up:: Quantum Computing MOC

Quantum Error Correction

Quantum error correction (QEC) is the machinery that combines many noisy physical qubits into a single reliable logical qubit, so a quantum computation can survive long enough to finish. Physical qubits fail constantly, losing their fragile quantum state to decoherence and picking up errors on every operation, and a long calculation would dissolve into noise without protection.

Classical computers protect data by copying a bit and taking a majority vote, but the no-cloning theorem forbids that trick for quantum states, so QEC uses entanglement and a technique called syndrome measurement to catch and repair errors without ever reading the protected information directly. It works, and it’s expensive: each logical qubit costs on the order of a thousand physical ones, which is exactly why the machine that could break RSA sits in the millions-of-qubits range that no hardware is close to.

The short version:

  • A physical qubit on a chip is noisy and errs often. A logical qubit is many physical qubits woven together with error correction so the group behaves like one qubit that almost never errs.
  • You can’t just copy a qubit and vote, the way classical error correction does, because the no-cloning theorem forbids copying an unknown quantum state. QEC gets around this with entanglement and syndrome measurement, which detect errors without reading the data.
  • The leading scheme is the surface code, which lays physical qubits in a grid where most of them do nothing but watch their neighbors for errors.
  • The overhead is steep. Building one cryptographic-grade logical qubit takes roughly 1,000 to 10,000 physical qubits (Fowler et al. 2012), and a Shor’s-algorithm attack needs thousands of logical qubits, so the physical count lands in the millions.
  • That overhead is the bottleneck to breaking RSA. It’s why estimates for cracking RSA-2048 call for on the order of a million or more physical qubits, and why a cryptographically relevant quantum computer doesn’t exist in 2026.

An everyday way to picture it

Imagine writing down one important number by handing a copy to a hundred people instead of trusting one person to remember it. Any single person might misremember, but if you poll all hundred and take the majority, a few mistakes get outvoted and the true number survives. A physical qubit is the one unreliable person, and a logical qubit is the whole crowd voting together, engineered so no small number of errors can change the answer. The wrinkle that makes the quantum version hard is that you’re not allowed to ask any one person what they wrote, because looking at a qubit destroys it. So quantum error correction has to figure out where a mistake happened by asking clever indirect questions (“do these two agree with each other?”) that reveal the error without ever revealing the number itself.

What is quantum error correction?

Quantum error correction is a set of techniques that protect quantum information by spreading one qubit’s worth of data across many physical qubits and continuously repairing the errors that decoherence and imperfect operations introduce. The goal is a logical qubit, an encoded qubit whose error rate is far lower than any of the physical qubits it’s built from, reliable enough to run a long computation to a trustworthy answer.

The need for it comes straight from the hardware. A physical qubit holds its quantum state only briefly before decoherence erases it, and every gate applied to it carries a meaningful chance of error, still on the order of once in a thousand tries for a two-qubit operation on today’s best machines. A useful cryptographic computation runs an enormous sequence of operations, and a single uncorrected error partway through corrupts the whole result. So the raw hardware can’t get there on its own, and QEC is the only known way to bridge the gap between the qubits that exist and a computation deep enough to matter.

Source: Austin G. Fowler, Matteo Mariantoni, John M. Martinis, Andrew N. Cleland, “Surface codes: Towards practical large-scale quantum computation,” Physical Review A 86, 032324, 2012, arXiv:1208.0928.

The concept isn’t new to computing. Classical systems have used error-correcting codes for decades to move data reliably over noisy channels and store it on imperfect media. What makes the quantum version its own hard problem is that the two tricks classical codes lean on, copying a bit and inspecting it to check, are both off the table for qubits, which is the next section.

Why can’t you just copy a qubit to protect it?

You can’t copy a qubit because the no-cloning theorem, a basic law of quantum mechanics, proves that no operation can make an exact copy of an unknown quantum state. Classical error correction depends entirely on copying: store a bit three times, and if one copy flips, the other two outvote it. That whole strategy is unavailable for quantum information, so QEC had to be invented from a different starting point.

