up:: Classical Cryptography MOC

FIPS 197

FIPS 197 is the NIST standard that defines the Advanced Encryption Standard (AES), the symmetric block cipher that does most of the world’s bulk data encryption. Published in 2001, it specifies the Rijndael cipher operating on 128-bit blocks with three key sizes, 128, 192, and 256 bits. AES is the symmetric workhorse underneath TLS sessions, disk encryption, VPNs, and encrypted backups, and it’s the reassuring half of the quantum story: AES survives. The best known quantum attack on it, Grover’s algorithm, gives only a square-root speedup on key search, so AES-256 keeps about 128 bits of effective security and stays safe, while AES-128 drops to about 64 and is the one worth moving up. That’s the opposite of what happens to the public-key algorithms like RSA and ECDH, which Shor’s algorithm breaks outright.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, November 2001, updated May 2023, FIPS 197.

The short version:

  1. FIPS 197 is the NIST document that standardizes AES. AES is the cipher; FIPS 197 is the standard that defines it.
  2. It specifies the Rijndael design at three key sizes, AES-128, AES-192, and AES-256, all working on 128-bit blocks.
  3. AES is symmetric, so its security rests on key size, not on the factoring or discrete-log math that a quantum computer demolishes.
  4. AES survives the quantum transition. Grover’s algorithm halves effective strength, so AES-256 keeps about 128 bits and stays safe, and AES-128 drops to about 64.
  5. There’s no post-quantum symmetric standard to migrate to. The one move worth making is standardizing on AES-256 for long-lived data. The urgent work is replacing the vulnerable public-key algorithms around AES.

Think of FIPS 197 as the building code and AES as the lock the code approves. The code says exactly how the lock is built, which sizes are allowed, and how to test that a given lock is really up to spec. When a bank or a browser or a government agency says “we use AES,” what they mean underneath is “we use a cipher built to FIPS 197.” That’s why one short government document ends up sitting under a huge fraction of the encrypted traffic on earth.

What is FIPS 197?

FIPS 197 is a Federal Information Processing Standard, issued by NIST, that specifies the Advanced Encryption Standard. NIST originally published it on November 26, 2001, and reissued it with an editorial update on May 9, 2023 that made no technical changes to the algorithm. A FIPS is a mandatory standard for U.S. federal agencies and their contractors, so FIPS 197 is the document that makes AES the approved symmetric cipher for the U.S. government, and by inheritance for the enormous regulated market that follows federal cryptographic policy.

The standard does one thing precisely: it defines the algorithm. It gives the exact transformations, the three approved key lengths, and the test vectors that let anyone confirm an implementation computes AES correctly. It does not tell you how to manage keys, which mode to run the cipher in, or how to build a protocol around it; those live in companion NIST publications. FIPS 197 is the narrow, load-bearing core, the definition every other document points back to when it says “AES.”

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, November 2001, updated May 2023, FIPS 197.

What is AES?

AES is the symmetric block cipher that FIPS 197 defines, based on the Rijndael design by Joan Daemen and Vincent Rijmen. Symmetric means the same key encrypts and decrypts, so both sides of a conversation share one secret. AES processes data in fixed 128-bit blocks and comes in three key sizes that differ in key length and in the number of internal rounds they run: AES-128 (10 rounds), AES-192 (12 rounds), and AES-256 (14 rounds). Every variant uses the same 128-bit block size.

Because it’s symmetric, AES has no hidden number-theoretic structure to exploit. Its security rests on the plain fact that nobody can search a large enough key space by brute force, which is exactly why its quantum story is so different from the story for public-key cryptography. AES is the bulk-confidentiality layer: something else negotiates or delivers a key, and AES protects the data once that key is in place. The internal mechanics of how those rounds scramble a block, the S-box, ShiftRows, MixColumns, and the key schedule, are covered in depth in the AES-256 note; this note stays on the standard itself.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, November 2001, updated May 2023, FIPS 197.

Where did AES come from, and what did it replace?

