Galois/Counter Mode - Performance

Performance

GCM is ideal for protecting packetized data, because it has minimum latency and minimum operation overhead.

GCM requires one block cipher operation and one 128-bit multiplication in the Galois field per each block (128 bit) of encrypted and authenticated data. The block cipher operations are easily pipelined or parallelized; the multiplication operations are easily pipelined, and can be parallelized with some modest effort (either by parallelizing the actual operation, or by adapting Horner's method as described in the original NIST submission, or both).

Intel has added the PCLMULQDQ instruction, highlighting its use for GCM . This instruction enables fast multiplication over GF(2^n), and can be used with any field representation.

Impressive performance results have been published for GCM on a number of platforms. Käsper and Schwabe described a "Faster and Timing-Attack Resistant AES-GCM" that achieves 10.68 cycles per byte AES-GCM authenticated encryption on 64-bit Intel processors. Dai et al. report 3.5 cycles per byte for the same algorithm when using Intel's AES-NI and PCLMULQDQ instructions.

When both authentication and encryption need to be performed on a message, a software implementation can achieve speed gains by overlapping the execution of those operations. Performance is increased by exploiting instruction level parallelism by interleaving operations. This process is called function stitching, and while in principle it can be applied to any combination of cryptographic algorithms, GCM is especially suitable. Manley and Gregg show the ease of optimizing when using function-stitching with GCM, and present a program generator that takes an annotated C version a cryptographic algorithm and generates code that runs well on the target processor.