up:: The Threat MOC
Quantum Computing
A quantum computer is a machine that stores and manipulates information using the rules of quantum physics, which lets it work through many possibilities at the same time in a way an ordinary computer cannot. That ability, aimed at the right math problem, is what threatens the public-key cryptography protecting nearly all digital communication. This pillar walks you from the single qubit up to a machine big enough to break RSA, but only as far as you need to see why the threat is real, why it isn’t here yet, and why a “1,000-qubit chip” headline says almost nothing about your risk. No math required.
Map of content
A short overview of how a quantum computer works, and the index that routes you to every note in this section. Skim it to get oriented, then follow the links to go deep.
The short version:
- The unit of a quantum computer is the qubit. A normal bit is always 0 or 1; a qubit holds a blend of 0 and 1 at once through superposition, and reading it collapses that blend to a single value.
- Entanglement links qubits so they act as one connected system, and that coordination is where the real computing power comes from. Neither property, on its own, lets the machine “try every answer at once” in any way you can use.
- Qubits are extremely fragile. Decoherence destroys their quantum state in a fraction of a second, so the raw count of qubits a chip holds is a poor gauge of how close it is to breaking cryptography.
- The number that matters is logical qubits (error-corrected and trustworthy), not the physical qubits vendors announce. Breaking RSA-2048 needs roughly 6,100 logical qubits, which today means on the order of a million or more physical ones.
- A machine that large and stable, a cryptographically relevant quantum computer, doesn’t exist in 2026. The reason to act early is lead time, because harvested encrypted data (harvest now, decrypt later) is exposed the day one turns on, and migration takes years.
An everyday way to picture it
Think of an ordinary computer as a row of light switches, each one firmly up or down, on or off. Every calculation is a pattern of switches, checked one setting at a time. A quantum computer replaces those switches with spinning coins. While a coin spins, it carries both faces at once, and a row of spinning coins carries an enormous number of head-and-tail patterns together. Here’s the catch, and it’s the whole story: the instant you slap a coin flat to read it, it’s just one face, and the spin is gone. So the cleverness all has to happen while the coins are still spinning, arranging them so that when they finally land, the pattern you want is the one most likely to appear. Keeping the coins spinning without the room bumping the table is the hardest problem in the field, and it’s why a code-breaking quantum computer is still years away.
What is a quantum computer?
A quantum computer is a machine that represents information in quantum states and processes it with the laws of quantum mechanics, so it can solve a small number of specific problems dramatically faster than any ordinary computer. NIST frames the payoff directly: a quantum computer “takes advantage of the quantum world’s counterintuitive properties, which enable a bit of data to act as both a 0 and 1 at the same time, to make calculations that would be difficult or impossible on a conventional computer.”
Source: NIST, “What Is Post-Quantum Cryptography?”, nist.gov.
The important word is specific. A quantum computer is a fundamentally different kind of machine, and it wins big only on a handful of problems that carry the right hidden structure, while ordinary computing stays faster for almost everything else. One of those handful of problems happens to be the math that public-key cryptography rests on. For a security professional, that single overlap is the entire reason quantum computing matters: it’s a targeted threat to one particular layer of your defenses.
Every quantum computer, whatever it’s built from, comes down to four moving parts:
- Qubits, the quantum unit of information, which hold superposition instead of a single fixed value.
- Entanglement, which links qubits so the machine computes on the whole connected group at once.
- A circuit of quantum gates, the ordered sequence of operations that steers the qubits toward an answer.
- Measurement, the final read-out that collapses the qubits back into ordinary bits you can see.
The rest of this page builds those pieces up one at a time, then shows why turning them into a cryptographic weapon is so much harder than a qubit-count press release makes it sound.
Why is a quantum computer different from a normal computer?
The core difference is what a single unit of information is allowed to hold. A classical bit is a switch pinned to one of two values, 0 or 1. A qubit obeys quantum rules, so before you read it, it can hold a weighted combination of 0 and 1 at once, a state called superposition. The moment you measure it, that combination collapses to a single definite answer and the blend is gone.
| Property | Classical bit | Qubit |
|---|---|---|
| Possible states | Exactly one value, 0 or 1 | A weighted blend of 0 and 1 at once, until measured |
| Combining many | N bits hold one of 2^N patterns at a time | N qubits hold a blend across all 2^N patterns at once |
| Reading it | You can read and copy it freely without disturbing it | Measuring collapses the blend to a single 0 or 1, and the state can’t be copied |
| Stability | Stable for years in ordinary memory | Fragile, lost to decoherence in a fraction of a second |
Source: NIST, “Quantum Computing Explained,” nist.gov.
