Galois/Counter Mode (GCM)

Galois/Counter Mode (GCM) is an authenticated encryption mode that provides both confidentiality (encryption) and authenticity (integrity verification) in a single operation. It's the recommended mode for AES in modern applications.

Components

  • CTR Mode: Counter-mode encryption for confidentiality
  • GHASH: Galois field multiplication for authentication
  • Authentication Tag: Verifies ciphertext and AAD integrity

How It Works

Inputs:
- Key (128, 192, or 256 bits)
- Nonce/IV (96 bits recommended; must never repeat under the same key)
- Plaintext
- Additional Authenticated Data (AAD) - optional, unencrypted but authenticated

Outputs:
- Ciphertext (same length as plaintext)
- Authentication Tag (128 bits typically; can be truncated, which weakens forgery resistance)

Usage Example

// Encryption
ciphertext, tag = AES_GCM_Encrypt(key, nonce, plaintext, aad)

// Decryption (fails if tag doesn't verify)
plaintext = AES_GCM_Decrypt(key, nonce, ciphertext, tag, aad)

// CRITICAL: Decryption returns an error if the ciphertext, nonce, or AAD was tampered with
// Do NOT use or release any plaintext until the tag has verified!
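To make the GHASH component and the tag check concrete, here is an added example (not code from the original page) that implements GF(2^128) multiplication and GHASH in pure Python and combines them into the GCM tag, T = GHASH_H(AAD, C) xor E_K(J0). AES itself is not implemented here: H = AES_K(0^128) and E_K(J0) are taken as inputs, using the published known-answer values from the GCM specification's test case 2 (zero key, zero 96-bit IV, one zero plaintext block).

```python
import hmac

R = 0xE1 << 120  # GF(2^128) reduction constant, bit-reflected as in NIST SP 800-38D


def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) (SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # x_0 is the leftmost bit of the block
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(AAD, C): absorb zero-padded AAD and ciphertext blocks, then the length block."""
    x = 0
    for data in (aad, ct):
        for i in range(0, len(data), 16):
            block = data[i:i + 16].ljust(16, b"\x00")
            x = gf_mult(x ^ int.from_bytes(block, "big"), h)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)  # [len(A)]64 || [len(C)]64 in bits
    return gf_mult(x ^ lengths, h)


def gcm_tag(h: int, ek_j0: int, aad: bytes, ct: bytes) -> bytes:
    """T = GHASH_H(AAD, C) xor E_K(J0). H and E_K(J0) are supplied (AES not implemented here)."""
    return (ghash(h, aad, ct) ^ ek_j0).to_bytes(16, "big")


def verify_tag(h: int, ek_j0: int, aad: bytes, ct: bytes, tag: bytes) -> bool:
    """Constant-time tag check; a decryptor must not release plaintext unless this returns True."""
    return hmac.compare_digest(gcm_tag(h, ek_j0, aad, ct), tag)


# Known-answer values from the GCM specification, test case 2 (zero key, zero IV, one zero block).
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E      # AES_K(0^128)
EK_J0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A  # AES_K(IV || 0^31 || 1)
CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
TAG = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")

if __name__ == "__main__":
    print(gcm_tag(H, EK_J0, b"", CT).hex())  # ab6e47d42cec13bdf53a67b21257bddf
    print(verify_tag(H, EK_J0, b"", CT, TAG))  # True
    tampered = bytes([CT[0] ^ 0x01]) + CT[1:]  # flip one ciphertext bit: tag no longer verifies
    print(verify_tag(H, EK_J0, b"", tampered, TAG))  # False
```

Flipping a single bit of the ciphertext or of the AAD changes the GHASH output and therefore the tag, which is exactly why a GCM decryptor can reject tampered input before any plaintext is exposed.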

Advantages

  • Single pass for both encryption and authentication
  • Parallelizable (fast on modern CPUs)
  • Hardware acceleration (AES-NI for the block cipher, carry-less multiply instructions such as PCLMULQDQ for GHASH)
  • No padding required

Critical Warning: Nonce Reuse

Reusing a nonce with the same key completely breaks security: the CTR keystream repeats, so the XOR of the two plaintexts is exposed, and the GHASH key can be recovered, which allows forging tags. See GCM Nonce Reuse.

See Also