AES-256-GCM: The Encryption Standard Behind Stealth Cloud

A deep technical breakdown of AES-256-GCM — how the block cipher works, why Galois/Counter Mode provides authenticated encryption, and how the Web Crypto API makes it available in every browser. The encryption primitive behind Stealth Cloud's zero-knowledge architecture.

The United States government classifies documents at the TOP SECRET level using AES-256. The same algorithm protects every TLS 1.3 connection on the internet. The same algorithm encrypts data at rest across AWS, Azure, and GCP. And the same algorithm runs natively in every modern web browser through the Web Crypto API, executing AES-256-GCM operations at near-hardware speed without a single line of server-side code.

AES-256-GCM is not merely popular. It is the dominant symmetric encryption construction on Earth, processing an estimated 90%+ of encrypted internet traffic. When NIST evaluated the Advanced Encryption Standard candidates in 2001, the Rijndael cipher won against 14 competitors. Twenty-five years later, no practical attack has reduced its security margin below the brute-force bound. The 256-bit keyspace contains 1.1 x 10^77 possible keys – more than the estimated number of atoms in the observable universe.

This is how it works, at every layer.

The AES Block Cipher: Core Mechanics

AES is a symmetric block cipher – it encrypts fixed-size blocks of plaintext (128 bits / 16 bytes) using a secret key. The same key encrypts and decrypts. AES supports three key lengths: 128, 192, and 256 bits. AES-256, the variant used in Stealth Cloud architecture, uses a 256-bit key and performs 14 rounds of transformation.

The State Matrix

AES operates on a 4x4 matrix of bytes called the state. A 16-byte plaintext block is arranged column-by-column into this matrix:

| b0  b4  b8  b12 |
| b1  b5  b9  b13 |
| b2  b6  b10 b14 |
| b3  b7  b11 b15 |

Every round transforms this state through four operations, applied in sequence.

Round Operations

1. SubBytes (Substitution). Each byte in the state is replaced by its corresponding value in the S-box – a fixed 256-entry lookup table derived from the multiplicative inverse in GF(2^8) composed with an affine transformation. This is the primary source of non-linearity in AES. Without SubBytes, the cipher would be a system of linear equations – trivially breakable.

2. ShiftRows (Permutation). Each row of the state is cyclically shifted left by a different offset: row 0 stays, row 1 shifts 1 byte, row 2 shifts 2 bytes, row 3 shifts 3 bytes. This ensures that columns mix across rounds – a byte in column 0 in one round affects column 1 in the next.

3. MixColumns (Diffusion). Each column of the state is treated as a polynomial over GF(2^8) and multiplied by a fixed polynomial. This operation ensures that every output byte depends on all four input bytes of the column. Combined with ShiftRows, it guarantees that after two rounds, every output bit depends on every input bit – a property called full diffusion.

4. AddRoundKey (Key Mixing). The state is XORed with a 128-bit round key derived from the original 256-bit key through the key schedule. The key schedule uses the S-box and round constants to generate 15 distinct round keys from the original key, ensuring that each round uses different key material.

AES-256 executes 14 rounds of these four operations (with MixColumns omitted in the final round). The mathematical structure is carefully designed so that each operation addresses a specific class of cryptanalytic attack: SubBytes defeats linear cryptanalysis, MixColumns defeats differential cryptanalysis, and AddRoundKey binds the encryption to the secret key.

Why AES Alone Is Not Enough

A raw block cipher encrypts one 16-byte block at a time. Real data – a chat message, a document, a streaming response – is larger than 16 bytes. The method used to chain multiple blocks together is called the mode of operation, and the choice of mode is at least as important as the choice of cipher.

The Problem with ECB

The simplest mode, Electronic Codebook (ECB), encrypts each block independently with the same key. Identical plaintext blocks produce identical ciphertext blocks. The famous “ECB penguin” demonstration shows that encrypting a bitmap image of a penguin in ECB mode produces ciphertext that is still visually recognizable as a penguin. Patterns in the plaintext survive encryption.

ECB is a textbook example of why cryptographic primitives cannot be used naively. A correct algorithm in the wrong mode provides an illusion of security.

The Problem with CBC

Cipher Block Chaining (CBC) mode XORs each plaintext block with the previous ciphertext block before encryption, eliminating the pattern leakage of ECB. CBC was the dominant mode for TLS until 2018. But CBC has a critical flaw: it is not authenticated. An attacker who can modify ciphertext blocks and observe whether decryption succeeds or fails can recover the plaintext through padding oracle attacks – a vulnerability that has been exploited against TLS (BEAST, POODLE), ASP.NET, and numerous other systems.

The lesson: encryption without authentication is a vulnerability, not a defense.

