Contrary to popular mythology, AES-128 is perfectly fine in a post-quantum world, according to the debate spurred by cryptography engineer Filippo Valsorda. The piece explains that AES-128 remains widely used and that, with Grover's algorithm, its security would not simply drop to 2^64; even with quantum acceleration, the effective strength stays far beyond a single qubit's reach.
It notes there are 2^128 (about 3.4 x 10^38) possible keys, and that a brute-force attack would take about 9 billion years using the entire Bitcoin mining capacity as of 2026. The article also highlights that Grover's algorithm parallelizes poorly, so its speedup over classical search shrinks as the number of cores increases, making the practical impact of quantum speedups more complex than a simple halving of the security level.
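The following is an added worked calculation, not code from the original article or from Valsorda, that makes the scaling argument above concrete: it counts the AES-128 key space, applies the textbook Grover cost of roughly sqrt(M) iterations to search M candidates, and compares classical and Grover search when the work is split across p machines. The Bitcoin hash rate used in the year estimate is an assumed round figure, and the estimate assumes one AES key trial costs about as much as one hash.

```python
import math

KEY_BITS = 128
KEY_SPACE = 1 << KEY_BITS          # 2**128 possible AES-128 keys (~3.4e38)
SECONDS_PER_YEAR = 365.25 * 86400


def classical_queries(keyspace: int, machines: int) -> int:
    """Worst-case key trials per machine when the key space is split evenly."""
    return -(-keyspace // machines)   # ceiling division


def grover_queries(keyspace: int, machines: int) -> int:
    """Grover iterations per machine: ~sqrt(slice) to search a slice of the space.

    Each machine searches keyspace/machines candidates, so the per-machine
    cost falls only as sqrt(1/machines), not as 1/machines.
    """
    slice_size = -(-keyspace // machines)
    return math.isqrt(slice_size)


def grover_speedup(keyspace: int, machines: int) -> int:
    """Ratio of classical to Grover per-machine cost at a given parallelism."""
    return classical_queries(keyspace, machines) // grover_queries(keyspace, machines)


def security_bits(total_work: int) -> float:
    """Express a total amount of work as an equivalent 'bits of security'."""
    return math.log2(total_work)


def scaling_table(keyspace: int, machine_counts):
    """For each machine count, report per-machine cost, total work and speedup.

    Total classical work stays at keyspace regardless of p, while total Grover
    work grows as sqrt(keyspace * p): parallelism is paid for twice.
    """
    rows = []
    for p in machine_counts:
        c = classical_queries(keyspace, p)
        g = grover_queries(keyspace, p)
        rows.append({
            "machines": p,
            "classical_per_machine": c,
            "grover_per_machine": g,
            "classical_total_bits": security_bits(c * p),
            "grover_total_bits": security_bits(g * p),
            "speedup": grover_speedup(keyspace, p),
        })
    return rows


def brute_force_years(keyspace: int, trials_per_second: float) -> float:
    """Years to exhaust the key space at a given classical trial rate."""
    return keyspace / (trials_per_second * SECONDS_PER_YEAR)


if __name__ == "__main__":
    # Assumed (not measured) figure: ~1e21 hashes/s for the whole Bitcoin network.
    ASSUMED_BITCOIN_HASHRATE = 1e21
    print(f"Classical exhaustion at {ASSUMED_BITCOIN_HASHRATE:.0e} trials/s: "
          f"{brute_force_years(KEY_SPACE, ASSUMED_BITCOIN_HASHRATE):.2e} years")
    for row in scaling_table(KEY_SPACE, [1, 1 << 10, 1 << 20, 1 << 30]):
        print(f"p=2^{row['machines'].bit_length() - 1:<3} "
              f"classical total 2^{row['classical_total_bits']:.0f}  "
              f"grover total 2^{row['grover_total_bits']:.0f}  "
              f"speedup 2^{math.log2(row['speedup']):.0f}")
```

Running it shows the point the article makes: with one machine Grover's advantage is 2^64, but with 2^20 machines the per-machine advantage is only 2^54 and the total Grover work has risen from 2^64 to 2^74, whereas the total classical work is 2^128 no matter how the job is split.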
It points to sources backing AES’s continued suitability, while acknowledging the NSA’s version 2 of the Commercial National Security Algorithm Suite, which mandates AES-256 in certain cases.