AES 128 remains secure in post-quantum world, expert argues

Original: Contrary to popular superstition, AES 128 is just fine in a post-quantum world

Why This Matters

Corrects critical misunderstanding that could misdirect post-quantum cryptography efforts

Cryptography engineer Filippo Valsorda debunks the widespread misconception that quantum computers will halve AES 128's security. He argues that Grover's algorithm cannot be parallelized the way classical brute-force attacks can, so AES 128's 30-year security record holds up against quantum threats.

Valsorda published a blog post challenging the popular belief that a cryptographically relevant quantum computer (CRQC) would reduce AES 128's effective strength from 2^128 to 2^64 key combinations. Classical computers can split a brute-force search across many machines running at once, but Grover's algorithm is inherently serial: its search steps must run one after another on a single quantum computer. This fundamental difference means quantum computers cannot achieve the massive parallelization that would make AES 128 vulnerable. Valsorda warns that the misconception diverts attention from the post-quantum transition work that is actually needed, noting that AES 128 has had no known vulnerabilities in its 30-year history and would still take approximately 9 billion years to break using current bitcoin mining resources.
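To make the parallelization argument concrete, here is an added example (my own code, not from the article or from Valsorda's post) that compares how classical key search and Grover's search scale when split over k machines. It assumes the standard cost model for parallel Grover, in which each machine searching N/k keys still needs sqrt(N/k) sequential iterations, so total work grows to sqrt(kN); the function names and the depth budgets are my own choices.

```python
"""Brute-force key search cost, classical vs. Grover, under k-way parallelism.

Constructed model (assumptions, not from the article):
  - keyspace N = 2^n  (n = 128 for AES-128)
  - classical: k machines each test N/k keys
        depth per machine = N/k, total work = N  (perfectly parallel)
  - Grover: k quantum machines each search N/k keys
        depth per machine = sqrt(N/k) sequential iterations (cannot be split),
        total work = k * sqrt(N/k) = sqrt(k*N)  (parallelism is expensive)
All values are returned as log2 exponents, so 64 means 2^64.
"""


def classical_cost(n: int, log2_k: int) -> tuple[float, float]:
    """(log2 depth per machine, log2 total work) for 2^n keys on 2^log2_k machines."""
    depth = n - log2_k  # each machine tries its own 1/k slice of the keys
    total = n           # every key is tried exactly once overall
    return depth, total


def grover_cost(n: int, log2_k: int) -> tuple[float, float]:
    """(log2 depth per machine, log2 total work) for Grover on 2^n keys over 2^log2_k machines."""
    depth = (n - log2_k) / 2  # sqrt(N/k) iterations, executed one after another
    total = log2_k + depth    # k * sqrt(N/k) = sqrt(k*N): more machines, more total work
    return depth, total


def machines_for_grover_depth(n: int, max_log2_depth: int) -> int:
    """log2 of the number of quantum machines needed to keep each Grover run within 2^max_log2_depth steps."""
    # (n - log2_k) / 2 <= max_log2_depth  =>  log2_k >= n - 2 * max_log2_depth
    return max(0, n - 2 * max_log2_depth)


if __name__ == "__main__":
    n = 128
    print(f"{'log2(k)':>8} {'classical depth':>16} {'classical work':>15} {'grover depth':>13} {'grover work':>12}")
    for log2_k in (0, 20, 40, 60):
        c_depth, c_total = classical_cost(n, log2_k)
        g_depth, g_total = grover_cost(n, log2_k)
        print(f"{log2_k:>8} {c_depth:>16} {c_total:>15} {g_depth:>13} {g_total:>12}")
    # A depth budget of 2^40 sequential quantum steps (the kind of MAXDEPTH figure
    # NIST used in its PQC call) forces an attacker to 2^48 machines, and the total
    # Grover work climbs to 2^88, far above the naive "2^64" figure.
    budget = 40
    print(f"machines for depth <= 2^{budget}: 2^{machines_for_grover_depth(n, budget)}")
```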

Source

arstechnica.com