←back to thread

Why haven't quantum computers factored 21 yet?

(algassert.com)
335 points ingve | 3 comments | 31 Aug 25 12:14 UTC | HN request time: 0.001s | source
Show context
owlbite ◴[31 Aug 25 14:08 UTC] No.45083253[source]
So how many gates are we talking to factor some "cryptographically useful" number? Is there some pathway that makes quantum computers useful this century?
replies(9): >>45083492 #>>45083705 #>>45084166 #>>45084245 #>>45084350 #>>45084520 #>>45085615 #>>45085735 #>>45088593 #
Strilanc ◴[31 Aug 25 18:37 UTC] No.45085735[source]
> So how many gates are we talking to factor some "cryptographically useful" number?

Table 5 of [1] estimates 7 billion Toffoli gates to factor 2048 bit RSA integers.

> Is there some pathway that makes quantum computers useful this century?

The pathway to doing billions of gates is quantum error correction. [1] estimates distance 25 surface codes would be sufficient for those 7 billion gates (given the physical assumptions it lists). This amplifies the qubit count from 1400 logical qubits to a million physical noisy qubits.

Samuel Jacques had a pretty good talk at PQCrypto this year, and he speculates about timelines in it [2].

(I'm the author of this blog post and of [1].)

[1]: https://arxiv.org/pdf/2505.15917

[2]: https://www.youtube.com/watch?v=nJxENYdsB6c

replies(5): >>45086449 #>>45087996 #>>45088391 #>>45089529 #>>45101520 #
1. rendaw ◴[01 Sep 25 04:42 UTC] No.45089529[source]
Is there a qubit-speed tradeoff, where you could factor 2048 bit RSA integers with fewer qubits but it would take more time? Or is it all or nothing?
replies(2): >>45092883 #>>45118844 #
2. adgjlsfhk1 ◴[01 Sep 25 14:21 UTC] No.45092883[source]
there is a trade-off, but it doesn't help too much because of you take more time, you need more error correction which takes more qbits. the best trade-off probably comes from dropping the error correction to the point where you go from 99% reliability to 1% reliability. doing so will increase your rsa factor time from ~1 week to ~1 year and probably saves you ~an order of magnitude in qbits

The big thing that could change the numbers is more reliable qbits. Most of the calculations so far are done with qbits right at the edge of where error correction works (about 5x better than current qbits). if you get another 10x in qbit quality you probably drop the required qbits by ~100-1000x.

3. Strilanc ◴[03 Sep 25 18:15 UTC] No.45118844[source]
Realistic Shor circuits have depth polynomial in n, but you can easily construct ones whose depth is polylogarithmic in n. Just do the multiplications as a binary tree instead of in a linear order, using log depth multiplication circuits, and then do the frequency basis measurement using a low depth QFT [1]. The only part that isn't known to be doable in polylog depth is the classical GCD computation hiding in the classical postprocessing, to find the closest fraction to get the period.

The result is that, if you keep adding qubits that can be operated on in parallel, Shor's algorithm basically just keeps getting faster and faster and faster. The energy cost doesn't go down, and the number of qubits required becomes frankly absurd, but the time can go really really low.

1: https://arxiv.org/abs/quant-ph/0006004