Media Den logo

Media Den

← Blog

How Two Belgian Cryptographers Changed the Way the World Keeps Secrets

April 2026 · Privacy Advancements Series

A huge share of what you do online is protected by a single algorithm. Secure websites, encrypted cloud storage, private messaging apps: much of it traces back to AES-256-GCM. Most people have never heard of it. Here's the story of how it came to be.

The Standard That Was Dying

In 1977, the United States government standardized an encryption algorithm called DES (the Data Encryption Standard). For almost two decades, it was the backbone of secure digital communication. Banks used it. Governments used it. It was everywhere.

Then computers got faster. By the late 1990s, purpose-built hardware could crack a DES-encrypted message within days; in 1998, the EFF's "Deep Crack" machine solved a public challenge in about 56 hours, and by early 1999, the same hardware combined with a volunteer distributed network cracked another in just 22 hours.[10] The algorithm's 56-bit key, once considered untouchable, had become a liability. The US government needed a replacement, and they needed it to last.

In 1997, the National Institute of Standards and Technology (NIST) did something unusual: they put out an open call to the entire world.[1] Anyone (academic, corporate, or independent) could submit a candidate to become the new global encryption standard. The submissions would be evaluated publicly, scrutinized by cryptographers everywhere, and the best one would win.

The Race

Fifteen teams entered. The favourites were formidable: IBM submitted MARS. RSA Security submitted RC6. Counterpane Systems (led by the legendary cryptographer Bruce Schneier) submitted Twofish. A joint team from England, Israel, and Denmark submitted Serpent.[2]

And then there were two Belgian academics from a university in Leuven no one outside of cryptography had heard of.

Joan Daemen and Vincent Rijmen had been working on encryption algorithms since the early 1990s. They named their submission after themselves: Rijndael, a portmanteau of Rijmen and Daemen. Their entry was elegant, fast, and required remarkably little memory, a crucial advantage in a world where encryption needed to run on everything from servers to smart cards.

NIST held three public conferences over three years, inviting cryptographers from around the world to try to find weaknesses in each submission. On October 2, 2000, they announced the winner: Rijndael. On November 26, 2001, it was officially standardized as the Advanced Encryption Standard (AES).[3]

Why 256 Bits?

AES supports three key sizes: 128, 192, and 256 bits. That's the number of bits in the secret key used to encrypt and decrypt data. More bits means more possible key combinations, which means a brute-force attack takes longer, exponentially longer.

At 128 bits, there are more possible keys than there are atoms in the observable universe. So why bother with 256?

The answer is quantum computing. NIST's 1997 requirements explicitly called for an algorithm that could withstand future advances in computing, including quantum computers.[1] A quantum algorithm called Grover's search effectively cuts a key's strength in half: a 128-bit key becomes 64-bit effective security, which a sufficiently powerful quantum computer could eventually crack. A 256-bit key becomes 128-bit effective security, which remains safe even against quantum attacks.

In 2001, practical quantum computers were science fiction. Daemen and Rijmen built for a threat that didn't yet exist. Today, the NSA approves AES-256 for encrypting top-secret government data.[4]

Encryption Wasn't Enough

AES solved the confidentiality problem: only someone with the key could read the message. But encryption alone doesn't answer a different question: was the message tampered with?

Earlier encryption modes, including common ones like CBC (Cipher Block Chaining), couldn't detect if an attacker had modified the ciphertext in transit. They'd encrypt cleanly and decrypt cleanly, and you'd have no idea the data had been altered. Attackers learned to exploit this in a class of attacks called padding oracle attacks, which could sometimes allow decryption without ever knowing the key.

Confidentiality and integrity turned out to be two separate problems, and for years they were solved separately, and often badly.

Enter GCM, and a 19-Year-Old Who Died in a Duel

In 2004, David McGrew at Cisco and security researcher John Viega proposed a new mode of operation for AES called GCM (Galois/Counter Mode).[5] It solved both problems at once.

