MIXED
AES-256 is quantum-safe
Grover's algorithm reduces AES-256 security to ~128 bits against quantum attacks. This is still considered secure, but 'quantum-safe' is an oversimplification.
The Claim
“AES-256 is quantum-safe, so we don’t need to worry about it.”
The Verdict: MIXED
While AES-256 is expected to remain secure against quantum computers, calling it “quantum-safe” oversimplifies the situation.
The Technical Reality
Grover’s Algorithm
Grover’s algorithm finds one marked item among N unstructured candidates with roughly √N queries, compared with about N/2 for a classical exhaustive search. For a symmetric cipher the candidates are the keys, so this halves the effective security level in bits (the key length itself is unchanged):
- AES-256 → ~128-bit security against quantum
- AES-128 → ~64-bit security against quantum (potentially breakable)
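To make the √N query count concrete, here is an added example (not code from the original page) that simulates Grover’s search as a plain statevector over a small 4-bit key space and then converts the speed-up into the halved security level quoted above; the 4-bit key space and the marked key value 5 are constructed inputs.

```python
"""Grover speed-up on a toy key space, and what it does to security bits.

Pure Python statevector simulation; no quantum library is assumed.
"""
import math


def grover_success_probability(n_bits: int, marked: int, iterations: int) -> float:
    """Probability of measuring `marked` after `iterations` Grover rounds.

    The search space has N = 2**n_bits candidate keys; the oracle recognises
    exactly one of them (`marked`), mimicking a known-plaintext key check.
    """
    size = 1 << n_bits
    # Uniform superposition: every candidate key starts at amplitude 1/sqrt(N).
    amps = [1.0 / math.sqrt(size)] * size
    for _ in range(iterations):
        # Oracle: flip the sign of the marked key's amplitude.
        amps[marked] = -amps[marked]
        # Diffusion operator: reflect every amplitude about the mean.
        mean = sum(amps) / size
        amps = [2.0 * mean - a for a in amps]
    return amps[marked] ** 2


def optimal_grover_iterations(n_bits: int) -> int:
    """Iteration count that maximises success: floor(pi/4 * sqrt(N))."""
    return int(math.floor(math.pi / 4 * math.sqrt(1 << n_bits)))


def effective_security_bits(key_bits: int, quantum: bool) -> float:
    """log2 of the expected work for exhaustive key search.

    Classical: ~N/2 trial decryptions       -> key_bits - 1
    Grover:    ~pi/4 * sqrt(N) oracle calls -> key_bits/2 + log2(pi/4)
    """
    if quantum:
        return key_bits / 2 + math.log2(math.pi / 4)
    return key_bits - 1.0


if __name__ == "__main__":
    # Constructed toy case: 4-bit keys, the "right" key is 5.
    n, key = 4, 5
    for k in range(optimal_grover_iterations(n) + 1):
        print(f"iterations={k}: P(find key)={grover_success_probability(n, key, k):.4f}")
    for bits in (128, 256):
        print(f"AES-{bits}: classical ~2^{effective_security_bits(bits, False):.1f}, "
              f"Grover ~2^{effective_security_bits(bits, True):.1f}")
```

Three iterations (about π/4·√16) already find the 4-bit key with probability ~0.96, whereas a classical search needs about 8 trials on average; the same scaling turns AES-256 into roughly 2^128 work and AES-128 into roughly 2^64.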
AES-256 Remains Strong
128-bit security is still considered very strong. No known attack, classical or quantum, can recover a key at that security level in any realistic timeframe.
The Nuances
Why “Quantum-Safe” is Oversimplified
- The term is imprecise - It suggests complete immunity, which isn’t accurate
- Security level does decrease - From 256-bit to ~128-bit
- Implementation matters - Side-channel attacks could still be relevant
What’s Actually Recommended
NIST and other bodies recommend:
- Continue using AES-256 for symmetric encryption
- Consider AES-256 over AES-128 for quantum margins
- Focus PQC migration on public-key cryptography
Practical Guidance
- Don’t panic about AES - It’s expected to remain secure
- Do use AES-256 where possible
- Focus your PQC efforts on public-key algorithms (RSA, ECC)
- Understand the nuance - “Quantum-resistant” is more accurate than “quantum-safe”
Verdict: MIXED - AES-256 is expected to remain secure, but the “quantum-safe” label oversimplifies the reality.