AES-256-GCM: Quantum-Safe Encryption

Security

AES-256-GCM: Why 256-Bit Encryption Survives Quantum Computers

15 min read

The Padlock on Everything You Do Online

Every time you visit a website with "https" in the address bar, buy something online, send a message through WhatsApp, or store a file in the cloud, your data is being scrambled by an encryption algorithm. More often than not, that algorithm is AES-256-GCM. It is the single most widely deployed encryption system on the planet. Banks use it. Governments use it. The military uses it. Your phone uses it right now, without you knowing, to protect the data on its storage chip.

But what is it, exactly? The name looks like an alphabet soup of letters and numbers. Let us break it down piece by piece, because understanding what protects your data is the first step toward making good decisions about security.

Breaking Down the Name: AES, 256, and GCM

The name "AES-256-GCM" has three parts, and each one matters.

AES stands for Advanced Encryption Standard. It is the encryption algorithm itself, selected by the U.S. National Institute of Standards and Technology (NIST) in 2001 after a five-year public competition. Fifteen candidate algorithms were submitted from research teams around the world. After multiple rounds of public analysis, an algorithm called Rijndael (designed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen) won the competition. NIST published it as FIPS 197, the Federal Information Processing Standard for encryption. AES replaced the older DES (Data Encryption Standard), which had been the government standard since 1977 but had become too weak as computers got faster.

256 is the key size in bits. Think of the key as the secret combination to a lock. A 256-bit key means there are 2^256 possible combinations. That number is staggeringly large. To put it in perspective: there are roughly 2^80 atoms in the observable universe. The number of possible AES-256 keys is trillions upon trillions of times larger than the number of atoms in existence. There is no computer, and no collection of computers, that could try all those combinations before the heat death of the universe.

GCM stands for Galois/Counter Mode. AES by itself can only encrypt one small block of data at a time (128 bits, or 16 bytes). GCM is the "mode of operation" that tells AES how to handle files of any size, and it adds a critical extra feature: authentication. We will get into what that means shortly.

Symmetric Encryption: One Key, Two Jobs

AES is a symmetric encryption algorithm. This means the same key that locks the data also unlocks it. Think of it like a house key: you use the same key to lock the front door and to open it later.

This is different from asymmetric (or "public-key") encryption, where you have two different keys: one public, one private. Asymmetric encryption is used for things like exchanging keys over the internet, where two strangers need to establish a shared secret without ever meeting. But asymmetric encryption is slow. Hundreds or thousands of times slower than AES.

So in practice, almost every encryption system works like this: use asymmetric encryption to securely agree on a shared key, then use AES (symmetric encryption) to do the actual heavy lifting of encrypting the data. The asymmetric step happens once; the symmetric step handles gigabytes of data at full speed.

QNSQY follows this exact pattern. The post-quantum key exchange (ML-KEM + X25519) is the asymmetric step that produces a shared key. Then AES-256-GCM takes that key and encrypts your actual file. The key exchange is the handshake; AES-256-GCM is the workhorse.

How AES Actually Scrambles Your Data

AES works on blocks of 128 bits (16 bytes) at a time. For each block, it applies a series of mathematical operations called "rounds." AES-256 uses 14 rounds. Each round performs four operations:

1. SubBytes: Every byte is replaced with a different byte according to a fixed lookup table (called an S-box). This introduces non-linearity, which means even a tiny change in input produces a wildly different output.
2. ShiftRows: Bytes within each row of the 4x4 block are shifted by different amounts. This spreads the influence of each byte across the entire block.
3. MixColumns: Each column of the block is mathematically mixed with the others using polynomial multiplication. This further diffuses the data so that every output byte depends on multiple input bytes.
4. AddRoundKey: The block is combined with a portion of the encryption key using an XOR operation. This is what ties the encryption to your specific key.

