Three Papers in Three Months: Why Q-Day May Now Be 2029, Not 2035

April 18, 2026  ·  qdayiscoming.com

For years, the most widely cited estimate for breaking RSA-2048 encryption with a quantum computer was 20 million qubits — a number large enough to feel comfortably distant. Then, between May 2025 and March 2026, three research papers quietly dismantled that assumption. The new estimate: fewer than one million qubits. Possibly far fewer.

This is not an incremental refinement. It is a 20-fold reduction in the resources required — the most significant shift in the quantum threat landscape since Peter Shor published his factoring algorithm in 1994. It is why Google has set 2029 as its internal deadline for completing its own post-quantum migration, and why security agencies that once pointed to the mid-2030s are now using language like "as early as 2029."

The three papers

Paper 1 · May 2025

How to Factor 2048-Bit RSA Integers with Less Than a Million Noisy Qubits

Craig Gidney — Google Quantum AI · arXiv:2505.15917

Gidney — the same researcher who co-authored the 2019 estimate of 20 million qubits — published a revised analysis incorporating three major algorithmic improvements: approximate residue arithmetic, yoked surface codes for storing idle logical qubits, and improved magic state cultivation. The result: RSA-2048 could be factored in under a week by a quantum computer with fewer than one million noisy qubits. A 20× reduction from his own previous estimate, published six years earlier.

Paper 2 · October 2025

A Novel Hybrid Quantum Circuit for Integer Factorization

Advanced Quantum Technologies Institute (AQTI) · Preprints.org

The JVG algorithm — named after its authors Jesse, Victor, and Gharabaghi — describes a hybrid classical-quantum factorization approach using a Quantum Number Theoretic Transform in place of the standard Quantum Fourier Transform. In simulation, the algorithm achieved approximately 99% reductions in gate counts and memory usage for small test cases. The authors extrapolated these results to project that RSA-2048 could potentially be broken with fewer than 5,000 qubits. This claim remains highly contested: critics note the extrapolation leaps from small test numbers to 2048-bit integers across many orders of magnitude. The methodology warrants scrutiny. What is not contested is the direction of travel.

Paper 3 · March 2026

JVG Algorithm v4: End-to-End Evaluation on Real Quantum Hardware

Advanced Quantum Technologies Institute · Updated preprint

A fourth revision of the AQTI paper extended the analysis to real quantum hardware, reporting runtime reductions from 67.8 seconds to 2 seconds and over 98% reductions in quantum gate counts. The AQTI announced that their research "suggests it will require less than 5,000 qubits to break RSA and ECC encryption" — a claim that generated significant mainstream attention in March 2026 and prompted rapid responses from the cryptography research community.

Important context: The Gidney paper is peer-reviewed and broadly accepted by the cryptography community. The JVG algorithm claims are more controversial — independent researchers have raised questions about the extrapolation methodology. Even so, the broader trend is clear: the resource requirements to break RSA are falling faster than previously modelled.

What a 20× reduction actually means

The significance of these papers is not that a quantum computer capable of breaking RSA exists today — it does not. The significance is what they imply about the rate of progress.

In 2019, Gidney estimated 20 million qubits were needed. Today's most advanced quantum processors — Google's Willow, IBM's Condor — operate in the thousands of qubits, with serious error correction challenges still to overcome. On the surface, one million qubits still sounds distant.

But progress in quantum computing has not been linear. Error correction techniques are improving rapidly. Physical qubit counts are doubling every few years. The algorithmic improvements documented in these papers mean that the hardware finish line has moved closer — without the hardware itself changing at all. Every algorithmic efficiency gain compresses the timeline.

Why Google's 2029 deadline now makes sense

Google has set 2029 as its internal target for completing its post-quantum cryptography migration. For years, this date seemed aggressive — a precautionary overreaction from a company that happens to also be building quantum computers. In light of Gidney's May 2025 paper — published by Google's own quantum AI team — the 2029 deadline reads differently. It reflects an internal assessment, not a public relations position.

When the organisation best positioned to know how fast quantum hardware is advancing sets a migration deadline of 2029, it is worth taking seriously.

The implication for organisations today

Cryptographic migrations at large organisations take five to ten years. If Q-Day arrives in 2029 — or even 2031 — organisations that begin their post-quantum migration in 2026 are already late. Those that haven't started a cryptographic inventory have not yet reached the starting line.
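The timeline argument above, applied to a small cryptographic inventory. This is an added example, not part of the original article. The asset names and per-asset migration estimates are constructed, and the list of algorithm families is an assumption that extends the RSA and ECC the article names.

```python
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm. The article names RSA and
# ECC; the remaining entries are this example's assumption.
SHOR_VULNERABLE = ("rsa", "ecdsa", "ecdh", "ecc", "dh", "dsa", "ed25519", "x25519")

START_YEAR = 2026              # migration start year used in the article
QDAY_SCENARIOS = (2029, 2031)  # Q-Day years the article considers


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str        # as recorded in the inventory, e.g. "RSA-2048"
    migration_years: int  # estimated time to replace (article: five to ten)


# Constructed sample inventory, not real data.
INVENTORY = [
    Asset("tls-edge-certs", "RSA-2048", 6),
    Asset("code-signing", "ECDSA-P256", 8),
    Asset("vpn-key-exchange", "ECDH-P384", 10),
    Asset("backup-encryption", "AES-256-GCM", 5),
    Asset("pilot-kem", "ML-KEM-768", 0),
]


def is_quantum_vulnerable(algorithm: str) -> bool:
    """True when the algorithm's family prefix is in SHOR_VULNERABLE."""
    return algorithm.lower().split("-")[0] in SHOR_VULNERABLE


def exposure_gap(asset: Asset, qday: int, start: int = START_YEAR) -> int:
    """Years the asset is still on vulnerable crypto after Q-Day (0 if none)."""
    if not is_quantum_vulnerable(asset.algorithm):
        return 0
    return max(0, start + asset.migration_years - qday)


def triage(inventory, qday: int):
    """Return (name, gap_years) for exposed assets, largest gap first."""
    rows = [(a.name, exposure_gap(a, qday)) for a in inventory]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: -r[1])


if __name__ == "__main__":
    for qday in QDAY_SCENARIOS:
        print(qday, triage(INVENTORY, qday))
```

Every RSA or ECC asset in the sample finishes migrating after both candidate dates, which is the article's "already late" point expressed per asset.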

These three papers did not create the quantum threat. But they collapsed the comfortable assumption that preparation could be deferred to the next decade. The window for orderly migration is narrowing.
