up:: Classical Cryptography MOC

AES-256

AES-256 is the 256-bit key version of the Advanced Encryption Standard, the symmetric block cipher standardized by NIST in FIPS 197 and used almost everywhere to encrypt bulk data. It survives the quantum transition. The best known quantum attack on it, Grover’s algorithm, only halves its brute-force strength, which leaves AES-256 with about 128 bits of effective security, still far out of reach. That is the opposite of what happens to public-key algorithms like RSA and ECDH, which Shor’s algorithm breaks outright. So the honest headline is narrow: quantum computers shatter the public-key layer and merely dent the symmetric one, and AES-256 sits comfortably on the safe side of that line.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.

The short version:

  • AES-256 is a symmetric cipher, so it rests on key size, not on the factoring or discrete-log math that quantum computers demolish.
  • Grover’s algorithm gives only a quadratic speedup on brute-force search, which halves effective strength. AES-256 goes from 256-bit to about 128-bit security and stays safe.
  • AES-128 drops to about 64-bit effective strength under the same attack, which is why the one symmetric move worth making is standardizing on AES-256.
  • The “quantum breaks all encryption” claim is wrong. It confuses the public-key layer (broken by Shor) with the symmetric layer (dented but fine).
  • The real quantum exposure in a system using AES sits in the RSA or ECDH key exchange that delivers the AES key, not in AES itself.
  • CNSA 2.0 requires AES-256 for U.S. national-security systems, which is the clearest signpost that AES-256 is a keeper.

What is AES-256?

AES-256 is the strongest of the three standard key sizes of the Advanced Encryption Standard, a symmetric-key block cipher NIST published as FIPS 197 in 2001 after an open, multi-year public competition won by the Rijndael design. Symmetric means the same key encrypts and decrypts, so both sides of a conversation share one secret. AES processes data in fixed 128-bit blocks and comes in three key sizes, 128, 192, and 256 bits, which differ in key length and the number of internal rounds they run. AES-256 uses a 256-bit key and 14 rounds.

Because it is symmetric, AES-256’s security rests on a single, simple fact: nobody can search a 256-bit key space by brute force. There is no clever number-theoretic structure to exploit the way there is in RSA or elliptic-curve systems, which is exactly why the quantum story for AES is so different from the quantum story for public-key cryptography.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.

How does AES-256 work?

AES-256 is a substitution-permutation network, not a Feistel cipher, and it transforms a 128-bit block of data through 14 rounds of mixing driven by keys derived from the 256-bit master key. Each round applies four operations to the internal 128-bit state:

  1. SubBytes substitutes each byte through a fixed nonlinear lookup table (the S-box), which provides confusion, meaning the relationship between key and ciphertext is scrambled.
  2. ShiftRows cyclically shifts the rows of the state, spreading bytes across the block.
  3. MixColumns mixes the bytes within each column, so a change in one input byte diffuses across many output bytes.
  4. AddRoundKey combines the state with a round key derived from the master key through the key schedule.

The only structural difference between AES-256 and AES-128 is the key length and the round count (14 rounds for AES-256 versus 10 for AES-128). The block size is 128 bits for all three variants. The larger key and extra rounds are what give AES-256 its wider security margin.

One important caveat: AES on its own only encrypts a single 128-bit block. Real systems never use a bare block cipher. They run AES inside a mode of operation that turns the block cipher into something that can protect messages and files of any length, and modern deployments favor authenticated modes that also detect tampering.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, csrc.nist.gov/pubs/fips/197/final.

What is AES-256 used for?

AES-256 does the actual work of encrypting bulk data almost everywhere it moves or rests, which is why it is one of the most widely deployed cryptographic primitives on earth. Its common homes:

  1. The TLS record layer. Once a browser and a server finish a TLS handshake, the session key they agree on is used with AES to encrypt every byte of the page, form, and API call that follows. AES-GCM is one of the two mandatory-to-implement cipher suites in TLS 1.3.
  2. Disk and device encryption. Full-disk encryption on laptops, phones, and servers uses AES to protect data at rest.
  3. VPN and IPsec traffic. Site-to-site and remote-access tunnels wrap their traffic in AES.
  4. Backups, archives, and databases. Long-retention stores and encrypted database columns lean on AES-256 specifically because the data has to stay confidential for years.
  5. Key wrapping. Key-management systems and hardware security modules use AES to encrypt (wrap) other keys inside envelope-encryption hierarchies.

The pattern across all of these is that AES is the bulk-confidentiality workhorse. Something else negotiates or delivers the key, and AES protects the data once the key is in place. That division of labor is the key to understanding its quantum exposure.

Source: E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.3,” RFC 8446, August 2018, §9.1 mandatory cipher suites, rfc-editor.org/rfc/rfc8446.

Is AES-256 quantum-safe?

