Quantum computers are not poised to tear through 128-bit symmetric keys the way internet doomsayers keep suggesting. The more realistic threat is narrower and more familiar: asymmetric systems such as RSA and ECDH are the ones that quantum algorithms target first, while AES-128 and SHA-256 stay in a much safer lane than the panic cycle implies.
That matters because the main question here is not whether quantum computers break encryption in the abstract, but whether AES-128 is suddenly obsolete. The answer is no: Grover’s algorithm can speed up brute-force search, but only quadratically, which is a very different problem from the exponential collapse that hits public-key cryptography.
The confusion comes from treating Grover’s algorithm like a magic “faster search” button. It does speed up brute-force search, but only quadratically on a single thread, which is a very different beast from the exponential collapse people often imagine. That distinction matters because symmetric cryptography is built on brute-force resistance, and a quadratic cut is painful, but not the same as making the lock fall off the door.
Grover’s algorithm is not an instant wipeout
In the source post, cryptography engineer Filippo Valsorda pushes back on the popular assumption that quantum computing automatically breaks all encryption. His argument is simple enough: Grover’s algorithm does not parallelize cleanly, so you do not get a neat “throw more qubits at it” scaling trick. That makes the usual post-quantum scare story a lot less dramatic for symmetric keys than for public-key systems.
That also tracks with how the industry has been planning. Public-key migration has already become the headline task for standards bodies and vendors, while symmetric ciphers are usually treated as a harder target that can be managed by longer keys and conservative design choices. In other words, the quantum story is real, but it is not evenly distributed.
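To make the parallelization point concrete, the following added example (not from Valsorda’s post or from this article) simulates Grover’s amplitude amplification on a toy 4096-entry keyspace and compares one machine with 16 machines that each search one slice. The function names, the keyspace size, the key index and the 0.9 success threshold are assumptions chosen for illustration.

```python
import math

def grover_iterations(n_items, marked, threshold=0.9):
    """Simulate Grover search for one marked index among n_items.

    Returns the number of sequential oracle calls needed before a
    measurement yields the marked index with probability >= threshold.
    """
    amp = [1.0 / math.sqrt(n_items)] * n_items   # uniform superposition
    limit = 2 * math.isqrt(n_items) + 2          # guard for tiny keyspaces
    for calls in range(limit + 1):
        if amp[marked] ** 2 >= threshold:
            return calls
        amp[marked] = -amp[marked]               # oracle: flip the marked sign
        mean = sum(amp) / n_items
        amp = [2.0 * mean - a for a in amp]      # diffusion: invert about mean
    raise ValueError("threshold not reached; keyspace too small")

def parallel_grover(n_items, machines, marked):
    """Split the keyspace into equal slices, one Grover run per machine.

    Every machine runs the same number of iterations; only the one whose
    slice holds the key succeeds. Returns (wall_clock_calls, total_calls).
    """
    slice_size = n_items // machines
    wall = grover_iterations(slice_size, marked % slice_size)
    return wall, wall * machines

def compare(n_items=4096, machines=16, marked=1234):
    """Constructed toy case: 12-bit keyspace, key index chosen arbitrarily."""
    single = grover_iterations(n_items, marked)
    wall, total = parallel_grover(n_items, machines, marked)
    return {
        "grover_single": single,
        "grover_wall_clock": wall,
        "grover_total_calls": total,
        "grover_speedup": single / wall,
        "classical_speedup": float(machines),  # worst case: n vs n/machines trials
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Sixteen machines cut the sequential oracle calls from 40 to 10, a 4x gain (the square root of 16), while total quantum work rises from 40 to 160 calls; a classical search split the same way gains the full 16x.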
Why AES-128 is still standing
AES-128 and SHA-256 are not suddenly obsolete just because quantum hardware exists in a lab or a headline. The article’s key point is that the threat model for symmetric cryptography is fundamentally different from the one faced by RSA, ECDH, and similar algorithms, which are vulnerable to Shor’s algorithm.
- Grover’s algorithm gives a quadratic, not exponential, speed-up for search.
- Symmetric systems do not get the same kind of parallel boost.
- Asymmetric cryptography is the part getting squeezed first.
And then there is the awkward hardware reality check: even Shor’s algorithm is still running into practical limits. The source notes that current quantum computers are not even able to factor 21 yet, which is a useful reminder that theoretical breakage and real-world breakage are still miles apart. The hype machine likes to skip that part.
The real near-term shift is public-key replacement
If there is a winner in the post-quantum scramble, it is symmetric encryption by default, simply because the immediate panic around it is overdone. The people who need to move first are the ones relying on public-key systems for key exchange, identity, and signatures. That migration is already underway in various forms, and it is where the engineering pain will land.
The bigger question is not whether quantum computers “break encryption” in the abstract. It is which parts of today’s cryptographic stack break first, and which parts can be stretched, hardened, or replaced without turning every secure system into a construction project. For now, 128-bit symmetric keys are not the weak link people think they are.

