GCM = CTR + GHASH

Encryption: AES in counter mode (CTR); the counter blocks are derived from the nonce and each keystream block is E_K(counter_i). Authentication: GHASH, the evaluation at the hash key H = E_K(0^128) of a polynomial over GF(2^128) whose coefficients are the AAD blocks, the ciphertext blocks and a final length block. The tag is GHASH XORed with E_K(J0), the encrypted initial counter block, so the tag (not the plaintext) is what protects integrity and the ciphertext itself is fully malleable.


Nonce sensitivity

Nonce reuse is catastrophic. Two messages under the same (key, nonce) use the same CTR keystream, so C1 XOR C2 = P1 XOR P2; they also share the same tag mask E_K(J0), so T1 XOR T2 is a polynomial in H with attacker-known coefficients, and solving it recovers the authentication key H (Joux's "forbidden attack"). With H, the attacker forges a valid tag for any ciphertext under that nonce. Never reuse a nonce with the same key. With the standard 96-bit nonce, random nonces collide with non-negligible probability after about 2^32 messages (the limit NIST SP 800-38D sets for random IVs), so use a counter-based nonce, or a misuse-resistant mode such as AES-GCM-SIV when uniqueness cannot be guaranteed.


Parallelism

CTR mode parallelizes trivially: every keystream block E_K(counter_i) is independent of the others. GHASH in its natural Horner form is sequential (each step multiplies the previous accumulator by H), but precomputing H^2, H^3, H^4 lets four (or eight) blocks be multiplied independently in one step and XORed together, so SIMD lanes and multiple cores both get full throughput.
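Added example covering the three points above: GHASH as polynomial evaluation over GF(2^128), what two one-block messages sealed under the same nonce leak (H recovery and a forged tag), and the 4-way GHASH evaluation behind the parallelism claim. This is not code from the original page or from any library. AES itself is not implemented: H_TRUE, KEYSTREAM and TAG_MASK are constructed constants standing in for E_K(0^128), E_K(J0+1) and E_K(J0), the three values AES would produce under one fixed (key, nonce) pair; everything else is bit-exact GCM arithmetic per NIST SP 800-38D.

```python
"""GHASH over GF(2^128), nonce-reuse key recovery, 4-way GHASH. Added example.
AES is not implemented: H_TRUE, KEYSTREAM and TAG_MASK are constructed
stand-ins for E_K(0^128), E_K(J0+1) and E_K(J0) under one (key, nonce)."""
from __future__ import annotations

ONE = 1 << 127   # GCM's multiplicative identity: bit 127 is the x^0 coefficient
R = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order


def gf_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements, NIST SP 800-38D Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x: int, e: int) -> int:
    acc = ONE
    while e:
        if e & 1:
            acc = gf_mul(acc, x)
        x, e = gf_mul(x, x), e >> 1
    return acc


def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)   # x^(2^128 - 2) = x^-1 for x != 0


def gf_sqrt(x: int) -> int:
    return gf_pow(x, 1 << 127)         # squaring is a bijection in char 2; this inverts it


def _blocks(aad: bytes, ct: bytes) -> list[int]:
    """AAD and ciphertext zero-padded to 16-byte blocks, then the length block."""
    out = []
    for data in (aad, ct):
        padded = data + b"\x00" * (-len(data) % 16)
        out += [int.from_bytes(padded[i:i + 16], "big") for i in range(0, len(padded), 16)]
    out.append((len(aad) * 8) << 64 | (len(ct) * 8))
    return out


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """Horner form: X_i = (X_{i-1} xor B_i) * H; every step waits for the previous one."""
    x = 0
    for b in _blocks(aad, ct):
        x = gf_mul(x ^ b, h)
    return x


def ghash_4way(h: int, aad: bytes, ct: bytes) -> int:
    """Same polynomial, four blocks per step with precomputed H..H^4: the four
    products are independent (SIMD lanes or cores), then XORed. Tail via Horner."""
    h1, h2, h3, h4 = h, gf_pow(h, 2), gf_pow(h, 3), gf_pow(h, 4)
    blocks = _blocks(aad, ct)
    x, i = 0, 0
    while i + 4 <= len(blocks):
        b0, b1, b2, b3 = blocks[i:i + 4]
        x = gf_mul(x ^ b0, h4) ^ gf_mul(b1, h3) ^ gf_mul(b2, h2) ^ gf_mul(b3, h1)
        i += 4
    for b in blocks[i:]:
        x = gf_mul(x ^ b, h1)
    return x


# Constructed stand-ins for one fixed (key, nonce); the attacker never sees them.
H_TRUE = 0x73A23D80121DE2D5A850253FCF43120E                    # E_K(0^128)
KEYSTREAM = bytes.fromhex("b5d7c4e1a3e6ed1f9d8c0b3a2f1e4d5c")  # E_K(J0 + 1)
TAG_MASK = 0x4F8C1E2D3B5A697788A1B2C3D4E5F601                  # E_K(J0)


def seal(pt: bytes) -> tuple[bytes, int]:
    """GCM for one 16-byte block, no AAD. Calling it twice is the nonce reuse."""
    assert len(pt) == 16
    ct = bytes(a ^ b for a, b in zip(pt, KEYSTREAM))
    return ct, ghash(H_TRUE, b"", ct) ^ TAG_MASK


def open_(ct: bytes, tag: int) -> bytes | None:
    """Legitimate receiver: recompute the tag, decrypt only on a match."""
    if ghash(H_TRUE, b"", ct) ^ TAG_MASK != tag:
        return None
    return bytes(a ^ b for a, b in zip(ct, KEYSTREAM))


def recover_h(ct1: bytes, tag1: int, ct2: bytes, tag2: int) -> int:
    """Two one-block messages under one nonce: GHASH(C) = C*H^2 xor L*H with the
    same length block L, and the mask E_K(J0) cancels, so T1 xor T2 = (C1 xor C2)*H^2.
    Longer messages give a higher-degree polynomial whose roots must be found
    (Joux's forbidden attack); the one-block case is a division and a square root."""
    c1, c2 = int.from_bytes(ct1, "big"), int.from_bytes(ct2, "big")
    return gf_sqrt(gf_mul(tag1 ^ tag2, gf_inv(c1 ^ c2)))


def forge(ct_seen: bytes, tag_seen: int, h: int, new_ct: bytes) -> int:
    """Knowing H, peel the mask off a seen tag and re-apply it to any ciphertext."""
    return ghash(h, b"", new_ct) ^ tag_seen ^ ghash(h, b"", ct_seen)


def demo() -> dict:
    p1, p2 = b"transfer 0000100", b"transfer 0000999"   # constructed messages
    c1, t1 = seal(p1)
    c2, t2 = seal(p2)                                   # same nonce: the mistake
    h = recover_h(c1, t1, c2, t2)
    # CTR is malleable: flip byte 9 of c1 so the plaintext digit '0' becomes '9'.
    c3 = c1[:9] + bytes([c1[9] ^ (ord("0") ^ ord("9"))]) + c1[10:]
    return {
        "pt_xor": bytes(a ^ b for a, b in zip(c1, c2)),   # equals p1 xor p2
        "h_recovered": h,                                # equals H_TRUE
        "forged_plaintext": open_(c3, forge(c1, t1, h, c3)),  # receiver accepts it
    }
```

The recovery in demo() uses nothing but the two ciphertext/tag pairs an eavesdropper sees; the key never enters, and once H is known every tag under that nonce is forgeable. The ghash/ghash_4way pair shows that the parallel form computes the identical polynomial, which is why an implementation can choose its degree of parallelism freely without changing the tag.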

PCLMULQDQ

x86 instruction (Intel, also AMD) for carry-less multiplication of two 64-bit operands; four of them build the 128x128-bit product, which is then reduced modulo x^128 + x^7 + x^2 + x + 1 to finish one GHASH multiplication. Besides speed, this removes the table lookups of software GHASH, which are a cache-timing side channel. Combined with AES-NI for the CTR keystream, AES-GCM runs at multiple GB/s per core and 10+ GB/s across cores or with the AVX-512 VAES/VPCLMULQDQ variants.