up:: Classical Cryptography MOC
AES (Advanced Encryption Standard)
AES, the Advanced Encryption Standard, is the symmetric-key block cipher that NIST standardized in FIPS 197 and that now encrypts the overwhelming majority of bulk data in transit and at rest. It comes in three key sizes, AES-128, AES-192, and AES-256, all operating on 128-bit blocks and differing only in key length and round count. AES survives the quantum transition. The strongest known quantum attack on it, Grover’s algorithm, only halves its brute-force strength, so a 256-bit key retains about 128 bits of effective security while a 128-bit key drops toward about 64. Public-key algorithms like RSA and ECDH fare far worse, because Shor’s algorithm breaks them outright. The honest headline is narrow: quantum shatters the public-key layer and merely dents the symmetric one, and the symmetric move worth making is standardizing on AES-256.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.
The short version:
- AES is a symmetric block cipher, so its security rests on key size, not on the factoring or discrete-log math that quantum computers demolish.
- It comes in three key sizes: AES-128 (10 rounds), AES-192 (12 rounds), and AES-256 (14 rounds), all with a 128-bit block.
- Grover’s algorithm gives only a quadratic speedup on brute-force search, which halves effective strength. AES-256 lands at about 128 bits and stays safe; AES-128 lands at about 64.
- The one symmetric change worth making proactively is standardizing on AES-256 for long-lived data, and that is a configuration change, not a new algorithm family.
- The “quantum breaks all encryption” claim confuses the public-key layer (broken by Shor) with the symmetric layer (dented but fine). AES sits on the surviving side.
- CNSA 2.0 requires AES-256 for U.S. national-security systems at every classification level, the clearest signpost that AES-256 is a keeper.
What is AES?
AES is a symmetric-key block cipher, meaning the same secret key both encrypts and decrypts, and it works on data in fixed 128-bit blocks. NIST published it as FIPS 197 in November 2001 after an open, multi-year public competition in which the Rijndael design, by Belgian cryptographers Joan Daemen and Vincent Rijmen, was selected as the winner in 2000. That open-competition pedigree is part of why AES is trusted: its design was scrutinized publicly for years before it became a standard, and a 2023 update to FIPS 197 modernized the document without changing the algorithm.
Because AES is symmetric, its security rests on a single, simple fact: nobody can search its key space by brute force. There is no clever number-theoretic structure to exploit the way there is in RSA or elliptic-curve systems, which is exactly why the quantum story for AES is so different from the quantum story for public-key cryptography. AES protects confidentiality once a key is in hand; something else has to deliver that key, and that division of labor is the whole key to understanding its quantum exposure.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.
What are the three AES key sizes?
AES comes in exactly three standardized key sizes, and they differ only in key length and the number of internal rounds, never in block size. All three operate on 128-bit blocks. The choice among them is a security-margin decision, and this note routes each to its own detailed page:
| Variant | Key size | Rounds | Classical security | Effective quantum strength (Grover) | Verdict |
|---|---|---|---|---|---|
| AES-128 | 128-bit | 10 | 128-bit | ~64-bit (idealized) | Not broken, but move up for long-lived data |
| AES-192 | 192-bit | 12 | 192-bit | ~96-bit | Adequate, though 256 is the clean baseline |
| AES-256 | 256-bit | 14 | 256-bit | ~128-bit | Safe, keep, and the recommended default |
The larger key sizes run more rounds because more key material has to be mixed into the state, and the extra rounds are part of what gives AES-256 its wider margin. For post-quantum durability the answer is AES-256, because the three variants land on different sides of the comfort line once Grover halves them. AES-128 is not broken today, but its idealized 64-bit post-Grover strength is the reason anything that must stay confidential for a decade or more should carry the 256-bit key. The full reasoning, including why the idealized halving overstates the real-world quantum threat, lives on the AES-256 page.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.
How does AES work?
AES is a substitution-permutation network, not a Feistel cipher, and it transforms a 128-bit block through a series of rounds driven by keys derived from the master key. Each round applies four operations to the internal 128-bit state:
- SubBytes substitutes each byte through a fixed nonlinear lookup table, the S-box, providing confusion, meaning the relationship between key and ciphertext is scrambled.
- ShiftRows cyclically shifts the rows of the state, spreading bytes across the block.
- MixColumns mixes the bytes within each column, so a change in one input byte diffuses across many output bytes.
- AddRoundKey combines the state with a round key derived from the master key through the key schedule.
