32}$ blocks, i.e. $2^{39}$ bits with AES. The 256 bits that are subtracted are due to authentication.
So you can encrypt multiple maximum-length messages securely.
otus
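The arithmetic behind the answer, carried out in code as an added example (it is not part of the question or the answer above): the per-(key, nonce) limit is derived from the 32-bit CTR counter, the GCM counter increment is modelled so the wrap-around that forces the limit is visible, and a batch of messages under one key is checked message by message, since the limit applies to each (key, nonce) pair rather than cumulatively to the key. The 96-bit-IV counter layout (IV || 0x00000001 as the first block, inc32 on the low 32 bits) follows NIST SP 800-38D; the function names and the sample nonces are this example's own.

```python
BLOCK_BITS = 128      # AES block size in bits
COUNTER_BITS = 32     # GCM counter field width: counter block = 96-bit IV || 32-bit counter
RESERVED_BLOCKS = 2   # (2^39 - 256) bits == (2^32 - 2) blocks: two counter blocks are
                      # withheld from encryption; one of them is J0, the block that is
                      # encrypted to mask the authentication tag


def max_plaintext_bits() -> int:
    """Per-(key, nonce) plaintext limit in bits: (2^32 - 2) * 128 = 2^39 - 256."""
    return (2 ** COUNTER_BITS - RESERVED_BLOCKS) * BLOCK_BITS


def max_plaintext_bytes() -> int:
    return max_plaintext_bits() // 8


def j0(iv: bytes) -> bytes:
    """Initial counter block for a 96-bit IV: IV || 0x00000001 (SP 800-38D)."""
    if len(iv) != 12:
        raise ValueError("this example only handles the 96-bit IV case")
    return iv + (1).to_bytes(4, "big")


def inc32(block: bytes) -> bytes:
    """GCM counter increment: add 1 to the low 32 bits mod 2^32; the IV part is untouched."""
    prefix, ctr = block[:12], int.from_bytes(block[12:], "big")
    return prefix + ((ctr + 1) % 2 ** COUNTER_BITS).to_bytes(4, "big")


def counter_block(iv: bytes, i: int) -> bytes:
    """Counter block that encrypts plaintext block i (1-based): inc32 applied i times to J0.
    Computed arithmetically so that i near 2^32 does not need 2^32 loop iterations."""
    return iv + ((1 + i) % 2 ** COUNTER_BITS).to_bytes(4, "big")


def check_message(plaintext_len_bytes: int) -> None:
    """Raise if a single message would exceed the per-(key, nonce) limit."""
    if plaintext_len_bytes > max_plaintext_bytes():
        raise ValueError(
            f"plaintext of {plaintext_len_bytes} bytes exceeds the AES-GCM per-message "
            f"limit of {max_plaintext_bytes()} bytes; split it and use a fresh nonce per part")


def check_batch(messages) -> list:
    """messages: iterable of (nonce, plaintext_len_bytes) to be encrypted under ONE key.
    Every message is checked on its own against the limit (per (key, nonce), not per key),
    and a nonce may not repeat under the same key. Returns the accepted lengths."""
    seen = set()
    accepted = []
    for nonce, n in messages:
        if nonce in seen:
            raise ValueError("nonce reused under the same key")
        seen.add(nonce)
        check_message(n)
        accepted.append(n)
    return accepted


if __name__ == "__main__":
    iv = bytes(12)                       # constructed all-zero IV, for illustration only
    last = max_plaintext_bits() // BLOCK_BITS
    print("limit per (key, nonce):", max_plaintext_bits(), "bits")
    print("J0:                    ", j0(iv).hex())
    print("block 1 counter:       ", counter_block(iv, 1).hex())
    print("last allowed block:    ", counter_block(iv, last).hex())      # counter 0xffffffff
    print("block 2^32 == J0:      ", counter_block(iv, 2 ** 32) == j0(iv))  # wrap-around
    # Two maximum-length messages under one key, each with its own nonce, are both fine.
    batch = [(b"nonce-000001", max_plaintext_bytes()), (b"nonce-000002", max_plaintext_bytes())]
    print("accepted:", check_batch(batch))
```

The `last allowed block` line shows where the limit sits: the counter reaches 0xffffffff on block $2^{32} - 2$, the next increment would wrap to 0, and one more would return to J0, the block already spent on the tag.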