The second row is where the power lives. NIST’s own example: “Three qubits can contain eight combinations; four qubits, 16 combinations and so on,” and the count doubles with every qubit you add, so a few hundred qubits in superposition could in principle represent more combinations than there are atoms in the observable universe. That staggering scale is the honest source of the excitement about quantum computing, and, as the next section shows, it’s also the source of the field’s most stubborn misconception.
Source: NIST, “Quantum Computing Explained,” nist.gov.
How does a quantum computer actually compute?
A quantum computer builds a superposition, links qubits with entanglement, steers them with a circuit of gates so that the right answers reinforce and the wrong ones cancel, and only then measures. That middle step, the steering, is what separates a real quantum computer from an extremely expensive random-number generator, and it’s the piece the popular “tries everything at once” description leaves out.
Here’s the shape of it, with no math:
- Load a superposition. Put the qubits into a blend that represents every candidate answer at the same time. This is the parallelism people get excited about, and on its own it’s useless, because measuring it just returns one random candidate.
- Entangle and operate. Entanglement links the qubits so an operation acts across the whole connected register, not one qubit at a time. This is where a quantum computer does work a classical machine can’t cheaply copy.
- Make the answer interfere into view. Quantum states behave like waves, so their amplitudes can add up or cancel out. A good algorithm arranges this interference so the wrong answers cancel each other and the right answer reinforces, before anything is measured.
- Measure. Reading the qubits collapses the blend to a single outcome. Because the interference was arranged first, that outcome is very likely the answer you wanted.
The catch that keeps everyone honest is step 4. Scott Aaronson, one of the field’s clearest explainers, puts it plainly: “if you look at an equal superposition of all possible answers, the rules of quantum mechanics say you’ll just see and read a random answer.” The speed comes from choreographing interference so the answer survives measurement, and the hard part is that you have to design that cancellation without knowing the answer in advance. Only certain problems have enough hidden structure to allow it, which is exactly why quantum speed-ups are rare and specific rather than universal.
Source: Scott Aaronson, “Why Is Quantum Computing So Hard to Explain?”, Quanta Magazine, June 8 2021, quantamagazine.org.
Why are qubits so fragile?
Qubits are fragile because a quantum state stays quantum only while it’s isolated, and perfect isolation is impossible. Every stray photon, vibration, magnetic ripple, or bit of heat that touches a qubit leaks information about its state into the surroundings, which quietly destroys the delicate 0-and-1 blend and drags the qubit back toward an ordinary value. That process is decoherence, and it’s the single biggest obstacle to building a useful quantum computer.
The window a qubit survives before decoherence wrecks it is its coherence time, and it’s short. On Google’s Willow superconducting processor, one of the most advanced chips publicly demonstrated, the qubits average a coherence time near 100 microseconds. Trapped-ion hardware holds a state far longer but operates much more slowly, so no single design has won. Either way, a physical qubit can run only a few thousand operations before decoherence and gate errors turn its output into noise.
Source: Google Quantum AI, “Meet Willow, our state-of-the-art quantum chip,” December 9 2024, blog.google.
This is the fact that governs the whole threat. Breaking cryptography needs a long, deep computation, and a single uncorrected error partway through ruins the answer. A qubit that decoheres after a few thousand operations can’t get anywhere close on its own. The only known way around it is quantum error correction, and the price of that correction is the reason a code-breaking machine is so hard to build, covered next.
What’s the difference between a logical qubit and a physical qubit?
A physical qubit is a single piece of quantum hardware, one noisy, error-prone unit on a chip. A logical qubit is a single reliable qubit built by spreading one quantum state across many physical qubits and using error correction to catch and repair their constant mistakes. The gap between the two is enormous, and it’s the distinction that lets you read quantum-threat headlines correctly.
