GCM vs. CTR

Here you can encrypt data with AES-GCM and decrypt it with AES-CTR.

Tell me more

The browser's native crypto API is used for both encryption and decryption. Its CTR implementation expects a first counter block and a counter length. It generates the subsequent counter blocks by incrementing the last [counter length] bytes:

First counter block:

065872b72582a7827afcfc63 \underset{\underset{counter}{⏟}}{00000002}

Second counter block:

065872b72582a7827afcfc63 \underset{\underset{counter + 1}{⏟}}{00000003}

Etc.

GCM does the same thing if your IV is 12 bytes long. That's why, in the default setting, you can decrypt GCM ciphertext with CTR: You'll get the original plaintext plus 128 bits of garbage, which result from "decrypting" the authentication tag.

If you want to read a little further, this blog post might be for you.

Key: IV for GCM: First CTR block: CTR counter length: Plaintext: Ciphertext: