up:: Quantum Computing MOC

Logical vs Physical Qubits

A physical qubit is a single piece of quantum hardware, one transmon, trapped ion, photon, or neutral atom on a chip, and it’s noisy and error-prone. A logical qubit is a single reliable qubit built by spreading one quantum state across many physical qubits and using quantum error correction to catch and fix their mistakes. The ratio between the two is large: at today’s hardware quality it takes hundreds to thousands of physical qubits to make one trustworthy logical qubit. This is the distinction that lets you read quantum-threat headlines correctly, because the qubit counts vendors announce are physical qubits, and cryptography is only threatened by machines with enough logical ones.

The short version:

  • A qubit on a chip is a physical qubit. It’s fragile and makes frequent errors from decoherence and noise.
  • A logical qubit is many physical qubits woven together with error correction so the group behaves like one qubit that almost never errs. Building one costs hundreds to thousands of physical qubits at current hardware quality.
  • A “1,000-qubit chip” headline is counting physical qubits, so it says nothing on its own about cryptographic risk. Breaking cryptography takes logical qubits.
  • A CRQC, the machine that could run Shor’s algorithm against RSA-2048 or a 256-bit elliptic curve, needs thousands of logical qubits, which translates to millions of high-quality physical qubits. None exists in 2026.
  • The takeaway for reading the news: judge quantum progress by logical qubits, error rates, and demonstrated error correction, not by the raw physical-qubit record.

What’s the difference between a physical qubit and a logical qubit?

Picture writing down one important number by handing a copy to a hundred people instead of trusting a single person to remember it. Any one person might misremember, but if you ask all hundred and take the majority answer, a few mistakes get outvoted and the true number survives. A physical qubit is the single unreliable person. A logical qubit is the whole crowd voting together, engineered so that no small number of errors can change the answer.

The two are different in kind rather than degree:

  1. A physical qubit is the actual quantum hardware, one controllable two-state quantum system. It’s what a fabrication team builds and what a chip’s qubit count refers to. Left alone, it loses its quantum state in a fraction of a second through decoherence, and every operation on it carries a meaningful chance of error.
  2. A logical qubit is an abstraction built on top of many physical qubits. The quantum information is encoded redundantly across the group, and extra physical qubits are constantly measured to detect where errors crept in so they can be corrected without disturbing the stored state. The result behaves like one qubit with an error rate far lower than any of its physical parts.

The count that matters for capability is logical qubits. The count vendors usually publish is physical qubits. Reading the second as if it were the first is the single most common mistake in interpreting quantum news.

Why does one logical qubit need hundreds to thousands of physical qubits?

One logical qubit is expensive because error correction works by redundancy, and driving the error rate low enough for a long computation takes a lot of it. Physical qubits fail often. A useful cryptographic computation runs for a very long, deep sequence of operations, and a single uncorrected error partway through corrupts the whole result. To survive that, the encoding has to catch errors faster than they accumulate, and the more redundancy you add, the lower the residual error rate drops.

The leading scheme for this is the surface code, which lays physical qubits out in a two-dimensional grid where most of them do nothing but watch their neighbors for errors. Adding more layers of this redundancy suppresses the logical error rate further, at the cost of more physical qubits per logical qubit. Under the hardware error rates achievable today, that overhead lands in the range of hundreds to thousands of physical qubits for every single logical qubit, and the harder the computation, the deeper into that range you go.

Source: Austin G. Fowler, Matteo Mariantoni, John M. Martinis, Andrew N. Cleland, “Surface codes: Towards practical large-scale quantum computation,” 2012, arXiv:1208.0928.

A recent real-world demonstration makes the overhead concrete. In 2024, Google’s quantum team ran a surface-code logical qubit built from 101 physical qubits and showed that adding more physical qubits actually lowered the error rate rather than raising it, the first clear sign the approach scales the right way. That milestone produced one logical qubit out of 101 physical ones, which is exactly the ratio problem in miniature.

Source: Rajeev Acharya et al. (Google Quantum AI), “Quantum error correction below the surface code threshold,” Nature, 2024, arXiv:2408.13687.

How does quantum error correction bridge the two?

Quantum error correction is the machinery that turns a pile of noisy physical qubits into a few reliable logical ones, and it’s what makes the whole distinction possible. Classical computers do a simple version of this by keeping redundant copies of a bit and taking a majority vote. Quantum states can’t be copied that way, and you can’t even look at a qubit directly without collapsing it, so the quantum version is subtler.

