Are we having fun yet?

https://arxiv.org/abs/2603.28627

Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits

Quantum computers have the potential to perform computational tasks beyond the reach of classical machines. A prominent example is Shor's algorithm for integer factorization and discrete logarithms, which is of both fundamental importance and practical relevance to cryptography. However, due to the high overhead of quantum error correction, optimized resource estimates for cryptographically relevant instances of Shor's algorithm require millions of physical qubits. Here, by leveraging advances in high-rate quantum error-correcting codes, efficient logical instruction sets, and circuit design, we show that Shor's algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits. Increasing the number of physical qubits improves time efficiency by enabling greater parallelism; under plausible assumptions, the runtime for discrete logarithms on the P-256 elliptic curve could be just a few days for a system with 26,000 physical qubits, while the runtime for factoring RSA-2048 integers is one to two orders of magnitude longer. Recent neutral-atom experiments have demonstrated universal fault-tolerant operations below the error-correction threshold, computation on arrays of hundreds of qubits, and trapping arrays with more than 6,000 highly coherent qubits. Although substantial engineering challenges remain, our theoretical analysis indicates that an appropriately designed neutral-atom architecture could support quantum computation at cryptographically relevant scales. More broadly, these results highlight the capability of neutral atoms for fault-tolerant quantum computing with wide-ranging scientific and technological applications.

@sophieschmieg When people question the aggressive quantum readiness timelines given that 100-qubit computers are all we have today, I have to explain that it's not just a matter of building a computer with a million qubits, but that researchers are still publishing optimizations that may cut that by a factor of 10, or 100, or more. And we simply don't know if or when they'll figure out something better.

@targetdrone @sophieschmieg

It's that, plus the fact that the day you migrate to PQC, all your *future* comms are safe, but all your past comms *will* be vulnerable some day.

If those comms contain other key / authentication materials for other parts of the system, then the Adversary will gain access to those as well.

That, and the unfortunate reality that a lot of orgs will drag their feet on this and you'll have vulnerable crypto in prod probably even after the first utility-scale machines.

@emc2 @sophieschmieg On the flip side, quantum attacks will remain expensive for a long time. Nobody's going to spend coin to crack rabbitfanciersforum.com when they could instead profit from cracking verylargebank.com.

If I were an attacker, I'd go after the CAs like digicert et al. With a signing key I would forge any site certs I wanted. PQ preparedness won't stop this until the bad CA certs are out of everyone's trust stores.

@targetdrone @emc2 yeah, CAs and CT logs are the keys you want.

@targetdrone @sophieschmieg

Yes, it will be stuff like "we're going to spend the next two months cracking the key agreement on this intercept from such-and-such embassy we intercepted in 2007", probably for decades after the first utility-scale machines exist.

However, I could see seemingly lower-value targets getting hit in order to set up aggregation, supply chain, or other attacks.

@emc2 @targetdrone yeah. In fact I'm worried that in some sense slower and less accessible CRQCs paradoxically pose a greater risk to the common people: if, at the extreme but imaginable end, it takes two months to break a key, and you only have one quantum computer, exploiting SNDL for random cables very quickly becomes unsatisfying. And breaking fairly few supply chain keys (CA, CT logs, identity providers, software signing, etc.) becomes very tempting, even if it risks giving away that you have a CRQC at your disposal. And those supply chain risks in turn put everyone at risk, not just some limited spy games between embassies.

@sophieschmieg @targetdrone

This is very true, and in fact I would expect targeting more public infrastructure that would allow massive disruption (e.g. central banks, public utilities in major cities, CAs, etc.) to be a better ROI, if you're after disruptive effects.

@emc2 @sophieschmieg Breaking a 2048-bit RSA key will likely take a year or more of quantum compute time initially. Using the going rate of $98 USD/minute for access to an (inadequate) 100-qubit machine, we can ballpark an initial cost of 8 or 9 figures.

You'd have to be absolutely certain of the value of the key you are cracking to realize a return on that kind of investment.

@targetdrone @sophieschmieg

I can't go into too much detail (propin, NDAs, etc.) but the actual cost of a utility-scale machine will be in the hundreds of thousands per day. The time will vary depending on the architecture, but you're looking at on the order of months to hit the P-256 curve. RSA is more of a moving target, but expect similar.