up:: Quantum Computing MOC

Qubit

A qubit is the basic unit of information in a quantum computer, the quantum version of the classical bit. A classical bit is always either 0 or 1. A qubit can be 0, 1, or a superposition of both at the same time, and that ability to hold many possibilities at once is where a quantum computer’s power comes from. Qubits are also extremely fragile, so the number a machine can hold and keep stable is the single most-quoted, most-misunderstood measure of quantum-hardware progress, and it’s what decides whether a machine is anywhere close to breaking your encryption.

The short version:

  • A qubit is a quantum bit. A classical bit stores 0 or 1; a qubit can store a blend of 0 and 1 until it’s measured, at which point it snaps to a definite 0 or 1.
  • Qubits get built out of real physical systems: superconducting circuits, trapped ions, photons, and neutral atoms are the leading approaches, each with its own tradeoffs.
  • Qubits are fragile. They lose their quantum state through decoherence in fractions of a second, and every operation on them carries error. That fragility, not the raw count, is why a code-breaking quantum computer is hard to build.
  • The number that matters for cryptography is logical qubits (error-corrected and trustworthy), not the physical qubits vendors put in press releases. Breaking RSA-2048 needs roughly 4,000 to 6,100 logical qubits, which today means on the order of a million or more physical qubits.
  • A qubit-count record on a noisy machine doesn’t mean a CRQC is near. Progress toward breaking cryptography is a separate thing from progress in quantum computing generally.

What is a qubit?

A qubit is the smallest piece of information a quantum computer works with, exactly as a bit is the smallest piece a classical computer works with. NIST puts it plainly: “The basic unit of information in a quantum computer is called a quantum bit, or ‘qubit.‘”

Source: NIST, “What Is Post-Quantum Cryptography?”, nist.gov.

The difference is what a qubit is allowed to hold. A classical bit is a switch that’s either off (0) or on (1). A qubit obeys the rules of quantum physics, so before you look at it, it can hold a weighted combination of 0 and 1 at once, a state called superposition. The moment you measure it, that combination collapses to a single definite answer, either 0 or 1, and the blend is gone. So a qubit is a bit that gets to be undecided in a very specific, mathematically precise way right up until you read it.

Think of the qubit as the raw material. Everything else in a quantum computer, entanglement between qubits, the gates that manipulate them, the measurement that reads them out, is built on top of this one unit. When a vendor says “1,000 qubits,” they mean 1,000 of these physical carriers on a chip.

How is a qubit different from a classical bit?

The core difference is that a classical bit holds one value and a qubit holds a blend of two, and that blend is what lets a quantum computer explore many possibilities in parallel. NIST describes the payoff directly: a quantum computer “takes advantage of the quantum world’s counterintuitive properties, which enable a bit of data to act as both a 0 and 1 at the same time, to make calculations that would be difficult or impossible on a conventional computer.”

Source: NIST, “What Is Post-Quantum Cryptography?”, nist.gov.

The consequences of that difference are worth spelling out:

  1. Two bits vs. two values. One classical bit represents one of two values. One qubit represents a weighted combination of both, and the weighting can be tuned continuously.
  2. Exponential scaling with count. Combine 2 classical bits and you get one of 4 patterns at a time. Combine 2 qubits and they can hold a blend across all 4 patterns at once. With N qubits that’s a blend across 2 to the power of N patterns simultaneously. This exponential growth is the resource a quantum algorithm exploits, and it’s why a few thousand good qubits could do what no classical machine can.
  3. Reading destroys the blend. You can’t inspect a classical bit and change it just by looking. Measuring a qubit collapses its superposition to a single 0 or 1, so a quantum algorithm has to be cleverly arranged to steer the answer into the qubits before the final read, which is exactly what Shor’s algorithm does.
  4. Fragility. A classical bit sitting in memory is stable for years. A qubit’s quantum state degrades in fractions of a second from the faintest contact with its surroundings.

That last point is the one that governs whether any of this threatens cryptography, so it gets its own section below.

How is a qubit physically built?

