Quantum Computing Will Not Crack Encryption. It Is a Lie. Even If It Weren't, the Numbers Are Absurd.
The most damaging lie in quantum computing — and there is serious competition for that title — is the encryption story.
You have heard it. Quantum computers will break RSA. They will crack the encryption protecting banking, communications, government systems, and the internet. Nation-states are harvesting encrypted data today to decrypt it once their quantum computers are ready. The threat is imminent. Governments are mobilising. Billions are being spent on post-quantum cryptography in a race against the quantum computer that is coming to shatter the foundations of digital security.
This story is a fraud. It is built on a technology that does not exist, applied to a capability that cannot be derived from that technology even in principle within any timeline being discussed, sold to governments and security agencies and investors who are either incapable of reading the underlying physics or have chosen not to.
Let us go through it precisely.
The Claim
The claim is that quantum computers running Shor’s algorithm — a quantum algorithm published in 1994 by Peter Shor that would, on a sufficiently capable quantum computer, factor large integers in polynomial time — will break RSA encryption by exploiting the mathematical difficulty of factoring the product of two large primes that underlies RSA’s security.
RSA-2048, the dominant standard protecting most internet traffic, banking infrastructure, email, and digital certificates, uses a 2048-bit key — a number 617 digits long that is the product of two enormous primes. Classical computers cannot factor it in any practical timeframe. A quantum computer running Shor’s algorithm could, in principle, do it exponentially faster.
This is mathematically true. Shor’s algorithm is real. The speedup is real. The threat to RSA, if a capable quantum computer existed, would be real.
No capable quantum computer exists. None is coming within any timeline supported by the physics. The gap between what quantum hardware has demonstrated and what breaking RSA requires is not a gap of years. It is a gap of multiple simultaneous engineering miracles, none of which has been demonstrated, stacked on top of each other. And that is before we address the fact that no logical qubit — the foundational unit the entire capability rests on — has ever been built.
What Breaking RSA-2048 Actually Requires
The most credible, most carefully calculated, most optimistic resource estimates for breaking RSA-2048 using a quantum computer come from Craig Gidney, a researcher at Google Quantum AI, who has published two landmark papers on the subject.
In 2021, Gidney and Martin Ekerå published a paper establishing that RSA-2048 could be broken in approximately eight hours by a quantum computer with roughly 20 million physical qubits operating at a gate error rate of 0.1%, using the surface error-correction code. That 20 million qubit figure was itself a hundredfold improvement over the previous best estimate of around one billion physical qubits from 2012.
In May 2025, Gidney published a further optimisation reducing the physical qubit requirement to under one million — but at the cost of extending the runtime to less than one week rather than eight hours, using the same assumed error rate of 0.1% uniformly across all qubits.
These are the best numbers the field has. They come from the most optimistic assumptions consistent with known physics. They represent the floor, not the ceiling, of what would actually be required.
Now let us look at what those numbers mean in practice.
Logical qubits required. The Gidney-Ekerå 2021 construction requires approximately 20,000 logical qubits to factor RSA-2048 in eight hours. The 2025 optimisation uses fewer logical qubits — roughly 1,730 to 6,000 depending on the specific variant — but requires far more gate operations and several days of continuous runtime. In all cases, the requirement is thousands of logical qubits operating simultaneously, performing billions to tens of billions of sequential gate operations without a single uncorrected error cascading through the computation.
Physical qubits required. Each logical qubit requires multiple physical qubits — the overhead depends on the physical error rate. At 0.1% gate error rate using the surface code, the overhead is roughly 1,000 physical qubits per logical qubit. At worse error rates, the overhead grows substantially. At 0.1% error rate, the Gidney-Ekerå 2021 construction therefore requires approximately 20 million physical qubits. The 2025 optimisation requires fewer than one million physical qubits — but only at the same assumed 0.1% error rate uniformly maintained across all of them simultaneously.
Current physical qubit counts. Google’s best superconducting quantum processor has on the order of 1,000 physical qubits. IBM’s most advanced systems have more, but at lower uniformity and fidelity. The best two-qubit gate error rates demonstrated in any system are around 0.1% — for individual gates, in carefully controlled conditions, not sustained across an entire processor at scale.
The gap between demonstrated capability and required capability: approximately three orders of magnitude in physical qubit count, with uniform error rates maintained across the entire system, sustained for days of continuous operation.
Logical qubits currently demonstrated. Zero. Not one. As documented in the previous post in this series, no logical qubit has ever been built — no encoded qubit has ever outperformed the physical qubits it is built from. The foundational unit of the entire enterprise does not exist.
The Distance from Zero to Breaking Encryption
Let us be precise about the journey, because the lie depends on obscuring it.
Step one: Build one logical qubit. Has not been done. The Zhang et al. silicon paper, the Google surface code paper, the Harvard atom array papers — all demonstrate encoding and some error detection. None demonstrates a logical qubit that outperforms its physical components in both coherence and gates without postselection. This step has not been completed.
