QRI Research Note

When Quantum Can Break RSA-2048

Quantum Threat Level 70

The classic cryptographically relevant quantum computer milestone

RSA-2048 is one of the central targets in quantum-risk planning. A machine that can factor RSA-2048 in a practical timeframe would be a cryptographically relevant quantum computer for a major part of today public-key infrastructure.

Index level70 / 100
Planning windowUncertain: aggressive estimates point to the 2030s; conservative planning extends into the 2040s or beyond
Bitcoin statusBitcoin not directly broken by RSA, but public-key risk becomes severe

This is the milestone that turns long-term PQC migration from prudent planning into proof that old public-key cryptography has failed for a modern target.

What this level means

RSA-2048 protects or has protected an enormous amount of digital infrastructure: certificates, VPNs, enterprise systems, identity systems, document signatures, and more. Many systems are already moving away from RSA for performance and architectural reasons, but RSA-2048 remains an iconic benchmark for quantum threat analysis.

Recent resource estimates have fallen substantially over time. Google Research published a 2025 estimate showing RSA-2048 factoring in less than a week using less than one million noisy qubits under specific assumptions. That does not mean such a machine exists today; it means the engineering target has become more concrete.

What technology needs to be developed to get here

RSA-2048 requires a full-stack fault-tolerant quantum computer with enough scale, speed, and reliability to finish a huge arithmetic computation. Every layer of the system matters.

Physical qubit scale

Depending on architecture and assumptions, the physical qubit requirement could range widely. The important point is that a cryptographic machine needs large numbers of high-quality physical qubits organized into logical qubits.

Low logical failure rate

A single high-level computation contains many operations. The logical error budget must be low enough that the total chance of failure remains acceptable.

Fast error-correction cycles

The runtime depends heavily on how quickly error-correction cycles can run. Slower cycle times can turn a theoretically possible attack into an impractical one.

Magic-state factories at scale

Large arithmetic circuits need vast non-Clifford resources. Efficient cultivation, distillation, factory layout, and scheduling can determine whether the attack is feasible.

Algorithmic optimization

Better arithmetic, lower Toffoli counts, improved residue methods, and smarter circuit layouts can reduce the required qubits or runtime. Algorithm progress is part of the threat curve.

Industrial operations

The machine must work as an engineered system: stable power, cooling or trapping, automated calibration, fault diagnosis, monitoring, and a workforce capable of running it.

Expected timeline and development path

No one can responsibly give a single date for RSA-2048. The right approach is scenario planning with triggers.

Aggressive scenario

If error correction, qubit scale, and factoring-circuit optimization continue improving rapidly, some organizations now plan PQC migration as if major risk could arrive in the 2030s.

Base planning scenario

Many risk programs use the 2030s to 2040s as the serious planning window because migration itself can take 10 to 20 years across large organizations.

Conservative scenario

If scaling overheads, control systems, or logical error rates stall, practical RSA-2048 attacks may remain beyond the 2040s. QRI still treats delay as uncertain, not safety.

What this means in real life

A practical RSA-2048 break would be visible in ordinary life because RSA has been woven into trust systems for decades.

Secure websites

TLS ecosystems would already need PQC in place. Any remaining RSA-based trust path would be a serious risk.

VPNs and remote access

Enterprise remote-access systems using vulnerable public-key exchange would need urgent replacement.

Software updates

Signature systems relying on vulnerable algorithms could allow forged updates if not migrated.

Legal documents

Old digital signatures could lose evidentiary strength if keys can be reconstructed.

Email and messaging

Messages protected by public-key encryption could be exposed if harvested and stored.

Critical infrastructure

Utilities, transportation, and industrial systems with long upgrade cycles would face acute migration pressure.

Bitcoin relevance

RSA-2048 is not the Bitcoin signature algorithm. A quantum RSA-2048 break does not automatically steal Bitcoin.

It would, however, demonstrate a level of fault-tolerant quantum capability that makes serious elliptic-curve attacks much more plausible. Bitcoin would need an active, tested, broadly adopted quantum-safe migration path before this point.

Signals QRI would look for

  • A public RSA-2048 factorization in days or weeks
  • Independent verification and peer-reviewed resource accounting
  • Large fault-tolerant systems with transparent logical qubit metrics
  • Emergency acceleration of PQC mandates by governments and major cloud providers
  • Updated ECC and Bitcoin-specific attack estimates

Sources and framing

QRI treats these dates as planning ranges, not predictions. The references below inform the article series: NIST has finalized practical PQC standards, NIST NCCoE emphasizes inventory and migration planning, NSA/CNSA guidance says planning and budgeting should happen now, and Google has published both an accelerated PQC migration target and updated factoring-resource estimates.