AES came out of an open, multi-year public competition NIST ran to replace the aging Data Encryption Standard (DES), whose 56-bit key had become brute-forceable. NIST announced the competition in 1997, invited cipher submissions from cryptographers worldwide, and subjected the finalists to years of public analysis. In October 2000 it selected the Rijndael design as the winner, and it published the result as FIPS 197 in 2001. That open process is a large part of why AES is trusted: the design was attacked in the open for years before it was standardized, rather than handed down from behind closed doors.

AES replaced DES and its stopgap successor Triple DES (3DES) as the government’s approved symmetric cipher. The lesson underneath that transition is the one the quantum migration repeats: a cipher’s key size has a shelf life, and when the margin erodes, the fix for symmetric cryptography is a bigger key, which is precisely what AES delivered over DES.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, November 2001, updated May 2023, FIPS 197.

What key sizes does FIPS 197 define?

FIPS 197 defines exactly three approved key sizes, and the choice between them is the whole practical decision the standard hands you. All three share the same 128-bit block; they differ in key length and round count, and those differences set the security margin.

VariantKey sizeRoundsBlock sizeClassical security
AES-128128-bit10128-bit128-bit
AES-192192-bit12128-bit192-bit
AES-256256-bit14128-bit256-bit

Against a classical attacker all three are strong, and AES-128 is not broken today. The reason to prefer AES-256 is durability against future pressure, especially the quantum kind covered below. Choosing a variant is a configuration decision, not an algorithm change, because all three are the same cipher at different sizes.

Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, November 2001, updated May 2023, FIPS 197.

Does a quantum computer break AES?

No. A quantum computer weakens AES but does not break it, which is the single most important thing to understand about the standard’s future. The only known quantum attack against AES is Grover’s algorithm, and Grover only speeds up brute-force key search quadratically, turning roughly 2^n work for an n-bit key into roughly 2^(n/2). That halves the effective bits of security. Walking the three sizes through that halving is the whole quantum verdict for AES:

VariantKey sizeClassical strengthEffective quantum strength under GroverVerdict
AES-128128-bit128-bit~64-bitMove up to AES-256 for long-lived data
AES-192192-bit192-bit~96-bitAdequate, but 256 is the clean baseline
AES-256256-bit256-bit~128-bitSafe, keep

AES-256 lands at about 128 bits of effective security under Grover, which is still astronomically out of reach, so it stays safe. AES-128 lands at about 64 bits, below the comfort line for data that must stay confidential for years, which is why the sensible symmetric move is standardizing on AES-256. Crucially, Shor’s algorithm, the quantum attack that actually breaks cryptography, does not apply to AES at all, because Shor solves factoring and discrete logarithms and AES rests on neither. NIST states the symmetric case plainly: Grover’s search “can have the effect of requiring larger key sizes, even in the symmetric key case,” and doubling the key size is enough to preserve security. AES-256 already is the bigger key.

The real-world margin is even more forgiving than the clean halving suggests, because Grover barely parallelizes (its square-root speedup is fundamentally serial) and the circuits required to run it against AES are enormous. There’s no post-quantum symmetric standard to migrate to, because AES-256 already carries the margin.

Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, NISTIR 8105.

Grassl, Langenberg, Roetteler and Steinwandt, “Applying Grover’s algorithm to AES, quantum resource estimates,” 2016, arXiv:1512.04965.

Where’s the real quantum exposure if AES survives?

The exposure sits in the key exchange that delivers the AES key, not in AES itself. Almost every secure connection works in two stages: a public-key mechanism (RSA key transport or ECDH) agrees on a shared secret, then AES uses that secret to encrypt the bulk traffic. A quantum computer running Shor’s algorithm attacks the first stage. If it recovers the shared secret by breaking the recorded key exchange, it gets the AES key directly and never has to touch AES.

This is why harvest-now-decrypt-later threatens even AES-256-encrypted traffic. An adversary records an encrypted session today, including the public-key handshake, stores it, and waits for a capable quantum computer to unlock the key-agreement step and decrypt the AES traffic retroactively. The AES layer, built to FIPS 197, was never the weak link. The channel that handed it the key is the exposure, which is why the heavy work of the migration is replacing the vulnerable public-key algorithms with post-quantum standards like ML-KEM, not touching AES.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, NISTIR 8105.