A qubit is an abstract idea, a two-state quantum system, and engineers realize it in several completely different physical materials. The four leading approaches encode the qubit in different things, and the choice affects how stable the qubit is, how fast it can be operated, and how cold the machine has to run. The abstract qubit is the same in every case.

PlatformWhat physically stores the qubitOperating realitySource
SuperconductingEnergy states of a tiny superconducting circuit built on a Josephson junction (the transmon design)Runs near absolute zero in a dilution refrigerator; used by IBM, Google, RigettiKrantz et al. 2019
Trapped ionTwo internal energy levels of a single charged atom held in an electromagnetic trapLong-lived states, strong qubit-to-qubit connectivity; used by IonQ, QuantinuumBruzewicz et al. 2019
PhotonicA property of a single particle of light, such as its polarization or pathCan run at room temperature and moves naturally through fiber; used by PsiQuantum, XanaduSlussarenko and Pryde 2019
Neutral atomInternal states of uncharged atoms held in place by focused laser beams (optical tweezers)Scales into the hundreds-to-thousands range with reconfigurable layouts; used by QuEra, Atom ComputingHenriet et al. 2020

Sources: Krantz, Kjaergaard, Yan, Orlando, Gustavsson, Oliver, “A Quantum Engineer’s Guide to Superconducting Qubits,” Applied Physics Reviews 6, 021318, 2019, arXiv:1904.06560. Bruzewicz, Chiaverini, McConnell, Sage, “Trapped-Ion Quantum Computing: Progress and Challenges,” Applied Physics Reviews 6, 021314, 2019, arXiv:1904.04178. Slussarenko and Pryde, “Photonic quantum information processing: A concise review,” Applied Physics Reviews 6, 041303, 2019, arXiv:1907.06331. Henriet, Beguin, Signoles, Lahaye, Browaeys, Reymond, Jurczak, “Quantum computing with neutral atoms,” Quantum 4, 327, 2020, arXiv:2006.12326.

For projecting a cryptographic threat, the platform underneath matters less than four platform-independent numbers: how many qubits there are, how reliably a two-qubit operation can be performed, how long the qubits hold their state, and which qubits can talk to each other directly. A headline qubit count answers only the first of those.

Why are qubits so fragile?

Qubits are fragile because a quantum state is only quantum while it stays isolated, and perfect isolation is impossible. Every stray photon, vibration, magnetic ripple, or bit of heat that touches a qubit leaks information about its state into the environment, which quietly destroys the delicate 0-and-1 blend and drags the qubit toward an ordinary, classical value. That process is called decoherence, and it’s the reason a quantum state can’t just be left sitting in memory.

Source: Zurek, “Decoherence, einselection, and the quantum origins of the classical,” Reviews of Modern Physics 75, 715, 2003, arXiv:quant-ph/0105127.

Two kinds of error follow from this:

  1. Decoherence over time. Left alone, a qubit holds its quantum state only for a limited window, ranging from microseconds on superconducting hardware to seconds on trapped-ion systems, before decoherence erases it (Krantz et al. 2019; Bruzewicz et al. 2019, cited above).
  2. Operation error. Every gate applied to a qubit is a physical manipulation that’s slightly imperfect, so each step in a computation adds a little error. On today’s leading hardware a two-qubit operation still fails on the order of once in a thousand tries, far too often to run a long computation to a trustworthy answer.

A classical computer sidesteps all of this because a bit is stored as a robust, macroscopic voltage that you can refresh and copy at will. A qubit can’t be copied (the no-cloning theorem forbids it) and can’t be casually refreshed without disturbing its state, so the fragility can’t be engineered away as easily. It has to be actively corrected, which is where the difficulty of building a useful machine comes from.

Why does qubit fragility make a code-breaking quantum computer so hard to build?

Because breaking cryptography needs a long, deep computation, and a single uncorrected error partway through ruins the answer. Shor’s algorithm against a real key runs an enormous sequence of operations, and today’s qubits accumulate errors far faster than that sequence can finish cleanly. The fix is quantum error correction: you combine many noisy physical qubits into one reliable, error-corrected logical qubit that can survive the full computation.