The picture, without the math: imagine writing down one important number by handing a copy to a hundred people instead of trusting one person to remember it. Any single person might misremember, but if you poll all hundred and take the majority, a few mistakes get outvoted and the true number survives. A physical qubit is the one unreliable person. A logical qubit is the whole crowd voting together, engineered so no small number of errors changes the answer.
The overhead is steep. Under the surface code, the leading error-correction scheme, building one logical qubit reliable enough to run a hard algorithm takes roughly 1,000 to 10,000 physical qubits, depending on how noisy the hardware is.
Source: Austin G. Fowler, Matteo Mariantoni, John M. Martinis, Andrew N. Cleland, “Surface codes: Towards practical large-scale quantum computation,” Physical Review A 86, 032324, 2012, arXiv:1208.0928.
A real 2024 milestone makes the ratio concrete. Google’s quantum team encoded one logical qubit in a distance-7 surface code built from 101 physical qubits, and showed that adding more physical qubits actually lowered the logical error rate rather than raising it, the first clear sign the approach scales the right way. That result produced one logical qubit out of 101 physical ones, which is the whole ratio problem in miniature.
Source: Rajeev Acharya et al. (Google Quantum AI), “Quantum error correction below the surface code threshold,” Nature 638, 920-926, 2025, arXiv:2408.13687.
The count that matters for capability is logical qubits. The count vendors publish is physical qubits. Reading the second as if it were the first is the single most common mistake in interpreting quantum news, and the full treatment lives in Logical vs Physical Qubits.
How many qubits does it take to break encryption?
Breaking real cryptographic key sizes with Shor’s algorithm takes thousands of error-corrected logical qubits, which at today’s overhead means on the order of a million or more high-quality physical qubits. That gap between a few thousand logical and a few million physical is the entire reason no code-breaking quantum computer exists yet. The most-cited peer-reviewed resource estimates:
| Target | Attack | Logical qubits | Physical qubits (with error correction) | Runtime | Source |
|---|---|---|---|---|---|
| RSA-2048 | factoring | ~6,100 | ~20 million noisy | 8 hours | Gidney and Ekerå, 2021 |
| RSA-2048 (optimized) | factoring | not stated | under 1 million noisy | under 1 week | Gidney, 2025 |
| 256-bit elliptic curve (ECDSA, ECDH) | discrete log | ~2,330 | millions after correction | not stated | Roetteler et al., 2017 |
Sources: Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749. Craig Gidney, “How to factor 2048 bit RSA integers with less than a million noisy qubits,” 2025, arXiv:2505.15917. Martin Roetteler, Michael Naehrig, Krysta M. Svore, Kristin Lauter, “Quantum resource estimates for computing elliptic curve discrete logarithms,” 2017, arXiv:1706.06752.
Two things are worth reading off that table. The physical-qubit estimate for RSA-2048 has dropped fast as the engineering improves, from twenty million in a 2019 construction to under a million in a 2025 optimization, so the threshold is a moving research target rather than a fixed wall. And elliptic-curve cryptography needs fewer logical qubits than RSA at comparable classical strength, so ECC falls first against a quantum attacker even though it uses shorter keys.
Now set that against where the hardware actually is. As of 2026, the largest superconducting processors have crossed 1,000 physical qubits, with IBM’s Condor chip reaching 1,121, and those are noisy, uncorrected physical qubits, not the error-corrected logical ones a cryptographic attack requires.
Source: IEEE Spectrum, “IBM’s Condor Quantum Computer Has Over 1,000 Qubits,” spectrum.ieee.org.
Why isn’t a code-breaking quantum computer here yet?
Because the distance between a thousand-ish noisy physical qubits today and the millions of high-quality ones an attack needs, all error-corrected into thousands of logical qubits, is genuinely vast, and every axis of it is a hard, unsolved engineering problem. A cryptographically relevant quantum computer has to deliver several things at once:
- Enough logical qubits. Thousands of error-corrected logical qubits, each built from a large multiple of physical ones, so the physical count lands in the millions.
- Low enough error rates. The physical qubits have to be clean enough to sit below the error-correction threshold, where adding redundancy makes a logical qubit more reliable rather than more noisy.
