up:: Classical Cryptography MOC
AES-128
AES-128 is the 128-bit key version of the Advanced Encryption Standard, the symmetric block cipher NIST standardized in FIPS 197 and one of the most widely deployed ciphers in the world. It is not broken today, and no classical attack comes close. Its quantum story is narrow but real: Grover’s algorithm halves the effective strength of any symmetric key, which takes AES-128 from 128 bits of security down to about 64 bits. Sixty-four bits is a thin margin for data that must stay secret for a decade or more, so the standing guidance for long-lived sensitive data is to move to AES-256, which keeps about 128 bits even after Grover. AES-128 sits on the surviving side of cryptography, the symmetric half that quantum computers merely weaken, unlike public-key algorithms such as RSA and ECDH that Shor’s algorithm breaks outright.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.
The short version:
- AES-128 is symmetric, so its security rests on the size of its key, not on the factoring or discrete-log math that quantum computers demolish.
- Grover’s algorithm gives a quadratic speedup on brute-force key search, which halves effective strength. AES-128 drops from 128-bit to roughly 64-bit quantum security.
- AES-128 is fine for short-lived data today, and the concern is margin for data that must stay confidential for many years.
- The clean fix is AES-256, which keeps about 128 bits after Grover. Moving up is a configuration change, not a new algorithm family.
- The real quantum exposure in a system using AES sits in the RSA or ECDH key exchange that delivers the AES key, not in AES itself.
- CNSA 2.0 builds its post-quantum suite around AES-256, and AES-128 is not part of it.
What is AES-128?
AES-128 is the smallest of the three standard key sizes of the Advanced Encryption Standard, a symmetric-key block cipher NIST published as FIPS 197 in 2001 after an open public competition won by the Rijndael design. Symmetric means one shared secret both encrypts and decrypts, so the same key protects and unlocks the data. AES processes data in fixed 128-bit blocks and comes in three key sizes, 128, 192, and 256 bits, which differ in key length and the number of internal rounds. AES-128 uses a 128-bit key and runs 10 rounds.
Because it is symmetric, AES-128’s security rests on one plain fact: nobody can search a 128-bit key space by brute force with a classical machine. There is no number-theoretic structure to exploit the way there is in RSA or elliptic-curve systems, which is exactly why the quantum story for AES is so different from the quantum story for public-key cryptography.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.
How does AES-128 work?
AES-128 is a substitution-permutation network that transforms a 128-bit block of data through 10 rounds of mixing driven by keys derived from the 128-bit master key. Each round applies four operations to the internal 128-bit state:
- SubBytes substitutes each byte through a fixed nonlinear lookup table (the S-box), which provides confusion, meaning the relationship between key and ciphertext is scrambled.
- ShiftRows cyclically shifts the rows of the state, spreading bytes across the block.
- MixColumns mixes the bytes within each column, so a change in one input byte diffuses across many output bytes.
- AddRoundKey combines the state with a round key derived from the master key through the key schedule.
The only structural difference between AES-128 and AES-256 is the key length and the round count, 10 rounds for AES-128 against 14 for AES-256. The block size stays 128 bits for all three variants. The shorter key and the smaller round count are what give AES-128 a narrower security margin than its larger sibling.
One caveat matters as much for AES-128 as for any variant: AES on its own only encrypts a single 128-bit block. Real systems never use a bare block cipher. They run AES inside a mode of operation that turns the block cipher into something that can protect messages and files of any length, and modern deployments favor authenticated modes that also detect tampering.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.
What is AES-128 used for?
AES-128 does the actual work of encrypting bulk data in an enormous range of systems, and it is often the variant a system uses by default rather than by deliberate choice. Its common homes:
- The TLS record layer. Once a browser and a server finish a TLS handshake, the session key is used with AES to encrypt every byte that follows, and many default TLS configurations negotiate AES-128-GCM. AES-128-GCM is one of the mandatory-to-implement cipher suites in TLS 1.3.
