GCM = CTR + GHASH
Encryption: AES in counter mode. Authentication: GHASH — polynomial evaluation in GF(2^128).
Nonce sensitivity
Nonce reuse is catastrophic: it reveals the GHASH authentication key and the XOR of the two plaintexts. Never reuse a nonce with the same key.
Parallelism
CTR mode parallelizes trivially (each counter block is encrypted independently). GHASH is also parallelizable, so GCM reaches full throughput on multicore hardware.
PCLMULQDQ
Intel x86 instruction for carry-less multiplication → fast GHASH. Combined with AES-NI: 10+ GB/s.