Information security people are worried about Q-Day, and maybe not worried enough. That’s the date when quantum computing will render today’s encryption methods obsolete. Information security depends on cryptography – secret code keys that are uncrackable because of large numbers and hard math problems.
The good news from quantum computing is that we’ll have a new generation of more-powerful computers, with the usual benefits – discovering new medicines, powering AI, and generating cat videos. The bad news is that we will have to come up with more-robust cryptography, in time for Q-Day.
Breaking Crypto
Quantum computers are not literally faster than today’s binary ones, but they support a new class of algorithms made possible by the weirdness of quantum theory. Oddly, the algorithms getting all the attention are not the ones for medicine or astrophysics, but those that defeat public-key cryptography.
Suppose someone wanted to find your four-digit PIN. They would have to try 10,000 different combinations (or half that, on average). This algorithm is “order n,” meaning that it varies linearly with the number of digits. See Know Your Time Series for more on “order n.” Grover’s algorithm for quantum search is order √n, which means only 100 tries.
Shor’s algorithm for prime factorization is, in fairness, kind of the first thing you would do with a new computer anyway, cryptography or no. It was my first homework assignment in Fortran (Euclid’s, not Shor’s). Cracking a four-digit code is no big deal. The backbone of information security today, RSA, uses a 2,048-bit key, which is more than 600 decimal digits.
How Many Qubits
Early microprocessors, like the Intel 4004, had about 2,250 transistors. Each transistor is like a switch that can be on or off, representing a binary digit, or “bit.” Google is proud of their latest quantum computer, Willow, with 105 quantum bits, or qubits. Shown here is its refrigeration unit. IBM advertises 1,000 qubits, but counting them is tricky.
Computers today sacrifice about 12% of their capacity, to error correction. Every eight bits in memory require a spare bit for error checking. Error checking overhead varies depending on the application. For quantum computing, this overhead is massive. It can take thousands of physical qubits to make one good “logical” one.
That’s why Google bangs on about error correction. Their 105 qubits may be stronger than IBM’s 1,000, depending on error correction. The latest paper on breaking encryption makes specific assumptions about how reliable the qubits are. It’s called How to factor 2048-bit RSA integers with less than a million noisy qubits, or 1,400 logical qubits.
When is Q-Day
Progress toward breaking RSA 2048 is happening on several fronts: better hardware, better error correction, and better algorithms (that tolerate errors). Gidney’s previous work, just four years ago, required 20 million physical qubits.
IBM plans to deliver a real, commercial-grade computer, “the first fault-tolerant quantum computer,” with 200 logical qubits, in 2029, with 2,000 in prospect around 2032. Startup IonQ is targeting 1,600 in 2028. They’re growing by acquisition, and targeting this audacious goal by stacking a bunch of new technologies.
Google is also in the hunt, but their roadmap is more complicated. As you know from the link above, Google doesn’t use the popular logical/physical shorthand. They talk about computing benchmarks that explicitly include error correction – kind of like Gidney’s “one million noisy.”
Depending on how you assess the roadmaps, Q-Day probably happens around 2030. But then, there’s “harvest now, decrypt later.” Hackers can start collecting your encrypted information today, and saving it to use later, when RSA 2048 falls.
So, the real question is: do you have confidential data that will still be important five years from now? In that case, Q-Day is today.
