QRI Research Note

When Quantum Can Break 64-bit RSA and ECC

Quantum Threat Level 30

From toy demonstrations to recognizable cryptographic structures

A 64-bit RSA or ECC break would still be tiny by real-world security standards, but it would be a more serious algorithmic milestone. It would show that a quantum computer can handle a nontrivial public-key problem rather than a heavily simplified classroom example.

Index level30 / 100
Planning windowMid-2030s in an aggressive scenario; later if logical gates scale slowly
Bitcoin statusSafe; far below Bitcoin and modern internet cryptography

Do not confuse 64-bit toy public-key milestones with modern 128-bit symmetric security. RSA/ECC bit sizes and AES bit sizes are not comparable.

What this level means

Public-key cryptography depends on math problems that grow hard very quickly as key sizes increase. A 64-bit RSA modulus or tiny elliptic-curve group is not secure today, even classically. But breaking it with a fault-tolerant quantum circuit would show that qubit reliability, arithmetic depth, and software compilation are all improving together.

This level would be a bridge between proof-of-principle demonstrations and cryptographic engineering. It would not endanger modern TLS, code signing, passkeys, or Bitcoin, but it would make the quantum threat easier to measure.

What technology needs to be developed to get here

Reaching 64-bit RSA/ECC requires the machinery of Shor-style computation to survive longer and execute more structured operations than tiny demonstrations.

More logical qubits

A 64-bit target may need enough logical workspace for registers, scratch space, and arithmetic operations. The exact number depends on circuit design, but the key point is that qubits must be logical and usable, not merely present.

Deeper circuits

The computation must run through many dependent operations. That means lower logical error rates, better scheduling, and a lower probability that one fault spoils the entire run.

Arithmetic libraries

Reusable quantum arithmetic blocks become important: adders, multipliers, modular reduction, and elliptic-curve group operations. These libraries must be optimized for a real hardware architecture.

Magic-state throughput

Non-Clifford operations are often a bottleneck. Systems need a way to produce and consume high-quality magic states at a pace that does not stretch runtimes into impractical ranges.

Hardware parallelism

Small cryptanalytic circuits can still be slow if every operation is serialized. Parallel control, routing, and measurement are needed to make circuit depth manageable.

Verification methods

At 64 bits, results are easy to verify classically. That makes this a useful checkpoint for comparing claimed quantum speed, reliability, and resource estimates.

Expected timeline and development path

This level is likely to follow credible tiny Shor demonstrations. If it arrives quickly after Level 20, that would suggest the field has found a scalable implementation path.

Prerequisite

The system must first show repeatable tiny key breaks with transparent quantum resource accounting.

Likely buildout

Researchers then scale arithmetic circuits, add error-corrected workspace, and improve logical operation depth.

Planning range

QRI would treat mid-2030s as an aggressive public milestone and late-2030s as a more conservative range, depending on hardware progress.

What this means in real life

For everyday users, this milestone is still mostly symbolic. The relatable impact is in what it tells security teams to do, not in what it lets attackers do immediately.

Old lab keys

The broken keys would look like training weights, not the keys protecting your bank or phone.

Security dashboards

Large organizations would update risk dashboards because a real cryptographic benchmark had moved.

University courses

Quantum cryptanalysis would move from theory slides to repeatable lab demonstrations.

Vendor pressure

Software and hardware vendors would face stronger questions about PQC migration timelines.

Public confusion

Many people would hear 64-bit and think of modern security. The distinction between key types would need clear explanation.

Regulators

Regulators could use the milestone as evidence that transition programs should not wait for a full RSA-2048 break.

Bitcoin relevance

Bitcoin remains safe at this level. A 64-bit elliptic-curve demonstration would be far below secp256k1, the curve used by Bitcoin signatures.

Still, this level would strengthen the case for Bitcoin ecosystem research into quantum-safe address types, migration paths, and wallet behavior long before emergency conditions.

Signals QRI would look for

  • A fault-tolerant 64-bit factoring or discrete-log demonstration
  • Published circuit depth and logical error assumptions
  • Resource estimates that scale smoothly from 64 bits upward
  • Independent verification of the target and result
  • Evidence that runtime is improving, not only qubit count

Sources and framing

QRI treats these dates as planning ranges, not predictions. The references below inform the article series: NIST has finalized practical PQC standards, NIST NCCoE emphasizes inventory and migration planning, NSA/CNSA guidance says planning and budgeting should happen now, and Google has published both an accelerated PQC migration target and updated factoring-resource estimates.