When Will Quantum Computers Break RSA? Sooner Than You Think

Published 2026-04-14 · 9 min read · QVS Blog

The honest answer to "when will quantum computers break RSA" is: nobody knows precisely, and that's the problem. The expert consensus has shifted dramatically in the last 24 months — from "probably 2040, maybe never" in 2020 to "probably 2030-2035, possibly earlier" in 2026. The shift wasn't caused by one big announcement. It was caused by steady, compounding progress in three areas: physical qubit count, error correction, and algorithmic improvements that reduce the qubits needed to break RSA in the first place.

This article walks through what's actually required to break RSA-2048 with a quantum computer, where the field stands today, what the credible 2030 forecasts are based on, and why the planning horizon for cryptographic migration is now urgent rather than aspirational.

Where does your stack stand?

RSA-2048 is the current backbone of internet PKI. If your TLS certificates use it (most do), you have a clear migration target. Run a free QVS scan to see your exposure.

Scan now →

What it takes to break RSA-2048

Peter Shor's 1994 algorithm shows that factoring a 2048-bit integer takes polynomial time on a quantum computer. The exact resource cost depends on the implementation. The most influential modern estimate comes from Craig Gidney and Martin Ekerå's 2021 paper, "How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits." That title is a useful framing but also misleading — let's unpack it:

20 million physical qubits. Today's largest quantum systems have around 1,000-5,000 physical qubits. Twenty million is a long way off.
Noisy qubits. The estimate assumes superconducting qubits with ~10⁻³ error rates — typical of what's been demonstrated.
8 hours. That's the runtime on the hypothetical machine. It's not "instant", but it's also not 1000 years.

The 20 million number is what you get when you wrap noisy physical qubits in error-correcting codes to produce reliable logical qubits. The actual logical qubit count needed for RSA-2048 is roughly 4,000. The 5,000-to-1 ratio between physical and logical qubits is the dominant cost — and it's the area where the most rapid progress is happening right now.

The three trends that are accelerating the timeline

1. Physical qubit count is growing fast

Year	Largest reported quantum processor	Vendor
2019	53 qubits (Sycamore)	Google
2021	127 qubits (Eagle)	IBM
2022	433 qubits (Osprey)	IBM
2023	1,121 qubits (Condor)	IBM
2024	1,180 qubits (Heron R2)	IBM
2025	~5,000 qubits (announced roadmaps)	IBM, IonQ, PsiQuantum

The qubit count is roughly doubling every 18-24 months. If that trend continues — and there's no clear physical reason it shouldn't, given continued investment — the path to 20 million qubits is real, even if it takes longer than the trendline suggests due to engineering challenges at scale.

But raw qubit count isn't the bottleneck anymore. Error rates and connectivity are.

2. Error correction is improving

The 5,000:1 physical-to-logical qubit ratio assumes today's error rates (~10⁻³). If error rates improve to 10⁻⁴, the ratio drops dramatically — perhaps to 1,000:1 or better. That changes the RSA-2048 break threshold from 20 million physical qubits to something like 4 million.

Several recent developments are pushing this:

Surface code improvements. Google's 2024 demonstration of a "below threshold" surface code patch showed that error correction can actually improve as you add more physical qubits — the long-promised crossover point that makes fault-tolerant computing feasible.
Qubit quality improvements. IBM's Heron processors have demonstrated 2-qubit gate fidelities above 99.9% — orders of magnitude better than 2019 hardware.
Alternative qubit types. Trapped ions (IonQ, Quantinuum) and neutral atoms (QuEra, Pasqal, Atom Computing) have intrinsically lower error rates than superconducting qubits, with 1,000+ qubit systems demonstrated by 2024-2025.

3. Algorithmic improvements reduce the qubits needed

Less famous but equally important: the algorithmic resources needed to factor RSA are themselves shrinking. The original Shor's algorithm needed roughly 4,096 logical qubits for RSA-2048. Modern variants with optimizations (Beauregard 2002, Häner-Roetteler-Svore 2017, Gidney-Ekerå 2021) bring this down to ~4,000 with better runtime. More recent papers are exploring even more aggressive reductions.

In late 2024, a Chinese research group claimed (controversially) to have factored a 50-bit RSA integer using a 372-qubit annealer with hybrid quantum-classical algorithms. The paper is disputed in detail, but the larger point stands: people are actively looking for shortcuts, and shortcuts have been found before in cryptographic history.

