GCM vs CBC Mode Comparison
Detailed comparison of AES-GCM and AES-CBC encryption modes. Covers authentication, performance, padding, parallelism, vulnerability profiles, and migration guidance. Interactive demo available.
Detailed Explanation
GCM vs CBC: Choosing the Right AES Mode
AES-GCM and AES-CBC are the two most commonly encountered AES modes of operation. They differ significantly in security properties, performance characteristics, and implementation complexity.
Fundamental Difference
AES-CBC provides only confidentiality — it encrypts data but does not detect tampering. A separate MAC (like HMAC-SHA256) must be added for integrity.
AES-GCM provides authenticated encryption — confidentiality and integrity are guaranteed in a single operation. Tampered ciphertext is rejected automatically.
Security Properties Comparison
| Property | AES-CBC | AES-GCM |
|---|---|---|
| Confidentiality | Yes | Yes |
| Integrity | No (needs MAC) | Yes (built-in) |
| Padding required | Yes (PKCS#7) | No |
| Padding oracle risk | Yes | N/A |
| IV requirement | Unpredictable (random) | Unique (random or counter) |
| IV reuse impact | Leaks common prefix | Catastrophic (key recovery) |
| Ciphertext malleability | Yes | No |
Performance
GCM is significantly faster than CBC for several reasons:
Parallelism — GCM's counter mode allows encrypting all blocks simultaneously. CBC is inherently sequential because each block depends on the previous ciphertext.
No padding — GCM operates as a stream cipher (via CTR mode), so no padding overhead or processing is needed.
Hardware acceleration — Modern CPUs have dedicated instructions for both AES (AES-NI) and GCM's polynomial multiplication (PCLMULQDQ/CLMUL).
Benchmark (AES-256, 1 MB data, modern CPU with AES-NI):
CBC encrypt: ~800 MB/s (sequential)
GCM encrypt: ~4,500 MB/s (parallel + CLMUL)
CBC + HMAC-SHA256: ~600 MB/s (encrypt + MAC)
Decryption Parallelism
Interestingly, CBC decryption is parallelizable (each block only needs the previous ciphertext block, which is already known). But CBC encryption remains sequential. GCM is parallel in both directions.
Migration from CBC to GCM
When migrating existing systems from CBC to GCM:
- Verify IV generation — GCM IVs must never repeat. If your CBC implementation reused predictable IVs, the same code for GCM would be catastrophic
- Remove padding code — GCM does not use PKCS#7 padding
- Handle the authentication tag — GCM produces a 16-byte tag that must be stored with the ciphertext
- Update ciphertext format — The stored format changes:
IV + Ciphertext + Taginstead ofIV + Ciphertext - Plan for backward compatibility — Existing CBC-encrypted data still needs to be decryptable during migration
When CBC Is Still Appropriate
- Legacy system compatibility (older hardware/software that does not support GCM)
- Disk encryption with specific sector requirements (XTS mode is often preferred, but CBC variants exist)
- Regulatory requirements that specifically mandate CBC (rare but exists)
Recommendation
For all new applications, use AES-GCM (or ChaCha20-Poly1305 as an alternative). The built-in authentication eliminates an entire class of implementation errors that plague CBC deployments.
Use Case
The GCM vs CBC decision arises in security architecture reviews, compliance audits, and system migration projects. Teams upgrading from TLS 1.0/1.1 (CBC-based) to TLS 1.3 (GCM/ChaCha20 only) need to understand the differences. Application developers choosing encryption modes for data-at-rest encryption, database field encryption, or API payload protection should understand why GCM is recommended over CBC for new implementations.