In the face of a widely discussed quantum threat, cryptography researcher Filippo Valsorda argues that AES-128 remains strong in a post-quantum world. While quantum computers threaten many public-key systems, symmetric keys like AES-128 do not lose security as dramatically as is often claimed.
He explains that the key difference lies in how brute-force searches behave classically versus with Grover’s algorithm. Grover’s algorithm offers a quadratic speedup, not an exponential one, so the security reduction from 128 bits to 64 bits is not as dire as some warnings suggest. When attackers must finish within realistic timeframes, parallelizing the quantum search does not trivially halve security, and the total work, under reasonable constraints, remains far beyond 2^64.
Experts, including Sophie Schmieg of Google, describe the cost in terms of core-seconds rather than simple key-length reductions. Schmieg highlights that even with quantum acceleration, AES-128 would require enormous resources, pushing the effective security well beyond the 128-bit target under practical scenarios.
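The argument in the two paragraphs above can be checked with a few lines of integer arithmetic. The Python below is an added illustration, not code from Valsorda's post or from this article: it compares the total work (the core-seconds view) of a classical and a Grover key search for AES-128 once each machine is limited to a fixed number of sequential steps. The per-machine budget of 2**40 steps is a constructed value chosen to show the scaling, not a measured figure.

```python
from math import isqrt

AES128_KEYSPACE = 1 << 128  # number of candidate AES-128 keys


def sequential_grover_iterations(keyspace: int) -> int:
    """Grover iterations for a single quantum computer searching the whole space.

    Grover needs on the order of sqrt(N) oracle calls (the pi/4 constant is
    dropped), which is where the headline "128 bits become 64 bits" comes from.
    """
    return isqrt(keyspace)


def machines_needed(keyspace: int, budget: int, quantum: bool) -> int:
    """Machines needed so that every machine finishes within `budget` steps.

    Classically, p machines each sweep N/p keys, so p = N/budget.
    With Grover, a machine searching a slice of N/p keys needs sqrt(N/p)
    iterations, so p = N/budget**2: the quadratic speedup shortens the
    wall-clock time of one machine, not the work summed over all machines.
    """
    divisor = budget * budget if quantum else budget
    return max(1, -(-keyspace // divisor))  # ceiling division


def total_work(keyspace: int, budget: int, quantum: bool) -> int:
    """Total steps across all machines, i.e. the attacker's real cost."""
    machines = machines_needed(keyspace, budget, quantum)
    slice_size = -(-keyspace // machines)
    per_machine = isqrt(slice_size) if quantum else slice_size
    return machines * per_machine


def effective_security_bits(keyspace: int, budget: int, quantum: bool) -> int:
    """log2 of the total work: the security level the attacker actually faces."""
    return total_work(keyspace, budget, quantum).bit_length() - 1


if __name__ == "__main__":
    budget = 1 << 40  # constructed per-machine step budget, for illustration only
    for quantum in (False, True):
        label = "Grover" if quantum else "classical"
        print(f"{label:9s} machines=2^{machines_needed(AES128_KEYSPACE, budget, quantum).bit_length() - 1}"
              f" total_work=2^{effective_security_bits(AES128_KEYSPACE, budget, quantum)}")
```

With the 2**40 budget the quantum attacker needs 2**48 machines and 2**88 total steps, against 2**128 classically; only an attacker allowed 2**64 sequential Grover iterations on one machine reaches the often-quoted 64-bit figure.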
NSA guidance remains nuanced: while some interpretations advocate AES-256 for very long-term confidentiality, the NSA’s Commercial National Security Algorithm Suite still references AES-256 as a design choice to avoid fragmentation across security levels. This is not a universal condemnation of AES-128, but a policy choice for certain threat models.
Overall, the message is pragmatic: prioritize transitioning to post-quantum asymmetric algorithms and secure key exchange, but preserve the strong, well-understood symmetric primitives like AES-128 for now. The consensus is that AES-128 is not broken, and the ongoing work should focus on the larger challenges posed by quantum-ready cryptography.