The Security and Performance of the Galois/Counter Mode (GCM) of Operation

  • David A. McGrew
  • John Viega
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3348)


The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.


Medium Access Control Clock Cycle Block Cipher Advance Encryption Standard Message Authentication Code 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Baugher, M., McGrew, D., Naslund, M., Carrara, E., Norrman, K.: The Secure Real-time Transport Protocol. In: IETF RFC 3711 (March 2004)Google Scholar
  2. 2.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of the 38th FOCS. IEEE Computer Society Press, Los Alamitos (1997)Google Scholar
  3. 3.
    Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography: the case of hashing and signing. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 216–233. Springer, Heidelberg (1994)Google Scholar
  4. 4.
    Bellare, Ê.M., Kilian, J., Rogaway, P.: The Security of the Cipher Block Chaining Message Authentication Code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 531. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Bernstein, D.: Floating-point arithmetic and message authentication (manuscript, 2000), Available online at:
  7. 7.
    Black, J., Rogaway, P.: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 384. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Bellare, M., Rogaway, P., Wagner, D.: A conventional authenticated-encryption mode. Submission to NIST Modes of Operation process (2003)Google Scholar
  9. 9.
    Claffy, K., Miller, G., Thompson, K.: The nature of the beast: Recent traffic measurements from an Internet backbone. In: INET 1998, ISOC (1998)Google Scholar
  10. 10.
    Gladman, B.: AES and Combined Encryption/Authentication Modes (February 2004) Web Page,
  11. 11.
    Gligor, V., Donescu, P.: Fast encryption and authentication: XCBC encryption and XECB authentication modes. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, p. 92. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Iwata, T., Kurosawa, K.: OMAC: One-Key CBC MAC. Submission to NIST Modes of Operation Process (2002)Google Scholar
  13. 13.
    Jutla, C.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 529. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Kent, S., Atkinson, R.: IP Encapsulating Security Payload (ESP). IETF Request For Comments (RFC) 2406 (November 1998)Google Scholar
  15. 15.
    Kohno, T., Viega, J., Whiting, D.: The CWC-AES Dual-use Mode. Submission to NIST Modes of Operation Process (2003)Google Scholar
  16. 16.
    Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994)Google Scholar
  17. 17.
    McGrew, D.: The Universal Security Transform. IETF Internet Draft, Work in Progress (October 2002)Google Scholar
  18. 18.
    McGrew, D., Viega, J.: The Galois/Counter Mode of Operation (GCM). Submission to NIST Modes of Operation Process (January 2004)Google Scholar
  19. 19.
    Rogaway, P.: Authenticated encryption with associated data. In: Proceedings of the 9th CCS (November 2002)Google Scholar
  20. 20.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption. In: ACM CCS (2001)Google Scholar
  21. 21.
    Romanow, A. (ed.): Media Access Control (MAC) Security. IEEE 802.1AE, Draft Standard (July 2004)Google Scholar
  22. 22.
    Shoup, V.: On Fast and Provably Secure Message Authentication Based on Universal Hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996)Google Scholar
  23. 23.
    U.S. National Institute of Standards and Technology. The Advanced Encryption Standard. Federal Information Processing Standard (FIPS) 197 (2002)Google Scholar
  24. 24.
    Viega, J., McGrew, D.: The Use of Galois/Counter Mode (GCM) in IPsec ESP. IETF Internet Draft, Work in Progress (April 2004)Google Scholar
  25. 25.
    Wegman, M., Carter, L.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22, 265–279 (1981)zbMATHCrossRefMathSciNetGoogle Scholar
  26. 26.
    Whiting, D., Ferguson, N., Housley, R.: Counter with CBC-MAC (CCM). Submission to NIST Modes of Operation Process (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • David A. McGrew
    • 1
  • John Viega
    • 2
  1. 1.Cisco Systems, Inc. 
  2. 2.Secure Software 

Personalised recommendations