GCM = CTR + GHASH
Encryption: AES in counter mode. Authentication: GHASH — polynomial evaluation in GF(2^128).
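Added example (not from the original page): GHASH written out as polynomial evaluation in GF(2^128), following NIST SP 800-38D. The function names are my own, the code is written for readability rather than constant-time execution, and the sample values are test case 2 of the published GCM specification (all-zero key and IV).

```python
# Added example: GHASH per NIST SP 800-38D. Illustrative only, not constant time.
R = 0xE1 << 120  # reduction for x^128 + x^7 + x^2 + x + 1 in GCM's bit order


def gf_mult(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements held as 128-bit big-endian integers."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # GCM numbers bits from the most significant end
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1  # v *= x, reducing on overflow
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks as integers, zero-padding a final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Horner evaluation at H of the polynomial whose coefficients are the
    blocks of aad || ciphertext || (bit length of aad, bit length of ciphertext)."""
    if len(h) != 16:
        raise ValueError("hash subkey H must be 16 bytes")
    h_int = int.from_bytes(h, "big")
    length_block = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    x = 0
    for block in [*_blocks(aad), *_blocks(ciphertext), length_block]:
        x = gf_mult(x ^ block, h_int)
    return x.to_bytes(16, "big")


# GCM specification test case 2: H = AES_K(0^128) with an all-zero 128-bit key,
# C = the single ciphertext block for an all-zero plaintext block.
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")

if __name__ == "__main__":
    print(ghash(H, b"", C).hex())
```

In GCM the tag is this GHASH output XORed with the encrypted initial counter block, which is why H must stay secret.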
Nonce sensitivity
Nonce reuse catastrophic: reveals authentication key + XOR of plaintexts. Never reuse nonce with same key.
Parallelism
CTR mode parallelizes trivially. GHASH also parallelizable. Full throughput on multicore.