Cryptographically Relevant Quantum Computers

Updated 22 December 2025

CRQCs are fault-tolerant, error-corrected quantum computers designed to run Shor’s algorithm at key sizes used in modern cryptography.
They require massive logical and physical qubit counts with extremely low error rates to compromise systems like RSA, ECC, and Diffie–Hellman.
The development of CRQCs would drive a rapid transition to quantum-resistant cryptography, ensuring secure communication in a post-quantum era.

A Cryptographically Relevant Quantum Computer (CRQC) is a fault-tolerant, error-corrected quantum system of sufficient scale and fidelity to efficiently execute quantum algorithms that break widely deployed cryptosystems—most notably those based on integer factorization or discrete logarithms—at security levels currently standardized for real-world use. Engineering, mathematical, and security criteria for CRQCs are defined in relation to their capability to implement Shor’s algorithm at key sizes used in RSA, Elliptic Curve Cryptography (ECC), and Diffie–Hellman protocols, among others. A consensus has emerged that CRQCs require large logical and physical qubit counts, extremely low error rates, and deep circuit capability, and their practical realization would trigger a wholesale migration to quantum-resistant cryptography (Scholten et al., 2024, Mattsson et al., 2021, Bagourd et al., 17 Dec 2025).

1. Formal Definition and Security Context

CRQCs are formally defined as quantum computers that, by virtue of sufficient scale and fault tolerance, enable practical cryptanalytic attacks on “cryptographically relevant” problems. Specifically, a CRQC is any quantum processor capable of efficiently executing Shor’s algorithm at input sizes corresponding to deployed public-key cryptographic standards, yielding a practical attack runtime and success probability (Scholten et al., 2024, Mattsson et al., 2021).

The operational relevance of a quantum computer is context-specific and is frequently referenced within the QS classification paradigm:

QS1 (Post-Quantum Security): CRQCs can execute polynomial-time quantum algorithms (QPT) such as Shor’s, sufficient to compromise RSA, ECC, or DLP systems.
QS2 (Superposition-Oracular Attacks): CRQCs that can stably implement quantum oracle queries on classical functions (e.g., quantum-accessible hash or PRFs).
QS3 (Native Quantum Primitives): CRQCs supporting quantum-data cryptography, quantum memory, and full quantum encryption protocols (Gagliardoni, 2017).

A device qualifies as a CRQC of class QSi if it can instantiate at least one adversarial task in class QSi, matching the cryptanalytic hardware requirements for breaking the associated class of cryptosystems.

2. Resource Estimates and Engineering Thresholds

CRQC resource targets are determined by their ability to run known quantum cryptanalytic algorithms at cryptographically relevant sizes. For RSA-2048, ECC-256, and Diffie–Hellman key sizes, resource upper- and lower-bounds have been established (Scholten et al., 2024, Mattsson et al., 2021, Bagourd et al., 17 Dec 2025):

Parameter	Typical Target	Known Results / Estimates
Logical qubits	$n_L \sim 1{,}000$ – $10{,}000$	$n_L \approx 6\,158$ (RSA-2048)
Physical qubits	$N_{phys} \sim 10^7$ – $10^8$	$N_{phys} \approx 20{,}000\,000$ (RSA-2048)
Circuit depth	$d \sim 10^9$ - $10^{11}$	$d\approx 2.7\times10^9$ (RSA-2048)
Logical error	$p_L\lesssim (q\,d)^{-1}$	$p_L \lesssim 10^{-13}$ per logical step
Physical error	$p_{phys} \lesssim 10^{-3} {-} 10^{-4}$	Surface code threshold regime

Fault-tolerant surface-code error correction is standard, with $\sim$ 1,000–10,000 physical qubits required per logical qubit at $p_{phys}\approx 10^{-3}$ – $10^{-4}$ to drive logical error per algorithm below $10^{-9}$ – $10^{-13}$ (Scholten et al., 2024).

RSA and ECC resource counts follow from best-in-class algorithms:

For integer factorization (RSA- $n$ $n$ ):
- Logical qubits: $q = 3n + 0.002\,n\log_2 n$
- T-depth: $d = n^2 (\log_2 n+500)$ [Gidney 2021]
For ECC scalar multiplication (ECC- $n$ $n$ ):
- Logical qubits: $q=8n+10.2\lfloor\log_2 n\rfloor-1$ [Häner & Roetteler 2020]
- Depth: $d=120 n^3-1.67\cdot 2^{22}$

A direct implication is that to compromise RSA-2048 ( $n=2048$ ), a CRQC must marshal $q_L \approx 6{,}158$ , $d\approx 2.7\times10^9$ , and $N_{phys}\approx 2\times 10^7$ , maintaining $p_L\lesssim 10^{-13}$ (Scholten et al., 2024, Bagourd et al., 17 Dec 2025). Superconducting, trapped-ion, and photonic platforms remain the plausible candidates for hardware scaling (Mattsson et al., 2021).

3. Quantum Algorithms for Cryptanalysis

Shor’s algorithm is the critical quantum primitive for CRQC definition; its polynomial-time complexity $O(n^3\log n)$ and $O(n)$ logical qubit footprint enable exponential speedup over the best-known classical subexponential algorithms for both integer factorization (RSA) and discrete logarithms (ECC, DH) (Scholten et al., 2024, Harshvardhan et al., 2023).

