BlockBeats News, April 21st - Cryptography engineer Filippo Valsorda argued that even under the most optimistic assumptions, real-world quantum computers will not be able to break 128-bit symmetric encryption in the foreseeable future, and that the current panic over symmetric key sizes in the post-quantum debate rests on a misunderstanding. In his article "Quantum Computers Pose No Threat to 128-Bit Symmetric Keys," he stated that quantum computers pose no practical threat to 128-bit symmetric keys (such as AES-128) and that the industry does not need to upgrade symmetric key lengths.
Valsorda pointed out that many people worry that Grover's algorithm lets a quantum computer "halve" the effective security of a symmetric key, so that a 128-bit key provides only 64 bits of security. This is a misconception that overlooks a crucial limitation of Grover's algorithm in a real attack: it does not parallelize efficiently. Its roughly 2^64 iterations (each a full AES evaluation in superposition) must be executed one after another on a single machine; splitting the search across k machines shortens the run only by a factor of sqrt(k), so the total computational cost rises rather than falls as an attacker tries to finish in any realistic time. Even with an idealized quantum computer, the total effort required to recover an AES-128 key is astronomical: by his estimate about 2^104.5 operations, orders of magnitude more than the cost at which quantum computers are expected to break today's public-key algorithms, which makes the attack entirely impractical.

Standards bodies such as NIST in the United States and BSI in Germany, together with post-quantum cryptography researchers, have stated that algorithms like AES-128 are sufficient to withstand known quantum attacks and use AES-128 key search as the benchmark for post-quantum security levels. NIST's official FAQ explicitly advises that doubling the AES key length is not recommended as a response to quantum threats.
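The parallelization argument above can be made concrete with a small cost model. The following Python is an added worked example, not code or figures from Valsorda's article or from NIST; it counts Grover iterations only (each iteration is a full AES evaluation in superposition, and error-correction overhead is ignored, which only raises every figure), and the depth budgets of 2^40, 2^50 and 2^64 sequential iterations are assumptions chosen for illustration. The results are therefore not the 2^104.5 estimate quoted above, which is a gate-level figure, but they show the same shape: the "64-bit" number appears only for one machine running 2^64 consecutive iterations, and every attempt to finish sooner multiplies the total work.

```python
import math

# Added illustrative model (not from Valsorda's article or NIST's FAQ).
# All quantities are kept as log2 values so the numbers stay readable.
# "depth" is the sequential iteration count one machine must run (wall-clock
# cost); "total_work" is depth summed over all machines (the attacker's bill).

LOG2_PI_OVER_4 = math.log2(math.pi / 4)  # Grover needs about (pi/4)*sqrt(N) iterations


def single_machine_log2(key_bits: int) -> float:
    """log2 of the sequential Grover iterations one machine needs to recover
    one key out of N = 2**key_bits: about (pi/4) * sqrt(N)."""
    return key_bits / 2 + LOG2_PI_OVER_4


def parallel_log2(key_bits: int, log2_machines: float) -> dict:
    """Split the key space over k = 2**log2_machines independent Grover searches.
    Each machine searches N/k keys, so its depth is (pi/4)*sqrt(N/k); summing
    over k machines gives total work (pi/4)*sqrt(N*k), i.e. sqrt(k) MORE work
    than a single machine, in exchange for a sqrt(k) shorter run."""
    depth = (key_bits - log2_machines) / 2 + LOG2_PI_OVER_4
    return {"log2_depth": depth, "log2_total_work": depth + log2_machines}


def machines_for_depth_log2(key_bits: int, log2_max_depth: float) -> dict:
    """Smallest machine count (as log2) such that no machine runs more than
    2**log2_max_depth sequential iterations, and the total work that implies.
    Solving (pi/4)*sqrt(N/k) <= T gives k = (pi/4)^2 * N / T^2 and
    total work k*T = (pi/4)^2 * N / T.  If one machine already fits the
    budget (the edge case), report one machine and its plain Grover cost."""
    log2_k = key_bits - 2 * log2_max_depth + 2 * LOG2_PI_OVER_4
    if log2_k <= 0:
        return {"log2_machines": 0.0, "log2_total_work": single_machine_log2(key_bits)}
    return {"log2_machines": log2_k, "log2_total_work": log2_k + log2_max_depth}


def classical_bruteforce_log2(key_bits: int) -> float:
    """Expected classical key-search cost: half the key space on average."""
    return key_bits - 1


if __name__ == "__main__":
    key_bits = 128
    print(f"AES-{key_bits}: classical brute force ~2^{classical_bruteforce_log2(key_bits):.1f} trials")
    print(f"AES-{key_bits}: one ideal Grover machine ~2^{single_machine_log2(key_bits):.1f} sequential iterations")
    print()
    print("assumed depth budget   machines needed   total Grover work")
    for log2_budget in (40, 50, 64):  # assumed budgets, in sequential iterations
        r = machines_for_depth_log2(key_bits, log2_budget)
        print(f"  2^{log2_budget:<19} 2^{r['log2_machines']:<16.1f} 2^{r['log2_total_work']:.1f}")
```

Reading the table: with an assumed budget of 2^40 sequential iterations, the attacker needs about 2^47 quantum computers and still spends about 2^87 total iterations, not 2^64; only the bottom row, a single machine running 2^64 AES evaluations one after another, reproduces the "half the key length" figure that the panic is built on.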
Finally, Valsorda argued that the only pressing task in post-quantum migration is to replace the public-key algorithms that quantum computers actually break (such as RSA and ECDSA). Spending limited resources on upgrading symmetric keys (for example from 128 to 256 bits) is unnecessary, dilutes effort, and adds system complexity and coordination cost; the focus should stay entirely on the components that genuinely need replacing.
