Quick Facts
- Category: Finance & Crypto
- Published: 2026-05-02 08:01:31
With the rise of quantum computing, many have questioned the future of encryption standards. A persistent myth claims that AES-128, the most widely used block cipher, will become vulnerable once quantum computers arrive. But cryptography experts like Filippo Valsorda set the record straight: AES-128 remains robust and secure even in a post-quantum world. This Q&A explains the facts behind the hype.
What is AES-128 and why is it so widely used?
AES-128 is the 128-bit key variant of the Advanced Encryption Standard, a symmetric block cipher adopted by NIST in 2001. It became the default for securing data because it strikes an ideal balance between computational efficiency and cryptographic strength. The algorithm encrypts data in 128-bit blocks using a 128-bit key, and it has withstood decades of cryptanalysis without any practical vulnerabilities. Its widespread adoption spans everything from Wi-Fi security (WPA2) to file encryption and VPNs. The only known theoretical attack against AES-128 is brute force — trying every possible key — which is infeasible due to the enormous key space of 2^128 (about 3.4 × 10^38 combinations).

How secure is AES-128 against classical brute-force attacks?
Imagine assembling the entire Bitcoin mining network as it existed in 2026 — a colossal collection of specialized hardware computing billions of hashes per second. Even with that immense power, cracking a single AES-128 key would take roughly 9 billion years. That's longer than the age of the universe. The key space is so vast that no classical computer, no matter how fast, can exhaustively search it within any reasonable timeframe. For comparison, AES-256 would take exponentially longer, but AES-128 already provides more than enough security for all current and foreseeable classical threats.
What is Grover’s algorithm and how does it supposedly threaten AES-128?
Grover’s algorithm is a quantum search algorithm that can find an item in an unsorted database of N items in roughly √N steps. Some have misapplied this to AES-128, arguing that a quantum computer could reduce the effective key strength from 2^128 to 2^64, because searching 2^128 keys would require only 2^64 quantum operations. This sounds alarming: 2^64 is large but potentially breakable by a determined attacker. However, this reasoning ignores a critical practical limitation — parallelization. Grover’s algorithm is inherently sequential; it does not benefit from running on multiple quantum processors in parallel. Each quantum computer must run the entire search linearly, unlike classical clusters where many machines work simultaneously.
Why is the claim that AES-128 becomes 2^64 incorrect in practice?
The fatal flaw in the 2^64 argument is that Grover’s algorithm cannot be parallelized like classical brute force. Classical attacks can split the key space into chunks and assign each chunk to a different machine, achieving linear speedup. A quantum computer running Grover’s algorithm must perform the search in a single, sequential timeline; doubling the number of quantum processors only reduces the runtime by a constant factor, not by half. Consequently, to halve the security level (from 128 bits to 64 bits), you would need an enormous number of quantum processors — far more than any conceivable future quantum data center could provide. Even with a hypothetical cryptographically relevant quantum computer (CRQC), breaking AES-128 would still take billions of years when accounting for the lack of parallelism. The popular comparison using Bitcoin mining resources is misleading because those resources can parallelize; a CRQC cannot.
How long would a quantum computer actually take to break AES-128?
Realistic estimates show that even a future CRQC with millions of logical qubits would need an astronomically long time to break a single AES-128 key using Grover’s algorithm — likely still on the order of billions of years, just like classical brute force. The required number of sequential quantum operations is still 2^64, and each operation takes a finite amount of time (at least one gate cycle, roughly nanoseconds). Multiplying 2^64 operations by nanoseconds yields an enormous total runtime. Additionally, quantum error correction overhead multiplies the time further. Thus, AES-128 remains perfectly secure against both classical and quantum adversaries for the foreseeable future.
Should we worry about AES-128 in a post-quantum world?
No. The consensus among cryptographers, including Filippo Valsorda, is that AES-128 is fine even after quantum computers become capable of running Shor’s algorithm (which threatens RSA and ECC). AES-128 is not affected by Shor’s algorithm; it only faces Grover’s algorithm, which offers only a quadratic speedup — and that speedup is further negated by the parallelization constraint. NIST itself has not called for moving away from AES-128 for symmetric encryption in post-quantum transition plans. The real focus is on replacing public-key cryptography. So, contrary to internet lore, AES-128 will remain a trusted workhorse for decades to come. Users can confidently continue using AES-128 without upgrading to AES-256 for quantum reasons (though AES-256 offers extra margin for other concerns).
How does AES-256 compare in the quantum context?
AES-256 uses a 256-bit key, doubling the key size from AES-128. In a quantum setting, Grover’s algorithm would reduce its effective strength from 2^256 to 2^128 — still astronomically beyond any conceivable attack. While AES-256 provides an even larger security margin, it comes with increased computational cost (roughly 40% slower in software). For most applications, AES-128 is sufficient and more efficient. However, some organizations with extremely long-term security requirements (e.g., protecting secrets for 50+ years) may prefer AES-256 as a precaution. The important takeaway is that both remain secure post-quantum; the myth that AES-128 becomes breakable is simply false.
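To put numbers on the parallelism argument made in the Grover answers above and on the AES-128 versus AES-256 comparison here, the following calculator is an added example and is not part of the original article. It assumes the standard result that running k independent Grover instances divides the wall-clock time only by √k, and its inputs (a 10^21 keys/s classical network, 1 ms per error-corrected Grover iteration, 10^6 quantum processors) are constructed assumptions, not figures from the article.

```python
"""Added worked example (not from the original article): back-of-the-envelope
attack-time estimates for AES keys under the assumptions labelled below."""
from math import pi, sqrt

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classical_bruteforce_years(key_bits: int, keys_per_second: float, machines: int = 1) -> float:
    """Expected classical search time: on average half the key space is tried,
    and splitting the key space over `machines` workers gives a linear speedup."""
    expected_trials = 2 ** (key_bits - 1)
    return expected_trials / (keys_per_second * machines) / SECONDS_PER_YEAR


def grover_years(key_bits: int, seconds_per_iteration: float, processors: int = 1) -> float:
    """Grover needs about (pi/4) * sqrt(2**key_bits) sequential oracle calls, each
    one a full AES evaluation inside the quantum computer. Running `processors`
    independent Grover instances divides the wall-clock time only by
    sqrt(processors), not by `processors`: the parallelization limit the article
    describes."""
    iterations = (pi / 4) * sqrt(2 ** key_bits)
    return iterations / sqrt(processors) * seconds_per_iteration / SECONDS_PER_YEAR


def processors_for_target(key_bits: int, seconds_per_iteration: float, target_years: float) -> float:
    """Parallel Grover instances needed to finish within `target_years`.
    Because the speedup is only sqrt(k), this grows as (single_time / target)**2."""
    single = grover_years(key_bits, seconds_per_iteration)
    return (single / target_years) ** 2


if __name__ == "__main__":
    # Constructed assumptions: 10**21 keys/s for the classical network (the scale of
    # a large mining network's hash rate) and 1 ms per error-corrected Grover
    # iteration (one coherent AES evaluation plus error-correction overhead).
    print(f"classical, 1e21 keys/s, AES-128: {classical_bruteforce_years(128, 1e21):.3g} years")
    print(f"Grover, 1 ms/iter, AES-128, 1 processor: {grover_years(128, 1e-3):.3g} years")
    print(f"Grover, 1 ms/iter, AES-128, 1e6 processors: {grover_years(128, 1e-3, 10**6):.3g} years")
    print(f"Grover processors to finish AES-128 in 1 year: {processors_for_target(128, 1e-3, 1):.3g}")
    print(f"Grover, 1 ms/iter, AES-256, 1 processor: {grover_years(256, 1e-3):.3g} years")
```

Changing `seconds_per_iteration` shows how strongly the quantum estimate depends on the per-iteration cost, while the `processors` argument shows that a million machines buy only a thousand-fold reduction.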