Here’s the shape of it, without the math:

  1. Encode. One qubit’s worth of information is spread across a block of many physical qubits, so the state lives in the group rather than in any single member.
  2. Watch without looking. Extra physical qubits, sometimes called check or ancilla qubits, are measured continuously. These measurements reveal whether an error occurred and where, without ever revealing or disturbing the protected information itself.
  3. Correct. A classical decoder reads those error checks in real time and works out which correction to apply, so mistakes get cleaned up faster than they pile up.
  4. Stay below the threshold. This only works if the physical qubits are already good enough. Below a certain physical error rate, adding more redundancy keeps driving the logical error rate down. Above it, more qubits just add more noise, and no amount of encoding helps.

That last point is why raw qubit count is a poor gauge of progress. A machine with a huge number of low-quality physical qubits can’t build a single good logical qubit, while a smaller machine with better qubits can. Quality gates capability, and error correction is the bridge only when the hardware is already over that quality bar.

Why doesn’t a “1,000-qubit chip” headline mean cryptography is at risk?

A “1,000-qubit chip” headline is counting physical qubits, and physical qubits, however many, can’t run a cryptographic attack on their own. Breaking RSA or elliptic-curve cryptography with Shor’s algorithm requires a long, deep computation that noisy physical qubits corrupt almost immediately. The attack has to run on logical qubits, and a thousand physical qubits at today’s error rates isn’t even enough to build a handful of logical ones.

So when a qubit-count record lands in the news, the useful follow-up questions are about quality and error correction, not the headline number:

  1. Physical or logical? Almost every announcement means physical unless it specifically says otherwise.
  2. What’s the two-qubit gate error rate? This decides whether error correction can work at all. Below the surface-code threshold it can, above it no count helps.
  3. Have they demonstrated error correction? A logical qubit whose error rate drops as you add physical qubits is the milestone that matters, not the raw total.
  4. How deep a computation can it sustain? Cryptographic attacks need enormous circuit depth, far beyond what current machines hold together.

Progress toward a CRQC is a different thing from progress in quantum computing generally. Quantum-advantage demonstrations run on problem types and qubit counts nothing like a Shor’s attack, so a record there moves the cryptographic clock very little.

How many logical qubits does breaking RSA or ECC actually take?

Breaking real cryptographic key sizes takes thousands of logical qubits, which at today’s overhead means millions of high-quality physical qubits. That gap between a few thousand logical and a few million physical is the entire reason a CRQC doesn’t exist yet. The most-cited peer-reviewed resource estimates:

TargetAttackLogical qubitsPhysical qubitsSource
RSA-2048factoring~6,100~20 million noisyGidney and Ekerå, 2021
RSA-2048factoring (optimized)not statedunder 1 million noisyGidney, 2025
256-bit elliptic curve (ECDSA, ECDH)discrete log~2,330millions after correctionRoetteler et al., 2017

Two things are worth reading off that table. The physical-qubit estimate for RSA-2048 has dropped fast as the engineering improves, from twenty million in a 2019 construction to under a million in a 2025 optimization, so the threshold is a moving research target rather than a fixed wall. And elliptic-curve cryptography needs fewer logical qubits than RSA at comparable classical strength, so ECC falls first against a quantum attacker even though it uses shorter keys.

Sources: Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749. Craig Gidney, “How to factor 2048 bit RSA integers with less than a million noisy qubits,” 2025, arXiv:2505.15917. Martin Roetteler, Michael Naehrig, Krysta M. Svore, Kristin Lauter, “Quantum resource estimates for computing elliptic curve discrete logarithms,” 2017, arXiv:1706.06752.

How close is a machine with enough logical qubits?

The distance is large, and it’s now being measured from real hardware rather than only projected. As of 2026, the leading quantum processors have reached the low thousands of physical qubits, while a CRQC needs those turned into thousands of logical qubits, which is millions of physical qubits away on current overhead. Physical error rates remain too high to build cryptographic-scale logical qubits, and the coherence times and circuit depths needed to run Shor’s to completion are well beyond what today’s machines sustain.

