A detailed technical argument that AES-128 and other 128-bit symmetric keys remain secure against quantum computers, debunking the common misconception that Grover's algorithm halves symmetric key security. The key insight is that Grover's algorithm cannot be efficiently parallelized — splitting the search space across multiple quantum computers degrades the quadratic speedup, making a practical attack on AES-128 require 140 trillion quantum circuits running in parallel for a decade. This is 430 sextillion times more expensive than breaking 256-bit elliptic curves with Shor's algorithm. NIST, BSI, and academic experts all agree: no symmetric key sizes need to change as part of the post-quantum transition. The post also argues against unnecessary migration to 256-bit symmetric keys, warning it wastes resources needed for the genuinely urgent asymmetric cryptography transition.
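As an added illustration of the parallelization point (example code written here, not from the original post), the following Python computes the sequential depth and total work of Grover's search when the key space is split across several circuits, and the per-iteration time implied by the post's scenario of 140 trillion circuits running for a decade. The decade length and the dropped pi/4 constant factor are assumptions.

```python
import math

# Constructed approximation: ten 365-day years, in seconds.
DECADE_SECONDS = 10 * 365 * 86400


def grover_work(key_bits: int, machines: int = 1) -> dict:
    """Idealised cost of Grover's search over a 2**key_bits key space.

    One circuit needs about sqrt(2**key_bits) sequential oracle calls
    (the pi/4 constant factor is dropped here, an assumption). Giving
    each of `machines` circuits a slice of 2**key_bits / machines keys
    cuts the sequential depth only by sqrt(machines), so the total
    oracle calls across all circuits grow by sqrt(machines).
    """
    space = 2 ** key_bits
    depth = math.isqrt(space // machines)  # sequential iterations per circuit
    return {"depth": depth, "total": depth * machines}


def implied_iteration_seconds(key_bits: int, machines: int, wall_clock_seconds: float) -> float:
    """Time each sequential iteration may take if `machines` circuits
    must finish a key_bits-bit search within wall_clock_seconds."""
    return wall_clock_seconds / grover_work(key_bits, machines)["depth"]


def machines_for_deadline(key_bits: int, iteration_seconds: float, wall_clock_seconds: float) -> int:
    """Circuits needed to finish within wall_clock_seconds at a given
    iteration time. Depth must satisfy sqrt(2**key_bits / m) <= T/t,
    so m >= 2**key_bits / (T/t)**2: halving the deadline quadruples m."""
    max_depth = wall_clock_seconds / iteration_seconds
    return math.ceil(2 ** key_bits / max_depth ** 2)


if __name__ == "__main__":
    for m in (1, 4, 1_000_000):
        w = grover_work(128, m)
        print(f"{m:>9} circuits: depth 2^{math.log2(w['depth']):.1f}, "
              f"total 2^{math.log2(w['total']):.1f}")
    # The post's scenario: 140 trillion circuits running for a decade.
    t = implied_iteration_seconds(128, 140_000_000_000_000, DECADE_SECONDS)
    print(f"implied time per Grover iteration: {t * 1e3:.2f} ms")
    print("circuits to finish in one year instead:",
          f"{machines_for_deadline(128, t, DECADE_SECONDS / 10):.3e}")
```

Four circuits halve the wall-clock time but double the total work, which is why adding machines buys so little against Grover compared with a classically parallel brute-force search.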

From words.filippo.io (16 min read)
Table of contents
The Grover speedup
A comparison with Shor’s
NIST agrees
BSI agrees
Samuel Jaques agrees
Why not switch anyway, you know, to be safe?
What about CNSA 2.0?
Are 256-bit keys always useless?
The picture
