
Say, for an AES-GCM encryption, an attacker knows essentially everything except the key. This would include:

  • Plaintext
  • Ciphertext
  • IV
  • Algorithm (AES-GCM)

In this case, will the attacker gain any advantage towards learning the key?

The application: I am using Password-Based Encryption following PKCS #5 recommendations. When the user supplies a password, I want the application code to know whether the password provided was correct or incorrect. To accomplish this, I propose decrypting an IV+ciphertext with the key derived from the user-supplied password. If the decrypted data matches the expected plaintext value, then I know the user-supplied password is correct. And conversely, if it doesn't match, then the user-supplied password is incorrect.

2 Answers


AES is not vulnerable to known-plaintext attacks, and AES-GCM is no different.

GCM mode is extremely similar to CTR, or counter, mode. It functions by passing an incrementing counter through AES. The output is then used as keystream. If an attacker knows something about the plaintext, they can XOR it with the ciphertext to derive the keystream. Because the keystream is just an encrypted counter, an attacker now has plaintext-ciphertext pairs but doesn't know the key.

AES is a secure block cipher and knowledge of plaintext-ciphertext pairs is not sufficient to derive any information about the key, nor information about any other plaintext.* If GCM was used with a block cipher vulnerable to known-plaintext attacks, then it could be possible to calculate the key and then generate all future and past keystream. AES (and thus AES-GCM) is not vulnerable to this attack.

A simplified diagram from Wikipedia describing GCM mode:

[Diagram: GCM from Wikipedia]

I propose decrypting an IV+ciphertext with the key derived from the user-supplied password.

You're describing challenge-response authentication. There are many existing protocols for this. Don't roll your own solution.

* If the IV is reused with the same key then the keystreams will be the same and the attacker can eliminate it by XORing the two ciphertexts together. The result is the XOR of the two plaintexts, which is highly problematic.

forest
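The keystream-recovery argument in this answer, as an added example that is not code from the answer or the original post: using only Go's standard library, it encrypts a known plaintext under AES-GCM, XORs ciphertext and plaintext to recover the keystream, checks that the first keystream block is exactly AES_k(nonce || 0x00000002) (the first counter block GCM feeds to AES with a 96-bit nonce), and reproduces the footnote's nonce-reuse leak. The key, nonce and plaintexts are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// XorBytes returns a XOR b over len(b) bytes; b must not be longer than a.
func XorBytes(a, b []byte) []byte {
	out := make([]byte, len(b))
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func mustBlock(key []byte) cipher.Block { // raw AES; a wrong key length is a caller bug
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// RecoverKeystream is all a known-plaintext attacker learns: ciphertext XOR plaintext (XorBytes also drops the tag).
func RecoverKeystream(key, nonce, pt []byte) []byte {
	aead, _ := cipher.NewGCM(mustBlock(key)) // NewGCM only fails for a non-AES block size
	return XorBytes(aead.Seal(nil, nonce, pt, nil), pt)
}

// EncryptedCounter is AES_k(nonce || 0x00000002), the first counter block GCM feeds to AES for a
// 96-bit nonce. It equals keystream block 0: a raw AES plaintext/ciphertext pair, not the key.
func EncryptedCounter(key, nonce []byte) []byte {
	enc := make([]byte, aes.BlockSize)
	mustBlock(key).Encrypt(enc, append(append([]byte{}, nonce...), 0, 0, 0, 2))
	return enc
}

// NonceReuseLeak is the footnote's failure mode: same key and nonce means the same keystream,
// so ct1 XOR ct2 equals pt1 XOR pt2 with no key at all (pt2 must not be longer than pt1).
func NonceReuseLeak(key, nonce, pt1, pt2 []byte) []byte {
	aead, _ := cipher.NewGCM(mustBlock(key))
	return XorBytes(aead.Seal(nil, nonce, pt1, nil), aead.Seal(nil, nonce, pt2, nil)[:len(pt2)])
}

func main() { // constructed sample: AES-128 key, 96-bit nonce, and a plaintext the attacker knows
	key, nonce, pt := []byte("0123456789abcdef"), []byte("unique-nonce"), []byte("attacker knows this plaintext")
	fmt.Printf("keystream[0:16] %x\nAES_k(counter)  %x\n", RecoverKeystream(key, nonce, pt)[:16], EncryptedCounter(key, nonce))
	fmt.Printf("nonce reuse: ct1 XOR ct2 = %q\n", NonceReuseLeak(key, nonce, pt, []byte("second message")))
}
```

The two hex lines printed by main are identical, which is the whole point: what the attacker recovers is AES applied to a public counter, and turning that back into the key is the block cipher's key-recovery problem.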

This will allow recovering the key stream but not the key. There are no known practical known-plaintext key-recovery attacks on AES.

The keystream will not be useful unless you reuse the nonce (IV). Don't reuse the nonce and you are good.

Meir Maor