The round count is 10 for AES-128, 12 for AES-192, and 14 for AES-256, and the block size is 128 bits for all three. One caveat matters for every deployment: AES on its own only transforms a single 128-bit block. Real systems never use a bare block cipher. They run AES inside a mode of operation, described in Block Cipher Modes, that turns the cipher into something able to protect messages and files of any length, and modern systems favor authenticated modes like GCM that also detect tampering.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.
What is AES used for?
AES does the actual work of encrypting bulk data almost everywhere it moves or rests, which is why it is one of the most widely deployed cryptographic primitives on earth. Its common homes:
- The TLS record layer. Once a browser and a server finish a TLS handshake, the session key they agree on is used with AES to encrypt every byte of the page, form, and API call that follows.
- Disk and device encryption. Full-disk encryption on laptops, phones, and servers uses AES to protect data at rest, typically in the XTS mode described in Block Cipher Modes.
- VPN and IPsec traffic. Site-to-site and remote-access tunnels wrap their traffic in AES.
- Backups, archives, and databases. Long-retention stores and encrypted database columns lean on AES-256 specifically because the data has to stay confidential for years.
- Key wrapping. Key-management systems and hardware security modules use AES to encrypt other keys inside envelope-encryption hierarchies.
The pattern across all of these is that AES is the bulk-confidentiality workhorse. Something else negotiates or delivers the key, and AES protects the data once the key is in place. That division of labor is the key to its quantum exposure.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.
Is AES quantum-safe?
Yes, with the caveat that the answer is cleanest for AES-256. AES is symmetric, so Shor’s algorithm, the quantum attack that actually breaks cryptography, does not apply to it, because Shor solves factoring and discrete logarithms and AES rests on neither. The only relevant quantum pressure comes from Grover’s algorithm, and Grover only weakens rather than breaks. Walking the numbers:
- Grover searches an unstructured space of
Npossibilities in about√Nsteps instead of up toN. For ann-bit key, that turns roughly2^nwork into roughly2^(n/2), which halves the effective bits of security. - AES-256 starts at 256 bits and lands at about 128 bits of effective quantum security, which is astronomically out of reach.
- AES-128 starts at 128 bits and lands at about 64, which is why it is the variant to move away from for long-lived data.
NIST states the symmetric case plainly: Grover’s search “can have the effect of requiring larger key sizes, even in the symmetric key case,” and its own simple heuristic is to double the key length to compensate for Grover’s quadratic speedup. AES-256 already is the doubled parameter. The real-world picture is even more forgiving than the clean halving suggests, because Grover barely parallelizes and the circuits required to run it against AES are staggering, which the Grover on AES and AES-256 pages cover in detail.
Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; Grassl, Langenberg, Roetteler and Steinwandt, “Applying Grover’s algorithm to AES: quantum resource estimates,” 2016, arXiv:1512.04965.
Why is “quantum breaks all encryption” wrong?
The claim is wrong because it collapses two very different halves of cryptography into one, and quantum computers do opposite things to each half. The distinction that the headline erases:
- Public-key cryptography is the catastrophe. RSA, Diffie-Hellman, ECDH, and the elliptic-curve signature schemes all rest on factoring or discrete logarithms, and Shor’s algorithm solves both efficiently. Those algorithms stop working entirely rather than merely weakening, which is why they need new post-quantum standards like ML-KEM and ML-DSA.
- Symmetric cryptography mostly survives. AES and the hash functions face only Grover’s algorithm, which halves the margin. The fix, where one is even needed, is a bigger key or a longer digest, not a new family. AES-256 keeps about 128 bits of security and carries forward unchanged.
So a more accurate headline is that quantum computers break the public-key half of cryptography and dent the symmetric half. AES is squarely in the surviving group. Repeating “quantum breaks everything” is worse than imprecise, because it points remediation effort at the wrong layer, toward replacing AES when the urgent work is replacing the public-key algorithms around it.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016 (public-key algorithms fall; symmetric algorithms need larger key sizes), csrc.nist.gov/pubs/ir/8105/final.
Where is the real quantum exposure if AES is safe?
The exposure sits in the key exchange that delivers the AES key, not in AES. A TLS session, a VPN tunnel, or an encrypted message almost always works in two stages: first a public-key mechanism (RSA key transport or ECDH) agrees on a shared secret, then AES uses that secret to encrypt the bulk traffic. A quantum computer running Shor’s algorithm attacks the first stage. If it recovers the shared secret by breaking the key exchange, it gets the AES key directly and never has to attack AES at all.
