Fbhchile

Why AES-128 Remains Secure Against Quantum Attacks

Debunks the myth that quantum computers break AES-128 via Grover's algorithm, explaining why parallelization limits prevent this and why AES-128 remains secure.

Fbhchile · 2026-05-02 17:32:40 · Finance & Crypto

As quantum computing advances, fears about its ability to break widely used encryption have mounted. Yet cryptography engineer Filippo Valsorda clarifies a persistent misconception: AES-128, the most common variant of the Advanced Encryption Standard, remains robust even in a post-quantum world. This Q&A debunks myths by explaining the algorithm's strength, the misinterpretation of Grover's algorithm, and why parallelization limitations prevent quantum computers from cracking AES-128 efficiently.

What Is AES-128 and Why Is It So Widely Used?

The Advanced Encryption Standard (AES) is a block cipher adopted by NIST in 2001. AES-128 refers to the version using a 128-bit key, while 192- and 256-bit variants also exist. AES-128 became the preferred choice because it offers an optimal balance between computational efficiency and security. With no known vulnerabilities discovered in over three decades, the only theoretical attack is a brute-force search through all possible keys. That means trying 2^128 (or about 3.4 × 10^38) combinations—a task so immense that even dedicating the entire Bitcoin mining network (as of 2026) would require roughly 9 billion years. This proven resilience makes AES-128 the backbone of secure communications today.

Why AES-128 Remains Secure Against Quantum Attacks
Source: feeds.arstechnica.com

How Does Grover's Algorithm Threaten AES?

Grover's algorithm is a quantum search method that can find a specific item in an unsorted database quadratically faster than classical algorithms. Some amateur cryptographers have misapplied it to claim that a cryptographically relevant quantum computer (CRQC) would halve AES-128's effective security from 128 bits to just 64 bits. If true, that would reduce the key search space to 2^64 possibilities—potentially allowing the Bitcoin mining network to break it in under a second. However, this comparison is purely illustrative and flawed because it assumes quantum computers can parallelize the work like classical ASICs, which they cannot.

Why Can't Quantum Computers Parallelize Grover's Algorithm?

The critical mistake in the Grover's algorithm threat scenario is the assumption that quantum computers can run multiple instances in parallel, similar to how Bitcoin ASICs split the search across thousands of chips. In reality, Grover's algorithm is inherently sequential: each iteration depends on the previous one, meaning you cannot simply divide the key space among many quantum processors. A CRQC would need to run the algorithm from start to finish on a single quantum computer. Even if a perfect CRQC existed, the number of sequential operations required would be astronomical—on the order of 2^64 steps. That's still many orders of magnitude beyond what current or near-future quantum systems can achieve. Without parallelization, the speedup that the Bitcoin comparison promises vanishes.
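The two preceding sections, on what Grover's algorithm does and on why its iterations are sequential, can be made concrete with a small exact simulation. The following Python is an added example and is not code from the article or from Filippo Valsorda; it simulates Grover's search over a toy key space with plain lists (no quantum library), so the dependency of each iteration on the previous state is visible in the loop itself, and it computes the sequential iteration count floor(pi/4 * sqrt(N)) for a real 128-bit key space. The function split_search goes one step beyond the text: it quantifies what happens if the key space is nevertheless sliced across many quantum machines, which is an assumption of the example rather than a claim the article makes, namely that each slice still needs roughly sqrt(slice size) sequential iterations, so the depth only falls by the square root of the machine count while the total work grows.

```python
import math


def optimal_iterations(n_candidates):
    """Sequential Grover iterations that maximise the hit probability: floor(pi/4 * sqrt(N))."""
    return math.floor(math.pi / 4 * math.sqrt(n_candidates))


def grover_search(n_bits, marked, iterations=None):
    """Exact statevector simulation of Grover's search over 2**n_bits candidate keys.

    Returns the probability of measuring `marked` after each iteration. The loop body
    is the point of the demonstration: iteration k+1 consumes the state produced by
    iteration k, so the iterations form a chain and cannot be run side by side.
    """
    n = 1 << n_bits
    amp = [1.0 / math.sqrt(n)] * n          # uniform superposition over every key
    if iterations is None:
        iterations = optimal_iterations(n)
    history = []
    for _ in range(iterations):
        amp[marked] = -amp[marked]          # oracle: phase-flip the correct key
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp] # diffusion: reflect every amplitude about the mean
        history.append(amp[marked] ** 2)    # probability that a measurement returns `marked`
    return history


def split_search(n_candidates, machines):
    """Hypothetical split of the key space into equal slices, one slice per quantum machine.

    Returns (sequential depth per machine, total Grover iterations summed over all machines).
    Assumption of this example: each machine runs an independent Grover search on its slice.
    """
    per_machine = n_candidates // machines
    depth = optimal_iterations(per_machine)
    return depth, depth * machines


if __name__ == "__main__":
    # Toy key space: 4-bit keys, constructed target key 5.
    probs = grover_search(4, marked=5)
    for k, p in enumerate(probs, start=1):
        print(f"after {k} sequential iteration(s): P(correct key) = {p:.4f}")

    # Full AES-128 key space: the sequential chain a single CRQC would have to execute.
    print("sequential iterations for a 128-bit key:", optimal_iterations(1 << 128))

    # Slicing the key space across 2**64 machines (Bitcoin-ASIC-style parallelism)
    # shortens the chain only to about 2**32 iterations while multiplying total work.
    depth, total = split_search(1 << 128, 1 << 64)
    print("depth per machine:", depth, "total iterations across machines:", total)
```

For the 4-bit toy space the probability of the correct key climbs 0.47, 0.91, 0.96 over three iterations, matching the closed form sin^2((2k+1) arcsin(1/sqrt(N))); for 2^128 keys the same formula gives about 1.45 × 10^19 iterations that must be executed one after another on one machine.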

What Does the Bitcoin Mining Comparison Really Show?

The comparison to Bitcoin mining resources is often used to illustrate how small 2^64 would be in a classical context. Indeed, if you could magically make 2^64 key guesses in parallel (as Bitcoin ASICs do for hashing), the search would complete almost instantly. But this analogy breaks down for quantum computing because Grover's algorithm cannot be parallelized. The Bitcoin network's massive parallelism is a classical strength, not a quantum one. The correct comparison is that a CRQC would need to run Grover's algorithm sequentially for an enormous number of steps, and no realistic CRQC can do that. The myth arises from ignoring this fundamental difference in how quantum searches operate.


Is There Any Scenario Where AES-128 Becomes Vulnerable to Quantum?

Currently, no practical vulnerability exists for AES-128, even against quantum computers. The theoretical threat from Grover's algorithm assumes a perfect CRQC that can execute 2^64 sequential operations—but building such a machine is far beyond known physics and engineering. Even if one were built, AES-256 would be even safer, halving to 128 bits of effective security. For AES-128, the quantum attack would still require an infeasible amount of time. Additionally, NIST's post-quantum cryptography standardization focuses on replacing public-key cryptosystems (like RSA and ECC), which are far more vulnerable to Shor's algorithm. Symmetric ciphers like AES are considered robust; doubling key size (e.g., AES-256) is a simple mitigation if needed.

What Should Organizations Do to Prepare for Quantum Threats?

For symmetric encryption like AES, the primary recommendation is to use key sizes of at least 256 bits when possible, though 128 bits remains safe for now. More urgently, organizations should focus on migrating from public-key cryptography (RSA, ECC) to post-quantum algorithms, as those are vulnerable to quantum attacks. NIST has already selected candidates (e.g., CRYSTALS-Kyber for key exchange). For existing AES-128 deployments, no immediate action is needed, but monitoring quantum computing progress is wise. The long-term strategy is to adopt hybrid systems that combine classical and post-quantum schemes, ensuring a smooth transition as quantum technology matures.

Why Does the Myth of AES-128's Death Persist?

The myth persists because Grover's algorithm is taught in introductory quantum computing courses as a neat result: it quadratically speeds up unstructured search. People then mechanically apply it to AES-128 without understanding the practical constraints—especially the lack of parallelization. Misleading articles and social media posts amplify the idea without critical analysis. Additionally, the Bitcoin mining analogy is intuitively compelling: if 2^64 is so easily crackable by classical hardware, surely quantum should do it faster. But the difference between parallel classical brute force and sequential quantum search is profound. Cryptography engineers like Filippo Valsorda repeatedly clarify that AES-128 remains secure, but the simplified narrative continues to spread, fueled by misunderstanding of quantum computing fundamentals.
