How long would it actually take to crack modern encryption? We hear "128-bit" and "256-bit" thrown around constantly, but what do these numbers mean in real terms? Let's break down the math with three classes of attackers: the most powerful laptops available today, the world's fastest supercomputers, and quantum computers at various qubit counts.
The Key Space: What You're Up Against
A brute-force attack means trying every possible key until you find the right one. The number of possible keys is determined by the key length:
Key Space Sizes
To put 1077 in perspective: there are roughly 1080 atoms in the observable universe.
On average, a brute-force search succeeds after trying half the key space. But even halving these numbers barely dents the timeline. Let's run the numbers.
Scenario 1: Modern High-End Laptops
The most powerful consumer laptops today (Apple M4 Max, Intel Core Ultra 9, AMD Ryzen 9) can perform roughly 1 billion (109) key tests per second using optimized AES-NI hardware instructions. Some estimates push this to 10 billion with multi-core parallelism, but let's be generous and use 1010.
Laptop vs 128-Bit
The universe is 1.38 × 1010 years old. This is 72 billion times the age of the universe.
Laptop vs 256-Bit
That's a number with 59 zeros. The heat death of the universe is estimated at 10100 years away. Even that timescale doesn't help.
Verdict: Laptops
Even running a billion of the most powerful laptops ever made in parallel (1019 keys/sec combined), 128-bit encryption would still take 1012 years — a trillion years. 256-bit is effectively infinite. No cluster of classical computers will ever brute-force either.
Scenario 2: The World's Most Powerful Supercomputers
Frontier (Oak Ridge National Laboratory) is the world's fastest supercomputer as of 2026, delivering 1.2 exaFLOPS — that's 1.2 × 1018 floating-point operations per second. China's reported exascale machines push similar numbers. Let's assume a hypothetical purpose-built cryptanalytic supercomputer running at 1018 keys/sec.
Supercomputer vs 128-Bit
Still 780× the age of the universe. Not even close.
Supercomputer vs 256-Bit
If every atom in the universe was a supercomputer (1080 machines at 1018 keys/sec each = 1098 keys/sec), it would still take 10-21 × 1077 = 3.7 × 10-22 ... no, wait. 1077 / 1098 = 10-21 seconds. Okay, that would work. But you'd need every atom in the observable universe to be a supercomputer. That's the threshold.
Verdict: Supercomputers
The world's top supercomputer can't brute-force 128-bit encryption even given a trillion years. 256-bit is beyond comprehension. Classical computing is fundamentally incapable of brute-forcing symmetric encryption at 128 bits or above.
Scenario 3: Quantum Computers
This is where it gets interesting. Quantum computers don't just search faster — they use a fundamentally different algorithm. Grover's algorithm provides a quadratic speedup for unstructured search, which effectively halves the key length:
Grover's Algorithm Impact
128-bit key → 264 quantum operations (~1.8 × 1019 operations)
256-bit key → 2128 quantum operations (~3.4 × 1038 operations)
This is why NIST doubled the AES key recommendation from 128 to 256 bits for post-quantum security. 256-bit under Grover's becomes equivalent to 128-bit classical — still unfeasible.
But how fast can a quantum computer execute Grover's iterations? That depends on qubits, error correction, and gate speeds. Let's break it down by qubit tiers.
Current State: 1,000 – 1,500 Qubits (2026)
IBM Condor (1,121 qubits) / Google Sycamore-class
All physical, noisy qubits (NISQ era)
These qubits have high error rates (~10-3 per gate) and decoherence times of ~100 microseconds. They cannot run Grover's algorithm on AES at any meaningful scale. The circuit depth required for a single AES oracle evaluation exceeds what these machines can sustain before errors overwhelm the computation.
Threat to 128-bit AES: None
Threat to 256-bit AES: None
Near-Term: 10,000 – 100,000 Qubits
Projected 2028–2032 era
With improving error rates (~10-4 to 10-6 per gate), this range begins enabling logical qubit extraction. Current estimates suggest roughly 1,000–3,000 physical qubits per logical qubit (using surface codes).
10,000 physical qubits → ~3–10 logical qubits (not enough for AES)
100,000 physical qubits → ~33–100 logical qubits (still far short)
Running Grover's on AES-128 requires an estimated 2,953+ logical qubits for the oracle circuit (AES key schedule + block cipher evaluation + ancilla/workspace qubits).
