When could 256 bit encryption be brute forced?

Most Probably Never

Of the currently known quantum algorithms, Grover's algorithm is the one which directly affects symmetric ciphers the most. Essentially, for a cipher that a classical computer can bruteforce in time N, a quantum computer can bruteforce it in time square root of N. This means that a 256 bit cipher (which would take at most O(2256) compexity to bruteforce on a classical computer) could be bruteforced in O(2128) on a quantum computer.

Bruteforcing even a 128 bit key is limited by the laws of physics. As this excellent answer explains, the amount of energy required to bruteforce a 128 bit key is ridiculously large (all the world's resources for 10 years straight, just for cracking one key). So, absent any other significant breakthroughs, bruteforcing a 256 bit key is out of question. In fact, Grover's algorithm has been shown to be optimal, so any further breakthroughs are extremely unlikely.


You did not explain the name of 256-bit encryption it can be AES, ChaCha20, RSA encryption, DLog, or...

Shor's algorithm

Peter Shor's algorithm will crush the RSA encryption if we assume that you meant the 256-bit key security for RSA is approximated as 15560-bit modulus, a table key be found at keylength.com where there are various approaches.

Shor's algorithm will also crush the DLog in ECC therefore, the ECDHE and ECC signatures like Ed25519 will be gone.

The below table from;

  • Proos and Zalka Shor’s discrete logarithm quantum algorithm for elliptic curves, 2008

enter image description here

Grover's algrithm

Grover's algrithm search on the unstructured data is asymptotically optimal and has complexity Ω(√n). With AES-256 that will make √n . There is one interesting issue here and mostly not talked about; the setup and the running cost of the setup. Even the break of the AES-128 is not known to be practical with Grovers' method;

Grover's attack for AES-128 is in 264 time however that requires approximately 264 successive AES evaluations. This may not be achievable in a reasonable time. with a similar argument, we can talk about that AES-192 and AES-256 certainly not achievable.

The below table from;

  • M. Grassl et. al, Applying Grover's algorithm to AES: quantum resource estimates, 2015.

enter image description here

One can run a k parallel Grover algorithm that will only speed up √k not k or quadratic, that is another difference from classical parallel search like done for DES.

Therefore we can say that Grover's attack is not a practical attack even to AES-128. The attack time is still quadratic and the required gates are not practical and it can be around 286 for AES-128.

As a result, we can say that Grover's algorithm assesses classical cryptographic schemes' security parameters against quantum attacks. There are more cryptographic scheme those have resistance to Quantum attacks and NIST already has Post Quantum Cryptography Project that is currently 3rd stage.

For AES-128 there are more practical attacks, like the multi-target attack and side-channel attacks that include the cache attacks.

If you want to be secure use AES-256!