How long would it take to brute force an AES-128 key?

Question

How long would it take to crack a AES-128 key using the most advanced technology currently available? The hardware can be anything, be it a high-performance CPU, GPU or even FPGA?

Answer 1

I wrote a similar answer in the past, where the assumption was half the key is known. Since then, the bitcoin hashrate almost tripled (it's used in the estimation, as below). The estimation for half the known key would therefore be $~3.6$ seconds.

But to brute force a $128$ bit key, we get this estimate:

Let's assume we can test as many keys as the current hashrate of the bitcoin network. There special purpose hardware is used and it's for SHA-256, this makes it not directly usable, but it should be close. That means we could test approximately $5 \cdot 10^{18} \approx 2^{62.117}$ encryptions per second. Regarding the type of hardware: For some years now bitcoins are mined mostly with ASICs, which are faster and more efficient than all of those options you listed. That's special purpose hardware, which can't be programmed to do anything else - but it's the best we can do for speed.

That means, for the full key we need $\approx 2^{128} / 2^{62.117} = 2^{65.883}$ seconds. This is approximately:

• $68 \cdot 10^{18}$ seconds
• $18.9 \cdot 10^{15}$ hours
• $2.158 \cdot 10^{12}$ years. Written as integer: $2,158,000,000,000$

Since that number is still slightly hard to grasp, this is the age of the universe: $13.799 \cdot 10^9 = 13,799,000,000$

So a rough estimation would be $156.4$ times the age of the universe for testing all keys. You can divide that number by $2$ to get the average time to find the correct key.

Related question: How much would it cost in U.S. dollars to brute force a 256 bit key in a year?

Answer 2

High efficiency AES implementations are known to operate at 277Mb/s using 13.21mW of power. That is 163,820,000 block encryptions per watt per second. Imagine we can do 128 times better over time, say in the next 100 years (should be easy with lots of money).

Now imagine we extract 7500TW of solar energy by covering the planet in solar panels (landmass not required for plant growth), and under those panels are our AES processors.

With our 'today' efficiency we can process $2^{80}$ keys per second, our future efficiency would be able to do $2^{88}$ easy, but that still leaves $2^{40}$ seconds required to fully process a 128-bit key, or over 34000 years.

We will hit the limits of lithography, but I would assume we can improve our compute performance another 128-times in that time period, and maybe improve solar efficiency by double, so lets say 136 years. If we really decide to cover all land mass with solar panels to do the job, we can get maybe 4X more power, and get it done in 40 years.... BUT it will take much longer than that for process tech and buildout of the panels, and the infrastructure to get it all working, so I would still say at least a few centuries, probably under 2000 years.

Answer 3

Assuming that you have $2^N$ ciphertexts with different keys each, finding one of the plaintext becomes easier as $N$ increases ($2^{128 - N + k}$ tries - where $k$ is $2^k$ = the amount of plaintexts you want to find), making it actually feasible to find some plaintexts of AES-128 with a large amount of ciphertexts in a reasonable time.

Also see https://cr.yp.to/snuffle/bruteforce-20050425.pdf or if you want a simpler explanation https://blog.cr.yp.to/20151120-batchattacks.html

Answer 4

I didn't understand the most answers here. I my view, exascale computing will be able, to easily crack 128 bit keys in near future. And in fact, 128 bit stands for random generated 16 byte masterkeys, with an security margin of 16^16 (a-f, 0-9). That masterkey is always used to encrypt the data, and is also encrypted by the user password.

That means: 16^16/10^18 (exascale computer) = 0,3 seconds to test all possibilities to find the masterkey (without delays/iterations), without any user password. So only 256 bit keys with 32 byte are secure enough, to protect our data for the next decades. An 512 or 1024 bit cipher would be even better, to have no problems for the next xxx hundred years. I didn't like that "secure enough for xx years".