It (GCM) requires a 96-bit IV which is usually split into a 32-bit explicit nonce and a 64-bit counter.
GCM uses a 96 bit IV internally, but the size of the IV is actually configurable (implementations may vary, of course).
From the specification:
$1 ≤ \operatorname{len}(IV) ≤ 2^{64}-1$.
however, the same specification also indicates:
For IVs, it is recommended that implementations restrict support to the length of 96 bits, to promote interoperability, efficiency, and simplicity of design.
Q: The authentication tag has to be 128 bits long (according to Ferguson). Thus, the total overhead is 196 bits.
The size of the authentication tag is also configurable, ranging from 64 bit to 128 bit in 8 bit increments. The shorter tag is just the leftmost bytes of the full 16 tag, so you can basically allow any size tag. The problem with GCM is that the security of the algorithm quickly diminishes for shorter authentication tags. Other algorithms will fare better.
The bit length of the tag, denoted $t$, is a security parameter, as discussed in Appendix B. In
general, $t$ may be any one of the following five values: 128, 120, 112, 104, or 96. For certain
applications, $t$ may be 64 or 32; guidance for the use of these two tag lengths, including
requirements on the length of the input data and the lifetime of the key in these cases, is given in
Appendix C
But what about other algorithms such as CCM or EAX, etc.? Can they use shorter IVs or are they also secure with 64-bit authentication tags? Do they have other vulnerabilities that affect the overhead?
Most authenticated ciphers - including CCM and EAX - are based upon CTR. They just require a nonce, which you can even send in a single byte or even bit, depending on the number of messages. You should study the specific API's how the IV is interpreted. CCM is a bit special in the sense that it also specifies the packet format, although that format is configurable with regard to various sizes.
CCM and EAX depend on (AES-)CBC-MAC and (AES-)CMAC respectively. These constructions are less vulnerable to smaller authentication tag sizes. Both are considered secure when used correctly.
If there are more authentication encryption algorithms that require the some amount of overhead which is the one with the least computational effort?
There is always OCB mode. It has one block cipher operation per plaintext block and configurable output size. It is also patented and not available for military use (which means you get into a IP rights minefield if you use it).
Currently there are efforts on the way to use the the Keccak sponge for single pass authenticated encryption. That's still under construction though.
Finally there is SIV mode. SIV mode uses a synthetic IV calculated from the plaintext, which doubles as authentication tag. This means that, as long as your plaintext is unique, the calculated IV is unique and the mode is CPA secure and authenticated. SIV is however two pass, two full passes over the plaintext are needed during encryption. This means it is not online as many other modes.
