Breaking News — Despite persistent rumors that quantum computers will soon break the most widely used encryption standard, AES-128 is not in danger. Cryptography engineer Filippo Valsorda has unequivocally stated that the algorithm remains robust in a post-quantum world, debunking a popular misconception that has fueled unnecessary alarm.
“AES-128 is perfectly fine. The security claims that it gets halved to 2^64 due to Grover’s algorithm are based on an unrealistic parallelization assumption,” Valsorda said in a statement to the press.
The erroneous belief stems from a misinterpretation of Grover’s algorithm, which in theory could reduce the effective key size of AES-128 from 128 bits to 64 bits. However, this theoretical gain assumes that a cryptographically relevant quantum computer (CRQC) can operate as a massively parallel machine—something that is physically implausible.
Read background on AES-128 | What this means for industry
Background: The Unbroken Standard
AES-128 is the most common variant of the Advanced Encryption Standard, adopted by NIST in 2001. It uses a 128-bit key, balancing computational efficiency with high security. NIST also specifies 192- and 256-bit versions, but AES-128 remains the preferred choice for most applications due to its performance and proven track record.
In three decades of existence, no practical vulnerability has been discovered in AES-128. The only known attack is brute force, which requires trying all 2^128 possible keys—approximately 3.4 × 10^38 combinations. Using the entire Bitcoin mining network (as of 2026) would take roughly 9 billion years to crack a single key.
What This Means
The continued assurance from experts like Valsorda means that organizations need not rush to replace AES-128 in their systems. While other encryption algorithms—such as RSA and ECC—are indeed threatened by quantum computers, symmetric ciphers like AES are far less vulnerable.
“We should focus resources on upgrading public-key cryptography, not on abandoning AES-128. The myth that it’s broken is distracting and wasteful,” Valsorda added. The security community now has clear guidance: AES-128 remains a reliable workhorse for data-at-rest and in-transit encryption for the foreseeable future.