up:: Classical Cryptography MOC

AES-192

AES-192 is the 192-bit key version of the Advanced Encryption Standard, the middle of the three key sizes NIST standardized in FIPS 197, and it survives the quantum transition. The best known quantum attack on it, Grover’s algorithm, only halves its brute-force strength, which leaves AES-192 with about 96 bits of effective security, still far out of reach. It maps to NIST security category 3, sitting between AES-128 (category 1) and AES-256 (category 5). Like all symmetric AES, its quantum exposure is mild, because Shor’s algorithm, the attack that shatters public-key algorithms like RSA and ECDH, does not touch it.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.

The short version:

  • AES-192 is a symmetric cipher, so its security rests on the size of its key, not on the factoring or discrete-log math that quantum computers demolish.
  • Grover’s algorithm gives only a quadratic speedup on brute-force search, which halves effective strength. AES-192 goes from 192-bit to about 96-bit security and stays safe.
  • It is the least-deployed of the three AES sizes, and it is absent from the TLS 1.3 cipher suites, which offer only AES-128 and AES-256.
  • AES-192 maps to NIST security category 3, the same strength tier NIST recommends as a general-purpose default for post-quantum algorithms.
  • The real quantum exposure in a system using AES sits in the RSA or ECDH key exchange that delivers the AES key, not in AES itself.
  • CNSA 2.0 requires AES-256 for U.S. national-security systems and does not name AES-192, so AES-256 is the cleaner long-term baseline.

What is AES-192?

AES-192 is the middle of the three standard key sizes of the Advanced Encryption Standard, a symmetric-key block cipher NIST published as FIPS 197 in 2001 after an open, multi-year public competition won by the Rijndael design. Symmetric means the same key encrypts and decrypts, so both sides of a conversation share one secret. AES processes data in fixed 128-bit blocks and comes in three key sizes, 128, 192, and 256 bits, which differ in key length and the number of internal rounds they run. AES-192 uses a 192-bit key and runs 12 rounds, one step up from AES-128’s 10 rounds and one below AES-256’s 14.

Because it is symmetric, AES-192’s security rests on a single, simple fact: nobody can search a 192-bit key space by brute force. There is no number-theoretic structure to exploit the way there is in RSA or elliptic-curve systems, which is exactly why the quantum story for AES is so different from the quantum story for public-key cryptography.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.

How does AES-192 work?

AES-192 is a substitution-permutation network that transforms a 128-bit block of data through 12 rounds of mixing driven by keys derived from the 192-bit master key. Each round applies the same four operations every AES variant uses:

  1. SubBytes substitutes each byte through a fixed nonlinear lookup table (the S-box), which provides confusion, meaning the relationship between key and ciphertext is scrambled.
  2. ShiftRows cyclically shifts the rows of the state, spreading bytes across the block.
  3. MixColumns mixes the bytes within each column, so a change in one input byte diffuses across many output bytes.
  4. AddRoundKey combines the state with a round key derived from the master key through the key schedule.

The only structural difference between AES-192 and its siblings is the key length and the round count. AES-192 runs 12 rounds against 10 for AES-128 and 14 for AES-256, and the block size stays 128 bits for all three. The larger key and the extra rounds over AES-128 are what give AES-192 a wider security margin than the smallest variant. The full round-by-round mechanism, the S-box construction, the key schedule, and the mode-of-operation details are covered in depth on the AES-256 note, and everything there applies to AES-192 with the round count changed from 14 to 12.

One caveat carries over from every AES variant: AES on its own only encrypts a single 128-bit block. Real systems never use a bare block cipher. They run AES inside a mode of operation that turns the block cipher into something that can protect messages and files of any length, and modern deployments favor authenticated modes that also detect tampering.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.

What is AES-192 used for?

AES-192 is the least common of the three AES key sizes in practice, and it shows up where a configuration or a standard explicitly selects a 192-bit key rather than defaulting to 128 or 256. Its typical homes:

  1. IPsec and VPN configurations. Some IPsec policies and VPN products expose AES-192 as a selectable cipher for their tunnels, alongside the more common 128 and 256-bit options.
  2. Disk and file encryption options. A handful of storage and archive tools let an operator pick AES-192 when they want more margin than AES-128 without the full cost of AES-256.
  3. Cryptographic libraries and key stores. General-purpose crypto libraries implement all three key sizes, so AES-192 is available anywhere the developer names a 192-bit key.
  4. Key wrapping. Key-management systems can wrap other keys under a 192-bit AES key inside envelope-encryption hierarchies.

The one place AES-192 is conspicuously missing is TLS 1.3. The protocol behind the browser padlock defines its AES cipher suites at 128 and 256 bits only, so a modern web session negotiates AES-128-GCM or AES-256-GCM and never AES-192. That absence is a large part of why AES-192 sees so little traffic on the public internet: the most common secure-transport protocol on earth simply does not offer it.