Step two: Demonstrate that logical performance improves as code distance increases. This is the core theorem of fault-tolerant quantum computation. Add more physical qubits to the encoding, get better logical performance. This has been partially suggested in one memory experiment by Google but has not been demonstrated in gate-based computation at any relevant scale. This step has not been completed.
Step three: Scale to thousands of logical qubits. Even accepting the most optimistic algorithmic estimates, breaking RSA-2048 requires between roughly 1,700 and 20,000 logical qubits operating simultaneously. Each requires its own error correction infrastructure. The physical qubit count at that scale ranges from under one million to twenty million, all at uniform error rates below 0.1%. No system of more than a few dozen physical qubits has demonstrated uniform error rates below 0.1% simultaneously across the entire device. This step has not been started.
Step four: Sustain the computation. The Shor’s algorithm computation for RSA-2048 requires billions of sequential logical gate operations. At current physical gate speeds, even with a million-qubit system operating at the required error rates, this takes days of continuous, error-corrected operation. Any failure in the error correction during those days requires restarting from the beginning. This step has not been demonstrated in any system, at any scale, for any duration remotely approaching what is required.
Step five: Build the classical control infrastructure. Error correction in a surface-code quantum computer requires reading syndrome measurements in real time, running a classical decoding algorithm to determine what errors occurred, and applying corrections — all within the coherence time of the physical qubits. For superconducting qubits with microsecond coherence times, this means classical processing on microsecond timescales across millions of qubits simultaneously. The classical computing infrastructure required to control a million-qubit fault-tolerant quantum computer does not exist and has not been demonstrated at any scale approaching what is needed.
Every one of these five steps is an open engineering problem. None has been solved. They must all be solved simultaneously in a single integrated system. Solving steps one through four and failing on step five gives you nothing. The computation fails.
The lie is that these steps are on a credible roadmap with a defined timeline. They are not. They are a sequence of engineering challenges each of which has no demonstrated solution at the required scale, stacked into a dependency chain where each requires the previous.
The Cost, If It Were Real
Now let us engage with the absurdity on the terms the hype sets for itself. Assume, counterfactually, that someone built the machine. Assume all five steps above are solved. What does breaking one RSA-2048 key actually cost?
Power. A RAND Corporation analysis estimated that large-scale superconducting quantum systems consume approximately ten watts per physical qubit, accounting for cooling, control electronics, and overhead. The Gidney 2025 optimistic scenario uses under one million physical qubits. At ten watts per qubit, that is ten megawatts of continuous power draw for the duration of the computation — days. At grid electricity prices, the energy cost alone for a single key factorisation runs into the hundreds of thousands of dollars. The older 20-million-qubit scenario runs at approximately 200 megawatts — comparable to a small city — for eight hours per key.
Infrastructure. Building a million-qubit fault-tolerant quantum computer, if it were possible, would cost tens to hundreds of billions of dollars based on the trajectory of current hardware costs. Amortised over even thousands of key-cracking operations, the capital cost per key is in the tens to hundreds of millions of dollars.
Time per key. The optimistic 2025 estimate: under one week per RSA-2048 key, in the best case, with perfect hardware. In practice, error rates slightly above the threshold, hardware imperfections, and the need for repeated attempts because probabilistic algorithms sometimes fail on the first run mean the effective time per key is longer. A realistic estimate for a real, imperfect machine — assuming one somehow existed — is weeks to months per key, not hours.
Throughput. A machine capable of breaking one key per month, running continuously, at these power and infrastructure costs, would be processing RSA keys at a cost of millions of dollars per key. This is not a practical attack on RSA infrastructure, which deploys new keys continuously. Breaking yesterday’s key tells you what was encrypted yesterday. TLS sessions use ephemeral keys. The damage is real but bounded by the economics: even a nation-state operating such a machine could target specific high-value historical communications, not conduct mass surveillance of current traffic.
The threat model being sold — quantum computers silently breaking internet encryption at scale, rendering all digital security obsolete — requires not one such machine but many, each cracking keys continuously at a cost that makes the entire enterprise economically ludicrous even for the most resourced adversaries.
None of this analysis requires quantum computers to be a fraud. This is the arithmetic of the optimistic case, taking the best published estimates at face value. The conclusion is still: one key, weeks of computation, millions of dollars, at a scale of engineering that has not been demonstrated and has no credible timeline for demonstration.
Why the Lie Is Being Told
There are multiple groups with strong incentives to sustain the encryption-cracking narrative.
The quantum computing industry benefits directly. Governments spending on post-quantum cryptography generate demand for quantum-resistant products. More importantly, the narrative that quantum computers will break encryption creates urgency for quantum computing investment: if the adversary is building a cryptographically relevant quantum computer, you need to build one too. The threat narrative drives both offensive investment (build the attack machine) and defensive investment (build post-quantum cryptography) simultaneously. The industry sits at the intersection of both flows.
Intelligence and defence agencies benefit from the narrative because it justifies budget. A quantum computing program that might break adversary encryption in fifteen years is a compelling funding argument in a way that a quantum computing program that might, eventually, simulate some molecules is not. The encryption angle creates mission-critical urgency. Whether the timeline is real is secondary to whether it supports the programme.