That correction is expensive, and the price is the whole reason no CRQC exists yet:

  1. One good qubit costs many raw ones. Under the surface code, the leading error-correction scheme, building a single logical qubit reliable enough to run a hard algorithm takes roughly 1,000 to 10,000 physical qubits, depending on how noisy the hardware is.
  2. A cryptographic attack needs thousands of logical qubits. Multiply those together and the physical-qubit requirement lands in the millions.
  3. You also need depth and time. Beyond count, the machine has to sustain low error rates across a very long circuit, which is a separate engineering problem from simply having more qubits.

Source: Fowler, Mariantoni, Martinis, Cleland, “Surface codes: Towards practical large-scale quantum computation,” Physical Review A 86, 032324, 2012, arXiv:1208.0928.

This is why “more qubits” in a press release doesn’t automatically mean “closer to breaking RSA.” Adding noisy physical qubits without driving the error rate down enough to build logical qubits is progress on one axis while the axis that actually gates a cryptographic attack barely moves.

How many qubits does it take to break RSA-2048?

Breaking RSA-2048 with Shor’s algorithm takes thousands of error-corrected logical qubits, which today translates to somewhere between roughly a million and twenty million noisy physical qubits, depending on the construction. Elliptic-curve keys fall with fewer logical qubits than RSA at comparable classical strength. The most-cited peer-reviewed resource estimates:

TargetLogical qubitsPhysical qubits (with error correction)RuntimeSource
RSA-2048~6,10020 million noisy8 hoursGidney and Ekerå, 2021
RSA-2048 (optimized)not statedunder 1 million noisyunder 1 weekGidney, 2025
Elliptic curve, 256-bit (ECDSA)~2,330millionsnot statedRoetteler et al., 2017

Sources: Gidney and Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749. Gidney, “How to factor 2048 bit RSA integers with less than a million noisy qubits,” 2025, arXiv:2505.15917. Roetteler, Naehrig, Svore, Lauter, “Quantum resource estimates for computing elliptic curve discrete logarithms,” 2017, arXiv:1706.06752.

Set that against where the hardware actually is. As of 2026, the largest superconducting processors have crossed 1,000 physical qubits (IBM’s Condor chip reached 1,121), and those are noisy, uncorrected physical qubits, not the error-corrected logical qubits a cryptographic attack requires.

Source: IEEE Spectrum, “IBM’s Condor Quantum Computer Has Over 1,000 Qubits,” spectrum.ieee.org.

The gap between a thousand-ish noisy physical qubits today and the millions of high-quality ones an attack needs, all error-corrected into thousands of logical qubits, is why credible expert and government estimates for a CRQC still span roughly 2030 to 2040 and beyond. The physical-qubit estimate has also been dropping fast as the engineering improves, from twenty million in a 2019 analysis to under a million by 2025, a reminder that the threshold is a moving research target rather than a fixed wall.

Why does the qubit count matter for cryptography at all?

Qubit count matters because it’s the closest thing to a public yardstick for how far a machine is from a CRQC, and it’s the number that gets abused most. A qubit total on its own, with no mention of logical-versus-physical, error rate, or connectivity, can’t tell you anything about cryptographic risk. The honest read of a “1,000-qubit” milestone comes down to a few follow-up questions:

  1. Are those logical (error-corrected) qubits or physical (raw) ones? Almost always physical.
  2. What’s the two-qubit error rate? A high error rate means those qubits can’t be error-corrected into logical ones.
  3. Has the machine demonstrated any cryptographically relevant computation, or only a qubit count?

When the answers are “physical, too noisy to correct, and no,” the milestone is real hardware progress and still nowhere near a cryptographic threat. This is the distinction that anchors every quantum risk model, from the CRQC threshold to the migration timeline it drives, and it’s why the qubit note sits underneath all of them.

