How AES-GCM Achieves Authenticated Encryption

AES-GCM is called authenticated encryption because it protects both the confidentiality and the authenticity of a message in a single pass. Encryption uses AES in counter (CTR) mode: the 96-bit nonce is combined with a 32-bit block counter to form a sequence of counter blocks, each counter block is encrypted with AES to produce keystream, and the plaintext is XORed with that keystream to give the ciphertext. Because the keystream depends only on the key and the nonce, the nonce must be different for every message encrypted under a given key.

In parallel, GCM computes the authentication tag with GHASH, a polynomial hash over the finite field GF(2^128). The hash subkey H is derived from the encryption key as the AES encryption of an all-zero block. GHASH runs over the associated data (headers and other metadata that are authenticated but not encrypted), then the ciphertext, and finally a block encoding the bit lengths of both, multiplying the running value by H after each block. The nonce enters at the last step: the GHASH output is XORed with the AES encryption of the initial counter block (the nonce followed by a 32-bit counter value of 1), and the result is the 128-bit tag. Shorter tags are permitted by the standard, but 128 bits is the default and the only length that keeps the full security margin.

During decryption the receiver first recomputes the tag over the received associated data and ciphertext using the same key and nonce, and compares it with the received tag in constant time. Only if the two match does it regenerate the keystream and XOR it with the ciphertext to recover the plaintext. Any mismatch aborts the operation with an error and releases nothing, so tampered or forged data never reaches the application. Because the tag covers the ciphertext rather than the plaintext, a correct implementation, the Web Crypto API included, never hands back partial plaintext from a message whose tag failed.

Why the Tag Is Critical

The 128-bit tag gives strong forgery resistance: changing even one bit of the ciphertext, the associated data or the tag itself makes verification fail with overwhelming probability. This is what separates GCM from unauthenticated modes. In plain CTR, flipping a ciphertext bit flips the same bit of the decrypted plaintext, and in CBC an attacker can rearrange or alter blocks and use padding errors as an oracle, in both cases without the receiver noticing.

Performance and Parallelism

GCM is designed for high speed. Counter mode encrypts every block independently, so it parallelizes across cores and pipelines well, and GHASH can be computed with the carry-less multiply instructions (PCLMULQDQ on x86, PMULL on ARM) and AES instructions found in most modern CPUs. In the browser, the Web Crypto API runs on the platform's native cryptographic library and so benefits from the same optimizations; it is a one-shot API that processes a whole buffer per call, and even messages in the megabyte range are encrypted quickly in a single call.

Associated data is authenticated but not encrypted: it is sent in the clear and anyone can read it, but the tag binds it to the ciphertext, so it cannot be altered without detection. This is the place for metadata the receiver must see before decrypting, such as a message timestamp, a sender identifier, a protocol version or a key identifier. Binding that context to the ciphertext also stops a valid message from being accepted in a different context, for example a message meant for one recipient being replayed to another.

Security Properties

AES-GCM is a nonce-based AEAD scheme: it provides IND-CPA confidentiality and INT-CTXT integrity, and therefore IND-CCA2 security, as long as no nonce is ever repeated with the same key. Nonce reuse is catastrophic rather than a gradual weakening: the keystream repeats, so the XOR of two ciphertexts reveals the XOR of the two plaintexts, and the repeated nonce also leaks enough about the hash subkey to let an attacker forge tags for that key. With random 96-bit nonces, NIST SP 800-38D limits a single key to 2^32 messages to keep the collision probability negligible. The 128-bit tag means a single forgery attempt succeeds with probability of roughly 2^-128 (rising to about l/2^128 for a message of l blocks), so an attacker would need on the order of 2^128 attempts, each of which is detectable; that is far beyond current technology.

This combination of confidentiality, integrity, and efficiency explains why AES-256-GCM has become the default choice for secure client-side data protection in web applications.

Mastering how the tag and nonce work together is essential for using AES-GCM correctly and securely.