In our first article, we saw why it’s impossible to brute-force crack AES-256 encryption with today’s computing power.
But we all know that computers get faster every year… so will there be a point where computers will be fast enough to crack AES-256?
It’s a fascinating question, so let’s look at it in more detail.
What about Moore’s law?
Moore’s law, in various forms, states that the number of transistors in a dense integrated circuit doubles approximately every two years. This sometimes get expressed that chip performance doubles every 18 months – a combination of more transistors and faster transistors. Moore’s law was proposed in 1965, and has held true for 50 years.
However, leading academics and engineers currently believe that Moore’s law will only apply until roughly 2021, due to a physical limit of the minimum width of logic gates before the effects of quantum tunnelling becomes a problem. If you’re interested, refer to these resources on Wikipedia and YouTube.
So with current technology, Moore’s law is predicted to slow down within 1 decade. Even the law’s inventor, Graham Moore, agreed in a 2015 interview that “someday it has to stop”.
But let’s say that future generations of engineers somehow find a way to continue improving performance in the same exponential way as in the last 50 years. We can then extrapolate our calculations to see when future computers will be able to brute-force AES-256.
In these calculations, we ask – at what year in the future, will a particular computer be able to brute-force AES-256 in under 1 year?
If you had all the 2 billion computers on earth, and they were upgraded to the latest capabilities as predicted by Moore’s law, then the first year when collectively all computers can crack AES-256 in under 1 year is 2276. The world’s fastest super computer will follow suit in the year 2293, and the first year when a single PC can crack AES-256 is the year 2323.
| Computing power | Assuming Moore’s Law, the earliest that AES-256 can be brute-force attacked in under a year |
|---|---|
| High-end PC | 2323 |
| Fastest supercomputer | 2293 |
| 2 billion high-end PCs | 2276 |
So even if Moore’s Law continues for another 250 years, your data will still be safe against the fastest supercomputer built available at the time.
How will quantum computers affect the security of AES encryption?
It’s known that quantum computers pose a serious threat to cryptography and several different types of encryption – RSA and elliptic curve cryptography as examples. Although a quantum computer of sufficient power has not yet been built, the science and physics behind quantum computers enables us to know with mathematical certainty that these computers will break those forms of encryption. It’s estimated that such a computer capable of cracking RSA-2048 will be available by 2029, but will consume so much energy it will need a nuclear power plant all to itself.
Therefore, many companies are transitioning to post-quantum cryptography – using only techniques that will still be secure well into the future. For example, the cryptographic techniques chosen in ScramBox were carefully selected to ensure quantum resistance – for security well into the future.
It is known that using Grover’s algorithm to attack a symmetric cipher such as AES, the best security a key of length n can offer is 2n/2 so AES-256 only offers 2128 post quantum security. In other words, AES-256 in a post-quantum world will offer the same security as AES-128 in the current “classical” world.
To illustrate what this means, we can analyse the security of AES-128 on current classical computers.
If we repeat all the calculations that we described in the first article of this series, the average time it would take to brute force AES-128 on different hardware is:
| Hardware | Average time to brute-force AES-128 on today’s hardware |
|---|---|
| Single High-end PC | 80,338,847,075,077,281,003,416 years 80,338 million trillion years |
| World’s fastest supercomputer | 80,338,847,075,077,281 years 80,338 trillion years |
| 2 billion PCs | 40,169,423,537,538 years 40 trillion years |
| Comparison – life of the universe | 15,000,000,000 years 15 billion years |
Clearly, this explains why the world’s cryptography experts believe that AES-256 is secure, even against the quantum computing threat.
What about Quantum computers and Moore’s Law working together?
What if every computer became a quantum computer? And the world’s fastest supercomputer became an equivalently powerful quantum supercomputer? And if Moore’s Law still holds for these new technologies?
Then this would be the revised situation:
| Computing power | Earliest that AES-256 (reduced to the classical security of AES-128) can be brute-force quantum attacked on average in under a year |
|---|---|
| High-end quantum PC | 2131 |
| Fastest quantum supercomputer | 2101 |
| 2 billion high-end quantum PCs | 2084 |
Once again, we reiterate that these to be hypothetical situations that assume that scientists will overcome many known and unknown challenges to continue the advancement of computing technology. These can be regarded as worst-case situations for security of AES encryption.
Conclusions
Let’s wrap up the discussions in this article and draw some conclusions.
- Even if Moore’s Law continued into the future for hundreds of years (of which Graham Moore himself was disbelieving), and scientists overcame the hard limitations of quantum tunnelling, it would be centuries before AES-256 was vulnerable.
- Even if a quantum computer were built that would be powerful enough to attack AES-256, it would only reduce the security to 128 bits, and would still not perform exhaustive search in a practical timeframe.
- Combining both Moore’s Law and quantum attack, a quantum supercomputer wouldn’t be able to crack AES-256 for decades, but it might come close by 2101.
Given that none of us have a crystal ball, it’s obviously impossible to predict how long AES-256 will remain safe – whether it’s 100 years, or 100 trillion years.
So let’s put it in perspective.
Under this set of assumptions, data encrypted with AES-256 will still be safe for longer than classified information remains secret. In the UK, there is a 30 year rule, whereas in the USA, most classified information (barring some narrow exceptions) becomes declassified after 25 years.
AES-256 still remains the best defense we have against hacking, eavesdropping and cybercrime.
In our next part of this article series, we’ll examine if there are any other weaknesses in AES that could affect its security.