AES-128 is safe against quantum computers. SHA-256 is safe against quantum computers. No symmetric key sizes have to change as part of the post-quantum transition. This is a near-consensus opinion amongst experts and standardization bodies and it needs to propagate to the rest of the IT community. The rest of this article backs up this claim both technically and with references to relevant authorities.
Original article: https://words.filippo.io/128-bits/
TL;DR: https://hackaday.com/2026/04/25/quantum-computers-are-not-a-threat-to-128-bit-symmetric-keys/
I’ll keep using AES 256 because why the heck not? The additional cost is a rounding error.
I mean, sure, don’t panic. But also, don’t hit the brakes. You might as well use the best encryption that’s readily available. Encrypted data does not have a short enough or predictable enough lifespan to justify using less than the state of the art.