AES-128 remains secure against quantum computing threats, contrary to widespread belief
A cryptography engineer at Google clarifies that Grover's algorithm does not reduce AES-128 security by half as commonly claimed, directing post-quantum transition efforts toward asymmetric encryption instead.
- Filippo Valsorda published analysis arguing AES-128 provides adequate security even in a post-quantum computing environment, challenging the misconception that Grover's algorithm halves symmetric key strength
- The security reduction from Grover's algorithm is constrained by parallelization limits, resulting in an effective cost around 2^104 rather than the popularly cited 2^64
- NIST, German Federal Office for Information Security, and University of Waterloo researchers have endorsed AES-128 for post-quantum security, with NSA's 256-bit requirement being unrelated to quantum threats
- The focus on unnecessarily upgrading symmetric encryption diverts resources from critical work on post-quantum asymmetric algorithms vulnerable to Shor's algorithm
A widespread misconception about quantum computing's impact on cryptography is hampering preparation for the post-quantum era. The prevailing belief holds that quantum computers running Grover's algorithm would effectively halve the security strength of AES-128, reducing its 2^128 key space to a computationally manageable 2^64. Cryptography engineer Filippo Valsorda at Google has published detailed analysis arguing this interpretation misunderstands the fundamental mechanics of quantum parallelization.
The mathematical crux is how Grover's algorithm scales differently from classical brute force when the search is distributed across multiple processors. A classical attack parallelizes perfectly: the key space is divided evenly, so doubling the number of machines halves the time while the total work stays constant. Grover's algorithm, by contrast, gains its speedup only from a long sequence of dependent iterations on one machine, and splitting the search among p machines gives each a space of N/p keys that still takes about sqrt(N/p) sequential steps. The total work across all machines is then p * sqrt(N/p) = sqrt(p * N), so adding quantum computers to a Grover search increases the total work required, approaching the same 2^128 complexity as classical brute force as the search is maximally distributed.
Under realistic operational constraints, such as requiring the attack to complete within ten years, the effective cost of a quantum attack on AES-128 approaches 2^104, well above the 2^80 threshold conventionally considered secure. This analysis aligns with guidance from the National Institute of Standards and Technology, Germany's Federal Office for Information Security, and academic researchers including Samuel Jaques at the University of Waterloo.
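The scaling argument above can be made concrete with a small cost model. The following Python is an added example, not code from the article or from Valsorda's post; it counts only Grover iterations (ignoring per-iteration gate cost and error correction) and expresses everything in bits, so 128 means 2^128. The sequential depth budget of 2^24 iterations used in the table is an assumption chosen because it reproduces the 2^104 figure under this simplified model; the article itself does not state which depth budget it used.

```python
"""Work-versus-time scaling of brute-force key search: classical versus Grover.

Simplified model (added example, not the article's own analysis):
  - quantities are log2 values, so 128 means 2^128 keys, machines or steps
  - one Grover iteration is the unit of work; gate counts and error
    correction overhead are ignored
"""


def classical(n_bits: float, p_bits: float) -> tuple[float, float]:
    """Classical brute force over 2^n_bits keys on 2^p_bits machines.

    Returns (wall-clock time in bits, total work in bits).  Splitting the key
    space evenly divides time by the machine count; total work is unchanged,
    so doubling machines costs nothing extra.
    """
    p_bits = min(p_bits, n_bits)        # more machines than keys buys nothing
    time_bits = n_bits - p_bits
    work_bits = p_bits + time_bits      # always equals n_bits
    return time_bits, work_bits


def grover(n_bits: float, p_bits: float) -> tuple[float, float]:
    """Grover search over 2^n_bits keys on 2^p_bits quantum machines.

    Each machine searches its own slice of 2^(n-p) keys, which takes about
    2^((n-p)/2) sequential iterations.  Total work is p + (n-p)/2 = (n+p)/2
    bits: doubling the machine count shaves only half a bit off the time and
    adds half a bit of work, so parallelism is paid for twice.
    """
    p_bits = min(p_bits, n_bits)
    time_bits = (n_bits - p_bits) / 2
    work_bits = p_bits + time_bits
    return time_bits, work_bits


def grover_depth_limited(n_bits: float, depth_bits: float) -> float:
    """Cheapest Grover attack whose sequential depth per machine is at most
    2^depth_bits iterations.  Returns total work in bits.

    If one machine already finishes within the budget, the cost is the
    textbook n/2.  Otherwise the attacker must spread the search over
    2^(n - 2*depth) machines and the total work rises to n - depth bits.
    """
    if depth_bits >= n_bits / 2:
        return n_bits / 2
    p_bits = n_bits - 2 * depth_bits
    _, work_bits = grover(n_bits, p_bits)
    return work_bits


def scaling_table(n_bits: int, max_p_bits: int, step: int) -> list[tuple[int, float, float, float, float]]:
    """Rows of (machines, classical time, classical work, grover time, grover work)."""
    rows = []
    for p in range(0, max_p_bits + 1, step):
        ct, cw = classical(n_bits, p)
        gt, gw = grover(n_bits, p)
        rows.append((p, ct, cw, gt, gw))
    return rows


if __name__ == "__main__":
    print("AES-128 key search, all values are log2 (bits)")
    print(f"{'machines':>9} {'cls time':>9} {'cls work':>9} {'grv time':>9} {'grv work':>9}")
    for p, ct, cw, gt, gw in scaling_table(128, 128, 32):
        print(f"{p:>9} {ct:>9.1f} {cw:>9.1f} {gt:>9.1f} {gw:>9.1f}")
    # Assumed depth budget of 2^24 sequential iterations per machine; under
    # this model it yields the 2^104 total-work figure cited in the article.
    print(f"depth-limited Grover work, depth 2^24: 2^{grover_depth_limited(128, 24):.0f}")
```

Running the table shows the two curves crossing: classical work stays at 2^128 while Grover work climbs from 2^64 toward 2^128 as machines are added. The depth-limited function captures the practical point that an attacker who cannot wait for a single very long Grover run must buy the shortfall with parallelism, and parallelism is exactly what Grover charges for.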
The NSA's mandate for AES-256 in its Commercial National Security Algorithm Suite predates quantum computing concerns and reflects a policy choice to standardize on oversized primitives for consistency, not a quantum-specific requirement. Valsorda argues that treating unnecessary symmetric upgrades as essential post-quantum work misdirects engineering effort from the genuine priority: replacing asymmetric encryption schemes vulnerable to Shor's algorithm, whose exponential speedup breaks those schemes at any practical key size.