| Galois/Counter Mode | |
|---|---|
| Name | Galois/Counter Mode |
| Abbreviation | GCM |
| Developer | Joan Daemen; Vincent Rijmen; David A. McGrew; John Viega |
| Introduced | 2004 |
| Derived from | Counter mode; Galois field |
| Block cipher | Advanced Encryption Standard |
| Key size | 128, 192, 256 bits |
| Tag size | 96 bits (typical) |
| Mode of operation | Authenticated encryption |
Galois/Counter Mode is an authenticated encryption mode that combines a counter-mode keystream with a polynomial authentication function (GHASH) over a Galois field. It was developed to provide confidentiality and integrity simultaneously for packetized and streaming data in the high-throughput environments addressed by standards bodies and industry. The design emphasizes parallelizability, low latency, and efficient hardware and software implementations tailored to Advanced Encryption Standard deployments.
Galois/Counter Mode emerged from research communities involved in the debates over Cipher Block Chaining and the rise of Advanced Encryption Standard adoption, influenced by work at organizations such as NIST and projects involving researchers from Nokia Research Center and Intel Corporation. The mode addressed weaknesses revealed by cryptanalysts studying compositions of Message Authentication Code schemes and authenticated encryption proposals during the early 2000s, with contemporaneous interest from institutions like the IETF and IEEE seeking practical schemes for protocols such as TLS and IPsec. Funding, review, and adoption were driven by stakeholders including the US Department of Defense, the European Telecommunications Standards Institute, and large vendors such as Cisco Systems and Microsoft Corporation aiming to standardize secure high-speed transport.
Galois/Counter Mode pairs a counter-mode keystream generator based on Advanced Encryption Standard with a universal hash over a binary extension field, specifically arithmetic in GF(2^128). The core components are a block-cipher key schedule following AES key schedule practice, a per-packet initialization vector (nonce) similar to the constructions used in IPsec ESP, and the GHASH polynomial evaluation, whose hash key H is computed by encrypting an all-zero block under AES-128, AES-192, or AES-256. Plaintext is split into blocks that are XORed with the encrypted counter sequence, while the associated data and the resulting ciphertext are folded into the GHASH accumulator, reflecting design patterns seen in CBC-MAC alternatives and influenced by constructions evaluated at CRYPTO and EUROCRYPT. Tag generation XORs the final GHASH output with the encryption of the initial counter block; verification recomputes the tag and compares it with the received one, resisting the trivial forgery methods examined by the cryptanalysis community and by academic labs at universities such as MIT and Stanford University.
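The construction described above, worked through in code as an added example (this is not code from the original article or from any GCM implementation it mentions). The block cipher itself is deliberately not implemented: the three AES-128 outputs the example needs, namely the hash key H = E_K(0^128) and the encryptions of the first two counter blocks, are taken from the published NIST SP 800-38D GCM test case with an all-zero key and an all-zero 96-bit IV, so everything else (GF(2^128) multiplication, GHASH, the CTR XOR, tag assembly and constant-time verification) runs offline and can be checked against the known ciphertext and tag.

```python
"""GHASH and GCM tag assembly, checked against NIST SP 800-38D test vectors.

Added example, not the article's own code. AES is not implemented here; the
block-cipher outputs below are the published values for K = 0^128, IV = 0^96.
"""
import hmac

# The GCM field polynomial x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected
# representation: the leftmost bit of a block is the coefficient of x^0.
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements held as 128-bit ints (block bit 0 = MSB),
    following Algorithm 1 of NIST SP 800-38D (shift-and-add with reduction)."""
    z = 0
    v = y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # x_i, counting from the leftmost bit
            z ^= v
        if v & 1:                  # LSB set: shift right, then reduce by R
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks, zero-padding a short final block as GHASH requires."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\x00")


def ghash(h: int, aad: bytes, ciphertext: bytes) -> int:
    """GHASH_H(A, C): absorb A, then C, then the block [len(A)]_64 || [len(C)]_64
    (lengths in bits). Each step is X = (X xor block) * H."""
    x = 0
    for blk in _blocks(aad):
        x = gf128_mul(x ^ int.from_bytes(blk, "big"), h)
    for blk in _blocks(ciphertext):
        x = gf128_mul(x ^ int.from_bytes(blk, "big"), h)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return gf128_mul(x ^ lengths, h)


def ctr_encrypt(plaintext: bytes, keystream_blocks) -> bytes:
    """The CTR step: C_i = P_i xor E_K(inc32^i(J0)). The caller supplies the
    encrypted counter blocks, so no block cipher is needed in this example."""
    out = bytearray()
    for i, blk in enumerate(_blocks(plaintext)):
        out += bytes(p ^ k for p, k in zip(blk, keystream_blocks[i]))
    return bytes(out[:len(plaintext)])


def gcm_tag(h: int, ek_j0: bytes, aad: bytes, ciphertext: bytes, tag_len: int = 16) -> bytes:
    """T = MSB_t(GHASH_H(A, C) xor E_K(J0)); E_K(J0) masks the hash output."""
    s = ghash(h, aad, ciphertext).to_bytes(16, "big")
    return bytes(a ^ b for a, b in zip(s, ek_j0))[:tag_len]


def verify_tag(h: int, ek_j0: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time. A receiver must reject
    the message (and release no plaintext) whenever this returns False."""
    expected = gcm_tag(h, ek_j0, aad, ciphertext, len(tag))
    return hmac.compare_digest(expected, tag)


# Published GCM test case 2 (K = 0^128, IV = 0^96, A empty, P = 0^128).
# All three values are AES-128 outputs under that key, quoted from the spec.
H_TC = int("66e94bd4ef8a2c3b884cfa59ca342b2e", 16)             # E_K(0^128)
EK_J0_TC = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")   # E_K(IV || 0^31 || 1)
EK_J1_TC = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")   # E_K(IV || 0^30 || 10)


def demo():
    """Encrypt one zero block, tag it, verify it, then show that flipping a
    single ciphertext bit makes verification fail."""
    plaintext = bytes(16)
    ct = ctr_encrypt(plaintext, [EK_J1_TC])
    tag = gcm_tag(H_TC, EK_J0_TC, b"", ct)
    ok = verify_tag(H_TC, EK_J0_TC, b"", ct, tag)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    tampered_ok = verify_tag(H_TC, EK_J0_TC, b"", tampered, tag)
    return ct.hex(), tag.hex(), ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

With these inputs the ciphertext is the keystream block itself (the plaintext is zero) and the tag matches the spec's value `ab6e47d42cec13bdf53a67b21257bddf`; the empty-message case of test case 1 reduces to GHASH = 0, so the tag there is simply E_K(J0). Note that the field element 1 is the block `80 00 … 00`, not the integer 1, which is the most common mistake when re-implementing GHASH.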
Security claims for the mode are stated in terms of authenticated encryption with associated data (AEAD), with proofs in the reductionist style popularized in publications from Bell Labs and standards-oriented proofs vetted by NIST panels. The confidentiality guarantee reduces to the pseudorandomness of AES in counter mode, while the integrity bound relates to collision probabilities of the GHASH polynomial over GF(2^128), topics analyzed by researchers affiliated with RSA Laboratories, the University of Waterloo, and Technische Universität Darmstadt. Practical attacks and limitations have been explored in papers presented at CRYPTO, ASIACRYPT, and EUROCRYPT, including nonce-reuse misuse scenarios studied in threat reports by the NSA and by academic teams at ETH Zurich. Security margins depend on tag length and nonce uniqueness; security advisories from vendors such as Apple Inc. and Google LLC emphasize correct nonce management to avoid forgery or plaintext recovery.
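The collision argument behind the integrity bound, written out as an added derivation (not part of the original article) in the page's own symbols H and GF(2^128). Let X_1, …, X_m be the padded associated-data blocks, the ciphertext blocks and the final length block, in that order. GHASH is then a polynomial in the hash key:

$$
\mathrm{GHASH}_H(X_1,\dots,X_m) \;=\; \sum_{i=1}^{m} X_i \cdot H^{\,m+1-i} \;=\; g(H),
\qquad g(Y)=X_1Y^{m}+X_2Y^{m-1}+\cdots+X_mY .
$$

Two distinct inputs of at most m blocks give distinct polynomials g ≠ g', and they collide exactly when (g − g')(H) = 0. A nonzero polynomial of degree at most m over a field has at most m roots, so for a uniformly random H:

$$
\Pr_{H}\bigl[g(H)=g'(H)\bigr] \;\le\; \frac{m}{2^{128}} .
$$

The tag is T = MSB_τ(GHASH_H ⊕ E_K(J_0)). The mask E_K(J_0) is what hides the hash value; reusing a nonce reuses that mask, which exposes a relation in H across the two messages and is the root of the nonce-management warnings above. Truncating the tag to τ bits raises the per-attempt forgery probability to the order of 2^{−τ}, and it grows further with the message length m, so long messages and short tags both erode the margin.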
Galois/Counter Mode is optimized for parallel processing and has been implemented in hardware accelerators in processors from Intel Corporation (via dedicated instruction sets) and AMD, and in network processors from Broadcom. Software implementations exploit vector extensions such as Intel AVX and ARM NEON for GHASH and the AES rounds; benchmarking efforts by organizations like NIST and industry labs at IBM highlight throughput advantages in high-bandwidth applications, including HTTP/2 and QUIC stacks. Implementers must apply constant-time programming techniques, as advocated by security teams at the OpenSSL Project and LibreSSL, to prevent the side-channel leaks studied by researchers at the University of Cambridge and CWI. Hardware designs incorporate parallel multiplier arrays akin to those used in Reed–Solomon accelerator designs developed at telecommunications vendors like Ericsson.
Galois/Counter Mode is specified in standards from the IETF (notably in documents used by TLS and IPsec profiles), formalized by NIST guidance, and integrated into IEEE specifications for secure link-layer protocols. Major software and operating system projects (the OpenSSL Project, LibreSSL, GnuTLS, Microsoft Windows, the Linux kernel) and cloud providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure offer GCM-enabled cipher suites. Regulatory and compliance regimes referencing FIPS, and procurement frameworks at institutions like the European Commission, list GCM among approved modes, which influenced adoption by vendors such as Oracle Corporation and Salesforce.
Several variants and extensions address nonce-misuse resilience, different polynomial bases, and alternative field sizes; notable follow-ups include modes proposed in papers from research groups at IBM Research, Nokia Bell Labs, and Stanford University. Proposals such as misuse-resistant authenticated encryption schemes and modifications integrating SIV mode ideas were debated at IETF and presented at NDSS and USENIX Security Symposium. Hardware-aware variants tailor GHASH implementations for accelerator ecosystems developed by Qualcomm and ARM Holdings, while cryptographic libraries maintain alternative authenticated encryption algorithms like ChaCha20-Poly1305 for platforms where GCM trade-offs are unfavorable.