# Will AES-256 be publicly broken by 2040?

## Question description

AES-256 is a widely-implemented specification for a symmetric block cipher algorithm for encrypting digital data. It is the strongest version of the Rijndael algorithm underlying the AES specification with 14 rounds of transformation and a 256 bit key size. The key size of 256 bits appears to render a brute-force search of the keyspace infeasible on foreseeable classical and quantum computers--the latter still must search an effective keyspace of 128 bits (see Grover's algorithm). The best publicly known attack on AES-256 requires the search of a keyspace slightly greater than 254 bits, which is infeasible. This keyspace is so large that a brute force search would be energy-constrained on a solar-system scale even with unlimited computing power at the physical limits of efficiency.

There is some consideration that mathematical and / or cryptoanalytic advances may enable new attacks on AES-256 that could make key recovery computationally feasible. Public, and presumably private, cryptanalysis of AES-256 is ongoing so it is plausible that by some means a practical break could become public knowledge by 2040. Advances in AI before the resolution date may plausibly speed up the rate of relevant mathematical and crytoanalytic discoveries.

## Indicators

Indicator | Value |
---|---|

Stars | ★★★☆☆ |

Platform | Metaculus |

Number of forecasts | 254 |

## Capture

AES-256 is a widely-implemented specification for a symmetric block cipher algorithm for encrypting digital data. It is the strongest version of the Rijndael algorithm underlying the AES specification with 14 rounds of transformation and a 256 bit...

## Embed

<iframe src="https://https://metaforecast.org/questions/embed/metaculus-6356" height="600" width="600" frameborder="0" />