The de facto creed of the developed world is that “bigger is better.” We need bigger buildings, bigger factories, bigger phones, bigger batteries, more and more and more. Growth is the name of the game and we’ve been growing rapidly over the last few hundred years with more to come. With all this focus on making things bigger, it’s easy to think we know what constitutes “better.” The difference between encryption systems AES-128 and AES-256 really comes down to the numbers––after all, 256 is twice as big as 128, therefore AES-256 is superior, right?
While it turns out that our wisdom has served us well and AES-256 is, in fact, more secure than AES-128, the reasoning is a little more involved than what the numbers initially tell us.
Let me take you on a journey back to math class for a minute. Consider exponents for a moment. We know that 22 is equivalent to 4, as the exponent signifies “two multiplied by itself.” In the same way, 23 equals 8, or “two multiplied by itself twice” and so on. But what does this have to do with encryption? You see, AES encryption works in a similar manner. What AES does is takes whatever data you want encrypted, adds a key, and encrypts (or scrambles) the data so it can only be decrypted with that same key.
Now the number commonly seen beside AES (128 or 256) signifies how many possible combinations there are for that key; in the case of AES-128 that’s 2128 possible combinations. And for AES-256? 2256 possible combinations. That’s a lot––so mind-bogglingly large that for practical purposes, those combinations might as well be infinite. With our math skills we know that AES-256 has 2128 times more possible combinations of keys than AES-128. Mathematically, AES-256 is clearly the superior option.
Here’s some context, though: consider brute-force attacks. In the encryption world, a brute-force attack is just an attempt to find the right key by trying multiple combinations until the right one is inputted. In the Apple v. FBI case this was the crux of the issue, as iPhones are built to allow only ten passcode attempts before locking the user out, keeping in mind that this is out of a combination of up to 10,000 different possible combinations. In the case of AES encryption, however, in order for someone to crack 128-bit encryption through brute force they would have a total of 2128 combinations to try. According to some helpful math by the EE times, using our fastest supercomputer for this task would take it 1 billion billion years. And to crack AES-256 would take 2128 times longer than that. To put that into perspective, that is much longer than our universe has even been in existence.
So for encryption, is bigger really better? The answer is yes, but for all practical purposes data encrypted with AES-128 is secure enough to last against attacks until the end of time. And, since AES-256 is so much larger than AES-128, it requires more computational power to encrypt/decrypt, meaning if speed/performance is a factor then AES-128 will suit your purposes perfectly.
If AES-128 is your only option, rest assured that you’re getting top quality security for your data. Total security requires more than just strong encryption, however. Make sure you practice safe browsing habits, keep your searches private, and make sure you’re using strong passwords.
About Ravi Persaud
I am interested in the intersections between the Internet and the real world; that is, how technology fundamentally shifts personal data and our private lives to become more accessible, effecting our privacy in a digital age.