QRI Research Note
When Quantum Can Break 128-bit RSA and ECC
Quantum Threat Level 40
The first milestone that would feel like serious cryptanalytic engineering
A 128-bit RSA or ECC break would still not touch modern RSA-2048, ECC P-256, or Bitcoin. But it would signal that the quantum stack can execute a longer, more complex public-key attack with enough stability to matter as an engineering trend.
Level 40 is where QRI would expect the conversation to shift from can Shor run at all to how fast are the resource estimates falling.
What this level means
At 128-bit public-key scale, the quantum computer must handle larger registers, more arithmetic, and more opportunities for errors. This is the point where the quality of the whole stack matters: qubits, error correction, compilers, decoders, and scheduling.
The milestone is not about practical criminal use. It is about proving the slope. If 64-bit and 128-bit demonstrations arrive on a smooth curve, then the timeline to larger keys becomes easier to model and harder to dismiss.
What technology needs to be developed to get here
The technology requirements at this level are about sustained logical computation. A system must run many more operations than at tiny-demo scale, with fewer pauses, fewer resets, and better error handling.
Logical qubits must survive through a long chain of dependent gates. Memory alone is not enough; computation must remain coherent while data moves and arithmetic executes.
The failure budget tightens as circuits deepen. The system needs lower logical error per operation and better ways to detect, correct, and recover from faults.
Physical layout affects routing cost. Better chip, trap, atom-array, or photonic layouts can reduce communication overhead and shorten circuits.
Arithmetic circuits must be compressed aggressively. Fewer Toffoli gates, lower T depth, and better ancilla management directly reduce hardware requirements.
The system may need dedicated regions that manufacture high-fidelity resource states. The factory throughput can become the pace-setter for the whole attack.
A cryptanalytic run may need long uninterrupted operation. Calibration drift, thermal events, laser noise, microwave drift, and control faults become system-level risks.
Expected timeline and development path
A 128-bit public-key break is not expected immediately after 100 logical qubits. It likely requires an intermediate era of better logical gates and practical algorithm execution.
Reliable logical qubits and tiny Shor demonstrations establish that the algorithm pipeline works.
Hardware teams increase logical qubit counts and reduce logical error rates while software teams reduce circuit costs.
QRI would expect a credible Level 40 event only when the demonstration is repeatable, documented, and not dependent on hidden simplifications.
What this means in real life
The real-life meaning is still indirect, but more concrete. Security teams could no longer say quantum cryptanalysis is only a toy topic.
Not directly broken, but the owners of VPN infrastructure would need firm PQC upgrade schedules.
Code-signing systems would remain safe, but vendors would accelerate quantum-safe signature testing.
Long-lived encrypted health data becomes a stronger harvest-now-decrypt-later concern.
Documents that must remain confidential for decades would need PQC protection soon, not eventually.
Devices that cannot be updated easily would become planning liabilities.
Enterprises would ask cloud providers for quantum-safe roadmaps and cryptographic inventories.
Bitcoin relevance
Bitcoin is not at direct risk from a 128-bit public-key break. The gap to secp256k1 remains large.
But Bitcoin governance and wallet developers would need serious migration design work by this point, because protocol migrations can take years and require broad coordination.
Signals QRI would look for
- Repeatable 128-bit public-key quantum demonstration
- Clear separation from classical preprocessing shortcuts
- Published logical error rates during the run
- Improved Toffoli or T-gate resource estimates
- Vendor roadmaps using demonstrations as migration evidence
Sources and framing
QRI treats these dates as planning ranges, not predictions. The references below inform the article series: NIST has finalized practical PQC standards, NIST NCCoE emphasizes inventory and migration planning, NSA/CNSA guidance says planning and budgeting should happen now, and Google has published both an accelerated PQC migration target and updated factoring-resource estimates.