Skip to content
QRIA BriefingsRSS · QRIA
Series · Part 55 of 55
The Chokepoint Doctrine
The Inequality Has Already Been Violated
Chokepoint DoctrineJuly 10, 202614 min read

The Inequality Has Already Been Violated

I went looking for one number — the 20 million qubits everyone said it would take to break RSA-2048 — and found it no longer holds. Not because the hardware moved, but because the mathematics did: three papers in ten months (Gidney's under-a-million, Iceberg's contested sub-100,000, and a Caltech–Berkeley–Oratomic team's 'as few as 10,000') have compressed the requirement more than a thousandfold. Applied honestly to a decade-long harvest and multi-decade confidentiality periods, the Mosca inequality no longer rules out that the most sensitive data already collected is compromised in waiting. The full arithmetic — and what it means for AUKUS, the harvest, and a policy response that has not caught up.

~24 min

How This Started

I did not set out to write the most alarming thing this platform has published. I was trying to verify a number.

A specific number, the one that appears in the regulatory guidance governments and standards bodies have used to justify their post-quantum migration timelines: the estimated qubit count required to break RSA-2048, the encryption protecting most internet banking, most government email, most diplomatic cable traffic, and most of the encrypted data the world's intelligence services have been systematically collecting for a decade under the harvest-now-decrypt-later doctrine.

The number I was trying to verify was twenty million. That was the figure from the 2019 paper by Craig Gidney and Martin Ekerå at Google — twenty million physical qubits, running roughly eight hours. It became the benchmark. The largest publicly available quantum processors in 2026 hold somewhere between a thousand and a few thousand qubits. Twenty million was the number that made Q-Day feel safely distant. It justified migration timelines stretching to 2030, 2032, 2035. It let governments treat quantum-resistant cryptography as a prudent long-term investment rather than an emergency.

I went looking for that number and found that it no longer holds — not because the hardware moved, but because the mathematics did. This article is the calculation done honestly. I write it in the first person because the path to the conclusion matters as much as the conclusion: the reason it has not yet reached the people who must act on it is not that the information is classified. It is that nobody has assembled it in one place and done the arithmetic in public.

The Number That Changed

In May 2025, Craig Gidney — the same Google researcher behind the 2019 benchmark — published a follow-up, "How to factor 2048-bit RSA integers with less than a million noisy qubits" (arXiv:2505.15917). The estimate: fewer than one million physical qubits, in under a week. A roughly twentyfold reduction from the same researcher, using the same error-rate assumptions and the same hardware parameters. The bar did not fall because the hardware improved. It fell because the algorithm and the error-correction did — approximate residue arithmetic, yoked surface codes, magic-state cultivation. Better mathematics describing what existing hardware types would need to do.

That should have been the moment every government that built its migration timeline around twenty million qubits revised it. In some cases it was: Google moved its internal migration deadline to 2029. But the Gidney paper was not the end of the compression. It was the start of a sequence.

In February 2026, the startup Iceberg Quantum published its "Pinnacle" architecture, using quantum low-density parity-check (QLDPC) codes rather than surface codes, and argued RSA-2048 could fall with fewer than 100,000 physical qubits — another order of magnitude. I flag this one honestly: it is contested. Gidney himself has said he has specific problems with its assumptions, and QLDPC codes carry their own unsolved engineering — connectivity, decoding latency, fabrication — that has not been validated at scale. Treat the 100,000 figure as a claim under dispute, not a settled result.

Then, on 31 March 2026, a team from Caltech, UC Berkeley, and the neutral-atom startup Oratomic — with lead author Madelyn Cain, alongside Manuel Endres, John Preskill, Hsin-Yuan Huang, and Dolev Bluvstein — published what is, in my assessment, the most significant single paper in the quantum-threat literature to date: Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits (arXiv:2603.28627). Not names on the fringe of the field. The paper's headline result is that Shor's algorithm can be run at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits — roughly 26,000 physical qubits for a time-efficient elliptic-curve (P-256) attack, with RSA-2048 sitting above the 10,000 floor at a runtime one to two orders of magnitude longer than the elliptic-curve case. This is the same atomic-array architecture Caltech demonstrated at 6,100 atoms in September 2025.

Let me state the progression plainly so the compression is fully visible.

  • 2019: ~20,000,000 qubits to break RSA-2048.
  • May 2025: under 1,000,000 (Gidney) — roughly a twentyfold cut.
  • February 2026: under 100,000 (Iceberg — contested) — another order of magnitude.
  • March 2026: as few as ~10,000 for cryptographically relevant Shor's, ~26,000 for a fast elliptic-curve attack (Caltech, UC Berkeley, and Oratomic); RSA-2048 above the 10,000 floor.
Log-scale chart of the qubit count required to break RSA-2048, falling from 20 million (Gidney and Ekerå, 2019) to under 1 million (Gidney, May 2025), under 100,000 (Iceberg, February 2026, contested), and about 10,000 (Caltech/Berkeley/Oratomic, March 2026) — a reduction of more than a thousandfold in seven years, driven by algorithms and error correction rather than hardware.
The requirement collapsed by more than a thousandfold in seven years — and not one qubit of it came from a hardware breakthrough. Every drop was mathematics: better algorithms, better error correction. "As few as 10,000" is the crypto-relevant floor; RSA-2048 sits above it, and these remain resource estimates, not a built machine.

From twenty million to the low tens of thousands in seven years — a reduction of more than a thousandfold, and not from hardware advances. From mathematics. The Quantum Insider captured the moment in its own headline: "Q-Day Just Got Closer: Three Papers in Three Months Are Rewriting the Quantum Threat Timeline."

Now the caveat that keeps this honest, because it is exactly where a serious technical reader will test me. These are resource estimates, not demonstrations. Caltech's 6,100-atom array is a genuine milestone — 6,100 caesium atoms held in optical tweezers, ~13-second coherence, high-fidelity single-qubit control. But trapping and controlling atoms is not the same thing as running Shor's algorithm. Between a 6,100-atom array and a machine that factors RSA-2048 lies the hardest unsolved problem in the field: high-fidelity two-qubit gates and quantum error correction at scale, sustained across tens of thousands of qubits for days. Nobody has built that. My assessment is precise: the gap between demonstrated hardware and a cryptographically relevant quantum computer is no longer measured in orders of magnitude of qubit count. It is now measured in fault tolerance — a real, hard, engineering gap, but one whose timeline is no longer measured in decades, and whose remaining distance the March 2026 paper has quietly redefined from "millions of qubits away" to "the fault-tolerant version of a machine we have already partly built."

The Mosca Inequality — And Why the Condition May Already Be Met

Michele Mosca, the cryptographer who formalised the harvest-now-decrypt-later risk, gave us a framework that is elegant and, applied honestly, devastating.

The Mosca inequality: if migration time plus required confidentiality period exceeds the time to Q-Day, the data is already at risk.

QRIA Advisory

This analysis is published. Your decision isn't.

We run the same cross-domain, scenario-based foresight on the decision in front of you — a deal, a market entry, a supplier dependency. Board-ready in five days, with a foresight indicator watchlist.

Commission a Predictive BriefBook a 30-min strategic call