GCM = CTR + GHASH

Encryption: AES in counter mode. Authentication: GHASH — polynomial evaluation in GF(2^128).

Advertisement

Nonce sensitivity

Nonce reuse catastrophic: reveals authentication key + XOR of plaintexts. Never reuse nonce with same key.

Advertisement

Parallelism

CTR mode parallelizes trivially. GHASH also parallelizable. Full throughput on multicore.