AES-GCM (Galois/Counter Mode)
The canonical authenticated encryption with associated data (AEAD) construction: the AES block cipher in counter mode, paired with a Galois-field MAC (GHASH), delivers confidentiality and integrity in one pass.
Definition
AES-GCM, standardized in NIST SP 800-38D, runs AES-128/192/256 in counter mode while computing a Galois-field MAC in parallel. Output is ciphertext plus an authentication tag (typically 128 bits) computed over the ciphertext and any additional authenticated data.
It parallelizes well and benefits from hardware acceleration — Intel AES-NI and ARMv8 Crypto Extensions push throughput an order of magnitude beyond software-only implementations. TLS 1.3, SSH, IPsec, Signal, and QUIC all default to it.
Confidentiality (no plaintext recovery from ciphertext) and integrity (tag verification flags tampering) come from a single construction — safer and faster than AES-CBC + HMAC composition. The cost: IV (nonce) uniqueness must be strictly enforced. Reusing a nonce (96 bits by convention) under the same key repeats the counter-mode keystream and exposes the GHASH authentication key, so both properties fail at once.
Lemma Oracle implementation
Lemma uses AES-GCM at every point where sensitive data moves or rests — customer attributes, AI inputs, decision logs. Key material lives in an HSM or KMS; nonces are derived from a counter combined with a context identifier, so uniqueness is structurally guaranteed rather than left to chance.
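The following Go program is an added illustration of the two points above (the counter-plus-context nonce derivation, and tag verification as the integrity check); it is not Lemma's code and the nonce layout it assumes (a 4-byte context identifier followed by a 64-bit big-endian invocation counter, the deterministic construction SP 800-38D permits) is one reasonable choice, not the product's. It uses only the Go standard library, and all keys, context identifiers and record data are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// NonceSource builds the 96-bit GCM nonce as a 4-byte context identifier
// (SP 800-38D's "fixed field") followed by a 64-bit big-endian invocation
// counter. The layout is an assumed illustration, not Lemma's: any scheme
// works as long as (key, nonce) pairs never repeat.
type NonceSource struct {
	context [4]byte
	counter uint64
}

func NewNonceSource(context [4]byte) *NonceSource {
	return &NonceSource{context: context}
}

// Next returns a fresh nonce, or an error once the counter would wrap, since
// wrapping would repeat a nonce under the same key. Persist the counter if the
// key outlives the process; a restart that resets it to zero repeats nonces.
func (n *NonceSource) Next() ([]byte, error) {
	if n.counter == ^uint64(0) {
		return nil, errors.New("nonce counter exhausted: rotate the key")
	}
	n.counter++
	nonce := make([]byte, 12)
	copy(nonce[:4], n.context[:])
	binary.BigEndian.PutUint64(nonce[4:], n.counter)
	return nonce, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
}

// Seal encrypts plaintext and binds aad (unencrypted context such as a record
// identifier) into the tag. The nonce is prepended so the receiver need not
// track the counter; it is not secret, only unique.
func Seal(key, plaintext, aad []byte, src *NonceSource) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := src.Next()
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open parses nonce || ciphertext || tag, verifies the tag over ciphertext and
// aad, and returns plaintext only if verification succeeds. Any change to the
// ciphertext, the tag, the nonce or the aad yields an error and no plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, aad)
}

func main() {
	key := make([]byte, 32) // in production this would come from the HSM/KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	src := NewNonceSource([4]byte{'a', 't', 't', 'r'}) // constructed context id
	aad := []byte("customer:42")                      // constructed sample record id

	sealed, err := Seal(key, []byte("dob=1990-01-01"), aad, src)
	if err != nil {
		panic(err)
	}
	if pt, err := Open(key, sealed, aad); err == nil {
		fmt.Printf("ok: %s\n", pt)
	}
	// Flip one bit of the tag: verification fails and no plaintext is returned.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, sealed, aad); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Two operational points the code makes explicit: the counter must be persisted and must be the only writer under a given (key, context) pair, since a reset or a second process starting from zero silently reuses nonces; and the associated data lets the tag bind the ciphertext to its record identifier, so a valid blob copied onto another customer's record fails verification.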
The zero-knowledge (ZK) side never sees plaintext — only docHash crosses the circuit boundary. This two-layer split (verifiability via ZK, confidentiality via AES-GCM) is Lemma's default cryptographic shape.
Even when selective disclosure returns an attribute proof, the underlying document stays AES-GCM encrypted. Only the attribute commitment and the proof traverse the circuit.