The Advanced Encryption Standard (AES) is a symmetric encryption algorithm – and if you are here you are likely choosing between AES-128 and AES-256, or wondering which is more secure. The last digits are the length of the "secret key" in bits – think of it like the number of characters in your password, or the teeth on a physical key. From the outside the obvious choice is a 256-bit key, right? While it seems obviously better, does a 256-bit AES key actually make you more or less secure? This discussion will walk through some of the security behind AES-128 and AES-256.
Brute Force Attack Protection
A brute force attack is a guessing attack where an attacker tries all the potential secret keys until the right one is found. A brute force attack will succeed with 100% probability. Try every single key in the world to unlock your door, and eventually you'll find the right one, right? It isn't a question of IF the key can be found, but WHEN the key will be found.
But when considering how to protect against brute force attacks, you have to understand what different key lengths do. Combine that with the impending arrival of quantum computing. So the question remains: are the current forms of AES strong enough?
A Difference in Key Lengths
The main difference between 128 and 256-bit encryption algorithms is the length of the secret key that each uses. The numeric value of AES-128 and AES-256 corresponds to the 128-bit and 256-bit keys respectively.
In theory, the longer the secret key, the harder it is for an attacker to guess via brute force attack. However, you can't assume that AES-256 is twice as strong as AES-128. That isn't how this works.
First, AES-128 has 2^128 and AES-256 has 2^256 potential secret keys. Those are BIG numbers! Each bit added to the key length causes the key space to double. This means that AES-256 has 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 times as many keys as AES-128.
Therefore, a brute force attack against an AES-256 key could take much longer than against an AES-128 key. However, don't throw 128-bit keys out yet! A 128-bit key is secure against all known attacks by modern technology. Consider the Bitcoin network – the largest modern distributed cluster of computational power for cryptography. The Bitcoin network performs approximately 2^67 operations per second. Each of these operations is roughly as hard as one guess in a brute force attack, and even then, it would take the Bitcoin network over 70,000,000,000,000,000,000,000,000 years to crack a single AES-128 key! So yes, your 128-bit AES key is just fine!
The Quantum Computing Threat
The threat of quantum computing to cryptography has been hitting the headlines a lot recently! Quantum computers work very differently than the computers you're used to using, and quantum algorithms are much more efficient at finding keys.
A quantum computer completely destroys the security of asymmetric encryption algorithms like RSA, which it is well suited to attacking. But recall that AES is a symmetric algorithm, and attacks like Grover’s algorithm – the most widely used algorithm for attacking symmetric schemes – only weaken them. Grover’s algorithm can decrease the effective key length of a symmetric encryption algorithm by about half. That means that AES-128 has an effective key length of 2^64 bits and AES-256 has an effective key length of 2^128 bits.
This may seem like a significant breakthrough, but it does NOT break either algorithm. With the right quantum computer, AES-128 would take about 2.61*10^12 years to crack (2,610,000,000,000 years!), and AES-256 would take 2.29*10^32 years. For reference, the universe is currently about 1.38×10^10 years old, so using a quantum computer to crack AES-128 would take 200x more time than the universe has existed! It's not going to happen - YET.
Let's consider that your attacker has a quantum computer with capabilities beyond current technology. Cracking your AES-128 key would take almost 3,000 qubits and AES-256 would require almost 7,000. As of 2020, the largest quantum computer in the world had 65 qubits with a stated goal of 1,000 by 2023. So you still have some time. Given the rate of technological advancement, perhaps not a lot of time, but you have a few good years ahead of you.
128 and 256-Bit Algorithms Under the Hood
Brute force attacks against a secret key are the best potential attack against a secure algorithm, with guaranteed eventual success. What if the algorithm itself had a vulnerability at its core that could be exploited?
AES is made up of two parts: the encryption algorithm (doing the actual encryption) and the key schedule (which converts the secret stuff into round keys of predetermined size). The security of both of these matters to the overall security of AES.
The Encryption Algorithm
AES-128 and AES-256 use the same encryption algorithm at its core with very minor differences. The encryption algorithm uses a set of mathematical operations and does them a predetermined number of times or “rounds” on the data. The only major difference between AES-128 and AES-256 encryption algorithms is the number of these rounds. AES-128 uses 10 rounds and AES-256 uses 14. More is better right? Kinda-sorta-maybe-not-really.
At its core, this means that any attack on the core AES algorithm would likely affect both AES-128 and AES-256. However, for such an attack to be effective it would have to work up to a certain number of rounds. For example, if an attack was effective only up to 10 rounds and not 14, then clearly AES-128 would be the loser and AES-256 the winner. No such attacks are currently publicly known for AES. Not to say that the folks at Ft. Meade don't know something we don't...
Key Schedule
The key schedule is where AES-128 and AES-256 become vastly different. The key schedule in AES-128 turns a 128-bit secret key into ten 128-bit round keys, while the key schedule for AES-256 transforms a single 256-bit secret key into fourteen 128-bit round keys. Well that's interesting...
Now hold on to your chair: the AES-128 key schedule is actually more secure. You read that right. The AES-256 key schedule has known vulnerabilities that make it less secure. This means that attackers can currently perform related-key attacks against AES-256!
However, a key attack might never happen in the real world. It is improbable (but not impossible) for an attacker to:
- Convince the key owner to provide their existing private key
- Create three other keys based on this private key
- Encrypt 2^99 blocks of known data with these three other keys
So even if the attack was feasible, the risk can be mitigated by simply using good key handling practices. A truly random key is never vulnerable to related-key attacks because it has no other related keys. But poor practices sometimes infect organizations.
Even though the attack is not feasible, some well-known cryptographers say to use AES-128 over AES-256. If you have a simpler, faster algorithm with a stronger key schedule, why use the more complex and slower one? "A bigger number is not always better..."
What do you choose? AES-128 or AES-256
Both 128-bit and 256-bit AES have their upsides and downsides. AES-128 is much faster and more efficient and less likely to be cracked (a stronger key schedule certainly helps). But AES-256 is more resistant to brute force threats, and is only weak against the related key attack outlined above (which should really never happen if you're careful with your keys).
Since both 128-bit and 256-bit AES are secure against modern threats and those of the near future, the choice between them isn't a pressing security concern. The bottom line is that AES-128 provides more than enough security and is faster and more efficient, but readers who want the extra security provided by greater key sizes and more rounds can choose AES-256.