Common misconceptions

  1. “A 1,000-qubit machine is close to breaking RSA.” No. Those are noisy physical qubits. Breaking RSA-2048 needs thousands of error-corrected logical qubits, each built from roughly 1,000 to 10,000 physical ones, so the real requirement is in the millions of physical qubits.
  2. “A qubit is just a faster bit.” No. A bit stores one definite value; a qubit stores a tunable blend of 0 and 1 until measured. The parallelism that comes from that blend, across many entangled qubits, is what a classical bit fundamentally can’t do.
  3. “You can read a qubit without disturbing it, like a bit.” No. Measuring a qubit collapses its superposition to a single 0 or 1, which is why quantum algorithms have to arrange the answer before the final read.
  4. “Qubits can be copied and backed up.” No. The no-cloning theorem forbids copying an unknown quantum state, which is part of why fragility is so hard to engineer around and why error correction is needed instead.
  5. “More qubits always means more cryptographic risk.” No. Adding physical qubits without lowering the error rate enough to build logical qubits leaves the axis that actually gates a Shor’s attack roughly where it was.
  6. “All qubits are basically the same, so the hardware type doesn’t matter.” The abstract qubit is the same, but superconducting, trapped-ion, photonic, and neutral-atom qubits differ sharply in stability, speed, and connectivity, which is exactly why the field is still running multiple approaches at once.

Questions people ask

Do I need physics to understand what a qubit is? No. For security purposes you need one idea: a classical bit is 0 or 1, and a qubit can be 0, 1, or a blend of both until it’s measured. That blend is what gives a quantum computer its parallelism, and the fragility of that blend is why a code-breaking machine is hard to build. The math underneath doesn’t change any decision you’d make.

How is a qubit different from a normal bit, in one line? A bit holds one definite value and is rock-solid stable; a qubit holds a weighted combination of both values and is extremely fragile, losing its state in a fraction of a second unless it’s actively protected.

Does a quantum computer with enough qubits to break encryption exist yet? No. The largest machines today have on the order of 1,000 noisy physical qubits (spectrum.ieee.org), while breaking RSA-2048 needs thousands of error-corrected logical qubits, which means on the order of a million or more physical qubits (arXiv:1905.09749, arXiv:2505.15917). That’s a CRQC, and none exists in 2026.

What’s the difference between a logical qubit and a physical qubit? A physical qubit is one raw, noisy qubit on the chip. A logical qubit is one reliable qubit built by combining many physical ones with error correction, roughly 1,000 to 10,000 of them under the surface code (arXiv:1208.0928). Cryptographic estimates are always quoted in logical qubits; vendor press releases are almost always physical. See Logical vs Physical Qubits.

Why can’t you just keep adding qubits until RSA breaks? Because a cryptographic attack is a long computation and every noisy qubit adds error along the way. Past a point, more physical qubits without lower error rates make the machine bigger, not more capable of finishing a Shor’s computation cleanly. You need error-corrected logical qubits, and those cost a large multiple of physical qubits each.

Why are there so many different kinds of qubit? Because no single physical platform has solved every problem at once. Superconducting qubits are fast but need near-absolute-zero cooling; trapped ions are stable and well-connected but slower; photonic qubits move easily and run warm; neutral atoms scale well. The field runs all of them because each trades stability, speed, and scalability differently (Krantz et al. 2019; Bruzewicz et al. 2019; Slussarenko and Pryde 2019; Henriet et al. 2020, cited above).

Is quantum computing just hype, then? No, and the honest position is in between. The hardware is advancing genuinely, and a qubit really can do things a bit can’t, so the long-run cryptographic threat is real and standards bodies are acting on it. What’s overstated is nearness: a qubit-count headline on a noisy machine is a long way from a CRQC, and the two shouldn’t be confused.

Which cryptography does a qubit-powered attack actually break? Public-key cryptography (RSA, Diffie-Hellman, and elliptic-curve systems) via Shor’s algorithm, once a CRQC exists. Symmetric encryption and hashing face only Grover’s algorithm, a much weaker quantum attack that a longer key handles, so AES-256 and SHA-384 stay safe.


Everything here is the map, given freely. When your team needs the qubit-count reality translated into a risk picture for your own systems and timeline, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.