QRI Research Note

When Quantum Can Break RSA-1024

Quantum Threat Level 60

The point where legacy systems move from risky to indefensible

RSA-1024 is no longer recommended for modern security, but it has existed in real systems, documents, certificates, and legacy products. A quantum RSA-1024 break would be a major transition point because it would show the machine can attack keys that were once widely trusted.

Index level60 / 100
Planning windowEarly to mid-2040s in conservative planning; sooner in aggressive scenarios
Bitcoin statusSafe from RSA-specific attack, but the warning level rises

RSA-1024 is not Bitcoin. But a quantum RSA-1024 break would be one of the clearest public signs that cryptographically relevant quantum computing is approaching modern targets.

What this level means

RSA-1024 sits between obsolete RSA-512 and modern RSA-2048. Many organizations already treat it as insufficient, yet legacy systems can persist for decades. A quantum break at this level would make any remaining RSA-1024 use impossible to defend.

Technically, this milestone requires roughly double the input size of RSA-512 and much more arithmetic work. It would test whether fault-tolerant quantum systems can scale in a way that tracks theory rather than stalling at intermediate sizes.

What technology needs to be developed to get here

The technology stack must now look like an early cryptanalytic computer, not a research processor. The bottlenecks are no longer isolated components; they are system throughput, uptime, and resource orchestration.

Large logical processors

The system needs enough logical qubits for large arithmetic registers, scratch space, and parallel operations. Efficient algorithms can reduce the requirement, but not remove the need for scale.

Reliable magic-state supply

RSA-1024 makes non-Clifford resource production a central engineering challenge. Factories must produce high-quality states continuously while the main computation consumes them.

Fast surface-code cycles

Resource estimates are sensitive to cycle time. Microsecond-scale or otherwise high-throughput correction cycles can change whether an attack takes hours, days, or far longer.

System uptime

A cryptanalytic run may require sustained operation over long periods. Automatic recalibration, fault handling, and robust scheduling become mandatory.

Classical control and decoding

A large error-corrected quantum computer is also a large real-time classical computing system. Decoders must process syndrome data without becoming the bottleneck.

Supply chain maturity

Manufacturing repeatability, component availability, cryogenic capacity, photonic integration, or laser stability must become industrial capabilities rather than lab exceptions.

Expected timeline and development path

RSA-1024 is where planning estimates become highly sensitive to hardware platform assumptions. It may arrive much later than RSA-512 if scaling overheads grow, or sooner if architecture breakthroughs reduce costs.

Prerequisite

A credible RSA-512 break, falling logical-error rates, and clear evidence that larger circuits remain controllable.

Development window

Early to mid-2040s is a conservative planning range, but aggressive roadmaps may try to pull this earlier through better codes, layouts, and arithmetic.

Operational checkpoint

QRI would ask whether the machine can repeat the break, attack new keys, and publish enough data for independent analysis.

What this means in real life

This level would be more relatable than smaller benchmarks because RSA-1024 has existed in real infrastructure.

Legacy websites

Old servers, appliances, or private systems that never upgraded could be exposed.

Industrial equipment

Long-lived industrial devices sometimes keep old cryptographic stacks because replacing them is expensive.

Archived signatures

Old signed documents and software could face new authenticity questions if weak RSA keys remain trusted.

Government records

Records with long confidentiality lifetimes would face stronger harvest-now-decrypt-later concerns.

Corporate mergers

Acquired infrastructure may contain forgotten RSA-1024 keys or certificates.

Compliance

Regulators would have little patience for organizations still relying on legacy public-key algorithms.

Bitcoin relevance

Bitcoin signatures are elliptic-curve signatures, not RSA. RSA-1024 does not directly break Bitcoin wallets.

However, RSA-1024 would be a strong warning that the same underlying quantum capabilities might eventually threaten elliptic-curve systems. Bitcoin planning should already be active by this point.

Signals QRI would look for

  • A verified RSA-1024 factorization by a quantum system
  • Evidence the result was not primarily classical factoring
  • Machine uptime long enough for cryptanalytic workloads
  • Commercial or government procurement of large fault-tolerant systems
  • Rapid updates to PQC migration deadlines after the milestone

Sources and framing

QRI treats these dates as planning ranges, not predictions. The references below inform the article series: NIST has finalized practical PQC standards, NIST NCCoE emphasizes inventory and migration planning, NSA/CNSA guidance says planning and budgeting should happen now, and Google has published both an accelerated PQC migration target and updated factoring-resource estimates.