Quantum Fears Overblown: AES-128 Encryption Survives the Hype, Expert Declares
<p><strong>BRENHAM, TX —</strong> In a forceful rebuttal to persistent online speculation, cryptography engineer Filippo Valsorda has declared that the widely used AES-128 encryption standard remains robust against future quantum computers, dismissing claims that its security would be halved as a misinterpretation of Grover's algorithm.</p>
<p>“The idea that AES-128 will suddenly become as weak as AES-64 in a post-quantum world is a myth that refuses to die,” said Valsorda in a technical post published Wednesday. “Even with a cryptographically relevant quantum computer, Grover's algorithm does not parallelize the way people imagine, and the effective security remains far beyond practical attack.”</p>
<h2>Background</h2>
<p>The Advanced Encryption Standard (AES) was adopted by NIST in 2001 and supports key sizes of 128, 192, and 256 bits. AES-128 has been the most widely deployed variant because it offers the best balance of security and computational cost. In the quarter-century since its adoption no practical attack has been found; the best generic attack remains brute-force enumeration of its <strong>2<sup>128</sup></strong> possible keys — roughly 3.4 × 10<sup>38</sup> combinations.</p><figure style="margin:20px 0"><img src="https://cdn.arstechnica.net/wp-content/uploads/2026/04/quantum-encryption-1152x648.jpg" alt="Quantum Fears Overblown: AES-128 Encryption Survives the Hype, Expert Declares" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.arstechnica.com</figcaption></figure>
<p>Using the entire global bitcoin mining hash rate as of 2026 as a measuring stick, a classical brute-force attack on AES-128 would take an estimated <strong>9 billion years</strong>. That estimate already credits the attacker with perfect parallelization, which classical key search permits (every machine tests its own slice of the key space independently) but which the search performed by Grover's algorithm does not.</p>
<h3>The Grover Misconception</h3>
<p>In recent years, amateur cryptographers and mathematicians have applied Grover's algorithm — a quantum search method — to claim that a cryptographically relevant quantum computer (CRQC) could reduce the work of attacking AES-128 to roughly <strong>2<sup>64</sup></strong> operations, as if the cipher had a 64-bit key. Plugged into the bitcoin-scale estimate above, that figure would suggest the key could be recovered in less than a second. However, Valsorda and other experts point out that this analysis ignores a critical limitation of Grover's algorithm.</p>
<p>“Grover's algorithm offers a quadratic speedup, but <a href="#parallelization">it does not parallelize trivially</a>,” Valsorda explained. “The amateur calculations assume you can simply throw more quantum processors at the problem, but the algorithm itself is inherently sequential — each step depends on the previous one. The bitcoin mining analogy collapses because quantum computers cannot run as a cluster of independent ASICs.”</p>
<h2 id="parallelization">The Parallelization Reality</h2>
<p>Grover's algorithm is a chain of identical iterations, each acting on the output of the previous one, so the search cannot be divided among machines for a linear speedup. Splitting the key space evenly across <em>p</em> machines gives each one a subspace of 2<sup>128</sup>/<em>p</em> keys, which still requires about √(2<sup>128</sup>/<em>p</em>) = 2<sup>64</sup>/√<em>p</em> sequential iterations: a million-fold (2<sup>20</sup>) increase in hardware buys only a thousand-fold (2<sup>10</sup>) reduction in depth. On a single quantum machine, which itself does not yet exist, the critical path is roughly <strong>2<sup>64</sup></strong> iterations, each a full evaluation of AES inside an error-corrected circuit — enough to push the sequential running time into the billions of years.</p><figure style="margin:20px 0"><img src="https://cdn.arstechnica.net/wp-content/uploads/2026/04/quantum-encryption-640x427.jpg" alt="Quantum Fears Overblown: AES-128 Encryption Survives the Hype, Expert Declares" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.arstechnica.com</figcaption></figure>
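<p>The square-root limit on parallel Grover search, and the reason an attacker cannot simply "run fewer iterations on more machines," can be checked directly on a toy key space. The following Python is an added illustration written for this page; it is not code from Valsorda's post or from any AES implementation. It simulates Grover's algorithm exactly on a key space small enough to hold in memory (10 bits, so 1,024 keys, a constructed stand-in for the 128-bit case), then applies the same iteration-count formula to AES-128 split across an assumed number of machines. The <code>seconds_per_iteration</code> argument is a placeholder the caller supplies, not an estimate of real quantum hardware.</p>

```python
import math


def grover_simulate(n_bits: int, target: int, iterations: int) -> float:
    """Exact state-vector simulation of Grover's search over a toy key space of
    N = 2**n_bits keys, where `target` is the single key the oracle marks.
    Amplitudes stay real throughout, so a plain list of floats suffices.
    Returns the probability of measuring `target` after `iterations` rounds."""
    n = 1 << n_bits
    amp = [1.0 / math.sqrt(n)] * n            # uniform superposition over all keys
    for _ in range(iterations):
        amp[target] = -amp[target]            # oracle: phase-flip the correct key
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]   # diffusion: reflect about the mean
    return amp[target] ** 2


def optimal_iterations(n_bits: int, machines: int = 1) -> int:
    """Sequential Grover rounds each machine must run when the 2**n_bits key
    space is split evenly across `machines` independent instances.  Each
    instance searches 2**n_bits / machines keys and needs about
    (pi/4) * sqrt(subspace) rounds, so p machines cut the depth by sqrt(p), not p."""
    subspace = 2.0 ** n_bits / machines
    return math.floor(math.pi / 4 * math.sqrt(subspace))


def depth_reduction(n_bits: int, machines: int) -> float:
    """Factor by which parallelism shortens the critical path (about sqrt(machines))."""
    return optimal_iterations(n_bits) / optimal_iterations(n_bits, machines)


def wall_clock_years(n_bits: int, machines: int, seconds_per_iteration: float) -> float:
    """Critical-path running time in years.  `seconds_per_iteration` is an
    assumed cost for one oracle-plus-diffusion round (one AES evaluation inside
    the quantum circuit); it is an input, not a claim about real hardware."""
    seconds = optimal_iterations(n_bits, machines) * seconds_per_iteration
    return seconds / (365.25 * 86400)


if __name__ == "__main__":
    # Constructed toy case: 10-bit keys, the correct key is 0x2A5.
    for k in (5, optimal_iterations(10), 50):
        p = grover_simulate(10, 0x2A5, k)
        print(f"10-bit key space, {k:2d} iterations: P(correct key) = {p:.4f}")
    # Splitting the same 1,024 keys over 4 machines: 12 rounds each, not 25/4.
    print("4 machines, 8-bit subspace, 12 iterations:",
          f"{grover_simulate(8, 0x1F, 12):.4f}")
    # AES-128 depth with 1 machine and with 2**20 machines (assumed 1 ms/round).
    for machines in (1, 2 ** 20):
        print(f"AES-128 on {machines} machine(s): {optimal_iterations(128, machines):.3e}"
              f" sequential rounds, ~{wall_clock_years(128, machines, 1e-3):.3e} years")
```

<p>Running it shows that 25 rounds recover the 10-bit key with probability above 0.999, that stopping at 5 rounds leaves the attacker with roughly an 11% chance, and that overshooting to 50 rounds drives the probability back down to a fraction of a percent: the iteration count is fixed by the size of the space, and each round depends on the previous one. Spreading the same 1,024 keys over four machines still costs each of them 12 sequential rounds, a factor of about 2 rather than 4. For AES-128 the single-machine critical path is about 1.45 × 10<sup>19</sup> rounds, and a million machines only divide that by about a thousand.</p>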
<p>Furthermore, the quantum hardware needed to maintain coherence over such long computations does not exist and may never exist at scale. “We are talking about a quantum circuit that would need to run error‑free for trillions of gate operations,” Valsorda noted. “That is many orders of magnitude beyond anything currently envisioned.”</p>
<h2>What This Means</h2>
<p>For organizations and individuals relying on AES-128 today, the message is clear: <strong>no immediate migration is necessary</strong>. While NIST has been standardizing post-quantum cryptographic algorithms for key exchange and digital signatures, the AES symmetric cipher family remains resistant to quantum attacks as long as key sizes are adequate. AES-192 and AES-256 provide even larger security margins but require more computational resources. For most applications, AES-128 will remain fit for purpose well into the quantum era.</p>
<p>“There is no need to panic and rush to AES-256,” Valsorda said. “The real vulnerabilities in our systems are not in symmetric encryption but in public‑key cryptography like RSA and ECC, where Shor's algorithm does pose a true threat. We should focus on migrating those, not on mythical weaknesses in AES.” The consensus among cryptographers is that AES-128 will continue to be a trusty workhorse for decades, barring unforeseen breakthroughs in quantum error correction or algorithm design that may never materialize.</p>
<p><em>This story will be updated as new quantum computing developments emerge.</em></p>