Two quantum facts block the classical approach, and the workaround handles both:

  1. No copying. The no-cloning theorem forbids duplicating an unknown qubit, so the triple-redundancy majority vote can’t be done directly. Instead, QEC entangles one qubit’s information across a block of physical qubits, spreading the state through the group without ever cloning it.
  2. No peeking. Measuring a qubit collapses its superposition to a single 0 or 1 and destroys the quantum information. So you can’t check a qubit’s value to see whether it drifted. QEC gets around this with syndrome measurement: it measures relationships between qubits (whether certain pairs still agree) rather than the qubits themselves, which reveals where an error struck while leaving the protected data untouched.

That second idea is the clever core of the whole field. By asking only “did these qubits stay consistent with each other?” the correction machinery learns exactly enough to fix an error and nothing that would collapse the state it’s protecting. The information about what went wrong leaks out; the information being protected stays sealed.

How does quantum error correction actually work?

Quantum error correction runs a continuous loop: encode the data across many qubits, measure error checks without disturbing the data, decode those checks to find the error, and apply a correction, all faster than errors pile up. Here’s the shape of it, with no math:

  1. Encode. One qubit’s worth of information is spread across a block of many physical qubits using entanglement, so the state lives in the group rather than in any single member. A local error on one physical qubit does no lasting damage, because the information is stored across the whole group rather than in any single member.
  2. Measure the syndrome. Extra physical qubits, called check or ancilla qubits, are measured over and over. Each measurement reports whether a particular group of data qubits is still consistent, which flags that an error occurred and where, without revealing or collapsing the protected state itself.
  3. Decode. A fast classical computer reads the stream of syndrome measurements and works out which physical error most likely caused that pattern of flags. This decoding has to keep up in real time, because errors keep arriving while it runs.
  4. Correct. The identified error gets reversed, cleaning up the damage before it accumulates into something the code can’t recover from.
  5. Stay below threshold. All of this only helps if the physical qubits are already good enough. Below a certain physical error rate, adding more redundancy drives the logical error rate down. Above that threshold, more qubits just add more noise, and no amount of encoding rescues the computation.

That last point, the error-correction threshold, is the hinge the whole enterprise turns on. Reaching it, and proving that a bigger code makes a more reliable logical qubit rather than a noisier one, was an open question for decades. It was finally demonstrated on real hardware in 2024, covered in the reality section below.

What is the surface code?

The surface code is the leading quantum error-correction scheme, and it works by laying physical qubits out in a two-dimensional grid where most of them do nothing but watch their neighbors for errors. Data qubits hold the encoded information, and check qubits sitting between them are measured continuously to detect the two basic kinds of quantum error (a bit flipping, and a phase relationship scrambling). It’s the front-runner because it tolerates a relatively high physical error rate and needs only local, nearest-neighbor connections, which matches how real superconducting chips are actually built.

Source: Austin G. Fowler, Matteo Mariantoni, John M. Martinis, Andrew N. Cleland, “Surface codes: Towards practical large-scale quantum computation,” Physical Review A 86, 032324, 2012, arXiv:1208.0928.

The knob that controls a surface code’s power is its distance, roughly the size of the grid. A larger distance spreads the information across more physical qubits and suppresses the logical error rate further, at the cost of using many more physical qubits per logical one. This is the direct tradeoff at the heart of the overhead problem: you buy reliability with qubits, and a cryptographic attack demands so much reliability that the qubit bill runs into the millions.

How many physical qubits does one logical qubit cost?

At today’s hardware quality, one logical qubit costs roughly 1,000 to 10,000 physical qubits, depending on how noisy the hardware is and how low the logical error rate has to go. The cleaner the physical qubits and the shallower the computation, the cheaper the ratio; the deeper the computation, the more redundancy it needs and the higher the count climbs.

ContextPhysical qubits per logical qubitWhat it meansSource
Surface-code estimate for a cryptographic-scale algorithm~1,000 to 10,000the overhead a deep, trustworthy computation needsFowler et al., 2012
Google’s 2024 below-threshold demonstration101 physical for 1 logical (distance-7)one modest logical qubit, a real milestone but far from cryptographic gradeAcharya et al., 2024

Sources: Austin G. Fowler, Matteo Mariantoni, John M. Martinis, Andrew N. Cleland, “Surface codes: Towards practical large-scale quantum computation,” Physical Review A 86, 032324, 2012, arXiv:1208.0928. Rajeev Acharya et al. (Google Quantum AI), “Quantum error correction below the surface code threshold,” Nature 638, 920-926, 2025, arXiv:2408.13687.

