Why AES-128 Remains Secure Against Quantum Computers: Debunking Common Myths
<h2>Introduction</h2><p>Quantum computing is often portrayed as a looming threat that will shatter modern encryption. Among the algorithms said to be at risk, the Advanced Encryption Standard (AES) is a frequent target of speculation. Many believe that AES-128, the most widely used variant, will become obsolete once a sufficiently powerful quantum computer emerges. Cryptography engineer Filippo Valsorda argues that this fear is largely unfounded: AES-128 remains robust in a post-quantum world, and the common narrative about its vulnerability rests on a misunderstanding of how Grover's algorithm actually scales.</p><figure style="margin:20px 0"><img src="https://cdn.arstechnica.net/wp-content/uploads/2026/04/quantum-encryption-1152x648.jpg" alt="Why AES-128 Remains Secure Against Quantum Computers: Debunking Common Myths" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.arstechnica.com</figcaption></figure><h2 id="understanding-aes-128">Understanding AES-128</h2><p>AES (Advanced Encryption Standard) is a symmetric block cipher adopted by NIST in 2001. It supports key sizes of 128, 192, and 256 bits. AES-128 has long been the preferred choice because it offers a good balance between computational efficiency and security. In the quarter century since its adoption, no practical attack on the cipher itself has been found (side-channel leaks in particular implementations are a separate matter). The only known way to recover an AES-128 key is brute force: testing candidate keys until one decrypts correctly. With 2<sup>128</sup> (approximately 3.4 × 10<sup>38</sup>) possible keys, even the entire Bitcoin mining network's hashing power as of 2026 would need roughly 9 billion years to exhaust the key space. 
This immense key space provides a vast security margin.</p><h2 id="quantum-threat">The Quantum Threat: Grover's Algorithm</h2><p>The fear surrounding AES-128 originates with Grover's algorithm, a quantum algorithm that finds a marked item among N unstructured candidates in roughly √N queries instead of the N/2 a classical search needs on average. Amateur cryptographers and mathematicians often apply Grover's algorithm to key search and claim that a cryptographically relevant quantum computer (CRQC) would cut AES-128's security level in half, from 128 bits to 64 bits, because 2<sup>128</sup> candidate keys would need only about 2<sup>64</sup> Grover iterations. They then argue that 2<sup>64</sup> operations is a trivial amount of work: the same hypothetical Bitcoin mining resources would get through it in well under a second. This reasoning is flawed because it silently treats 2<sup>64</sup> Grover iterations as if they were 2<sup>64</sup> independent classical hash evaluations, and ignores a critical constraint: Grover's algorithm does not parallelize efficiently.</p><h2 id="parallelization-fallacy">The Parallelization Fallacy</h2><p>The key misconception lies in how Grover's algorithm operates. A classical brute-force search is embarrassingly parallel: split the key space across a million machines and the job finishes a million times sooner. Grover's algorithm is inherently sequential. Each iteration applies the search oracle (here, a reversible quantum circuit that evaluates AES) to the quantum state produced by the previous iteration, so the roughly √N iterations must run one after another on the same machine. Splitting the key space across p quantum computers does help, but each of them still needs about √(N/p) sequential iterations, so the wall-clock time drops only by a factor of √p while the total work grows by √p. Doubling the number of quantum processors therefore cuts the time by a factor of about 1.4, not 2. For AES-128, N = 2<sup>128</sup> means roughly 2<sup>64</sup> sequential Grover iterations, each containing a full AES evaluation: a circuit depth that remains astronomically large even with perfect quantum hardware. The assumption that a CRQC could simply “run Grover” faster by adding qubits or parallel clusters is incorrect. In practice, scaling quantum computers to run such deep circuits is extraordinarily challenging, and error correction overhead further increases the cost of every one of those iterations. 
Thus, the popular claim that AES-128's security collapses to 2<sup>64</sup> under quantum attack is misleading; the actual cost of a Grover attack remains far beyond practical reach for the foreseeable future.</p><figure style="margin:20px 0"><img src="https://cdn.arstechnica.net/wp-content/uploads/2026/04/quantum-encryption-640x427.jpg" alt="Why AES-128 Remains Secure Against Quantum Computers: Debunking Common Myths" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.arstechnica.com</figcaption></figure><h2 id="conclusion">Conclusion</h2><p>AES-128 is not doomed by quantum computing. Grover's algorithm does provide a theoretical square-root speedup, but its sequential nature and the cost of running on the order of 2<sup>64</sup> error-corrected AES circuits in series keep AES-128 out of reach of any realistic quantum adversary. The confusion stems from oversimplified comparisons that ignore the fundamental difference between classical parallelization and quantum algorithmic constraints. For now and for the near future, AES-128 remains a sound choice for protecting sensitive data, even in a world where quantum computers exist. Organizations should keep monitoring developments, but there is no immediate need to abandon AES-128 for larger key sizes or entirely new algorithms. The picture is different for public-key cryptography: Shor's algorithm breaks RSA and elliptic-curve schemes outright, and that is where post-quantum migration effort belongs. As Valsorda puts it, contrary to popular superstition, AES-128 is perfectly fine in a post-quantum world.</p>
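<p>As an added worked example (not from the article or from Valsorda's post), the following Python script puts the parallelization argument above into numbers. It models a classical brute-force search as perfectly divisible work, models Grover's search as √(N/p) sequential iterations on each of p machines, and compares the two. The per-machine Grover iteration rate is an assumption chosen only to make the √p scaling visible, and the Bitcoin hash rate is back-calculated from the article's own 9-billion-year figure rather than taken from any source; both are labelled as such in the comments.</p>

```python
"""Cost model for Grover key search parallelised across several quantum
computers, compared with a classical brute-force search.

Added example for this article; it is not code from Valsorda's post or from
the original page. The rate constants below are labelled assumptions chosen
only to make the sqrt(p) scaling visible; they are not hardware estimates.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classical_time_seconds(key_bits: int, trials_per_second: float) -> float:
    """Classical exhaustive search is embarrassingly parallel: 2^b key trials
    divided by the aggregate trial rate of every machine taking part."""
    return 2 ** key_bits / trials_per_second


def implied_classical_rate(key_bits: int, years: float) -> float:
    """Aggregate trial rate behind a statement such as 'brute-forcing a b-bit
    key takes `years` years'. Used to back out the hash rate the article's
    9-billion-year figure implies for the Bitcoin network."""
    return 2 ** key_bits / (years * SECONDS_PER_YEAR)


def grover_iterations_per_machine(key_bits: int, machines: int = 1) -> float:
    """Sequential Grover iterations a single machine must execute when the 2^b
    key space is split evenly across `machines` independent Grover instances.
    Each instance searches 2^b/p candidates and needs about sqrt(2^b/p)
    iterations (the constant factor pi/4 is dropped). Within one instance the
    iterations cannot be split further: each applies the AES oracle to the
    state left by the previous one."""
    return math.sqrt(2 ** key_bits / machines)


def grover_total_iterations(key_bits: int, machines: int = 1) -> float:
    """Iterations summed over all machines: p * sqrt(2^b/p) = sqrt(p * 2^b).
    Adding machines divides the wall-clock time by only sqrt(p) and multiplies
    total work by sqrt(p), unlike classical search where total work is fixed."""
    return machines * grover_iterations_per_machine(key_bits, machines)


def grover_time_seconds(key_bits: int, machines: int,
                        iterations_per_second: float) -> float:
    """Wall-clock time of the parallelised Grover attack at a given per-machine
    iteration rate (one iteration = one reversible AES evaluation + diffusion)."""
    return grover_iterations_per_machine(key_bits, machines) / iterations_per_second


def wall_clock_speedup(key_bits: int, machines_before: int, machines_after: int) -> float:
    """Factor by which Grover wall-clock time shrinks when the fleet grows from
    p1 to p2 machines: sqrt(p2/p1), so doubling the fleet yields ~1.41, not 2."""
    return (grover_iterations_per_machine(key_bits, machines_before)
            / grover_iterations_per_machine(key_bits, machines_after))


def main() -> None:
    # Classical rate implied by the article's own figure (2^128 keys, 9e9 years).
    btc_rate = implied_classical_rate(128, 9e9)
    print(f"implied classical rate: {btc_rate:.2e} trials/s")

    # The naive argument: treat 2^64 Grover iterations like 2^64 hashes and
    # spread them across the whole network. It finishes in a fraction of a second.
    print(f"naive '2^64 hashes on the Bitcoin network': "
          f"{classical_time_seconds(64, btc_rate):.3f} s")

    # ASSUMPTION: 1e6 Grover iterations per second per quantum machine. This is
    # deliberately generous and is not a published hardware estimate; every
    # iteration is a full error-corrected reversible AES-128 circuit.
    iter_rate = 1e6
    for machines in (1, 10 ** 3, 10 ** 6):
        years = grover_time_seconds(128, machines, iter_rate) / SECONDS_PER_YEAR
        work = grover_total_iterations(128, machines)
        print(f"{machines:>8} machine(s): {years:.3e} years, "
              f"total work 2^{math.log2(work):.1f} iterations")

    print(f"doubling the fleet: {wall_clock_speedup(128, 1, 2):.3f}x faster")


if __name__ == "__main__":
    main()
```

<p>Running the script shows the two quantities the naive argument conflates: a classical fleet at the implied rate clears 2<sup>64</sup> hashes in about 0.015 s, while a single quantum machine at the assumed (and generous) iteration rate needs on the order of 10<sup>5</sup> years for 2<sup>64</sup> sequential Grover iterations, and a million such machines only bring that down by a factor of a thousand while doing a thousand times more total work.</p>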