up:: Quantum Computing MOC

NISQ (Noisy Intermediate-Scale Quantum)

NISQ, short for Noisy Intermediate-Scale Quantum, is the term for today’s quantum computers: machines with tens to a few hundred qubits that are too noisy and have no full error correction, so they cannot run the long, deep computations needed to break cryptography. The physicist John Preskill coined the term in 2018 to name exactly the era we’re still in. Every headline quantum chip shipping in 2026 is a NISQ device, which is why a record-setting qubit count does not mean encryption is broken. A NISQ machine and a cryptographically relevant quantum computer are different classes of machine, and the whole quantum-risk timeline turns on the distance between them.

The short version:

  • NISQ stands for Noisy Intermediate-Scale Quantum, a term John Preskill introduced in 2018 to describe near-term quantum computers with “a number of qubits ranging from 50 to a few hundred.”
  • The “noisy” part is the key limit. NISQ qubits run “unprotected by quantum error correction,” so errors pile up and cap how deep a computation the machine can finish.
  • Today’s leading chips are NISQ devices, including the ones with 1,000-plus qubits. A high physical-qubit count on a noisy machine is real hardware progress, not proof that a code-breaker is near.
  • A NISQ machine cannot run Shor’s algorithm at cryptographic scale. That attack needs thousands of error-corrected logical qubits, which is millions of high-quality physical qubits, far beyond anything NISQ.
  • The end of the NISQ era comes when machines cross into fault tolerance, meaning enough logical qubits and low enough error rates to run long algorithms reliably. That’s the CRQC threshold, and no such machine exists in 2026.

An everyday way to picture it

Imagine trying to whisper a long, exact message down a line of a few hundred people in a noisy room. Each person hears you a little wrong and passes on a slightly garbled version. Over a short phrase you can still get something usable out the far end. Over a long, precise instruction the errors compound until what comes out is scrambled. A NISQ computer is that line: it has a decent number of qubits, but every operation adds a little noise, and there’s no reliable way to catch and fix the mistakes as they happen. So it can do short, shallow computations and genuinely interesting physics experiments, and it falls apart on the long, deep computation that breaking a real encryption key would require.

What is a NISQ computer?

A NISQ computer is a quantum computer with an intermediate number of qubits and no full error correction, so noise limits it to relatively short computations. John Preskill defined both halves of the name precisely when he introduced it. On the size: “Here ‘intermediate scale’ refers to the size of quantum computers which will be available in the next few years, with a number of qubits ranging from 50 to a few hundred.” On the noise: “‘Noisy’ emphasizes that we’ll have imperfect control over those qubits; the noise will place serious limitations on what quantum devices can achieve in the near term.”

Source: John Preskill, “Quantum Computing in the NISQ era and beyond,” Quantum 2, 79, 2018, arXiv:1801.00862.

The defining feature, the one that decides what a NISQ machine can and can’t do, is the absence of error correction. Preskill is explicit: “When I speak of the NISQ era, I’m imagining quantum computers with noisy gates unprotected by quantum error correction.” That single fact is what separates a NISQ device from the machine that could threaten cryptography. Without error correction, every gate applied to a qubit carries a small chance of error, those errors accumulate as the computation runs, and decoherence erases the fragile quantum state within a fraction of a second. Preskill put a rough ceiling on it: at the error rates he was describing, a circuit much larger than about 1,000 gates gets overwhelmed by noise before it finishes.

Source: John Preskill, “Quantum Computing in the NISQ era and beyond,” Quantum 2, 79, 2018, arXiv:1801.00862.

So NISQ names a stage of maturity rather than a specific machine or vendor. It’s the era of quantum computers that are big enough to be interesting and too noisy to be trusted with a long computation, and in 2026 that’s still where the entire field sits.

Why is a NISQ machine “noisy”?