- Cloud storage and managed services. Provider-managed encryption often defaults to AES-128 unless an operator selects a larger key.
- Database and disk encryption. Transparent database encryption and full-disk encryption products frequently ship AES-128 as the default.
- Application and library defaults. Many SDKs and crypto libraries pick AES-128 as the out-of-the-box key size.
- Key wrapping. Key-management systems and hardware security modules use AES to encrypt other keys inside envelope hierarchies, and 128-bit key-encryption keys are common.
The pattern across all of these is that AES is the bulk-confidentiality workhorse. Something else negotiates or delivers the key, and AES protects the data once the key is in place. That division of labor is the key to understanding AES-128’s quantum exposure, because the fragile part is usually the key delivery rather than AES.
Source: E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.3,” RFC 8446, August 2018, §9.1 mandatory cipher suites, rfc-editor.org/rfc/rfc8446.
Is AES-128 quantum-safe?
AES-128 is safe against every attacker that exists today, and its quantum margin is thin rather than broken. The only known quantum attack against it, Grover’s algorithm, provides a quadratic speedup on brute-force key search, and that halves the effective bits of security. Walking the numbers:
- Grover’s algorithm searches an unstructured space of
Npossibilities in about√Nsteps instead of up toN. For ann-bit key, that turns roughly2^nwork into roughly2^(n/2)work, which halves the effective bits of security. - AES-128 starts with 128 bits of classical security. Halved by Grover, that is about 64 bits of effective quantum security.
- AES-128 is a symmetric cipher, so Shor’s algorithm, the quantum attack that actually breaks cryptography, does not apply to it. Shor solves factoring and discrete logarithms, the hard problems behind public-key systems, and AES rests on neither.
NIST states the symmetric case plainly: Grover’s search “can have the effect of requiring larger key sizes, even in the symmetric key case,” and “doubling the key size will be sufficient to preserve security.” The remedy for the whole symmetric layer is bigger parameters, and for AES the bigger parameter already exists as AES-256.
Two facts soften the picture and are worth stating honestly, because they explain why 64 bits does not mean AES-128 falls the moment a quantum computer boots up:
- Grover barely parallelizes. Its
√Nspeedup is fundamentally serial, so splitting the search across many quantum machines gives each only a√(N/M)share. A thousand machines buy about a 31x speedup, not a thousandfold one. - The circuits are enormous. Detailed resource estimates for running Grover against AES-128 show staggering qubit counts and circuit depths, and NIST’s own analysis, which caps attack cost by a maximum circuit depth, concludes the AES reference primitives provide substantially more quantum security than a naive halving suggests.
So 64 bits is the idealized worst case, and the practical attack is far harder still. The reason AES-128 is a planning concern rather than a crisis is margin over time, not imminent failure.
Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; Grassl, Langenberg, Roetteler and Steinwandt, “Applying Grover’s algorithm to AES: quantum resource estimates,” 2016, arXiv:1512.04965.
Should you upgrade AES-128 to AES-256?
For data that must stay confidential over a long horizon the answer is yes, move to AES-256, because the two variants land on opposite sides of the comfort line once Grover halves them. The at-a-glance comparison:
| Property | AES-128 | AES-256 |
|---|---|---|
| Key size | 128-bit | 256-bit |
| Rounds | 10 | 14 |
| Classical security | 128-bit | 256-bit |
| Effective quantum security (Grover) | ~64-bit (idealized) | ~128-bit |
| Vulnerable to Shor | No | No |
| Post-quantum verdict | Upgrade for long-lived data | Safe, the durable baseline |
The decision comes down to how long the data has to stay secret, so it splits cleanly by retention horizon:
- Short-lived data stays fine on AES-128. Session keys, ephemeral traffic, and anything whose confidentiality value expires in minutes or hours faces no realistic quantum threat, because no quantum computer will run a deep 64-bit Grover search before that data stops mattering.
