When discussing symmetric encryption algorithms - like the Advanced Encryption Standard (AES) - you may have been considering using AES-128 or AES-256. The last three digits represent the length of the secret key – think of it like the number of teeth in a physical key. From a security perspective, a 256-bit secret key is obviously better, but does it really matter which of the two options you choose? This article walks through some of the main security considerations for AES-128 and AES-256.
Brute Force Attack Protection
A brute force key guessing attack is where an attacker tries each potential secret key until the right one is found. This attack is guaranteed to succeed (eventually) and (ideally) should be the fastest way to break an encryption algorithm.
When discussing brute force attack protection, understanding just what different key lengths mean is essential. With the impending arrival of quantum computing, it is also good to know how they will impact cryptographic security. Are the current forms of AES strong enough?
The Difference in Key Length
The main difference between 128 and 256-bit encryption algorithms is the length of the secret key that they use. The 128 and 256 in AES-128 and AES-256 mean that the two algorithms use 128-bit and 256-bit keys respectively.
The longer the secret key, the harder it is for an attacker to guess via brute force attack. However, AES-256 is not just twice as strong as AES-128.
With 128 and 256-bit secret keys, AES-128 and AES-256 have 2^128 and 2^256 potential secret keys respectively. With binary keys, each bit added to the key length doubles the key space. This means that AES-256 has 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 times as many keys as AES-128.
As a result, a brute force attack against an AES-256 key is much harder than against an AES-128 key. However, even a 128-bit key is secure against attack by modern technology. At its peak, the Bitcoin network - arguably the largest modern use of computational power for cryptography - performed approximately 150*10^18≈2^67 operations per second. Assuming that these operations are of equal difficulty to a brute force attack, it would take the Bitcoin network over 70,000,000,000,000,000,000,000,000 years to crack a single AES-128 key.
Resistance to Quantum Computing
The threat of quantum computing to cryptography has been well-publicized. Quantum computers work very differently than classical ones, and quantum algorithms can make attacks against cryptography much more efficient.
In the case of asymmetric encryption algorithms (like RSA), quantum computing completely breaks them. However, for symmetric algorithms like AES, Grover’s algorithm - the best known algorithm for attacking these encryption algorithms - only weakens them. Grover’s algorithm decreases the effective key length of a symmetric encryption algorithm by half, so AES-128 has an effective key space of 2^64 and AES-256 has an effective key space of 2^128.
However, while this seems significant, it doesn’t break either algorithm. With the right quantum computer, AES-128 would take about 2.61*10^12 years to crack, while AES-256 would take 2.29*10^32 years. For reference, the universe is currently about 1.38*10^10 years old, so cracking AES-128 with a quantum computer would take about 200 times longer than the universe has existed.
This also makes the assumption that an attacker has the “right” quantum computer. Cracking AES-128 would take an estimated 2,953 logical qubits and AES-256 would require 6,681. In 2020, the largest quantum computer had 65 qubits with a goal of hitting 1,000 by 2023.
128 and 256-Bit Algorithms Under the Hood
Brute force attacks against a secret key are the best potential attack against a secure algorithm, but what if the algorithm has a vulnerability?
AES is broken up into two distinct algorithms: the encryption algorithm (which does the actual encryption) and the key schedule (which converts the secret key into round keys). The security of each of these matters to the security of AES.
The Encryption Algorithm
AES-128 and AES-256 use an almost identical encryption algorithm. Each encryption algorithm takes a set of operations and applies them a certain number of times or “rounds”. The only difference between AES encryption algorithms is the number of rounds: AES-128 uses 10 and AES-256 uses 14.
This means that, if an attack against the AES algorithm were discovered, it would likely affect both AES-128 and AES-256. The only difference is if the attack only worked up to a certain number of rounds of AES (which some AES attacks do). If an attack worked for at least ten rounds but fewer than fourteen, then a clear winner exists between AES-128 and AES-256. However, no such attack is currently known for AES.
The Key Schedule
The key schedule is where AES-128 and AES-256 become very different. The AES-128 key schedule is designed to turn a 128-bit secret key into ten 128-bit round keys. The AES-256 key schedule transforms a 256-bit secret key into fourteen 128-bit round keys.
Of the two, the AES-128 key schedule is actually more secure. The AES-256 key schedule has known weaknesses that might make it possible to perform related key attacks against the algorithm.
A related key attack should never happen in real life. For it to occur, an attacker needs to:
- Convince the key owner to take their existing encryption key
- Create three other keys based on this key using relationships known to the attacker
- Encrypt 2^99.5 (that’s eight followed by 29 zeros) blocks of data with these keys
Even if this attack were feasible, it can be avoided simply by using good key generation practices. A truly random key should never be vulnerable to a related key attack because it has no related keys.
Despite the fact that this attack is infeasible to perform, some cryptographers advise – when given a choice between AES-128 and AES-256 with no constraints – using AES-128 over AES-256. If you have a simpler algorithm with a stronger key schedule, why use the more complex one?
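To make the key schedule and related-key discussion above concrete, here is an added example (not code from this article or from any product it mentions) that implements the FIPS 197 key expansion for both key sizes. The function names are illustrative; expand_key returns one round key per round plus the initial key applied before the first round, and round_key_diff_bits shows how a known difference between two keys carries into their round keys.

```python
# Added example, not from the article: AES key expansion (FIPS 197) for 128/256-bit keys.

def _gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """S-box = affine transform of the multiplicative inverse; S(0) = 0x63."""
    box = [0x63]
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _gmul(a, b) == 1)
        box.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2)
                   ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return box

SBOX = _build_sbox()

def expand_key(key):
    """Return the list of 16-byte round keys for a 16- or 32-byte AES key."""
    if len(key) not in (16, 32):
        raise ValueError("expected a 128- or 256-bit key")
    nk = len(key) // 4                      # key length in 32-bit words: 4 or 8
    rounds = nk + 6                         # 10 for AES-128, 14 for AES-256
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                     # every nk words: RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk == 8 and i % nk == 4:       # AES-256 only: extra SubWord mid-block
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - nk], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(rounds + 1)]

def round_key_diff_bits(key_a, key_b):
    """Per-round-key count of differing bits between two keys' schedules."""
    return [sum(bin(x ^ y).count("1") for x, y in zip(ra, rb))
            for ra, rb in zip(expand_key(key_a), expand_key(key_b))]
```

Feeding round_key_diff_bits two keys that differ in a single bit shows the difference staying small and predictable in the first few round keys, which is why keys should be generated independently at random rather than derived from one another.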
Picking Between AES-128 and AES-256
128-bit and 256-bit AES both have their pros and cons. AES-128 is faster and more efficient and less likely to have a full attack developed against it (due to a stronger key schedule). AES-256 is more resistant to brute force attacks and is only weak against related key attacks (which should never happen anyway).
Since both algorithms are secure against modern and anticipated future threats, the choice between them doesn’t really matter from a security perspective. Our best guidance is that AES-128 provides more than adequate security while being faster and more resource-efficient, but readers who want the extra security provided by greater key sizes and more rounds in the algorithm should choose AES-256.
The Ubiq Platform currently supports both AES-256-GCM and AES-128-GCM, so if you’re interested to find out more about how to quickly build data encryption into any application, watch our short demo video.