AES-GCM across multiple packets

Question

I am just getting started with cryptography. After doing some research, I see that people usually advice against encryption using the same key and nonce. However if a message is too long and has to be broken up into multiple packets, how exactly does this work? Will a different key and nonce be generated for each packet with a distinct authentication tag computed for that packet? Would it be considered secure to generate a key for the entire message, but each packet will be encrypted using a different nonce, and once the entire message is encrypted, the authentication tag is computed.

Thanks in advance.

score 1 · Accepted Answer · answered Jul 29 '23 at 03:18

1

Typical AEAD (authenticated encryption with associated data) algorithms support 96-bit nonce - quite large, and a counter is good for it. So if you have different nonce for each encryption, you don't have to change the key. What's more, AES requires key expansion for computing key schedule, which is an expensive operation if done each time.

You've probably mis-interpreted "not using the same key and nonce". What it means is that each "key-nonce" pair must be unique, not both of them must be different.

answered Jul 29 '23 at 03:18

DannyNiu

9,207
2
24
57

Ah I see. Indeed, I misunderstood what is meant by "the same key and nonce". Thank you so much! – Guest123456 Jul 29 '23 at 13:22
However, rekeying is better for security, which is why it's done by AES-GCM-SIV. – samuel-lucas6 Aug 01 '23 at 19:42

AES-GCM across multiple packets

1 Answers1