The post-quantum cryptography industry has the most direct interest of all. NIST’s post-quantum cryptography standardisation process, completed in 2024, and the subsequent mandate for government and critical infrastructure to migrate to quantum-resistant algorithms, is a multi-billion dollar market. The migration effort is real, the new standards are real, and to a significant extent the precaution is reasonable even if the timeline is not. But the industry selling migration services and products has every incentive to keep the threat perception as high as possible.
Journalists and analysts benefit from a coherent, frightening narrative. “Quantum computers may eventually help simulate some drug molecules at an incremental improvement over classical methods, depending on whether several engineering problems are solved over a multi-decade timeline” does not generate clicks. “Quantum computers could break all encryption within a decade” does.
The encryption-cracking lie is therefore sustained not by any single dishonest actor but by a coalition of interests, each of which benefits from the narrative, none of which has a strong incentive to correct it.
What Is Actually True About Post-Quantum Cryptography
To be clear about what is real: post-quantum cryptography — cryptographic algorithms that are hard for both classical and quantum computers — is legitimate and important. The NIST standardisation process produced real algorithms. Migrating away from RSA and elliptic curve cryptography to post-quantum standards is a reasonable long-term security posture. The concern that sufficiently advanced quantum computers would threaten these systems if they ever existed is mathematically correct.
The problem is not the preparation. The problem is the timeline and the threat framing. NIST recommends deprecating vulnerable systems after 2030 — a reasonable engineering planning horizon for large infrastructure migrations. That recommendation does not require believing that cryptographically relevant quantum computers will exist in 2030 or anywhere near it. It requires only that major infrastructure migrations take years and should be started well in advance.
The “harvest now, decrypt later” threat — where adversaries collect encrypted traffic today intending to decrypt it once quantum computers are available — is real in principle. Traffic encrypted today with RSA will remain encrypted data. If a cryptographically relevant quantum computer is ever built, that data could potentially be decrypted. For data whose secrecy matters over multi-decade horizons — some government communications, some industrial secrets, some long-term intelligence — this is a legitimate concern.
But “harvest now, decrypt later” requires quantum computers to eventually exist at the required scale. Every year that passes without a logical qubit being demonstrated is a year of evidence that the timeline is longer than assumed. The physics has not cooperated with the roadmaps.
The Gap in Plain Language
No logical qubit has ever been built.
The best demonstrated physical qubit systems have a few hundred to a few thousand physical qubits at error rates that are marginal for the surface code threshold, not sustained uniformly across the full device at scale.
Breaking RSA-2048 requires, in the most optimistic credible estimate, under one million physical qubits at uniform 0.1% error rates running continuously for days. In less optimistic but still theoretically possible estimates, it requires twenty million physical qubits running for eight hours.
The gap between zero working logical qubits and a cryptographically relevant quantum computer is not a decade of hard engineering work. It is an unknown number of decades of solving problems that have not been solved at any scale, with no demonstrated path to solution at the required scale, requiring capital investment in the hundreds of billions of dollars, energy infrastructure equivalent to a large power station, and classical control systems that do not exist.
The people telling you this is coming soon — from major quantum computing companies, from government program offices, from cybersecurity vendors selling post-quantum migration services — are either lying or have not read the physics.
Conclusion
The encryption-cracking narrative around quantum computing is a fraud. It takes a mathematical fact — Shor’s algorithm would break RSA if run on a sufficiently capable quantum computer — and converts it into an implied near-term threat by hiding the distance between what the algorithm requires and what the hardware has or can plausibly deliver.
What the hardware has delivered: no logical qubit. Ever.
What the algorithm requires: thousands of logical qubits, each encoding approximately a thousand physical qubits, all operating simultaneously at error rates that have not been demonstrated uniformly at scale, sustaining a computation lasting days without a single catastrophic error cascade, controlled by classical infrastructure that does not exist.
The cost of a single RSA-2048 factorisation, on a machine that somehow existed, is millions of dollars and weeks of computation time. The machine itself would cost tens to hundreds of billions to build and require tens of megawatts to operate.
Even if every engineering problem were solved — which they have not been, which none of them show a credible near-term path to being — the economics of quantum-based RSA cracking make it a tool for targeting specific, known, high-value communications by the most resourced actors in the world, not a general threat to internet encryption.
The lie being sold is that this threat is imminent. It is not. The lie being sold is that quantum computers are on a trajectory that makes this threat real within the decade. They are not. The lie is built on thirty years of milestones that are not milestones, roadmaps without foundations, and the systematic removal of caveats from honest scientific papers.
The encryption is not breaking. The quantum computer that would break it does not exist. The foundational unit it would need — a single logical qubit — has never been demonstrated. The distance from here to there is not years. It is an unknown number of decades and an unknown number of engineering problems, stacked behind the one that hasn’t been solved yet.
The money flowing into this narrative is real. The threat is not.