New findings shorten the road to cryptographically relevant quantum computers

Celebrity gossip might break the Internet, but not in the way that quantum computers could. “The advent of quantum computers poses a critical threat, as they could break widely deployed encryption schemes,” warns Lily Chen, a cryptography expert from the US National Institute of Standards and Technology (NIST). Systems at risk include banking encryption, digital signatures, secure messaging, secure shell tunnelling, cryptocurrency and more.

Today’s quantum computers are still too small and error-prone to defeat gold-standard encryption. However, new results from Google Quantum AI and start-up Oratomic suggest that could change, with two widely used cryptographic systems – elliptic curve cryptography (ECC) and the Rivest-Shamir-Adleman (RSA) algorithm – potentially coming under threat sooner than many scientists predicted.

Space-time trade-off

At present, anyone who wants to access encrypted information needs a secret digital key. To obtain this key, an attacker must first solve a difficult mathematics problem. For example, breaking the RSA algorithm boils down to factoring a large number into its prime components. Breaking ECC involves finding a secret number that connects two points on an elliptic curve. Classical computers might take billions of years to solve these problems. But if an attacker had access to a powerful enough quantum computer, they could solve the problems in mere minutes using an algorithm devised by Peter Shor in 1994.

Several years ago, experts estimated that cracking a typical RSA scheme with 2048-bit keys (RSA-2048) would require tens of millions of physical quantum bits (qubits), which are the building blocks of quantum computers. A year ago, this value dropped to a million. By February 2026, it was down to 100,000. The latest results from California-based Oratomic push the floor even lower, to 10,000 physical qubits.
The largest neutral-atom qubit array – realized last year in the lab of Oratomic co-founder Manuel Endres – stands at 6100 qubits. This makes the benchmark of 10,000 feel alarmingly close, though Endres’ array hasn’t yet been used for computation.
The team: Employees at Oratomic, a new neutral-atom quantum computing start-up. (Courtesy: Oratomic)

There are, however, trade-offs. Quantum computers that use fewer qubits or more space-efficient hardware generally have longer computation times. Oratomic’s proposed 10,000-qubit platform would require three years to crack ECC with 256-bit keys (ECC-256) and 120 years to crack RSA-2048. The company’s predicted time-efficient alternative could solve ECC-256 in 10 days, but that would require 26,000 qubits. Solving RSA-2048 in 97 days would take 100,000 qubits.

Oratomic’s numbers have not yet been peer-reviewed, and outside experts say they depend on different assumptions about future hardware developments. “The space-efficient [architecture] is mostly based on assuming aspects that have been demonstrated to work individually in state-of-the-art academic labs,” explains Maria Violaris, a quantum physicist at Oxford Quantum Circuits, who was not involved in the research. “Meanwhile, the time-efficient one relies on more speculative assumptions that need future innovation.”

A second perspective

On the same day as the Oratomic team posted its findings on the arXiv preprint server, researchers at Google Quantum AI released a white paper with their own updated resource estimates. They report that a computer with 500,000 physical qubits made from superconducting circuits could solve ECC-256 in 18 minutes – and potentially even less (see box). Google’s current state-of-the-art processor, Willow, has 105 physical qubits. However, the researchers warn against assuming gradual and predictable progress because quantum computing developments are driven by overcoming scaling barriers rather than by steady increases in processor size.

The quantum threat to cryptocurrencies

Elliptic curve cryptography (ECC) underpins the security of most blockchain networks, including Bitcoin and Ethereum.
Bitcoin transactions take an average of 10 minutes, so if a quantum computer can crack ECC and determine the secret key during that window, the transaction could be intercepted and funds stolen in real time.

While Google Quantum AI’s results predict that it would take 18 minutes to solve ECC on a 500,000-qubit quantum computer, they argue that the run time could be effectively shortened in some circumstances. To understand how, imagine planning a heist in which you need to open a safe. Although you won’t know the exact combination until you get your hands on the safe, if you know the model number in advance, you can prepare some tools to help you crack it faster. A quantum computer could do something similar. According to the Google Quantum AI researchers, half the ECC algorithm only depends on the elliptic curve and not on the specific transaction. A quantum computer could precompute this half, wait in a primed state until a Bitcoin transaction begins, then quickly solve the second half in only nine minutes, dropping below the 10-minute threshold.

