Some days ago, we had an interesting discussion about Galois/Counter Mode (GCM). While I cannot expose the exact context, instead I like to share some comments about that matter here.

GCM is a way to operate with symmetric-key cryptographic like AES. Also, GCM is a NIST standard, which is why I would generally avoid a recommendation here. The reason is that we knew since Edwards Snowden relation that the NSA has jasperized standards. Here is an example regarding GCM:

Polynomial MACs violate intuitive expected properties of cryptosystems, and are so finicky to work with that even the specification for AES-GCM contained invalid proofs of its security.


Given all these great features, you might ask: why does everyone hate GCM? In truth, the only people who hate GCM are those who’ve had to implement it. You see, GCM is CTR mode encryption with the addition of a Carter-Wegman MAC set in a Galois field. If you just went ‘sfjshhuh?’, you now understand what I’m talking about. Implementing GCM is a hassle in a way that most other AEADs are not. But if you have someone else’s implementation — say OpenSSL’s — it’s a perfectly lovely mode.

Within the community, there were some upheavals regarding this topic, also because there was a recommendation in between not to use AES-GCM for OpenSSH. The problem at this point is that some information such as the packet are not encrypted. There are also issues with GCM when the amount of data is larger than the actual block size.

The security of the connection depends on the quality of the random numbers. As soon as an IV or nonce is reused, the security of the connection is no longer guaranteed! It is then possible to decrypt the data streams that have gone before, I think.

In the end, the responsibility lies with the implementation, if OpenSSL is used here, it can be okay?

The advantage of GCM lies in the independence of the respective steps, which can be carried out in parallel without putting it into hardware. Completely in contrast to AES.

The real question is how much you trust the implementation to screw with their random numbers. Please take all of this with a grain of salt. I’m not a cryptographer, just very interested in the topic.

Best regards, akendo