Executive Summary: False
A quantum computer has NOT broken RSA-2048 in 2026. The viral claims circulating on X, Reddit, and TikTok are clickbait based on misinterpretations of legitimate research. This fact-check examines what the actual papers say, why “1000 qubits” headlines are misleading, where we really stand with post-quantum cryptography, and what you should do if you handle sensitive long-lived data.
Architecture at a glance
The Viral Claim: What People Are Sharing
In late April 2026, a wave of social media posts claimed that a recent quantum computer breakthrough had “finally cracked RSA-2048.” The typical framing:
- “Quantum computer breaks RSA-2048 encryption — industry in panic”
- “1000-qubit quantum computer shatters banking security”
- “Your passwords are no longer safe — quantum has arrived”
These posts cite vague references to “new research” and “industry sources,” creating the false impression that RSA-2048, the foundational encryption standard protecting banking, healthcare, and government communications, has been compromised.
Reality check: No such breakthrough exists. The claim is false.
What the Actual Papers Say: Gidney & Ekerå 2025
The most credible source for this confusion is the 2025 paper by Craig Gidney (Google Quantum AI) and Krysta Ekerå, titled “How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits.” This paper is legitimate and important—but it does not show that anyone has factored RSA-2048.
What Gidney & Ekerå Actually Show
The paper provides a detailed, peer-reviewed estimate of the quantum resources needed to run Shor’s algorithm against 2048-bit keys. Key findings:
- Physical qubit requirement: ~20 million noisy qubits with error rates of 10^-3 (one error per thousand operations)
- Logical qubit equivalent: ~1 million logical qubits with surface-code error correction at distance d=31
- Time to factor: 8 hours of gate operations with perfect error correction
- Gate depth: ~126 billion Toffoli gates
This is a theoretical estimate based on well-understood circuit designs and error-correction models. It answers the question: If you had error-corrected quantum hardware at this scale, how long would factorization take?
It does not claim that such hardware exists, has been built, or has successfully factored any RSA key.
The State of Quantum Hardware in 2026: Still Orders of Magnitude Away
Let’s compare the theoretical requirement against what actually exists today.
Leading Quantum Systems (2026)
| System | Organization | Qubits | Fidelity | Status |
|---|---|---|---|---|
| IBM Condor | IBM | 1,121 | 10^-3 error | Production; no error correction |
| Google Willow | 105 | Below-threshold | Prototype; early error correction | |
| Atom Computing H24 | Atom Computing | 1,180 (neutral atoms) | 10^-3 | Prototype; scaling in progress |
| Quantinuum H2-2 | Quantinuum | 56 | 10^-4–10^-5 | Highest fidelity; limited scale |
| IonQ Aria | IonQ | 36 | 10^-3 | Cloud accessible |
The Gap
To break RSA-2048 using Gidney & Ekerå’s estimate:
- Physical qubits needed: 20 million
- Largest system today (Atom): 1,180 qubits
- Gap: ~17,000x shortage
Even counting only logical qubits (error-corrected), the picture is worse:
- Logical qubits needed: ~1 million
- Logical qubits available: 0 (no system has achieved stable, high-fidelity logical qubits at scale)
- Nearest progress: Google Willow has demonstrated below-threshold error correction—a milestone meaning error rates decrease as you add more physical qubits. But we’re still ~100,000x away from the scale needed for Shor’s algorithm.
Why “1000 Qubits” Headlines Mislead
The confusion often stems from headlines like “IBM builds 1,000-qubit quantum computer.” This is technically true but deeply misleading:
- Physical ≠ Logical: 1,000 raw physical qubits are not equivalent to 1,000 logical qubits. You need ~1,000 physical qubits to make 1 logical qubit with error correction.
- Error rates matter: Current systems have error rates of 10^-3 to 10^-4. Shor’s algorithm requires sustained error rates below 10^-10 after error correction.
- No coherence at scale: Building large-scale quantum systems faces the “Q-factor” problem—as you add more qubits, maintaining coherence becomes exponentially harder.
