The surprising truth is that AES, the gold standard for symmetric encryption today, is already safe against quantum computers, at least for a while.
Let’s see it in action. Imagine you have a secret message, say "Meet me at noon." You want to encrypt it using AES-128. You pick a secret key, perhaps 0123456789abcdef0123456789abcdef.
echo -n "Meet me at noon" | openssl enc -aes-128-cbc -K 0123456789abcdef0123456789abcdef -iv 00000000000000000000000000000000 -out encrypted.bin
This encrypted.bin file now holds your secret. To decrypt it, you’d use the same key and IV (initialization vector). The all-zero IV here only keeps the demo reproducible; in real use every message needs a fresh, unpredictable IV, and an authenticated mode should be preferred over bare CBC.
openssl enc -d -aes-128-cbc -K 0123456789abcdef0123456789abcdef -iv 00000000000000000000000000000000 -in encrypted.bin -out decrypted.txt
cat decrypted.txt
This would output "Meet me at noon". Pretty neat, right?
The concern with quantum computers is their ability to break asymmetric encryption (like RSA) very quickly using Shor’s algorithm. Shor’s algorithm factors large integers exponentially faster than any known classical algorithm, and the difficulty of factoring is the basis of RSA’s security. AES, however, is a symmetric encryption algorithm: it uses the same key for both encryption and decryption, and its security does not rest on factoring or any similar number-theoretic problem.
The primary quantum threat to symmetric encryption comes from Grover’s algorithm. Grover’s algorithm speeds up the search for a specific item in an unsorted database. In the context of cryptography, this "database" is the set of all possible keys, and the search oracle is "does this candidate key decrypt the ciphertext correctly?". A classical computer brute-forcing an AES-128 key would, on average, need to try 2^127 keys. Grover’s algorithm finds the key in roughly the square root of the number of candidates, about 2^64 evaluations of AES.
This is a significant speedup, but it’s quadratic, not exponential like Shor’s algorithm against asymmetric crypto. Doubling the key length squares the size of the key space, which restores the security level that Grover’s algorithm takes away. So, if AES-128 is vulnerable to about 2^64 quantum operations, AES-256 would require about 2^128 quantum operations. Since 2^128 is still an astronomically large number, far beyond the capabilities of even hypothetical future quantum computers, AES-256 remains secure.
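As an added illustration, not part of the original article, the Python below simulates Grover’s search classically over a toy key space and computes the work-factor arithmetic behind the 2^127 / 2^64 figures. The key sizes and target keys are constructed for the demo, and the oracle simply marks the correct key, standing in for a trial decryption.

```python
import math

# Added illustration: Grover's search simulated classically over a toy key
# space, to show where the "square root of the key space" figure comes from.
# The key sizes and target keys below are constructed for the demo.

def work_factor(key_bits: int) -> tuple[int, int]:
    """log2 of the effort to find a key_bits-bit key: classical brute force
    (average, half the key space) vs Grover (square root of the key space)."""
    return key_bits - 1, key_bits // 2          # (127, 64) for AES-128

def grover_iterations(n_bits: int) -> int:
    """Optimal number of oracle calls for a key space of 2**n_bits candidates."""
    return max(1, math.floor(math.pi / 4 * math.sqrt(2 ** n_bits)))

def grover_search(target: int, n_bits: int) -> tuple[int, float, int]:
    """Simulate Grover's algorithm on a classical machine (state vector of 2**n_bits).
    The oracle plays the role of "does this candidate key decrypt the ciphertext?"
    and marks `target`. Returns (most probable key, P(measure target), iterations)."""
    n = 1 << n_bits
    amp = [1.0 / math.sqrt(n)] * n              # uniform superposition over all keys
    iters = grover_iterations(n_bits)
    for _ in range(iters):
        amp[target] = -amp[target]              # oracle: phase flip on the right key
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]     # diffusion: reflect amplitudes about the mean
    probs = [a * a for a in amp]
    best = max(range(n), key=probs.__getitem__)
    return best, probs[target], iters

if __name__ == "__main__":
    for bits in (4, 8, 12):
        key = (0x5A5A5A5A >> (32 - bits)) & ((1 << bits) - 1)   # constructed target key
        best, p, it = grover_search(key, bits)
        print(f"{bits:2d}-bit key space: {it:3d} Grover iterations vs "
              f"{2 ** (bits - 1):5d} classical guesses on average; "
              f"found {best} (correct: {best == key}), P={p:.4f}")
    for bits in (128, 192, 256):
        c, g = work_factor(bits)
        print(f"AES-{bits}: classical ~2^{c}, Grover ~2^{g}")
```

The iteration counts (3, 12, 50 for 4-, 8- and 12-bit key spaces) grow with the square root of the key space, while the classical average grows linearly with it.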
The real problem is that many systems today rely on a hybrid approach: they use fast symmetric encryption (like AES) for the bulk of the data, but use slower asymmetric encryption (like RSA) to securely exchange the symmetric key. This key exchange is where quantum computers pose an immediate and severe threat, because traffic recorded today can be decrypted once the exchange is broken. An attacker who breaks the key exchange recovers the symmetric key and can then decrypt all the AES-encrypted data.
This is why the world is rushing to develop and deploy post-quantum cryptography (PQC). PQC algorithms are designed to be resistant to attacks from both classical and quantum computers. NIST, the U.S. National Institute of Standards and Technology, has been running a multi-year competition to standardize these new algorithms. They’ve selected several algorithms for standardization, including CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium for digital signatures, which are based on lattice-based cryptography. Other approaches include code-based cryptography, hash-based cryptography, and multivariate cryptography.
The reason AES-256 is considered safe against quantum computers, even with Grover’s algorithm, boils down to the nature of the speedup. Grover’s algorithm provides a quadratic speedup. To break AES-128, a quantum computer would need to perform roughly 2^64 operations. This is a lot, but potentially achievable in the distant future. To break AES-256, however, it would need roughly 2^128 operations, a number so large that it’s considered infeasible for any foreseeable quantum computer. In effect, Grover’s algorithm halves the key length in bits, so doubling the key length restores the original security level.
The immediate concern isn’t breaking AES itself, but breaking the mechanisms used to establish AES keys, which are typically based on public-key cryptography vulnerable to Shor’s algorithm. Once that key is recovered, the AES layer offers no protection at all.
The next major hurdle will be migrating existing infrastructure and protocols to use these new post-quantum algorithms for key exchange and digital signatures.