Yes. AES-256 is considered quantum-safe because the only known quantum attack against it, Grover’s algorithm, provides just a quadratic speedup on brute-force key search, and that leaves AES-256 with a comfortable margin. Walking the numbers:

  1. Grover’s algorithm searches an unstructured space of N possibilities in about √N steps instead of up to N. For an n-bit key, that turns roughly 2^n work into roughly 2^(n/2) work, which halves the effective bits of security.
  2. AES-256 starts with 256 bits of classical security. Halved by Grover, that is about 128 bits of effective quantum security, which is still astronomically out of reach.
  3. AES-256 is a symmetric cipher, so Shor’s algorithm, the quantum attack that actually breaks cryptography, does not apply to it. Shor solves factoring and discrete logarithms, the hard problems behind public-key systems. AES rests on neither.

NIST states the symmetric case plainly: Grover’s search “can have the effect of requiring larger key sizes, even in the symmetric key case,” and “doubling the key size will be sufficient to preserve security.” The practical remedy for the whole symmetric layer is bigger parameters, and AES-256 already is the bigger parameter.

The real-world picture is even more forgiving than the clean halving suggests, for two reasons:

  1. Grover barely parallelizes. Its √N speedup is fundamentally serial, so splitting the search across many quantum machines gives each only a √(N/M) share. A thousand machines buy about a 31x speedup, not a thousandfold one.
  2. The circuits are enormous. Detailed resource estimates for running Grover against AES show the qubit counts and circuit depths are staggering, and NIST’s own analysis (which caps attack cost by a maximum circuit depth) concludes the AES reference primitives “provide substantially more quantum security than a naïve analysis might suggest.”

Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; Grassl, Langenberg, Roetteler and Steinwandt, “Applying Grover’s algorithm to AES: quantum resource estimates,” 2016, arXiv:1512.04965.

Should you use AES-128 or AES-256?

For post-quantum durability the answer is AES-256, because the two variants land on opposite sides of the comfort line once Grover halves them. The comparison:

CipherClassical securityQuantum attackEffective quantum strengthVerdict
AES-128128-bitGrover~64-bit (idealized)Move up to AES-256 for long-term data
AES-192192-bitGrover~96-bitAdequate, but 256 is the clean baseline
AES-256256-bitGrover~128-bitSafe, keep

AES-128 is not broken today, and 64 bits of idealized quantum strength still requires an attacker to run an enormous, deep quantum computation that does not exist yet. The reason to standardize on AES-256 is margin for long-lived data: anything that must stay confidential for a decade or more should carry the larger key so that no future improvement in quantum search pressure erodes its protection. AES-256 is the one symmetric change worth making proactively, and it is a configuration change rather than a new algorithm family.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

Why is “quantum breaks all encryption” wrong?

The claim is wrong because it collapses two very different halves of cryptography into one, and quantum computers do opposite things to each half. The distinction that the headline erases:

  1. Public-key cryptography is the catastrophe. RSA, Diffie-Hellman, ECDH, and the elliptic-curve signature schemes all rest on factoring or discrete logarithms, and Shor’s algorithm solves both efficiently. Those algorithms stop working entirely rather than merely weakening. This is the half that needs entirely new post-quantum standards like ML-KEM.
  2. Symmetric cryptography mostly survives. AES and the hash functions face only Grover’s algorithm, which halves the margin. The fix is a bigger key or a longer digest, not a new family. AES-256 keeps about 128 bits of security and carries forward unchanged.

So a more accurate headline is that quantum computers break the public-key half of cryptography and dent the symmetric half. AES-256 is squarely in the surviving group. Repeating “quantum breaks everything” is worse than imprecise, because it points remediation effort at the wrong layer, toward replacing AES when the urgent work is replacing the public-key algorithms around it.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016 (public-key algorithms fall; symmetric algorithms need larger key sizes), csrc.nist.gov/pubs/ir/8105/final.

Where is the real quantum exposure if AES-256 is safe?

The exposure sits in the key exchange that delivers the AES key, not in AES. A TLS session, a VPN tunnel, or an encrypted message almost always works in two stages: first a public-key mechanism (RSA key transport or ECDH) agrees on a shared secret, then AES uses that secret to encrypt the bulk traffic. A quantum computer running Shor’s algorithm attacks the first stage. If it recovers the shared secret by breaking the key exchange, it gets the AES key directly and never has to attack AES at all.

This is why harvest-now-decrypt-later is a real problem even for AES-256-encrypted traffic. An adversary records an encrypted session today, including the public-key key-exchange messages, stores it, and waits for a capable quantum computer. When one arrives, it breaks the recorded key exchange, derives the session key, and decrypts the AES traffic retroactively. The AES-256 layer was never the weak link. The channel that handed it the key was.

The practical consequence is that upgrading AES to 256-bit is necessary but nowhere near sufficient. The heavy lifting of the migration is replacing the vulnerable public-key key exchange with a post-quantum one such as ML-KEM, often deployed alongside the classical algorithm as hybrid cryptography during the transition. Get the key exchange right and a strong symmetric cipher like AES-256 stays strong.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

What do modes like GCM add to AES-256?

