Bruce Schneier and others[1] have done the math on brute forcing 256 bit keys: even with a perfectly efficient computer using the least amount of energy possible, you would have to deplete the entire energy content of the Sun to just iterate over a 225 bit keyspace once, let alone do anything meaningful with those keys.
It's estimated there are 10^80 atoms [1] in the visible universe, so 2^256 is definitely a huge number. I didn't realize 256 bit brute force was nigh feasible with only a solar system.
I'm a bit surprised the quantum algorithm only gives a polynomial speedup.
It's all down to probabilities, yes our hypothetical attacker could guess your key correctly the first time or within a few years but the chances are so tiny it approaches zero for practical purposes on practical timescales.
quantum computers, at best, divide the bit-strength of a symmetric key like AES in half[1]. Brute forcing a 128 bit key is theoretically possible (in the sense that you can do it if you marshal the entire world energy output to the cause, you could crack 1 key/yr), but not a 5 minute process.
that is assuming that there is no better quantum algorithm for aes specifically. grover's algorithm is only optimal if brute force search is the only possible approach and there are no other exploitable properties.
considering that there already theoretical attacks that (marginally) faster than brute force on classic computers who knows how much more one could squeeze out with quantum algorithms.
It's very obvious how special structure exists in cryptosystems that use finite cyclic groups, such as in discrete log cryptosystems.
But in AES? that sounds unlikely and really unfortunate.
I think it's more likely that large quantum computers would aid in mathmatical exploration that uncovers currently unknown vulnerabilities that could be exploited by classical systems.