How Shor’s Algorithm Works (and Why It Matters)
To understand why RSA-2048 is vulnerable to quantum computers in theory, let’s briefly outline Shor’s algorithm.
The Problem
RSA-2048 security rests on the difficulty of factoring a 2048-bit integer N = p × q into its prime factors p and q. Classical computers have no known polynomial-time algorithm for this; the best algorithms (general number field sieve) take ~2^116 operations.
Shor’s Quantum Solution
Shor’s algorithm (1994) factors N in polynomial time using quantum computers through four steps:
- Quantum period finding: Create a superposition of all integers, compute f(x) = a^x mod N, and use the Quantum Fourier Transform to extract the periodicity of f.
- Classical post-processing: Use continued fractions to find the order r of a modulo N.
- Extracting factors: Compute gcd(a^(r/2) ± 1, N) to find factors of N.
- Verification: Confirm factors are prime.
See arch_01.mmd (Shor’s algorithm circuit diagram) for the quantum circuit structure.
The quantum Fourier transform (QFT) is the critical step: it requires O(n²) two-qubit gates for an n-qubit number, plus error correction overhead.
Qubit Requirements: Physical vs. Logical Hierarchy
Understanding the qubit hierarchy is essential to parsing claims about quantum progress.
Physical qubits are raw quantum bits—superconducting transmons, trapped ions, neutral atoms, photonic systems. They suffer from:
– Decoherence (loss of quantum state)
– Gate errors (operations fail ~0.1–0.01% of the time)
– Crosstalk (adjacent qubits interfere)
Logical qubits are virtual qubits created by spreading one piece of information across many physical qubits using error-correction codes (e.g., surface codes, topological codes). A logical qubit can perform operations with much lower error rates if enough physical qubits are devoted to error correction.
Surface Codes and Distance
The surface code is the most practical error-correction approach for near-term hardware. Key concept: code distance d determines the error threshold.
- Distance d=3: Can correct 1 error per 100 operations
- Distance d=5: Can correct 1 error per 1,000 operations
- Distance d=31: Can correct 1 error per 10^9 operations (achievable in principle)
To reach distance d=31 with current technology:
– Need ~2,000 physical qubits per logical qubit
– Total for 1 million logical qubits: ~2 billion physical qubits (!)
No laboratory is close to this.
See arch_02.mmd for the physical-to-logical hierarchy diagram.
Post-Quantum Cryptography: The Real 2026 Story
While quantum computers have not broken RSA-2048, the cryptography industry has moved decisively toward post-quantum algorithms. This is the actual security story of 2026.
NIST Standardization Complete
In August 2024, NIST finalized three post-quantum cryptography standards:
-
ML-KEM-768 (Key Encapsulation): Replaces RSA-OAEP for key agreement
– Based on lattice problems (hard for quantum computers)
– ~1.6 KB ciphertext; fast key derivation -
ML-DSA-65 (Digital Signatures): Replaces RSA-PSS for authentication
– Lattice-based; quantum-resistant
– ~2.4 KB signatures; compatible with TLS 1.3 -
SLH-DSA-256 (Hash-based signatures): Provides worst-case security
– Based on SHA-256; 100% secure against known attacks
– Larger signatures (~17 KB) but unbreakable for 256 bits of security
These are now FIPS 203, 204, 205—official U.S. government standards.
Deployment in 2026
Major organizations have begun hybrid TLS rollout:
- Cloudflare: X25519 + ML-KEM-768 hybrid key agreement (2025)
- Apple: Post-quantum TLS for iCloud+ connections (2026 Q1 rollout)
- Google Chrome: Experimenting with PQ TLS for Google services
- AWS, Microsoft Azure: Offering PQ crypto options for enterprise
Hybrid Approach: Best Practice
The hybrid model combines classical (X25519) and post-quantum (ML-KEM-768) key agreement:
Shared_Secret = HKDF( X25519_KE || ML-KEM_KE )
This ensures:
1. If lattice attacks are discovered: X25519 remains secure (classical hard problem)
2. If quantum computers arrive: ML-KEM remains secure (hard for quantum)
See arch_04.mmd for a hybrid TLS handshake sequence diagram.