What the experts are actually saying

The current landscape of expert forecasts:

Global Risk Institute Quantum Threat Timeline 2024 report: Surveyed 47 quantum computing experts. Median estimate: 30% probability of a cryptographically relevant quantum computer (CRQC) by 2034. 50% probability by 2039. Five years ago the same survey put 50% probability at 2050+.
NSA / NIST framing: Both organizations explicitly cite 2030-2035 as the planning horizon. CNSA 2.0 mandates full PQC migration by 2030 — this is a planning decision, not a prediction, but it reflects the assessed risk window.
NSA Director Paul Nakasone (2023): "Adversaries are stockpiling encrypted data now in the expectation that quantum computers will allow them to decrypt it later." This was a public acknowledgment of the harvest-now-decrypt-later threat being treated as operational, not theoretical.
IBM's published roadmap: Targets a 100,000-qubit system by 2033. With improving error correction, this is in the range needed for RSA-relevant computation.
Cloudflare's 2024 PQC deployment rationale: "We are deploying post-quantum cryptography now because we believe it will be needed within the lifetime of the data we are currently protecting."

The convergence is striking. Researchers who built quantum computers, regulators who set cryptographic standards, intelligence agencies that consume cryptography, and operators who deploy cryptography at scale — all of them are planning around a 2030-2035 window. When the people most informed about both the offensive capability and the defensive cost are aligned on a timeline, that timeline is the one to plan against.

Why your migration timeline matters even if RSA doesn't break until 2040

Even in the optimistic scenario where RSA-2048 isn't actually broken until the 2040s, the deadlines you should be planning against are much earlier. Three reasons:

Harvest now, decrypt later

An attacker capturing your encrypted traffic today can decrypt it whenever the quantum computer arrives — 2032, 2038, 2045, doesn't matter. If the data has any confidentiality value beyond that point (medical records, financial information, intellectual property, source code, government communications, biometric data), you are already exposed. The only defense is to stop using quantum-vulnerable algorithms before the data has long-term value.

Migration is a 4-year project

Realistic enterprise PQC migration takes 36-48 months: discovery and inventory (6-9 months), pilot deployments (12 months), rollout to production (12-18 months), validation and exception handling (6 months). If you start in 2026 and target completion in 2030, you're on a comfortable timeline. If you wait until 2028 hoping the threat doesn't materialize, you'll be doing the same work in 18 months under regulatory pressure — which is much more expensive and much more likely to introduce mistakes.

The disclosure event is sudden

Cryptographic breaks don't unfold gradually. The history is clear: MD5 collision attacks went from theoretical to practical to deployed in malware over about 18 months in 2008. SHA-1 went from "weak" to "broken" with the SHAttered attack in 2017, and Microsoft/Google deprecated trust in SHA-1 certs within months. When (not if) the first practical demonstration of breaking RSA-2048 lands, the time window between "possible" and "everyone is being attacked" will be measured in months, not years. Anyone not already in late-stage migration will be in crisis mode.

The bottom line

The honest answer to "when will quantum computers break RSA" is: somewhere between 2030 and 2040, with substantial probability mass at the early end of that range. The expert consensus has been moving earlier every year for the last decade, the standards bodies have set 2030 as the binding deadline, and major operators are already migrating in production.

But the actual question your team should be answering isn't "when will it happen" — it's "when do we need to be done migrating." And the answer to that is dictated less by the quantum hardware timeline than by:

Your regulatory exposure (NIST IR 8547, CNSA 2.0, PCI DSS 4.0, NIS2, DORA — all targeting 2030 or earlier).
Your data confidentiality requirements (anything sensitive beyond 5 years is at HNDL risk now).
Your migration capacity (4 years from start to finish for a typical enterprise stack).

Combining those three factors, the practical answer is: start now, target completion by end of 2029. If RSA isn't broken until 2040, you'll have moved early at moderate cost. If it's broken in 2031, you'll be one of the few organizations that aren't scrambling. Either way, the cost-of-being-early is much lower than the cost-of-being-late.

Start with a baseline. Find out which of your systems are using RSA, ECDSA, or ECDHE today. The migration plan starts there.

Get your RSA exposure baseline

QVS scans your TLS endpoints and identifies every quantum-vulnerable algorithm in use, including RSA key sizes, ECDSA curves, and ECDHE key exchange. Free, no signup, 30 seconds.

Scan your stack →