GCM combines AES's stream encryption with an authentication mechanism based on mathematics developed by Évariste Galois, a French prodigy who made foundational contributions to abstract algebra before being killed in a duel in 1832 at the age of 20.[9] The algebra he invented — Galois field theory — provides a way to produce an authentication tag that acts like a tamper seal on the ciphertext. If a single bit of the encrypted data is changed, the tag won't verify, and the decryption will fail.

This combination (encryption plus authentication in a single pass) is called Authenticated Encryption with Associated Data (AEAD). It was a conceptual breakthrough: instead of bolting security properties together and hoping developers did it correctly, AEAD made the secure approach the default. NIST standardized GCM in 2007.[6]

The Standard the Internet Runs On

Today, AES-256-GCM is woven into the fabric of the modern internet.

TLS 1.3, which secures most modern HTTPS connections, requires AEAD ciphers, mandating both AES-128-GCM and AES-256-GCM as supported cipher suites.[7] Many major services, including iCloud and Google Drive, use AES-256 for data at rest. Apple Silicon chips include hardware acceleration for AES, making encryption fast enough that you never notice it happening.

Context
AES-256-GCM is also one of two dominant authenticated encryption algorithms in modern use. The other is ChaCha20-Poly1305, designed by cryptographer Daniel Bernstein as an alternative for hardware without AES acceleration. TLS 1.3 supports both; the client and server negotiate the one better suited to the available hardware.

The One Rule You Can't Break

AES-256-GCM has one critical requirement: each encryption must use a unique nonce (a number used exactly once per key). If the same nonce is ever reused with the same key, the entire security of the scheme unravels. An attacker who obtains two ciphertexts encrypted with the same key and nonce can recover the plaintext of both messages, and potentially the authentication key itself, allowing them to forge new ciphertexts.

A 2016 study found 184 public HTTPS servers in the wild actively repeating nonces.[8] It sounds like an easy mistake to avoid, but at scale (millions of encrypted files, connections, or messages) it requires careful engineering: counter-based nonce generation, per-file key derivation, or regular key rotation.

Well-built applications handle this transparently. You shouldn't have to think about it. But it's worth knowing the requirement exists, because it's why good cryptographic engineering matters.

AES-256-GCM in Media Den

Every photo and video you store in Media Den is encrypted with AES-256-GCM before it leaves your device. Each file gets a unique encryption key, derived from your password combined with a freshly generated random salt — so even if two files somehow produced the same nonce, they would be under different keys, making the overlap harmless. Your cloud provider (Amazon S3, Google Drive, or iCloud) never sees anything but ciphertext. Neither do we.

I hope this piece was interesting and informative. If you enjoyed, it and you care about your privacy, I would recommend you checking out the app.

Learn more about Media Den →

Download on the App Store Download on the App Store

References

  1. NIST, "Announcing Development of a Federal Information Processing Standard for Advanced Encryption Standard," September 1997. csrc.nist.gov
  2. NIST, "NIST Announces Encryption Standard Finalists," August 1999. nist.gov
  3. NIST, "Federal Information Processing Standard 197: Advanced Encryption Standard," November 2001. nvlpubs.nist.gov
  4. Wikipedia, "Commercial National Security Algorithm Suite." AES-256 is listed for protection of Top Secret information under CNSA 1.0. en.wikipedia.org
  5. Wikipedia, "Galois/Counter Mode." Credits the design of GCM to John Viega and David A. McGrew, with security analysis published at INDOCRYPT 2004. en.wikipedia.org
  6. NIST, "Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC," November 2007. nvlpubs.nist.gov
  7. IETF RFC 8446, "The Transport Layer Security (TLS) Protocol Version 1.3," August 2018. rfc-editor.org
  8. H. Bock, A. Zauner, S. Devlin, J. Somorovsky, and P. Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS," IACR, 2016. eprint.iacr.org
  9. J. J. O'Connor and E. F. Robertson, "Évariste Galois," MacTutor History of Mathematics Archive, University of St Andrews. mathshistory.st-andrews.ac.uk
  10. Electronic Frontier Foundation, "EFF Builds DES Cracker," 1998. w2.eff.org