Paper 2024/1111

Collision Attacks on Galois/Counter Mode (GCM)

John Preuß Mattsson, Ericsson Research

Advanced Encryption Standard Galois/Counter Mode (AES-GCM) is the most widely used Authenticated Encryption with Associated Data (AEAD) algorithm in the world. In this paper, we analyze the use of GCM with all the Initialization Vector (IV) constructions and lengths approved by NIST SP 800-38D when encrypting multiple plaintexts with the same key. We derive attack complexities in both ciphertext-only and known-plaintext models, with or without nonce hiding, for collision attacks compromising integrity and confidentiality. Our analysis shows that GCM with random IVs provides less than 128 bits of security. When 96-bit IVs are used, as recommended by NIST, the security drops to less than 97 bits. Therefore, we strongly recommend that NIST forbid the use of GCM with 96-bit random nonces.
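The abstract's concern is that random IVs collide at the birthday bound. As an added illustration (not code from the paper, and not the paper's attack-complexity analysis), the block below computes the standard birthday-bound estimate for nonce repetition among q uniformly random n-bit nonces under one key, and inverts it to give the number of messages a deployment can send before the repetition probability exceeds a chosen threshold. The function names and the 2^-32 threshold used in the usage call are this example's own choices.

```python
import math


def nonce_collision_probability(q: int, nonce_bits: int) -> float:
    """Probability that at least two of q uniformly random nonce_bits-bit
    nonces coincide. Uses the standard birthday approximation
    1 - exp(-q(q-1) / 2^(n+1)), which is tight while q is far below 2^n.
    expm1 keeps precision when the probability is tiny."""
    if q < 2:
        return 0.0
    exponent = -(q * (q - 1)) / 2.0 ** (nonce_bits + 1)
    return -math.expm1(exponent)


def max_messages_for_probability(p: float, nonce_bits: int) -> int:
    """Largest message count q whose collision probability stays at or
    below p, obtained by inverting the approximation above:
    q^2 ~= -ln(1 - p) * 2^(n+1)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    target = -math.log1p(-p) * 2.0 ** (nonce_bits + 1)
    return math.isqrt(int(target))


def security_bits_against_collision(q: int, nonce_bits: int) -> float:
    """-log2 of the collision probability for q messages: how many bits of
    'luck' an observer of q ciphertexts is short of a guaranteed repeat."""
    p = nonce_collision_probability(q, nonce_bits)
    return math.inf if p == 0.0 else -math.log2(p)


if __name__ == "__main__":
    # Constructed scenario: 2^32 messages under one key with 96-bit random IVs.
    q = 2 ** 32
    for n in (96, 128):
        print(f"n={n:3d} bits, q=2^32: P[collision] = "
              f"{nonce_collision_probability(q, n):.3e}, "
              f"{security_bits_against_collision(q, n):.1f} bits of margin")
    # Messages allowed before the repeat probability exceeds 2^-32.
    print("q for P <= 2^-32 with 96-bit random IVs:",
          max_messages_for_probability(2 ** -32, 96))
```

With 96-bit random nonces the probability of a repeat after 2^32 messages is already about 2^-33, so the margin shrinks quadratically with message count rather than staying near the 96-bit nonce length; the same q against a 128-bit random space is 2^32 times less likely to repeat. Run the module directly to print these figures for the constructed scenario.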

Keywords: Secret-key Cryptography, Block Ciphers, Cryptanalysis, Collision Attacks, AEAD, MAC, GCM, GMAC
Contact author(s): john mattsson @ ericsson com
2024-07-10: approved
2024-07-08: received
License: Creative Commons Attribution

BibTeX citation:

@misc{cryptoeprint:2024/1111,
      author = {John Preuß Mattsson},
      title = {Collision Attacks on Galois/Counter Mode ({GCM})},
      howpublished = {Cryptology ePrint Archive, Paper 2024/1111},
      year = {2024},
      note = {\url{}},
      url = {}
}