215111 Stack

2026-05-04 12:30:54

AES-128 Encryption Remains Secure Against Quantum Threats, Expert Asserts

Cryptography expert Filippo Valsorda confirms AES-128 remains secure after quantum computers, debunking Grover's algorithm panic due to parallelization limits.

Breaking: Cryptography Expert Reaffirms AES-128 Resilience in Quantum Era

In a decisive statement that counters growing online misinformation, cryptography engineer Filippo Valsorda has declared that AES-128 – the most widely deployed encryption standard – remains fully secure even after the arrival of quantum computers. “Contrary to popular mythology that refuses to die, AES 128 is perfectly fine in a post-quantum world,” Valsorda said in a technical briefing released today.

AES-128 Encryption Remains Secure Against Quantum Threats, Expert Asserts
Source: feeds.arstechnica.com

The assertion directly challenges amateur cryptographers and mathematicians who have repeatedly claimed that a cryptographically relevant quantum computer (CRQC) would instantly crack AES-128. Their reasoning relies on Grover’s algorithm, which mathematically halves the effective key strength from 128 bits to 64 bits.

The Flaw in Grover’s Argument

Valsorda, a noted cryptography engineer known for his work on Go and Cloudflare, explained that the amateur analysis ignores a fundamental constraint: parallelization. “CRQCs cannot run Grover’s algorithm in parallel like bitcoin ASICs do for hash-based brute force. The common comparison to bitcoin mining is purely illustrative and deeply misleading,” he stated.

If a CRQC could magically parallelize, the estimated 2^64 operations would indeed allow the entire bitcoin mining network (as of 2026) to break AES-128 in under a second. But that scenario is impossible under known physics and engineering constraints. The actual time for a single Grover’s search remains astronomically high – still requiring billions of years even with quantum advantages.

AES-128 Security by the Numbers

AES-128, formally adopted by NIST in 2001, has no known structural vulnerabilities. The only published attack path is brute force through all 2^128 (about 3.4 × 10^38) possible key values. Using the entire bitcoin mining hash rate as a comparison, a classical brute force would need 9 billion years to exhaust the keyspace.

“This isn’t about quantum computing being a myth – it’s about understanding what quantum computers can and cannot do,” Valsorda emphasized. “Grover’s algorithm is real, but its application to symmetric encryption like AES requires a single serial chain of operations. You can’t speed it up by throwing more qubits at it.”

Background: The Long-Standing AES Standard

The Advanced Encryption Standard (AES) was developed in the late 1990s and adopted by the U.S. government in 2001. It supports key sizes of 128, 192, and 256 bits. AES-128 became the preferred version due to its balance of security and performance.


Over the past decade, as quantum computing research accelerated, a wave of sensational claims emerged that quantum computers would instantly obsolete all current encryption. These claims often cited Grover’s algorithm but omitted the critical constraint that quantum algorithms cannot be parallelized in the same way classical ones can.
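The parallelization constraint can be made concrete with the textbook Grover iteration count, (π/4)·√N for N keys. The following is an added example, not code from the article or from Valsorda's briefing: it splits the AES-128 keyspace evenly across M machines (the machine counts are constructed) and compares the classical speedup, which is M, with the Grover speedup, which is only √M.

```python
import math

def classical_trials(key_bits: int, machines: int) -> float:
    """Worst-case sequential key trials per machine, keyspace split evenly."""
    return 2.0**key_bits / machines

def grover_iterations(key_bits: int, machines: int) -> float:
    """Sequential Grover iterations per machine on its 1/M slice of the keyspace.

    Uses the textbook count (pi/4) * sqrt(N) for a search space of N keys.
    """
    return (math.pi / 4) * math.sqrt(2.0**key_bits / machines)

def speedup(per_machine, key_bits: int, machines: int) -> float:
    """Wall-clock speedup from M machines relative to a single machine."""
    return per_machine(key_bits, 1) / per_machine(key_bits, machines)

def grover_total_work(key_bits: int, machines: int) -> float:
    """Total iterations summed over all machines; grows as sqrt(M)."""
    return machines * grover_iterations(key_bits, machines)

def grover_machines_for_depth(key_bits: int, max_iterations: float) -> float:
    """Quantum machines needed so no single run exceeds max_iterations."""
    return (grover_iterations(key_bits, 1) / max_iterations) ** 2

if __name__ == "__main__":
    bits = 128  # AES-128
    print(f"serial Grover iterations: 2^{math.log2(grover_iterations(bits, 1)):.2f}")
    for exp in (0, 10, 20, 40):  # constructed machine counts, 2^exp
        m = 2**exp
        print(f"M=2^{exp:<2} classical x{speedup(classical_trials, bits, m):.3g} "
              f"grover x{speedup(grover_iterations, bits, m):.3g} "
              f"grover work 2^{math.log2(grover_total_work(bits, m)):.2f}")
```

Cutting the serial depth of a Grover search by a factor k therefore takes k² quantum machines, where a classical search needs only k.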

NIST has been actively developing post-quantum cryptographic standards, but those focus on asymmetric (public-key) systems like RSA and ECC, which are genuinely vulnerable to Shor’s algorithm. Symmetric ciphers like AES are considered much more resistant – and Valsorda’s analysis confirms that AES-128 remains safe.

What This Means

For organizations and individuals currently using AES-128 encryption – including most HTTPS traffic, wireless networks, and file storage – no immediate upgrade is required. The security community can focus on transitioning asymmetric algorithms while symmetric encryption remains robust.

“The panic around AES-128 is a distraction from real quantum threats to public-key cryptography,” Valsorda said. “We should invest our energy in migrating to post-quantum asymmetric standards, not in spreading FUD about symmetric ciphers that will serve us well for decades.”

This clarity should help IT teams prioritize upgrades without unnecessary costs or complexity. Enterprises can continue relying on AES-128 for data at rest and in transit while planning for eventual quantum-ready protocols for public-key exchanges.

Bottom line: AES-128 is not broken, not weakened, and not obsolete. The myth that quantum computers destroy AES-128 is itself due for retirement.
