A team at Google Quantum AI, led by researcher Craig Gidney, has shown that breaking RSA-2048 encryption could require roughly 20 times fewer physical qubits than previously estimated, collapsing the resource barrier from 20 million noisy qubits to less than 1,000,000 (about 20× fewer, not 10×). The finding, laid out in a May 2025 preprint, trades speed for efficiency: factoring a 2048-bit RSA key would take less than a week instead of eight hours, but on hardware that is far closer to what labs are actually building. For anyone who relies on RSA encryption to protect financial transactions, government communications, or personal data, the timeline for quantum-era risk just compressed significantly.
From 20 Million Qubits to Under a Million
In 2019, Gidney co-authored a paper estimating that factoring 2048-bit RSA integers would require 20 million noisy qubits and about eight hours of compute time (under the assumptions in that work). That figure was large enough to feel safely distant from any near-term hardware. The new 2025 paper upends that calculus. It argues that RSA-2048 can be factored using less than 1,000,000 noisy physical qubits arranged on a 2D nearest-neighbor grid architecture, assuming a 0.1% gate error rate and a surface code cycle time of 1 microsecond (per the preprint’s stated model). The tradeoff is runtime: the job would take less than a week rather than hours. But the qubit count, which is the harder engineering constraint, dropped by a factor of roughly 20.
A key enabler behind this efficiency gain is a technique called “magic state cultivation,” described in a separate paper from late 2024. That method achieves order-of-magnitude reductions in qubit-rounds needed to reach very low logical error rates under realistic noise conditions, specifically 10-3 depolarizing noise. In practical terms, magic state cultivation lets a quantum computer perform the high-fidelity operations required for cryptanalysis while burning through far fewer physical resources. Combined with algorithmic improvements to how modular exponentiation is structured, these advances represent a genuine shift in how close current hardware trajectories sit to the threshold for breaking widely deployed encryption.
Why Standards Agencies Are Not Waiting
The National Institute of Standards and Technology has been building defenses well ahead of this latest research. In August 2024, NIST released three finalized standards for post-quantum key encapsulation and digital signatures: FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) as an alternative signature scheme. These algorithms are designed to resist attacks from future large-scale quantum computers, and NIST has urged organizations to begin migrating away from RSA-based systems immediately. The formal approval of FIPS 203, 204, and 205 fits alongside existing recommendations from the computer security division for legacy key establishment and digital signatures, creating a roadmap for gradual but decisive transition.
NIST did not stop there. In March 2025, the agency selected HQC as a fifth algorithm for post-quantum encryption, intended to serve as a backup key encapsulation mechanism in case vulnerabilities emerge in ML-KEM. A draft standard for HQC is expected after approximately one year, with a final standard targeted for 2027. The decision to add a backup algorithm signals that NIST views the transition to quantum-safe cryptography not as a single event but as an ongoing, layered process that needs redundancy built in from the start, much like its broader catalogue of official publications that evolve as scientific understanding and engineering practice advance.
Industry Moves Faster Than Expected
The private sector has started to respond. Keeper Security, a zero-trust and zero-knowledge identity security provider, announced quantum-resistant encryption in February 2026 from its Chicago headquarters, positioning its password and secrets management products as ready for a world where Shor’s algorithm is more than a theoretical threat. Meanwhile, an IBM spokesman stated that quantum low-density parity-check (qLDPC) codes would be central to the company’s quantum computing roadmap, though the spokesman did not comment on specific timelines for achieving the qubit counts described in Gidney’s research. These corporate moves suggest that large technology firms are treating the quantum threat as a near-term engineering problem rather than a distant theoretical concern, even if fully fault-tolerant machines remain out of reach today.
Yet there is a real risk that the existence of finalized standards creates a false sense of security. Organizations may assume that adopting FIPS 203 or FIPS 204 alone is sufficient, when the actual challenge lies in hybrid implementations that layer quantum-safe algorithms on top of existing classical encryption during the transition period. Many enterprises still lack a comprehensive inventory of where public-key cryptography is used across their infrastructure, from VPN gateways and TLS terminators to firmware update channels and internal service meshes. Without that visibility, even the best algorithms cannot be deployed effectively or consistently, leaving pockets of legacy RSA and elliptic-curve cryptography exposed long after quantum-safe options are technically available.
The Hidden Migration Work
Planning a migration to post-quantum cryptography is less about swapping algorithms and more about managing operational risk over a decade or longer. Every protocol stack that embeds RSA or elliptic-curve primitives—TLS, SSH, IPsec, S/MIME, code-signing, and countless proprietary variants—needs to be reviewed, updated, and tested. For many organizations, this means coordinating software vendors, hardware appliance makers, and cloud providers that may each be on different upgrade schedules. The result is a patchwork of versions and configurations that must interoperate securely, especially when deploying hybrid key exchange mechanisms that combine classical and post-quantum components to hedge against unforeseen weaknesses in either.
Security teams also have to reckon with long-lived data that may be harvested today and decrypted later once a capable quantum computer exists. Sensitive archives such as health records, legal documents, and industrial control logs often have confidentiality requirements measured in decades. That reality makes “store now, decrypt later” attacks a serious concern. Even if a practical RSA-2048-breaking quantum machine is still years away, adversaries can already capture encrypted traffic and wait. This is why standards bodies emphasize early adoption: the cryptographic protection applied in 2025 must still hold when quantum hardware catches up, not just when it is first deployed.
Beyond Algorithms: Ecosystems and Monitoring
While the headline focus is on Shor’s algorithm and the cost of factoring RSA, the broader security ecosystem around cryptography is just as important. Vulnerabilities in implementations, libraries, and protocols routinely show up in the national vulnerability database, and post-quantum schemes will be no exception. Side-channel resistance, constant-time coding practices, and robust key management will all need renewed scrutiny as new algorithms are rolled out under real-world constraints such as constrained devices and high-latency networks. A theoretically secure lattice-based primitive can still fail in practice if deployed with weak randomness, misconfigured parameters, or leaky hardware.
At the same time, quantum research is reshaping how other scientific domains think about precision and data integrity. Reference datasets and models that underpin everything from materials science to thermodynamics—including resources like the online chemistry tables that many engineers rely on—will increasingly intersect with quantum-simulated results and quantum-assisted measurements. Ensuring the authenticity and provenance of such data will require cryptographic assurances that remain robust in a post-quantum world, tying fundamental research infrastructure to the same migration pressures facing banks and cloud providers. The shift that began with a revised qubit estimate for breaking RSA-2048 is therefore not just a story about encryption, but about how trust is engineered across the entire digital and scientific landscape.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
