Jay Taylor's notes


What is the difference between CBC and GCM mode?

Original source (crypto.stackexchange.com)
Tags: encryption ciphers cbc gcm crypto.stackexchange.com
Clipped on: 2016-10-09

I am trying to learn more about GCM mode and how it differs from CBC. I already know that GCM provides a MAC which is used for message authentication. From what I have read and seen in code snippets, GCM does an exclusive-or much like CBC, but I'm not sure what the exclusive-or is against. In CBC mode, the exclusive-or is plaintext against the previous ciphertext block, except for the first block which uses a random IV. Does GCM do the same, or does it do the exclusive-or against something else? If so, can someone please briefly explain how GCM uses the IV and how the exclusive-or is done.

asked Apr 8 '12 at 23:20
Bob Bryan
If you disregard authentication, GCM behaves like CTR mode, not like CBC mode. Look those up on wikipedia. – CodesInChaos Apr 8 '12 at 23:30
Just because it isn't defined on this page... GCM = Galois/Counter Mode, and CBC = Cipher Block Chaining... other definitions include MAC (Message Authentication Code), IV (Initialisation Vector), and CTR (CounTeR Mode). – Craig Francis Mar 4 at 10:53
Accepted answer (30 votes)

GCM and CBC modes internally work quite differently; they both involve a block cipher and an exclusive-or, but they use them in different ways.

In CBC mode, you encrypt a block of data by taking the current plaintext block and exclusive-oring that with the previous ciphertext block (or IV), and then sending the result of that through the block cipher; the output of the block cipher is the ciphertext block.

GCM mode provides both privacy (encryption) and integrity. To provide encryption, GCM maintains a counter; for each block of data, it sends the current value of the counter through the block cipher. Then, it takes the output of the block cipher, and exclusive or's that with the plaintext to form the ciphertext.

Note two key differences:

  • What's being exclusive-or'ed; in CBC mode, the plaintext is exclusive-or'ed with data that the attacker knows (the IV or a previous ciphertext block); hence, that in itself does not provide any inherent security (instead, we do it to minimize the chance that we send the same block twice through the block cipher). In GCM mode, the plaintext is exclusive-or'ed with output from the block cipher; it is inherent in the security model that the attacker cannot guess that output (unless he already knows the plaintext and the ciphertext).

  • What's being sent through the block cipher; in CBC mode, the plaintext is sent through the block cipher (after it's been 'randomized' with an exclusive-or); in GCM mode, what's being sent through the block cipher doesn't actually depend on the data being encrypted, but instead only on internal state.

As for how GCM uses an IV (I personally consider 'nonce' a better term for what GCM uses, because that emphasizes the idea that with GCM, you cannot use the same nonce for the same key twice), well, it is used to initialize the counter.

answered Apr 9 '12 at 2:42
poncho
Very interesting... If I understand correctly, you are saying that in GCM mode the ciphertext of a block is exclusive-or'ed against the plaintext that was just put through the cipher and that block is then sent. If this is true, then how is that block decrypted? Isn't the ciphertext from the AES (for example) encryption required to decrypt the data? How is that obtained? Also, if the original encrypted text is obtained, then it could be used to exclusive-or the sent ciphertext which would return the plaintext and would not need further decryption... I'm missing something... – Bob Bryan Apr 9 '12 at 4:23
No, in GCM, we take a counter, send that through the block cipher, and then exclusive-or that with the plaintext to form the ciphertext. On the decryption side, we maintain the same counter, send that through the block cipher, and then exclusive-or that with the ciphertext to form the plaintext. – poncho Apr 9 '12 at 12:41
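
The two data flows described in the answer and its comments, as an added example that is not part of the original thread. Assumptions: a toy 4-round Feistel permutation built from HMAC-SHA256 stands in for AES so the code runs with the standard library only, GCM's authentication tag (GHASH) and CBC padding are omitted, and all function names and sample values are constructed for illustration.

```python
import hashlib, hmac, struct

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(key, i, half):
    # Feistel round function: HMAC-SHA256 truncated to 8 bytes (stand-in, not AES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def E(key, block):
    # Toy invertible 16-byte block cipher, used where a real system would call AES.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, F(key, i, r))
    return l + r

def D(key, block):
    # Inverse of E: undo the Feistel rounds in reverse order.
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, F(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    # CBC: XOR plaintext with the previous ciphertext block (or IV), then encrypt.
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = E(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    # CBC decryption needs the inverse cipher D, then the XOR with the prior block.
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(D(key, c), prev) for prev, c in zip(blocks, blocks[1:]))

def gcm_ctr(key, nonce, data):
    # GCM's encryption layer: encrypt (96-bit nonce || 32-bit counter) and XOR the
    # result with the data. Counter 1 is reserved for the tag, so data starts at 2.
    # The same function decrypts, and only E is ever used (never D).
    out = b""
    for n, i in enumerate(range(0, len(data), BLOCK), start=2):
        keystream = E(key, nonce + struct.pack(">I", n))
        out += xor(data[i:i + BLOCK], keystream)
    return out

# Constructed sample values, for illustration only.
KEY, IV, NONCE = b"k" * 16, b"i" * 16, b"n" * 12
```

Calling `gcm_ctr` twice with the same key and nonce reuses the same keystream, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; this is the reason the answer stresses that a nonce must never repeat under one key.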

site design / logo © 2016 Stack Exchange Inc; user contributions licensed under cc by-sa 3.0 with attribution required