How to factor 2048 bit RSA integers with less than a million noisy qubits

Craig Gidney

TL;DR

The paper investigates quantum factoring of RSA-2048 under fault-tolerant assumptions and demonstrates how to dramatically reduce the required physical qubits by leveraging approximate residue arithmetic, yoked surface-code storage for idle qubits, and magic-state cultivation. It refines the CFS approach with approximate modular arithmetic and Ekerå–Håstad period finding, complemented by extensive arithmetic optimizations to achieve a practical quantum factoring cost. The author presents concrete parameter sets yielding under a million physical qubits and a runtime of roughly a week, with a Toffoli count on the order of $6.5\times 10^9$, and provides detailed cost breakdowns across logical and physical layers. These results offer a concrete signpost for quantum factoring capabilities and inform timelines for deploying post-quantum cryptography.

Abstract

Planning the transition to quantum-safe cryptosystems requires understanding the cost of quantum attacks on vulnerable cryptosystems. In Gidney+Ekerå 2019, I co-published an estimate stating that 2048 bit RSA integers could be factored in eight hours by a quantum computer with 20 million noisy qubits. In this paper, I substantially reduce the number of qubits required. I estimate that a 2048 bit RSA integer could be factored in less than a week by a quantum computer with less than a million noisy qubits. I make the same assumptions as in 2019: a square grid of qubits with nearest neighbor connections, a uniform gate error rate of $0.1\%$, a surface code cycle time of 1 microsecond, and a control system reaction time of $10$ microseconds. The qubit count reduction comes mainly from using approximate residue arithmetic (Chevignard+Fouque+Schrottenloher 2024), from storing idle logical qubits with yoked surface codes (Gidney+Newman+Brooks+Jones 2023), and from allocating less space to magic state distillation by using magic state cultivation (Gidney+Shutty+Jones 2024). The longer runtime is mainly due to performing more Toffoli gates and using fewer magic state factories compared to Gidney+Ekerå 2019. That said, I reduce the Toffoli count by over 100x compared to Chevignard+Fouque+Schrottenloher 2024.

Paper Structure

This paper contains 17 sections, 60 equations, 15 figures, 6 tables.

Figures (15)

  • Figure 1: Historical estimates, with comparable physical assumptions, of the physical qubit cost of factoring 2048 bit RSA integers. Includes overheads from fault tolerance, routing, and distillation. Results are from Jones2012, fowler2012surfacecodereview, OGorman2017, gheorghiu2019cryptanalysis, and gidney2021factor. Results such as VANMETER2010 and litinski2022activearchitecture aren't included because they target substantially different assumptions or cost models.
  • Figure 2: Pareto frontiers achieved by this paper for the Toffoli and logical qubit cost of factoring $n$ bit RSA integers, for various values of $n$. This paper uses notably fewer logical qubits than gidney2021factor (points labeled "GE21") and notably fewer Toffolis than chevignard2024reducing (points labeled "CFS24").
  • Figure 3: Example Python code that approximates $\widetilde{V} \approx g^e \bmod N$ given a choice of $P$ and $f$. Registers that would store quantum values during the quantum factoring are prefixed with "Q_". All would-be-quantum registers are of size $O(\log \log N)$, except the input register Q_e. For simplicity, this code omits optimizations (like windowing) and crucial quantum details (like uncomputation). See \ref{app:python} for more detailed code.
  • Figure 4: A small-scale example of how masking affects period finding. Left: a pre-measurement state, with white meaning zero amplitude and black meaning equal non-zero amplitude. Top right: probability of measuring different values of the output register. Masking has smoothed the distribution to be nearly uniform. Bottom right: probability of measuring different frequency peaks of the input register. Appears uniform (instead of spiky) because the frequencies are computed modulo the period P. Without masking, the bottom right distribution would be exactly uniform. With masking, the zeroth frequency is substantially more likely due to constructive interference from the masking. Certain frequencies are also less likely.
  • Figure 5: Suppression of success rate due to the use of superposition masking, estimated by Monte Carlo sampling. Error bars are computed by separately computing likelihoods for the masked samples and the unmasked samples, finding the respective high/low hypothesis probabilities that have a likelihood within 100x of the max likelihood hypothesis given the sampled data, and then making the smallest/largest ratios possible with those high and low values.
  • ...and 10 more figures