| GCM (Galois/Counter Mode) | |
|---|---|
| Name | Galois/Counter Mode |
| Type | Authenticated encryption |
| Designer | David A. McGrew; John Viega |
| Published | 2004 |
| Key size | 128, 192, 256 bits |
| Block size | 128 bits |
| Mode of operation | Counter mode with Galois field authentication |
GCM (Galois/Counter Mode) is an authenticated encryption mode with associated data (AEAD) that combines counter-mode encryption with an authentication tag computed in the binary Galois field GF(2^128), providing confidentiality and integrity in a single algorithm. It was designed in 2004, standardized by NIST in 2007 as SP 800-38D, and has become a common choice in network protocols and cryptographic libraries. GCM is parallelizable, needs only the forward direction of the block cipher, and is efficient on modern processors; it has been the subject of extensive security and performance analysis.
GCM was introduced by David A. McGrew and John Viega and later incorporated into standards by the National Institute of Standards and Technology (SP 800-38D), the Internet Engineering Task Force (for example RFC 5116, RFC 5288 and RFC 4106) and the International Organization for Standardization (ISO/IEC 19772). The mode is defined for any block cipher with a 128-bit block, in practice the Advanced Encryption Standard, and combines counter-mode encryption with multiplication in GF(2^128) for message authentication. This combination of features led to rapid adoption in hardware from Intel and ARM Holdings and in TLS libraries such as OpenSSL and LibreSSL.
GCM encrypts the plaintext with the block cipher in counter mode and computes the authentication tag with GHASH, a universal hash function (not a cryptographic hash) defined by polynomial evaluation in GF(2^128) with the reduction polynomial x^128 + x^7 + x^2 + x + 1. The design separates the encryption primitive, typically AES, from GHASH, which is keyed with the hash subkey H = E_K(0^128). With the recommended 96-bit IV, the initial counter block is J0 = IV || 0^31 || 1; the plaintext is XORed with E_K applied to successive 32-bit increments of J0, and the tag is E_K(J0) XOR GHASH_H(A || C || [len(A)]64 || [len(C)]64), where the associated data A and the ciphertext C are each zero-padded to whole blocks and the lengths are 64-bit bit counts (IVs of other lengths are first compressed with GHASH to form J0). Associated data authenticates headers or metadata without encrypting them, a feature used by IPsec, Transport Layer Security and Secure Shell. The core arithmetic, carry-less multiplication, maps to instructions such as PCLMULQDQ on x86-64 processors from Intel and AMD and PMULL on ARMv8, enabling high-throughput implementations.
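The construction described above, written out as an added example (this is not code from the page, from McGrew and Viega, or from any library): a Go implementation of GF(2^128) multiplication, GHASH, GCTR and GCM encryption for 96-bit IVs on top of crypto/aes. The names gfMul, ghash, inc32, gctr, pad16 and gcmEncrypt are the example's own; the all-zero key, IV and 16-byte plaintext in main are the all-zero test case from the GCM specification, and the output can be compared byte for byte with crypto/cipher's NewGCM followed by Seal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// gfMul multiplies two GF(2^128) elements as in SP 800-38D Algorithm 1 (bit 0 is
// the leftmost bit of a block); R = 11100001 || 0^120 encodes x^128 + x^7 + x^2 + x + 1.
func gfMul(x, y [16]byte) [16]byte {
	vh, vl := binary.BigEndian.Uint64(y[:8]), binary.BigEndian.Uint64(y[8:])
	var zh, zl uint64
	for i := 0; i < 128; i++ {
		if x[i/8]>>uint(7-i%8)&1 == 1 { // bit x_i, counting from the left
			zh, zl = zh^vh, zl^vl // Z = Z xor V
		}
		lsb := vl & 1
		vh, vl = vh>>1, vl>>1|vh<<63 // V = V >> 1
		if lsb == 1 {
			vh ^= 0xe100000000000000 // V = V xor R
		}
	}
	var z [16]byte
	binary.BigEndian.PutUint64(z[:8], zh)
	binary.BigEndian.PutUint64(z[8:], zl)
	return z
}

// ghash computes Y_i = (Y_{i-1} xor X_i) * H over 16-byte blocks; len(data) must be a multiple of 16.
func ghash(h [16]byte, data []byte) [16]byte {
	var y [16]byte
	for i := 0; i < len(data); i += 16 {
		for j := 0; j < 16; j++ {
			y[j] ^= data[i+j]
		}
		y = gfMul(y, h)
	}
	return y
}

// inc32 increments the rightmost 32 bits of a counter block modulo 2^32.
func inc32(cb [16]byte) [16]byte {
	binary.BigEndian.PutUint32(cb[12:], binary.BigEndian.Uint32(cb[12:])+1)
	return cb
}

// gctr is counter mode from counter block icb; a trailing partial block uses only the leading keystream bytes.
func gctr(blk cipher.Block, icb [16]byte, in []byte) []byte {
	out := make([]byte, len(in))
	var ks [16]byte
	for i := 0; i < len(in); i += 16 {
		blk.Encrypt(ks[:], icb[:])
		for j := 0; j < 16 && i+j < len(in); j++ {
			out[i+j] = in[i+j] ^ ks[j]
		}
		icb = inc32(icb)
	}
	return out
}

// pad16 returns a copy of b zero-padded to a multiple of 16 bytes.
func pad16(b []byte) []byte {
	out := make([]byte, (len(b)+15)/16*16)
	copy(out, b)
	return out
}

// gcmEncrypt is GCM-AE (SP 800-38D Algorithm 4) for a 96-bit IV and a 128-bit tag,
// returning ciphertext || tag exactly as cipher.AEAD.Seal does.
func gcmEncrypt(key, iv, aad, plaintext []byte) ([]byte, error) {
	if len(iv) != 12 {
		return nil, fmt.Errorf("example handles only 96-bit IVs")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var zero, h, j0 [16]byte
	blk.Encrypt(h[:], zero[:]) // hash subkey H = E_K(0^128)
	copy(j0[:], iv)
	j0[15] = 1 // J0 = IV || 0^31 || 1; encryption starts at inc32(J0)
	ct := gctr(blk, inc32(j0), plaintext)
	// S = GHASH_H(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64), lengths in bits
	var lens [16]byte
	binary.BigEndian.PutUint64(lens[:8], uint64(len(aad))*8)
	binary.BigEndian.PutUint64(lens[8:], uint64(len(ct))*8)
	s := ghash(h, append(append(pad16(aad), pad16(ct)...), lens[:]...))
	tag := gctr(blk, j0, s[:]) // T = E_K(J0) xor S
	return append(ct, tag...), nil
}

func main() {
	out, _ := gcmEncrypt(make([]byte, 16), make([]byte, 12), nil, make([]byte, 16)) // all-zero test case
	fmt.Println("ciphertext || tag:", hex.EncodeToString(out))
}
```

The bit-serial gfMul is written for readability, not speed; production code uses table-driven or carry-less-multiply (PCLMULQDQ/PMULL) GHASH and, on the decryption side, verifies the tag in constant time before releasing any plaintext. Nothing here should replace a library implementation.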
Security proofs for GCM reduce its confidentiality to the pseudorandomness of the underlying block cipher and its integrity to the almost-XOR-universal property of GHASH, giving bounds in terms of the number of blocks processed, the tag length and the forgery probability; all of them assume that no IV is ever repeated under the same key. Analyses by academic and industry researchers, including work at RSA Security, MIT and the University of California, Berkeley, examine nonce misuse, the algebraic structure of GHASH (Niels Ferguson showed in 2005 that truncated tags are weaker than their length suggests, and later work studied weak hash subkeys and cycling attacks in GF(2^128)), and side-channel leakage from table-driven GHASH on platforms such as ARM Cortex cores that lack carry-less multiply instructions. Repeating an IV under one key leaks the XOR of the two plaintexts, because the same counter-mode keystream is reused, and, more seriously, lets an attacker solve for the hash subkey H from the two tags (Joux's "forbidden attack") and then forge tags for arbitrary messages under that key. Practical attacks have exploited repeated IVs and implementation flaws in libraries such as OpenSSL; countermeasures include strict IV management (deterministic counters, or random 96-bit IVs limited to 2^32 messages per key as SP 800-38D requires), full 128-bit tags, nonce-misuse-resistant variants such as AES-GCM-SIV, and constant-time GHASH implementations, in line with guidance from bodies such as ENISA.
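As an added example (not from the original page or any of the libraries it names), the Go program below uses the standard library's AES-GCM to show the cheapest consequence of nonce reuse and one way to manage nonces so it cannot happen. The names seal, recoverUnderNonceReuse, NonceSource, NewNonceSource and ErrNonceExhausted, the limit parameter, and the key and sample messages are constructions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// seal wraps the standard library's AES-GCM and returns ciphertext || tag.
func seal(key, nonce, aad, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonce, plaintext, aad), nil
}

// recoverUnderNonceReuse demonstrates what a repeated (key, nonce) pair gives
// away: both messages were XORed with the same counter-mode keystream, so
// c1 xor c2 == p1 xor p2 and a known p1 yields p2 without the key. Only the
// ciphertext bytes are used; the trailing 16-byte tags are ignored.
func recoverUnderNonceReuse(c1, c2, knownP1 []byte) []byte {
	n := len(knownP1)
	if m := len(c1) - 16; m < n {
		n = m
	}
	if m := len(c2) - 16; m < n {
		n = m
	}
	p2 := make([]byte, n)
	for i := range p2 {
		p2[i] = c1[i] ^ c2[i] ^ knownP1[i]
	}
	return p2
}

// ErrNonceExhausted signals that the counter space for this key is used up.
var ErrNonceExhausted = errors.New("nonce counter exhausted: rotate the key")

// NonceSource is a hypothetical deterministic nonce policy: a random 32-bit
// per-key prefix followed by a 64-bit message counter (the fixed-field plus
// counter layout recommended in RFC 5116), with a hard cap so a wrapped
// counter can never reissue a nonce under the same key.
type NonceSource struct {
	prefix uint32
	next   uint64
	limit  uint64 // maximum nonces per key; chosen by the caller in this example
}

func NewNonceSource(limit uint64) (*NonceSource, error) {
	var p [4]byte
	if _, err := rand.Read(p[:]); err != nil {
		return nil, err
	}
	return &NonceSource{prefix: binary.BigEndian.Uint32(p[:]), limit: limit}, nil
}

// Next returns a fresh 96-bit nonce, or ErrNonceExhausted once limit is reached.
func (s *NonceSource) Next() ([]byte, error) {
	if s.next >= s.limit {
		return nil, ErrNonceExhausted
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], s.prefix)
	binary.BigEndian.PutUint64(nonce[4:], s.next)
	s.next++
	return nonce, nil
}

func main() {
	key := make([]byte, 32) // constructed fixed key for the demonstration
	for i := range key {
		key[i] = byte(i)
	}
	nonce := []byte("reused-nonce") // 12 bytes, deliberately used twice
	p1 := []byte("constructed plaintext number one")
	p2 := []byte("constructed plaintext number two")
	c1, _ := seal(key, nonce, nil, p1)
	c2, _ := seal(key, nonce, nil, p2)
	fmt.Printf("recovered p2 without the key: %q\n", recoverUnderNonceReuse(c1, c2, p1))

	src, _ := NewNonceSource(2)
	for i := 0; i < 3; i++ {
		n, err := src.Next()
		fmt.Printf("nonce %d: %x err=%v\n", i, n, err)
	}
}
```

The keystream recovery shown here is the mild failure; the forbidden attack on the tags, which recovers H and enables forgeries, is not demonstrated. If random nonces are used instead of a counter, the same cap logic should enforce the 2^32-messages-per-key limit.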
Implementations of GCM appear in cryptographic libraries and hardware accelerators, tuned for the instruction sets of CPUs and offload engines from vendors such as Intel, Qualcomm and NVIDIA. Performance engineering exploits the mode's parallelism: counter blocks are independent, so AES rounds can be interleaved across cores and SIMD lanes (AVX2, NEON), and GHASH can absorb several blocks per step using precomputed powers of H with carry-less multiply instructions. AES-NI and the ARMv8 Cryptography Extensions remove the cipher's S-box table lookups, which also closes the cache-timing side channels studied at research centres such as INRIA and ETH Zurich; table-driven GHASH on processors without carry-less multiply remains the main side-channel concern. Such implementations ship in network and storage systems from Dell EMC and Cisco Systems, and throughput is commonly measured with tools such as the speed command of OpenSSL and LibreSSL and in published benchmark suites.
GCM is widely used in protocols and products that require authenticated encryption: Transport Layer Security (AES-GCM ciphersuites since TLS 1.2, RFC 5288; TLS_AES_128_GCM_SHA256 is mandatory to implement in TLS 1.3), IPsec ESP (RFC 4106), Secure Shell (RFC 5647 and OpenSSH's aes128-gcm@openssh.com), IEEE 802.11 (GCMP, introduced in 802.11ad and used by WPA3-Enterprise 192-bit mode; the earlier 802.11i security amendment used AES-CCM instead), and storage systems from vendors such as Samsung and Western Digital. Cloud providers like Amazon Web Services and Google Cloud Platform and virtualization platforms such as VMware and KVM offer GCM-based ciphersuites for network and disk encryption, while mobile platforms expose it through their cryptographic APIs (AES/GCM/NoPadding in Android's Java Cryptography Architecture, AES.GCM in Apple's CryptoKit). Its associated-data capability suits secure tunnelling and application-layer protocols; OpenVPN supports AES-GCM, whereas WireGuard uses ChaCha20-Poly1305 rather than GCM.
GCM is specified in NIST SP 800-38D, in IETF RFCs including RFC 5116 (AEAD interface), RFC 5288 (TLS) and RFC 4106 (IPsec), and in ISO/IEC 19772, and it is an approved algorithm in FIPS 140-2 and FIPS 140-3 module validation (with NIST CAVP test vectors) and in Common Criteria protection profiles. Related modes address particular security or performance trade-offs: ChaCha20-Poly1305 (RFC 8439) serves platforms without AES and carry-less-multiply hardware, and AES-GCM-SIV (RFC 8452), a synthetic-IV construction by Shay Gueron, Adam Langley and Yehuda Lindell (of Intel and the University of Haifa, Google, and Bar-Ilan University), tolerates nonce repetition by deriving the counter-mode starting block from the message's own tag. Deployments commonly follow NIST guidance and compliance frameworks such as the PCI Security Standards Council's PCI DSS.
Category:Block cipher modes of operation