QRI Research Note
When Quantum Can Break 64-bit RSA and ECC
Quantum Threat Level 30
From toy demonstrations to recognizable cryptographic structures
A 64-bit RSA or ECC break would still be tiny by real-world security standards, but it would be a more serious algorithmic milestone. It would show that a quantum computer can handle a nontrivial public-key problem rather than a heavily simplified classroom example.
Do not confuse 64-bit toy public-key milestones with modern 128-bit symmetric security. RSA/ECC bit sizes and AES bit sizes are not comparable.
What this level means
Public-key cryptography depends on math problems that grow hard very quickly as key sizes increase. A 64-bit RSA modulus or tiny elliptic-curve group is not secure today, even classically. But breaking it with a fault-tolerant quantum circuit would show that qubit reliability, arithmetic depth, and software compilation are all improving together.
This level would be a bridge between proof-of-principle demonstrations and cryptographic engineering. It would not endanger modern TLS, code signing, passkeys, or Bitcoin, but it would make the quantum threat easier to measure.
What technology needs to be developed to get here
Reaching 64-bit RSA/ECC requires the machinery of Shor-style computation to survive longer and execute more structured operations than tiny demonstrations.
A 64-bit target may need enough logical workspace for registers, scratch space, and arithmetic operations. The exact number depends on circuit design, but the key point is that qubits must be logical and usable, not merely present.
The computation must run through many dependent operations. That means lower logical error rates, better scheduling, and a lower probability that one fault spoils the entire run.
Reusable quantum arithmetic blocks become important: adders, multipliers, modular reduction, and elliptic-curve group operations. These libraries must be optimized for a real hardware architecture.
Non-Clifford operations are often a bottleneck. Systems need a way to produce and consume high-quality magic states at a pace that does not stretch runtimes into impractical ranges.
Small cryptanalytic circuits can still be slow if every operation is serialized. Parallel control, routing, and measurement are needed to make circuit depth manageable.
At 64 bits, results are easy to verify classically. That makes this a useful checkpoint for comparing claimed quantum speed, reliability, and resource estimates.
Expected timeline and development path
This level is likely to follow credible tiny Shor demonstrations. If it arrives quickly after Level 20, that would suggest the field has found a scalable implementation path.
The system must first show repeatable tiny key breaks with transparent quantum resource accounting.
Researchers then scale arithmetic circuits, add error-corrected workspace, and improve logical operation depth.
QRI would treat mid-2030s as an aggressive public milestone and late-2030s as a more conservative range, depending on hardware progress.
What this means in real life
For everyday users, this milestone is still mostly symbolic. The relatable impact is in what it tells security teams to do, not in what it lets attackers do immediately.
The broken keys would look like training weights, not the keys protecting your bank or phone.
Large organizations would update risk dashboards because a real cryptographic benchmark had moved.
Quantum cryptanalysis would move from theory slides to repeatable lab demonstrations.
Software and hardware vendors would face stronger questions about PQC migration timelines.
Many people would hear 64-bit and think of modern security. The distinction between key types would need clear explanation.
Regulators could use the milestone as evidence that transition programs should not wait for a full RSA-2048 break.
Bitcoin relevance
Bitcoin remains safe at this level. A 64-bit elliptic-curve demonstration would be far below secp256k1, the curve used by Bitcoin signatures.
Still, this level would strengthen the case for Bitcoin ecosystem research into quantum-safe address types, migration paths, and wallet behavior long before emergency conditions.
Signals QRI would look for
- A fault-tolerant 64-bit factoring or discrete-log demonstration
- Published circuit depth and logical error assumptions
- Resource estimates that scale smoothly from 64 bits upward
- Independent verification of the target and result
- Evidence that runtime is improving, not only qubit count
Sources and framing
QRI treats these dates as planning ranges, not predictions. The references below inform the article series: NIST has finalized practical PQC standards, NIST NCCoE emphasizes inventory and migration planning, NSA/CNSA guidance says planning and budgeting should happen now, and Google has published both an accelerated PQC migration target and updated factoring-resource estimates.