Threat to 128-bit AES: None
Threat to 256-bit AES: None
Medium-Term: 1 Million Qubits
Projected 2032–2038 era
At 1 million physical qubits with error rates of ~10-6:
~1,000,000 physical → ~330–1,000 logical qubits
Getting closer to the ~2,953 logical qubits needed for AES-128 Grover's, but not quite there. Even if achievable, the clock speed matters. Quantum gate operations run at roughly 1–10 MHz (microsecond-scale gate times). Each Grover iteration on AES requires thousands of sequential gates.
Optimistic estimate: ~103–106 Grover iterations per second
Grover's on 128-bit requires 264 = 1.8 × 1019 iterations:
At 106 iterations/sec: 1.8 × 1013 seconds ≈ 570,000 years
Threat to 128-bit AES: Theoretical but impractical
Threat to 256-bit AES: None (would need 2128 iterations = 1032 seconds ≈ 1025 years)
Far-Future: 10+ Million Qubits
Projected 2040+ era
At 10 million+ physical qubits with near-perfect error correction:
~3,000+ logical qubits achievable — enough to construct the full AES-128 Grover oracle.
With parallelism and improved gate speeds (~100 MHz):
Optimistic: ~108 Grover iterations per second
Grover's on 128-bit: 1.8 × 1019 / 108 = 1.8 × 1011 seconds ≈ 5,700 years
Still thousands of years, but now within the realm of "nation-state might try it for the most valuable target imaginable."
Threat to 128-bit AES: Real but very expensive
Threat to 256-bit AES: None (5,700 years × 1019 more iterations = 1022+ years)
The Complete Comparison Table
| Attacker | Speed | vs 128-bit | vs 256-bit |
|---|---|---|---|
| High-end laptop | 1010 keys/sec | 1021 years | 1059 years |
| 1,000 laptops in parallel | 1013 keys/sec | 1018 years | 1056 years |
| Frontier supercomputer | 1018 keys/sec | 10.8 trillion years | 1051 years |
| All supercomputers combined | 1020 keys/sec | 108 billion years | 1049 years |
| Quantum (1K qubits, 2026) | N/A (can't run) | Impossible | Impossible |
| Quantum (100K qubits, ~2030) | N/A (insufficient) | Impossible | Impossible |
| Quantum (1M qubits, ~2035) | ~106 Grover/sec | ~570,000 years | 1025 years |
| Quantum (10M+ qubits, ~2040+) | ~108 Grover/sec | ~5,700 years | 1022 years |
How Fast Quantum Breaks Today's Standard Encryption
Everything above covers symmetric encryption (AES), where Grover's algorithm only provides a quadratic speedup. But the encryption that actually secures most of the internet today — HTTPS, banking, email, VPNs, digital signatures — relies on public-key cryptography: RSA and Elliptic Curve Cryptography (ECC). Against these, quantum computers wield a far more devastating weapon: Shor's algorithm.
Where Grover's halves the effective key length, Shor's completely destroys the mathematical problems that RSA and ECC depend on. Integer factorization (RSA) and discrete logarithm (ECC/Diffie-Hellman) both collapse to polynomial time on a quantum computer. The speedup isn't 2× — it's exponential.
What "Standard Encryption" Actually Means Today
When you connect to your bank, load a website over HTTPS, or send an encrypted email, here's what's typically protecting you:
- TLS 1.3 (HTTPS): ECDHE key exchange (P-256 or X25519) + AES-256-GCM
- Banking/Financial: RSA-2048 or RSA-4096 certificates + ECC key agreement
- Email (S/MIME, PGP): RSA-2048+ signatures + AES-256 symmetric
- VPN (IPSec/WireGuard): Diffie-Hellman or ECDH key exchange + AES/ChaCha20
- Code signing & certificates: RSA-2048 or ECC P-256 signatures
The pattern is the same everywhere: public-key crypto (RSA/ECC) handles the handshake and key exchange, then symmetric crypto (AES) encrypts the actual data. Shor's algorithm targets the first part — and once the handshake is broken, the symmetric key is exposed.
