AES-256 joins the quantum resistance

The cybersecurity and quantum technology sectors are still waiting for the National Institute of Standards and Technology to unveil its final list of post-quantum security algorithms, encryption schemes designed to be resistant to attacks from quantum computers. (Many people in those sectors expected an announcement in late April, but as of this writing it hasn’t happened.)

The new algorithms from NIST will eventually arrive, and many technology companies are lined up to help organizations migrate their systems and devices from current encryption, such as RSA and elliptic curve cryptography, to NIST’s post-quantum cryptography (PQC) solutions.

In the meantime, there is at least one existing encryption scheme that is believed, at least for now, to be quantum-resistant: Advanced Encryption Standard-256 (AES-256).

Tim Barnett, chief information officer at Bluefin, an enabler of payment security, told Fierce Electronics via email, “AES-256 specifically is believed to be quantum-resistant. According to Grover’s Algorithm [a powerful quantum search algorithm], a brute-force attack time can be reduced to its square root. But if this time is still sufficiently large, it becomes impractical to use as an attack vector. For AES-128 this is 2^64 (not safe enough), but AES-256 is 2^128 which yields too many brute force iterations. Hence, it is considered post-quantum computing resistant.”

A 2019 Kryptera research paper estimated that a quantum computer with more than 6,600 logical, error-corrected qubits would be required to break AES-256 encryption. That many logical qubits would require a quantum computing system of millions of physical qubits. For comparison’s sake, IBM, among the leading quantum computing companies, is expected to reach 1,121 qubits next year, in 2023.

Quantum computing is evolving quickly. Creating qubits, and achieving error-corrected ones, is getting easier every day, but for now AES-256 appears to provide some resistance against quantum attacks.

AES-256 is the larger-key sibling (a 256-bit key rather than a 128-bit one) of the more commonly used AES-128 encryption standard. It is a symmetric encryption scheme, meaning a single secret key is shared by both parties and must be protected by each of them, whereas asymmetric schemes like RSA (Rivest–Shamir–Adleman, named for its creators) use a public key that anyone can use to encrypt messages and a private key, held by the recipient, for decryption.

According to Bluefin, adoption of AES-256 has been relatively slow even at a time when cybersecurity attacks continue to increase in frequency and variation, and as quantum computers are emerging as a potential threat. But the company believes the practicality and resource-efficiency of AES-256 will offer value for years to come.

“The most common application for RSA is on the web where a browser and a web server establish bidirectional data protection,” Barnett said. “The AES algorithm supports key sizes of 128, 192, and 256. The AES algorithm is extremely fast, offers very strong data protection, and does not require a lot of memory or CPU to encrypt the data it is protecting. RSA on the other hand has key sizes of 1024, 2048, 3072, 7600. Unfortunately, the algorithm is relatively slow. It also requires many more computational resources to decrypt data. And with larger key sizes, which provide greater protection, the resource need grows exponentially. It becomes impractical to use.”

He added, “Because of the strength and performance of AES vs. RSA, AES is normally used to protect data and communications. It’s faster, provides greater data protection and requires lower resources. Conversely, RSA does not require the two parties to securely share a secret key before sending encrypted messages. This makes it possible to communicate with anyone if you have their public key.”

Barnett acknowledged that the arrival of NIST PQC algorithms will add more technology schemes to the acronym soup of cybersecurity solutions, but that they will be very necessary in the future.

“The entire art of cryptography is terribly complex already,” he said. “Domain expertise in applied cryptography is a unique skill set likely not understood by most people. But the important part is coming up with PQC solutions that can be standardized and applied commercially.”

He added, “There will likely be numerous methods adopted as part of NIST-approved standards. Some methods will be adopted industry-wide as commercial standards. And these standards will materialize in web browsers, web servers, encryption appliances, and point-to-point encryption protocols. Companies should adopt these new standards, and their commercial availability as soon as possible. It is only a matter of time until quantum computing is here, and businesses and their infosec teams should plan accordingly.”