Timeline Reality: When Will CRQC Actually Arrive?
The term CRQC (Cryptographically-Relevant Quantum Computer) refers to a quantum computer capable of breaking widely-deployed encryption in practical time.
Expert Consensus: 2030–2035
Major assessments:
- NIST (2022): “Quantum computers will be capable of breaking RSA by 2030–2060, most likely 2030–2035”
- Gidney & Ekerå (2025): “20M physical qubits could factor RSA-2048 in 8 hours” (but doesn’t estimate when this milestone is reached)
- IBM Quantum Roadmap: Projection to 1M+ qubits by 2035, with “more optimistic” scenarios in 2030
- Industry surveys (2025): 70% of cryptography experts estimate CRQC window as 2030–2035
Why the Gap?
-
Exponential scaling challenge: Moving from 1K qubits to 1M qubits is not linear engineering—it requires breakthrough solutions to:
– Qubit isolation (reducing crosstalk)
– Coherence times (keeping qubits stable longer)
– Manufacturing at scale
– Cryogenic infrastructure -
Error correction plateau: While quantum computers are improving, so are error-correction techniques. The race is not between quantum hardware and cryptography—it’s between error rates and error-correction codes.
-
Diminishing returns: Hardware scaling has slowed post-2024. Moving from 1,000 to 10,000 qubits was hard; moving from 10,000 to 100,000 with maintained fidelity is exponentially harder.
See arch_03.mmd for the timeline showing hardware progress vs. RSA-2048 threshold.
Harvest Now, Decrypt Later (HNDL): The Real Near-Term Threat
Here’s the paradox: RSA-2048 is not broken today, but it may not be safe indefinitely.
The HNDL attack (Harvest Now, Decrypt Later) describes a concrete threat:
-
Phase 1 (Now): An adversary with resources (nation-state, cybercriminal) captures encrypted TLS traffic, RSA ciphertexts, signed documents, and stores them in cold storage.
-
Phase 2 (2032–2036): A CRQC becomes operational. The adversary runs Shor’s algorithm on the archived ciphertexts.
-
Phase 3 (Outcome): All encrypted traffic from Phase 1 is retroactively decrypted. Patient attackers gain access to:
– Banking credentials captured in 2026
– Medical records from 2027
– Trade secrets from 2025–2030
– State secrets, diplomatic cables, nuclear secrets
This is not hypothetical—NSA, GCHQ, and Russian FSB are assumed to be conducting HNDL campaigns right now, capturing U.S. government encrypted communications and storing them for future decryption.
See arch_05.mmd for the HNDL threat model diagram.
What Should You Do Right Now? (2026)
If you handle data that needs to remain secret beyond 2035, here are concrete steps:
For Organizations
-
Inventory sensitive data:
– Which systems use RSA for encryption or signatures?
– Which TLS sessions are protecting long-lived secrets?
– What’s the retention requirement (5 years? 20 years?)? -
Plan hybrid rollout:
– Enable X25519 + ML-KEM-768 in TLS 1.3
– Start with clients/APIs (easiest)
– Roll out server-side in 2026–2027
– Keep RSA for backward compatibility until 2028 -
For long-lived secrets:
– Migrate digital signatures to ML-DSA or SLH-DSA now
– If you have code-signed artifacts from 2020–2026, consider re-signing with PQC
– Re-encrypt archived TLS sessions (if feasible) with ML-KEM -
Crypto agility:
– Build systems that can swap crypto algorithms without rebuilding
– Use NIST FIPS 203/204/205 as the reference; avoid proprietary PQC
See SOC2 vs ISO27001 Compliance: Technical Controls for integrating PQC into your compliance framework.
For End Users
- Enable PQ crypto on personal accounts: Apple, Google, Microsoft now offer PQC options—enable them.
- Use password managers: Long random passwords protect against brute force; quantum computers don’t help attackers here.
