AES-128 quantum safety is uncertain.
How AES-128 Works
AES-128 and AES-256 are the same algorithm: symmetric block ciphers on 128-bit blocks, built from the same substitution-permutation network (SubBytes, ShiftRows, MixColumns, AddRoundKey). They differ only in the key schedule and the number of rounds. A 128-bit (16-byte) key gives 10 rounds and a 256-bit key 14 (FIPS-197 fixes the round count at Nr = Nk + 6, where Nk is the key length in 32-bit words). Those four extra rounds make AES-256 about 40% more work per block, so AES-128 is faster (typically 20-40% higher throughput, the gap narrowing with hardware acceleration such as AES-NI) and its expanded key is smaller (176 bytes versus 240), which is why it is popular in resource-constrained environments such as embedded systems and mobile devices.
AES-128 was standardized by NIST in 2001 (FIPS-197) and is the default in much of the stack: WPA2 and WPA3-Personal Wi-Fi use AES-128 (CCMP-128); TLS 1.3's single mandatory-to-implement suite is TLS_AES_128_GCM_SHA256 (RFC 8446); BitLocker and FileVault default to XTS-AES-128, and dm-crypt/LUKS volumes often use it depending on the key size chosen at creation; IPsec and OpenVPN commonly negotiate it. WireGuard is the exception often miscounted here: it does not use AES at all, only ChaCha20-Poly1305 with a 256-bit key.
Classically, AES-128 offers 128 bits of security: exhaustive key search needs on the order of 2^128 AES evaluations (about 3.4 x 10^38, or 340 undecillion), which is infeasible for any foreseeable classical computer, and no published classical attack does meaningfully better than brute force against the full 10-round cipher.
Quantum Vulnerability Explained
Grover's algorithm searches an unstructured space of N candidates in about (pi/4) * sqrt(N) oracle queries instead of the classical N/2, so for a 2^128 key space it needs roughly 2^64 quantum evaluations of AES (about 1.8 x 10^19, or 18.4 quintillion). This is the figure behind the rule of thumb that a quantum adversary halves a symmetric cipher's security in bits. Whether 64 bits is too little depends on who draws the line: NIST's post-quantum security categories use AES-128 key search as their lowest bar (category 1), whereas NSA's CNSA 2.0 requires AES-256 for national security systems outright.
The 2^64 figure is also easy to misread. It counts sequential Grover iterations, each of which runs a full reversible AES circuit under error correction; it is not 2^64 independent trials that can be spread across hardware the way classical brute force can. Grover parallelizes only with a square-root gain: splitting the key space across 2^m machines cuts each machine's sequential work to about 2^((128-m)/2) while raising the total work to about 2^((128+m)/2) (with 2^20 machines, still about 2^54 serial steps each and about 2^74 in total). Published resource estimates for Grover against AES-128 need a few thousand logical qubits but a circuit depth far beyond what any announced hardware can sustain, so the concern is long-lived data and unpredictable future advances rather than a near-term break.
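To make the 2^64 figure and the parallelization caveat concrete, here is an added example (not code from the original page) that runs an exact state-vector simulation of Grover's search on a toy key space and does the bit accounting for AES-128. The "oracle" simply phase-flips the one index that stands in for the correct key, which is the role a reversible AES circuit (checking a candidate key against a known plaintext/ciphertext pair) plays in the real attack. The function names, the 10-bit toy space and the chosen key index are assumptions of this example.

```python
# Grover's search on a toy key space and the cost accounting for AES-128.
# Added example for this article, not code from the original page. The
# state-vector simulation needs 2^n amplitudes, so it only runs for tiny n;
# the accounting functions do the arithmetic for the real 128-bit case.
import math

def grover_iterations(n_bits):
    """Optimal iteration count floor(pi/4 * sqrt(N)) for a key space of N = 2^n_bits."""
    return math.floor(math.pi / 4 * math.sqrt(2 ** n_bits))

def classical_expected_trials(n_bits):
    """Expected classical brute-force cost: half the key space."""
    return 2 ** (n_bits - 1)

def simulate_grover(n_bits, correct_key, iterations=None):
    """Exact simulation of Grover search for a single marked item.

    The oracle phase-flips the amplitude of `correct_key`, standing in for a
    reversible AES circuit that recognises the right key. Returns
    (iterations run, most likely measurement outcome, its probability).
    """
    n = 1 << n_bits
    if not 0 <= correct_key < n:
        raise ValueError("key outside the search space")
    k = grover_iterations(n_bits) if iterations is None else iterations
    amp = [1.0 / math.sqrt(n)] * n            # uniform superposition over all keys
    for _ in range(k):
        amp[correct_key] = -amp[correct_key]  # oracle: mark the right key
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]   # diffusion: reflect every amplitude about the mean
    best = max(range(n), key=lambda i: amp[i] * amp[i])
    return k, best, amp[best] * amp[best]

def grover_cost_bits(key_bits, machines_bits=0):
    """log2 of (sequential Grover steps per machine, total work) when the key
    space is split across 2**machines_bits machines. Grover gains only sqrt(m)
    from m-way parallelism, so depth falls slowly while total work rises."""
    depth = (key_bits - machines_bits) / 2
    return depth, machines_bits + depth

if __name__ == "__main__":
    k, found, p = simulate_grover(10, 777)
    print(f"10-bit toy key space: {k} Grover iterations, found key {found} with p={p:.4f}")
    print(f"classical expectation for 10 bits: {classical_expected_trials(10)} trials")
    print(f"AES-128: {grover_iterations(128):.3e} sequential Grover iterations (about 2^64)")
    for m in (0, 20, 40):
        d, t = grover_cost_bits(128, m)
        print(f"  2^{m} machines: 2^{d:.0f} serial steps each, 2^{t:.0f} total work")
```

The toy run finds the marked key after 25 iterations with probability above 0.999, against an expected 512 classical trials; the accounting lines show why "2^64" understates the engineering problem, since the serial depth per machine only shrinks by half the exponent you throw at it in machines.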
NSA's CNSA 2.0 lists AES-256 as the only approved symmetric cipher for national security systems, at every classification level; AES-128 is not on the list. NIST, by contrast, has not deprecated AES-128 and continues to treat AES-128 key search as the baseline for its lowest post-quantum security category. The practical reading of both positions is the same: AES-128 is not broken, but for data that must stay confidential past 2030-2040 it leaves less margin than AES-256 against advances that cannot be predicted today.
Migration Path
Upgrade from AES-128 to AES-256 where data has a long confidentiality lifetime. For most products this is a configuration change, not a protocol replacement. One caveat before touching any cipher list: for data in transit, the symmetric cipher is the lesser quantum problem. If session keys are still agreed with classical (EC)DHE or RSA, Shor's algorithm on a future quantum computer recovers them outright, and AES-256 then protects nothing against a harvest-now-decrypt-later adversary. Pair the cipher upgrade with a post-quantum or hybrid key exchange (for example ML-KEM hybrids in TLS) as soon as your stack supports one.
- TLS cipher suites: Reorder web server and load balancer preference lists so AES-256-GCM (and ChaCha20-Poly1305, also a 256-bit key) rank above AES-128-GCM, and make the server enforce its own order (nginx: ssl_prefer_server_ciphers on). For TLS 1.3 that means preferring TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256; in OpenSSL-based servers the TLS 1.3 list is the separate Ciphersuites setting (nginx: ssl_conf_command Ciphersuites ...), not the TLS 1.2 ssl_ciphers string, and it is easy to fix one and forget the other.
- VPN configurations: Set IPsec proposals to AES-256-GCM (or AES-256-CBC with a separate integrity algorithm) and OpenVPN to --data-ciphers AES-256-GCM:CHACHA20-POLY1305. WireGuard needs no change and offers none: it is fixed at ChaCha20-Poly1305 with a 256-bit key.
- Disk encryption: Use XTS-AES-256 where the product exposes a choice. XTS needs two AES keys, so XTS-AES-256 is a 512-bit key: for LUKS that is cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512, for BitLocker the XTS-AES 256-bit option of the encryption method policy. FileVault does not expose a cipher setting. Existing volumes are not upgraded by changing a policy; they must be re-encrypted (for LUKS2, cryptsetup reencrypt).
- Wi-Fi: WPA2 and WPA3-Personal are fixed at CCMP-128. Only WPA3-Enterprise 192-bit mode uses GCMP-256 (part of its Suite B profile), and every access point and supplicant on the network must support it.
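The TLS item is the change most teams make first, and the one most often done only half-way (TLS 1.2 list fixed, TLS 1.3 list forgotten). The following added example (not code from the original page or from nginx) lints nginx cipher directives for AES-128 ranked ahead of AES-256 and for the two directives being out of step. The two config fragments are constructed for the demo, and the key-length inference from suite names is best-effort. It says nothing about the key exchange, which is the separate and larger quantum problem.

```python
# Lint nginx TLS cipher preferences for AES-128 ranked ahead of AES-256.
# Added example for this article, not code from the original page or from
# nginx. The two config fragments below are constructed for the demo.
import re

def symmetric_key_bits(suite):
    """Best-effort symmetric key length from a suite name.
    Understands IANA TLS 1.3 names (TLS_AES_128_GCM_SHA256) and OpenSSL TLS 1.2
    names (ECDHE-RSA-AES128-GCM-SHA256); returns None for aliases like HIGH."""
    name = suite.upper()
    if "CHACHA20" in name:
        return 256
    m = re.search(r"AES[-_]?(128|192|256)", name)
    if m:
        return int(m.group(1))
    if "3DES" in name or "DES-CBC3" in name:
        return 112
    return None

def parse_suites(value):
    """Split an OpenSSL/nginx cipher string; drop !/-/+/@ control tokens."""
    return [t for t in re.split(r"[:,\s]+", value.strip())
            if t and t[0] not in "!-+@"]

def audit_suite_list(value, minimum_bits=256):
    """Findings for one preference list: weak suites ranked before any strong
    suite are the real problem; weak fallbacks are reported separately."""
    suites = parse_suites(value)
    first_strong = next((i for i, s in enumerate(suites)
                         if (symmetric_key_bits(s) or 0) >= minimum_bits), None)
    findings = []
    for i, s in enumerate(suites):
        bits = symmetric_key_bits(s)
        if bits is None:
            findings.append(f"{s}: alias or unknown suite, expand and check manually")
        elif bits < minimum_bits:
            if first_strong is None or i < first_strong:
                findings.append(f"{s}: {bits}-bit key ranked ahead of every {minimum_bits}-bit suite")
            else:
                findings.append(f"{s}: {bits}-bit key still offered as a fallback")
    return findings

_DIRECTIVES = {
    # TLS 1.2 list and the separate TLS 1.3 list (OpenSSL 1.1.1+, nginx 1.19.4+)
    "ssl_ciphers": re.compile(r'^\s*ssl_ciphers\s+"?([^";]+?)"?\s*;', re.M),
    "ssl_conf_command Ciphersuites": re.compile(
        r'^\s*ssl_conf_command\s+Ciphersuites\s+"?([^";]+?)"?\s*;', re.M),
}

def audit_nginx(config_text):
    """Map each cipher directive found in the config to its findings."""
    return {name: audit_suite_list(m.group(1))
            for name, rx in _DIRECTIVES.items()
            for m in rx.finditer(config_text)}

# Constructed sample configs: the weak ordering and the corrected one.
WEAK = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
ssl_prefer_server_ciphers on;
"""
HARDENED = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305";
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_prefer_server_ciphers on;
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for directive, findings in audit_nginx(cfg).items():
            print(f"{directive}: {'OK' if not findings else ''}")
            for f in findings:
                print("  -", f)
```

Point it at a real nginx.conf by reading the file into `audit_nginx`; the distinction between "ranked ahead" and "fallback" matters because a 128-bit fallback is harmless when the server enforces its own order and every modern client supports the 256-bit suites, whereas a 128-bit suite at the head of the list is what actually gets negotiated.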
Industries at Risk
Healthcare organizations retain records for decades: HIPAA's own minimum is six years for covered documentation, but state medical-record laws and the patient's lifetime routinely push effective retention far beyond that. Records encrypted with AES-128 today may fall below the accepted security margin while they are still confidential. Electronic health record (EHR) systems should standardize on AES-256.
Financial services protecting trading algorithms, customer financial data and compliance records (seven years or more under SOX and SEC rules) should avoid AES-128 for anything with a multi-decade confidentiality requirement. PCI DSS currently accepts AES-128 as strong cryptography, but a 2^64 quantum margin may be thin for card data captured in 2025-2026 and retained through 2034-2035.
Government and defense systems fall under NSA CNSA 2.0, which approves only AES-256 for national security systems at every classification level; AES-128 is not an option there.
Enterprise data backup and archival systems often use AES-128 for encryption-at-rest due to performance advantages. Organizations with multi-decade data retention policies (legal holds, compliance archives, long-term research data) should upgrade to AES-256 to ensure adequate security margins.
Timeline
- 2025-2026: AES-128 is classically secure and acceptable for short-term data protection (1-10 years). For long-term protection (20+ years), AES-256 is recommended.
- 2030: CNSA 2.0 transition deadlines take effect for most classes of national security equipment. AES-256 has been the only approved symmetric cipher for those systems since the original CNSA suite; AES-128 is not approved for classified data.
- 2035-2040: If quantum hardware matures as the optimistic forecasts expect, a 2^64 quantum margin starts to look marginal and AES-128 is likely to be phased out of high-security applications.
- 2040+: AES-128 may be deprecated for general use, depending on quantum computing advances.
Organizations should adopt AES-256 as the default symmetric cipher for new deployments, pair it with a post-quantum key exchange wherever keys are negotiated over a network, and reserve AES-128 for low-sensitivity, short-lived data where performance constraints are critical.