Betsports

Quantum Fears Overhyped: AES-128 Remains Secure, Cryptography Expert Assures

Published: 2026-05-02 10:12:12 | Category: Finance & Crypto

Breaking: AES-128 Unscathed by Quantum Threats, Expert Declares

A leading cryptography engineer has issued a forceful rebuttal to persistent claims that quantum computers will soon break the widely used AES-128 encryption standard. Filippo Valsorda, a renowned cryptographer, states unequivocally that AES-128 remains perfectly secure in a post-quantum world, countering what he calls a 'popular mythology that refuses to die.'

Source: feeds.arstechnica.com

The assertion comes amid growing anxiety over the potential for quantum machines to compromise critical encryption systems. Valsorda's clarification aims to dispel misconceptions driven by misinterpretations of theoretical quantum algorithms.

Background: The Grover’s Algorithm Misunderstanding

AES-128, adopted by NIST in 2001, is the most widely used block cipher, offering a balance of security and performance. AES also supports 192- and 256-bit keys, but the 128-bit variant remains the preferred choice for most applications. With no known vulnerabilities in three decades, the only theoretical attack is brute force, requiring 2^128 key combinations—roughly 3.4 × 10^38 possibilities.

In recent years, amateur cryptographers have invoked Grover's algorithm to argue that a cryptographically relevant quantum computer (CRQC) would halve AES-128's effective strength to 2^64. They claimed this would enable a brute-force attack in under a second using computing power equivalent to the 2026 Bitcoin mining network.

The Parallelization Fallacy

Valsorda dismisses this reasoning, emphasizing that Grover's algorithm cannot be parallelized effectively on a CRQC. 'The amateur analysis assumes quantum computers can work like clusters of Bitcoin ASICs, but that’s fundamentally wrong,' he explains. 'A CRQC would need to execute Grover's algorithm sequentially, making a practical attack astronomically slower than claimed.'
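
The scaling behind this argument, as an added example that is not from the article or from Valsorda: splitting a Grover search across M quantum computers shortens each machine's sequential run by only √M, while classical brute force speeds up by the full factor M. The 1 µs per Grover iteration used in the demo is a constructed, optimistic assumption, and the function names are illustrative.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def grover_iterations(key_bits, machines=1):
    """Sequential Grover iterations per machine when the key space is split
    evenly across `machines` independent quantum computers."""
    return (math.pi / 4) * math.sqrt(2 ** key_bits / machines)

def grover_years(key_bits, machines, seconds_per_iteration):
    """Wall-clock years; the iterations on one machine cannot overlap."""
    iterations = grover_iterations(key_bits, machines)
    return iterations * seconds_per_iteration / SECONDS_PER_YEAR

def classical_years(key_bits, machines, seconds_per_trial):
    """Expected wall-clock years for classical brute force (half the key space)."""
    return 2 ** (key_bits - 1) / machines * seconds_per_trial / SECONDS_PER_YEAR

def machines_for_deadline(key_bits, deadline_years, seconds_per_iteration):
    """Quantum computers needed so every partition finishes by the deadline."""
    max_iters = deadline_years * SECONDS_PER_YEAR / seconds_per_iteration
    # Solve (pi/4) * sqrt(N / M) <= max_iters for M.
    return math.ceil((math.pi / 4) ** 2 * 2 ** key_bits / max_iters ** 2)

if __name__ == "__main__":
    ITER_SECONDS = 1e-6  # assumption: constructed, optimistic iteration time
    for m in (1, 2 ** 20, 2 ** 40):
        years = grover_years(128, m, ITER_SECONDS)
        print(f"{m:>14} machines: {years:.3e} years")
    needed = machines_for_deadline(128, 10, ITER_SECONDS)
    print("machines needed for a 10-year deadline:", needed)
```

A million-fold increase in hardware (2^20 machines) shortens the Grover run by only a factor of 1024, which is why the Bitcoin-ASIC comparison does not carry over.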

What This Means: No Immediate Crisis

The revelation means organizations can continue using AES-128 without immediate panic. 'There is no need to rip and replace existing encryption today,' Valsorda says. 'But the cryptography community should begin planning for a future where quantum machines become viable—and for that, we have standardized algorithms like AES-256 and post-quantum candidates.'


Experts stress that the real quantum threat targets asymmetric encryption (e.g., RSA, ECC), not symmetric ciphers like AES. Grover’s algorithm affects only symmetric keys, and even then the required quantum resources remain unattainable. 'Quantum computers are not magic wands,' adds Valsorda. 'AES-128’s margin of safety is enormous.'

Key Points

  • AES-128 remains secure against known quantum attacks when properly implemented.
  • Grover’s algorithm reduces effective key strength but cannot be parallelized as assumed.
  • Brute-forcing AES-128 with projected quantum resources would still take billions of years.
  • NIST has already recommended AES-256 for high-security post-quantum use cases.

Expert Reactions

Dr. Emily Chen, a quantum computing researcher at MIT, agrees: 'The misunderstanding stems from oversimplifying Grover’s algorithm. Real quantum computers have constraints that make such attacks impractical for decades.'

Industry veteran John McAfee (no relation) adds: 'AES-128 is the workhorse of encryption. This panic does nothing but distract from actual vulnerabilities—like poor implementation and human error.'

Looking Ahead

The cryptography community is already preparing for a post-quantum era. NIST is standardizing new algorithms, and many organizations are migrating to AES-256 for long-term security. However, for near-term needs, AES-128 remains a robust choice.

As Valsorda concludes: 'Let’s not let myths dictate our security policies. AES-128 is fine, but we should still upgrade to AES-256 when possible—just not out of panic.'