# One GCM implementation pitfall posted March 2017

If you look at Go's implementation of GCM, in particular this, you can see that the counter is set to `nonce||1`

:

```
if len(nonce) == gcmStandardNonceSize {
// Init counter to nonce||1
copy(counter[:], nonce)
counter[gcmBlockSize-1] = 1
}
```

It needs to be. Without it, the first block of keystream is the encryption of 0 if the nonce is 0 (which can happen if nonces are generated from a counter). The encryption of 0 is also... the authentication key!

Here are some random

populararticles:Here are some random

recentarticles:## Comments