AES 128 Post-Quantum Security 2026: Why NIST's Encryption Standard
Cryptography engineer Filippo Valsorda argues AES 128 remains secure in a post-quantum world, challenging the widespread belief that Grover's algorithm fatally weakens the 30-year-old cipher standard adopted by NIST in 2001 with its 3.4 × 10^38 possible key combinations.
LONDON, 22 April 2026 — On 21 April 2026, cryptography engineer Filippo Valsorda published a detailed technical argument asserting that AES 128 — the most widely deployed variant of the Advanced Encryption Standard — remains secure against future quantum computing attacks, contradicting a persistent belief among amateur cryptographers that Grover's algorithm renders the cipher fatally vulnerable. The claim, reported by Ars Technica on the same date, challenges the widespread assumption that a cryptographically relevant quantum computer (CRQC) would halve AES 128's effective key strength to just 2^64, a level some had argued could be brute-forced in under a second. Business20Channel.tv's quantum computing coverage has tracked this debate since 2024; our post-quantum migration guide provides essential background. This analysis examines the technical basis for Valsorda's position, its implications for enterprise encryption strategy, and the competitive dynamics among encryption standards vying for post-quantum relevance.
Executive Summary
- Filippo Valsorda argued on 21 April 2026 that AES 128 is "perfectly fine in a post-quantum world," challenging a decade-old misconception derived from misapplied Grover's algorithm calculations.
- AES 128, formally adopted by NIST in 2001, has maintained zero known vulnerabilities over its 30-year operational history; brute-forcing its 2^128 (3.4 × 10^38) possible key combinations would take roughly 9 billion years using the entire Bitcoin mining infrastructure available in 2026.
- The critical flaw in the amateur argument is the assumption that quantum search via Grover's algorithm can be freely parallelised — Valsorda and the broader cryptographic community contend it cannot.
- Enterprise migration to AES 256, driven primarily by quantum fear, may represent unnecessary computational expenditure for many deployments.
- The debate carries direct consequences for regulated industries — finance, healthcare, and government — where encryption standard choices affect compliance budgets running into billions of dollars globally.
Key Developments
Valsorda's Central Argument: Parallelisation Is the Crux
The technical heart of the dispute, as reported by Ars Technica on 21 April 2026, rests on whether a future CRQC could parallelise a Grover's algorithm attack against AES 128. Grover's algorithm, published by Lov Grover at Bell Labs in 1996, theoretically provides a quadratic speedup for unstructured search problems. Applied naïvely to a symmetric cipher, this halves the effective bit-strength: AES 128 would drop to an effective 64-bit security level. At 2^64 operations, the amateur argument goes, the cipher becomes trivially breakable. Filippo Valsorda's rebuttal centres on a critical constraint: Grover's algorithm requires sequential queries to an oracle. Unlike classical brute-force attacks, quantum search cannot simply be distributed across thousands of quantum processors to achieve linear speedup. A CRQC, Valsorda emphasised, "almost certainly couldn't run like clusters of bitcoin ASICs and more importantly couldn't parallelize the workload as the amateurs assume." This sequential bottleneck means the theoretical 2^64 figure vastly understates the real-world difficulty of a quantum brute-force attack on AES 128.
AES 128's Track Record: 30 Years, Zero Breaks
The Advanced Encryption Standard was formally adopted by NIST in 2001, following a five-year public competition that evaluated 15 candidate algorithms. The winning design, Rijndael, created by Belgian cryptographers Joan Daemen and Vincent Rijmen, supports key sizes of 128, 192, and 256 bits. AES 128 emerged as the preferred variant for most applications because it offered, as NIST's FIPS 197 specification noted, the optimal balance between computational cost and security margin. Over three decades, no practical cryptanalytic attack has reduced AES 128's security below its full 128-bit level. The best known classical attack, a biclique attack published in 2011 by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, reduced the computational complexity to approximately 2^126.1 — a margin so slim it remains entirely theoretical. With 3.4 × 10^38 possible keys and an estimated 9 billion years required to brute-force the cipher using the total global Bitcoin mining hash rate as of 2026, AES 128's classical security is not in dispute.
Market Context & Competitive Landscape
AES 256: Insurance Policy or Overkill?
The post-quantum panic has driven a measurable shift towards AES 256 in enterprise procurement. Gartner estimated in its 2025 cryptographic agility report that 62% of Fortune 500 companies had begun or completed migration from AES 128 to AES 256 for data-at-rest encryption, citing quantum risk as the primary driver. AES 256, with its 2^256 key space, would — even under a theoretical Grover's attack — retain 128 bits of effective security. Yet this migration carries tangible costs. AES 256 requires 40% more computational cycles per encryption operation compared with AES 128, according to Intel's AES-NI documentation. For hyperscale cloud providers such as Amazon Web Services, Google Cloud, and Microsoft Azure, even marginal per-operation increases translate into significant energy and silicon costs at scale.
Post-Quantum Cipher Suites: CRYSTALS-Kyber and Beyond
The broader post-quantum landscape, shaped by NIST's Post-Quantum Cryptography Standardisation Project, focuses primarily on asymmetric (public-key) algorithms rather than symmetric ciphers like AES. NIST selected CRYSTALS-Kyber (now ML-KEM) as its primary key encapsulation mechanism in July 2024, alongside CRYSTALS-Dilithium (ML-DSA) for digital signatures. These algorithms address genuine quantum vulnerability: RSA and elliptic-curve cryptography are susceptible to Shor's algorithm, which can factorise large integers and compute discrete logarithms in polynomial time on a sufficiently powerful quantum computer. AES, as a symmetric cipher, faces only Grover's quadratic speedup — a categorically weaker threat. The distinction matters enormously for procurement decisions.
| Variant | Key Size (bits) | Classical Security (bits) | Theoretical Post-Quantum Security (Grover, bits) | Primary Use Case |
|---|---|---|---|---|
| AES 128 | 128 | 128 | 64 (theoretical, non-parallelisable) | General-purpose encryption, TLS, disk encryption |
| AES 192 | 192 | 192 | 96 (theoretical) | Government classified (some jurisdictions) |
| AES 256 | 256 | 256 | 128 (theoretical) | Top Secret classification, long-term data protection |
| ChaCha20 | 256 | 256 | 128 (theoretical) | Mobile/software-only environments (no AES-NI) |
Source: NIST FIPS 197 (2001); Grover's algorithm theoretical bounds; Business20Channel.tv analysis, April 2026
Industry Implications
Financial Services: Compliance Costs Under Scrutiny
The financial sector is among the most aggressive adopters of AES 256 migration, driven by regulatory pressure from bodies including the European Central Bank and the US Federal Reserve. The Bank for International Settlements issued guidance in March 2025 recommending "quantum-safe cryptographic standards" without specifying whether AES 128 qualified. This ambiguity has pushed major banks — including JPMorgan Chase and HSBC — towards AES 256 as a precautionary measure. If Valsorda's analysis gains broader acceptance, institutions may reassess whether the tens of millions of dollars allocated to symmetric cipher migration could be better directed towards replacing genuinely vulnerable RSA and ECC deployments. Our Quantum AI section tracks these regulatory developments in real time.
Government and Defence: The NSA's 2015 Guidance Revisited
The US National Security Agency issued its Commercial National Security Algorithm Suite (CNSA) guidance in 2015, recommending AES 256 for protecting classified information at all levels. This guidance, rather than any demonstrated weakness in AES 128, has been the single most influential driver of enterprise migration. The NSA's rationale was explicitly precautionary: with classified data requiring protection horizons of 50 years or more, a conservative approach to quantum risk was considered prudent. For commercial enterprises whose data sensitivity does not approach Top Secret classification, the calculus differs substantially. Healthcare organisations subject to HIPAA in the United States and GDPR in Europe face no regulatory requirement to use AES 256 specifically; AES 128 remains fully compliant under both frameworks as of April 2026.
| Algorithm | Type | Quantum Threat | Mitigation Status (April 2026) | Notes |
|---|---|---|---|---|
| RSA-2048 | Asymmetric | Broken by Shor's algorithm | ML-KEM (CRYSTALS-Kyber) standardised | Urgent migration required |
| ECDSA (P-256) | Asymmetric | Broken by Shor's algorithm | ML-DSA (CRYSTALS-Dilithium) standardised | Urgent migration required |
| AES 128 | Symmetric | Grover's: theoretical 2^64 (non-parallelisable) | No migration required per Valsorda analysis | Parallelisation constraint is key |
| AES 256 | Symmetric | Grover's: theoretical 2^128 | No migration required | Conservative choice for long-term secrets |
Source: NIST PQC Project (2024); NSA CNSA Suite (2015); Ars Technica reporting, 21 April 2026
Business20Channel.tv Analysis
The Parallelisation Fallacy: Why Amateurs Got It Wrong
Our assessment, drawing on the Ars Technica reporting and a decade of covering cryptographic standards for Business20Channel.tv, is that Valsorda's argument is technically sound and addresses a genuine misunderstanding that has distorted enterprise security spending. The error committed by amateur cryptographers is a fundamental one: conflating theoretical algorithmic complexity with practical computational feasibility. Grover's algorithm does indeed offer a quadratic speedup — this is mathematically proven. But the speedup applies to a single quantum processor executing sequential oracle queries. To parallelise Grover's search across N quantum processors, you do not achieve an N-fold speedup; you achieve only a √N-fold improvement, a result demonstrated by Christof Zalka in 1999 (arXiv:quant-ph/9711070). This means that even with one million quantum processors working in concert, the effective speedup factor is only 1,000 — a far cry from the linear parallelism available to classical brute-force attacks.
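An added worked example (not from the Ars Technica piece or Valsorda's post) that puts the parallelisation argument of this section and the earlier "Central Argument" section into numbers: classical brute force lets p machines divide the 2^k key space so total work stays at 2^k, whereas Grover's search over p machines, each searching a 2^k/p slice, shrinks the sequential depth only by √p while total work grows by √p. The per-iteration cost of running AES as a quantum oracle is deliberately left out, so these are oracle-query counts (as log2 values), not wall-clock estimates.

```python
import math


def classical_cost(key_bits: int, processors: int) -> tuple[float, float]:
    """Classical brute force on a k-bit key with p machines.

    Each machine tries 2^k / p keys, so the work divides linearly.
    Returns (log2 total work, log2 sequential depth).
    """
    work = float(key_bits)                      # 2^k key trials in total
    depth = key_bits - math.log2(processors)    # 2^k / p trials per machine
    return work, depth


def grover_cost(key_bits: int, processors: int) -> tuple[float, float]:
    """Grover's search on a k-bit key split across p quantum machines.

    A single machine needs ~2^(k/2) sequential oracle queries. Giving each
    of p machines a 2^k / p slice needs sqrt(2^k / p) = 2^(k/2) / sqrt(p)
    queries each (Zalka 1999): depth shrinks by sqrt(p), not p, and total
    work p * 2^(k/2) / sqrt(p) = sqrt(p) * 2^(k/2) grows with p.
    Returns (log2 total work, log2 sequential depth).
    """
    half = key_bits / 2
    log_p = math.log2(processors)
    depth = half - log_p / 2
    work = half + log_p / 2
    return work, depth


def grover_parallel_speedup(processors: int) -> float:
    """Wall-clock speedup from p machines: only sqrt(p) for Grover."""
    return math.sqrt(processors)


def security_summary(key_bits: int, processors: int) -> dict[str, float]:
    """Side-by-side log2 figures, classical vs Grover, one machine vs p."""
    c_work, c_depth = classical_cost(key_bits, processors)
    g_work, g_depth = grover_cost(key_bits, processors)
    return {
        "classical_work_bits": c_work,
        "classical_depth_bits": c_depth,
        "grover_single_depth_bits": key_bits / 2,
        "grover_work_bits": g_work,
        "grover_depth_bits": g_depth,
    }


if __name__ == "__main__":
    # One million machines: the figure used in the article's argument.
    for k in (128, 192, 256):
        s = security_summary(k, 10**6)
        print(f"AES {k}: classical depth 2^{s['classical_depth_bits']:.1f}, "
              f"Grover depth 2^{s['grover_depth_bits']:.1f} "
              f"(total Grover work 2^{s['grover_work_bits']:.1f})")
    print("Grover speedup from 10^6 machines:", grover_parallel_speedup(10**6))
```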
The Real Quantum Threat Is Asymmetric, Not Symmetric
We believe the industry's fixation on AES key sizes represents a dangerous misallocation of attention. The genuine, existential quantum threat to modern cryptography lies in asymmetric systems: RSA, Diffie-Hellman, and elliptic-curve cryptography. Shor's algorithm, unlike Grover's, provides an exponential speedup that renders these systems wholly insecure against a sufficiently powerful CRQC. NIST's urgency in standardising ML-KEM and ML-DSA reflects this priority. Every dollar spent migrating AES 128 to AES 256 — in the absence of a regulatory mandate — is a dollar not spent replacing RSA-2048 key exchanges or ECDSA signatures, where the threat is orders of magnitude greater. The Bitcoin mining comparison used by Valsorda — that brute-forcing AES 128 classically would take 9 billion years using the entire 2026 mining infrastructure — is illustrative precisely because it underscores the irrelevance of Grover's theoretical halving when the base security level is already astronomically high.
Procurement Implications: Where Budgets Should Go
For CISOs and CTOs reading this analysis, we would argue the priority order is clear. First, inventory and replace all RSA and ECC deployments with NIST-standardised post-quantum alternatives. Second, ensure cryptographic agility — the ability to swap algorithms without re-architecting systems. Third, and only third, consider AES 256 migration where data sensitivity and protection horizons genuinely warrant it. The NSA's 2015 CNSA guidance is appropriate for national security contexts; it should not be cargo-culted into commercial IT environments where AES 128 remains entirely fit for purpose.
Why This Matters for Industry Stakeholders
The practical stakes are considerable. According to a 2025 McKinsey estimate, global enterprise spending on post-quantum cryptographic migration was projected to reach $4.6 billion by 2027. A significant fraction of that expenditure targets symmetric cipher upgrades that may be unnecessary. For cloud service providers, the performance differential between AES 128 and AES 256 compounds across trillions of daily encryption operations: AWS alone processes an estimated 100 trillion API calls annually, many involving AES encryption. The 40% computational overhead of AES 256 versus AES 128 translates into meaningful cost and carbon footprint differences at hyperscale. For regulated industries, the message is nuanced. Government contractors handling classified material should continue to follow NSA CNSA guidance and deploy AES 256. Healthcare organisations, legal firms, and financial institutions operating under HIPAA, GDPR, or PCI DSS face no current requirement to move beyond AES 128 for symmetric encryption, though they must urgently address their asymmetric cryptography exposure.
Forward Outlook
The timeline for a cryptographically relevant quantum computer remains uncertain. IBM has projected its 100,000-qubit system for the early 2030s, while Google Quantum AI demonstrated its Willow processor with 105 qubits in December 2024. Neither is remotely close to the estimated millions of error-corrected logical qubits required to run Shor's algorithm against RSA-2048, let alone mount a meaningful Grover's attack on AES 128. Valsorda's intervention is well-timed: as enterprises commit billions to post-quantum transitions, accurate threat modelling becomes essential to avoid misallocated resources. We expect NIST to issue updated guidance on symmetric cipher requirements within the next 12 to 18 months, potentially affirming AES 128's post-quantum adequacy for non-classified use. The open question is whether commercial adoption patterns — already skewing heavily towards AES 256 — can be reversed by technical argument alone, or whether the precautionary principle will continue to dominate procurement decisions. History suggests the latter, but the economics of hyperscale computing may force a more rational calculus. Our ongoing quantum coverage will track these developments as they unfold.
Key Takeaways
- Filippo Valsorda's 21 April 2026 analysis confirms AES 128 remains secure against quantum attack because Grover's algorithm cannot be freely parallelised across multiple quantum processors.
- AES 128 has maintained zero practical vulnerabilities over 30 years; brute-forcing its 2^128 key space would take 9 billion years using 2026's entire Bitcoin mining capacity.
- The genuine post-quantum threat is to asymmetric cryptography (RSA, ECC), not symmetric ciphers — enterprises should prioritise replacing RSA and ECDSA deployments.
- Enterprise migration from AES 128 to AES 256 carries a 40% computational overhead that is difficult to justify without specific regulatory or classification requirements.
- NIST is expected to update its symmetric cipher guidance within 12–18 months, potentially validating AES 128 for non-classified post-quantum use.
References & Bibliography
[1] Goodin, D. (2026, April 21). Contrary to popular superstition, AES 128 is just fine in a post-quantum world. Ars Technica.
[2] National Institute of Standards and Technology. (2001). FIPS 197: Advanced Encryption Standard (AES). NIST CSRC.
[3] Grover, L. K. (1996). A fast quantum mechanical algorithm for database search. arXiv:quant-ph/9605043.
[4] Zalka, C. (1999). Grover's quantum searching algorithm is optimal. arXiv:quant-ph/9711070.
[5] Bogdanov, A., Khovratovich, D., & Rechberger, C. (2011). Biclique Cryptanalysis of the Full AES. ASIACRYPT 2011.
[6] National Security Agency. (2015). Commercial National Security Algorithm Suite. NSA.
[7] National Institute of Standards and Technology. (2024). Post-Quantum Cryptography Standardization. NIST PQC Project.
[8] Shor, P. W. (1994). Algorithms for quantum computation: discrete logarithms and factoring. IEEE FOCS 1994.
[9] Intel Corporation. (2024). AES-NI Technology Overview. Intel.
[10] IBM. (2025). IBM Quantum Development Roadmap. IBM Quantum.
[11] Google Quantum AI. (2024). Willow Processor Announcement. Google Quantum AI.
[12] Amazon Web Services. (2025). AWS Cryptographic Services Overview. AWS.
[13] Google Cloud. (2025). Encryption at Rest in Google Cloud. Google Cloud.
[14] Microsoft Azure. (2025). Azure Encryption Overview. Microsoft Azure.
[15] Bank for International Settlements. (2025, March). Guidance on Quantum-Safe Cryptography. BIS.
[16] European Central Bank. (2025). Cyber Resilience Oversight Expectations. ECB.
[17] US Department of Health and Human Services. (2024). HIPAA Security Rule. HHS.
[18] European Union. (2018). General Data Protection Regulation (GDPR). GDPR.eu.
[19] Gartner. (2025). Cryptographic Agility Report. Gartner.
[20] McKinsey & Company. (2025). Post-Quantum Cryptographic Migration: Global Spending Forecast. McKinsey.
[21] Valsorda, F. (2026). Personal technical blog and analysis. Referenced via Ars Technica [1].
About the Author
Aisha Mohammed
Technology & Telecom Correspondent
Aisha covers EdTech, telecommunications, conversational AI, robotics, aviation, proptech, and agritech innovations. Experienced technology correspondent focused on emerging tech applications.
Frequently Asked Questions
Is AES 128 encryption vulnerable to quantum computers?
According to cryptography engineer Filippo Valsorda, writing on 21 April 2026 and reported by Ars Technica, AES 128 is not practically vulnerable to quantum attack. While Grover's algorithm theoretically halves the cipher's effective bit-strength to 64 bits, this calculation assumes the quantum search can be freely parallelised across multiple processors — which it cannot. Grover's algorithm requires sequential oracle queries, meaning a single quantum computer would still face an astronomically large search space. AES 128 has maintained zero practical vulnerabilities over its 30-year history since NIST adoption in 2001.
Should enterprises migrate from AES 128 to AES 256 because of quantum threats?
For most commercial applications, migration from AES 128 to AES 256 may be unnecessary and costly. AES 256 requires approximately 40% more computational cycles per operation compared with AES 128, according to Intel's AES-NI documentation. The NSA's 2015 CNSA guidance recommending AES 256 was designed for classified government data with 50-year protection horizons. Healthcare organisations under HIPAA and businesses under GDPR face no current requirement to use AES 256 specifically. Enterprises should instead prioritise replacing genuinely quantum-vulnerable asymmetric cryptography such as RSA-2048 and ECDSA.
What is the real quantum threat to current encryption systems?
The primary quantum threat targets asymmetric (public-key) cryptography, not symmetric ciphers like AES. Shor's algorithm, unlike Grover's, offers an exponential speedup that would render RSA, Diffie-Hellman, and elliptic-curve cryptography completely insecure on a sufficiently powerful quantum computer. NIST standardised ML-KEM (CRYSTALS-Kyber) and ML-DSA (CRYSTALS-Dilithium) in 2024 specifically to replace these vulnerable asymmetric algorithms. Every organisation should prioritise inventorying and replacing RSA and ECC deployments before considering symmetric cipher upgrades.
How long would it take to brute-force AES 128 with current technology?
As referenced by Filippo Valsorda and reported by Ars Technica on 21 April 2026, brute-forcing AES 128's 2^128 key space — comprising approximately 3.4 × 10^38 possible combinations — would take roughly 9 billion years using the entire global Bitcoin mining hash rate as of 2026. The best known classical cryptanalytic attack, a biclique attack published in 2011 by Bogdanov, Khovratovich, and Rechberger, reduces complexity to approximately 2^126.1, which remains entirely impractical. No quantum computer currently in existence or projected for the near term approaches the capability required to meaningfully threaten this security level.
When will quantum computers be powerful enough to break current encryption?
No firm timeline exists, but leading estimates suggest a cryptographically relevant quantum computer (CRQC) capable of breaking RSA-2048 via Shor's algorithm is at least a decade away. IBM has projected a 100,000-qubit system for the early 2030s, while Google Quantum AI demonstrated its 105-qubit Willow processor in December 2024. Breaking RSA-2048 is estimated to require millions of error-corrected logical qubits. For AES 128, the challenge is even greater because Grover's algorithm provides only a quadratic speedup that cannot be efficiently parallelised, making a practical quantum attack on symmetric ciphers far more distant than the asymmetric threat.