After 14 rounds of these operations, the original 16 bytes of your file have been transformed into 16 bytes of ciphertext that look like completely random noise. Without the key, there is no known shortcut to reverse this transformation other than trying every possible key, which, as we covered, is not feasible.

The beauty of this design is its simplicity and its thoroughness. Each round is individually simple, but stacking 14 of them together creates an avalanche effect: changing a single bit of the input changes approximately half the bits of the output. This makes the encryption resistant to every known form of mathematical attack.

Why 256 Bits? The Quantum Computer Question

AES comes in three key sizes: 128, 192, and 256 bits. For decades, AES-128 was considered perfectly secure. And against conventional computers, it still is. No one can brute-force a 128-bit key. But quantum computers change the calculus.

Quantum computers threaten cryptography through two specific algorithms, and understanding the difference between them is essential.

Shor's algorithm is the one that makes headlines. It can break public-key cryptography (RSA, elliptic curves, Diffie-Hellman) by solving certain math problems exponentially faster than any classical computer. If a sufficiently large quantum computer is built, RSA-2048 crumbles. This is why the world is moving to post-quantum algorithms like ML-KEM.

Grover's algorithm is less dramatic but still important. It speeds up brute-force searches. Specifically, it provides a quadratic speedup, which means it effectively cuts the key length in half. Think of it this way: if your lock has a combination with 2^256 possibilities, a quantum computer running Grover's algorithm can find the right one in roughly 2^128 attempts, instead of the full 2^256.

Grover's impact on AES key sizes: AES-128 drops from 128-bit security to 64-bit security under Grover's algorithm. A 64-bit search is within reach of a well-funded attacker even today, using classical hardware. AES-256 drops from 256-bit to 128-bit security, which remains far beyond any foreseeable computing capability. This is why AES-256 is the minimum for quantum safety.

The NSA's CNSA 2.0 suite (Commercial National Security Algorithm Suite) mandates AES-256 for protecting classified information through the quantum era. NIST's post-quantum guidance makes the same recommendation. When the people responsible for protecting state secrets say "use AES-256," it is worth paying attention.

There is also a practical constraint that makes the Grover threat even less concerning. Grover's algorithm requires a quantum computer to maintain "coherence" (a fragile quantum state) for the entire duration of the search. For AES-256, that means sustaining 2^128 quantum operations without a single error. Current quantum computers can maintain coherence for milliseconds. The gap between where quantum hardware is and where it would need to be is enormous.

What GCM Does (And Why It Is Non-Negotiable)

Here is a scenario that illustrates why encryption alone is not enough. Suppose you encrypt a file containing a bank transfer instruction: "Send $1,000 to Alice." An attacker intercepts the encrypted file. They cannot read it. But what if they could modify it? What if, by flipping certain bits in the ciphertext, they could change the amount or the recipient without ever knowing the original message?

This is not hypothetical. With basic encryption modes (like the old CBC mode), bit-flipping attacks are real and have been exploited in practice. The attacker does not need to decrypt anything. They just need to make strategic modifications to the ciphertext, and the recipient decrypts a message that looks legitimate but has been tampered with.

GCM solves this problem by adding authentication. GCM is an AEAD mode, which stands for Authenticated Encryption with Associated Data. Here is what that means in plain terms:

1. Encryption (Counter Mode): GCM uses AES in counter mode (CTR). It generates a unique number (a counter) for each 128-bit block, encrypts that counter with the AES key to produce a stream of random-looking bytes (called a keystream), and then XORs that keystream with your plaintext. The result is ciphertext. Because each block uses a different counter value, this process is parallelizable, meaning different parts of a large file can be encrypted simultaneously across multiple CPU cores.
2. Authentication (GHASH): Simultaneously, GCM runs a mathematical function called GHASH over the ciphertext. GHASH is a polynomial hash that uses multiplication in a Galois field (a branch of abstract algebra, hence the "G" in GCM). The result is a 128-bit authentication tag. This tag is like a mathematical fingerprint of the entire ciphertext plus any additional metadata you want to protect.

