A 128-bit key is already unbreakable by brute force — so why do we bother with 256-bit keys like AES-256?
Because key length is not the security margin: real attacks shave the effective bit count. A time-memory tradeoff can need only about ⅔ of the bits, quantum search (Grover) halves them, and a conservative worst case is the cube root — 256/3 ≈ 85 bits is still hopeless, but 128/3 ≈ 43 would be reachable.
* Even the worst-case reduction leaves AES-256 at 2^85 — still infeasible. *
First, appreciate the scale. A 256-bit keyspace is $2^{256} \approx 10^{77}$. Earth has only about $10^{51}$ atoms; even if every atom were a 1-THz computer testing one key per cycle, the full search would still take on the order of millions of years. Pure brute force is a non-argument — which is exactly why "how big is the brute-force attack" tells you nothing about an algorithm's real security.
So why not stop at 128 bits? Because cleverer attacks reduce the exponent, and you want headroom against them:
| Attack | Effective work for a $k$-bit key | For $k = 256$ |
|---|---|---|
| Brute force | $2^{k}$ | $2^{256}$ |
| Time-memory tradeoff (Merkle-Hellman) | $\approx 2^{k \cdot 2/3}$ | $2^{170}$ |
| Quantum search (Grover) | $2^{k/2}$ | $2^{128}$ |
| Conservative worst case | $2^{k/3}$ | $2^{85}$ |
At 256 bits, even the pessimistic cube-root case leaves $2^{85}$ — still far beyond reach. Run the same reductions on a 128-bit key and the worst case is $2^{128/3} \approx 2^{43}$, which a large botnet or intelligence agency could plausibly manage. That difference is the safety margin AES-256 buys.
Bonus: the quantum row is why symmetric keys are "sliced in half" — Grover turns a 256-bit search into $2^{128}$ work, so AES-256 stays quantum-safe while AES-128 drops to a merely-64-bit quantum margin. Doubling the symmetric key is the whole defence against Grover.
Go deeper:
Brute-force attack (Wikipedia) — the astronomical scale of large keyspaces.
Grover's algorithm (Wikipedia) — the quadratic speed-up that halves symmetric security.