Asymptotic time: $T=O(n^3\log n)$
Space: $Q=O(n)$

For AES and hash functions, Grover’s algorithm offers a quadratic search speedup—requiring $O(2^{n/2})$ circuit calls for key size $n$ , rendering AES-128 still classically secure ( $2^{64}$ iterations, $2^{75}$ logical gate depth, billions of years on single CRQC) (Mattsson et al., 2021, Scholten et al., 2024). No known quantum algorithm currently reduces collision resistance below $2^{N/2}$ for an output size $N$ .

Approximate and NISQ-era approaches—variational quantum algorithms (VQAs), error mitigation, and circuit knitting—can extend the utility of near-term hardware for standard applications, but do not diminish CRQC cryptanalytic thresholds (Scholten et al., 2024).

4. Error Correction and Physical Realizability

Quantum error correction is central to the viability of CRQCs. Surface code remains the leading error correction paradigm:

Logical error rate: $p_L \approx C (p_{phys}/p_{th})^{(d_C+1)/2}$ , $C\leq0.1$
Required $p_{phys} \lesssim 10^{-4}$ to suppress $p_L \lesssim 10^{-13}$ for RSA-2048 (code distance $d_C\sim 50$ )
Physical-to-logical qubit overhead: $1{,}000$ – $10{,}000$ per logical qubit

Implementation timelines for the required levels of quality and scale remain long. As of 2023, platforms are in the $10^2$ qubit regime, far below CRQC targets. Surface code overheads, low-fidelity gates, and limited connectivity set key bottlenecks, with fault-tolerant prototypes (10s of logical qubits) projected for 2028–2030, and CRQC-level (>1,000 logical qubits) possibly realizable in the late 2030s–2040s (Scholten et al., 2024, Bagourd et al., 17 Dec 2025).

5. Security Implications and Transition Strategies

The advent of CRQCs would render virtually all commonly deployed public-key cryptosystems (RSA, ECC, finite-field DSA, DH) insecure. Consequently, quantum-safe or post-quantum cryptography (PQC), based on problems believed hard for quantum computers (lattice, code, and hash-based schemes), is under ongoing standardization (NIST PQC) (Scholten et al., 2024, Mattsson et al., 2021). Core recommendations:

Migrate to PQC for key exchange and signature as early as feasible (draft standards by 2024, broad adoption by 2030).
Deploy hybrid schemes (PQC+classical) to ensure "crypto-agility" during the transition.
Accelerate key rotation and minimize retention windows for legacy-encrypted data (“harvest now—decrypt later”).
AES-128, SHA-256, and other symmetric primitives retain adequate security margins even against full-scale CRQCs.

Quantum Key Distribution (QKD) and Quantum Random Number Generation (QRNG) provide additional information-theoretic resilience, subject to practical implementation limitations (Scholten et al., 2024).

6. Timeline Projections, Open Questions, and Roadmapping

Expert consensus is that CRQCs are “extremely unlikely” (<1%) by 2028, with a 50% probability by ~2037–2040; practical realization is conditional on major advances in qubit yield, control, and error-correcting code performance (Scholten et al., 2024). Corporate and national roadmaps align with this assessment, forecasting multi-decade timescales from 100~qubit prototypes (2025–2026) to million-qubit systems (post-2035) (Bagourd et al., 17 Dec 2025, Mattsson et al., 2021).

Major open engineering and scientific questions include:

Reducing surface code overheads and error-correction factors,
Improving two-qubit gate fidelities and minimizing classical control bottlenecks,
Identifying feasible applications for noisy intermediate-scale devices to sustain investment,
Vetting QKD/QORAM and device-independent cryptography against real-world adversaries (Mattsson et al., 2021, Gagliardoni, 2017).

A plausible implication is that practical, large-scale CRQCs—i.e., those placing standard public-key infrastructure at risk—are not expected before the late 2030s, and even then likely to be state-scale operations for many years after (Scholten et al., 2024, Bagourd et al., 17 Dec 2025).

7. CRQC Classification and Application Spectrum

The QS1/QS2/QS3 taxonomy allows rigorous classification of CRQC threat models and deployment scenarios:

QS1-CRQC: Sufficient for “post-quantum” attacks (e.g., Shor’s on RSA).
QS2-CRQC: Able to implement coherent quantum queries (superposition access to oracles).
QS3-CRQC: Native quantum cryptography, including quantum encryption, QKD, and quantum data primitives.

Determination requires assessment of qubit quality, algorithm implementation capability, oracle interfaces, and mid-circuit measurement or quantum memory capabilities (Gagliardoni, 2017). As a device class achieves higher QS-level, the range of cryptosystems that must be replaced or augmented with quantum-resistant schemes expands accordingly.

This layered attack and defense paradigm ensures that cryptographic migration is mapped to actual and imminent hardware capabilities, rather than hypothetical future advances, providing a structured risk assessment for both researchers and practitioners (Scholten et al., 2024, Mattsson et al., 2021, Gagliardoni, 2017).