The gap between those two rows is the state of the art in one glance. Google’s 2024 result used 101 physical qubits to protect a single logical qubit, and that logical qubit was far more forgiving than a cryptographic attack would tolerate. Pushing the logical error rate down to where it needs to be for breaking RSA costs many more physical qubits per logical one, which is how the total lands in the millions. The full physical-versus-logical picture lives in logical versus physical qubits.

Why is QEC the bottleneck to breaking RSA?

Quantum error correction is the bottleneck because breaking RSA needs thousands of trustworthy logical qubits, each logical qubit costs a large multiple of physical qubits, and multiplying those together pushes the machine into the millions of physical qubits that no hardware is close to building. Shor’s algorithm against a real key runs an enormous, deep sequence of operations, and it has to run on logical qubits because noisy physical qubits would decohere long before it finished. The most-cited peer-reviewed resource estimates:

TargetLogical qubitsPhysical qubits (error-corrected)RuntimeSource
RSA-2048~6,100~20 million noisy8 hoursGidney and Ekerå, 2021
RSA-2048 (optimized)not statedunder 1 million noisyunder 1 weekGidney, 2025
256-bit elliptic curve (ECDSA)~2,330millions after correctionnot statedRoetteler et al., 2017

Sources: Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749. Craig Gidney, “How to factor 2048 bit RSA integers with less than a million noisy qubits,” 2025, arXiv:2505.15917. Martin Roetteler, Michael Naehrig, Krysta M. Svore, Kristin Lauter, “Quantum resource estimates for computing elliptic curve discrete logarithms,” 2017, arXiv:1706.06752.

Set that against where the hardware actually is. As of 2026 the largest superconducting processors have crossed 1,000 physical qubits, and those are noisy, uncorrected physical qubits, not the error-corrected logical qubits an attack requires. So the cryptographic clock runs on QEC progress, not on raw qubit count. A vendor can announce a bigger chip while the axis that actually gates a Shor’s attack, driving the error rate low enough to build cryptographic-grade logical qubits, barely moves. That’s why “more qubits” in a headline doesn’t mean “closer to breaking RSA,” and why the honest read of quantum risk tracks error rates and demonstrated error correction rather than the qubit record.

How close is fault-tolerant quantum error correction?

The core science has been proven and the engineering is early, so a machine that could error-correct at cryptographic scale is still millions of physical qubits away. The milestone that matters landed in December 2024, when Google’s quantum team showed for the first time that a surface code operates below threshold, meaning a larger code produced a more reliable logical qubit rather than a noisier one:

  1. They encoded one logical qubit in a distance-7 surface code built from 101 physical qubits.
  2. That logical qubit’s error rate came out to 0.143% per cycle of correction.
  3. Growing the code’s distance suppressed the logical error rate by a factor of about 2.14 at each step, the signature of being below threshold.
  4. The encoded logical qubit outlived its best individual physical qubit by a factor of 2.4, so the error-correcting overhead finally paid for itself instead of adding net noise.

Source: Rajeev Acharya et al. (Google Quantum AI), “Quantum error correction below the surface code threshold,” Nature 638, 920-926, 2025, arXiv:2408.13687.

That result proves the approach scales the right way, and it also shows exactly how far off a cryptographic machine is. It took 101 physical qubits to make one modest logical qubit, and a Shor’s-algorithm attack needs thousands of logical qubits far more reliable than that, which pushes the physical count into the millions. Bridging that distance means both improving physical qubits and manufacturing them at a scale beyond anything demonstrated. This is the real content behind the quantum threat timeline: credible expert and government estimates for a CRQC still span roughly 2030 to 2040 and beyond, because the pacing item is error correction, a much harder problem than adding noisy qubits.

