Cryptography engineer Filippo Valsorda argues that AES-128 remains secure in a post-quantum world, debunking the widespread misconception that Grover's algorithm would reduce its effective security from 2^128 to 2^64 operations. The flaw in the popular argument is that Grover's algorithm cannot be parallelized the way a classical brute-force search can — a cryptographically relevant quantum computer (CRQC) cannot split the key space across many units and expect a proportional speed-up, because each Grover search is a long sequential chain of dependent iterations. With 2^128 possible keys, breaking AES-128 therefore still requires an astronomically infeasible effort, even accounting for advances in quantum computing.
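To make the parallelization point concrete, here is the standard cost comparison, added here as an illustration rather than taken from Valsorda's post, for a key space of $N = 2^{128}$ searched by $p$ identical machines (constant factors for the oracle cost are ignored):

$$
\begin{aligned}
\text{Classical brute force on } p \text{ machines:}\quad & T_{\mathrm{cl}} = \frac{N}{p}, \qquad W_{\mathrm{cl}} = p \cdot \frac{N}{p} = N \\[4pt]
\text{Grover on } p \text{ machines (each searches } N/p \text{ keys):}\quad & T_{\mathrm{Gr}} \approx \frac{\pi}{4}\sqrt{\frac{N}{p}} = \frac{\pi}{4}\cdot\frac{2^{64}}{\sqrt{p}}, \qquad W_{\mathrm{Gr}} = p \cdot \frac{\pi}{4}\sqrt{\frac{N}{p}} = \frac{\pi}{4}\sqrt{pN}
\end{aligned}
$$

Doubling the number of classical machines halves the time at no extra total work, whereas doubling the number of quantum machines cuts the time only by $\sqrt{2}$ and raises the total number of Grover iterations by $\sqrt{2}$; pushing the per-machine time down to $2^{40}$ iterations would require $p = 2^{48}$ quantum computers, each running a coherent sequential computation of that length.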