QRI Research Note

When Quantum Can Break 128-bit RSA and ECC

Quantum Threat Level 40

The first milestone that would feel like serious cryptanalytic engineering

A 128-bit RSA or ECC break would still not touch modern RSA-2048, ECC P-256, or Bitcoin. But it would signal that the quantum stack can execute a longer, more complex public-key attack with enough stability to matter as an engineering trend.

Index level40 / 100
Planning windowMid to late 2030s if fault-tolerant scaling compounds
Bitcoin statusSafe, but migration planning becomes harder to ignore

Level 40 is where QRI would expect the conversation to shift from can Shor run at all to how fast are the resource estimates falling.

What this level means

At 128-bit public-key scale, the quantum computer must handle larger registers, more arithmetic, and more opportunities for errors. This is the point where the quality of the whole stack matters: qubits, error correction, compilers, decoders, and scheduling.

The milestone is not about practical criminal use. It is about proving the slope. If 64-bit and 128-bit demonstrations arrive on a smooth curve, then the timeline to larger keys becomes easier to model and harder to dismiss.

What technology needs to be developed to get here

The technology requirements at this level are about sustained logical computation. A system must run many more operations than at tiny-demo scale, with fewer pauses, fewer resets, and better error handling.

Sustained logical operation

Logical qubits must survive through a long chain of dependent gates. Memory alone is not enough; computation must remain coherent while data moves and arithmetic executes.

Lower logical error rates

The failure budget tightens as circuits deepen. The system needs lower logical error per operation and better ways to detect, correct, and recover from faults.

Improved layouts

Physical layout affects routing cost. Better chip, trap, atom-array, or photonic layouts can reduce communication overhead and shorten circuits.

Compiler optimization

Arithmetic circuits must be compressed aggressively. Fewer Toffoli gates, lower T depth, and better ancilla management directly reduce hardware requirements.

Magic-state factories

The system may need dedicated regions that manufacture high-fidelity resource states. The factory throughput can become the pace-setter for the whole attack.

Operational stability

A cryptanalytic run may need long uninterrupted operation. Calibration drift, thermal events, laser noise, microwave drift, and control faults become system-level risks.

Expected timeline and development path

A 128-bit public-key break is not expected immediately after 100 logical qubits. It likely requires an intermediate era of better logical gates and practical algorithm execution.

Foundation

Reliable logical qubits and tiny Shor demonstrations establish that the algorithm pipeline works.

Scaling phase

Hardware teams increase logical qubit counts and reduce logical error rates while software teams reduce circuit costs.

Public milestone

QRI would expect a credible Level 40 event only when the demonstration is repeatable, documented, and not dependent on hidden simplifications.

What this means in real life

The real-life meaning is still indirect, but more concrete. Security teams could no longer say quantum cryptanalysis is only a toy topic.

Corporate VPNs

Not directly broken, but the owners of VPN infrastructure would need firm PQC upgrade schedules.

Software updates

Code-signing systems would remain safe, but vendors would accelerate quantum-safe signature testing.

Medical records

Long-lived encrypted health data becomes a stronger harvest-now-decrypt-later concern.

Legal archives

Documents that must remain confidential for decades would need PQC protection soon, not eventually.

IoT devices

Devices that cannot be updated easily would become planning liabilities.

Cloud customers

Enterprises would ask cloud providers for quantum-safe roadmaps and cryptographic inventories.

Bitcoin relevance

Bitcoin is not at direct risk from a 128-bit public-key break. The gap to secp256k1 remains large.

But Bitcoin governance and wallet developers would need serious migration design work by this point, because protocol migrations can take years and require broad coordination.

Signals QRI would look for

  • Repeatable 128-bit public-key quantum demonstration
  • Clear separation from classical preprocessing shortcuts
  • Published logical error rates during the run
  • Improved Toffoli or T-gate resource estimates
  • Vendor roadmaps using demonstrations as migration evidence

Sources and framing

QRI treats these dates as planning ranges, not predictions. The references below inform the article series: NIST has finalized practical PQC standards, NIST NCCoE emphasizes inventory and migration planning, NSA/CNSA guidance says planning and budgeting should happen now, and Google has published both an accelerated PQC migration target and updated factoring-resource estimates.