AES-GCM Encryption Explained

Learn how AES-GCM encryption works, why it provides both confidentiality and authenticity, and how to use it with the Web Crypto API.

Detailed Explanation

AES-GCM: Authenticated Encryption in One Step

AES-GCM (Advanced Encryption Standard in Galois/Counter Mode) is a widely adopted authenticated encryption algorithm. It simultaneously encrypts data and produces an authentication tag, ensuring both confidentiality and integrity in a single operation.

How GCM Works

GCM combines two cryptographic operations:

  1. CTR mode encryption — A counter block is encrypted with AES and XORed with each plaintext block, producing ciphertext.
  2. GHASH authentication — A Galois field multiplication computes an authentication tag over the ciphertext and any additional authenticated data (AAD).

Plaintext  ──▶  AES-CTR Encrypt  ──▶  Ciphertext
                     │
Ciphertext + AAD ──▶ GHASH ──▶ Authentication Tag (128-bit)

The authentication tag is typically 128 bits (16 bytes) and is appended to the ciphertext. During decryption, the tag is recomputed and compared — if it does not match, decryption fails and no plaintext is returned.

The Initialization Vector (IV)

AES-GCM requires a 96-bit (12-byte) IV (also called a nonce). The critical rule is: never reuse an IV with the same key. IV reuse in GCM is catastrophic — it allows an attacker to recover the authentication key and forge messages.

For most applications, generating a random 12-byte IV with crypto.getRandomValues() for each encryption operation is sufficient, as the probability of collision is negligible for reasonable message counts.

Key Sizes

AES-GCM supports three key sizes:

  • 128-bit — Fast, sufficient for most applications
  • 192-bit — Rarely used in practice
  • 256-bit — Required for classified data (NSA Suite B), provides larger security margin

Web Crypto API Usage

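// Top-level await: run this inside an ES module or an async function.
// Generate a 256-bit AES-GCM key (extractable, usable for encrypt and decrypt).
const key = await crypto.subtle.generateKey(
  { name: "AES-GCM", length: 256 },
  true,
  ["encrypt", "decrypt"]
);

// encrypt() takes bytes, so encode the string first (sample message).
const plaintext = new TextEncoder().encode("Hello, world");

// Fresh random 96-bit IV for every encryption under this key.
const iv = crypto.getRandomValues(new Uint8Array(12));

// The result is an ArrayBuffer: the ciphertext with the 16-byte tag appended.
const ciphertext = await crypto.subtle.encrypt(
  { name: "AES-GCM", iv },
  key,
  plaintext
);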
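
The tag check and AAD binding described above, as an added example that is not code from the original page: it stores the IV in front of the ciphertext-plus-tag, then shows that a single flipped bit or a different AAD makes decryption fail. The names getCrypto, gcmSeal, gcmOpen and demo, and the sample message and AAD values, are assumptions made for this example.

```javascript
// Works in browsers and in Node.js (falls back to node:crypto's webcrypto).
async function getCrypto() {
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

// Encrypt and return IV || ciphertext || tag as one Uint8Array. The IV is not
// secret; it only has to be unique per key, so it travels with the message.
async function gcmSeal(key, plaintextBytes, aadBytes) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV per message
  const ct = new Uint8Array(await c.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: aadBytes, tagLength: 128 },
    key, plaintextBytes));
  const out = new Uint8Array(iv.length + ct.length);
  out.set(iv, 0);
  out.set(ct, iv.length);
  return out;
}

// Decrypt; returns the plaintext bytes, or null when authentication fails.
async function gcmOpen(key, sealed, aadBytes) {
  if (sealed.length < 12 + 16) return null; // cannot hold an IV and a tag
  const c = await getCrypto();
  try {
    return new Uint8Array(await c.subtle.decrypt(
      { name: "AES-GCM", iv: sealed.slice(0, 12), additionalData: aadBytes, tagLength: 128 },
      key, sealed.slice(12)));
  } catch (e) {
    if (e.name === "OperationError") return null; // tag mismatch: no plaintext released
    throw e;
  }
}

// Constructed sample message and AAD; flips one ciphertext bit and swaps the AAD.
async function demo() {
  const c = await getCrypto();
  const enc = new TextEncoder();
  const key = await c.subtle.generateKey({ name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
  const aad = enc.encode("msg-id:42");
  const sealed = await gcmSeal(key, enc.encode("transfer 100 to alice"), aad);
  const flipped = sealed.slice();
  flipped[12] ^= 0x01; // first ciphertext byte
  return {
    length: sealed.length, // 12 (IV) + 21 (message) + 16 (tag)
    text: new TextDecoder().decode(await gcmOpen(key, sealed, aad)),
    tampered: await gcmOpen(key, flipped, aad),
    wrongAad: await gcmOpen(key, sealed, enc.encode("msg-id:43")),
  };
}
demo().then(console.log);
```

The AAD is authenticated but not encrypted or stored in the output, so the receiver must supply the same bytes from its own context for the tag to verify.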

Advantages of GCM

  • Single-pass — Encryption and authentication happen simultaneously, making it faster than encrypt-then-MAC schemes
  • Parallelizable — Both CTR encryption and GHASH can process blocks in parallel
  • Hardware acceleration — AES-NI and CLMUL instructions on modern CPUs accelerate GCM significantly
  • AEAD — No need to separately manage a MAC algorithm

Use Case

AES-GCM is the default choice for modern application-layer encryption. It powers TLS 1.3 cipher suites, encrypts data in cloud storage services (AWS S3, Google Cloud Storage), protects API payloads, and secures local data in browser applications using the Web Crypto API. Any time you need to encrypt data and verify it has not been tampered with, AES-GCM is the recommended algorithm.