A NISQ machine is noisy because its qubits are real physical systems that can’t be perfectly isolated or perfectly controlled, and nothing on the machine repairs the resulting errors. Two effects combine:

  1. Decoherence. A qubit holds its quantum state only while it stays isolated, and perfect isolation is impossible. Stray heat, vibration, or electromagnetic ripple leaks the state into the environment, a process called decoherence, and it erases the delicate blend of 0 and 1 within microseconds to seconds depending on the hardware.
  2. Gate error. Every operation on a qubit is a slightly imperfect physical manipulation, so each step in a computation injects a little more error. On today’s leading hardware a two-qubit operation still fails on the order of once in a thousand tries.

A fault-tolerant machine would smother both effects with quantum error correction, spreading one reliable logical qubit across many physical ones and constantly detecting and repairing mistakes. A NISQ machine, by Preskill’s own definition, runs “unprotected” by that machinery. The errors are left to accumulate, which is exactly why the depth of computation a NISQ device can finish is capped. This is the property that governs everything else about NISQ, including whether it can touch your encryption.

Source: John Preskill, “Quantum Computing in the NISQ era and beyond,” Quantum 2, 79, 2018, arXiv:1801.00862.

Can NISQ machines break encryption?

No. A NISQ machine cannot break the public-key cryptography protecting the internet, and it stays far from being able to. Breaking RSA or elliptic-curve cryptography with Shor’s algorithm requires an enormous, deep sequence of operations run without error, and a NISQ device accumulates errors long before such a computation could finish. The most-cited peer-reviewed resource estimate for factoring RSA-2048 puts the circuit at roughly 2.6 billion Toffoli operations over an eight-hour run, against Preskill’s ceiling of around 1,000 gates before noise overwhelms a NISQ computation. The two numbers aren’t in the same universe.

Sources: Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749. John Preskill, “Quantum Computing in the NISQ era and beyond,” Quantum 2, 79, 2018, arXiv:1801.00862.

The gap shows up as much in qubit quality as in qubit quantity. A cryptographic attack needs thousands of error-corrected logical qubits, roughly 6,100 for RSA-2048, and at today’s overhead each logical qubit costs hundreds to thousands of physical qubits, so the real requirement lands in the millions of high-quality physical qubits. NISQ machines have tens to a few hundred qubits with no error correction and zero logical qubits at cryptographic scale. Adding more noisy physical qubits doesn’t close that gap, because the axis that gates a Shor’s attack is error-corrected depth, and a NISQ device has none of it.

Source: Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749.

The same holds for the weaker quantum attack. Grover’s algorithm against symmetric encryption like AES-256 also needs a long, fault-tolerant computation, so a NISQ machine can’t run it at any threatening scale either. For every credible cryptographic attack, the requirement is a fault-tolerant machine, and NISQ is defined by the absence of fault tolerance.

How is NISQ different from a CRQC?

NISQ and a CRQC are different classes of machine, separated by error correction and scale. A NISQ device is what exists now: intermediate qubit count, no error correction, short computations. A CRQC is the threshold machine that could actually derive a private key from a real RSA-2048 or 256-bit elliptic-curve public key, which takes full fault tolerance, thousands of logical qubits, and the circuit depth to run Shor’s to completion. Getting from one to the other is the central unsolved engineering problem of the field.

DimensionNISQ device (today)Fault-tolerant CRQC (needed to break RSA-2048)
Qubit typeNoisy physical qubits, uncorrectedError-corrected logical qubits
Qubit countTens to a few hundred by Preskill’s definition; leading chips have since crossed 1,000 physicalThousands of logical qubits (~6,100 for RSA-2048), meaning millions of physical
Error correctionNone; gates run “unprotected by quantum error correction”Full quantum error correction / fault tolerance
Computation depthCapped near ~1,000 gates before noise overwhelms itBillions of operations (~2.6 billion Toffoli over ~8 hours)
Runs Shor’s at cryptographic scale?NoYes
Exists in 2026?Yes, this is what every quantum chip isNo

Sources: John Preskill, “Quantum Computing in the NISQ era and beyond,” Quantum 2, 79, 2018, arXiv:1801.00862. Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749. Rajeev Acharya et al. (Google Quantum AI), “Quantum error correction below the surface code threshold,” Nature 638, 920-926, 2025, arXiv:2408.13687.

