How to Understand Why AES-128 Remains Secure in a Post-Quantum Era
Introduction
With the rise of quantum computing, many worry that our most trusted encryption methods will become obsolete. A persistent myth suggests that AES-128—the gold standard of symmetric encryption—will be easily broken once a cryptographically relevant quantum computer (CRQC) emerges. However, cryptography engineer Filippo Valsorda clarifies that this fear is rooted in a misunderstanding of how quantum algorithms actually work. In this step-by-step guide, you'll learn why AES-128 is perfectly fine in a post-quantum world, debunk the Grover's algorithm myth, and gain the confidence to trust the math that keeps your data safe.

What You Need
Before diving into the steps, ensure you have:
- Basic understanding of encryption – Familiarity with terms like key size, block cipher, and brute-force attack helps.
- Access to this guide – No special tools required, just an open mind and curiosity.
- Patience for math – We'll keep numbers simple, but a little arithmetic goes a long way.
Step-by-Step Guide
Step 1: Grasp the Fundamentals of AES-128
The Advanced Encryption Standard (AES) is a symmetric block cipher adopted by NIST in 2001. AES-128 uses a 128-bit key, offering a key space of 2^128 (approximately 3.4 × 10^38) possible keys. This massive number makes brute-force attacks infeasible with classical computers. For context, using the entire Bitcoin mining network's hashing power (as of 2026), a brute-force attack would take about 9 billion years. No known practical vulnerabilities exist in its 30-year history—the best known attack remains exhaustive key search.
Step 2: Understand Grover's Algorithm – The Quantum Threat
Grover's algorithm is a quantum search algorithm that can find a specific item in an unsorted database of N items in roughly √N steps. Applied to AES-128, it could theoretically reduce the effective key strength from 128 bits to 64 bits (since √(2^128) = 2^64). Many amateurs and even some experts incorrectly concluded that a CRQC would instantly break AES-128 by halving its security. However, this analysis overlooks a crucial point: parallelization.
Step 3: Recognize the Parallelization Fallacy
The popular myth assumes that a CRQC can parallelize the search across multiple quantum processors, speeding up the attack dramatically. In reality, Grover's algorithm is inherently serial. While classical Bitcoin miners can run thousands of ASICs in parallel, a quantum computer cannot efficiently parallelize Grover’s search. The algorithm requires sequential iterations that cannot be split across independent machines without losing quantum advantage. This means the imagined “less than a second” comparison using Bitcoin mining resources is purely illustrative—and fundamentally unrealistic for quantum computers.
Step 4: Evaluate the Real-World Impact
Even if a perfect CRQC existed, executing Grover's algorithm for AES-128 would require an enormous number of qubits and operations. Current quantum chips have at most a few hundred qubits, while millions of error-corrected qubits would be needed. Moreover, the time to run 2^64 operations (the supposed reduced key search) is still astronomically long for a single serial quantum machine. For example, if each operation takes 1 nanosecond, 2^64 nanoseconds is about 584 years. Add real-world gate speeds and error correction overhead, and the timeline stretches to hundreds of thousands of years. Thus, the threat remains theoretical.
Step 5: Compare with Post-Quantum Standards
NIST is currently standardizing post-quantum cryptography (PQC) for asymmetric algorithms like RSA and ECC, which are genuinely vulnerable to Shor's algorithm. Symmetric ciphers like AES are far more resistant. For symmetric encryption, doubling key size (e.g., AES-256) provides a safety margin, but AES-128 remains adequate for most use cases under current quantum projections. The real threat lies in public-key cryptography, not block ciphers.

Step 6: Test Your Knowledge with a Simple Mental Exercise
Imagine you're a cryptographer: to break AES-128 using Grover's algorithm, you'd need a quantum computer that can run 2^64 sequential Grover iterations. Each iteration requires about 2^128 oracle calls (to check if the key is correct). Even with an ideal quantum computer, the total time is dominated by these steps. Parallelization does not help. Compare this to classical Bitcoin mining: 2^64 hashes per second is possible only because of massive parallelism. A single serial machine couldn't dream of that speed. The same logic applies to quantum.
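As an added illustration of Steps 3, 4 and 6 (not code from the original guide or from Filippo Valsorda), the Python model below puts the parallelization argument into numbers. It assumes the textbook Grover model of one oracle call (one AES evaluation) per iteration, follows the guide's rounding of √N to 2^(n/2), and uses the guide's idealised rate of one iteration per nanosecond; the machine counts are constructed scenarios.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def grover_iterations(key_bits: int) -> int:
    """Sequential Grover iterations to search a 2^key_bits key space.

    The textbook count is about (pi/4) * sqrt(N); this follows the guide's
    rounding to sqrt(N) = 2^(key_bits/2), i.e. 2^64 for AES-128.
    """
    return 1 << (key_bits // 2)


def classical_wallclock_years(key_bits: int, machines: int, keys_per_s: float) -> float:
    """Worst-case years for classical brute force: each machine tests a
    disjoint slice, so m machines cut the wall clock by a factor of m."""
    return (1 << key_bits) / (machines * keys_per_s) / SECONDS_PER_YEAR


def grover_wallclock_years(key_bits: int, machines: int, iters_per_s: float) -> float:
    """Years for Grover's search split across m independent quantum machines.

    Each machine searches a disjoint slice of N / m keys and still needs
    sqrt(N / m) *sequential* iterations, so m machines cut the wall clock by
    only sqrt(m): the iterations inside one search cannot be farmed out.
    """
    return math.sqrt((1 << key_bits) / machines) / iters_per_s / SECONDS_PER_YEAR


def parallel_speedup(machines: int, quantum: bool) -> float:
    """Wall-clock speedup from m machines: m classically, sqrt(m) for Grover."""
    return math.sqrt(machines) if quantum else float(machines)


def quantum_machines_for_speedup(target_speedup: float) -> int:
    """Quantum machines needed to match a speedup that m classical machines
    get linearly: sqrt(m_q) = target, so m_q = target^2."""
    return math.ceil(target_speedup ** 2)


if __name__ == "__main__":
    # Constructed scenarios under the guide's 1 iteration per nanosecond model.
    print(f"AES-128, one serial quantum machine: {grover_wallclock_years(128, 1, 1e9):.0f} years")
    print(f"AES-128, 10^6 quantum machines:      {grover_wallclock_years(128, 10**6, 1e9):.2f} years")
    print(f"speedup from 10^6 machines: classical {parallel_speedup(10**6, False):.0e}, "
          f"quantum {parallel_speedup(10**6, True):.0e}")
    print(f"quantum machines to match 10^6 classical ones: {quantum_machines_for_speedup(10**6):.0e}")
    print(f"AES-256, one serial quantum machine: {grover_wallclock_years(256, 1, 1e9):.1e} years")
```

The single-machine AES-128 figure reproduces the guide's 584 years, and the AES-256 line shows the margin Step 5 refers to: the same idealised machine would need on the order of 10^22 years.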
Step 7: Consult Expert Consensus
Cryptographers like Filippo Valsorda, alongside NIST, NSA, and other cryptographic bodies, agree that AES-128 is safe for the foreseeable future. The Quantum Threat Timeline reports from organizations like the Global Risk Institute estimate that a CRQC capable of breaking AES-128 is at least 20–30 years away, if ever. Meanwhile, AES-256 is recommended for extremely long-term security (e.g., classified data), but for everyday use, AES-128 remains the sweet spot between performance and security.
Tips for Staying Informed
- Don't fall for alarmism – Many online sources sensationalize quantum risks. Stick to official guidance from NIST and peer-reviewed research.
- Upgrade to AES-256 only if needed – If you're protecting data that must remain secret for 50+ years, consider AES-256. Otherwise, AES-128 is fine.
- Focus on public-key vulnerabilities – The real quantum danger is to RSA and ECC. Migrate to post-quantum schemes like CRYSTALS-Kyber or FALCON when available.
- Monitor quantum hardware progress – Track milestones like logical qubit counts and error rates, but don’t panic until a CRQC is demonstrated.
- Test your own understanding – Try explaining the parallelization flaw to a colleague. If they get it, you're confident.
Remember: The math hasn’t changed. AES-128 is still exponentially secure against both classical and quantum adversaries—provided the quantum computer can't parallelize. And it can't.