92

I am trying to learn more about GCM mode and how it differs from CBC. I already know that GCM provides a MAC, which is used for message authentication. From what I have read and from the code snippets I've seen, GCM does an exclusive-or much like CBC, but I'm unsure what the exclusive-or is against.

In CBC mode, the exclusive-or is plaintext against the previous ciphertext block, except for the first block, which uses a random IV. Does GCM do the same, or does it do the exclusive-or against something else? If so, can someone please briefly explain how GCM uses the IV and how the exclusive-or is done.

Patriot
Bob Bryan

  • If you disregard authentication, GCM behaves like CTR mode, not like CBC mode. Look those up on wikipedia. – CodesInChaos Apr 08 '12 at 23:30
  • Just because it isn't defined on this page... GCM = Galois/Counter Mode, and CBC = Cipher Block Chaining... other definitions include MAC (Message Authentication Code), IV (Initialisation Vector), and CTR (CounTeR Mode). – Craig Francis Mar 04 '16 at 10:53

2 Answers

108

GCM and CBC modes internally work quite differently; they both involve a block cipher and an exclusive-or, but they use them in different ways.

In CBC mode, you encrypt a block of data by taking the current plaintext block and exclusive-oring that with the previous ciphertext block (or IV), and then sending the result of that through the block cipher; the output of the block cipher is the ciphertext block.

GCM mode provides both privacy (encryption) and integrity. To provide encryption, GCM maintains a counter; for each block of data, it sends the current value of the counter through the block cipher. Then, it takes the output of the block cipher, and exclusive-ors that with the plaintext to form the ciphertext.

Note two key differences:

  • What's being exclusive-or'ed; in CBC mode, the plaintext is exclusive-or'ed with data that the attacker knows (the IV or a previous ciphertext block); hence, that in itself does not provide any inherent security (instead, we do it to minimize the chance that we send the same block twice through the block cipher). In GCM mode, the plaintext is exclusive-or'ed with output from the block cipher; it is inherent in the security model that the attacker cannot guess that output (unless he already knows the plaintext and the ciphertext).

  • What's being sent through the block cipher; in CBC mode, the plaintext is sent through the block cipher (after it's been 'randomized' with an exclusive-or); in GCM mode, what's being sent through the block cipher doesn't actually depend on the data being encrypted, but instead only on internal state.

As for how GCM uses an IV (I personally consider 'nonce' a better term for what GCM uses, because that emphasizes the idea that with GCM, you cannot use the same nonce for the same key twice), well, it is used to initialize the counter.

poncho

  • Very interesting... If I understand correctly, you are saying that in GCM mode the ciphertext of a block is exclusive-or'ed against the plaintext that was just put through the cipher and that block is then sent. If this is true, then how is that block decrypted? Isn't the ciphertext from the AES (for example) encryption required to decrypt the data? How is that obtained? Also, if the original encrypted text is obtained, then it could be used to exclusive-or the sent ciphertext which would return the plaintext and would not need further decryption... I'm missing something... – Bob Bryan Apr 09 '12 at 04:23
  • No, in GCM, we take a counter, send that through the block cipher, and then exclusive-or that with the plaintext to form the ciphertext. On the decryption side, we maintain the same counter, send that through the block cipher, and then exclusive-or that with the ciphertext to form the plaintext. – poncho Apr 09 '12 at 12:41
  • @poncho So in GCM we don’t need the “decryption” part of the block cipher? Because we use “encryption” on both sides. – Franklin Yu Feb 28 '18 at 04:51
  • @FranklinYu: that is correct – poncho Feb 28 '18 at 13:40
  • If you use the same nonce twice with the same key, you open yourself up to ... what attack? – Robert Siemer Apr 19 '18 at 00:38
  • @RobertSiemer: two attacks: a) the attacker gains a significant amount of information about the two messages encrypted with the same nonce (possibly enough to deduce both contents), and b) the attacker gains information that would allow him to alter messages without being detected – poncho Apr 19 '18 at 13:18
  • @poncho Note: the IV is required to be random, which is crucial for encryption schemes to achieve semantic security. Re-using the IV makes it systematic. Thus, the second time you use the same IV, it would no longer be an IV. On the other hand, a nonce is not required to be random. It can be an arbitrary value, e.g. "nonce number two", which is not random. – Elis Byberi Mar 06 '20 at 14:09
  • Doesn't this mean that if the first block of plaintext is known or can be guessed, that the whole thing can be unraveled? – David A. Gray May 02 '20 at 15:40
  • @DavidA.Gray: no, it doesn't (either for CBC or GCM); in fact, the attacker could know all but one of the bits of the plaintext, and he still won't be able to recover that last bit. How did you come to the conclusion that knowing the first block of plaintext would allow him to deduce anything more? – poncho May 02 '20 at 15:50
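To make the counter-mode half of the answer above concrete, here is an added example in Python; it is not code from the question or the answer. It has no AES dependency: `block_cipher` is a constructed stand-in (HMAC-SHA256 truncated to 16 bytes) for the block cipher, so the ciphertexts are not real AES-GCM output, but the structure is the one GCM uses with a 96-bit nonce: the counter block is nonce || 32-bit counter, starting at 2 for the first data block (value 1 is reserved for the tag), the counter block goes through the cipher in the forward direction, and the output is XORed with the plaintext. Decryption is literally the same function, which is why no inverse cipher is needed, and the last function shows what reusing a nonce under one key gives away, which is the point of the comments on nonce reuse.

```python
import hmac
import hashlib
import struct

BLOCK = 16  # 128-bit blocks, as in AES-GCM


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the block cipher (hypothetical, not AES).

    GCM only ever calls the cipher in the forward direction, so any keyed
    16-byte-to-16-byte function is enough to show the structure.  Here it is
    HMAC-SHA256 truncated to 16 bytes; its outputs are not real AES outputs.
    """
    if len(block) != BLOCK:
        raise ValueError("block cipher input must be one 16-byte block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def counter_block(nonce: bytes, counter: int) -> bytes:
    """96-bit nonce || 32-bit big-endian counter: the GCM counter block layout."""
    if len(nonce) != 12:
        raise ValueError("GCM's standard nonce is 96 bits")
    return nonce + struct.pack(">I", counter & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def gctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """GCM's encryption layer: E_K(counter block) XOR data, block by block.

    Data blocks start at counter value 2; counter value 1 (nonce || 0^31 || 1)
    is reserved for masking the authentication tag.  The same function
    decrypts, because XORing the same keystream twice cancels out.
    """
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_cipher(key, counter_block(nonce, 2 + i // BLOCK))
        # A short final block simply uses the leading bytes of the keystream.
        out += xor_bytes(data[i:i + BLOCK], keystream)
    return bytes(out)


encrypt = gctr
decrypt = gctr  # the forward direction of the cipher on both sides


def nonce_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Why the nonce must never repeat under one key.

    Two ciphertexts made with the same key and nonce share the same keystream,
    so XORing them cancels it and leaves P1 XOR P2: the relationship between
    the plaintexts is exposed without the key ever being recovered.
    """
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    key = b"constructed-demo-key-16b"      # constructed sample key
    nonce = b"\x01" * 12                   # constructed sample nonce; must be unique per key
    p1 = b"first message, longer than one block"
    p2 = b"second message under the same nonce"
    c1 = encrypt(key, nonce, p1)
    print("roundtrip ok:", decrypt(key, nonce, c1) == p1)
    c2 = encrypt(key, nonce, p2)           # the mistake: same key, same nonce
    print("C1 xor C2 == P1 xor P2:", nonce_reuse_leak(c1, c2) == xor_bytes(p1, p2))
```

Note that nothing in this layer checks integrity: flipping a ciphertext bit flips the same plaintext bit on decryption. That is what the GHASH tag described in the other answer is for, and a receiver must verify the tag before using any of the decrypted bytes.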
0

As we know, a common method for encrypting data is to divide the plaintext into blocks and XOR the plaintext with a pseudo-random string; this is what CBC does.

In GCM, the IV is 96 bits and is a nonce, so the first counter block is the IV followed by the 32-bit number '1': $IV \parallel 1$. Here the pseudo-random string is generated by encrypting (here with AES-256) the output of a counter, which is then XORed with the plaintext to give you the ciphertext. So it can encrypt $2^{32}$ blocks of data before the counter loops over again. Now, if you just want to encrypt the data, we're done. But if you need integrity of the ciphertext, then you can use GMAC, where you feed the ciphertext into an XOR and then into a hashing function, and feed that output into the next block's XOR (ciphertext XOR hash of the previous block), and so on. For the first block, 128 bits of '0' are encrypted with the key and hashed, and become the input of the XOR function. For the last block, the length of the plaintext is also XORed with the last hash, and then that hash is XORed with the encrypted $IV \parallel 0^{32}$.

Usually, when people talk about GCM, they talk about GCM and GMAC together.

CBC alone is insecure and was superseded by GCM in TLS 1.2 and removed in TLS 1.3.

Below is one block of plaintext encrypted with GCM

SSA
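The GMAC half of the answer above (ciphertext blocks fed through an XOR and a "hash", a length block at the end, then a mask XORed in) is GHASH over GF(2^128). Below is an added example in Python, not the answerer's code, that implements GHASH as Algorithm 1 of NIST SP 800-38D specifies it and assembles the tag. The standard library has no AES, so the three AES outputs the computation needs are taken from Test Case 2 of the GCM specification (all-zero 128-bit key, all-zero 96-bit IV, one all-zero plaintext block): H = E_K(0^128), the single ciphertext block, and E_K(J0), where the mask block J0 is IV || 0^31 || 1 for a 96-bit IV. With those inputs the code reproduces the published tag, so the structure can be checked against the real thing rather than a toy.

```python
import hmac

# Reduction constant from NIST SP 800-38D: the byte 0xE1 followed by 120 zero
# bits, i.e. x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected representation.
R = 0xE1 << 120


def gf_mult(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements given as 128-bit big-endian ints.

    Algorithm 1 of SP 800-38D: scan the bits of x from the left, XOR in the
    current shifted copy of y whenever the bit is set, and reduce by R whenever
    a right shift would carry a bit out of the field.
    """
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _padded_blocks(data: bytes):
    """Split into 16-byte blocks, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\x00")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A, C): a polynomial hash keyed by H = E_K(0^128).

    Each block is XORed into the running value, which is then multiplied by H
    (the 'hash' step of the answer above).  The final block is the bit lengths
    of A and C, each as a 64-bit big-endian integer.
    """
    hk = int.from_bytes(h, "big")
    y = 0
    for block in list(_padded_blocks(aad)) + list(_padded_blocks(ciphertext)):
        y = gf_mult(y ^ int.from_bytes(block, "big"), hk)
    length_block = (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big")
    y = gf_mult(y ^ int.from_bytes(length_block, "big"), hk)
    return y.to_bytes(16, "big")


def gcm_tag(h: bytes, ek_j0: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Tag = GHASH_H(A, C) XOR E_K(J0), with J0 = IV || 0^31 || 1 for a 96-bit IV."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), ek_j0))


def verify_tag(h: bytes, ek_j0: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time.  Plaintext must
    only be released when this returns True."""
    return hmac.compare_digest(gcm_tag(h, ek_j0, aad, ciphertext), tag)


# AES-128 outputs from GCM spec / SP 800-38D Test Case 2 (zero key, zero 96-bit
# IV, one zero plaintext block).  They are the only AES values the tag needs.
TC2_H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")      # E_K(0^128)
TC2_EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E_K(IV || 0^31 || 1)
TC2_CIPHERTEXT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
TC2_TAG = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")


if __name__ == "__main__":
    tag = gcm_tag(TC2_H, TC2_EK_J0, b"", TC2_CIPHERTEXT)
    print("computed tag:", tag.hex(), "matches spec:", tag == TC2_TAG)
    # Flipping one ciphertext bit changes the tag, which is what GMAC is for.
    tampered = bytes([TC2_CIPHERTEXT[0] ^ 1]) + TC2_CIPHERTEXT[1:]
    print("tampered ciphertext verifies:", verify_tag(TC2_H, TC2_EK_J0, b"", tampered, TC2_TAG))
```

Two details worth noticing: with an empty message and no associated data the length block is all zero, so GHASH is 0 and the tag is just E_K(J0) (that is Test Case 1 of the same specification); and because the tag is a linear function of the ciphertext masked by a value that depends only on the key and IV, repeating an IV under one key also weakens the integrity guarantee, which is the second attack mentioned in the comments on the first answer.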