AES GCM: BouncyCastle vs. C# AesGCM (BCryptDecrypt) - nonces uneven (longer) of the recommended 12 bytes #585
-
Hello, this is more of a "how to do?" question when using AES GCM with nonces (IV) larger than 12 bytes. I want to implement an AES GCM implementation in C# with Windows basics which also accepts those nonces. Microsoft is blocking all nonces which are unequal to 12 bytes (longer or shorter). So I checked BouncyCastle's C# implementation and it works flawlessly. I checked BouncyCastle and came to this piece of code:
Which is EXACTLY what I want and which compacts the nonce if longer than 12 bytes to - 16 bytes..... :-( I have implemented the same functions as above and get the same J0 value as BouncyCastle does - but it is still 16 bytes. How do I compact the 16 bytes down to 12 bytes? I have debugged for several days but did not find the final function where the nonce/J0 is used.....
Replies: 2 comments 2 replies
-
Unfortunately it's not possible to convert a non-96-bit nonce to a 96-bit one externally. The nonce is used to derive the 128-bit value J0 and there is no way to initialize GCM directly with a J0 value (except in the trivial case where the final 32 bits of J0 happen to == 1).
-
Thanks Peter. So as long as I can't send the C# API a nonce unequal to 12 bytes to let it set the internal J0, or set the J0 directly, I have no way to get this working? Do I understand this correctly?
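The J0 derivation the reply above refers to, written out as an added example following NIST SP 800-38D (this is not code from the thread, from BouncyCastle, or from .NET). The class and method names are hypothetical, and the all-zero key and counting-byte nonces are constructed demo values.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class GcmJ0Demo
{
    // Multiplication in GF(2^128) with GCM's bit order (SP 800-38D, Algorithm 1).
    static byte[] GfMul(byte[] x, byte[] y)
    {
        byte[] z = new byte[16], v = (byte[])y.Clone();
        for (int i = 0; i < 128; i++)
        {
            if ((x[i >> 3] & (0x80 >> (i & 7))) != 0)          // bit i of x, MSB first
                for (int j = 0; j < 16; j++) z[j] ^= v[j];
            bool carry = (v[15] & 1) != 0;
            for (int j = 15; j > 0; j--) v[j] = (byte)((v[j] >> 1) | (v[j - 1] << 7));
            v[0] >>= 1;
            if (carry) v[0] ^= 0xE1;                           // R = 11100001 || 0^120
        }
        return z;
    }

    // J0 as defined in SP 800-38D, section 7.1, step 2.
    static byte[] DeriveJ0(byte[] key, byte[] iv)
    {
        if (iv.Length == 12)                                   // 96-bit IV: IV || 0^31 || 1
            return iv.Concat(new byte[] { 0, 0, 0, 1 }).ToArray();
        using var aes = Aes.Create();
        aes.Key = key; aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.None;
        using var enc = aes.CreateEncryptor();
        byte[] h = enc.TransformFinalBlock(new byte[16], 0, 16); // hash subkey H = AES_K(0^128)
        // GHASH input: IV zero-padded to a block boundary, then 0^64 || [bit length of IV]_64.
        var data = new byte[(iv.Length + 15) / 16 * 16 + 16];
        Array.Copy(iv, data, iv.Length);
        ulong bits = (ulong)iv.Length * 8;
        for (int i = 0; i < 8; i++) data[data.Length - 1 - i] = (byte)(bits >> (8 * i));
        var y = new byte[16];
        for (int off = 0; off < data.Length; off += 16)
        {
            for (int j = 0; j < 16; j++) y[j] ^= data[off + j];
            y = GfMul(y, h);
        }
        return y;
    }

    static void Main()
    {
        foreach (int n in new[] { 12, 16 })                    // constructed nonces 01 02 03 ...
        {
            byte[] j0 = DeriveJ0(new byte[16], Enumerable.Range(1, n).Select(b => (byte)b).ToArray());
            Console.WriteLine($"{n}-byte nonce: J0 = {BitConverter.ToString(j0)}, ends in 00-00-00-01: " + j0.Skip(12).SequenceEqual(new byte[] { 0, 0, 0, 1 }));
        }
    }
}
```

For a nonce that is not 12 bytes, J0 is a GHASH output that depends on the key, so its last four bytes equal 00 00 00 01 only by chance. Only in that case would a 12-byte nonce (the first 12 bytes of J0) produce the same J0.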