Contrary to popular superstition, AES-128 is just fine in a post-quantum world

Panic, in the technology industry, has a way of outrunning evidence. Nowhere is this more visible right now than in the corporate scramble to abandon AES-128 encryption in anticipation of quantum computers that, by most credible estimates, remain years or decades from posing a practical threat. The argument for abandoning AES-128 rests on a single theoretical construct — Grover’s algorithm — and a misreading of what that algorithm actually implies. A careful look at the mathematics suggests that enterprises treating AES-128 as a liability are solving the wrong problem at significant cost.

Grover’s algorithm, proposed by computer scientist Lov Grover in 1996, offers a quadratic speedup for searching unsorted databases on a quantum computer. Applied to symmetric encryption, this means a quantum computer could in principle search through the AES-128 key space in roughly as many steps as a classical computer needs to search a 64-bit key space. The leap that many corporate security teams have made — that this renders AES-128 “broken” — does not survive contact with the arithmetic. AES-128 has a key space of 2 to the power of 128. Grover’s algorithm, at best, reduces that to an effective 2 to the power of 64 operations on a quantum machine. Performing 2 to the power of 64 operations, even on a quantum computer of a scale that does not yet exist, would require extraordinary resources and time — far beyond anything feasible in any realistic threat horizon.
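The arithmetic above can be carried through in a few lines. This is an added example, not part of the original article: the iteration rate and the ten-year deadline are assumptions chosen for illustration, and the model ignores error-correction overhead. It also goes one step beyond the paragraph by showing that Grover's search parallelises poorly: splitting the key space across M machines shortens the run by only the square root of M.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def grover_iterations(key_bits, machines=1):
    """Sequential Grover iterations each machine must run when the key space
    is split evenly across `machines` independent quantum computers."""
    return (math.pi / 4) * math.sqrt(2 ** key_bits / machines)

def total_iterations(key_bits, machines=1):
    """Aggregate work across all machines; grows as sqrt(machines)."""
    return machines * grover_iterations(key_bits, machines)

def wall_clock_years(key_bits, iterations_per_second, machines=1):
    """Elapsed time for the search at an assumed per-machine iteration rate."""
    seconds = grover_iterations(key_bits, machines) / iterations_per_second
    return seconds / SECONDS_PER_YEAR

def machines_for_deadline(key_bits, iterations_per_second, deadline_years):
    """Fewest machines that let every machine finish inside the deadline."""
    budget = deadline_years * SECONDS_PER_YEAR * iterations_per_second
    shortfall = grover_iterations(key_bits) / budget
    # Time shrinks only by sqrt(machines), so the count grows as shortfall^2.
    return max(1, math.ceil(shortfall ** 2))

if __name__ == "__main__":
    # ASSUMPTION: one full AES evaluation, run as a quantum circuit, per
    # microsecond on each machine. Illustrative figure, not a measurement.
    RATE = 1e6
    DEADLINE_YEARS = 10  # ASSUMPTION: attacker's time budget

    for bits in (128, 256):
        years = wall_clock_years(bits, RATE)
        print(f"AES-{bits}: {grover_iterations(bits):.3e} sequential "
              f"iterations, {years:.3e} years on one machine")

    fleet = machines_for_deadline(128, RATE, DEADLINE_YEARS)
    print(f"Machines needed to finish AES-128 in {DEADLINE_YEARS} years: "
          f"{fleet:.3e}")
    print(f"Total iterations across that fleet: "
          f"{total_iterations(128, fleet):.3e}")
```

A classical brute-force search divides its running time by the number of machines; here quadrupling the fleet only halves the time while doubling the total work.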

The distinction matters enormously in practice. Asymmetric encryption — the RSA and elliptic-curve algorithms that protect most public-key infrastructure — is genuinely threatened by quantum computing via Shor’s algorithm, which offers exponential rather than quadratic speedup for the specific mathematical problems those systems rely on. That is a real and urgent migration challenge. The US National Institute of Standards and Technology has published post-quantum cryptography standards precisely to address Shor-vulnerable algorithms. AES, being a symmetric cipher, is not among them. NIST explicitly recommends AES-256 for situations requiring the highest security margin, but it has not deprecated AES-128, and for good reason.

“There is a conflation happening in a lot of boardroom conversations between the quantum threat to public-key cryptography and the quantum threat to symmetric encryption,” said Dr. Sana Qureshi, a cryptography researcher affiliated with a leading technology university in the UAE. “They are categorically different threats requiring categorically different responses. Organisations that are migrating away from AES-128 on quantum grounds are consuming engineering resources that would be far better spent replacing RSA and ECDH before those actually become vulnerable.”

The business implications of this confusion are not trivial. AES-128 is deeply embedded in performance-sensitive applications: real-time payment processing, high-throughput database encryption, embedded systems, and IoT devices where computational overhead is a genuine constraint. Migrating to AES-256 doubles the key size and increases encryption overhead — measurably so in constrained environments. For UAE fintech companies processing millions of transactions daily, or for smart city infrastructure deployments across Dubai and Abu Dhabi, the performance costs of an unnecessary migration from AES-128 to AES-256 are real, while the security gain is theoretical and marginal under any plausible quantum threat model.

This is not an argument for complacency. The post-quantum cryptography transition is urgent and enterprises that have not begun migrating their asymmetric key infrastructure are genuinely exposed. Harvest-now-decrypt-later attacks — in which adversaries collect encrypted data today with the intention of decrypting it once quantum computers mature — pose a legitimate near-term risk for data with long confidentiality horizons, such as state secrets, medical records, or long-term financial positions. The guidance from NIST, CISA, and equivalent bodies in the GCC is to prioritise replacing RSA, Diffie-Hellman, and elliptic-curve algorithms with CRYSTALS-Kyber, CRYSTALS-Dilithium, and related post-quantum standards.

What the guidance does not say — and what the evidence does not support — is that AES-128 requires replacement on quantum grounds. The security community’s leading voices have been remarkably consistent on this point. Bruce Schneier, one of the most widely cited cryptographers in enterprise security circles, has noted publicly that organisations conflating the symmetric and asymmetric quantum threats are misprioritising their remediation efforts. The NIST post-quantum project team has echoed similar sentiments in its published documentation.

For CISOs in the Gulf region navigating vendor pressures, board-level anxiety about quantum computing, and genuinely limited engineering bandwidth, the practical message is clarifying: AES-128 is not your quantum problem. Your quantum problem is the public-key infrastructure underpinning your VPNs, your certificate chains, your key exchange protocols, and your digital signatures. Fix those first — and fix them soon, because the migration is complex and time-consuming. AES-128 can wait, not because quantum computing is not coming, but because when it does arrive, AES-128 will still be standing.

The broader lesson here is about the cost of cryptographic panic. Misallocated security spending driven by misunderstood threat models does not make organisations safer — it exhausts finite budgets and engineering capacity on the wrong targets while leaving genuine vulnerabilities unaddressed. In a region where digital infrastructure investment is accelerating rapidly, that kind of misdirection carries compounding costs. Quantum readiness is a serious discipline. It deserves serious analysis, not reflexive reaction to algorithm names that sound threatening without reading the underlying mathematics.
