Baijing

Quantum Fears Overhyped: AES-128 Encryption Remains Unbroken, Expert Insists

Published: 2026-05-02 04:16:00 | Category: Finance & Crypto

A leading cryptography engineer is pushing back against persistent fears that quantum computers will soon break the widely used AES-128 encryption standard, calling the belief a dangerous myth that ignores fundamental physics.

“AES-128 is perfectly fine in a post-quantum world,” Filippo Valsorda, a renowned cryptography engineer, told reporters. “The supposed halving of its key strength to 2^64 via Grover’s algorithm ignores the critical fact that quantum computers cannot parallelize the attack in the way people assume.”

Valsorda’s statement comes as global attention intensifies on the existential threat quantum computing may pose to encryption. AES-128, the most common variant of the Advanced Encryption Standard adopted by NIST in 2001, has no known vulnerabilities in its 30-year history—making brute-force the only practical attack, with 2^128 possible key combinations.

Background

AES-128 uses a 128-bit key, providing 2^128 or approximately 3.4 × 10^38 possible combinations. To put that in perspective, a brute-force attack using the entire Bitcoin mining network as of 2026 would take about 9 billion years.

Source: feeds.arstechnica.com

The confusion began when amateur cryptographers and mathematicians applied Grover’s algorithm—a quantum search method—to AES, claiming it would halve the effective strength to just 2^64. This would, in theory, allow the same bitcoin-level resources to crack the key in under a second.

“The comparison is purely for illustration and flawed,” Valsorda explained. “Grover’s algorithm requires serial operations on a single quantum computer; it cannot be parallelized across thousands of ASIC miners. A cryptographically relevant quantum computer would need to run the algorithm sequentially, which is not how bitcoin mining works.”
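The parallelization point can be checked on a toy key space. The following is an added example, not code from the article or from Valsorda: it simulates Grover's search with a plain state vector, then splits the key space across several machines, which is the standard way to parallelize the algorithm. The toy size (2^12 keys), the machine counts, and all function names are assumptions chosen for illustration.

```python
import math

def grover_peak(n_items, target=0):
    """State-vector Grover search over n_items keys.
    Returns (iterations, success probability) at the first probability peak."""
    amp = [1 / math.sqrt(n_items)] * n_items      # uniform superposition
    iters, best = 0, amp[target] ** 2
    while True:
        amp[target] = -amp[target]                # oracle: flip the marked key's sign
        mean = sum(amp) / n_items
        amp = [2 * mean - a for a in amp]         # diffusion: inversion about the mean
        p = amp[target] ** 2
        if p <= best:                             # past the peak: more iterations hurt
            return iters, best
        iters, best = iters + 1, p

def quantum_cost(n_items, machines):
    """Partition the key space; each machine runs Grover on its own slice.
    Returns (sequential iterations per machine, total oracle calls)."""
    depth, _ = grover_peak(n_items // machines)
    return depth, depth * machines

def classical_cost(n_items, machines):
    """Worst-case exhaustive search: (sequential trials per machine, total trials)."""
    return n_items // machines, n_items

def aes128_grover_depth_log2(machines_log2):
    """log2 of sequential Grover iterations per machine for a 128-bit key,
    using depth ~ (pi/4) * sqrt(2^128 / K) with K = 2^machines_log2."""
    return math.log2(math.pi / 4) + (128 - machines_log2) / 2

if __name__ == "__main__":
    N, K = 2 ** 12, 16                            # constructed toy sizes
    print("classical 1 vs K machines:", classical_cost(N, 1), classical_cost(N, K))
    print("Grover    1 vs K machines:", quantum_cost(N, 1), quantum_cost(N, K))
    for k in (0, 20, 40):                         # assumed machine counts 2^k
        print(f"AES-128, 2^{k} machines: ~2^{aes128_grover_depth_log2(k):.1f} serial iterations each")
```

On the toy space, 16 machines cut the classical wall-clock time 16-fold, but cut Grover's sequential depth only about 4-fold (50 iterations down to 12) while nearly quadrupling the total oracle calls.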


What This Means

For organizations and governments, the message is clear: AES-128 remains secure for the foreseeable future. The widely circulated fear that quantum computers will render it obsolete is based on a misunderstanding of how quantum algorithms operate.

While post-quantum cryptography standards are being developed, the transition does not require immediate panic or replacement of existing AES-128 systems. The real vulnerability lies in public-key cryptography (like RSA and ECC), not symmetric ciphers like AES.

“We should focus quantum resistance efforts where they matter—on asymmetric cryptography,” Valsorda said. “AES-128 is not the problem.”

In summary, AES-128 remains the gold standard for symmetric encryption even in a post-quantum world, provided the underlying implementation is correct. The myth of its quantum demise stems from flawed parallelization assumptions that do not reflect actual quantum computing capabilities.