Common misconceptions

  1. “Error correction makes the errors go away.” It manages errors, it doesn’t remove them. Physical qubits keep failing constantly underneath, and QEC detects and repairs the damage faster than it accumulates, at the cost of many physical qubits per logical one.
  2. “You just copy each qubit a few times and vote, like classical error correction.” The no-cloning theorem forbids copying an unknown quantum state, so the classical majority-vote trick can’t be applied directly. QEC spreads the state with entanglement and finds errors through syndrome measurement instead.
  3. “A chip with thousands of qubits must be close to breaking encryption.” Those are noisy physical qubits. Without enough error correction to build cryptographic-grade logical qubits, they can’t run a deep algorithm to completion, and the real requirement for RSA-2048 is in the millions of physical qubits.
  4. “The surface code is the only way to do QEC.” It’s the current front-runner because it tolerates high error rates and needs only local connections, but other codes exist and the field is actively researching lower-overhead schemes. The surface code is the leading bet, not the last word.
  5. “Google’s 2024 result means QEC is basically solved.” That demonstration produced one logical qubit and proved the approach scales the right way, which is a genuine milestone. Going from a single logical qubit to the thousands a CRQC needs is a large, unsolved engineering problem.
  6. “Longer qubit coherence alone gets us there.” Coherence time is one factor. Gate fidelity, qubit count, connectivity, real-time decoding, and the error-correction scheme all have to advance together for fault-tolerant computation at cryptographic scale.

Questions people ask

Do I need physics to understand quantum error correction? No. The one idea that matters is redundancy under a constraint: a logical qubit is many noisy physical qubits combined so the group behaves like one reliable qubit, and the trick is doing that without copying or looking at any single qubit. Everything else is engineering detail that doesn’t change a security decision you’d make.

Why can’t quantum computers just use the same error correction as classical ones? Because classical error correction copies bits and inspects them, and both moves are forbidden for qubits. The no-cloning theorem blocks copying an unknown quantum state, and measuring a qubit collapses it. QEC works around both by encoding the state across entangled qubits and measuring error checks that reveal where a fault occurred without revealing the protected data.

What is a logical qubit versus a physical qubit? A physical qubit is one raw, noisy qubit on the chip. A logical qubit is one reliable qubit built by combining many physical ones with error correction, roughly 1,000 to 10,000 of them for a cryptographic-scale computation under the surface code (arXiv:1208.0928). Cryptographic estimates are always quoted in logical qubits; vendor press releases are almost always physical. See Logical vs Physical Qubits.

How many physical qubits does one logical qubit need? At today’s hardware quality, hundreds to thousands, depending on the code and how low the error rate has to go. Google’s 2024 demonstration used 101 physical qubits for one logical qubit (arXiv:2408.13687), and a cryptographic machine would need that error rate driven far lower, which costs more physical qubits per logical one.

Why does QEC decide when RSA can be broken? Because a Shor’s-algorithm attack has to run on logical qubits, and each logical qubit costs a large multiple of physical qubits. Breaking RSA-2048 needs roughly 6,100 logical qubits, which today translates to on the order of a million or more physical qubits (arXiv:1905.09749, arXiv:2505.15917). The pace of error-correction progress, not the raw qubit count, sets the timeline.

Is quantum error correction solved? Not yet. The 2024 below-threshold result showed the approach scales the right way for one logical qubit, a real milestone, but reaching the thousands of logical qubits a CRQC needs is a large, open engineering challenge. Working in principle is different from running at cryptographic scale.

What’s the surface code, in one line? It’s the leading QEC scheme, a two-dimensional grid of qubits where most of them exist only to watch their neighbors for errors, chosen because it tolerates realistic error rates and needs only nearest-neighbor connections.

If a code-breaking machine is years away, why does this matter now? Because the timeline that matters is your data’s, not the hardware’s. Encrypted data captured today under harvest now, decrypt later is exposed the moment a CRQC exists, and a full cryptographic migration takes years, so the work has to finish before error correction is tamed at scale, whenever that turns out to be.


Everything here is the map, given freely. When your team needs the quantum error-correction reality translated into a risk picture and a dated plan for your own systems, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.