QRI Research Note
When Quantum Can Break RSA-2048
Quantum Threat Level 70
The classic cryptographically relevant quantum computer milestone
RSA-2048 is one of the central targets in quantum-risk planning. A machine that can factor RSA-2048 in a practical timeframe would be a cryptographically relevant quantum computer for a major part of today public-key infrastructure.
This is the milestone that turns long-term PQC migration from prudent planning into proof that old public-key cryptography has failed for a modern target.
What this level means
RSA-2048 protects or has protected an enormous amount of digital infrastructure: certificates, VPNs, enterprise systems, identity systems, document signatures, and more. Many systems are already moving away from RSA for performance and architectural reasons, but RSA-2048 remains an iconic benchmark for quantum threat analysis.
Recent resource estimates have fallen substantially over time. Google Research published a 2025 estimate showing RSA-2048 factoring in less than a week using less than one million noisy qubits under specific assumptions. That does not mean such a machine exists today; it means the engineering target has become more concrete.
What technology needs to be developed to get here
RSA-2048 requires a full-stack fault-tolerant quantum computer with enough scale, speed, and reliability to finish a huge arithmetic computation. Every layer of the system matters.
Depending on architecture and assumptions, the physical qubit requirement could range widely. The important point is that a cryptographic machine needs large numbers of high-quality physical qubits organized into logical qubits.
A single high-level computation contains many operations. The logical error budget must be low enough that the total chance of failure remains acceptable.
The runtime depends heavily on how quickly error-correction cycles can run. Slower cycle times can turn a theoretically possible attack into an impractical one.
Large arithmetic circuits need vast non-Clifford resources. Efficient cultivation, distillation, factory layout, and scheduling can determine whether the attack is feasible.
Better arithmetic, lower Toffoli counts, improved residue methods, and smarter circuit layouts can reduce the required qubits or runtime. Algorithm progress is part of the threat curve.
The machine must work as an engineered system: stable power, cooling or trapping, automated calibration, fault diagnosis, monitoring, and a workforce capable of running it.
Expected timeline and development path
No one can responsibly give a single date for RSA-2048. The right approach is scenario planning with triggers.
If error correction, qubit scale, and factoring-circuit optimization continue improving rapidly, some organizations now plan PQC migration as if major risk could arrive in the 2030s.
Many risk programs use the 2030s to 2040s as the serious planning window because migration itself can take 10 to 20 years across large organizations.
If scaling overheads, control systems, or logical error rates stall, practical RSA-2048 attacks may remain beyond the 2040s. QRI still treats delay as uncertain, not safety.
What this means in real life
A practical RSA-2048 break would be visible in ordinary life because RSA has been woven into trust systems for decades.
TLS ecosystems would already need PQC in place. Any remaining RSA-based trust path would be a serious risk.
Enterprise remote-access systems using vulnerable public-key exchange would need urgent replacement.
Signature systems relying on vulnerable algorithms could allow forged updates if not migrated.
Old digital signatures could lose evidentiary strength if keys can be reconstructed.
Messages protected by public-key encryption could be exposed if harvested and stored.
Utilities, transportation, and industrial systems with long upgrade cycles would face acute migration pressure.
Bitcoin relevance
RSA-2048 is not the Bitcoin signature algorithm. A quantum RSA-2048 break does not automatically steal Bitcoin.
It would, however, demonstrate a level of fault-tolerant quantum capability that makes serious elliptic-curve attacks much more plausible. Bitcoin would need an active, tested, broadly adopted quantum-safe migration path before this point.
Signals QRI would look for
- A public RSA-2048 factorization in days or weeks
- Independent verification and peer-reviewed resource accounting
- Large fault-tolerant systems with transparent logical qubit metrics
- Emergency acceleration of PQC mandates by governments and major cloud providers
- Updated ECC and Bitcoin-specific attack estimates
Sources and framing
QRI treats these dates as planning ranges, not predictions. The references below inform the article series: NIST has finalized practical PQC standards, NIST NCCoE emphasizes inventory and migration planning, NSA/CNSA guidance says planning and budgeting should happen now, and Google has published both an accelerated PQC migration target and updated factoring-resource estimates.