←back to thread

Why haven't quantum computers factored 21 yet?

(algassert.com)
335 points ingve | 1 comments | 31 Aug 25 12:14 UTC | HN request time: 0s | source
Show context
owlbite ◴[31 Aug 25 14:08 UTC] No.45083253[source]
So how many gates are we talking to factor some "cryptographically useful" number? Is there some pathway that makes quantum computers useful this century?
replies(9): >>45083492 #>>45083705 #>>45084166 #>>45084245 #>>45084350 #>>45084520 #>>45085615 #>>45085735 #>>45088593 #
Strilanc ◴[31 Aug 25 18:37 UTC] No.45085735[source]
> So how many gates are we talking to factor some "cryptographically useful" number?

Table 5 of [1] estimates 7 billion Toffoli gates to factor 2048 bit RSA integers.

> Is there some pathway that makes quantum computers useful this century?

The pathway to doing billions of gates is quantum error correction. [1] estimates distance 25 surface codes would be sufficient for those 7 billion gates (given the physical assumptions it lists). This amplifies the qubit count from 1400 logical qubits to a million physical noisy qubits.

Samuel Jacques had a pretty good talk at PQCrypto this year, and he speculates about timelines in it [2].

(I'm the author of this blog post and of [1].)

[1]: https://arxiv.org/pdf/2505.15917

[2]: https://www.youtube.com/watch?v=nJxENYdsB6c

replies(5): >>45086449 #>>45087996 #>>45088391 #>>45089529 #>>45101520 #
rendaw ◴[01 Sep 25 04:42 UTC] No.45089529[source]
Is there a qubit-speed tradeoff, where you could factor 2048 bit RSA integers with fewer qubits but it would take more time? Or is it all or nothing?
replies(2): >>45092883 #>>45118844 #
1. adgjlsfhk1 ◴[01 Sep 25 14:21 UTC] No.45092883{3}[source]
there is a trade-off, but it doesn't help too much because of you take more time, you need more error correction which takes more qbits. the best trade-off probably comes from dropping the error correction to the point where you go from 99% reliability to 1% reliability. doing so will increase your rsa factor time from ~1 week to ~1 year and probably saves you ~an order of magnitude in qbits

The big thing that could change the numbers is more reliable qbits. Most of the calculations so far are done with qbits right at the edge of where error correction works (about 5x better than current qbits). if you get another 10x in qbit quality you probably drop the required qbits by ~100-1000x.