Quantum computing platforms that use superconducting, silicon, and photonic qubits are well-positioned for real-time attacks because they tend to compute faster than neutral-atom and ion-based computers. However, the latter could still pose a serious risk through “at-rest” attacks. Such attacks involve adversaries collecting archived and publicly available data, then decrypting it later with few time constraints. Which threat arrives first will depend on how different quantum computing architectures mature and scale, a path still marked with considerable uncertainty. “Ultimately, feasibility is difficult to say as it depends on how challenging it will be to increase scale or to take a novel approach by engineering [new] hardware,” notes Maria Violaris of Oxford Quantum Circuits.

The high number of physical qubits required for quantum computation comes from the need to detect and correct errors. Google Quantum AI’s estimate is based on a well-known error-correction method known as the surface code. In this approach, physical qubits are arranged in a rectangular grid and interact with their nearest neighbours.
Quantum information is spread redundantly across this grid, allowing errors on one physical qubit to be found and fixed. The entire grid is considered one logical qubit, and the ratio of logical to physical qubits is called the encoding rate. In the surface code, reducing error amounts to adding more physical qubits per logical qubit, and typical encoding rates range from a few hundred to a few thousand.

In contrast, the Oratomic team based its estimates on a newer method of error correction called quantum Low-Density-Parity-Check (qLDPC), which reduces error more efficiently by making the physical qubits interact over large distances. Hengyun (Harry) Zhou, a physicist at the Massachusetts Institute of Technology in the US who was not involved in the research, explains that this longer-range connectivity can significantly increase the encoding rate. For qLDPC codes, a typical rate is around 1 to 10, but rates can now go as high as 1 to 2.

Because neutral atoms are highly reconfigurable, neutral-atom platforms like those used by Oratomic (and other companies, including QuEra Computing, Infleqtion, Pasqal, planqc and Atom Computing) are naturally suited to the long-range connectivity that qLDPC codes require. However, Zhou argues that it’s “not completely out of the question” that superconducting qubit platforms could use these codes too. “There is some additional cost that the lack of reconfigurability in those platforms currently leads to, but I would say if we’re thinking about a beyond-10-year timescale, it’s quite imaginable that things could also change for other platforms as well,” he says.

Responsible disclosure

Google Quantum AI’s white paper may represent a turning point in another respect. Rather than being open about their circuit designs, its authors hid them behind a “zero-knowledge proof,” which provided enough information to verify claims while hiding details that they say could provide bad actors with an “instruction manual”.
Superconducting quantum computing: Google Quantum AI’s Willow processing chip. (Courtesy: Google Quantum AI)

This is a relatively novel approach within the quantum computing community, which has thus far followed the conventional academic practice of publishing results with full transparency. A Google blog post expresses hope that “our approach to responsible disclosure can spur an important conversation among quantum computing researchers and the broader public.”

Certainly, it has already spurred a conversation among experts. “This is the first time I’ve ever seen a new mathematical result actually announced that way,” Scott Aaronson, a quantum physicist at the University of Texas at Austin, US, wrote on his blog. “I’m not sure how much it will actually help, as once other groups know that a smaller circuit exists, it might be only a short time until they’re able to find it as well.”

Zhou echoes this sentiment. “These are the kind of results that could potentially have a lot of general societal safety implications, so you want to make sure that they’re safeguarded responsibly,” he observes. “That being said, I think it is also possible that other people, now that they know what is possible, might come up with related constructions.”

What comes next?

In the long run, protecting against threats likely means migrating away from RSA and ECC and towards new mathematical problems that are difficult for both classical and quantum computers to solve. Google recently introduced 2029 as an internal deadline for migrating major systems to so-called post-quantum cryptography (PQC), and many experts believe the migration ought to begin now.

“Migrating to PQC is a massive undertaking that won’t happen overnight. Starting migration today is a necessary risk management strategy,” urges Chen from NIST.
She notes that NIST has been instrumental in guiding this migration, beginning with its 2016 call for cryptography experts to design and evaluate new algorithms for PQC, and culminating in its publication of the three most promising ones in 2024.
The Google Quantum AI researchers also outline recommendations to help cryptocurrency communities and policymakers prepare for the PQC era. And while urgency permeates their white paper, ongoing PQC efforts prompted them to end it on a positive note. “These trailblazing projects demonstrate that transition to post-quantum cryptography is realistic and instil hope that it will have been completed before the first [cryptographically relevant quantum computers] come online,” they write.
