AES-128 stays safe in quantum era

Hot take: this is a useful correction to a widespread but sloppy security meme, and it matters because bad crypto folklore can create real interoperability and compliance pain.

• –Grover’s algorithm gives a quadratic speedup in theory, but practical attacks still face extreme depth, width, and parallelization costs.
• –NIST guidance already treats 128-bit symmetric primitives as sufficient for post-quantum security categories, so key-size churn is not the priority.
• –The operational risk is wasted migration effort: teams may overreact by changing AES/SHA key sizes instead of focusing on broken public-key primitives.
• –CNSA 2.0’s 256-bit symmetric requirement is a policy target, not proof that AES-128 is weakened by quantum computers.
• –For developers, the clean takeaway is to keep symmetric keys as-is unless a specific standard or system profile explicitly demands otherwise.