- Enough depth and stability. The machine has to keep a computation coherent across a circuit billions of operations deep, which a 2021 estimate put at roughly 2.6 billion Toffoli gates over an eight-hour run for RSA-2048.
Because of all that, credible expert and government estimates for a CRQC still span roughly 2030 to 2040 and beyond. A qubit-count record on a noisy machine is real hardware progress and still nowhere near a cryptographic threat, because it advances width while the axis that actually gates a Shor’s attack, depth run under error correction, barely moves. Progress toward a CRQC is a separate thing from progress in quantum computing generally.
Source: Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749.
Why does this threaten cryptography?
It threatens cryptography because one specific quantum algorithm, Shor’s algorithm, solves the exact math problems that public-key cryptography relies on. RSA hides its private key inside the difficulty of factoring a huge number; elliptic-curve systems hide theirs inside a discrete-logarithm problem. Those problems are so slow for a classical computer that the security holds, and Shor’s algorithm, running on a large enough quantum computer, converts them into a fast period-finding problem the machine can solve in hours. The moment that happens, key exchange, digital signatures, and the certificates behind PKI and TLS lose their guarantee.
The damage is targeted rather than total. Symmetric encryption like AES-256 and hash functions like SHA-256 face only Grover’s algorithm, a much weaker quantum attack that a longer key or digest handles, so those survive the quantum era with minor adjustments. The whole migration is about replacing the public-key layer, and the replacements are covered in the new standards.
The reason this is urgent well before any machine exists is lead time. Encrypted data recorded today under harvest now, decrypt later is exposed the day a CRQC turns on, a full cryptographic migration across a large estate takes years, and there’s no patch for data already collected. Mosca’s theorem turns that into a simple arithmetic of deadlines, and the whole picture of how close the machine is lives in the risk models.
Common misconceptions
- “A 1,000-qubit machine is close to breaking RSA.” Those are noisy physical qubits. Breaking RSA-2048 needs thousands of error-corrected logical qubits, each built from roughly 1,000 to 10,000 physical ones, so the real requirement is in the millions of physical qubits.
- “A quantum computer tries every answer at once and reads out the best one.” Measuring a superposition of every answer returns one random answer. The useful result comes from interference arranged before measurement, and only some problems allow it.
- “A qubit is just a faster bit.” A bit stores one definite value; a qubit stores a tunable blend of 0 and 1 until measured. The parallelism that comes from that blend, across many entangled qubits, is something a classical bit fundamentally can’t do.
- “Quantum computers will break all encryption.” They threaten public-key cryptography through Shor’s algorithm. Symmetric ciphers and hashes stay standing, facing only the weaker Grover’s algorithm, which a bigger key defeats.
- “More qubits always means more cryptographic risk.” Adding physical qubits without lowering the error rate enough to build logical qubits leaves the axis that actually gates a Shor’s attack roughly where it was. Quality gates capability, not raw count.
- “Entanglement lets a quantum computer send or compute faster than light.” Entanglement produces correlations, and correlations alone carry no controllable message. It’s a computing resource, not a faster-than-light channel.
Questions people ask
Do I need physics to understand quantum computing? No. For security purposes you need a few ideas: a qubit holds a blend of 0 and 1 until measured, many qubits hold many combinations at once, measurement returns just one of them, and the blend is fragile. That’s enough to see why the threat is aimed at specific algorithms and why a code-breaking machine is hard to build. The math underneath doesn’t change any decision you’d make.
Does a quantum computer that can break encryption exist yet? No. The largest machines today hold on the order of 1,000 noisy physical qubits (spectrum.ieee.org), while breaking RSA-2048 needs thousands of error-corrected logical qubits, meaning on the order of a million or more physical ones (arXiv:1905.09749, arXiv:2505.15917). That machine is a CRQC, and none exists in 2026.
Why can’t you just keep adding qubits until RSA breaks? Because a cryptographic attack is a long, deep computation, and every noisy qubit adds error along the way. Past a point, more physical qubits without lower error rates make the machine bigger, not more capable of finishing a Shor’s computation cleanly. You need error-corrected logical qubits, and those cost a large multiple of physical qubits each.
