LLMpedia: The first transparent, open encyclopedia generated by LLMs

AES-GCM

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article genealogy: parent article TLS, hop 3
AES-GCM
Name: AES-GCM
Type: Authenticated encryption
Invented by: National Institute of Standards and Technology, Dalal Malkhi?, Vincent Rijmen?
Published: 2007
Key size: 128, 192, 256 bits
Block size: 128 bits
Mode of operation: Galois/Counter Mode


AES-GCM is an authenticated encryption mode that combines the Advanced Encryption Standard block cipher with multiplication in a Galois field for authentication. It was standardized in NIST publications and is widely adopted in protocols and products from organizations such as Apple Inc., Cisco Systems, Microsoft, Google, and Amazon. AES-GCM provides confidentiality and integrity in a single operation and is commonly used in settings influenced by events such as the Heartbleed disclosure and by standards efforts following the FIPS process.

Overview

AES-GCM pairs the AES block cipher with a Galois field-based universal hash function, producing authenticated ciphertext and a tag. The mode was designed under auspices related to NIST standardization and has been integrated into protocol stacks deployed by vendors including Juniper Networks, Intel, ARM Holdings, Broadcom, and Huawei. Deployment contexts span the Transport Layer Security ecosystem used by Mozilla Foundation and Internet Engineering Task Force standards, as well as virtual private networking products from OpenVPN and WireGuard contributors. The design reflects cryptographic engineering trends originating in academic work by researchers connected to conferences like CRYPTO and EUROCRYPT.

Algorithm Specification

AES-GCM uses AES in counter mode to encrypt the plaintext under a 128-, 192- or 256-bit key and a nonce/IV, while computing an authentication tag with the GHASH function, which is defined over the Galois field GF(2^128). The specification appears in NIST publications relied upon by implementers at the OpenSSL Project, LibreSSL, BoringSSL, and firmware projects at Intel Corporation and ARM Limited. The inputs are a nonce/IV, associated data (AD), and plaintext; the outputs are the ciphertext and a fixed-length tag. GHASH uses a field element H, derived by encrypting an all-zero block with AES under the same key, and then performs polynomial evaluation over GF(2^128), similar to constructions discussed in papers at ACM and IEEE conferences. The mode's processing of AD and plaintext aligns with the canonical forms used in standards committees such as the IETF and in working groups associated with TLS.
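Worked example, added by the editor and not part of the LLMpedia article: a from-scratch AES-128-GCM in pure Python that follows the construction described above (AES in counter mode starting from J0 = IV || 0^31 || 1, H = E_K(0^128), GHASH over GF(2^128), tag = E_K(J0) XOR GHASH) and releases plaintext only after a constant-time tag check. The function names are this example's own; it supports only AES-128 with 96-bit IVs and is for study, not production use. Run as a script it prints the ciphertext and tag for the public GCM test vector with an all-zero key, IV and one-block plaintext.

```python
import hmac

# ---- AES-128 block cipher (FIPS 197), written out so every step is visible ----
def _xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _gmul(a, b):
    """General GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box: multiplicative inverse (x^254) followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv, base, e = 1, x, 254
        while e:
            if e & 1:
                inv = _gmul(inv, base)
            base, e = _gmul(base, base), e >> 1
        s = inv
        for i in range(1, 5):                       # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """AES-128 key schedule: 11 round keys, each 16 bytes in column-major order."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                               # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state index is 4*column + row."""
    rk = _expand_key(key)
    s = [block[i] ^ rk[0][i] for i in range(16)]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                         # MixColumns
            s = [_gmul(s[4 * c + r], 2) ^ _gmul(s[4 * c + (r + 1) % 4], 3)
                 ^ s[4 * c + (r + 2) % 4] ^ s[4 * c + (r + 3) % 4]
                 for c in range(4) for r in range(4)]
        s = [s[i] ^ rk[rnd][i] for i in range(16)]                          # AddRoundKey
    return bytes(s)

# ---- GCM (NIST SP 800-38D) on top of the block cipher ----
_R = 0xE1 << 120   # x^128 + x^7 + x^2 + x + 1 in GCM's bit order (leftmost bit = x^0)

def gf128_mul(x, y):
    """Multiply two GF(2^128) elements held as big-endian 128-bit integers."""
    z, v = 0, x
    for i in range(127, -1, -1):                     # walk y from its leftmost bit
        if (y >> i) & 1:
            z ^= v
        v = (v >> 1) ^ _R if v & 1 else v >> 1
    return z

def ghash(h, aad, ciphertext):
    """GHASH_H over pad(A) || pad(C) || len64(A) || len64(C), lengths in bits."""
    pad = lambda b: b + bytes(-len(b) % 16)
    data = (pad(aad) + pad(ciphertext)
            + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big"))
    y = 0
    for i in range(0, len(data), 16):                # y = (y ^ block) * H
        y = gf128_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y

def _gctr(key, j0, data):
    """Counter mode from inc32(J0); the same function encrypts and decrypts."""
    out, ctr = bytearray(), int.from_bytes(j0[12:], "big")
    for i in range(0, len(data), 16):
        ctr = (ctr + 1) & 0xFFFFFFFF
        ks = aes128_encrypt_block(key, j0[:12] + ctr.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return bytes(out)

def _setup(key, iv):
    assert len(iv) == 12, "this example implements only the 96-bit IV path"
    h = int.from_bytes(aes128_encrypt_block(key, bytes(16)), "big")  # H = E_K(0^128)
    return h, iv + b"\x00\x00\x00\x01"                               # J0 = IV || 0^31 || 1

def gcm_encrypt(key, iv, plaintext, aad=b""):
    """Return (ciphertext, 16-byte tag)."""
    h, j0 = _setup(key, iv)
    ct = _gctr(key, j0, plaintext)
    tag = int.from_bytes(aes128_encrypt_block(key, j0), "big") ^ ghash(h, aad, ct)
    return ct, tag.to_bytes(16, "big")

def gcm_decrypt(key, iv, ciphertext, tag, aad=b""):
    """Check the tag in constant time and release plaintext only if it matches."""
    h, j0 = _setup(key, iv)
    expected = int.from_bytes(aes128_encrypt_block(key, j0), "big") ^ ghash(h, aad, ciphertext)
    if not hmac.compare_digest(expected.to_bytes(16, "big"), bytes(tag)):
        raise ValueError("authentication tag mismatch")
    return _gctr(key, j0, ciphertext)

if __name__ == "__main__":
    ct, tag = gcm_encrypt(bytes(16), bytes(12), bytes(16))   # public GCM test case 2
    print(ct.hex(), tag.hex())
```

The decrypt path shows the ordering that matters for a defender: the tag is verified before any plaintext leaves the function, and the comparison uses hmac.compare_digest so that an early exit cannot reveal how many bytes of a forged tag were correct. The two published zero-key test vectors (empty plaintext, and one all-zero block) exercise both the empty and the one-block GHASH paths.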

Security Properties and Analysis

AES-GCM provides authenticated encryption with associated data (AEAD) guarantees when nonces are unique and keys are managed properly. Security analyses have been published in venues such as CRYPTO, EUROCRYPT, ACM CCS, and USENIX security symposia, with contributions from researchers affiliated with institutions such as MIT, Stanford University, ETH Zurich, Cornell University, and University of California, Berkeley. Proofs bound forgery probability in terms of tag length and number of queries, and reductions relate to the pseudorandomness of AES and the collision properties of GHASH. Attack research by teams from University of Bochum, Radboud University, and Cryptography Research, Inc. highlighted practical considerations and influenced advisories from CVE coordinators and disclosure policies at OWASP.

Performance and Implementations

AES-GCM achieves high throughput when AES and carry-less multiplication instructions are available; hardware acceleration using instructions such as AES-NI and PCLMULQDQ on processors from Intel and AMD enables line-rate performance in appliances from Cisco and on cloud platforms operated by Amazon Web Services and Google Cloud Platform. Implementations appear in libraries such as the OpenSSL Project, BoringSSL, LibreSSL, libsodium, and Cryptography.io, and in operating systems including the Linux kernel, FreeBSD, Windows NT, macOS, and Android. FPGA and ASIC vendors including Xilinx and Broadcom provide IP cores optimized for AES-GCM for use in network devices sold by Arista Networks and Juniper Networks.

Use Cases and Protocol Integration

AES-GCM is used for session protection in TLS versions adopted by IETF standards, in IPsec implementations specified by RFCs utilized by enterprises with equipment from Cisco Systems and Juniper Networks, in disk encryption systems offered by Microsoft and Apple Inc., and in secure messaging stacks influenced by projects at Open Whisper Systems. It is selected in cloud storage encryption offerings from Google Cloud Platform, Amazon Web Services, and enterprise key management services provided by HashiCorp and Thales Group. Standards bodies such as ISO and NIST reference AES-GCM in profiles for securing communications in industries regulated by agencies like FDA and NERC for critical infrastructure.

Vulnerabilities and Misuse Pitfalls

Security depends critically on nonce uniqueness and a correct key lifecycle; nonce reuse has led to catastrophic failures reported in advisories tracked in CVE databases and discussed at conferences such as Black Hat and DEF CON. Side-channel vulnerabilities exploit microarchitectural features of CPUs from Intel and AMD, leading to mitigations issued by vendors such as Microsoft and Apple Inc. Incorrect implementations in libraries, such as early releases of the OpenSSL Project, or misconfigured deployments in appliances from Cisco Systems have produced real-world incidents, prompting patches coordinated with CERT teams at US-CERT and vulnerability disclosures by researchers at Google Project Zero.
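Added example, not from the article: the defensive side of the nonce-uniqueness requirement in working Python. NonceManager builds the deterministic 96-bit nonce of NIST SP 800-38D section 8.2.1 (a 32-bit fixed field followed by a 64-bit invocation counter) and refuses to issue a nonce once the per-key limit of 2^32 invocations from section 8.3 is reached, which is the point at which the key must be rotated. find_nonce_reuse is the matching detection: it scans log lines for a (key id, nonce) pair that appears more than once under the same key. The class and function names, the KeyExhausted exception, and the log line format are assumptions of this example, and the sample log is constructed.

```python
import re
from collections import defaultdict

NIST_GCM_MAX_INVOCATIONS = 2 ** 32   # SP 800-38D section 8.3: per-key cap on encryptions


class KeyExhausted(Exception):
    """Raised when a key has issued its last permitted nonce; rotate the key."""


class NonceManager:
    """Deterministic 96-bit GCM nonce: 32-bit fixed field || 64-bit counter.

    The fixed field must be unique per (key, producer), and the counter is
    never reset or rewound for the life of the key, so no nonce can repeat.
    """

    def __init__(self, fixed_field: bytes, limit: int = NIST_GCM_MAX_INVOCATIONS):
        if len(fixed_field) != 4:
            raise ValueError("fixed field must be exactly 32 bits")
        self._fixed, self._next, self._limit = bytes(fixed_field), 0, limit

    def remaining(self) -> int:
        """Invocations still permitted under this key."""
        return self._limit - self._next

    def next_nonce(self) -> bytes:
        if self._next >= self._limit:
            raise KeyExhausted("invocation limit reached; derive or rotate the key")
        nonce = self._fixed + self._next.to_bytes(8, "big")
        self._next += 1
        return nonce


# Assumed log format: "... key_id=<id> nonce=<24 hex chars> ..."
_LOG_RE = re.compile(r"key_id=(\S+)\s+nonce=([0-9a-f]{24})")


def find_nonce_reuse(log_lines):
    """Return {(key_id, nonce): count} for every pair seen more than once."""
    seen = defaultdict(int)
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m:
            seen[(m.group(1), m.group(2))] += 1
    return {pair: n for pair, n in seen.items() if n > 1}


# Constructed sample log (not real traffic): one deliberate repeat under key k7;
# the same nonce under a different key (k9) is not a violation.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z sender=A key_id=k7 nonce=0000000100000000000000a1",
    "2024-01-01T00:00:02Z sender=A key_id=k7 nonce=0000000100000000000000a2",
    "2024-01-01T00:00:03Z sender=B key_id=k7 nonce=0000000100000000000000a1",
    "2024-01-01T00:00:04Z sender=A key_id=k9 nonce=0000000100000000000000a1",
]

if __name__ == "__main__":
    nm = NonceManager(b"\x00\x00\x00\x01")
    print(nm.next_nonce().hex(), nm.next_nonce().hex(), nm.remaining())
    print(find_nonce_reuse(SAMPLE_LOG))
```

The counter construction is preferred over random 96-bit nonces because a random nonce runs into the birthday bound well before the counter does, and the exhaustion check turns the key-lifecycle requirement into an error the caller cannot ignore. In the sample log, senders A and B share key k7 but each believes it owns the fixed field, which is exactly how the repeat arises in practice.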

Category: Block cipher modes