I'm sure I read somewhere a few weeks ago on HN (unsure if article or comments) that if the world's total electricity output were focussed on this one task, and given it would take 0.5 volts to flip one bit, it would take around 20 years to crack an AES key (I forget whether 128 or 256) or 10 years using a quantum computer. Those are vague numbers from memory, but I think someone actually did the maths. It was mind-bogglingly fascinating; if anyone else remembers and could point me in the right direction... Wish I had bookmarked it.
Let me try to write a similar explanation in my own words...
Many people have absolutely no idea about how powerful exponential growth is, and no idea about how large 2^128 and 2^256 are. The security of symmetric cryptography doesn't depend on the "absolute" computational cost of the algorithm - the security is created by the large number of operations alone, so that even if the cost of a single operation is negligible, the system remains secure.
Let's break some symmetric encryption algorithms.
We assume the hardware required to run a decryption routine is as easy as a binary counter, one of the simplest circuits in digital logic - it just counts numbers. (Of course, a real decryption routine requires much more resources, but let's make it infinitesimal for demonstration purposes.) And it takes one picosecond (10^-12) for each count, so the equivalent clock frequency is 1000 GHz. Let's call this machine "Doomsday Counter (TM)". Built by alien technology, this machine costs 1 dollar.
How long does it take to crack DES (56-bit)? 20 hours. This is what the EFF and distributed.net did in 1999: they used a cracking machine with thousands of ASIC chips and a volunteer team of thousands of PCs. They exposed the U.S. Government's lies about how DES was secure and how it was a threat to national security, and forced NIST to start the AES competition for real security. The victory of the first crypto war.
But how long does the Doomsday Counter take to crack a 64-bit encryption algorithm? 213 days. It's getting much longer, but it's still doable. If you build 213 Doomsday Counter units, you can crack it within a day. Okay, so now we have 213 Doomsday Counter machines and we run them in parallel. The equivalent total clock frequency is 213,000 GHz, or 213 THz, and it costs 213 dollars (thanks to aliens).
Then, how long does it take for our 213 Doomsday Counters to crack 80-bit encryption - which, at the beginning of this century, was still a reasonable standard of security? 180 years. Oops. Clearly, we need to scale up our operations further. Let's get 1 million (10^6) of these Doomsday Counters, which costs us 1 million dollars and is equivalent to 1,000,000 THz, and try again. Then we are able to crack it within... 14 days.
Then, let's try some serious targets - Triple-DES (112-bit) - three layers of 56-bit DES encryption - which was used as a stop-gap solution when DES was broken but AES was not ready yet. Although it's triple, due to mathematics, it's actually only equivalent to two layers of DES, not three, so it's 112-bit. So, how long does it take for our 1 million Doomsday Counters to crack it?
164,646,653 years.
Clearly, 1 million Doomsday Counters, each attempting a trillion keys per second, is not enough. Let's purchase 165 trillion units of Doomsday Counters. Now it costs 165 trillion dollars, more than the GDP of the entire world combined. And don't forget, even a single unit of Doomsday Counter needs alien technology to build. So we are finally able to build a supercomputing center that is able to crack Triple-DES within 365 days.
Now let's do the real challenge - crack AES-128, with 165 trillion units of Doomsday Counters. How long does it take? 65,395 years.
And AES-256?
20,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years.
The end of the story. This is why those people who believe "hardware acceleration" threatens the security of symmetric encryption have no idea about how secure symmetric encryption is.
And for our reference, as an indicator of the current level of human technology - what is the most powerful and most expensive counter human civilization has ever built? The Bitcoin network. Bitcoin miners all over the world currently have a total hashrate of 101,057,457 THz. If all Bitcoin miners were codebreakers (they are not; decryption is more computationally expensive than hashing), their computational power would be roughly equivalent to 101 million Doomsday Counters, capable of breaking a 92-bit encryption key within two years, or a 98-bit encryption key within 100 years.
And all we can say is - it's the upper limit of human civilization. 128-bit encryption is perfectly fine; although we can never be sure whether AES-128 is really 128-bit, we have enough confidence to continue using it for a few decades.
Now introduce quantum computers to this picture. All encryption algorithms will be broken, right? No! Quantum computers would not solve hard search problems instantaneously by simply trying all the possible solutions at once. For quantum computers to solve a problem, the problem must have an exploitable mathematical structure. For example, integer factorization, discrete logarithm over a prime field, and discrete logarithm over an elliptic curve - which are 99% of the public key encryption algorithms we deploy today - all have a structure that can be attacked by Shor's algorithm. If the problem size is O(N), Shor's algorithm only takes O(log(N)^3) steps; it makes the computation logarithmically simpler. This is serious - it effectively "linearized" your exponential growth, making quantum computers exponentially faster! For all practical sizes of the exponent, it will only have a small effect.
But surprisingly, for symmetric encryption, quantum computers don't do much at all! Yes, symmetric encryption has an exploitable mathematical structure as well. Grover's algorithm pointed out that, if you need to invert a black-box function f(x), instead of O(N) operations, on a quantum computer you can do it with only O(sqrt(N)) operations. Thus, AES-128 (2^128) becomes "AES-64" (2^64), and is vulnerable to quantum computers! Looks like a lot, but it's only a small speedup; simply upgrading AES-128 to AES-256 is enough to fix it, and it only makes the existing system 2x slower, not a lot to defend yourself from a quantum machine.
In the subfield of cryptography known as post-quantum cryptography, almost all major works are related to public key cryptography - of all the things you need to worry about with a large quantum computer, symmetric encryption is the least of them.
---
On the flip side, how many resources does it take to store an AES-128 secret key? Two 64-bit integers, or 16 bytes, or 10 English words from a dictionary of 7000 words, or 25 rolls of two 6-sided dice. How about an AES-256 key? Four 64-bit integers, or 32-bit, or 20 English words, or 50 rolls of two 6-sided dice. Also, going from 56-bit DES to 128-bit AES only costs 2.28x more CPU time on your computer. This is the beauty of encryption: a linear increase of resources by the defender corresponds to an exponential increase of resources required by the attacker. So, decrypting a message simply doesn't make sense at all, but hacking (or stealing) your computer does.
This is true as long as the algorithm itself lives up to its security claim, i.e. "it works as advertised": 128-bit AES really has 2^128 possibilities to brute-force, not 2^80 possibilities - which we can never be sure of, and it cannot be proved - but we are fairly confident that any major breakthrough is extremely unlikely. Also, this is why 256-bit AES is standardized despite 128-bit already being much more than enough - cryptographers are one of the most conservative groups of people. And in fact, AES has already been broken, with its keyspace reduced to 126-bit, not 128-bit - which means its keyspace is now only 25% of what it's supposed to be. But if you understand how large 2^126 is, you'll see that it's irrelevant to practical applications.
The most brutal dictators in the world can build guns, bombs, tanks, planes, but they cannot decrypt a message if the key is destroyed, no matter what. It also transcends time - if you had a Commodore 64 in the 80s, you could write an AES-128 encryption routine in MOS 6502 assembly; it would only take a few hours to encrypt a floppy disk, but the disk still remains secure today, and will remain secure tomorrow against the most powerful government in the world. (Unfortunately, most people at that time did not believe 128-bit encryption was necessary - Diffie and Hellman were the biggest advocates of 128-bit encryption and vocal critics of the government's 56-bit DES.)
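The "Doomsday Counter" arithmetic above, written out as a small Python cost model so the numbers in the comment can be reproduced and extended to other key sizes. This is an added example, not code from any commenter in the thread; it assumes the comment's own parameters (one key per picosecond per unit, a 365-day year, full key-space enumeration rather than the expected half, and the quoted Bitcoin hashrate of 101,057,457 THz as a yardstick) and adds a Grover step and a "units needed for a deadline" helper that the comment only implies.

```python
"""Brute-force cost model for the "Doomsday Counter" thought experiment.

Model (constructed, following the thread): each unit tries KEYS_PER_SECOND
candidate keys per second, `units` run in parallel, and a b-bit key means
2**b candidates. A real decryptor costs far more per trial than a counter,
so every figure here is a lower bound on attacker effort, never an estimate
of real hardware.
"""
from fractions import Fraction

KEYS_PER_SECOND = 10**12                  # one trial per picosecond, per unit
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY  # 365-day year, as the comment uses

# Hashrate quoted in the thread (101,057,457 THz), in hashes per second.
# Only a yardstick for "all the compute humanity has pointed at one task".
BITCOIN_HASHES_PER_SECOND = 101_057_457 * 10**12


def crack_seconds(bits: int, units: int, rate: int = KEYS_PER_SECOND) -> Fraction:
    """Seconds to enumerate every key of a 2**bits space with `units` machines.

    Fractions keep the arithmetic exact; 2**256 is far beyond float range
    if handled carelessly, and we want the year counts to be trustworthy.
    """
    if bits < 1 or units < 1 or rate < 1:
        raise ValueError("bits, units and rate must be positive")
    return Fraction(2**bits, units * rate)


def crack_years(bits: int, units: int, rate: int = KEYS_PER_SECOND) -> float:
    """Same search expressed in 365-day years."""
    return float(crack_seconds(bits, units, rate) / SECONDS_PER_YEAR)


def units_for_deadline(bits: int, seconds: int, rate: int = KEYS_PER_SECOND) -> int:
    """Smallest number of units that finishes the full search within `seconds`."""
    return -(-(2**bits) // (seconds * rate))  # ceiling division on integers


def grover_effective_bits(bits: int) -> int:
    """Grover's search turns 2**bits trials into about 2**(bits/2) queries,
    so a b-bit key offers roughly b/2 bits of work against a quantum searcher
    (ignoring the per-query cost of running AES as a quantum circuit)."""
    return bits // 2


def bits_breakable(trials_per_second: int, seconds: int) -> int:
    """Largest key size whose full 2**b search fits in the given budget."""
    total_trials = trials_per_second * seconds
    return total_trials.bit_length() - 1  # floor(log2(total_trials))


def human_time(seconds: Fraction) -> str:
    """Hours, days or years, whichever reads naturally."""
    s = float(seconds)
    if s < SECONDS_PER_DAY:
        return f"{s / 3600:.1f} hours"
    if s < SECONDS_PER_YEAR:
        return f"{s / SECONDS_PER_DAY:.0f} days"
    return f"{s / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    scenarios = [  # (label, key bits, units) in the order the comment walks through
        ("DES", 56, 1), ("64-bit", 64, 1), ("80-bit", 80, 213),
        ("80-bit", 80, 10**6), ("3DES", 112, 10**6), ("3DES", 112, 165 * 10**12),
        ("AES-128", 128, 165 * 10**12), ("AES-256", 256, 165 * 10**12),
    ]
    for label, bits, units in scenarios:
        print(f"{label:8} {units:>18,} units: {human_time(crack_seconds(bits, units))}")
    print("units needed to finish 3DES in a year:",
          f"{units_for_deadline(112, SECONDS_PER_YEAR):,}")
    g = grover_effective_bits(128)
    print(f"AES-128 under Grover ~ {g}-bit work: {human_time(crack_seconds(g, 1))} on one unit")
    print("bits the Bitcoin network could exhaust in 2 years:",
          bits_breakable(BITCOIN_HASHES_PER_SECOND, 2 * SECONDS_PER_YEAR))
    print("bits the Bitcoin network could exhaust in 100 years:",
          bits_breakable(BITCOIN_HASHES_PER_SECOND, 100 * SECONDS_PER_YEAR))
```

The point the table makes visible is the one the comment argues in prose: each extra key bit doubles attacker time while costing the defender nothing, so scaling units by a million moves you only about 20 bits, and the jump from 128 to 256 bits is not "twice as hard" but 2^128 times as hard.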