How many qubits does it take to break RSA-2048? Roughly 6,100 logical qubits in the most-cited peer-reviewed estimate, realized as about 20 million noisy physical qubits in a 2021 construction and under a million in a 2025 optimization (arXiv:1905.09749, arXiv:2505.15917). A 256-bit elliptic curve needs about 2,330 logical qubits, so it falls first (arXiv:1706.06752).
Which cryptography does a quantum computer actually break? Public-key cryptography (RSA, Diffie-Hellman, and elliptic-curve systems) through Shor’s algorithm, once a CRQC exists. Symmetric encryption and hashing face only Grover’s algorithm, a much weaker attack, so AES-256 and SHA-384 stay safe with a larger parameter.
When will a code-breaking quantum computer arrive? Nobody knows exactly, and honest estimates span a range rather than a date. Credible expert and government forecasts land roughly between 2030 and 2040 and beyond, and the resource estimates keep dropping as the engineering improves, which is why the sound approach plans around lead time instead of betting on a single year. Mosca’s theorem is the tool for turning that uncertainty into a deadline.
If a quantum computer is years away, why worry now? Because the timeline that matters is your data’s, not the hardware’s. Encrypted traffic captured today under harvest now, decrypt later is exposed the moment a CRQC exists, and a migration across a large estate takes years, so the work has to be finished before the machine arrives, whenever that turns out to be.
Is quantum computing just hype, then? No, and the honest read sits in between. The hardware is advancing genuinely, and a qubit really can do things a bit can’t, so the long-run cryptographic threat is real and standards bodies are already acting on it. What’s overstated is nearness, because a qubit-count headline on a noisy machine is a long way from a CRQC, and the two shouldn’t be confused.
Go deeper
The building blocks: Qubit · Superposition · Quantum Entanglement · Quantum Measurement · No-Cloning Theorem · Quantum Decoherence · Logical vs Physical Qubits · Quantum Error Correction · Quantum Fidelity · Quantum Circuit · NISQ (Noisy Intermediate-Scale Quantum)
Why a code-breaking machine is so hard to build: The Threshold Theorem (why staying below a fixed error rate makes long computation possible and forces millions of physical qubits), Magic State Distillation (why the non-Clifford gates dominate the resource cost), and Quantum Hardware Modalities (superconducting vs trapped-ion vs photonic vs neutral-atom, judged against the DiVincenzo criteria).
What turns it into a threat: Shor’s Algorithm breaks public-key cryptography, with the Quantum Fourier Transform (QFT) as the period-finding subroutine at its heart, Grover’s Algorithm only dents symmetric, and the machine that could run either at scale is the Cryptographically Relevant Quantum Computer (CRQC).
The evidence base under the timeline: Quantum Resource Estimation (how many physical qubits and hours to break RSA-2048 and ECC, honestly presented as a falling range), Quantum Volume and Benchmarking (why raw qubit counts mislead and what QV and CLOPS actually measure), and Quantum Advantage and Quantum Supremacy (the terms, the 2019 Google claim and the walk-backs, and why none of it means cryptography is broken).
The vendor plans, read against the hype filter: Quantum Hardware Roadmaps walks the published roadmaps of IBM (Starling), Google (Willow), IonQ, and Quantinuum, weighting demonstrated milestones over the forward-looking target years that slip, and shows why even a first fault-tolerant machine is far short of a CRQC.
The annealer question: Quantum Annealing and the D-Wave Question explains why a quantum annealer like D-Wave’s is an analog optimizer that can’t run Shor’s algorithm, why its thousands of qubits don’t compare to gate-model logical qubits, and why the recurring “annealer factored a number” and “close to RSA” headlines don’t scale to real keys.
How the threat gets measured and timed: the risk models, Mosca’s Theorem, the quantum threat timeline, and Harvest Now, Decrypt Later (HNDL).
What replaces the broken cryptography: the new standards and crypto-agility.
Field notes: How to Tell Real Quantum Progress From Hype (a board-grade checklist for reading a quantum headline, physical vs logical qubits, fidelity over qubit count, NISQ vs a CRQC, peer review vs press release).
Everything here is the map, given freely. When your team needs the qubit-count reality translated into a risk picture and a dated plan for your own systems, that’s the work I do. Request an alignment briefing.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.