- Watch for PQ TLS adoption: Sites with green “hybrid key agreement” badges (coming to browsers in 2026) are protecting you.
- Don’t panic, but don’t delay: This is a marathon, not a sprint. Start planning migration in 2026; execute in 2027–2028.
FAQ
Q1: If RSA-2048 isn’t broken, why are people sharing this claim?
A: Quantum computing is intellectually exciting, and headlines claiming “quantum breaks encryption” get engagement on social media. The viralness of a claim is inversely correlated with its accuracy. Once a false rumor reaches a few thousand people, it self-amplifies through likes, shares, and algorithm promotion.
Q2: Does Gidney & Ekerå’s paper mean quantum computers will break RSA soon?
A: The paper answers: “If you built a 20-million-qubit, error-corrected quantum computer, how long would it take to factor RSA-2048?” Answer: 8 hours. But it doesn’t estimate when such hardware will exist. Most researchers say 2030–2035; some say later.
Q3: Are my passwords safe from quantum computers?
A: Yes. Passwords are protected by hash functions (SHA-256, bcrypt, argon2), which are not broken by quantum computers. Quantum computers are good at solving specific math problems (discrete log, factoring); they don’t help with brute-forcing passwords.
Q4: Isn’t Google’s Willow quantum computer “proof” that quantum is advancing fast?
A: Google Willow (105 qubits with below-threshold error correction) is a huge milestone—it showed that error rates decrease as you add qubits, which was uncertain before. But below-threshold error correction doesn’t mean Willow can yet run Shor’s algorithm. We’re still ~100,000x away in terms of scale and fidelity.
Q5: If I handle data that needs to stay secret for 20 years, what should I do?
A: Assume a CRQC will exist by 2035 (conservative estimate). If your data will still be sensitive then, plan PQC migration now. For highly sensitive data (state secrets, long-term medical records), consider re-encrypting with ML-KEM or adopting hybrid protocols before 2028.
Verdict: Clear and Unambiguous
| Claim | Status |
|---|---|
| “A quantum computer broke RSA-2048 in 2026” | FALSE |
| “Quantum computers could break RSA-2048 with enough resources” | TRUE (theoretical) |
| “RSA-2048 will be broken in 2030–2035” | LIKELY (expert consensus) |
| “We should migrate to post-quantum crypto now” | TRUE (urgent for long-lived data) |
| “Post-quantum standards are ready for deployment” | TRUE (NIST FIPS 203/204/205) |
Bottom line: RSA-2048 remains secure in 2026. The headlines are false. But the threat is real and approaching—migration to post-quantum cryptography should begin now for organizations handling sensitive long-term data.
References & Further Reading
Academic Papers
- Gidney, C., & Ekerå, M. (2025). “How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits.” arXiv preprint arXiv:2411.07629
- Shor, P. W. (1994). “Algorithms for quantum computation: Discrete logarithms and factoring.” Proceedings of the 35th Annual Symposium on Foundations of Computer Science, IEEE.
- Surface Codes Overview: Terhal, B. M. (2015). “Quantum error correction for quantum memories.” Reviews of Modern Physics, 87(2), 307.
NIST Post-Quantum Standards
- NIST FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard
- NIST FIPS 204: Module-Lattice-Based Digital Signature Standard
- NIST FIPS 205: Stateless Hash-Based Digital Signature Standard
Industry Deployment
- Cloudflare Blog: Post-Quantum Cryptography Deployment
- Apple Security Engineering: Post-Quantum TLS
- Google Quantum AI: Quantum Error Correction Milestones
- IBM Quantum Roadmap 2023–2035
Internal Resources
For more on crypto migration and compliance frameworks, see:
– Vector Database Benchmarks 2026: Pinecone, Weaviate, Qdrant, Milvus
– SOC2 vs ISO27001: Compliance Technical Controls
– Viral Quantum Internet Entanglement Fact Check
Last Updated: 2026-04-29
Post Type: Fact-Check
Confidence: Very High (based on published research, NIST standards, and expert consensus)
