GCM
1 Introduction
Galois/Counter Mode (GCM) is a block cipher mode of operation that uses universal hashing over
a binary Galois field to provide authenticated encryption. It can be implemented in hardware to
achieve high speeds with low cost and low latency. Software implementations can achieve excel-
lent performance by using table-driven field operations. It uses mechanisms that are supported
by a well-understood theoretical foundation, and its security follows from a single reasonable
assumption about the security of the block cipher.
There is a compelling need for a mode of operation that can efficiently provide authenticated
encryption at speeds of 10 gigabits per second and above in hardware, perform well in software,
and is free of intellectual property restrictions. The mode must admit pipelined and paralellized
implementations and have minimal computational latency in order to be useful at high data rates.
Counter mode has emerged as the best method for high-speed encryption, because it meets those
requirements. However, there is no suitable standard message authentication algorithm. This fact
leaves us in the situation in which we can encrypt at high speed, but we cannot provide message
authentication that can keep up with our cipher. This lack is especially conspicuous since counter
mode provides no protection against bit-flipping attacks.
GCM fills this need, while no other proposed mode meets the same criteria. CBC-MAC [1, Ap-
pendix F] and the modes that use it to provide authentication, such as CCM [2], EAX [3], and
OMAC [4], cannot be pipelined or parallelized, and thus are unsuitable for high data rates. OCB
[5] is covered by multiple intellectual property claims. CWC [6] does not share those problems,
but is less appropriate for high speed implementations. In particular, CWC’s message authen-
tication component uses 127-bit integer multiplication operations whose implementation costs
exceed those of even AES counter mode at high speeds, and it has a circuit depth that is twice
that of GCM. In contrast, the binary field multiplication used to provide authentication in GCM is
easily implemented at a fraction of the cost of counter mode at high speeds.
GCM also has additional useful properties. It is capable of acting as a stand-alone MAC, authen-
ticating messages when there is no data to encrypt, with no modifications. Importantly, it can be
used as an incremental MAC [7]: if an authentication tag is computed for a message, then part of
the message is changed, an authentication tag can be computed for the new message with compu-
tational cost proportional to the number of bits that were changed. This feature is unique among
all of the proposed modes.
Another useful property is that it accepts initialization vectors of arbitrary length, which makes it
easier for applications to meet the requirement that all IVs be distinct. In many situations in which
authenticated encryption is needed, there is a data element that could be used as a nonce, or as a
part of a nonce, except that the length of the element(s) may exceed the block size of the cipher. In
GCM, a nonce of any size can be used as the IV. This property is shared with EAX, but no other
1