When you decrypt, GCM recomputes the authentication tag and compares it to the one stored with the file. If even a single bit of the ciphertext was changed, the tags will not match, and decryption is rejected entirely. There is no partial decryption. There is no "best effort" recovery. Either the data is exactly what was encrypted, or you get an error. Period.

The "Associated Data" part: AEAD lets you authenticate data that you do not want to encrypt. For example, QNSQY uses this to authenticate the file header (which contains the algorithm version, salt, and other metadata). This header needs to be readable before decryption starts, but it also needs to be tamper-proof. GCM authenticates it alongside the ciphertext, so any modification to the header is also detected.

This is why modern cryptographic standards insist on authenticated encryption. Using AES without authentication (in modes like ECB or even plain CTR) is considered a security flaw. GCM provides both confidentiality and integrity in a single, efficient operation.

The Nonce: GCM's One Critical Rule

GCM has one strict requirement: every encryption operation must use a unique nonce (number used once). The nonce is 96 bits (12 bytes) in standard GCM. It does not need to be secret, but it absolutely must never be reused with the same key.

If you encrypt two different messages with the same key and the same nonce, an attacker can XOR the two ciphertexts together and recover both plaintexts. Worse, they can forge authentication tags, completely breaking the integrity guarantee. This is not a theoretical weakness; it has been exploited in real attacks against systems that mismanaged nonces.

QNSQY generates a fresh 96-bit random nonce for every single encryption operation using a cryptographically secure random number generator. Since each file gets its own nonce, and keys are derived fresh for each operation via the hybrid KEM process, nonce reuse is not a practical concern. The probability of a random 96-bit collision is astronomically small.

For systems that encrypt billions of messages with the same key (like TLS sessions), the 96-bit nonce becomes a limiting factor. That is one reason why XChaCha20-Poly1305 exists as an alternative: its 192-bit nonce makes random collisions even less likely. QNSQY offers XChaCha20-Poly1305 as an option on every tier for users who want this extra margin.

Performance: Why AES-256-GCM Is Practically Free

Encryption has a reputation for being slow. In the 1990s, that was true. Running DES or Triple-DES in software was computationally expensive. But in 2008, Intel introduced AES-NI (AES New Instructions), a set of hardware instructions built directly into the CPU that perform AES rounds in a single clock cycle. AMD followed with their own implementation shortly after. Today, every x86-64 processor sold since roughly 2010, and most ARM processors used in modern phones and tablets, have hardware AES acceleration.

With AES-NI, AES-256-GCM encryption and decryption routinely exceeds 25 GB/s per CPU core. That means a 1 GB file encrypts in under 100 milliseconds. A 100 MB document encrypts in under 10 milliseconds. For most real-world file sizes, the encryption step is literally faster than the time it takes to read the file from your hard drive. The disk is the bottleneck, not the encryption.

Where You Already Use AES-256-GCM (Without Knowing It)

AES-256-GCM is not some niche algorithm used only by security specialists. It is the default cipher suite in most of the technology you already use:

• Web browsing (TLS 1.3): When you visit any HTTPS website, your browser negotiates a cipher suite with the server. In TLS 1.3, AES-256-GCM is one of the two mandatory cipher suites. Every online banking session, every email login, every search query is protected by it.
• Disk encryption: BitLocker (Windows), FileVault (macOS), and LUKS (Linux) all use AES-256 for full-disk encryption. If your laptop is stolen, the thief sees nothing but random noise on the drive.
• VPNs: IPsec and WireGuard VPN tunnels use AES-256-GCM (or its close cousin ChaCha20-Poly1305) to encrypt traffic between your device and the VPN server.
• SSH: When you connect to a remote server via SSH, AES-256-GCM is typically the negotiated encryption algorithm.
• Cloud storage: AWS, Google Cloud, and Azure all use AES-256 for encrypting data at rest in their storage services.
• Messaging: Signal, WhatsApp, and other encrypted messengers use AES-256-GCM as the symmetric cipher inside their encryption protocols.