The reality gap has started to show up as direct measurement. A 2026 study analyzed 680 order-finding distributions from IBM quantum systems and characterized exactly when classical post-processing can still recover the correct answer from a noise-distorted quantum result, which puts a hardware-reality floor beneath the timeline forecasts. Current machines are nowhere near threatening RSA-2048, and the size of that distance is now an empirical figure rather than a guess.

Source: Jinwei Yang and Stefano Markidis, “Analysis of Shor’s Algorithm order-finding on noisy quantum hardware,” 2026, arXiv:2605.16074.

None of this is a reason to wait, though, because the migration logic runs on lead time. Encrypted data harvested today is exposed the moment a CRQC arrives (harvest now, decrypt later), a full cryptographic migration across a large estate takes years, and there’s no patch for data already collected. The right response to an uncertain arrival date is to finish migrating before it lands, regardless of exactly when that turns out to be.

Common misconceptions

  • “A 1,000-qubit chip is close to breaking RSA.” Those are physical qubits, and breaking RSA-2048 needs thousands of logical qubits, meaning millions of physical ones. A thousand noisy physical qubits can’t build even a handful of logical qubits at today’s error rates.
  • “More qubits always means more capability.” Quality gates capability. A machine with many low-quality physical qubits can’t make a single reliable logical qubit, while a smaller machine with better qubits can. Above the error-correction threshold, adding qubits just adds noise.
  • “A logical qubit is just a fancy name for a good physical qubit.” They’re different in kind. A logical qubit is an encoded state spread across many physical qubits with active error correction running on top, not one especially clean piece of hardware.
  • “Error correction means the errors go away.” Errors still happen constantly at the physical level. Error correction detects and fixes them faster than they accumulate, so the logical qubit stays reliable while its physical parts keep failing underneath.
  • “Quantum-advantage demos prove a CRQC is near.” Those run on qubit counts and problem types unlike a cryptographic attack, and they don’t require the error-corrected logical qubits a CRQC does. They measure a different kind of progress.

Questions people ask

Do I need physics to understand the difference? No. The whole idea reduces to redundancy. A physical qubit is one unreliable piece of hardware, and a logical qubit is many of them combined with error correction so the group behaves like one reliable qubit. The rest is engineering detail, not physics you need to follow the threat.

Why can’t you just use physical qubits directly for the attack? Because they make errors too often. A cryptographic attack is a long, deep computation, and a single uncorrected error partway through ruins the result. Physical qubits lose their state through decoherence in a fraction of a second, so the computation has to run on error-corrected logical qubits to survive to the end.

How many physical qubits make one logical qubit? At today’s hardware quality, hundreds to thousands, depending on the error-correction code and how low you need the error rate to go. As a concrete data point, Google’s 2024 demonstration used 101 physical qubits to protect a single logical qubit (arXiv:2408.13687), and a cryptographic machine would need that error rate pushed far lower, which costs more physical qubits per logical one.

How many logical qubits does breaking RSA-2048 take? Roughly 6,100 logical qubits in the most-cited peer-reviewed estimate, realized as about 20 million noisy physical qubits in a 2021 construction and under a million in a 2025 optimization (arXiv:1905.09749, arXiv:2505.15917). A 256-bit elliptic curve needs about 2,330 logical qubits, so it falls first (arXiv:1706.06752).

Does a quantum computer with thousands of logical qubits exist yet? No. As of 2026, the largest machines have reached the low thousands of physical qubits and have demonstrated only a small number of logical qubits in the lab. A CRQC needs thousands of logical qubits, which is millions of physical ones, and that’s far beyond current hardware.

When a company announces a qubit record, is it logical or physical? Almost always physical, unless it explicitly says logical. The useful follow-ups are the gate error rate and whether the machine has demonstrated error correction, because those decide whether the physical qubits can ever be turned into logical ones.

Is quantum error correction solved? Not yet. The 2024 below-threshold result showed the approach scales the right way for one logical qubit, which is a real milestone, but going from a single logical qubit to the thousands a CRQC needs is a large, unsolved engineering problem. Error correction working in principle is different from running it at cryptographic scale.

So how should I read a qubit-count headline? Treat the raw number as physical qubits and ask about quality. The questions that matter are the error rate, whether error correction has been demonstrated, and how many logical qubits the machine can hold together. Judge cryptographic risk by logical qubits and error correction, not by the physical-qubit record.


Everything here is the map, given freely. When your team needs the quantum threat timeline translated into what it means for your own systems, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.