AES 128 Encryption Remains Secure Post-Quantum

▼ Summary
– Cryptography engineer Filippo Valsorda asserts that AES 128 encryption remains secure even with the advent of quantum computing.
– AES 128 is a widely adopted standard, nearly three decades old, with no practical attack on its design, so an exhaustive key search is the only known way to break it.
– A brute-force attack on AES 128 would require an infeasible amount of time, estimated at about 9 billion years using vast computational resources.
– Some critics incorrectly claim that a quantum computer running Grover’s algorithm would reduce AES 128 to the equivalent of 64-bit security, putting it within brute-force reach.
– This claim is flawed because Grover’s search runs as one long sequential chain of quantum operations; a cryptographically relevant quantum computer cannot spread that workload across many machines the way a classical key search can.
Amid widespread concern over the threat quantum computers pose to modern cryptography, a key point is often misunderstood. Cryptography engineer Filippo Valsorda emphasizes that AES 128 encryption remains secure and is not rendered obsolete by the advent of quantum technology. This widely deployed standard continues to provide robust protection for data.
Formally adopted by NIST in 2001, the Advanced Encryption Standard offers key sizes of 128, 192, and 256 bits. The 128-bit variant has long been the preferred choice, striking an optimal balance between strong security and efficient use of computational resources. In nearly three decades of public analysis, no practical vulnerability has been found in its design. The only known method of attack is a brute-force search of the key space, which contains 2^128 possible keys. To illustrate the scale, using the entire global Bitcoin mining network as of 2026, and treating each hash it computes as one AES key trial, such an attack would require roughly nine billion years to succeed.
Public confidence, however, has been shaken over the last ten years. A common misconception stems from a misinterpretation of Grover’s algorithm, a quantum search technique that finds one of N items in about the square root of N steps rather than N. Some amateur analysts have taken the resulting 2^64 steps for AES 128 at face value and incorrectly claimed that a cryptographically relevant quantum computer, or CRQC, would effectively halve the security strength of AES 128 to a mere 64 bits. This flawed analysis suggests such a machine could brute-force the encryption almost instantly using resources comparable to today’s Bitcoin mining network, since 2^64 trials is a trivial workload for classical hardware at that scale.
This conclusion rests on a critical error. The theoretical speedup from Grover’s algorithm does not translate to the massively parallelized attack these scenarios assume. Grover’s search is a chain of roughly 2^64 sequential iterations, each of which must evaluate a full reversible AES circuit on an error-corrected machine, orders of magnitude slower than one clock cycle of a mining ASIC. The chain cannot simply be divided across thousands of machines like a network of Bitcoin mining ASICs: splitting the key space over p quantum computers shortens each machine’s search only by a factor of the square root of p, so a million CRQCs would finish only about a thousand times faster than one, while the total work across them grows. The algorithm’s structure imposes these fundamental limits on parallelization, making a practical attack against AES 128 with a quantum computer infeasible. The security margin provided by 128-bit keys remains astronomically high, even in a post-quantum context.
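The two estimates above, the classical brute-force time against Bitcoin-scale hardware and the limited gain from parallelizing Grover’s search, can be reproduced with a short calculation. The following is an added worked example, not code from the article or from Valsorda; the hash rate, the per-iteration time of a hypothetical quantum machine, and the machine counts are constructed assumptions, and the square-root scaling of parallel Grover search is the standard result for splitting a search space across independent quantum searchers.

```python
import math

# Constructed assumptions (not figures taken from the article):
# Bitcoin network hash rate in hashes per second, used as a proxy for
# classical AES trials per second (one SHA-256 hash ~ one key trial).
BITCOIN_HASHES_PER_SEC = 1.2e21
# Hypothetical time for one Grover iteration (one reversible AES
# evaluation plus the diffusion step) on an error-corrected machine.
# One microsecond is deliberately generous to the attacker.
QUANTUM_ITERATION_SECONDS = 1e-6
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classical_bruteforce_years(key_bits, trials_per_sec=BITCOIN_HASHES_PER_SEC, machines=1):
    """Years to exhaust a 2^key_bits key space classically.

    Classical search parallelizes perfectly: p machines give a p-fold
    speedup, so the Bitcoin network counts as one big machine here.
    """
    trials = 2 ** key_bits
    return trials / (trials_per_sec * machines) / SECONDS_PER_YEAR


def grover_iterations(key_bits, machines=1):
    """Sequential Grover iterations each quantum machine must run.

    Grover's search over N = 2^key_bits items needs about (pi/4)*sqrt(N)
    sequential oracle calls. Splitting the space over p machines leaves
    each with N/p items, i.e. sqrt(N/p) iterations: p machines only buy a
    sqrt(p) speedup, not the p-fold speedup of classical search.
    """
    n = 2 ** key_bits
    return (math.pi / 4) * math.sqrt(n / machines)


def grover_wall_years(key_bits, iteration_seconds=QUANTUM_ITERATION_SECONDS, machines=1):
    """Wall-clock years for the parallel Grover attack to finish."""
    return grover_iterations(key_bits, machines) * iteration_seconds / SECONDS_PER_YEAR


def grover_total_work(key_bits, machines):
    """Total oracle evaluations summed over all machines.

    This grows with the machine count (sqrt(N)*sqrt(p)), so adding
    quantum computers makes the attack more expensive overall, unlike
    classical search where total work stays fixed at N.
    """
    return machines * grover_iterations(key_bits, machines)


def parallel_speedups(machines):
    """(classical speedup, Grover speedup) from using p machines instead of one."""
    return machines, math.sqrt(machines)


if __name__ == "__main__":
    print(f"classical, Bitcoin network: {classical_bruteforce_years(128):.2e} years")
    print(f"one CRQC, 1 us/iteration:   {grover_wall_years(128):.2e} years")
    print(f"one million CRQCs:          {grover_wall_years(128, machines=10**6):.2e} years")
    print(f"speedups from 1e6 machines (classical, Grover): {parallel_speedups(10**6)}")
```

With these assumptions the classical figure lands near nine billion years, matching the article’s estimate; a single quantum machine at one microsecond per iteration needs on the order of 450,000 years, and a million of them still need centuries, because the speedup is only the square root of the machine count.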
(Source: Ars Technica)
