> AES256 could be broken tomorrow, or maybe it has already been.
This is extremely unlikely.
> What we know is that, extrapolating compute speed from the past decades and even assuming quantum computers become useable in practice, the best algorithms we currently have cannot be brute-forced within the next 50 years.
Quantum computers only offer a quadratic speedup against symmetric ciphers.
AES 256 will survive much longer than the next 50 years against brute force attacks.
It will either be broken spectacularly, using theoretical methods entirely inconceivable today, or live on – brute force is of no concern at all due to the amounts of energy and matter required to perform it against 256 bit keys.
AES-256 was broken in 2011.[1] While only four times faster than brute force and thus not a practical attack, it suggests that compromise is possible. The Snowden documents indicated that the NSA was working on breaking AES-256. It seems unlikely they would waste effort on a task they considered impossible. Whatever they achieve will be achievable by others eventually.
On top of that, no implementation is perfect. Bugs are discovered in cryptographic APIs on a regular basis. Even if your API is perfect, the application calling the API can have bugs that allow compromise.
>>AES 256 will survive much longer than the next 50 years against brute force attacks.
From what I understand it simply can't be broken by brute force because simply iterating through every possible value of a 256-bit key would require more energy than there is in the universe, and that's without actually trying any of the combinations, just simply having a computer do an i++ through all possible values.
I'm not sure if quantum computing helps here in any way; someone else would need to chime in here with details.
> iterating through every possible value of a 256 bit key
It's my understanding that when encryption gets "broken", it usually refers to something other than a simple brute force attack. Like, something that would make it so you don't need to run as many iterations or whatever.
I assume this because a brute force attack is something that is always possible from day 1, whereas an encryption scheme being broken is something that happens some time afterwards.
My understanding is that encryption is "broken" any time it becomes feasible for someone to decrypt your data without the key. Brute force attacks are always hypothetically possible, but the encryption isn't broken unless such an attack is feasible.
As a counter-example, DES would count as "unbroken" under your definition. The EFF built a machine in 1998 for under $250,000 that could crack a DES key in under 24 hours. I don't know what that would cost today, but I wouldn't be surprised if a couple GPUs could get you the same thing today.
The difference is whether such an attack has even a vanishing chance of succeeding. For AES, the hardware just isn't anywhere close to that. Afaik, there isn't anything that could even hypothetically threaten to make brute force attacks on AES feasible on the table today.
I think you're mixing "weak" and "broken". Out of interest I looked at the Known attacks section of Wikipedia's AES article and it says as the first sentence "For cryptographers, a cryptographic "break" is anything faster than a brute-force attack".
DES is both weak and broken, but it could be either without the other.
> I'm not sure if quantum computing helps here in any way
Theoretically a quantum computer can brute-force AES-256 using 2^128 sequential steps using Grover's algorithm (i.e. a quadratic advantage over a classical computer). Parallelization diminishes the advantage, e.g. if you're limited to 2^64 sequential steps, you get a 2^64 speedup over classical, for a cost of 2^192 which is still ridiculously large.
Thus quantum computing is not a relevant threat for AES-256 or most other 256-bit symmetric crypto.
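The parallelization cost in the comment above can be checked with a short calculation. The following is an added example, not code from the thread or from any commenter: it models Grover's search over a 2^k keyspace as needing about 2^(k/2) sequential oracle queries, and when the sequential budget is capped at 2^s steps, splits the keyspace across enough parallel instances that each finishes in time. All quantities are returned as base-2 exponents, and the function name `grover_cost_log2` and the simple cost model (total work = instances × steps per instance, ignoring constant factors and error correction) are this example's own assumptions.

```python
"""Cost of Grover-based brute force on a k-bit symmetric key under a sequential-depth cap.

Model (assumption of this example, matching the comment's numbers):
  - One Grover instance over N = 2^k keys needs ~sqrt(N) = 2^(k/2) sequential steps.
  - With a cap of 2^s sequential steps (s < k/2), each instance can only cover
    2^(2s) keys, so the keyspace is split across p = 2^(k - 2s) instances.
  - Total work = p * 2^s = 2^(k - s); classical brute force is 2^k,
    so the speedup over classical is 2^s.
"""


def grover_cost_log2(key_bits: int, max_sequential_log2: int) -> tuple[int, int, int]:
    """Return (log2 instances, log2 total work, log2 speedup vs classical brute force).

    key_bits: symmetric key length k (e.g. 256 for AES-256); must be even.
    max_sequential_log2: s, the cap on sequential steps expressed as log2.
    """
    if key_bits % 2 != 0:
        raise ValueError("key_bits must be even for an exact integer sqrt")
    if max_sequential_log2 < 0:
        raise ValueError("sequential budget exponent must be non-negative")

    full_grover_steps = key_bits // 2  # log2 of sqrt(2^k)

    if max_sequential_log2 >= full_grover_steps:
        # Budget allows a single unconstrained Grover run: cost 2^(k/2).
        instances = 0
        total_work = full_grover_steps
    else:
        # Each instance covers 2^(2s) keys in 2^s steps; need 2^(k-2s) of them.
        instances = key_bits - 2 * max_sequential_log2
        total_work = instances + max_sequential_log2  # = k - s

    speedup = key_bits - total_work  # log2(2^k / total_work)
    return instances, total_work, speedup


def describe(key_bits: int, max_sequential_log2: int) -> str:
    inst, work, speed = grover_cost_log2(key_bits, max_sequential_log2)
    return (f"AES-{key_bits}, sequential cap 2^{max_sequential_log2}: "
            f"2^{inst} instances, total work 2^{work}, speedup 2^{speed} over classical")


if __name__ == "__main__":
    # The comment's case: 2^64 sequential steps -> 2^128 instances, 2^192 total, 2^64 speedup.
    print(describe(256, 64))
    # Unconstrained Grover: 2^128 total, the full quadratic advantage.
    print(describe(256, 128))
    # A cap of a single step per instance degenerates to classical exhaustive search.
    print(describe(256, 0))
    # For comparison, a 128-bit key with the same 2^64 cap.
    print(describe(128, 64))
```

Even the unconstrained 2^128 figure assumes a fault-tolerant quantum computer running 2^128 sequential AES evaluations, which is why the comment treats quantum brute force as irrelevant for 256-bit symmetric keys.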