For years, a specific brand of digital dread has circulated among cryptographers and security enthusiasts: the "quantum apocalypse." The narrative suggests that once a cryptographically relevant quantum computer (CRQC) finally flickers to life, the Advanced Encryption Standard with 128-bit keys (AES-128), the invisible bedrock of modern digital privacy, will essentially evaporate. The fear rests on Grover's algorithm, a quantum search that finds one key among 2^128 candidates in roughly 2^64 steps rather than the 2^128 a classical search needs. On paper that halves the cipher's security level, turning a formidable 128-bit key into a supposedly vulnerable 64-bit target.
However, as cryptography engineer Filippo Valsorda recently noted, this "halving" is more of a mathematical abstraction than a practical death sentence. The reduction in step count is real, but Grover's roughly 2^64 steps are oracle evaluations that must run one after another on a single quantum machine, and spreading the search across p machines buys only a factor of about sqrt(p) in wall-clock time, not the factor of p that classical brute force enjoys. Add the energy and error-correction cost of each step and the picture changes. For comparison, in the classical world breaking AES-128 by brute force remains an absurdity: even if one repurposed the entirety of the world's Bitcoin mining hardware, the task would span billions of years.
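To make the parallelization argument concrete, here is an added cost model; it is not code from Ars Technica or from Valsorda's post, and its two input numbers are labelled assumptions: a world Bitcoin hash rate of about 6e20 hashes per second, used as a stand-in for "all the mining hardware on Earth trying AES keys," and an optimistic 1 microsecond per Grover iteration on an error-corrected machine. The function names (`classical_bruteforce_years`, `grover_iterations`, `grover_wallclock_years`, `grover_machines_for_deadline`) are my own. It shows why a 64-bit classical search is trivial while Grover's 2^64 sequential steps are not, and how many quantum machines the sqrt(p) parallel speedup would demand to finish within a year.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumption (constructed for this example): roughly the global Bitcoin hash
# rate, around 600 EH/s. Treated here as "key trials per second" even though
# SHA-256d hashing is not AES key trial; it is a generous stand-in.
WORLD_BITCOIN_HASHRATE = 6e20

# Assumption (constructed for this example): seconds per Grover iteration.
# Each iteration evaluates AES inside a quantum circuit under error correction,
# so 1 microsecond is wildly optimistic; the point survives even so.
OPTIMISTIC_SECONDS_PER_ITERATION = 1e-6


def classical_bruteforce_years(key_bits: int, keys_per_second: float) -> float:
    """Expected wall-clock years to brute-force a key classically.

    A classical search parallelizes linearly, so keys_per_second may be the
    aggregate rate of any number of machines. On average half the key space
    is tried before the key is found.
    """
    expected_trials = 2 ** (key_bits - 1)
    return expected_trials / keys_per_second / SECONDS_PER_YEAR


def grover_iterations(key_bits: int, machines: int = 1) -> float:
    """Sequential Grover iterations per machine to find one marked key.

    Grover needs about (pi/4) * sqrt(N) oracle calls for a single marked item
    among N. Splitting the key space over p machines gives each a space of
    N/p, so each still needs (pi/4) * sqrt(N/p) iterations: only a sqrt(p)
    speedup, and total work p * sqrt(N/p) = sqrt(p * N) grows with p.
    """
    space = 2 ** key_bits
    return (math.pi / 4) * math.sqrt(space / machines)


def grover_wallclock_years(key_bits: int, seconds_per_iteration: float,
                           machines: int = 1) -> float:
    """Wall-clock years for a Grover search with the given parallelism."""
    iterations = grover_iterations(key_bits, machines)
    return iterations * seconds_per_iteration / SECONDS_PER_YEAR


def grover_machines_for_deadline(key_bits: int, seconds_per_iteration: float,
                                 deadline_years: float) -> int:
    """Quantum machines needed to finish Grover within the deadline.

    Because wall-clock time scales as 1/sqrt(p), squeezing a serial run of
    T years into D years needs p = (T / D)^2 machines.
    """
    serial_years = grover_wallclock_years(key_bits, seconds_per_iteration, 1)
    return math.ceil((serial_years / deadline_years) ** 2)


if __name__ == "__main__":
    rate = WORLD_BITCOIN_HASHRATE
    t_iter = OPTIMISTIC_SECONDS_PER_ITERATION
    print(f"Classical AES-128 on all Bitcoin hardware: "
          f"{classical_bruteforce_years(128, rate):.2e} years")
    # A genuinely 64-bit classical target falls in a fraction of a second.
    print(f"Classical 64-bit key on the same hardware: "
          f"{classical_bruteforce_years(64, rate) * SECONDS_PER_YEAR:.3f} s")
    print(f"Grover on AES-128, one machine, 1 us/iteration: "
          f"{grover_wallclock_years(128, t_iter):.2e} years")
    print(f"Machines needed to finish Grover in one year: "
          f"{grover_machines_for_deadline(128, t_iter, 1.0):.2e}")
```

The contrast is the whole argument: the same hardware budget that makes a classical 64-bit key fall in well under a second leaves Grover's 2^64 sequential iterations at hundreds of thousands of years on one machine, and the quadratic cost of parallelizing Grover means roughly 10^11 fault-tolerant quantum computers would be needed to compress that into a year, even at the optimistic per-iteration time assumed here.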
The transition to a post-quantum world will certainly require new public-key standards, because Shor's algorithm breaks RSA and elliptic-curve key exchange and signatures outright rather than merely shaving bits off them. The panic surrounding AES-128, by contrast, appears misplaced. The 128-bit standard, which balances security with computational speed, continues to offer a margin of safety that quantum hardware is unlikely to bridge anytime soon. In the architecture of future security, the old foundations may prove sturdier than the new ghosts haunting them.
With reporting from Ars Technica.