AES-GCM vs CTR

AES-CTR turns a block cipher into a keystream generator. You XOR the keystream with plaintext to encrypt and with ciphertext to decrypt. It is fast and parallelizable but provides no authenticity: bit flips in the ciphertext become predictable flips in the plaintext, so receivers cannot detect tampering. To gain integrity you must pair CTR with a separate MAC (e.g., HMAC-SHA256) in an encrypt-then-MAC construction.

AES-GCM integrates encryption and authentication (AEAD). It outputs a ciphertext and an authentication tag; the receiver verifies the tag before releasing plaintext. This blocks undetected modification and supports associated data (AAD) so you can bind unencrypted headers to the message. For most modern systems, prefer AES-GCM for its simplicity and safety.
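The two behaviours described above, side by side, as an added example that is not part of the original page. It uses Node.js's built-in `crypto` module. The helper names (`ctr`, `ctrOpen`, `gcmSeal`, `gcmOpen`, `demo`) and the sample message and AAD are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// CTR encryption and decryption are the same keystream XOR, so one helper does both.
function ctr(key, iv, data) {
  const c = nodeCrypto.createCipheriv("aes-256-ctr", key, iv);
  return Buffer.concat([c.update(data), c.final()]);
}
// Encrypt-then-MAC: HMAC-SHA256 over IV || ciphertext, using a key separate from the cipher key.
function mac(macKey, iv, ct) {
  return nodeCrypto.createHmac("sha256", macKey).update(iv).update(ct).digest();
}
function ctrOpen(encKey, macKey, iv, ct, tag) {
  // Verify the MAC in constant time before touching the ciphertext.
  if (!nodeCrypto.timingSafeEqual(mac(macKey, iv, ct), tag)) throw new Error("MAC mismatch");
  return ctr(encKey, iv, ct);
}
function gcmSeal(key, nonce, pt, aad) {
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  c.setAAD(aad); // authenticated but not encrypted
  const ct = Buffer.concat([c.update(pt), c.final()]);
  return { ct, tag: c.getAuthTag() };
}
function gcmOpen(key, nonce, ct, tag, aad) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce);
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws if the tag check fails
}
// Simulated in-transit corruption: XOR one ciphertext byte with a mask.
function flip(buf, offset, mask) { const out = Buffer.from(buf); out[offset] ^= mask; return out; }
function rejected(fn) { try { fn(); return false; } catch { return true; } }

function demo() {
  // Constructed sample input; fresh random keys and nonces, each nonce used for one message.
  const [encKey, macKey, gcmKey] = [32, 32, 32].map((n) => nodeCrypto.randomBytes(n));
  const iv = nodeCrypto.randomBytes(16), nonce = nodeCrypto.randomBytes(12);
  const pt = Buffer.from("qty=0100;item=widget"), aad = Buffer.from("msg-id=42");
  const mask = 0x30 ^ 0x39; // difference between ASCII '0' and '9'
  const ct = ctr(encKey, iv, pt), tag = mac(macKey, iv, ct);
  const g = gcmSeal(gcmKey, nonce, pt, aad);
  return {
    bareCtr: ctr(encKey, iv, flip(ct, 4, mask)).toString(), // decrypts without any error
    ctrMacRejects: rejected(() => ctrOpen(encKey, macKey, iv, flip(ct, 4, mask), tag)),
    gcmRoundTrip: gcmOpen(gcmKey, nonce, g.ct, g.tag, aad).toString(),
    gcmRejectsFlip: rejected(() => gcmOpen(gcmKey, nonce, flip(g.ct, 4, mask), g.tag, aad)),
    gcmRejectsAad: rejected(() => gcmOpen(gcmKey, nonce, g.ct, g.tag, Buffer.from("msg-id=43"))),
  };
}
console.log(demo());
```

Bare CTR returns the altered plaintext with no error, while the encrypt-then-MAC wrapper and GCM both refuse the modified ciphertext, and GCM also refuses an unmodified ciphertext presented with different AAD.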

Critical operational rule: never reuse a nonce/IV with the same key in either mode. Nonce reuse compromises confidentiality for CTR and both confidentiality and integrity for GCM. Use random or monotonically increasing nonces as specified by your library and rotate keys periodically.

FAQ

When should I choose AES-GCM over CTR?
Prefer AES-GCM for most applications because it provides both confidentiality and integrity (AEAD). CTR offers only confidentiality and must be combined with a MAC to prevent undetected tampering.

Can I reuse nonces with AES-GCM or CTR?
No. Reusing a nonce/IV with the same key breaks security for both modes. Always use unique nonces per message.