The bridge between the two is quantum error correction crossing its threshold, meaning physical qubits clean enough that adding redundancy makes a logical qubit more reliable instead of noisier. Google demonstrated that below-threshold behavior for a single logical qubit built from 101 physical qubits in 2024, a genuine milestone that also shows the scale of the remaining climb: that result produced one logical qubit, and a CRQC needs thousands.

Source: Rajeev Acharya et al. (Google Quantum AI), “Quantum error correction below the surface code threshold,” Nature 638, 920-926, 2025, arXiv:2408.13687.

Are today’s headline quantum chips NISQ devices?

Yes. Every quantum processor a company has announced through 2026, including the ones with more than 1,000 qubits, is a NISQ device, because none of them has the fault-tolerant error correction that would move it out of the category. IBM’s Condor chip reached 1,121 physical qubits, which sounds like it has left Preskill’s “few hundred” range behind, but those are noisy, uncorrected physical qubits, so by the defining feature of the term the machine is still firmly NISQ.

Source: IEEE Spectrum, “IBM’s Condor Quantum Computer Has Over 1,000 Qubits,” spectrum.ieee.org.

This is the trap in reading quantum headlines. A qubit-count record tells you the machine got wider, and it says almost nothing about whether it got closer to running a cryptographic attack, which depends on error rates and error-corrected depth. When a chip announcement lands, the useful questions are whether the qubits are logical or physical, what the two-qubit error rate is, and whether error correction has been demonstrated. As long as the answers are “physical, too noisy to correct, and no,” the machine is a NISQ device and your encryption is not at risk from it, however large the number in the press release.

What are NISQ computers actually good for?

NISQ machines are useful research tools rather than code-breakers. Preskill framed their value carefully in the founding paper: NISQ devices “will be useful tools for exploring many-body quantum physics, and may have other useful applications,” while cautioning that “the 100-qubit quantum computer will not change the world right away” and should be seen as “a significant step toward the more powerful quantum technologies of the future.” The active research areas include simulating quantum chemistry and materials, certain optimization problems, and early quantum machine-learning experiments, most of it exploratory and none of it a threat to cryptography.

Source: John Preskill, “Quantum Computing in the NISQ era and beyond,” Quantum 2, 79, 2018, arXiv:1801.00862.

For a security professional the takeaway is that NISQ progress and cryptographic risk are two different clocks. A NISQ machine doing something genuinely useful in chemistry is real and important, and it moves the code-breaking timeline very little, because the thing that gates the attack is fault tolerance at scale, which NISQ by definition lacks.

When does the NISQ era end?

The NISQ era ends when machines cross into fault tolerance, meaning enough error-corrected logical qubits and low enough error rates to run long algorithms reliably. Crossing it is a change of category, a genuinely different machine rather than a wider version of the same one, and it’s the same threshold that defines a CRQC for the specific case of cryptographic algorithms. As of 2026 the field is still solidly in the NISQ era. The 2024 below-threshold error-correction result showed the approach scales the right way for one logical qubit, and going from one to the thousands a CRQC needs is a large, unsolved problem.

Source: Rajeev Acharya et al. (Google Quantum AI), “Quantum error correction below the surface code threshold,” Nature 638, 920-926, 2025, arXiv:2408.13687.

Because the crossing date is uncertain, credible expert and government estimates for a CRQC span roughly 2030 to 2040 and beyond, the sound planning move runs on lead time rather than a predicted year. Encrypted data harvested today under harvest now, decrypt later is exposed the moment fault-tolerant machines arrive, a cryptographic migration across a large estate takes years, and there’s no patch for data already collected. The NISQ era being real today is a reason to migrate now, so the work is finished before the era ends.

