Quantum Fears Overhyped: AES-128 Encryption Remains Unbroken, Expert Insists

<p>A leading cryptography engineer is pushing back against persistent fears that quantum computers will soon break the widely used AES-128 encryption standard, calling the belief a dangerous myth that ignores fundamental physics.</p>

<p><em>“AES-128 is perfectly fine in a post-quantum world,”</em> Filippo Valsorda, a renowned cryptography engineer, told reporters. <em>“The supposed halving of its key strength to 2^64 via Grover’s algorithm ignores the critical fact that quantum computers cannot parallelize the attack in the way people assume.”</em></p>

<p>Valsorda’s statement comes as global attention intensifies on the existential threat quantum computing may pose to encryption. AES-128, the most common variant of the Advanced Encryption Standard adopted by NIST in 2001, has no known vulnerabilities in its 30-year history—making brute-force the only practical attack, with 2^128 possible key combinations.</p>

<h2 id="background">Background</h2>

<p>AES-128 uses a 128-bit key, providing 2^128 or approximately 3.4 × 10^38 possible combinations. To put that in perspective, using the entire bitcoin mining network as of 2026, a brute-force attack would take about 9 billion years.</p>

<figure style="margin:20px 0"><img src="https://cdn.arstechnica.net/wp-content/uploads/2026/04/quantum-encryption-1152x648.jpg" alt="Quantum Fears Overhyped: AES-128 Encryption Remains Unbroken, Expert Insists" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.arstechnica.com</figcaption></figure>

<p>The confusion began when amateur cryptographers and mathematicians applied Grover’s algorithm—a quantum search method—to AES, claiming it would halve the effective strength to just 2^64. This would, in theory, allow the same bitcoin-level resources to crack the key in under a second.</p>

<p><em>“The comparison is purely for illustration and flawed,”</em> Valsorda explained. <em>“Grover’s algorithm requires serial operations on a single quantum computer; it cannot be parallelized across thousands of ASIC miners. A cryptographically relevant quantum computer would need to run the algorithm sequentially, which is not how bitcoin mining works.”</em></p>

<h2 id="what-this-means">What This Means</h2>

<p>For organizations and governments, the message is clear: AES-128 remains secure for the foreseeable future. The widely circulated fear that quantum computers will render it obsolete is based on a misunderstanding of how quantum algorithms operate.</p>

<p>While post-quantum cryptography standards are being developed, the transition does not require immediate panic or replacement of existing AES-128 systems. The real vulnerability lies in public-key cryptography (like RSA and ECC), not symmetric ciphers like AES.</p>

<p><em>“We should focus quantum resistance efforts where they matter—on asymmetric cryptography,”</em> Valsorda said. <em>“AES-128 is not the problem.”</em></p>

<p>In summary, AES-128 remains the gold standard for symmetric encryption even in a post-quantum world, provided the underlying implementation is correct. The myth of its quantum demise stems from flawed parallelization assumptions that do not reflect actual quantum computing capabilities.</p>
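<p>The parallelization point in the Background section can be made concrete with a small cost model. The Python below is an added example written for this page, not code from the article or from Valsorda; it treats an exhaustive classical key search as perfectly divisible across workers (each tries its own slice of the key space), while Grover's search on a slice of N/p keys still needs about sqrt(N/p) serial oracle queries on each of the p quantum machines. The hash rate passed to <code>years_to_exhaust</code> is a constructed round figure for illustration, not the article's 2026 estimate.</p>

```python
import math

# AES-128 key space: stated on the page (2^128 possible keys).
AES128_KEYSPACE = 2 ** 128

def classical_serial_steps(keyspace: int, workers: int) -> int:
    """Worst-case serial key trials per worker when an exhaustive search is
    split evenly across `workers` classical machines (e.g. ASIC miners).
    Wall-clock cost falls linearly with the number of workers."""
    return keyspace // workers

def grover_serial_steps(keyspace: int, machines: int) -> int:
    """Serial Grover iterations per quantum machine when the key space is
    split across `machines` independent quantum computers.  Each machine
    searches keyspace/machines keys and still needs ~sqrt of that many
    serial oracle queries; isqrt is exact for power-of-two inputs."""
    return math.isqrt(keyspace // machines)

def grover_total_work(keyspace: int, machines: int) -> int:
    """Total Grover iterations summed over all machines: p * sqrt(N/p) =
    sqrt(N*p).  Unlike the classical case, total work *grows* with p, which
    is why Grover cannot be parallelized the way brute force can."""
    return machines * grover_serial_steps(keyspace, machines)

def quantum_machines_for_speedup(factor: int) -> int:
    """Number of quantum machines needed to cut Grover's wall-clock time by
    `factor` (time scales as 1/sqrt(p), so p must be factor^2).  A classical
    search needs only `factor` workers for the same speedup."""
    return factor ** 2

def years_to_exhaust(steps: int, steps_per_second: float) -> float:
    """Convert a serial step count into years at an assumed throughput."""
    seconds_per_year = 365.25 * 24 * 3600
    return steps / steps_per_second / seconds_per_year

if __name__ == "__main__":
    # Constructed throughput for illustration (assumption, ~1e21 hashes/s).
    ASSUMED_NETWORK_RATE = 1e21
    print("single-machine Grover serial steps: 2^%d"
          % grover_serial_steps(AES128_KEYSPACE, 1).bit_length() - 1)
    for p in (1, 2 ** 20, 2 ** 40):
        print("machines=2^%-3d classical serial=2^%d  grover serial=2^%d  grover total=2^%d" % (
            p.bit_length() - 1,
            classical_serial_steps(AES128_KEYSPACE, p).bit_length() - 1,
            grover_serial_steps(AES128_KEYSPACE, p).bit_length() - 1,
            grover_total_work(AES128_KEYSPACE, p).bit_length() - 1))
    print("classical years at assumed rate: %.2e"
          % years_to_exhaust(AES128_KEYSPACE, ASSUMED_NETWORK_RATE))
```

<p>Running it shows the asymmetry the article describes: with 2^40 machines a classical search drops to 2^88 serial trials per worker, while Grover drops only to 2^44 serial iterations per machine and the total quantum work rises to 2^84. The headline "2^64" figure is the single-machine serial cost, and the only way to reduce that wall-clock time is to square the machine count.</p>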