Paper 2004/193

The Security and Performance of the Galois/Counter Mode of Operation (Full Version)

David A. McGrew and John Viega


The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.

Note: Revised to incorporate suggestions from reviewers. This document is the full version of the paper; an extended abstract is to appear at INDOCRYPT '04.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
mcgrew @ cisco com
2004-10-07: revised
2004-08-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {David A.  McGrew and John Viega},
      title = {The Security and Performance of the Galois/Counter Mode of Operation (Full Version)},
      howpublished = {Cryptology ePrint Archive, Paper 2004/193},
      year = {2004},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.