Galois/Counter Mode: Authenticated Encryption

GCM (Galois/Counter Mode) solves both problems simultaneously. It is an AEAD (Authenticated Encryption with Associated Data) construction, meaning it provides:

Confidentiality – the ciphertext reveals nothing about the plaintext.
Integrity – any modification to the ciphertext is detected.
Authenticity – the ciphertext was produced by someone who holds the key.

These three properties are bundled into a single operation. You cannot accidentally use GCM without authentication. This is a fundamental design advantage over modes like CBC, where developers must manually add authentication (HMAC) and frequently get the composition wrong.

How GCM Works

GCM combines two operations in parallel:

Counter Mode (CTR) for encryption. Instead of chaining blocks, CTR mode generates a keystream by encrypting a sequential counter with the block cipher. The plaintext is XORed with this keystream, producing ciphertext. Each block uses a unique counter value, derived from a 96-bit initialization vector (IV) concatenated with a 32-bit block counter:

Counter_0 = IV || 0x00000001
Counter_1 = IV || 0x00000002
Counter_n = IV || (n + 1)

The keystream is: E(K, Counter_0), E(K, Counter_1), ...

The ciphertext is: C_n = P_n XOR E(K, Counter_n)

This is parallelizable – every block can be encrypted independently, making GCM exceptionally fast on modern hardware.

GHASH for authentication. Simultaneously, GCM computes an authentication tag over the ciphertext and any additional authenticated data (AAD) using GHASH – a universal hash function based on multiplication in the Galois field GF(2^128).

GHASH computes:

X_0 = 0
X_i = (X_{i-1} XOR C_i) * H    (for each ciphertext block C_i)

Where H = E(K, 0^128) is the hash key – the encryption of the zero block under the AES key. The final authentication tag combines the GHASH output with the encrypted counter:

Tag = GHASH(H, AAD, C) XOR E(K, Counter_0)

This tag is appended to the ciphertext. During decryption, the recipient recomputes the tag and compares it to the received tag. If they differ, the ciphertext has been tampered with, and decryption is rejected entirely – no partial output, no oracle.

The IV Requirement

GCM has one critical requirement: the IV must never repeat for the same key. Reusing an IV under the same key allows an attacker to recover the GHASH key H and forge authentication tags. This is not a theoretical concern – it is a catastrophic, full-compromise failure mode.

For ephemeral infrastructure like Stealth Cloud, this constraint is naturally satisfied: each session generates a fresh AES-256 key via the Web Crypto API, and IVs are generated from a cryptographically secure random number generator. When the session ends and the key is destroyed via cryptographic shredding, the IV space resets.

Performance: Hardware Acceleration

Modern x86 and ARM processors include dedicated AES instructions – AES-NI on Intel/AMD, ARMv8 Cryptography Extensions on ARM. These instructions execute AES rounds in a single CPU cycle, pushing throughput beyond 10 GB/s on commodity hardware.

GCM benefits doubly: the CTR encryption and GHASH authentication can pipeline on modern CPUs, with AES-NI handling encryption and the CLMUL (carry-less multiplication) instruction accelerating the Galois field arithmetic in GHASH. The result is that AES-256-GCM runs at essentially the same speed as unencrypted I/O on modern systems.

Benchmarks on an Apple M2 chip (2023): AES-256-GCM processes 8.7 GB/s in single-threaded operation. On a server-class Intel Xeon with AES-NI, throughput exceeds 20 GB/s. These numbers mean encryption is no longer a performance excuse. The cost of not encrypting is a design choice, not an engineering constraint.

Web Crypto API: AES-256-GCM in the Browser

The Web Crypto API, standardized by the W3C and available in all modern browsers, exposes AES-256-GCM as a first-class primitive. This is the mechanism that enables client-side encryption without server involvement – the architectural foundation of zero-persistence systems.

Key Generation

const key = await crypto.subtle.generateKey(
  { name: "AES-GCM", length: 256 },
  true,  // extractable (for export/backup)
  ["encrypt", "decrypt"]
);

This generates a 256-bit key using the browser’s cryptographically secure random number generator (backed by OS-level entropy sources: /dev/urandom on Linux, CryptGenRandom on Windows, SecRandomCopyBytes on macOS/iOS).

Encryption

const iv = crypto.getRandomValues(new Uint8Array(12)); // 96-bit IV
const ciphertext = await crypto.subtle.encrypt(
  { name: "AES-GCM", iv: iv, tagLength: 128 },
  key,
  plaintext  // ArrayBuffer
);

The returned ciphertext includes the 128-bit authentication tag appended to the encrypted data.

Decryption

const plaintext = await crypto.subtle.decrypt(
  { name: "AES-GCM", iv: iv, tagLength: 128 },
  key,
  ciphertext  // ArrayBuffer (includes tag)
);

If the authentication tag does not verify – indicating tampering or a wrong key – the operation throws a DOMException and returns no data. There is no way to extract partial plaintext from a failed GCM decryption. This is authentication by design, not by developer discipline.

