Quantum Computers Are Not a Threat to 128-bit Symmetric Keys

The advancing threat of cryptographically-relevant quantum computers has made it urgent to replace currently-deployed asymmetric cryptography primitives—key exchange (ECDH) and digital signatures (RSA, ECDSA, EdDSA)—which are vulnerable to Shor’s quantum algorithm. It does not, however, impact existing symmetric cryptography algorithms (AES, SHA-2, SHA-3) or their key sizes. There’s a common misconception that quantum computers will “halve” the security of symmetric keys, requiring 256-bit keys for 128 bits of security. That is not an accurate interpretation of the speedup offered by quantum algorithms, it’s not reflected in any compliance mandate, and risks diverting energy and attention from actually necessary post-quantum transition work. The misconception is usually based on a misunderstanding of the applicability of a different quantum algorithm, Grover’s. AES-128 is safe against quantum computers. SHA-256 is safe against quantum computers. No symmetric key sizes have to change as part of the post-quantum transition. This is a near-consensus opinion amongst experts and standardization bodies and it needs to propagate to the rest of the IT community. The rest of this article backs up this claim both technically and with references to relevant authorities. The Grover speedup Grover’s is a quantum algorithm that allows searching an input space of size N of an unstructured function f for the “right answer” in π/4×N\pi / 4 \times \sqrt{N} invocations of f. This is commonly interpreted to mean that Grover’s algorithm can find an AES-128 key in 2642^{64} “time.” That is not the case in practice, because running such an attack as a single sequential thread would take hundreds of thousands of years, and parallelizing it makes its total cost grow. A few important things to understand about Grover’s algorithm:

the function oracle f must be implemented as part of the quantum circuit; the oracle invocations have to happen one after the other in series; importantly, there is no better way to parallelize the attack than to partition the search space (Zalka, 1997).

Why does the last point matter? Because unlike regular bruteforce attacks, which are “embarrassingly parallel,” partitioning the search space degrades the Grover quadratic speedup. Consider a classical bruteforce of a 64-bit key, where each attempt takes 5 ns (~ 16 cycles at 3 GHz). Running that on a single CPU would take nearly

264×5 ns≈3,000 years. 2^{64} \times 5 \text{ ns} \approx 3{,}000 \text{ years}.

So we parallelize it across

216=65,536 CPUs 2^{16} = 65{,}536 \text{ CPUs}

each exploring

2(64−16)=248 keys 2^{(64 - 16)} = 2^{48} \text{ keys}

in a little over

248×5 ns≈16 days. 2^{48} \times 5 \text{ ns} \approx 16 \text{ days}.

Note how the total amount of work done across the system

216×248=264 2^{16} \times 2^{48} = 2^{64}

has not changed. This is why we consider 64-bit keys weak: because they can be searched in parallel efficiently. If the attack had to be sequential, there would be no risk.1 Let’s try the same with a Grover attack on 128-bit keys. Again, running

2128=264 \sqrt{2^{128}} = 2^{64}

operations in a row is infeasible, so we again parallelize the attack across 2162^{16} quantum computers, each exploring

2(128−16)=2112 keys.

2^{(128 - 16)} = 2^{112} \text{ keys}.

Each instance will need to do

2128/216=256 work. \sqrt{2^{128} / 2^{16}} = 2^{56} \text{ work}.

Notice how that’s not 2482^{48}! A 2162^{16} search space reduction factor inside a square root only saves 282^{8} of work per instance, whereas classically it saves the full 2162^{16}. The total amount of work across the system went up from 2642^{64} to

256×216=272 2^{56} \times 2^{16} = 2^{72}

because we parallelized the attack, diluting the quadratic speedup in the process. Running the numbers That gives us the intuition for why Grover’s algorithm doesn’t parallelize. To decide if it’s still a threat we need to run the numbers with concrete orders of magnitude. First, we need to establish how many operations, or gates, in a row we can perform. To be conservative, let’s say that we have a fast-clock quantum architecture like superconducting qubits, and that a gate takes 1 µs.2 If we are willing to keep the attack running (with no power outage or loss of fidelity!) for a decade, that gives us a maximum sequence of gates or “depth” of

10 years/1 µs≈248 10 \text{ years} / 1 \text{ µs} \approx 2^{48}

Next, we need to know how many sequential gates it takes to compute AES-128 inside the quantum circuit.

