AES 128 remains secure in post-quantum world, expert argues
Original: Contrary to popular superstition, AES 128 is just fine in a post-quantum world
Why This Matters
Clarifies quantum computing threat assessment for widely-used encryption standards
Cryptography engineer Filippo Valsorda disputes the widespread belief that quantum computers will halve AES 128's security strength. He argues that Grover's algorithm, unlike a classical brute-force search, parallelizes poorly: the quoted 2^64 figure is 2^64 sequential steps on a single quantum computer, and spreading the search over more machines shrinks Grover's advantage rather than preserving it. AES 128 therefore remains viable against quantum attackers, despite the popular notion that 256-bit keys are required.
Cryptography engineer Filippo Valsorda published a blog post challenging the common misconception that quantum computers will render AES 128 encryption vulnerable. Amateur cryptographers often claim that a quantum computer running Grover's algorithm would halve AES 128's effective strength from 2^128 to 2^64 operations, but Valsorda explains that this misunderstands how the algorithm scales. A classical brute-force search can be split across any number of machines, cutting wall-clock time in proportion to the hardware thrown at it. Grover's square-root speedup, by contrast, comes from a long chain of dependent steps on one machine: the 2^64 figure means 2^64 sequential quantum operations, and splitting the key space across N quantum computers shortens each machine's run only by a factor of about sqrt(N), while the total work grows. 'What makes Grover special is that as you parallelize it, its advantage over non-quantum algorithms gets smaller,' Valsorda stated. No practical attack on AES 128 better than brute force has been found in roughly 30 years of public scrutiny, and current estimates put such a brute-force attack at about 9 billion years even using the entire Bitcoin mining capacity as of 2026. Valsorda warns that the misconception risks diverting attention from the post-quantum transitions that are actually necessary, namely replacing the public-key algorithms that quantum computers do break.
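A worked model of the scaling argument above, added here as an illustration and not code from Valsorda's post or from the article: it compares the sequential step count and total work of a classical brute-force search with those of Grover's search when each is spread across 2^m machines, working in log2 units so 64.0 means 2^64 steps. The pi/4 constant in Grover's iteration count is dropped because it does not affect the scaling, and the per-machine step rate used in the last line is a constructed assumption, not an estimate from the post.

```python
"""Grover vs. classical brute force under parallelization (constructed model).

All quantities are log2 values, so 64.0 means 2**64 steps. The pi/4 constant
in Grover's iteration count is dropped; it does not change the scaling.
"""


def classical_log2(key_bits: int, log2_machines: int) -> dict:
    """Classical exhaustive key search split across 2**log2_machines workers.

    Each worker tries 2**(key_bits - log2_machines) keys, so wall-clock time
    drops in proportion to the machine count while total work stays 2**key_bits.
    """
    return {
        "log2_sequential": float(key_bits - log2_machines),
        "log2_total_work": float(key_bits),
    }


def grover_log2(key_bits: int, log2_machines: int) -> dict:
    """Grover's search split across 2**log2_machines independent quantum computers.

    Each machine searches a subspace of 2**(key_bits - log2_machines) keys and
    needs about sqrt(subspace) dependent oracle iterations. Splitting across N
    machines therefore shortens the run only by sqrt(N), and the total work
    (machines * per-machine steps) grows by sqrt(N) instead of staying flat.
    """
    log2_subspace = key_bits - log2_machines
    log2_sequential = log2_subspace / 2
    return {
        "log2_sequential": log2_sequential,
        "log2_total_work": log2_machines + log2_sequential,
    }


def grover_advantage_log2(key_bits: int, log2_machines: int) -> float:
    """log2 of Grover's wall-clock speedup over classical search at the same
    machine count. The ratio of total work comes out identical."""
    return (classical_log2(key_bits, log2_machines)["log2_sequential"]
            - grover_log2(key_bits, log2_machines)["log2_sequential"])


def seconds_at_rate(log2_steps: float, steps_per_second: float) -> float:
    """Wall-clock seconds for 2**log2_steps sequential steps at a hypothetical
    per-machine rate. The rate is an input, not a hardware estimate."""
    return 2.0 ** log2_steps / steps_per_second


def scaling_table(key_bits: int, log2_machine_counts=(0, 32, 64, 96, 128)):
    """Rows of (log2 machines, classical seq, Grover seq, Grover work, log2 advantage)."""
    rows = []
    for m in log2_machine_counts:
        if m > key_bits:
            continue  # more machines than keys: nothing left to split
        c = classical_log2(key_bits, m)
        g = grover_log2(key_bits, m)
        rows.append((m, c["log2_sequential"], g["log2_sequential"],
                     g["log2_total_work"], grover_advantage_log2(key_bits, m)))
    return rows


if __name__ == "__main__":
    print("AES-128: log2 machines | classical seq | Grover seq | Grover work | log2 advantage")
    for row in scaling_table(128):
        print("  %3d | %6.1f | %6.1f | %6.1f | %6.1f" % row)
    # Grover against a 256-bit key still needs 2**128 sequential steps on one machine.
    print("AES-256, one machine: Grover seq = 2^%.0f" % grover_log2(256, 0)["log2_sequential"])
    # Constructed rate, not a measurement: 2**30 (about 1e9) AES evaluations per
    # second on one machine. 2**64 steps then take 2**34 seconds, about 544 years.
    print("2^64 steps at 2^30/s: %.0f seconds" % seconds_at_rate(64, 2.0 ** 30))
```

The table makes the post's point concrete: with one machine Grover's advantage is 2^64, with 2^64 machines it has fallen to 2^32 while the attacker is spending 2^96 total quantum operations, and with 2^128 machines there is no advantage left at all, because a classical attacker with that much hardware finishes in one step.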