- Long-lived sensitive data should move to AES-256. Archives, backups, regulated records, and anything that must stay confidential for a decade or more should carry the larger key, so that no future improvement in quantum search pressure erodes its protection over that horizon.
- Key-encryption keys deserve the larger key first. A 128-bit key that wraps many other keys concentrates risk, and upgrading the keys that protect other keys buys the most margin for the least work.
The upgrade path is unusually gentle. It is the same cipher with a longer key and four more rounds, so moving from AES-128 to AES-256 is a configuration change, not a migration to a new algorithm family. That is the opposite of the public-key side, where the vulnerable algorithms have to be replaced wholesale with post-quantum standards like ML-KEM.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.
Why is symmetric cryptography only weakened, not broken?
Symmetric cryptography survives the quantum transition because it rests on brute-force key search, and quantum computers speed that search up quadratically instead of collapsing it. The distinction between the two halves of cryptography is the whole story:
- Public-key cryptography is the catastrophe. RSA, Diffie-Hellman, ECDH, and the elliptic-curve signature schemes all rest on factoring or discrete logarithms. Shor’s algorithm solves both efficiently, so those algorithms stop working entirely and need brand-new post-quantum replacements like ML-KEM.
- Symmetric cryptography mostly survives. AES and the hash functions face only Grover’s algorithm, which halves the margin. AES has no factoring or discrete-log structure for Shor to attack, so the fix is a longer key rather than a new family.
The reason the difference is so stark is that Shor exploits hidden mathematical structure and Grover does not. Shor finds the periodicity buried in the factoring and discrete-log problems and turns a search into a calculation. AES-128 has no such structure, so the best a quantum computer can do is search its keys faster, and even that speedup is only the square root. That is why quantum computers shatter the public-key layer and merely dent the symmetric one, and why AES-128 needs a bigger key rather than a replacement.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016 (public-key algorithms fall, symmetric algorithms need larger key sizes), csrc.nist.gov/pubs/ir/8105/final.
Where is the real quantum exposure if AES-128 is used?
The exposure sits in the key exchange that delivers the AES key, not in AES-128 itself. A TLS session, a VPN tunnel, or an encrypted message almost always works in two stages: first a public-key mechanism (RSA key transport or ECDH) agrees on a shared secret, then AES uses that secret to encrypt the bulk traffic. A quantum computer running Shor’s algorithm attacks the first stage. If it recovers the shared secret by breaking the key exchange, it gets the AES key directly and never has to touch the 64-bit Grover problem at all.
This is why harvest-now-decrypt-later threatens even AES-128-encrypted traffic through a channel other than Grover. An adversary records an encrypted session today, including the public-key key-exchange messages, stores it, and waits for a capable quantum computer. When one arrives, it breaks the recorded key exchange, derives the session key, and decrypts the traffic retroactively, whatever AES key size was in use. The symmetric layer was never the weak link. The channel that handed it the key was.
The practical consequence is that upgrading AES-128 to AES-256 is a real improvement for long-lived data, and it is nowhere near the whole job. The heavy lifting of the transition is replacing the vulnerable public-key key exchange with a post-quantum one such as ML-KEM, often deployed alongside the classical algorithm as hybrid cryptography during the transition. Get the key exchange right and a well-sized symmetric cipher stays strong.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.
Is AES-128 part of CNSA 2.0?
No. CNSA 2.0, the NSA advisory that sets post-quantum algorithm requirements for U.S. National Security Systems, names AES-256 (per FIPS 197) as its required symmetric cipher, and AES-128 is not part of that suite. The same advisory that retires classical public-key algorithms like RSA and ECDH in favor of ML-KEM and ML-DSA keeps AES in place at the 256-bit key size, which is strong public evidence of where the most conservative U.S. cryptographic authority draws the symmetric line. When that authority builds its quantum-resistant suite around AES-256 rather than AES-128, the guidance for anyone protecting long-lived data follows.
