Quick Facts
- Category: Finance & Crypto
- Published: 2026-05-03 11:49:10
For years, a persistent myth has haunted the cybersecurity world: that the arrival of quantum computers will render the widely used AES-128 encryption obsolete. Cryptography engineer Filippo Valsorda, however, is on a mission to set the record straight. The truth is far less alarming—and far more nuanced. In this article, we break down the key facts you need to understand about AES-128's resilience in a post-quantum landscape, dispelling the popular superstition that refuses to die.
1. The Grover's Algorithm Myth: A Misunderstood Threat
One of the most common arguments against AES-128 in a quantum future comes from Grover's algorithm, a quantum search algorithm that supposedly halves the effective key strength of symmetric ciphers. Many amateur cryptographers have concluded that AES-128 would be reduced to a mere 2^64 operations, making it trivial to break. But this conclusion ignores a critical detail: Grover's algorithm cannot be efficiently parallelized. In a classical brute-force attack, you can throw thousands of machines at the problem simultaneously. With Grover's algorithm, each quantum computer must run the search sequentially, meaning the time savings are far less dramatic than claimed. The '2^64' figure assumes perfect parallelization, which is fundamentally impossible for Grover's algorithm.

2. Parallelization: The Game-Changer Everyone Overlooks
The inability to parallelize Grover's algorithm is the key reason AES-128 remains secure. Valsorda emphasizes that even a powerful quantum computer would need to run the algorithm from start to finish on a single machine. While a classical system can split the key space across millions of ASICs, a quantum system cannot. This means that the effective security of AES-128 against a quantum adversary is still far greater than 2^64—closer to 2^96 or even higher, depending on the implementation. The common comparison to bitcoin mining resources is misleading because it assumes parallelization that simply does not apply to Grover's algorithm.
3. Brute-Force Attack: Still a Billion-Year Undertaking
As of today, the only known method to break AES-128 is a brute-force search through all 2^128 possible keys—that's 3.4 × 10^38 combinations. To put that in perspective, even if you harnessed the entire computing power of the bitcoin network as of 2026, a full brute-force attack would take approximately 9 billion years. Quantum computing doesn't change this fundamental reality; even with Grover's algorithm, the time required remains astronomically large. The myth persists because people incorrectly assume quantum computers operate with infinite parallelism, which they simply do not.
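As an added illustration (not from the original article or from Valsorda's write-up), the following Python reproduces the brute-force estimate above and models the parallelization point from section 2: splitting Grover's search across k machines only shrinks each machine's sequential work by the square root of k, while the total quantum work grows. The network hashrate is an assumed ballpark value, and constant factors such as Grover's π/4 are dropped.

```python
import math

KEY_BITS = 128
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed aggregate hashrate of about 1.2 zettahashes per second, a constructed
# ballpark figure for a 2026 bitcoin network, not a measured value.
ASSUMED_HASHRATE = 1.2e21


def classical_bruteforce_years(key_bits: int, ops_per_second: float) -> float:
    """Wall-clock years to try every key with the whole network working in parallel."""
    return 2 ** key_bits / ops_per_second / SECONDS_PER_YEAR


def classical_log2_serial_steps(key_bits: int, machines: int) -> float:
    """Classical search splits the key space evenly: k machines do N/k steps each."""
    return key_bits - math.log2(machines)


def grover_log2_serial_steps(key_bits: int, machines: int) -> float:
    """Grover over a slice of N/k keys needs about sqrt(N/k) sequential iterations,
    so k machines shorten the critical path by sqrt(k), not by k."""
    return (key_bits - math.log2(machines)) / 2


def grover_log2_total_work(key_bits: int, machines: int) -> float:
    """k machines each running sqrt(N/k) iterations cost sqrt(N*k) in total:
    parallel Grover buys time only by spending more total quantum work."""
    return (key_bits + math.log2(machines)) / 2


def summarize(key_bits: int = KEY_BITS, machines: int = 2 ** 40) -> dict:
    """Compare the classical and quantum pictures for one machine count."""
    return {
        "classical_years_full_network": classical_bruteforce_years(key_bits, ASSUMED_HASHRATE),
        "classical_parallel_log2_steps": classical_log2_serial_steps(key_bits, machines),
        "grover_single_machine_log2_steps": grover_log2_serial_steps(key_bits, 1),
        "grover_parallel_log2_steps": grover_log2_serial_steps(key_bits, machines),
        "grover_parallel_log2_total_work": grover_log2_total_work(key_bits, machines),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value:.4g}")
```

With 2^40 machines the classical search drops from 2^128 to 2^88 steps per machine, whereas Grover drops only from 2^64 to 2^44 sequential iterations while its total work rises to 2^84.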
4. Three Decades of Unbroken Security
AES-128 has been a NIST standard since 2001, and in three decades of intense cryptanalysis, no practical vulnerability has been discovered. The only theoretical attack is brute force, which we've already established is impractical. This track record gives cryptographers confidence that AES-128 will remain secure even as quantum technology advances. While post-quantum cryptography often focuses on asymmetric algorithms (like RSA and ECC) that are truly vulnerable to Shor's algorithm, symmetric ciphers like AES are far less impacted. The lack of any known shortcut for breaking AES-128 means that quantum computers offer no magical advantage.

5. The Misguided Amateur Analysis That Started It All
The widespread belief that AES-128 is doomed originates from a misunderstanding of quantum computing and cryptography. Amateur cryptographers and mathematicians took Grover's algorithm out of context, applying it without accounting for real-world constraints. They assumed that a cryptographically relevant quantum computer (CRQC) could simply run Grover's algorithm on a massive parallel cluster, much like bitcoin miners do with ASICs. Valsorda points out that this assumption is flawed: a CRQC is a fundamentally different machine and cannot parallelize the algorithm in the same way. The resulting '2^64 security' claim is therefore a theoretical artifact, not a practical threat.
6. What the Future Actually Holds for AES-128
Looking ahead, AES-128 will remain a robust choice for symmetric encryption for the foreseeable future. NIST already recommends AES-256 for top-secret data, but AES-128 continues to be the preferred option for many applications due to its excellent balance of security and performance. Even with a quantum computer, the effort required to break AES-128 would be so astronomical that it's effectively impossible. The real quantum threat lies with asymmetric cryptography, not AES. So if you're using AES-128 today, you can breathe easy—contrary to popular superstition, your data is safe.
In summary, the panic over AES-128 in a post-quantum world is largely based on a misunderstanding of how quantum algorithms work. Grover's algorithm does reduce the search space, but not as dramatically as often claimed, because it cannot be parallelized. Combined with AES-128's long history of security, it's clear that this encryption standard will continue to serve us well. As Filippo Valsorda would say, the myth is just that—a myth—and the truth is far more reassuring.