
Ciphers - GCM

GCM (Galois/Counter Mode) is a mode of operation for symmetric-key block ciphers, widely adopted for its performance.

It is an authenticated encryption with associated data (AEAD) algorithm: it provides both confidentiality and data authenticity (integrity) for the message, and authenticity for any additional associated data that is sent in the clear.

GCM is defined for block ciphers with a block size of 128 bits; in practice the cipher is almost always AES (AES-GCM).


Pros

GCM:

  • is extremely fast;
  • is patent-free;
  • can take full advantage of parallel processing, since the CTR keystream blocks are independent of one another;
  • makes efficient use of an instruction pipeline or a hardware pipeline;
  • is supported as a TLS ciphersuite;
  • is supported by OpenSSL;
  • is supported by Crypto++.

Cons

  • GCM is CTR mode encryption with the addition of a Carter-Wegman MAC (GHASH) computed in the Galois field GF(2^128). Both halves are nonce-sensitive: reusing a nonce under the same key reveals the XOR of the two plaintexts through CTR and lets an attacker recover the hash subkey H through GHASH, after which tags can be forged at will.
  • Implementing GCM yourself is a hassle in a way that most other AEADs (Authenticated Encryption with Associated Data) are not: the GF(2^128) multiplication must be both correct and constant-time. But if you use someone else's implementation, say OpenSSL's, it is a perfectly lovely mode.

GCM has two authentication weaknesses, described by Niels Ferguson in his 2005 comments to NIST, "Authentication weaknesses in GCM".

  1. The first weakness is that an n-bit tag provides only n − k bits of authentication security (a single forgery attempt succeeds with probability about 2^(k−n)) when messages are 2^k blocks long. This is why truncated 32- and 64-bit tags are only permitted under the message-length and invocation limits of NIST SP 800-38D Appendix C; in practice, keep the full 128-bit tag.
    • Competing modes do not have this problem, or have it only when n = 128, in which case the practical effect is minimal.

  2. A successful forgery immediately reveals information about the authentication key (the GHASH subkey H).
    • This weakness exacerbates the first one: each lucky forgery against a short tag leaks bits of H and makes further forgeries progressively easier, leading to a complete loss of authentication security.
ciphers/gcm.txt · Last modified: 2020/07/15 10:30 by 127.0.0.1