Common misconceptions

  1. “A 1,000-qubit chip means we’re past the NISQ era.” No. NISQ is defined by the absence of error correction, not by a qubit ceiling. A 1,121-qubit chip with noisy, uncorrected qubits is still a NISQ device.
  2. “NISQ machines can already break weak encryption.” No. Every credible cryptographic attack, including Shor’s and Grover’s, needs a long fault-tolerant computation, and NISQ machines lack the error correction to run one at any threatening scale.
  3. “NISQ is a specific machine or vendor.” No. NISQ names a stage of hardware maturity, the era of noisy, non-error-corrected quantum computers, and it covers every current machine regardless of who built it.
  4. “NISQ is useless, so quantum computing is hype.” No. NISQ devices do genuinely useful physics and chemistry research. They just aren’t cryptographic threats, and confusing the two is the actual source of the hype.
  5. “Once NISQ machines get a few thousand qubits they’ll break RSA.” No. A few thousand noisy physical qubits is not a few thousand logical qubits. Breaking RSA-2048 needs thousands of error-corrected logical qubits, which is millions of physical ones, and no amount of adding noisy qubits substitutes for error correction.
  6. “The NISQ era and the CRQC are on the same track, so more NISQ progress means an imminent CRQC.” Progress in NISQ hardware and progress toward a fault-tolerant CRQC are related but distinct. Crossing into fault tolerance is a change of kind, and that’s the step that actually gates a cryptographic attack.

Questions people ask

What does NISQ stand for? Noisy Intermediate-Scale Quantum. John Preskill coined it in his 2018 paper “Quantum Computing in the NISQ era and beyond.” “Intermediate-scale” refers to a qubit count from 50 to a few hundred, and “noisy” refers to the imperfect control and lack of error correction that limit what the machines can do (arXiv:1801.00862).

Who coined the term NISQ and when? The physicist John Preskill introduced it in a 2018 paper published in the journal Quantum, based on a keynote he gave in 2017. The term stuck because it named the exact stage of quantum computing the field was entering and still occupies (arXiv:1801.00862).

Is a NISQ computer the same as a quantum computer? It’s the kind of quantum computer that exists today. All current quantum computers are NISQ devices: they’re real quantum machines, but noisy and without error correction. A fault-tolerant quantum computer, the kind that could break cryptography, would be a different and much harder-to-build class that doesn’t exist yet.

Can a NISQ machine run Shor’s algorithm at all? Only on toy inputs, never at cryptographic scale. Demonstrations have factored tiny numbers, but scaling to a real RSA-2048 key needs roughly 2.6 billion operations run without error, against a NISQ ceiling near 1,000 gates before noise overwhelms the result. The gap is why a NISQ machine poses no cryptographic threat (arXiv:1905.09749, arXiv:1801.00862).

How many qubits does a NISQ computer have? Preskill’s definition put the range at 50 to a few hundred, and hardware has since pushed past that on the physical-qubit axis, with IBM’s Condor reaching 1,121 (spectrum.ieee.org). The count matters less than the fact that those qubits are noisy and uncorrected, which is what keeps the machines in the NISQ category.

What’s the difference between NISQ and fault-tolerant quantum computing? Fault-tolerant machines use quantum error correction to build reliable logical qubits that can run long computations, while NISQ machines run their raw physical qubits with no such protection. That difference is the whole gap between the quantum computers we have and the ones that could threaten encryption.

If NISQ can’t break encryption, why migrate to post-quantum cryptography now? Because migration takes years and the threat clock runs on your data, not the hardware. Data harvested today under harvest now, decrypt later is exposed the moment a fault-tolerant machine arrives, and there’s no way to protect information already collected. Finishing the migration before the NISQ era ends is the only way to stay ahead of it.

Does the current lack of a code-breaking machine mean quantum risk is overblown? No. The honest read sits in between. NISQ machines can’t break cryptography today, and the long-run threat from fault-tolerant machines is real enough that standards bodies have already published post-quantum replacements. The overblown part is timing claims that treat a noisy qubit-count record as if a code-breaker were imminent.


Everything here is the map, given freely. When your team needs the difference between a NISQ headline and real cryptographic risk translated into a plan for your own systems, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.