Source: E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.3,” RFC 8446, August 2018, Appendix B.4 cipher suites, rfc-editor.org/rfc/rfc8446.

Is AES-192 quantum-safe?

Yes. AES-192 is considered quantum-safe because the only known quantum attack against it, Grover’s algorithm, provides just a quadratic speedup on brute-force key search, and that leaves AES-192 with a wide margin. Walking the numbers:

  1. Grover’s algorithm searches an unstructured space of N possibilities in about √N steps instead of up to N. For an n-bit key, that turns roughly 2^n work into roughly 2^(n/2) work, which halves the effective bits of security.
  2. AES-192 starts with 192 bits of classical security. Halved by Grover, that is about 96 bits of effective quantum security, which is still astronomically out of reach.
  3. AES-192 is a symmetric cipher, so Shor’s algorithm, the quantum attack that actually breaks cryptography, does not apply to it. Shor solves factoring and discrete logarithms, the hard problems behind public-key systems. AES rests on neither.

NIST states the symmetric case plainly: Grover’s search “can have the effect of requiring larger key sizes, even in the symmetric key case,” and “doubling the key size will be sufficient to preserve security.” The practical remedy for the whole symmetric layer is bigger parameters, and AES-192 already carries far more than the 128-bit comfort line that its 96-bit effective margin clears.

The real-world picture is even more forgiving than the clean halving suggests, for two reasons:

  1. Grover barely parallelizes. Its √N speedup is fundamentally serial, so splitting the search across many quantum machines gives each only a √(N/M) share. A thousand machines buy about a 31x speedup, not a thousandfold one.
  2. The circuits are enormous. Detailed resource estimates for running Grover against AES show staggering qubit counts and circuit depths, and NIST’s own analysis, which caps attack cost by a maximum circuit depth, concludes the AES reference primitives “provide substantially more quantum security than a naïve analysis might suggest.”

Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; Grassl, Langenberg, Roetteler and Steinwandt, “Applying Grover’s algorithm to AES: quantum resource estimates,” 2016, arXiv:1512.04965.

How does AES-192 compare to AES-128 and AES-256?

AES-192 lands squarely in the middle on every axis, and the comparison is the fastest way to see where it fits. All three share the same 128-bit block, the same round operations, and immunity to Shor’s algorithm; they differ in key length, round count, and how much margin they keep once Grover halves them:

CipherKey sizeRoundsClassical securityQuantum attackEffective quantum strengthVerdict
AES-128128-bit10128-bitGrover’s~64-bit (idealized)Move up for long-lived data
AES-192192-bit12192-bitGrover’s~96-bitSafe, but less deployed than 256
AES-256256-bit14256-bitGrover’s~128-bitSafe, the clean baseline

AES-192’s roughly 96-bit effective quantum strength sits comfortably above the 64-bit level where AES-128 starts to look thin for long-lived data, so AES-192 is a genuinely safe choice. The reason most guidance still points to AES-256 rather than AES-192 is not weakness in the 192-bit variant. It is standardization: TLS 1.3 offers 128 and 256 only, and CNSA 2.0 requires 256, so AES-256 is the option with the widest support and the clearest mandate behind it. AES-192 is the correct answer when a system specifically needs a 192-bit key; AES-256 is the correct answer when you want the durable default that everything supports.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

What NIST security level is AES-192?

AES-192 is the anchor for NIST security category 3, the middle rung of the five-level scale NIST uses to rate post-quantum algorithms. Rather than invent a fresh strength unit, NIST pegged each category to the difficulty of attacking a primitive the world already trusts, and it defined Category 3 as any attack costing at least as much as a key search on a block cipher with a 192-bit key, which is AES-192. So when a standard like ML-KEM advertises its ML-KEM-768 parameter set at Category 3, it is claiming strength comparable to breaking AES-192.

That makes AES-192 a useful reference point even in systems that never deploy it as a cipher. Category 3 is the level NIST recommends as a sensible general-purpose default for post-quantum deployments, so AES-192’s difficulty is the yardstick a large share of the new standards are calibrated against. The full scale, and how each post-quantum parameter set maps onto it, lives on the security level note.

Source: NIST, “Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process,” December 2016, Call for Proposals.

Why isn’t AES-192 in CNSA 2.0?

CNSA 2.0, the NSA advisory that sets post-quantum algorithm requirements for U.S. National Security Systems, names AES-256 (per FIPS 197) as its required symmetric cipher at every classification level, and it does not include AES-192. The choice reflects a preference for the maximum symmetric margin rather than any flaw in AES-192. When the most conservative cryptographic authority in the U.S. government picks a single symmetric cipher for its quantum-resistant suite, it picks the one with the widest margin, and AES-256’s roughly 128-bit effective quantum strength is that maximum.

