Quantum Computers Are Not a Threat to 128-Bit Symmetric Keys

Contrary to popular belief, symmetric algorithms like AES-128 remain secure against quantum threats. Technical analysis shows that Grover's algorithm cannot be parallelized effectively enough to break current security standards.
Quantum Computers Are Not a Threat to 128-bit Symmetric Keys
The advancing threat of cryptographically-relevant quantum computers has made it urgent to replace currently-deployed asymmetric cryptography primitives—key exchange (ECDH) and digital signatures (RSA, ECDSA, EdDSA)—which are vulnerable to Shor’s quantum algorithm. It does not, however, impact existing symmetric cryptography algorithms (AES, SHA-2, SHA-3) or their key sizes.
There’s a common misconception that quantum computers will “halve” the security of symmetric keys, requiring 256-bit keys for 128 bits of security. That is not an accurate interpretation of the speedup offered by quantum algorithms, it’s not reflected in any compliance mandate, and risks diverting energy and attention from actually necessary post-quantum transition work. The misconception is usually based on a misunderstanding of the applicability of a different quantum algorithm, Grover’s.
AES-128 is safe against quantum computers. SHA-256 is safe against quantum computers. No symmetric key sizes have to change as part of the post-quantum transition. This is a near-consensus opinion amongst experts and standardization bodies and it needs to propagate to the rest of the IT community.
The Grover speedup
Grover’s is a quantum algorithm that allows searching an input space of size N of an unstructured function f for the “right answer” in invocations of f.
This is commonly interpreted to mean that Grover’s algorithm can find an AES-128 key in square root time. That is not the case in practice, because running such an attack as a single sequential thread would take hundreds of thousands of years, and parallelizing it makes its total cost grow.
A few important things to understand about Grover’s algorithm:
- The function oracle f must be implemented as part of the quantum circuit.
- The oracle invocations have to happen one after the other in series.
- Importantly, there is no better way to parallelize the attack than to partition the search space (Zalka, 1997).
Unlike regular bruteforce attacks, which are “embarrassingly parallel,” partitioning the search space degrades the Grover quadratic speedup.
Running the numbers
To decide if it’s still a threat we need to run the numbers with concrete orders of magnitude. Let's assume a fast-clock quantum architecture where a gate takes 1 µs. If we run the attack for a decade, that gives us a maximum sequence of gates (depth) of $3 \times 10^{14}$.
Liao and Luo (2025) provide a highly optimized Grover oracle for AES-128 with a depth of 232 T-gates and a circuit width of 724 logical qubits.
This means we’ll need 140 trillion quantum circuits of 724 logical qubits each operating in parallel for 10 years to break AES-128 with Grover’s.
Unlike Shor’s algorithm instantiations, which have been getting better over the years, there aren’t many terms in the Grover formula that can improve. There is probably little space left for improvement in the AES-128 Grover oracle depth.
A comparison with Shor’s
Breaking AES-128 with Grover is 430,000,000,000,000,000,000,000 times more expensive than breaking 256-bit elliptic curves with Shor’s algorithm.
NIST agrees
The U.S. National Institute of Standards and Technology (NIST) not only considers AES-128 to be safe, but made it the benchmark for the security of post-quantum primitives. AES-128 is by definition a Category 1 post-quantum algorithm.
NIST refers to the same observations explained above, noting that Grover’s algorithm requires a long-running serial computation, which is difficult to implement in practice. In a realistic attack, one has to run many smaller instances of the algorithm in parallel, which makes the quantum speedup less dramatic.
NIST’s existing standards in symmetric cryptography — including hash functions, block ciphers, and KDFs — are significantly less vulnerable to known quantum attacks than public-key cryptography standards.
Source: Hacker News