Liao and Luo (2025) provide a highly optimized Grover oracle for AES-128 with a depth of 232 T-gates (and a circuit “width” of 724, which is roughly speaking the number of logical qubits operating in parallel). Now we can solve for the lowest parallelization factor that will keep each instance within a maximum depth of 2482^{48} (i.e. completing in a decade on these hypothetical fast and perfect quantum computers).

π/4×2128/x×232=248 \pi / 4 \times \sqrt{2^{128} / x} \times 232 = 2^{48}

x≈247 x \approx 2^{47}

This means we’ll need 140 trillion quantum circuits of 724 logical qubits each operating in parallel for 10 years to break AES-128 with Grover’s. Another way to measure the cost of that attack is its DW cost, the depth × width product, roughly equivalent to discussing the product of cycles and cores for classical computation.

π/4×2128/247×232×724×247≈2104.5 \pi / 4 \times \sqrt{2^{128} / 2^{47}} \times 232 \times 724 \times 2^{47} \approx 2^{104.5}

Note that unlike Shor’s algorithm instantiations (and quantum error correction) which have been getting drastically better over the years, there aren’t many terms in that formula that can improve. The only two that are open to optimization are the AES-128 Grover oracle depth (232) and width (724), but they contribute only 17 bits to the total cost, and there is probably little space left for improvement. Liao and Luo (2025) shaved 7.5 bits off the very first estimate by Grassl et al. (

2015) and 1.5 bits off the earliest Grover-specific estimate of Jaques et al. (2019). A comparison with Shor’s Speaking of Shor’s, how does this compare with the recently discussed quantum attacks against 256-bit elliptic curves? After all, there are people who believe or believed those to be infeasible, too, but I’ve been arguing to take them seriously. Babbush et al. (2026) claim a Shor’s execution in

70M≈226 gates 70\text{M} \approx 2^{26} \text{ gates}

which would take minutes on an architecture with “fast” gate time of 10 µs (which is 10 times slower than what we conservatively assumed above).

2104.5/226=278.5 2^{104.5} / 2^{26} = 2^{78.5}

Breaking AES-128 with Grover is 430,000,000,000,000,000,000,000 times more expensive than breaking 256-bit elliptic curves with Shor’s. NIST agrees The U.S. National Institute of Standards and Technology (NIST) is the standardization body that ran the international competition for post-quantum cryptography and wrote the ML-KEM and ML-DSA specification documents. NIST not only considers AES-128 to be safe, but made it the benchmark for the security of post-quantum primitives. AES-128 is by definition a Category 13 post-quantum algorithm. In justifying the use of AES-128, NIST refers to the same observations we explained above, and introduces the concept of MAXDEPTH which is exactly the maximum serial computation that forces parallelization and limits Grover’s quadratic speedup.

It is worth noting that the security categories based on these reference primitives provide substantially more quantum security than a naïve analysis might suggest.

For example, categories 1, 3 and 5 are defined in terms of block ciphers, which can be broken using Grover’s algorithm, with a quadratic quantum speedup. But Grover’s algorithm requires a long-running serial computation, which is difficult to implement in practice. In a realistic attack, one has to run many smaller instances of the algorithm in parallel, which makes the quantum speedup less dramati[c].

NIST’s calculation uses less optimized (and hence less conservative) AES quantum circuits (from Grassl et al. (2015) instead of Liao and Luo (2025)), but faster (and hence more conservative) logical gate speed. Nonetheless, it lands in the same ballpark and comes to the same conclusion. Further proof, NIST IR 8547 ipd, Transition to Post-Quantum Cryptography Standards, disallows all quantum-vulnerable algorithms from 2035. However, it reiterates that all AES key sizes remain allowed in Section 4.1.3.

NIST’s existing standards in symmetric cryptography — including hash functions, XOFs, block ciphers, KDFs, and DRBGs — are significantly less vulnerable to known quantum attacks than the public-key cryptography standards in SP 800-56A, SP 800-56B, and FIPS 186. In particular, all NIST-approved symmetric primitives that provide at least 128 bits of classical security are believed to meet the requirements of at least Category 1 security within the system of five security strength categories for evaluating parameter sets in the NIST PQC standardization process (see Table 1).

Finally, in the Post-Quantum Cryptography FAQs, there is an explicit answer to “should we double AES key sizes.” (Emphasis mine.)

To protect against the threat of quantum computers, should we double the key length for AES now? (added 11/18/18) Grover’s algorithm allows a quantum computer to perform a brute force key search using quadratically fewer steps than would be required classically. Taken at face value, this suggests that an attacker with access to a quantum computer might be able to attack a symmetric cipher with a key up to twice as long as could be attacked by an attacker with access only to classical computers.