
Given that many of our ECC crypto primitives provide "only" 128-bit security when defined over a 256-bit curve due to Pollard-rho, is it then still safe in 2020 to consider 128-bit security safe for the medium term (5-8 years)?

I'm looking for an answer from an energy/thermodynamic POV, given advances in current lithography and GPUs, rather than with regard to a specific cipher; however, for discussion, I consider AES-GCM or Salsa20 as example symmetric ciphers that I use with 128-bit keys.

Bruce Schneier speaks of AES-128 in Cryptographic Engineering as if it’s already broken!

Woodstock

3 Answers


I strongly disagree with saying that AES-128 is broken, in any way, shape or form, and likewise ECC with 256-bit keys. Note that even in this answer by @kelaka regarding AES-128, you would need over 34 million years of the entire bitcoin mining power to carry out a computation of $2^{128}$. This is far from broken. If quantum computers ever happen at scale, it is very very unclear how long it would have to actually run to achieve $2^{64}$ quantum computations for AES-128 (but ECC-256 would be in bigger trouble). Bottom line, these are far from broken. (I don't know what Schneier quote you are referring to, but anyway I completely disagree.)

Yehuda Lindell

As you specifically asked for comparisons of the 128-bit security level with concrete things, here is some food for thought (to complement the other answers):

  • $2^{61} \approx$ SHA-1 chosen-prefix collision (i.e. definitely practical) from the recent SHA-mbles attack.
  • $2^{63} \approx$ the initial SHA-1 collision from the SHAttered attack (which ran over multiple months). (i.e. practical for Google, three-letter agencies, and other large-scale actors.)
  • $2^{66} \approx$ current Bitcoin hashrate per second! (i.e. shows the limits of current computing power)

Notice how the $2^{80}$ level is already attained by the raw computing power leveraged by the Bitcoin network: every ~4.5 hours the Bitcoin network has performed $2^{80}$ SHA computations.

This also means that the 64-bit and 80-bit levels are broken, and we should definitely move away from 64-bit block ciphers. To quote the above-mentioned "SHA-mbles" research:

As a side result, this shows that it now costs less than 100k USD to break cryptography with a security level of 64 bits (i.e. to compute $2^{64}$ operations of symmetric cryptography).

Now, you might have heard of Bruce Schneier, and his book "Applied Cryptography", in which he says:

One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzmann constant. (Stick with me; the physics lesson is almost over.)

Given that $k = 1.38 \times 10^{-16}$ erg/°Kelvin, and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume $4.4 \times 10^{-16}$ ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

Now, the annual energy output of our sun is about $1.21 \times 10^{41}$ ergs. This is enough to power about $2.7 \times 10^{56}$ single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to $2^{192}$. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

But that's just one star, and a measly one at that. A typical supernova releases something like $10^{51}$ ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

Sadly, this is advocating for the security of the 256-bit level, and when converted to the 128-bit level, it just tells us that we would need to use all of the sun's energy for roughly 0.1 nanoseconds in order to flip through all the possible states of a 128-bit counter.

Thermodynamics doesn't really give us impressive comparisons for the 128-bit level, because it is still relatively small.

Lery
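The two kinds of comparison in the answer above (wall-clock time at the Bitcoin network's hashrate, and the kT-per-bit-change energy bound applied to the sun's output) are simple enough to recompute, and doing so makes it easy to plug in other security levels or rates. The following script is an added worked example, not code from the original post or from Schneier's book; it uses only the constants quoted in the answer ($k = 1.38 \times 10^{-16}$ erg/K, 3.2 K, $1.21 \times 10^{41}$ erg/year, $2^{66}$ hashes/s). The function names, the 300 K "room temperature" variant and the `summary` helper are my own assumptions for illustration.

```python
import math

# Constants as quoted in the answer above (erg, kelvin, years); constructed here
# for the example rather than taken from any library.
BOLTZMANN_ERG_PER_K = 1.38e-16      # k, erg per kelvin
CMB_TEMPERATURE_K = 3.2             # ambient temperature of the universe
SUN_ANNUAL_OUTPUT_ERG = 1.21e41     # erg per year
SECONDS_PER_YEAR = 365.25 * 24 * 3600
BITCOIN_HASHRATE_LOG2 = 66          # ~2^66 SHA-256 evaluations per second, as quoted


def landauer_energy_erg(bits, temperature_k=CMB_TEMPERATURE_K):
    """Minimum energy (erg) to perform 2**bits bit changes at temperature_k,
    using the kT-per-bit-change bound the quoted passage relies on."""
    return 2.0 ** bits * BOLTZMANN_ERG_PER_K * temperature_k


def counter_bits_from_energy(energy_erg, temperature_k=CMB_TEMPERATURE_K):
    """Largest counter (in bits) that energy_erg can cycle through: log2(E / kT)."""
    return math.log2(energy_erg / (BOLTZMANN_ERG_PER_K * temperature_k))


def sun_seconds_for_bits(bits, temperature_k=CMB_TEMPERATURE_K):
    """Seconds of the sun's entire output needed to cycle a `bits`-bit counter."""
    sun_erg_per_second = SUN_ANNUAL_OUTPUT_ERG / SECONDS_PER_YEAR
    return landauer_energy_erg(bits, temperature_k) / sun_erg_per_second


def seconds_at_rate(work_bits, rate_log2_per_second=BITCOIN_HASHRATE_LOG2):
    """Wall-clock seconds to perform 2**work_bits operations at 2**rate ops/s."""
    return 2.0 ** (work_bits - rate_log2_per_second)


def summary(work_bits):
    """Collect the comparisons for one security level (hypothetical helper)."""
    secs = seconds_at_rate(work_bits)
    return {
        "bits": work_bits,
        "bitcoin_seconds": secs,
        "bitcoin_years": secs / SECONDS_PER_YEAR,
        "sun_seconds_at_cmb": sun_seconds_for_bits(work_bits),
        # 300 K is an assumed "room temperature" run, not a figure from the answer.
        "sun_seconds_at_room_temp": sun_seconds_for_bits(work_bits, 300.0),
    }


if __name__ == "__main__":
    one_year = counter_bits_from_energy(SUN_ANNUAL_OUTPUT_ERG)
    print(f"one year of the sun: {one_year:.1f}-bit counter")
    print(f"32 years of the sun: {counter_bits_from_energy(32 * SUN_ANNUAL_OUTPUT_ERG):.1f}-bit counter")
    for level in (64, 80, 128, 256):
        s = summary(level)
        print(f"2^{level}: Bitcoin network {s['bitcoin_seconds']:.3g} s "
              f"({s['bitcoin_years']:.3g} years); sun at 3.2 K {s['sun_seconds_at_cmb']:.3g} s; "
              f"sun at 300 K {s['sun_seconds_at_room_temp']:.3g} s")
```

Running it reproduces the 187-bit and 192-bit counters from the quote and the ~4.5 hours for $2^{80}$ at $2^{66}$ hashes/s; for $2^{128}$ it gives a few hundredths of a nanosecond of the sun's output at 3.2 K (the same order as the 0.1 ns stated above) but, at the quoted Bitcoin hashrate, on the order of $10^{11}$ years of wall-clock time, which is the comparison that actually matters for a 5-8 year horizon.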

The current recommendations of the BSI recommend 120 bits of security beyond 2022. And AES-128 is still in their recommendations.

If the current estimate of AES-128 is about 126.1 bits of security, that's still above the threshold. And AES has been subject to a lot of cryptanalysis for many years, so that estimate seems quite strong.

For crypto with keys that are too short, it's quite likely that people are using RSA keys that are too short.

tylo