The Quantum Threat Just Got Real

Rahil Patel, CGO | QNu Labs

For decades, RSA-2048 has stood as a cornerstone of digital security - reliable, resilient, and presumed safe from quantum attacks for the foreseeable future. That presumption is now being challenged.

In a striking new development, quantum computing researcher Craig Gidney from Google has released a paper that redefines the urgency of the quantum threat. His analysis claims that factoring a 2048-bit RSA key—the backbone of much of today’s secure internet—is possible with fewer than one million noisy qubits and under a week of runtime.

To appreciate the significance, consider that Gidney himself had previously estimated, in a landmark 2019 paper, that 20 million qubits would be required to break RSA-2048. This 20x reduction isn’t just a recalibration, it’s a signal that quantum attacks on classical cryptography are moving from theory towards feasibility, faster than many anticipated. The window of opportunity for businesses at large to transition to quantum-safe infrastructure is narrowing, and acting on it is more imperative now than ever before.

A Leap in Architecture, Not Just Arithmetic

What makes this breakthrough remarkable isn’t just the reduced qubit count. It’s the innovation behind it. Three architectural shifts significantly lower the practical threshold for breaking RSA:

  • Approximate Residue Arithmetic: This method avoids full-precision modular exponentiation. By using truncated residue calculations, it conserves memory without compromising quantum period finding.
  • Magic State Cultivation: An efficiency improvement technique that reduces the overhead needed for fault-tolerant quantum gates.
  • Yoked Surface Codes: A novel memory encoding method that packs idle qubits more tightly, enhancing spatial efficiency and allowing denser logical qubit storage.

The most important aspect is that together, these advancements yield a design that operates under realistic quantum error assumptions: 0.1% gate error rate, 1µs cycle times, and 10µs classical feedback - all well within plausible near-future hardware specs.

What This Means for Cryptographic Resilience

Let’s be clear: RSA-2048 hasn’t been broken yet. But the perceived safety horizon has just collapsed from “several decades” to “within reach.” We’re no longer speculating in the abstract. This is an engineering target - one that national security labs, hyperscale cloud providers, or specialized quantum startups could realistically achieve through continuous innovation. The window of opportunity for migration therefore continues to shrink for enterprises that seek to protect their data.

This shift has strategic consequences:

  • "Harvest Now, Decrypt Later" is Here: Any sensitive data with a long lifecycle - defence communications, medical records, trade secrets - must now be considered vulnerable to quantum interception and deferred decryption.
  • Crypto-Agility Becomes a Core Metric: RSA is embedded deep in authentication stacks across infrastructure, finance, telecom, and government. Systems must be measured not only for uptime, but for their ability to transition cryptographic protocols swiftly.
  • Regulatory and Policy Lag Is Now a Risk: Compliance is no longer sufficient. Trust, continuity, and national security require policy frameworks that anticipate, not react to, the quantum timeline.

A Direct Message to CISOs, CTOs, and Policymakers

This paper isn’t about numbers. It’s about pace. The quantum future isn’t waiting for us to be ready - it’s accelerating toward us.

If you are responsible for safeguarding digital infrastructure, here are three imperatives:

  1. Make Quantum-Safe Readiness a Board-Level Topic: This is no longer a niche research problem. Post-quantum cryptography (PQC) must become part of mainstream enterprise risk planning, akin to how we treat cyber hygiene or disaster recovery.
  2. Start With High-Value, Long-Life Workflows: Don’t wait for full standards ratification. Begin piloting hybrid cryptography models in data-sensitive applications. Inventory where RSA is used, and prepare migration pathways.
  3. Engage With the Standards Process Early: NIST’s PQC standardization is nearing its final phase. The organizations that contribute now will have influence, foresight, and better alignment when mandated adoption arrives.

The Roadmap Is Public. The Clock Is Ticking.

Every once in a while, a paper changes the nature of a conversation. This is one of those moments.

Gidney’s work doesn’t spell the end of RSA today. But it removes the illusion that we have time to waste. The quantum threat is no longer a distant future problem; it’s a present-day engineering challenge.

And for security leaders, technologists, and public sector strategists, the takeaway is clear:

The transition to quantum-safe infrastructure must begin not as a compliance checkbox, but as a strategic imperative.

Source: https://arxiv.org/html/2505.15917v1
