A claim has emerged that even as quantum computing technology advances, symmetric-key encryption such as AES-128 is not a realistic target for attacks.

On April 21 local time, online media outlet Gigazine reported that Filippo Valsorda (필리포 발소르다), a cryptography engineer responsible for maintaining the Go programming language’s cryptography standard library, said the quantum threat should be assessed by distinguishing between public-key cryptography and symmetric-key cryptography.

Asymmetric cryptography such as RSA, ECDSA and EdDSA is vulnerable to Shor’s algorithm and is cited as urgently needing replacement. By contrast, symmetric-key cryptography such as AES-128, which uses the same key for encryption and decryption, would still be extremely costly to attack even if Grover’s algorithm is applied, he explained.

In theory, Grover’s algorithm can reduce the number of brute-force search attempts. But the function that verifies the correct answer must itself be placed inside a quantum circuit, a process that is effectively close to serial processing. Parallelisation is also not easy, so splitting the search space across multiple devices does not reduce efficiency as cleanly as it does with classical computers.

In practice, if a 64-bit key is distributed across about 2 to the 16th power classical computers, the workload per device falls to 1 over 2 to the 16th power. But even if a Grover attack on a 128-bit key is divided among about 2 to the 16th power quantum computers, the burden on each instance only falls by 1 over 2 to the 8th power.

The required scale of computation is also large. Even assuming 1 microsecond per quantum gate operation and running the equipment almost without stopping for 10 years, the length of serial computation a single machine can perform is about 2 to the 48th power gates. Even applying AES-128 optimisations published in 2025, he said answer verification would require 724 logical qubits, with 2 to the 32nd power run in parallel for about 10 years.

Valsorda estimated that the cost of breaking AES-128 with Grover’s algorithm is about 2 to the 78.5th power times, or about 43×10 to the 20th power times, larger than breaking 256-bit elliptic-curve cryptography with Shor’s algorithm. The U.S. National Institute of Standards and Technology and Germany’s Federal Office for Information Security also take the position that AES-128, AES-192 and AES-256 can continue to be used.

Cryptography researcher Samuel Jaques (사무엘 제이크스) presented a similar view in 2024. He said claims that AES key length must be doubled because of Grover’s algorithm are wrong, and he assessed the likelihood of AES-128 being broken as very low because the cost of parallel attacks is excessively high. Valsorda argued that rather than uniformly moving symmetric-key cryptography to 256 bits, resources should be focused on replacing public-key cryptography that is vulnerable to Shor’s algorithm.