Behind the news - is a cryptographically relevant quantum computer getting closer or further away?
Lots of recent headlines, but what does it really mean?
The first three months of 2026 have seen a flurry of stories about potential advances towards the capability, plus at least one saying it might never happen. In a previous article I discussed at a high level what this tells us and the conclusions that business and security leaders can draw. In this article I’ll go through some of the specific articles and papers that have driven recent headlines.
As quantum computing technology advances and awareness grows, so does the potential threat it can pose to some of the encryption we rely upon for our cyber security. We know this is a long-term strategic risk that requires appropriate management and mitigation. However, the timescale for the threat is uncertain.
To provide some context, the main encryption methods that are widely used today that are potentially vulnerable to attack by a quantum computer are RSA and elliptic curve cryptography (ECC).
RSA is the most widely used, and the standard strength today is a 2048-bit key - or RSA2048. RSA2048 is the most well studied from a quantum vulnerability point of view, so most benchmarks have focussed on this. At the start of the year, the state of the art was generally considered to be a 2025 paper by Gidney that estimated around 1m qubits were needed to break RSA2048, with a runtime of about a week to calculate a single private key. If you wanted a faster runtime, Gidney and Ekerå estimated a few years earlier that a system with 20m qubits could do that calculation in about 8 hours.
ECC has become more popular in recent years, especially because it provides smaller keys and certificates for what is thought to be a similar level of security against a conventional computer attack. 256-bit, or ECC256 is the normal standard used today. It is expected that ECC may be easier to break using a quantum computer because of the shorter key lengths, however.
Note: this article is longer than usual. If you’re pressed for time, see the summary and takeaways at the end - though you’ll miss the deep dives into each paper.
Recent progress?
In the first quarter of 2026, there have been various advances touted regarding the estimates of the time and number of qubits required to break certain types of modern commonly used encryption. Firstly, it’s important to note these are all theoretical papers. The authors may have run some example small scale circuits on current hardware and extrapolated results from there, but no-one has come close to running anything at the predicted scale required to break modern encryption.
Also, all of these have been a combination of a press release and a “preprint”. Preprints normally go through a peer-review process before being officially published - so the theoretical reasoning has not yet been validated. However, even if the theory turns out to be all correct, they all involve making trade-offs about the different aspects of a quantum computer that would be relevant to breaking modern encryption. Headlines may tout ever lower numbers of qubits needed, but this doesn’t necessarily mean the systems will be easier to make or be practically usable. The nature of these trade-offs becomes clear if we consider the recent announcements in turn.
Note that I have no commercial interest in any of these companies or their competitors, so I’ll give you my honest opinion!
“Pinnacle paper”
This was published in February by a new company called Emergence Quantum set up in Australia. While they don’t make quantum computing hardware, their selling point is the ability to help in the software, control, and algorithms. The paper was announced at the same time as their funding raise, which probably wasn’t a coincidence.
It claimed to be able to improve on the Gidney 2025 estimate by an order of magnitude, requiring “only” 100,000 qubits to crack RSA2048. This relies on a new “pinnacle” architecture that they propose for quantum computers. The catch is that it requires the ability to manufacture these qubits with much more connectivity. Gidney assumed each qubit was only connected to its four nearest neighbours (think of points on a square grid), whereas this proposed architecture needed each qubit to be potentially connected to ten other qubits. It also assumed the existence of “quantum memories” that can store intermediate results during the calculation in a stable way, which no-one has managed to create yet. It’s therefore far from obvious that it will be easier to make 100,000 such qubits than making the 1,000,000 that Gidney assumed.
There is also a catch on the runtime required - the time taken to calculate a single private key increases from a week to around a month. And this assumes that the quantum computer can still run at the same clock speed that Gidney assumed. The Pinnacle architecture includes a complex new error-correcting method, which means there will be a need to do more calculations to detect and correct errors between each step of the main algorithm. Depending on how fast these calculations can be done, there may be a need to slow down the quantum computational clock cycle.
Despite this, many people fell for the press release and catchy headline. Even New Scientist, a publication that we might expect to know better, led with “Breaking encryption with a quantum computer just got 10 times easier.” However, as we can see, they swapped the difficulty of making 10 times more qubits for a runtime that was 4 times longer, even if one can address the challenges of connectivity, manufacturing and the speed required for error correction calculations.
The “JVG algorithm”
Not to be outdone, later that month three researchers released a paper titled “A Novel Hybrid Quantum Circuit for Integer Factorization: End-to-End Evaluation in Simulation and Real Quantum Hardware” that introduced a new “JVG algorithm” (imaginatively named after their own initials). It was accompanied by a press release from the (apparently recently formed) Advanced Quantum Technologies Institute (AQTI) that claimed “The JVG algorithm requires thousand-fold less quantum computer resources, such as qubits and quantum gates. Research extrapolations suggest it will require less than 5,000 qubits to break encryption methods used in RSA and ECC.”
However, if you read the paper, it’s not clear where the figure of 5,000 even comes from. The paper makes some vague claims of needing “few thousand” qubits and 11 hours runtime for RSA2048 by extrapolating some results on problems that are more than 10x smaller.
To give them fair due, they took a valid and interesting approach - looking at a hybrid approach, asking which parts of the calculation are more efficient on a quantum computer, and which might be faster if run on a conventional computer. By offloading some intensive parts of Shor’s algorithm to a conventional computer, they were able to significantly reduce resources and runtimes compared to running the whole thing on today’s NISQ computers.
However, the problem is that trying to extrapolate measured performance on very small problems to much larger ones may miss parts of the problem that scale very badly. The picture below shows a toy example where the green line is a slower (what we call polynomial) scaling and the orange one scales rapidly (exponentially). Extrapolating from small values we might think the orange one is going to always be much quicker, but not realise how it grows rapidly beyond a certain size of problem, and hence the green one is actually better for larger problems.

And that is the problem. Scott Aaronson is normally a calm voice in this field, but he was moved to announce in his blog “the JVG algorithm is crap”. As he shows, a cursory inspection of their method shows that the part they are doing on a conventional computer is likely to scale exponentially with the key size - the very reason why we need quantum computers for this sort of code-breaking, to avoid such exponential scaling.
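The extrapolation pitfall described above can be reproduced numerically. The following Python sketch is an added example, not taken from the article or the JVG paper; the two cost functions, their constants and the sample sizes are constructed assumptions chosen only to show the effect.

```python
import math

# Constructed cost models in arbitrary units, not figures from any paper.
def poly_cost(bits):
    """Polynomial method: large constant factor, cubic growth."""
    return 5000.0 * bits ** 3

def exp_cost(bits):
    """Exponential method: tiny constant factor, doubles every 4 bits."""
    return 2.0 ** (bits / 4)

def fit_power_law(sizes, costs):
    """Least-squares fit of cost = a * bits**k on log-log axes."""
    xs = [math.log(s) for s in sizes]
    ys = [math.log(c) for c in costs]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    k = sxy / sxx
    return math.exp(my - k * mx), k

def crossover(limit=4096):
    """Smallest key size at which the exponential method costs more."""
    for bits in range(1, limit + 1):
        if exp_cost(bits) > poly_cost(bits):
            return bits
    return None

def extrapolation_error(target_bits=2048, sizes=(8, 12, 16, 20, 24, 28, 32)):
    """Measure the exponential method only at small sizes, fit a power law,
    and compare the extrapolated cost at target_bits with the true cost."""
    a, k = fit_power_law(sizes, [exp_cost(s) for s in sizes])
    predicted = a * target_bits ** k
    actual = exp_cost(target_bits)
    return {
        "fitted_exponent": k,
        "predicted": predicted,
        "actual": actual,
        "orders_of_magnitude_off": math.log10(actual / predicted),
    }

if __name__ == "__main__":
    result = extrapolation_error()
    print("exponential method looks like bits^%.2f on small inputs"
          % result["fitted_exponent"])
    print("extrapolated cost at 2048 bits: %.3g" % result["predicted"])
    print("polynomial method at 2048 bits: %.3g" % poly_cost(2048))
    print("true exponential cost at 2048:  %.3g" % result["actual"])
    print("exponential method becomes the dearer one at", crossover(), "bits")
```

On the small inputs the exponential method is cheaper at every measured size and its samples fit a roughly cubic curve, so the extrapolation suggests it beats the polynomial method at 2048 bits when its true cost is larger by well over a hundred orders of magnitude.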
Although there was plenty of social media punditry and the occasional trade press headline that fell for the clickbait press release, generally this one is getting less credibility, and doesn’t seem to be being seriously considered.
Oratomic paper
More recently, a group of researchers released a paper which claimed “Shor’s algorithm is possible with as few as 10,000 reconfigurable atomic qubits”. Most of the researchers were associated with a new quantum computing hardware startup called Oratomic, which unsurprisingly plans to make reconfigurable atomic qubits. The publication of the paper was linked to the startup coming out of stealth mode, which is unlikely to be a coincidence.
The most obvious trade-off that this approach used for the reduced qubit count is massively increased runtime. The headline figure of “10,000 qubits” was for elliptic curve cryptography, and meant a runtime of 264 days to calculate a single private key. This is unlikely to be worthwhile except for a very small number of very high value targets. For RSA2048, around 11,000 qubits led to a runtime of probably several years - definitely of no practical use. Bringing this down to 10 days is predicted to require around 100,000 qubits - so similar to the Pinnacle paper.
This Oratomic paper also relied on assumptions of new hardware architectures to be able to individually control thousands of atomic qubits, and a high degree of connectivity between them that can be reconfigured as required. Similar to the Pinnacle paper, it also appears to rely on as yet unproven “quantum memory” to store intermediate states. Such an architecture could be possible using atomic qubits, although the authors even note in the abstract of the paper that there are “significant engineering challenges” to building such hardware. Presumably these are the sort of challenges that Oratomic has been set up to address. They do seem to have a number of well-respected experts onboard, so could have the potential to get there in the end.
However, they also seem to be playing the marketing game. The abstract also mischievously notes that there has been recent work on “trapping” 6,000 atomic qubits. Once again, the New Scientist headline writers fell for the bait, claiming “The first quantum computer to break encryption is now shockingly close”. Perhaps they missed the bit that said so far actual computation had only been achieved on an array of a few hundred qubits?
In my view, the overall conclusion from this paper is therefore similar to the Emergence paper - if we can manufacture more complex qubit structures, and be able to implement complex error correction schemes fast enough, then we could maybe get a cryptographically relevant quantum computer with 100,000 qubits. There is also an important insight that elliptic curve cryptography will be easier for a quantum computer to break than RSA.
Google’s paper
On the same day as the Oratomic paper, there was also a paper from Google’s Quantum AI division. This showed that the specific form of elliptic curve cryptography used in Bitcoin could potentially be broken in around 20 minutes of runtime. However, this is predicted to require 500,000 qubits, with similar hardware assumptions to last year’s estimates from Gidney. Whether going from today’s NISQ computers to 500,000 or 1 million qubits, this is still a massive challenge - in hardware manufacturing, control electronics, calculating and correcting errors at scale and more.
However, if the proposed algorithm works, being able to recover a private key with around 20 minutes of runtime could actually make such a device practically useful for someone trying to attack certain aspects of the cryptocurrency ecosystem that depend on such cryptography. It is important to note, however, that the core Bitcoin hashing algorithm and related Bitcoin mining is unaffected - the attacks are on how people secure their wallets.
It is notable that this paper does reference the Pinnacle architecture discussed above, but essentially says they decided to focus on the architectures that Gidney proposed. This is because they decided it was probably going to be easier to make 500,000 qubits using that architecture than trying to make 100,000 qubits in the Pinnacle architecture.
This paper focusses specifically on breaking elliptic curve cryptography as used in Bitcoin and other cryptocurrencies. In fact, the title is “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations”. Out of a 57-page paper, only 3 pages are devoted to the discussion of the resource estimates for a quantum attack on cryptography; the rest of the paper is a general discussion on where cryptocurrencies are and aren’t vulnerable to quantum attacks in general, and potential mitigations.
They note that their estimates only apply to the specific elliptic curve used in Bitcoin and other cryptocurrencies. This is different from the ones used for other applications such as securing web browser sessions. Insufficient detail is given on the method to be able to understand how easy it might be to adapt to other types.
This lack of detail is an unusual feature of this paper. Although they present various results they have derived for what a quantum computer would need to break certain types of encryption, they don’t actually provide their proposed algorithm, instead using something called a “zero knowledge proof” that they have such an algorithm. It is claimed that this is a “responsible disclosure” approach, i.e. they don’t want to reveal something that could be used by an attacker.
In cybersecurity, “responsible disclosure” is normally only used to justify secrecy when there is an imminent threat. Another part of Google, Project Zero, has a responsible disclosure policy where they wait 90 days from finding a vulnerability and reporting it to the responsible party and then actually publish the details. No-one is expecting an attacker to be able to use this proposed algorithm for several years. Therefore I find it difficult to understand the secrecy - and might cynically wonder whether it all just helps add to the drama and potential publicity?
Q-CTRL’s contribution to the discussion
Just when I thought it was safe to finalise this article and publish it, along came another preprint from Q-CTRL, claiming their own advances in reducing the size of a quantum computer needed to break modern encryption.
Again, it proposes a different hardware architecture that could allow a reduction in the number of qubits required, the trade-off being the challenges of being able to build this new architecture. The innovations proposed by Q-CTRL concern the overall architecture of the building blocks of a quantum processor rather than the individual qubits within the blocks. In particular, the authors noted that in the traditional implementation of Shor’s algorithm, many of the qubits are doing nothing except storing some quantum states while operations take place on other qubits. This led them to propose separating out a quantum processing block from a quantum memory block, although this does rely on being able to create a high-capacity “quantum bus” that can move quantum states back and forth between these blocks.
As an interesting aside, this architecture also provides a potential to use different types of qubits in each section. I’ve previously noted that no-one really knows the best type of qubit, but there may be one type well-suited to the processing operations, and one well suited to the memory block.
To summarise their results, from calculations and simulations they have estimated that breaking RSA2048 will need around 400,000 qubits, with a runtime of 5-10 days depending on the degree of modularisation and specialisation of the quantum blocks. These results assume simple qubit connectivity similar to the Gidney paper, but do depend on being able to build an architecture with the required “quantum bus” that doesn’t constrain the overall system speed and performance. They have considered how this approach could be combined with the Emergence approach, which leads to estimates of around 190,000 qubits with a runtime of 10 days.
To summarise….
All these papers suggest potential approaches that could reduce the size of quantum computer that is needed to break commonly used modern encryption - but at the expense of other trade-offs such as runtime and complexity of architecture. The table below summarises the key points.
Overall, I don’t think any of these recent papers meaningfully change the likely date at which there will be widespread capability to break RSA2048. They provide more options for how we get there, and hence increase the chances that we will, eventually. They do seem to show an important insight, however - ECC256 may be much more vulnerable than RSA2048, whereas previously this has been a matter of debate. If the runtimes are faster to break ECC256 and/or it can be done with smaller numbers of qubits, then attackers with a quantum computer are likely to attack such systems first.
One step forward and two steps back?
While there have been various papers that claim advances in quantum computers being able to crack encryption, all with a fair degree of hype around them, another notable publication in the last few weeks was what I’ve termed “anti-hype”. A recent article has suggested that quantum computers may never actually be able to break modern day encryption, by proposing a theory of “rational quantum mechanics”. Unlike the above papers, this one has actually been peer-reviewed and published in a scientific journal, so has withstood a fair amount of scrutiny.
As ever, this was seized on by various armchair commentators to suggest there was now no need to worry about migrating to PQC. This is as wrong, and as dangerous, as allowing yourself to be panicked by the headlines in the other direction. Again, the commentators are missing the fact that we are seeing the scientific method play out in the public eye.
The theory put forward in this paper is purely a conjecture or hypothesis that may be testable in a few years’ time. There is no evidence for or against it at this stage. You can safely ignore the mischievous phrasing in the opening sentence of the article - “Is there a fundamental reason why quantum computers cannot factor large integers used for encryption today?”. We know today’s limitations are to do with fabrication, control and error correction at scale - some of the challenges discussed in reaching the point where we can prove or disprove the other theories by Emergence, Oratomic, Google and others.
As we overcome these and make bigger quantum computers, we will find out more about what was correct and what was wrong. For this particular paper, either we will prove this conjecture wrong, or we will learn something fundamentally new about the nature of quantum mechanics when we get there. However, in the same way the other papers aren’t portents of an imminent apocalypse, this paper is in no way a sign that you can ignore the quantum threats.
The takeaway lesson from this
To those of us following the evolving research and development in this field, most of the recent flurry of publications has been of significant academic interest (possibly with the exception of the JVG algorithm). We are seeing innovative ideas about how we can use quantum computers more efficiently, to go with the various proposed innovations to build them and scale them up to the point where these ideas can be tested. However, research is, by definition, something which has an uncertain outcome - it may succeed or it may fail. Some of these ideas will fail, hopefully some will succeed and we will eventually reach the promised land of useful quantum computers.
The problem is that this research agenda is overlapping with the commercial imperatives. As the quantum sector gets more private investment (which is undoubtedly a good thing), there is a need to drive marketing to attract investors, impress shareholders and seek early revenues. This leads to sensational press releases, which are then picked up by people who don’t really understand the topic and leads to misleading headlines - often from people who should know better.
The broader risk is that scary headlines drive panicked behaviours, and rushed mistakes in implementing the wrong solutions, probably for the systems with lowest risk. Then when the doom-mongering turns out to be wrong, fatigue sets in and everyone ignores the real long-term threat and the need to act strategically.
If you remember nothing else….
The world isn’t going to end, no-one is going to break your encryption tomorrow, no matter what headlines you might have read. However, there is a long term risk to the core assumptions you rely on for key parts of your cyber security. Right now you probably don’t understand what is at risk and how much work it would take to mitigate it. While the biggest myth may be that useful quantum computing is just around the corner, the threats to some aspects of cyber security are real, and now is the time to start assessing, prioritising and planning your mitigation.
But try to ignore all the speculation about the latest research, mixed with companies trying to hype their products and panic you into buying them!
MDR Quantum helps organisations to understand and assess their quantum risk and to respond accordingly. Our services include executive briefings, policy development, risk assessment and PQC migration strategy and planning - please reach out if you’d like to learn more about how we may be able to help.




