Why AES-128 Remains Secure Against Quantum Threats: Debunking the Halving Myth

From Bioinfa, the free encyclopedia of technology

Introduction

As quantum computing advances, fears about the vulnerability of encryption standards have intensified. One common belief is that AES-128, the widely used block cipher, will become obsolete once cryptographically relevant quantum computers (CRQCs) arrive. However, cryptography engineer Filippo Valsorda argues that this notion is based on a fundamental misunderstanding of how quantum algorithms—specifically Grover’s algorithm—affect symmetric key ciphers. In reality, AES-128 remains robust in a post-quantum world.

Source: feeds.arstechnica.com

The Strength of AES-128

AES-128 is the most widely deployed variant of the Advanced Encryption Standard, adopted by NIST in 2001. While AES supports 192- and 256-bit keys, the 128-bit version has long been favored for its balance of security and computational efficiency. With over thirty years of scrutiny, no practical vulnerabilities have been found. The only known attack is a brute-force search of the key space, which for AES-128 contains 2^128 possible keys, approximately 3.4 × 10^38 combinations. To put this in perspective, using the entire Bitcoin mining network as of 2026, a brute-force attack would take roughly 9 billion years.

Understanding Grover’s Algorithm and Its Misapplication

Grover’s algorithm offers a quadratic speedup for unstructured search problems. Applied to AES-128, a quantum computer could in principle find the key in about 2^64 operations, the square root of the key space, which corresponds to half the key’s bit length. This observation led to the widespread claim that AES-128 is effectively only 64-bit secure against quantum attacks. However, this interpretation ignores a critical detail: Grover’s algorithm is inherently sequential and does not parallelize well.

The Parallelization Problem

In classical computing, brute-force attacks can be parallelized across thousands of ASICs or GPUs. For example, the Bitcoin network uses massive parallelization to solve hash puzzles. The flawed reasoning for AES-128 often assumes that a CRQC could similarly parallelize Grover’s algorithm, reducing the effective security to 2^64 and allowing an attack in under a second. In reality, quantum algorithms like Grover’s require deep circuits that run sequentially. You cannot simply run many quantum computers in parallel on the same problem and achieve linear speedup—the underlying physics of quantum interference prevents it. The correct measure of security is the number of sequential Grover iterations, which for AES-128 remains astronomically large.
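The sub-linear gain from parallelizing Grover’s algorithm can be made concrete by counting iterations. The following Python is an added example, not code from the article or from Valsorda; it applies the standard result that p quantum machines each searching a disjoint subspace of 2^k/p keys need about (π/4)·sqrt(2^k/p) sequential Grover iterations apiece, so wall-clock time shrinks only by a factor of sqrt(p), whereas classical search shrinks by a factor of p. The key-test and iteration rates in main() are constructed assumptions, not measurements.

```python
"""Sequential Grover iterations versus classical brute force for AES key search.

Added illustration, not part of the original article. Models the textbook
result that splitting an N-element search across p quantum machines leaves
each machine with about (pi/4) * sqrt(N/p) sequential Grover iterations,
so parallelism buys only a sqrt(p) reduction in wall-clock time.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classical_wallclock_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to test every key classically; parallel machines
    simply add their rates, so the gain is linear in machine count."""
    return (2 ** key_bits) / keys_per_second


def grover_iterations(key_bits: int, parallel_machines: int = 1) -> int:
    """Sequential Grover iterations one machine must run when the 2^key_bits
    key space is divided evenly among `parallel_machines` quantum computers."""
    subspace = 2 ** key_bits / parallel_machines
    return math.ceil(math.pi / 4 * math.sqrt(subspace))


def grover_wallclock_seconds(key_bits: int, parallel_machines: int,
                             iterations_per_second: float) -> float:
    """Wall-clock time: the machines run concurrently, so only the per-machine
    iteration count matters, not the total work across all machines."""
    return grover_iterations(key_bits, parallel_machines) / iterations_per_second


def parallel_speedup(key_bits: int, parallel_machines: int) -> float:
    """How much faster p machines finish than one machine (about sqrt(p))."""
    return grover_iterations(key_bits, 1) / grover_iterations(key_bits, parallel_machines)


def main() -> None:
    # Constructed, deliberately generous rates (assumptions, not measurements):
    # a classical network testing 1e21 keys/s and a quantum machine completing
    # 1e9 Grover iterations/s (each iteration evaluates AES in superposition).
    classical_years = classical_wallclock_seconds(128, 1e21) / SECONDS_PER_YEAR
    print(f"classical exhaustive search at 1e21 keys/s: {classical_years:.2e} years")
    for machines in (1, 1_000, 1_000_000):
        years = grover_wallclock_seconds(128, machines, 1e9) / SECONDS_PER_YEAR
        print(f"{machines:>9} quantum machines: {grover_iterations(128, machines):.3e} "
              f"sequential iterations each, {years:.2e} years, "
              f"speedup x{parallel_speedup(128, machines):.0f} (not x{machines})")


if __name__ == "__main__":
    main()
```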


Common Misconceptions About Post-Quantum Security

The myth that AES-128 is doomed persists partly because of confusion with asymmetric cryptography. Public-key systems like RSA and ECC rely on problems (factoring, discrete logarithms) that Shor’s algorithm can solve exponentially faster, rendering them truly vulnerable. Symmetric ciphers, however, are only polynomially affected by Grover’s algorithm. NIST’s post-quantum cryptography standards focus on replacing asymmetric primitives, while symmetric ciphers like AES-128 and AES-256 are expected to remain in use, with the larger AES-256 key size available where an extra margin is desired.

Conclusion

Contrary to popular superstition, AES-128 is perfectly secure in a post-quantum world when properly implemented. The alleged halving of its security by Grover’s algorithm does not translate into a practical break, because parallelization is not directly applicable. While quantum computing poses a serious threat to asymmetric cryptography, symmetric encryption like AES-128 remains robust—and will likely continue to protect data for decades to come. For those seeking additional safety, AES-256 provides an even larger margin, but for most applications, AES-128 is more than sufficient.