A mode of operation is the wrapper that turns AES from a single-block cipher into something that can encrypt a whole message, and the modern default, Galois/Counter Mode, adds tamper detection on top of confidentiality. AES on its own maps one 128-bit block to one 128-bit block. GCM, standardized in NIST SP 800-38D, runs AES in a counter mode to encrypt data of any length and simultaneously computes an authentication tag that lets the recipient detect any modification. That combination is called authenticated encryption, and it is why “AES-256-GCM” is the string you see in modern TLS cipher suites rather than plain AES-256.

The mode matters for security as much as the key size does. The same AES-256 key can be strong or weak depending on how the mode is used. GCM in particular fails badly if the same nonce (the per-message counter value) is ever reused with the same key, so correct nonce handling is part of using AES-256 safely. None of this changes the quantum story, though. Grover’s halving is a property of the key size, and every standard multi-round AES mode is bounded by it in the same way.

Source: NIST, “Recommendation for Block Cipher Modes of Operation - Galois/Counter Mode (GCM) and GMAC,” SP 800-38D, November 2007, csrc.nist.gov/pubs/sp/800/38/d/final.

Does CNSA 2.0 require AES-256?

Yes. CNSA 2.0, the NSA advisory that sets the post-quantum algorithm requirements for U.S. National Security Systems, names AES-256 (per FIPS 197) as the required symmetric cipher at every classification level. That requirement is strong public evidence of AES-256’s standing: the same advisory that retires classical public-key algorithms like RSA and ECDH in favor of ML-KEM and ML-DSA keeps AES-256 in place rather than replacing it. When the most conservative cryptographic authority in the U.S. government builds its quantum-resistant suite around AES-256, that is about as clear an endorsement of the primitive’s longevity as exists.

The requirement also propagates outward. Because vendors who sell into national-security systems inherit the CNSA 2.0 clock, AES-256 is effectively the symmetric floor for a large slice of the regulated market, which makes it a sensible default well beyond government.

Source: NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” CSA U/OO/194427-22, September 2022, nsa.gov.

Common misconceptions

  1. “Quantum computers will break AES-256.” They will not. The only known quantum attack is Grover’s, which halves the margin to about 128 bits of effective security, still far beyond any foreseeable machine.
  2. “AES-256 needs to be replaced with a post-quantum algorithm.” It does not. There is no post-quantum symmetric family to migrate to, because AES-256 already carries enough margin. The replacements are for public-key algorithms.
  3. “AES-128 is already broken by quantum.” It is not broken today, but its effective strength under an idealized Grover attack drops to about 64 bits, which is why AES-256 is the better long-term choice for data that must stay confidential for years.
  4. “If my data is AES-256 encrypted, harvest-now-decrypt-later does not apply.” It can still apply, because the attacker targets the public-key key exchange that delivered the AES key, not the AES cipher itself.
  5. “Any use of AES is equally secure.” The mode of operation and key management matter as much as the key size. AES-256 in a misused mode, or with a reused GCM nonce, can be weak despite the strong key.
  6. “Bigger AES keys are the hard part of the migration.” Moving to AES-256 is a configuration change. The hard, expensive part of the transition is finding and replacing vulnerable public-key cryptography.

Questions people ask

Is AES-256 still safe to use today? Yes, and it is the recommended long-term symmetric baseline. It is safe against classical attackers and retains about 128 bits of effective security against a Grover-equipped quantum attacker, which is a wide margin.

Do I have to replace AES-256 for post-quantum security? No. AES-256 is one of the few primitives that carries forward through the transition unchanged. The post-quantum replacements target public-key algorithms like RSA and ECDH, not symmetric ciphers.

What is the difference between AES-128 and AES-256 for quantum? Both are halved by Grover’s algorithm. AES-128 drops to about 64 bits of effective strength, which is below the comfort line for long-lived data, while AES-256 drops to about 128 bits, which stays safe. That gap is the whole reason to standardize on AES-256.

Does a quantum computer break AES the way it breaks RSA? No. RSA and ECDH fall to Shor’s algorithm, which solves the exact math they rest on, so they stop working entirely. AES faces only Grover’s algorithm, which merely halves the brute-force margin.

Why does harvest-now-decrypt-later still threaten AES-256 traffic? Because the attacker does not attack AES. They record the session, break the public-key key exchange later with a quantum computer, recover the shared secret, and use it to decrypt the AES traffic. The AES-256 layer stays strong; the key-delivery channel is the exposure.

Is AES-256 approved by NIST and required by any mandate? Yes. AES is a NIST standard (FIPS 197), and CNSA 2.0 requires AES-256 for U.S. national-security systems at every classification level.

Should I worry about AES-256-GCM specifically? GCM is a strong, authenticated mode and is fine to use. The one operational hazard is nonce reuse with the same key, which breaks GCM’s guarantees. Correct nonce management is part of using it safely, and it has nothing to do with quantum.

If AES-256 is safe, what should the migration actually focus on? The public-key layer: the RSA and ECDH key exchanges and signatures that quantum computers break. Replacing those with post-quantum standards, ideally with the agility to swap algorithms cleanly, is where the effort belongs.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.