The requirement also propagates outward. Vendors who sell into national-security systems inherit the CNSA 2.0 clock, which makes AES-256 the effective symmetric floor for a large slice of the regulated market and a sensible default well beyond government.
Source: NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” CSA U/OO/194427-22, September 2022, nsa.gov.
Common misconceptions
- “Quantum computers have already broken AES-128.” They have not. The only known quantum attack is Grover’s, which halves the idealized margin to about 64 bits, and running that search needs a deep quantum computation that does not exist yet.
- “AES-128 needs to be replaced with a post-quantum algorithm.” It does not. There is no post-quantum symmetric family to migrate to. The upgrade path is a longer key of the same cipher, AES-256, and the replacements are for public-key algorithms.
- “AES-128 is fine forever because it is not broken.” It is fine for short-lived data, and its roughly 64-bit quantum margin is thin for data that must stay confidential for a decade or more, which is why long-retention data should move to AES-256.
- “If my data is AES-128 encrypted, harvest-now-decrypt-later does not apply.” It can still apply, because the attacker targets the public-key key exchange that delivered the AES key, not the AES cipher itself.
- “AES-128 and AES-256 differ only in how hard they are to brute force classically.” They also differ in quantum margin, and that gap is the whole reason to prefer AES-256 for long-lived data. AES-128 lands near 64 bits under Grover while AES-256 lands near 128 bits.
- “Any use of AES-128 is equally secure.” The mode of operation and key management matter as much as the key size. AES-128 in a misused mode, or with a reused GCM nonce, can be weak despite a sound key.
Questions people ask
Is AES-128 still safe to use today? Yes. It is unbroken against classical attackers and faces no practical quantum attack now. The caution is about margin for long-lived data, where its roughly 64-bit quantum strength under Grover is thinner than many organizations want for a multi-year or multi-decade horizon.
Do I have to replace AES-128 for post-quantum security? Not with a new algorithm. For short-lived data AES-128 is acceptable, and for long-lived sensitive data the move is to AES-256, which is the same cipher with a longer key. The post-quantum replacements target public-key algorithms like RSA and ECDH, not symmetric ciphers.
What is the difference between AES-128 and AES-256 for quantum? Both are halved by Grover’s algorithm. AES-128 drops to about 64 bits of effective strength, which is below the comfort line for long-lived data, while AES-256 drops to about 128 bits, which stays safe. That gap is the reason to standardize on AES-256 for anything with a long confidentiality lifetime.
Does a quantum computer break AES-128 the way it breaks RSA? No. RSA and ECDH fall to Shor’s algorithm, which solves the exact math they rest on, so they stop working entirely. AES-128 faces only Grover’s algorithm, which merely halves the brute-force margin.
How urgent is upgrading AES-128 to AES-256? It depends on data lifetime. Ephemeral and short-lived data can stay on AES-128 for now, and long-retention archives, backups, regulated records, and key-encryption keys are the pieces worth upgrading first, because their confidentiality has to outlast the arrival of a capable quantum computer.
Is AES-128 approved by NIST? Yes. AES-128 is a NIST standard under FIPS 197. What CNSA 2.0 adds for national-security systems is a requirement for the 256-bit key size specifically, and AES-128 is not part of the CNSA 2.0 suite.
Why does harvest-now-decrypt-later still threaten AES-128 traffic? Because the attacker does not brute-force AES. They record the session, break the public-key key exchange later with a quantum computer, recover the shared secret, and use it to decrypt the traffic. The AES-128 layer is not what gives way. The key-delivery channel is.
If AES-128 is acceptable for short-lived data, where should migration effort actually go? To the public-key layer, the RSA and ECDH key exchanges and signatures that quantum computers break. Replacing those with post-quantum standards, ideally with the agility to swap algorithms and key sizes cleanly, is where the effort belongs, and standardizing new deployments on AES-256 is the low-cost symmetric move alongside it.
Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.