The practical consequence is straightforward. Because vendors who sell into national-security systems inherit the CNSA 2.0 clock, AES-256 is effectively the symmetric floor for a large slice of the regulated market. AES-192 remains a fully approved NIST cipher under FIPS 197 and a safe choice on its own terms, and for organizations that want the option with the clearest mandate and the broadest protocol support, AES-256 is the cleaner default.

Source: NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” CSA U/OO/194427-22, September 2022, nsa.gov.

Where is the real quantum exposure if AES-192 is safe?

The exposure sits in the key exchange that delivers the AES key, not in AES-192. A VPN tunnel, an IPsec session, or an encrypted message almost always works in two stages: first a public-key mechanism (RSA key transport or ECDH) agrees on a shared secret, then AES uses that secret to encrypt the bulk traffic. A quantum computer running Shor’s algorithm attacks the first stage. If it recovers the shared secret by breaking the key exchange, it gets the AES key directly and never has to attack AES at all.

This is why harvest-now-decrypt-later is a real problem even for AES-192-encrypted traffic. An adversary records an encrypted session today, including the public-key key-exchange messages, stores it, and waits for a capable quantum computer. When one arrives, it breaks the recorded key exchange, derives the session key, and decrypts the AES traffic retroactively. The AES-192 layer was never the weak link. The channel that handed it the key was.

The practical takeaway is that the AES key size is nowhere near the hard part of the migration. The heavy lifting is replacing the vulnerable public-key key exchange with a post-quantum one such as ML-KEM, often deployed alongside the classical algorithm as hybrid cryptography during the transition. Get the key exchange right and a well-sized symmetric cipher like AES-192 or AES-256 stays strong.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

Common misconceptions

  1. “Quantum computers will break AES-192.” They will not. The only known quantum attack is Grover’s, which halves the margin to about 96 bits of effective security, still far beyond any foreseeable machine.
  2. “AES-192 needs to be replaced with a post-quantum algorithm.” It does not. There is no post-quantum symmetric family to migrate to, because AES-192 already carries enough margin. The replacements are for public-key algorithms.
  3. “AES-192 is weaker than AES-256, so it must be quantum-vulnerable.” It has a smaller margin than AES-256, and 96 bits of effective quantum strength is still safe. The reason to prefer AES-256 is broader support and a clearer mandate, not a quantum weakness in AES-192.
  4. “AES-192 is a standard TLS cipher.” TLS 1.3 defines its AES cipher suites at 128 and 256 bits only, so AES-192 does not appear on a modern web session. It shows up mainly in IPsec, VPN, and storage configurations that select it explicitly.
  5. “If my data is AES-192 encrypted, harvest-now-decrypt-later does not apply.” It can still apply, because the attacker targets the public-key key exchange that delivered the AES key, not the AES cipher itself.
  6. “The security category number and the key size are the same thing.” They are not. AES-192’s 192-bit key is what anchors NIST security category 3, but the category is a strength tier defined by comparison, and post-quantum parameter-set names like ML-KEM-768 are internal design numbers, not the category.

Questions people ask

Is AES-192 still safe to use today? Yes. It is safe against classical attackers and retains about 96 bits of effective security against a Grover-equipped quantum attacker, which is a wide margin. The main reason it is less recommended than AES-256 comes down to deployment support rather than any security gap.

Do I have to replace AES-192 for post-quantum security? No. AES-192 is one of the primitives that carries forward through the transition unchanged. The post-quantum replacements target public-key algorithms like RSA and ECDH, not symmetric ciphers.

What is the difference between AES-192 and AES-256 for quantum? Both are halved by Grover’s algorithm. AES-192 drops to about 96 bits of effective strength and AES-256 to about 128 bits, and both stay safe. AES-256 keeps more margin and has broader protocol support and a mandate behind it, which is why it is the more common recommendation.

Why is AES-192 used so rarely? It falls between the two sizes most systems reach for, and the dominant secure-transport protocol, TLS 1.3, offers only AES-128 and AES-256. Where a 192-bit key is not explicitly required, deployments tend to default to 128 or step straight to 256.

How many rounds does AES-192 use? AES-192 runs 12 rounds, compared with 10 for AES-128 and 14 for AES-256. All three use the same 128-bit block and the same four per-round operations, and only the key length and round count differ.

Which NIST security level does AES-192 correspond to? AES-192 is the reference primitive for NIST security category 3, the middle of the five-level post-quantum strength scale, which NIST recommends as a general-purpose default for new deployments.

Does a quantum computer break AES-192 the way it breaks RSA? No. RSA and ECDH fall to Shor’s algorithm, which solves the exact math they rest on, so they stop working entirely. AES-192 faces only Grover’s algorithm, which merely halves the brute-force margin.

If AES-192 is safe, where should the migration actually focus? On the public-key layer: the RSA and ECDH key exchanges and signatures that quantum computers break. Replacing those with post-quantum standards, ideally with the agility to swap algorithms cleanly, is where the effort belongs.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.