Comment by fnands
9 hours ago
*ends as soon as practical quantum computers, something which might never happen, exist.
The author mentions:
> RSA-2048: ~4096 logical qubits, 20-30 million physical qubits
> 256-bit ECC: ~2330 logical qubits, 12-15 million physical qubits
For reference, we are at ~100 physical qubits right now. There is a bit of nuance in the logical to physical correlation though.
Scepticism aside, the author does mention that it might be a while in the future, and it is probably smart to start switching to quantum resistant cryptography for long-running, critical systems, but I'm not a huge fan of the fear-mongering tone.
And no clear quantum Moore's law emerging for the yearly increase in qubits (https://arxiv.org/abs/2303.15547)... The quantum panic pushes people to deploy immature solutions, and the remedy sure sometimes looks worse than the illness...
About those sizes: they increase with the size of the key, right? So I would think the author's claim that RSA-8192 is just as vulnerable as RSA-4096 isn't quite as straightforward. It would require considerably more qubits.
You mean it will come right when AGI comes?
Fusion powered AGI!
Fusion powered Quantum AGI! (on the blockchain?) ;-)
SOTA for RSA-2048 is <1 million physical qubits
Yeah, I was taking the author's numbers there, and there is a lot of nuance to the logical vs physical qubits relationship. Not super up to date on the latest work there, you got any links?
"How to factor 2048 bit RSA integers with less than a million noisy qubits" (https://arxiv.org/abs/2505.15917) is the most up to date paper here, and uses ~1400 logical and ~900k physical
The fear-mongering tone is likely due to the fact that this was posted (though probably not written) by a company promoting quantum-safe cloud storage.
Anyway, here is what Scott Aaronson recently said about quantum computing progress:
> Indeed, given the current staggering rate of hardware progress, I now think it’s a live possibility that we’ll have a fault-tolerant quantum computer running Shor’s algorithm before the next US presidential election. And I say that not only because of the possibility of the next US presidential election getting cancelled, or preempted by runaway superintelligence! (...)
> To clarify — if, before the 2028 presidential election, a fully fault-tolerant Shor’s algorithm was used even just to factor 15 into 3×5, I would view the “live possibility” here as having come to pass.
> The point is, from that point forward, it seems like mostly a predictable matter of adding more fault-tolerant qubits and scaling up, and I find it hard to understand what the showstopper would be.
https://scottaaronson.blog/?p=9325
I was actually reading his blog again last night (after chatting with a friend about QQ), and he has a follow up post, titled: "Quantum Investment Bros: Have you no shame?"
Relevant quote:
> It’s like this: if you think quantum computers able to break 2048-bit cryptography within 3-5 years are a near-certainty, then I’d say your confidence is unwarranted. If you think such quantum computers, once built, will also quickly revolutionize optimization and machine learning and finance and countless other domains beyond quantum simulation and cryptanalysis—then I’d say that more likely than not, an unscrupulous person has lied to you about our current understanding of quantum algorithms.
And:
> In any case, the main reason I made my remark was just to tee up the wisecrack about whether I’m not sure if there’ll be a 2028 US presidential election.
So I would be careful posting those quotes without context, it makes Scott angry.
...and 100, quite useless qubits too, with insane error rates and extremely fast decoherence times.