The reason AES is everywhere is that it has survived 25 years of relentless attack by the global cryptographic research community. Thousands of papers have been published analyzing AES. The best known attack against full AES-256 (a "biclique" attack published in 2011) reduces the search space from 2^256 to 2^254.4. That is a theoretical improvement of roughly four times faster, which is completely irrelevant in practice when the original number is already incomprehensibly large.

AES-256-GCM in QNSQY

In QNSQY, AES-256-GCM is the default AEAD cipher in every tier (Free, Pro, and Business). Here is how it fits into the overall encryption process:

1. Key derivation: If you are encrypting with a password, QNSQY runs your password through Argon2id (a memory-hard key derivation function) to produce a 256-bit AES key. If you are encrypting with a recipient's public key, the hybrid key exchange (ML-KEM + X25519) produces the key.
2. Nonce generation: A fresh 96-bit random nonce is generated from the operating system's cryptographic random number generator.
3. Encryption: The file contents are encrypted with AES-256-GCM using the derived key and nonce. The file header (containing metadata like the algorithm version, salt, and KEM ciphertext) is included as associated data, meaning it is authenticated but not encrypted.
4. Output: The resulting .qs file contains the header, the nonce, the encrypted data, and the 128-bit authentication tag. Everything needed to decrypt (except the key) is in the file.

QNSQY also offers XChaCha20-Poly1305 as an alternative on every tier. Both algorithms provide equivalent security (256-bit keys, 128-bit authentication tags). The practical difference is that AES-256-GCM is faster on hardware with AES-NI (which is almost everything), while XChaCha20-Poly1305 has a larger nonce and performs well in software on platforms without hardware AES acceleration.

A 25-Year Track Record

AES was published in 2001. In the quarter century since, it has been studied more intensively than perhaps any other cryptographic algorithm in history. It has been formally verified. It has been subjected to side-channel analysis, differential cryptanalysis, linear cryptanalysis, algebraic attacks, related-key attacks, and every other technique cryptographers have invented. No practical attack has ever been found against full AES-256.

The GCM mode was standardized by NIST in 2007 as SP 800-38D. It has similarly been analyzed extensively. The known weaknesses of GCM (nonce reuse vulnerability, short tag lengths if misconfigured) are well-understood and easily avoided with proper implementation. QNSQY uses the full 128-bit tag and fresh random nonces, avoiding both pitfalls.

When you encrypt a file with QNSQY, you are using an algorithm that has been vetted by the NSA for classified information, mandated by NIST for government systems, deployed by every major technology company, and scrutinized by the world's best cryptographers for over two decades. Combined with post-quantum key exchange, it provides security against both today's threats and tomorrow's quantum computers.

Sources

1. NIST FIPS 197: Advanced Encryption Standard (AES), November 2001. csrc.nist.gov/publications/detail/fips/197/final
2. NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007. csrc.nist.gov/publications/detail/sp/800-38d/final
3. Grover, L. K. "A Fast Quantum Mechanical Algorithm for Database Search," Proceedings of the 28th Annual ACM Symposium on Theory of Computing, 1996.
4. NSA CNSA 2.0: Commercial National Security Algorithm Suite 2.0. media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF
5. Bogdanov, A. et al. "Biclique Cryptanalysis of the Full AES," ASIACRYPT 2011.

Related Articles

• BLAKE3: Fastest Cryptographic Hash
• Argon2id: Why Memory-Hard Hashing Matters
• Why Hybrid Encryption Matters

Quantum-Safe Symmetric Encryption

Every QNSQY encrypted file uses AES-256-GCM by default. 256-bit keys. Authenticated. Hardware-accelerated.

---

Originally published at quantumsequrity.com.