What’s FIPS 197’s status today, and is AES still required?

FIPS 197 is current and in force, and AES-256 is required at the highest assurance levels. The May 2023 reissue kept the algorithm unchanged, so the standard published in 2001 is the standard in use now. What sharpens its standing is what the post-quantum policy did with it: CNSA 2.0, the NSA suite for U.S. national-security systems, names AES-256 (per FIPS 197) as the required symmetric cipher at every classification level, in the same advisory that retires classical public-key algorithms like RSA and ECDH in favor of ML-KEM and ML-DSA.

When the most conservative cryptographic authority in the U.S. government builds its quantum-resistant suite around a FIPS 197 cipher rather than replacing it, that’s about as clear a signpost of the standard’s longevity as exists. Because vendors selling into national-security systems inherit the CNSA 2.0 clock, AES-256 is effectively the symmetric floor for a large slice of the regulated market and a sensible default well beyond government.

Source: NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” CSA U/OO/194427-22, September 2022, CNSA 2.0.

Common misconceptions

  1. “FIPS 197 and AES are two different things.” They’re two names for the same thing at different levels. AES is the cipher, and FIPS 197 is the NIST standard that defines it. Saying “FIPS 197-compliant” and “AES” points at the same algorithm.
  2. “A quantum computer will break AES.” It won’t. The only known quantum attack is Grover’s, which halves the margin. AES-256 keeps about 128 bits of effective security, still far beyond any foreseeable machine.
  3. “AES needs a post-quantum replacement.” There’s no post-quantum symmetric family to migrate to, because AES-256 already carries enough margin. The replacements are for public-key algorithms.
  4. “AES-128 is already broken by quantum.” It isn’t broken today. Its effective strength under an idealized Grover attack drops to about 64 bits, which is the reason to prefer AES-256 for anything long-lived, not a present-day break.
  5. “FIPS 197 tells you everything you need to encrypt safely.” It defines the cipher only. Safe use also needs a mode of operation and correct key management, which live in companion standards like NIST SP 800-38 series. A strong AES key in a misused mode can still be weak.
  6. “If my data is AES-256 encrypted, harvest-now-decrypt-later doesn’t apply.” It can still apply, because the attacker targets the public-key key exchange that delivered the AES key, not the AES cipher itself.

Questions people ask

Is FIPS 197 the same as AES? Effectively yes. AES is the algorithm, and FIPS 197 is the NIST standard that specifies it. When a product claims AES, it’s claiming to implement the cipher defined in FIPS 197.

When was FIPS 197 published? NIST published it on November 26, 2001, after a multi-year public competition to replace DES, and reissued it with an editorial-only update on May 9, 2023 that made no technical changes to the algorithm.

Which AES key size should I use? AES-256 for long-lived data, because it keeps about 128 bits of effective security even against a quantum attacker, while AES-128 drops to about 64. Moving to AES-256 is a configuration change, not a new algorithm.

Does a quantum computer break AES the way it breaks RSA? No. RSA and ECDH fall to Shor’s algorithm, which solves the exact math they rest on, so they stop working entirely. AES faces only Grover’s algorithm, which merely halves the brute-force margin, so AES-256 survives.

Do I need FIPS validation to use AES? Using AES and having a FIPS-validated module are different things. Anyone can implement the AES algorithm from FIPS 197, but selling into federal environments generally requires a FIPS 140-3 validated cryptographic module, which is a separate certification of the implementation, not of the algorithm.

Is AES still approved for post-quantum security? Yes. CNSA 2.0 requires AES-256 (per FIPS 197) for U.S. national-security systems at every classification level, in the same advisory that retires classical public-key algorithms. AES-256 carries forward through the quantum transition unchanged.

If AES survives, what should a migration actually focus on? The public-key layer: the RSA and ECDH key exchanges and signatures that quantum computers break. Replacing those with post-quantum standards, ideally with the agility to swap algorithms cleanly, is where the effort belongs.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.