Key Destruction

// After session ends:
// 1. The CryptoKey object becomes eligible for garbage collection
// 2. The V8 isolate's memory is released
// 3. No key material was ever written to disk

In a Stealth Cloud architecture, AES-256-GCM keys exist only in the browser’s JavaScript heap. They are never transmitted to any server. When the session ends – or when the user triggers a burn – the key object is dereferenced and the memory is released. This is cryptographic shredding at the application layer: destroy the key, and all ciphertext encrypted with it becomes computationally irrecoverable.

Security Analysis: What Could Break AES-256?

Brute Force

A 256-bit key requires 2^256 operations to brute-force. The Landauer limit – the minimum energy required to flip a bit – means that a computer operating at the thermodynamic limit, using the entire energy output of the sun (3.8 x 10^26 watts), would take approximately 3 x 10^51 years to enumerate the keyspace. The universe is 1.38 x 10^10 years old. Brute force is not a category of risk for AES-256.

Cryptanalytic Attacks

The best known attack against AES-256 is the biclique attack by Bogdanov, Khovratovich, and Rechberger (2011), which reduces the brute-force complexity from 2^256 to 2^254.4. This is a theoretical improvement of a factor of ~3 – completely irrelevant in practice. The security margin of AES-256 remains enormous.

Side-Channel Attacks

The real-world attack surface of AES is not mathematical but physical. Timing attacks exploit the fact that table lookups in software AES implementations may take different amounts of time depending on cache behavior. Power analysis attacks monitor the electromagnetic emissions of hardware during encryption to recover key bits.

Hardware AES instructions (AES-NI) are specifically designed to be constant-time – every operation takes the same number of cycles regardless of input values. This eliminates timing side channels at the instruction level. The Web Crypto API in browsers delegates to these hardware instructions, inheriting their side-channel resistance.

Quantum Computing

Grover’s algorithm provides a quadratic speedup for searching unstructured spaces, reducing the effective security of AES-256 from 256 bits to 128 bits against a quantum computer. A 128-bit security level is still considered secure by all major standards bodies, including NIST. AES-256-GCM is post-quantum survivable for symmetric encryption. The quantum threat to cryptography is primarily against asymmetric algorithms (RSA, ECC) used for key exchange, not against AES itself.

AES-256-GCM vs. ChaCha20-Poly1305

The primary alternative to AES-256-GCM in modern protocols is ChaCha20-Poly1305, a stream cipher and MAC combination designed by Daniel J. Bernstein. Both are AEAD constructions. Both are used in TLS 1.3.

Property	AES-256-GCM	ChaCha20-Poly1305
Type	Block cipher + GHASH	Stream cipher + Poly1305 MAC
Key Size	256 bits	256 bits
Hardware Acceleration	AES-NI (x86, ARM)	None standard (but fast in software)
Software Performance (no HW accel)	Slower	Faster
Hardware Performance	10-20+ GB/s	3-5 GB/s
Nonce Misuse Resistance	Catastrophic on IV reuse	Catastrophic on nonce reuse
Adoption	Dominant	Growing (mobile, IoT)

On devices with AES-NI (virtually all modern x86 and ARM v8 processors), AES-256-GCM is faster. On devices without hardware acceleration – older mobile devices, embedded systems – ChaCha20-Poly1305 is faster. Google enabled ChaCha20 in Chrome specifically for Android devices that lacked AES hardware support.

For browser-based applications using the Web Crypto API, AES-256-GCM is the natural choice: it is universally supported, hardware-accelerated, and the API provides a clean, hard-to-misuse interface.

Why GCM Matters for Zero-Persistence Architecture

The combination of properties in AES-256-GCM – speed, authenticated encryption, browser-native support, hardware acceleration, and resistance to partial decryption – makes it uniquely suited to zero-persistence architectures where privacy is enforced by cryptography rather than policy.

Consider the Stealth Cloud message flow: a user’s prompt is encrypted client-side with AES-256-GCM before it leaves the browser. The server processes encrypted payloads. The response is re-encrypted before transit. At no point does an unencrypted message exist outside the user’s device. This is not a feature bolted onto an existing architecture – it is the architecture itself.

Traditional cloud providers encrypt data at rest with AES-256, but they hold the keys. Their encryption protects against external attackers, not against the provider itself. The distinction between provider-managed encryption and client-managed encryption is the distinction between a privacy policy and a mathematical guarantee. One can be changed with a terms-of-service update. The other cannot.

The Stealth Cloud Perspective

AES-256-GCM is the load-bearing encryption primitive of modern privacy infrastructure – fast enough to encrypt every byte in real time, strong enough to resist every known attack including quantum search, and natively available in every browser without plugins or dependencies. Stealth Cloud builds on this foundation by ensuring the encryption keys never leave the client, transforming AES-256-GCM from a transit protection mechanism into a zero-knowledge architecture where the server is cryptographically excluded from accessing user data.