Shor's Algorithm: The Quantum Wrecking Ball
Shor's algorithm factors large integers and computes discrete logarithms in polynomial time on a quantum computer. Here's what that means for today's standard key sizes:
| Algorithm | Classical Break Time | Logical Qubits Needed | Quantum Break Time |
|---|---|---|---|
| RSA-2048 | ~300 trillion years | ~4,000 | ~8 hours |
| RSA-4096 | Heat death of universe | ~8,000 | ~3.5 days |
| ECC P-256 (ECDSA/ECDH) | ~1031 years | ~2,330 | ~10 minutes |
| ECC P-384 | ~1048 years | ~3,484 | ~30 minutes |
| Diffie-Hellman 2048-bit | ~300 trillion years | ~4,000 | ~8 hours |
| Ed25519 (SSH, WireGuard) | ~1031 years | ~2,330 | ~10 minutes |
Read that table again. RSA-2048 — the algorithm protecting most banking certificates and government systems — goes from 300 trillion years to 8 hours. ECC P-256 — the default curve for HTTPS everywhere — drops from 1031 years to 10 minutes.
The Scale of the Collapse
Classical computers need ~300 trillion years to break RSA-2048. A sufficiently powerful quantum computer does it in 8 hours. That's not a 2× speedup — it's a speedup factor of roughly 1018 (a quintillion times faster). No amount of increasing the RSA key size fixes this. RSA-4096 just buys you days instead of hours. RSA-8192 buys you weeks. The fundamental math is broken.
When Does This Become Real?
The quantum break times above assume a cryptographically-relevant quantum computer (CRQC) with enough error-corrected logical qubits. Here's the timeline based on current hardware roadmaps:
- 2026 (today): ~1,000–1,500 physical qubits. Nowhere near enough. No threat.
- 2028–2030: 10,000–100,000 physical qubits. Still only ~10–100 logical qubits after error correction. No threat to RSA/ECC.
- 2030–2035: 1 million physical qubits. Potentially ~330–1,000 logical qubits. Getting closer but not enough for RSA-2048 (needs ~4,000).
- 2035–2040: 10–50 million physical qubits with improved error rates. 4,000+ logical qubits becomes achievable. RSA-2048 and ECC P-256 are at risk.
- 2040+: 100M+ physical qubits. RSA-2048 broken in hours. ECC P-256 broken in minutes. All classical public-key cryptography is dead.
Harvest Now, Decrypt Later
Here's the part that should worry you today: nation-states are already recording encrypted internet traffic in bulk. The strategy is called "harvest now, decrypt later" (HNDL). Even though quantum computers can't break RSA/ECC yet, any data encrypted today with classical public-key crypto can be stored and decrypted once quantum hardware catches up.
If your data has a secrecy shelf-life longer than ~10–15 years — medical records, financial data, government communications, trade secrets, biometric data — it's already at risk from HNDL attacks right now.
The Real Quantum Threat: Summary
Symmetric encryption (AES-256): Quantum reduces effective security from 256-bit to 128-bit via Grover's. Still takes 1022+ years to break. You're fine.
Public-key crypto (RSA, ECC, DH): Quantum completely obliterates the underlying math via Shor's. RSA-2048 falls in hours, ECC P-256 in minutes. No classical public-key algorithm survives.
The catch: Most "encrypted" connections today (HTTPS, TLS, VPN) use public-key crypto for key exchange. Break the handshake, and the AES key is exposed. The symmetric encryption doesn't help if the key was negotiated using RSA or ECC.
Why H33 Uses 256-Bit Across the Stack
H33's entire authentication pipeline operates at 256-bit security or higher:
- FHE (BFV): 128-bit classical security with lattice-based problems resistant to both Shor's and Grover's
- ZKP (STARK): SHA3-256 hash-based — quantum-resistant by design
- Signatures (Dilithium/ML-DSA): Post-quantum lattice signatures, NIST FIPS 204
- Key Exchange (Kyber/ML-KEM): Post-quantum lattice KEM, NIST FIPS 203
- Attestation: SHA3-256 digests with Dilithium signing
No RSA. No ECC. No algorithms vulnerable to Shor's. The entire pipeline is built for a post-quantum world — today.
The Bottom Line
128-bit symmetric: Safe from all classical computers forever. Theoretical quantum threat only with million+ qubit machines decades away.
256-bit symmetric: Safe from everything — classical and quantum — for the foreseeable lifetime of the universe.
RSA/ECC (any key size): Will eventually fall to quantum. Migrate to post-quantum algorithms now.
H33 does all of this in a single API call, in 1.28 milliseconds. Post-quantum security isn't a future feature — it's production today.
Ready to Go Quantum-Secure?
Start protecting your users with post-quantum authentication today. FHE + STARK + Dilithium in one API call.
Get Free API Key →