
What is Galois/Counter Mode (GCM)?


The Galois/Counter Mode (GCM) is an algorithm for authenticated encryption that addresses confidentiality and authenticity at the same time. It is a NIST standard designed to avoid security flaws in authenticated encryption.

GCM algorithm

Find below a graphical representation of the GCM algorithm. This representation is based on the NIST recommendation. You can find the whole document at this link.

GCM algorithm

As you can see in the picture above, the algorithm receives 4 inputs:

  • A key K
  • An initialization vector IV
  • Plain text P
  • Additional authenticated data A

The IV must meet the following requirement: “The probability that the authenticated encryption function ever will be invoked with the same IV and the same key on two (or more) distinct sets of input data shall be no greater than 2^-32.”

As a first step, you calculate the hash subkey H by encrypting the all-zero block with the key K. You will need H later to compute the output of the GHASH function.

Next, you calculate the pre-counter block J0. Notice that the way J0 is computed depends on the length of the initialization vector. The operator || denotes string concatenation.

After that, you obtain the initial counter block by applying the 32-bit increment function to J0. With the initial counter block, you produce the ciphertext C using the GCTR function.

Using the GHASH function, you compress the additional authenticated data A and the ciphertext C into a single output block, obtaining a value S.

Finally, you calculate the tag T by applying the GCTR function to S. We use this tag for authentication.

The algorithm returns the ciphertext C and the authentication tag T.

MSB_t returns the t most significant (leftmost) bits of a given bit string.

GHASH

GHASH is the authentication mechanism of GCM, and it is based on a hash function.

Here, the mechanism uses a hash subkey H (see the picture above). We call the instance of the hash function keyed with this subkey GHASH_H.

The aim of this function is to compress the additional authenticated data A and the ciphertext C into a single block. Encrypting that block yields the authentication tag T.

GHASH is a keyed hash function, but it is not a cryptographic hash function. The NIST recommendation suggests using GHASH only within the context of GCM.

The intermediate results of applying GHASH must be kept secret.

See below a graphical representation of the GHASH function.

GHASH function. Source.

GCTR

This function takes as input the secret key K and a bit string J0, and returns the ciphertext.

See below a graphical representation of the GCTR function.

GCTR function. Source.
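As an added example that is not part of the original post, the encryption steps described above (H, J0, the 32-bit increment, GCTR, GHASH and the tag), together with the GHASH and GCTR functions, in Python against an abstract 128-bit block cipher passed in as a callable. The demo cipher is a constructed lookup table holding the three AES-128 outputs under the all-zero key that the standard GCM test case 2 (96-bit zero IV, one zero plaintext block, no additional data) needs, so the example reproduces that test vector without any AES code.

```python
BLOCK = 16
R = 0xE1 << 120  # GF(2^128) reduction constant (x^128 + x^7 + x^2 + x + 1)
def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):                      # bit 0 of the spec is the leftmost bit
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z
def ghash(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH_H over A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64 (bit lengths)."""
    pad = lambda s: s + b"\0" * (-len(s) % BLOCK)
    data = pad(a) + pad(c) + (8 * len(a)).to_bytes(8, "big") + (8 * len(c)).to_bytes(8, "big")
    hh, y = int.from_bytes(h, "big"), 0
    for i in range(0, len(data), BLOCK):       # X_i = (X_{i-1} xor block_i) . H
        y = gf_mult(y ^ int.from_bytes(data[i:i + BLOCK], "big"), hh)
    return y.to_bytes(BLOCK, "big")

def inc32(block: bytes) -> bytes:
    """Increment only the rightmost 32 bits, modulo 2^32."""
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")

def gctr(ciph, icb: bytes, x: bytes) -> bytes:
    """XOR X with the keystream CIPH_K(ICB), CIPH_K(inc32(ICB)), ...; last block truncated."""
    out, cb = bytearray(), icb
    for i in range(0, len(x), BLOCK):
        out += bytes(p ^ k for p, k in zip(x[i:i + BLOCK], ciph(cb)))
        cb = inc32(cb)
    return bytes(out)

def gcm_encrypt(ciph, iv: bytes, p: bytes, a: bytes, tag_len: int = 16):
    """Return (C, T) following the steps in the post: H, J0, GCTR, GHASH, tag."""
    h = ciph(b"\0" * BLOCK)                    # hash subkey H = CIPH_K(0^128)
    if len(iv) == 12:                          # 96-bit IV: J0 = IV || 0^31 || 1
        j0 = iv + b"\0\0\0\1"
    else:                                      # else J0 = GHASH_H(IV || 0^(s+64) || [len(IV)]_64)
        j0 = ghash(h, b"", iv)                 # (same padding rule, with A empty)
    c = gctr(ciph, inc32(j0), p)               # C = GCTR_K(inc32(J0), P)
    s = ghash(h, a, c)                         # S = GHASH_H(A, C)
    t = gctr(ciph, j0, s)[:tag_len]            # T = MSB_t(GCTR_K(J0, S))
    return c, t

# Constructed stand-in for CIPH_K: AES-128 under the all-zero key, restricted to
# the three blocks that GCM test case 2 (IV = 0^96, P = 0^128, A empty) encrypts.
AES_ZERO_KEY = {bytes(16): bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e"),
                bytes(15) + b"\1": bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a"),
                bytes(15) + b"\2": bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")}
def demo_ciph(block: bytes) -> bytes: return AES_ZERO_KEY[block]
```

Calling gcm_encrypt(demo_ciph, bytes(12), bytes(16), b"") returns the ciphertext 0388dace60b6a392f328c2b971b2fe78 and the tag ab6e47d42cec13bdf53a67b21257bddf of that test case.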

GCM Real-World applications

Internet Protocol Security (IPsec) is a secure network protocol that encrypts and authenticates data packets to provide secure communication.

In this link, you can find the standard specification on how to use GCM in the IPSec Encapsulating Security Payload.

GCM also has applications in the Secure Shell protocol (SSH), Transport Layer Security (TLS), and software such as OpenVPN.

Some security considerations

Misuse of the initialization vector IV has negative consequences for the security of GCM. For instance, reusing a key/IV pair results in loss of confidentiality for the messages that used the same IV value.

Reuse of an IV by the sender can also allow an attacker to recover the key used with GHASH (the hash subkey H), which can lead to message forgeries.
