Newsflash! AES-128 holds up against quantum computers.
Filippo Valsorda walked through the math last week. OK, but we already knew that: NIST treats AES-128 as the Category 1 benchmark by definition, and BSI recommends AES-128. Outside CNSA 2.0, no compliance regime requires moving off AES-128, and CNSA 2.0's AES-256 mandate is about uniform Top Secret protection, not Grover resistance.
Not exactly news after all, I guess. Still, since I have been probing the Internet for a long while now, I can tell you what is actually happening with AES key sizes out there as they relate to post-quantum key exchange.
Hosts that only negotiate AES-128 come in at a respectable 48% PQC adoption. Hosts that only negotiate AES-256 drop off a cliff to 6%. Hosts that accept either one sit at 0%. Some of the hosts without PQC may be cautious operators waiting for validated implementations, but the TLS 1.2-era cipher pinning pattern is visible in the configs.
You would reasonably expect the AES-256 population to do at least as well as AES-128, if not better: someone who specified a stronger symmetric cipher might also have taken the trouble to deploy hybrid key exchange. Well, I'm here to tell you the data says otherwise. The AES-256-only crowd is the worst-prepared for PQ.
The explanation is detailed on the pqprobe blog. The short version: AES-128-GCM in a TLS 1.3 suite is mostly a marker of being behind a CDN, and the CDNs are also where hybrid ML-KEM key exchange has been deployed since 2024. The AES-256-only configs look like older server-side preference lists from the TLS 1.2 era that pinned AES-256 alongside classical key exchange and were never revisited.
Put another way, AES-256-only hosts are legacy: they haven't updated their TLS config in years. They picked AES-256 back when dinosaurs roamed the networks and locked everything else in alongside it: the key exchange, the curve, the signature algorithms. They got the symmetric cipher right and went extinct before anyone pointed out that Shor's algorithm doesn't care about the symmetric cipher; it goes after the key exchange.
If you have AES-256 pinned somewhere in your stack, that is fine on its own. The question is what else got pinned in the same file, because a hybrid group such as X25519MLKEM768 is only negotiated over TLS 1.3, and a config that pins TLS 1.2 and a single classical curve will never offer it. The PQC adoption number I'm probing for that population barely registers. The hosts that fell behind while using AES-256 to be ahead got there by leaving everything else alone.
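To make "what else got pinned in the same file" concrete, here is an added example (not pqprobe's code, and the three configs are constructed, not probe data). It parses nginx-style `ssl_protocols`, `ssl_ciphers`, `ssl_ecdh_curve` and `ssl_conf_command` directives, classifies the AES key-size profile the way the post groups hosts, and flags the TLS 1.2-era pinning that blocks a hybrid key exchange. The hybrid group names follow OpenSSL 3.5 / IETF draft naming, and the TLS 1.3 default suite list is OpenSSL's; both are assumptions about the server's library.

```python
"""Classify a TLS server config by AES key-size profile and report what else
was pinned beside the cipher. Added example with constructed configs; the
directive shapes assume nginx, the group names assume OpenSSL 3.5."""
import re

# Hybrid PQ groups as OpenSSL 3.5 / draft-ietf-tls-ecdhe-mlkem name them.
PQ_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# OpenSSL's default TLS 1.3 suites when Ciphersuites is not pinned.
DEFAULT_TLS13 = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_128_GCM_SHA256"]
# "name value;" lines, nginx style (assumed shape).
DIRECTIVE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_ecdh_curve|ssl_conf_command)\s+(.*?);\s*$", re.M)


def parse_config(text):
    """Pull out protocols, TLS 1.2 cipher list, groups and pinned TLS 1.3 suites."""
    cfg = {"protocols": set(), "ciphers": [], "groups": None, "tls13_suites": None}
    for name, value in DIRECTIVE.findall(text):
        if name == "ssl_protocols":
            cfg["protocols"].update(value.split())
        elif name == "ssl_ciphers":
            # Drop exclusions like !aNULL; keep positive suite names only.
            cfg["ciphers"] = [c for c in value.split(":") if c and not c.startswith("!")]
        elif name == "ssl_ecdh_curve":
            cfg["groups"] = value.split(":")
        elif name == "ssl_conf_command":
            key, _, val = value.partition(" ")
            if key == "Groups":
                cfg["groups"] = val.split(":")
            elif key == "Ciphersuites":
                cfg["tls13_suites"] = val.split(":")
    return cfg


def assess(text):
    """Return the AES profile, the legacy pins found, and whether a hybrid
    group can actually be offered (None = depends on the library default)."""
    cfg = parse_config(text)
    tls13 = "TLSv1.3" in cfg["protocols"]
    suites = list(cfg["ciphers"])
    if tls13:
        suites += cfg["tls13_suites"] if cfg["tls13_suites"] is not None else DEFAULT_TLS13
    sizes = set()
    for s in suites:
        if re.search(r"AES_?128", s):
            sizes.add(128)
        if re.search(r"AES_?256", s):
            sizes.add(256)
    profile = {frozenset({128}): "aes128-only", frozenset({256}): "aes256-only",
               frozenset({128, 256}): "either"}.get(frozenset(sizes), "no-aes")
    pinned = []
    if not tls13:
        pinned.append("tls13_disabled")  # hybrid ML-KEM groups exist only in TLS 1.3
    groups = cfg["groups"]
    if groups is not None and not PQ_GROUPS.intersection(groups):
        pinned.append("groups_pinned_classical")  # e.g. ssl_ecdh_curve secp384r1
    if groups is None:
        pq_ready = None if tls13 else False  # unpinned: library default decides
    else:
        pq_ready = tls13 and bool(PQ_GROUPS.intersection(groups))
    return {"profile": profile, "pinned": pinned, "pq_ready": pq_ready}


# Constructed configs (not probe data).
CONSTRUCTED_CDN_LIKE = """
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256;
    ssl_conf_command Groups X25519MLKEM768:X25519:prime256v1;
"""
CONSTRUCTED_LEGACY_256 = """
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL;
    ssl_ecdh_curve secp384r1;
"""
CONSTRUCTED_MIXED = """
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256;
"""

if __name__ == "__main__":
    for label, cfg in [("cdn-like", CONSTRUCTED_CDN_LIKE),
                       ("legacy-256", CONSTRUCTED_LEGACY_256),
                       ("mixed", CONSTRUCTED_MIXED)]:
        print(label, assess(cfg))
```

The legacy config is the pattern the post describes: AES-256 is fine, but the same file also disables TLS 1.3 and pins a single classical curve, so no hybrid group can ever be negotiated regardless of what the library supports. The mixed config reports `pq_ready` as `None` on purpose: with nothing pinned, the answer depends on the linked OpenSSL's default group list, which is exactly the situation where you should probe rather than read the file.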
Bell bottoms were also forward-looking once. Space age, mod, the future. Then they became the thing you point at to date a photograph.
All the data and methodology are up for your inspection.