The Quantum Myth: Why AES-128 Remains Secure in a Post-Quantum World
Fillippo Valsorda
A persistent “popular mythology” has emerged in the present cybersecurity scene, claiming that the introduction of cryptographically relevant quantum computers (CRQCs) will immediately make 128-bit symmetric encryption obsolete. According to cryptography engineer Filippo Valsorda, this “stubborn misconception” is a dangerous diversion that is “hampering the already hard work of quantum readiness” rather than just a technical mistake. Expert agreement, spearheaded by Valsorda and backed by institutions like NIST, is unambiguous as corporations rush to get ready for a post-quantum future: AES-128 is just fine.
You can also read Quantum eMotion QeM Achieves NYSE Trading Milestone
The “Halving” Fallacy
Amateur mathematicians and cryptographers have been spreading the myth that quantum computers will “halve” the effective security of symmetric keys for more than ten years. Grover’s algorithm, a quantum technique that can search an unsorted database more quickly than a classical computer, is misconception.
It is widely believed that Grover’s technique decreases AES-128’s security to just 264 bits. To put this into perspective, given all of the world’s bitcoin mining resources as of 2026, it would take about 9 billion years to break a 2128 key classically. That identical key may be brute-forced by a CRQC in less than a second, according to the myth. According to Valsorda, this interpretation is essentially incorrect since it ignores the mathematical and physical reality of how quantum algorithms really scale.
You can also read DARPA Contracts Awards Infleqtion for Heterogeneous Quantum
The Parallelization Paradox
The idea of parallelization forms the basis of the case for AES-128’s robustness. If an attack is too slow in classical computing, you can just increase. For instance, you can employ three friends, divide the search space into four sections, and complete the task four times quicker if a search takes too long for one computer.
This is not how Grover’s algorithm operates. It is a serial computation that takes a lengthy time. As Valsorda explains, “What makes Grover special is that as you parallelize it, its advantage over non-quantum algorithms gets smaller”.
Valsorda demonstrates the inefficiency of quantum parallelization using a simplified lock-picking analogy:
- Classical: You and three buddies must attempt 64 different combinations to open a 256-combination lock. The division of labor is effective.
- Quantum: In principle, a quantum computer could find the key in √256 = 16 attempts. However, each of your three friends four quantum computers must try √256/4 = 8.
- The Result: As a result, the group completes 8×4=32 attempts, which is twice as much work as a single quantum computer working alone.
In practical terms, this means that although a quantum computer could theoretically speed up an attack, requesting assistance actually slows it down. The real cost to crack AES-128 is still around 2104, which is well over any realistic barrier for a successful breach, even when sensible restrictions are put in place, such as requiring an attack to be completed within a 10-year window.
You can also read Viewbix ltd Rebrands as Quantum X Labs to Quantum Future
The Reality of “Core-Seconds”
Sophie Schmieg, a senior cryptography engineer at Google, examines “core-seconds” to give this protection more technical depth. An attacker has a 50% chance of success if they pause midway through a traditional brute-force search. You just need two computers to decrease the time in half.
In comparison, there is only a 25% chance of success if a Grover’s search is stopped midway. An attacker would require four computers rather than two to partition the search space and retain a high likelihood of success. An attacker would require 2128 quantum computers in the “maximally parallel instance” at the extreme end of this scale, where each quantum computer examines just one key, making the attack no more effective than a classical one.
Compliance and Global Standards
Major scientific and regulatory organizations have not required a switch from AES-128 for quantum ready, despite the widespread misconception. Valsorda cites a “litany of sources” that back the standard’s ongoing application, such as:
- NIST stands for the National Institute of Standards and Technology.
- Federal Office for Information Security in Germany.
- Scholars such as University of Waterloo professor Samuel Jaques.
The NSA’s Commercial National Security Algorithm Suite (Version 2), which requires AES-256, is the only significant exemption. Valsorda points out that this prerequisite existed long before the current drive toward quantum ready. Rather than being a particular response to Grover’s method, the NSA’s choice for AES-256 seems to be a move toward uniformity, choosing one “oversized primitive” for all settings to avoid fractured security levels.
AES-256 is still necessary in some situations, such as preventing “collisions” in which two keys happen to be equivalent at random because of the birthday paradox. However, 128-bit keys continue to be a reliable “sweet spot” between security and computational efficiency for the great majority of applications.
You can also read Aeluma receives NASA award for integrated Quantum Dot Lasers
Focus on the Real Threat: Shor’s Algorithm
The risk of becoming fixated on symmetric encryption, such as AES, is that it takes focus away from the real existential threat that quantum computing poses: Shor’s algorithm. Asymmetric (public-key) algorithms can be broken in “polynomial time” using Shor’s algorithm, in contrast to Grover’s, which provides a reasonable square-root acceleration.
Public-key encryption, which protects everything from digital signatures to online browsing, is very weak. It is a “tall enough order” to transition these systems without having to deal with the “needless churn” that comes with swapping out perfectly operating symmetric systems.
The cybersecurity community should consider AES-128’s ongoing resiliency a “blessing,” according to Valsorda. Engineers can concentrate their limited resources on the critical changes needed to survive the quantum era by ignoring symmetric systems.
You can also read SEALSQ News: Advancing PQC In Silicon For AI Resilience
