📝Galois/Counter Mode (GCM) and GMAC

Encryption is the same as Counter (CTR) mode but adds Galois field multiplication to compute message authentication code.

MAC algorithm

• encrypt 128 bits of zeros, run through GHASH

• xor/ghash with non-encrypted AD (Authentication Data) (optional)

• xor/ghash with ciphertext

• xor/ghash with concatenated length of AD (64 bit) and Plaintext (64 bit)

• finally, xor with encrypted initialization vector + counter 0

• the result is authentication tag

GHASH is a multiplication (in Galois Field) by H (= E_k(0¹²⁸) ) (encrypted zeros)