Cryptology ePrint Archive: Report 2004/193

The Security and Performance of the Galois/Counter Mode of Operation (Full Version)

David A. McGrew and John Viega

Abstract: The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.

Category / Keywords: secret-key cryptography /

Date: received 10 Aug 2004, last revised 7 Oct 2004

Contact author: mcgrew at cisco com

Available format(s): PDF | BibTeX Citation

Note: Revised to incorporate suggestions from reviewers. This document is the full version of the paper; an extended abstract is to appear at INDOCRYPT '04.

Version: 20041007:171853 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]