
Quantum Fears Overblown: AES-128 Encryption Survives the Hype, Expert Declares

Asked 2026-05-02 13:36:40 Category: Finance & Crypto

BRENHAM, TX — In a forceful rebuttal to persistent online speculation, cryptography engineer Filippo Valsorda has declared that the widely used AES-128 encryption standard remains robust against future quantum computers, dismissing claims that its security would be halved as a misinterpretation of Grover's algorithm.

“The idea that AES-128 will suddenly become as weak as AES-64 in a post-quantum world is a myth that refuses to die,” said Valsorda in a technical post published Wednesday. “Even with a cryptographically relevant quantum computer, Grover's algorithm does not parallelize the way people imagine, and the effective security remains far beyond practical attack.”

Background

The Advanced Encryption Standard (AES) was adopted by NIST in 2001 and supports key sizes of 128, 192, and 256 bits. AES-128 has been the preferred variant due to its balance of security and computational efficiency. Over three decades, no significant vulnerability has been discovered; the only known attack is brute-force enumeration of its 2^128 possible keys — roughly 3.4 × 10^38 combinations.

Source: feeds.arstechnica.com

Using the entire global bitcoin mining hash rate as of 2026 as a measuring stick, a brute-force attack on AES-128 would take an estimated 9 billion years. That calculation assumes perfect parallelization, which classical brute force allows but which is impossible for the type of search performed by Grover's algorithm.

The Grover Misconception

In recent years, amateur cryptographers and mathematicians have applied Grover's algorithm — a quantum search method — to claim that a cryptographically relevant quantum computer (CRQC) could reduce AES-128's effective key space to 2^64. That would, in theory, allow the same bitcoin-scale resources to break the encryption in less than a second. However, Valsorda and other experts point out that this analysis ignores a critical limitation of Grover's algorithm.

“Grover's algorithm offers a quadratic speedup, but it does not parallelize trivially,” Valsorda explained. “The amateur calculations assume you can simply throw more quantum processors at the problem, but the algorithm itself is inherently sequential — each step depends on the previous one. The bitcoin mining analogy collapses because quantum computers cannot run as a cluster of independent ASICs.”

The Parallelization Reality

Grover's algorithm requires iterative operations that cannot be split across multiple machines for a linear speedup. While one can run multiple instances of the algorithm, the total runtime is determined by the depth of each instance, not by the number of machines. For AES-128, even with a perfect CRQC, the number of sequential iterations remains approximately 2^64 — large enough to require many billions of years of processing on a single quantum processor, hardware that is itself not currently feasible.
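To make the three calculations in the Background and Parallelization sections concrete (classical brute force at a global hash rate, the naive "AES-128 becomes AES-64" reading, and Grover's sqrt(k) parallel scaling), here is an added worked example in Python. It is not code from the article or from Valsorda; the hash rate of 1e21 trials per second and the 1 ms per Grover iteration are constructed assumptions, chosen only to show the scaling, not to reproduce the article's 9-billion-year figure. The general law it encodes is that k parallel Grover searches over a key space of size N each need about sqrt(N/k) sequential iterations, so wall-clock time falls only as sqrt(k) while total machine-time grows as sqrt(k).

```python
import math

KEY_BITS = 128
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumptions (not figures from the article):
# a global classical trial rate of 1e21 AES key trials per second, and
# 1 ms per Grover iteration on a hypothetical fault-tolerant quantum computer.
CLASSICAL_RATE_PER_S = 1e21
GROVER_ITERATION_S = 1e-3


def keyspace(bits=KEY_BITS):
    """Number of candidate keys for a cipher with the given key length."""
    return 2 ** bits


def classical_bruteforce_years(bits=KEY_BITS, rate=CLASSICAL_RATE_PER_S):
    """Exhaustive search: every key tried once, perfectly parallel across
    independent classical machines (the bitcoin-ASIC model)."""
    return keyspace(bits) / rate / SECONDS_PER_YEAR


def naive_halved_key_seconds(bits=KEY_BITS, rate=CLASSICAL_RATE_PER_S):
    """The misreading the article criticises: treat 2^(bits/2) as a classical
    key space and search it at the classical, perfectly parallel rate."""
    return keyspace(bits // 2) / rate


def grover_iterations(bits=KEY_BITS, machines=1):
    """Sequential Grover iterations per machine when the key space of size N
    is split across k machines: each searches N/k keys in ~sqrt(N/k) steps."""
    return math.sqrt(keyspace(bits) / machines)


def grover_wallclock_years(bits=KEY_BITS, machines=1, t_iter=GROVER_ITERATION_S):
    """Wall-clock time of a parallel Grover attack: the depth of one instance."""
    return grover_iterations(bits, machines) * t_iter / SECONDS_PER_YEAR


def grover_total_machine_years(bits=KEY_BITS, machines=1, t_iter=GROVER_ITERATION_S):
    """Total machine-time: k machines each running for the wall-clock time.
    This grows as sqrt(k), so parallelism is paid for, not free."""
    return machines * grover_wallclock_years(bits, machines, t_iter)


def machines_for_target_years(target_years, bits=KEY_BITS, t_iter=GROVER_ITERATION_S):
    """Invert the sqrt(k) law: to cut the single-machine time by a factor c
    you need c^2 machines."""
    single = grover_wallclock_years(bits, 1, t_iter)
    return (single / target_years) ** 2


if __name__ == "__main__":
    print(f"classical brute force: {classical_bruteforce_years():.2e} years")
    print(f"naive 'AES-64' reading: {naive_halved_key_seconds():.3f} seconds")
    print(f"single-machine Grover: {grover_iterations():.2e} iterations, "
          f"{grover_wallclock_years():.2e} years")
    for k in (1, 100, 10_000):
        print(f"  k={k:>6}: {grover_wallclock_years(machines=k):.2e} years wall-clock, "
              f"{grover_total_machine_years(machines=k):.2e} machine-years total")
    print(f"machines needed to finish in one year: "
          f"{machines_for_target_years(1.0):.2e}")
```

Running the block shows the shape of the argument rather than any particular headline number: the naive reading gives a fraction of a second because it quietly assumes Grover parallelizes like classical enumeration, while the proper model leaves a single machine with 2^64 sequential iterations, and every hundredfold increase in machines buys only a tenfold reduction in wall-clock time.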


Furthermore, the quantum hardware needed to maintain coherence over such long computations does not exist and may never exist at scale. “We are talking about a quantum circuit that would need to run error‑free for trillions of gate operations,” Valsorda noted. “That is many orders of magnitude beyond anything currently envisioned.”

What This Means

For organizations and individuals relying on AES-128 today, the message is clear: no immediate migration is necessary. While NIST has been standardizing post-quantum cryptographic algorithms for key exchange and digital signatures, the AES symmetric cipher family remains resistant to quantum attacks as long as key sizes are adequate. AES-192 and AES-256 provide even larger security margins but require more computational resources. For most applications, AES-128 will remain fit for purpose well into the quantum era.

“There is no need to panic and rush to AES-256,” Valsorda said. “The real vulnerabilities in our systems are not in symmetric encryption but in public‑key cryptography like RSA and ECC, where Shor's algorithm does pose a true threat. We should focus on migrating those, not on mythical weaknesses in AES.” The consensus among cryptographers is that AES-128 will continue to be a trusty workhorse for decades, barring unforeseen breakthroughs in quantum error correction or algorithm design that may never materialize.

This story will be updated as new quantum computing developments emerge.