====== Ciphers - GCM ======

**GCM** ([[http://en.wikipedia.org/wiki/Galois/Counter_Mode|Galois Counter Mode]]) is a [[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation|mode of operation]] for symmetric-key cryptographic [[https://en.wikipedia.org/wiki/Block_cipher|block ciphers]], widely adopted for its performance. The operation is an [[https://en.wikipedia.org/wiki/Authenticated_encryption|authenticated encryption]] algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits.

----

===== Pros =====

GCM is:

  * Extremely fast.
  * Patent-free.
  * Able to take full advantage of parallel processing.
  * Able to make efficient use of an instruction pipeline or a hardware pipeline when implemented.
  * Supported as a [[http://tools.ietf.org/html/rfc5288|TLS ciphersuite]].
  * Supported by [[https://en.wikipedia.org/wiki/OpenSSL|OpenSSL]].
  * Supported by Crypto++.

----

===== Cons =====

  * GCM is CTR mode encryption with the addition of a Carter-Wegman MAC set in a [[https://en.wikipedia.org/wiki/Galois_field|Galois field]].
  * Implementing GCM is a hassle in a way that most other AEADs (Authenticated Encryption with Associated Data) are not. But if you have someone else’s implementation — say OpenSSL’s — it’s a perfectly lovely mode.

GCM has two authentication weaknesses.

  - The first weakness is that an n-bit tag provides only n − k bits of authentication security when messages are 2<sup>k</sup> blocks long.
    * Competing modes do not have this problem, or have it only when n = 128, in which case the practical effect is minimal.
  - A successful forgery immediately reveals information about the authentication key.
    * This weakness exacerbates the consequences of the first one, and leads to a complete loss of authentication security.
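To make the "CTR mode plus a Carter-Wegman MAC in a Galois field" description concrete, the following is an added illustrative example written for this page; it is not OpenSSL's or Crypto++'s code. It implements GHASH, the polynomial MAC GCM computes over GF(2<sup>128</sup>) with the hash subkey H = E<sub>K</sub>(0<sup>128</sup>), and shows how the final tag is formed by XORing GHASH with the encrypted initial counter block E<sub>K</sub>(J<sub>0</sub>). The block cipher itself is left out: H, the ciphertext C and E<sub>K</sub>(J<sub>0</sub>) are taken from test case 2 of the original McGrew-Viega GCM specification (AES-128, all-zero key, 96-bit all-zero IV, one all-zero plaintext block), so the example is assumed to reproduce that vector. The code is pure Python, not constant-time, and is for study only.

```python
import hmac

# GCM's reduction polynomial x^128 + x^7 + x^2 + x + 1 in the spec's reflected
# bit order (bit 0 is the leftmost bit of the big-endian block).
R = 0xE1000000000000000000000000000000


def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements using the bit ordering GCM defines."""
    z = 0
    v = x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, leftmost bit first
            z ^= v
        if v & 1:                  # multiply v by x and reduce
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks, zero-padding the final partial block."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\x00")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A, C): a polynomial evaluation over AAD, ciphertext and lengths."""
    hk = int.from_bytes(h, "big")
    x = 0
    for block in _blocks(aad):
        x = gf128_mul(x ^ int.from_bytes(block, "big"), hk)
    for block in _blocks(ciphertext):
        x = gf128_mul(x ^ int.from_bytes(block, "big"), hk)
    # Final block: 64-bit bit-length of AAD || 64-bit bit-length of ciphertext.
    lengths = (len(aad) * 8).to_bytes(8, "big") + (len(ciphertext) * 8).to_bytes(8, "big")
    x = gf128_mul(x ^ int.from_bytes(lengths, "big"), hk)
    return x.to_bytes(16, "big")


def gcm_tag(h: bytes, aad: bytes, ciphertext: bytes, ek_j0: bytes) -> bytes:
    """T = GHASH_H(A, C) XOR E_K(J0); this is the Carter-Wegman step."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), ek_j0))


def verify_tag(h: bytes, aad: bytes, ciphertext: bytes, ek_j0: bytes, tag: bytes) -> bool:
    """Receiver-side check; compare in constant time so timing leaks nothing."""
    return hmac.compare_digest(gcm_tag(h, aad, ciphertext, ek_j0), tag)


# Values from GCM spec test case 2 (AES-128, K = 0^128, IV = 0^96, P = 0^128).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")       # E_K(0^128)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")       # CTR-mode ciphertext
EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")   # E_K(J0), J0 = IV || 0^31 || 1
EXPECTED_TAG = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")

if __name__ == "__main__":
    print("GHASH :", ghash(H, b"", C).hex())
    print("tag   :", gcm_tag(H, b"", C, EK_J0).hex())
    print("valid :", verify_tag(H, b"", C, EK_J0, EXPECTED_TAG))
    # Flipping one ciphertext bit changes the tag, which is what integrity buys.
    tampered = bytes([C[0] ^ 0x01]) + C[1:]
    print("tampered valid:", verify_tag(H, b"", tampered, EK_J0, EXPECTED_TAG))
```

Note that everything the tag depends on, apart from the single block cipher call hidden in E<sub>K</sub>(J<sub>0</sub>), is linear algebra over GF(2<sup>128</sup>) keyed by H. That structure is exactly why the page's second weakness matters: a verified forgery gives an attacker an equation in H, which is why a receiver must reject on tag mismatch without leaking anything beyond the one-bit result, and why tag lengths well below 128 bits should be avoided.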