April 23, 2026

Filippo Valsorda cuts through the noise. In a post dated April 20, 2026, on his site words.filippo.io, he declares AES-128 safe against quantum computers. SHA-256 holds firm too. No need to double symmetric key sizes for the post-quantum era. This stance echoes NIST and BSI guidelines, yet clashes with voices urging a rush to AES-256.

Quantum threats split neatly. Shor’s algorithm guts asymmetric crypto—think ECDH, RSA, ECDSA. Those need post-quantum swaps like ML-KEM or ML-DSA. Symmetric ciphers? Grover’s algorithm looms. It promises a quadratic speedup for brute-force key searches. Popular lore says it halves security: 128 bits drop to 64. Double to 256 bits, then. But Valsorda calls that wrong. Dead wrong.

Grover searches an unstructured space of size N in roughly π/4 √N oracle calls. For AES-128, N=2^128, so √N=2^64 calls. Sounds dire. A single thread? Hundreds of thousands of years. Parallelize it, and costs balloon. Classical brute-force parallelizes perfectly—split the space, work drops linearly. Grover? Each parallel quantum machine runs a smaller instance. Speedup shrinks. Total work rises.

Take a 64-bit key classically. One CPU at 5 ns per try: 3,000 years. 65,536 CPUs, each tackling 2^48 keys: 16 days. Total operations unchanged at 2^64. Now Grover on 128 bits. Naive: 2^64 sequential ops. Split across 2^16 quantum rigs: each does 2^56, but the aggregate hits 2^72, up from 2^64. Unlike the classical case, total work rises. Parallelization fights back.

Recent optimizations help little. Liao and Luo in 2025 sliced the AES-128 Grover oracle to 232 T-gates deep, 724 qubits wide. Still, a 10-year attack at 1 µs gates demands 2^47 parallel circuits—140 trillion of them. Depth-width cost: 2^104.5 T-gates. Compare to Shor on 256-bit curves: 2^26 gates per Babbush et al. (2026). Grover’s 2^78.5 times pricier. Impractical.

NIST agrees. Their FAQ states: “it is quite likely that Grover’s algorithm will provide little or no advantage in attacking AES, and AES 128 will remain secure for decades to come.” Category 1 post-quantum secure. All 128-bit classical symmetric primitives qualify. BSI lists AES-128, -192, -256 for new systems. CNSA 2.0 pushes 256-bit levels—not quantum-driven, Valsorda notes, since it accepts AES-256 without halving panic.

But doubts persist. The Quantum Insider on April 6, 2026, via thequantuminsider.com, warns AES-128 falls to ~64-bit quantum security. Weak. Migrate to AES-256 for ~128 bits. Doubling keys restores strength. Fair point for caution. Yet it glosses Grover’s serial nature, error correction overhead—2^16 physical ops per logical T-gate—and decoherence. Classical Bitcoin mining hashes at 2^69 per second. 128 bits? Centuries away, per Reddit’s r/crypto threads from late 2024, extrapolated to 2083.

And X buzzes. Users like @Andrii02101943 affirm: SHA-256 drops to ~128 bits via Grover—still secure. Real quantum peril hits ECC, RSA. Solana’s Anza pushes BLS12-381 for 128-bit pairings, ditching weaker BN254. Ethereum eyes 128-bit zkEVM proofs by 2026, per CryptoSlate December 2025. Bitcoin devs mull BIP-361 to freeze quantum-vulnerable wallets, but symmetric hashes endure.

Valsorda urges focus. Ditch asymmetric vulns by 2035, per NIST IR 8547. Symmetric? Stick with AES-128. Unneeded changes breed churn, divert resources. Protocol tweaks handle multi-target collisions—TLS pairs AES-128-GCM fine. Experts like Samuel Jaques (2024 slides) concur: margins vast, optimizations marginal.

Crypto engineers face choices. AES-256 runs slower, more rounds. Resource-strapped IoT? AES-128 wins. Banks tout 128-bit SSL; Reddit cybersecurity threads deem it plenty, faster than 256. Protectstar’s April 2025 blog pegs both unbreakable classically—quantum halves but 2^128 stays huge.

Zalka nailed it in 1997: Grover demands serial oracles. Parallel dilutes. Grassl (2015), Jaques (2019) back the math. No breakthroughs since. Quantum hype sells. Reality? 128 bits hold. For now. And likely decades.

Industry insiders know. Post-quantum means asymmetric overhaul. Symmetric stays. Valsorda’s math demands attention amid the rush.

Quantum Hype Meets Hard Math: Why 128-Bit Keys Won’t Break Tomorrow first appeared on Web and IT News.
