AES GCM
GCM encrypts like AES-CTR: we encrypt a counter and use the encrypted counter
as a one-time pad (OTP) for the text.
- We compute a tag using arithmetic in GF(2^128). We will touch on this later.
- We compute a hash key H, a 128-bit number obtained by encrypting 128 zero
bits with our encryption key.
- If our nonce for the counter is n, we use n + 1, n + 2, and so on
for each chunk.
- We encrypt the nonce n with the key and use it as part of our tag.
Let's call it the masking key.
- We use the hashkey H, multiply it with the ciphertext block
C1, and then add it to ciphertext block C2, multiply that with H again,
add it to C3, and so on.
- The final expression of the above block becomes: C1 * H^l + C2 *
H^(l-1) + ... Here l is the number of blocks.
- We take the above value, let's call it CT, add the length L
(in bytes) to it, multiply the sum by H, and then add the masking key M
defined above.
- This expression becomes: CT * H + L * H + M
AAD: authentication of additional data
- During the computation of CT, the additional data is treated as extra
ciphertext blocks placed in front of the already existing data. The
process of computing CT and the tag remains the same.
Galois field mathematics for GCM
The field used for the tag computation is GF(2^128). Its characterizing
polynomial is
.
Everything else works the same way as in any Galois field.
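
The tag computation described above, as an added example that is not part of the original notes: Horner evaluation over the AAD and ciphertext blocks, then the length block, then the masking key. Python's standard library has no AES, so H and the masking key M are taken as inputs; the sample values are the published all-zero-key test vector from the McGrew-Viega GCM specification, the length block uses bit counts as NIST SP 800-38D specifies, and all function names are this example's own.

```python
import hmac

R = 0xE1 << 120  # reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM bit order

def gf_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements; the integer's top bit is the x^0 coefficient."""
    z, v = 0, y
    for i in range(127, -1, -1):
        if (x >> i) & 1:
            z ^= v                                # field addition is XOR
        v = (v >> 1) ^ R if v & 1 else v >> 1     # v = v * x, reduced
    return z

def blocks(data: bytes):
    """Yield 16-byte blocks as integers, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """Horner evaluation: AAD blocks first, then ciphertext, then the length block."""
    length_block = (len(aad) * 8) << 64 | (len(ct) * 8)   # SP 800-38D: bit lengths
    y = 0
    for x in [*blocks(aad), *blocks(ct), length_block]:
        y = gf_mul(y ^ x, h)
    return y

def gcm_tag(h: bytes, mask: bytes, aad: bytes, ct: bytes) -> bytes:
    """Tag = GHASH + M, where M is the encrypted initial counter block."""
    t = ghash(int.from_bytes(h, "big"), aad, ct) ^ int.from_bytes(mask, "big")
    return t.to_bytes(16, "big")

def verify(h: bytes, mask: bytes, aad: bytes, ct: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(gcm_tag(h, mask, aad, ct), tag)

# Published vector: all-zero key, all-zero 96-bit IV, one all-zero plaintext block
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")   # AES_K(0^128)
M = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")   # AES_K(IV || 0^31 || 1)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")   # ciphertext block
T = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")   # expected tag

if __name__ == "__main__":
    print(gcm_tag(H, M, b"", C).hex())
    print(verify(H, M, b"hdr", C, T))   # different AAD, so the tag no longer matches
```

Because H and M depend only on the key and nonce, reusing a nonce under the same key reuses both, which is why GCM nonces must never repeat.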