This is why harvest-now-decrypt-later is a real problem even for AES-256 traffic. An adversary records an encrypted session today, including the public-key key-exchange messages, stores it, and waits for a capable quantum computer. When one arrives, it breaks the recorded key exchange, derives the session key, and decrypts the AES traffic retroactively. The AES layer stays strong. The channel that handed it the key is the exposure. The practical consequence is that standardizing on AES-256 is necessary housekeeping, and replacing the vulnerable public-key key exchange with a post-quantum one such as ML-KEM, often deployed as hybrid cryptography during the transition, is the heavy lifting.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.
Does CNSA 2.0 require AES-256?
Yes. CNSA 2.0, the NSA advisory that sets the post-quantum algorithm requirements for U.S. National Security Systems, names AES-256 (per FIPS 197) as the required symmetric cipher at every classification level. That requirement is strong public evidence of AES-256’s standing: the same advisory that retires classical public-key algorithms like RSA and ECDH in favor of ML-KEM and ML-DSA keeps AES-256 in place rather than replacing it.
When the most conservative cryptographic authority in the U.S. government builds its quantum-resistant suite around AES-256, that is about as clear an endorsement of the primitive’s longevity as exists. The requirement also propagates outward, because vendors who sell into national-security systems inherit the CNSA 2.0 clock, which makes AES-256 the effective symmetric floor for a large slice of the regulated market and a sensible default well beyond government.
Source: NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” CSA U/OO/194427-22, September 2022, nsa.gov.
Common misconceptions
- “Quantum computers will break AES.” They will not. The only known quantum attack is Grover’s, which halves the margin. AES-256 keeps about 128 bits of effective security, far beyond any foreseeable machine.
- “AES needs to be replaced with a post-quantum algorithm.” It does not. There is no post-quantum symmetric family to migrate to, because AES-256 already carries enough margin. The replacements are for public-key algorithms.
- “AES-128 is already broken by quantum.” It is not broken today, but its idealized post-Grover strength drops to about 64 bits, which is why AES-256 is the better long-term choice for data that must stay confidential for years.
- “All three AES key sizes are equally future-proof.” They are not. AES-256 lands at about 128 bits after Grover, while AES-128 lands at about 64, so the key size is the whole decision for long-lived data.
- “Any use of AES is equally secure.” The mode of operation and key management matter as much as the key size. AES in a misused mode, or with a reused GCM nonce, can be weak despite a strong key. See Block Cipher Modes.
- “Bigger AES keys are the hard part of the migration.” Moving to AES-256 is a configuration change. The hard, expensive part of the transition is finding and replacing vulnerable public-key cryptography.
Questions people ask
Is AES still safe to use today? Yes, and AES-256 is the recommended long-term symmetric baseline. AES is safe against classical attackers, and against a Grover-equipped quantum attacker AES-256 retains about 128 bits of effective security, which is a wide margin.
What key size should I use for AES? AES-256. All three sizes are unbroken classically, but AES-256 lands at about 128 bits of effective strength after Grover while AES-128 lands at about 64, so 256 is the clean baseline for anything that must stay confidential for years.
What is the difference between AES-128, AES-192, and AES-256? Key length and round count, not block size. AES-128 uses a 128-bit key and 10 rounds, AES-192 a 192-bit key and 12 rounds, and AES-256 a 256-bit key and 14 rounds. All process 128-bit blocks. The larger keys carry wider security margins.
Do I have to replace AES for post-quantum security? No. AES is one of the few primitives that carries forward through the transition unchanged. The post-quantum replacements target public-key algorithms like RSA and ECDH, not symmetric ciphers.
Does a quantum computer break AES the way it breaks RSA? No. RSA and ECDH fall to Shor’s algorithm, which solves the exact math they rest on, so they stop working entirely. AES faces only Grover’s algorithm, which merely halves the brute-force margin.
Is AES approved by NIST and required by any mandate? Yes. AES is a NIST standard (FIPS 197), and CNSA 2.0 requires AES-256 for U.S. national-security systems at every classification level.
If AES is safe, what should the migration actually focus on? The public-key layer: the RSA and ECDH key exchanges and signatures that quantum computers break. Replacing those with post-quantum standards, ideally with the agility to swap algorithms cleanly, is where the effort belongs.
Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.