cryptography

Definition

Galois-Counter Mode

Galois-Counter mode (GCM) is an authenticated encryption mode for a block cipher. It combines counter-mode (CTR) encryption with an authentication mechanism based on Galois-field multiplication, so that a single pass produces both ciphertext and an authentication tag.

Mechanism

For confidentiality, GCM uses a CTR-like keystream construction. For integrity, it computes an authentication tag over the ciphertext and associated data.

A receiver accepts the decrypted plaintext only if the authentication tag verifies.

Modified ciphertext

If an attacker flips one ciphertext bit, the CTR part decrypts it to a plaintext with the corresponding bit flipped, since CTR is a pure XOR keystream. However, the authentication tag computed over the modified ciphertext no longer matches the transmitted one, so the receiver rejects the message instead of acting on the altered plaintext.

Nonce

GCM requires a unique nonce for each encryption under the same key. Reusing a nonce can break both confidentiality and integrity.

Why it stops the attack

GCM prevents the ciphertext malleability of unauthenticated modes such as plain CTR: any change to the ciphertext, the associated data, or the tag itself causes tag verification to fail, and the decryption routine returns an error rather than plaintext.

Preventing a field rewrite

Suppose an attacker wants to change an encrypted field from logs to flag. In plain CTR mode, this can be done by XORing the ciphertext with the corresponding difference. In GCM, the modified ciphertext no longer matches its authentication tag, so verification fails and the message is rejected.
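The field rewrite above carried through in Go, as an added example that is not part of the original text: the same XOR tweak is applied to an AES-CTR ciphertext, where the receiver silently decrypts `file=flag`, and to an AES-GCM ciphertext, where `Open` fails the tag check and returns no plaintext. The key, nonce, record layout and associated data are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed AES-256 key and 12-byte nonce; never reuse a nonce under one key.
var key = []byte("0123456789abcdef0123456789abcdef")
var nonce = []byte("unique-nonce")

// xorField XORs ciphertext bytes at offset with (oldVal XOR newVal): the raw-CTR field rewrite.
func xorField(ct []byte, offset int, oldVal, newVal string) []byte {
	out := append([]byte(nil), ct...)
	for i := 0; i < len(oldVal); i++ {
		out[offset+i] ^= oldVal[i] ^ newVal[i]
	}
	return out
}

// ctrRewrite encrypts msg with AES-CTR, applies the tweak, and returns what
// the receiver decrypts: with no tag, the rewritten field is silently accepted.
func ctrRewrite(msg string, offset int, oldVal, newVal string) string {
	block, _ := aes.NewCipher(key)
	iv := make([]byte, aes.BlockSize) // counter block: nonce padded to 16 bytes
	copy(iv, nonce)
	ct := make([]byte, len(msg))
	cipher.NewCTR(block, iv).XORKeyStream(ct, []byte(msg))
	pt := make([]byte, len(msg))
	cipher.NewCTR(block, iv).XORKeyStream(pt, xorField(ct, offset, oldVal, newVal))
	return string(pt)
}

// gcmRewrite applies the same tweak under AES-GCM. Open recomputes the tag over
// ciphertext and associated data, sees a mismatch, and returns an error, no plaintext.
func gcmRewrite(msg string, offset int, oldVal, newVal string) (string, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	ad := []byte("record-v1") // constructed associated data, also covered by the tag
	sealed := aead.Seal(nil, nonce, []byte(msg), ad) // ciphertext || 16-byte tag
	pt, err := aead.Open(nil, nonce, xorField(sealed, offset, oldVal, newVal), ad)
	return string(pt), err
}

func main() {
	fmt.Println("CTR accepts:", ctrRewrite("file=logs", 5, "logs", "flag"))
	_, err := gcmRewrite("file=logs", 5, "logs", "flag")
	fmt.Println("GCM rejects:", err)
}
```

A receiver must treat the error from `Open` as a hard failure; GCM's protection only holds if no code path uses plaintext from a message whose tag did not verify.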