Galois/Counter mode (Galois is pronounced “GAL-wah”) encryption (“GCM mode”) is a block cipher mode of operation that combines confidentiality and data authentication. This means that the encrypted data cannot be undetectably altered.
GCM mode builds on the concepts introduced in CTR mode, and CTR mode should be reviewed first in order to understand GCM. As with CTR mode, GCM uses an IV/nonce and encrypts increasing counter values. But GCM extends the CTR operations to include a Message Authentication Code (MAC) calculation as a built-in part of the operation. The MAC, called a “tag” in GCM jargon, is verified during decryption. If it does not match, the data must be discarded.
As with CTR mode, the encryption process can be performed in parallel, and the calculation of the GCM tag can also be parallelized. Thus, AES-GCM is typically faster than AES-CTR combined with a serial MAC calculation such as HMAC.
GCM is most commonly used with AES; AES-GCM is normally used with a 12-byte IV and, as with CTR, this IV must not be reused under the same key. Moreover, for any key-IV pair, GCM is limited to encrypting 64 GB.
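The following Go program is an added example, not part of the original text, that ties the points above together using only the standard library (`crypto/aes`, `crypto/cipher`). It seals a message with AES-GCM and a 12-byte nonce, shows that decryption rejects a ciphertext with a single flipped bit or with altered associated data, and demonstrates that GCM's confidentiality layer is plain CTR mode by reproducing the ciphertext with `cipher.NewCTR` started at the counter block `nonce || 0x00000002` (counter value 1 is reserved for masking the tag). The key, nonce handling, message and helper names (`seal`, `open`, `ctrCore`, `xorBytes`) are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// GCM's preferred nonce length is 96 bits; the tag appended by Seal is 128 bits.
const (
	nonceSize = 12
	tagSize   = 16
)

// newNonce draws a fresh 96-bit nonce from the OS CSPRNG. A nonce must never be
// reused with the same key: two messages sealed under the same key and nonce
// share a keystream, so XORing their ciphertexts reveals the XOR of the plaintexts.
func newNonce() ([]byte, error) {
	nonce := make([]byte, nonceSize)
	_, err := rand.Read(nonce)
	return nonce, err
}

// seal returns ciphertext || tag. aad is authenticated but not encrypted.
func seal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// open verifies the tag over ciphertext and aad before returning any plaintext.
// On a mismatch it returns an error and nil, which the caller must treat as
// "discard the data".
func open(key, nonce, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, aad)
}

// ctrCore reproduces GCM's encryption step with plain CTR mode: for a 96-bit
// nonce the first counter block is nonce || 0x00000002. Its output equals the
// GCM ciphertext with the 16-byte tag removed.
func ctrCore(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	copy(iv, nonce)
	binary.BigEndian.PutUint32(iv[nonceSize:], 2)
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// xorBytes returns a XOR b for equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	// Constructed demo key; a real key comes from a KDF or a key store.
	key := bytes.Repeat([]byte{0x42}, 16)
	nonce, _ := newNonce()
	pt := []byte("transfer 100 to account 7")
	aad := []byte("msg-id:17")

	sealed, _ := seal(key, nonce, pt, aad)
	fmt.Printf("ciphertext||tag is %d bytes (%d + %d)\n", len(sealed), len(pt), tagSize)

	// Flipping one bit of the ciphertext is detected on decryption.
	tampered := append([]byte(nil), sealed...)
	tampered[0] ^= 0x01
	if _, err := open(key, nonce, tampered, aad); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}

	// Altering the associated data (here, the message id) is detected too.
	if _, err := open(key, nonce, sealed, []byte("msg-id:18")); err != nil {
		fmt.Println("wrong AAD rejected:", err)
	}
}
```

Because `Open` returns an error and no plaintext on tag mismatch, the "discard the data" rule from the text falls out of the API naturally: never consume a plaintext from a code path that ignores that error.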