GCM (Galois Counter Mode) is a is a mode of operation for symmetric-key cryptographic block cipher widely adopted for its performance.

GCM is:

• Extremely fast.
• Patent-free.
• Spported as a TLS ciphersuite.
• Supported by OpenSSL.
• Supported by Crypto++.

• GCM is CTR mode encryption with the addition of a Carter-Wegman MAC set in a Galois field.
• Implementing GCM is a hassle in a way that most other AEADs (Authenticated Encryption with Associated Data) are not. But if you have someone else’s implementation — say OpenSSL’s — it’s a perfectly lovely mode.

GCM has two authentication weaknesses.

1. The first weakness is that an n-bit tag provides only n − k bits of authentication security when messages are 2 k blocks long.
   • Competing modes do not have this problem, or have it only when n = 128, in which case the practical effect is minimal.
2. A successful forgery immediately reveals information about the authen­tication key.
   • This weakness exacerbates the consequences of the first one, and leads to a complete loss of authentication security.