In 1994, a mathematician at Bell Labs named Peter Shor presented an algorithm that would eventually threaten the security of nearly every online transaction, encrypted email, and digital signature on the internet. The twist? His algorithm only works on computers that didn't exist then and barely exist now—quantum computers that harness the strange properties of subatomic particles to perform calculations impossible for conventional machines.
The Math That Protects Your Secrets
Modern encryption relies on a simple asymmetry: multiplying two large prime numbers together is easy, but factoring the result back into those primes is brutally hard. Take two 1,024-digit primes, multiply them, and you get a 2,048-digit number that would take classical computers thousands of years to factor. This is the foundation of RSA encryption, which secures everything from your bank account to classified military communications.
Shor's algorithm breaks this asymmetry. On a sufficiently powerful quantum computer, it could factor those enormous numbers exponentially faster than any conventional approach. The theoretical minimum needed? Just 4,099 perfect, error-free qubits—the quantum equivalent of bits.
That sounds achievable until you account for reality. Qubits are fragile. They lose their quantum properties—a phenomenon called decoherence—in one to two milliseconds. They make errors constantly. Building a practical quantum computer that could crack RSA requires roughly 20 million physical qubits to maintain the 4,099 logical qubits needed, along with error correction that can sustain billions of operations without falling apart.
Today's most advanced quantum computers have just crossed 1,000 qubits. In May 2024, researchers at Shanghai University managed to factor integers up to 50 bits using quantum-classical hybrid methods. Modern RSA uses 2,048 bits. The gap between 50 and 2,048 is so vast that Google's calculator rounds 2^2048 to "infinity."
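As an added example (not code from the article), here is the classical half of Shor's algorithm run against a constructed toy RSA key built from the primes 61 and 53. The quantum computer's only job is to find the period r of a^x mod n; that step is brute-forced here, and everything after it is ordinary gcd arithmetic that turns the period into the factors and the factors into the private key.

```python
from math import gcd
import random

def make_toy_rsa(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes: the 'easy direction' is a single multiplication."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent needs phi(n) = (p-1)(q-1)
    return n, e, d

def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n). Brute force here, exponential in the
    size of n; this is the step a quantum computer speeds up with the QFT."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def shor_classical(n: int, seed: int = 0) -> int:
    """Return a non-trivial factor of n, which must be a product of two distinct
    odd primes (as an RSA modulus is), via Shor's order-finding reduction."""
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:
            return g                      # lucky guess already shares a factor
        r = find_period(a, n)
        if r % 2:
            continue                      # odd period is useless: pick another a
        y = pow(a, r // 2, n)             # y^2 = 1 (mod n) but y != 1 (r is minimal)
        if y == n - 1:
            continue                      # y = -1 (mod n) gives only trivial factors
        return gcd(y - 1, n)              # (y-1)(y+1) = 0 (mod n) splits n

def break_toy_rsa(n: int, e: int, seed: int = 0) -> int:
    """Factor n, then rebuild the private exponent exactly as key generation did."""
    p = shor_classical(n, seed)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def demo(seed: int = 0) -> bool:
    """Constructed toy key (n = 3233): encrypt 42, recover d from n alone, decrypt."""
    n, e, d = make_toy_rsa(61, 53)
    c = pow(42, e, n)
    d_recovered = break_toy_rsa(n, e, seed)
    return d_recovered == d and pow(c, d_recovered, n) == 42
```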
Why We're Worried Anyway
If quantum computers capable of breaking encryption are decades away, why did the U.S. National Institute of Standards and Technology spend eight years developing new encryption standards, evaluating 82 algorithms from 25 countries, and urging immediate implementation?
The answer is a threat called "harvest now, decrypt later." Adversaries don't need to break your encryption today. They just need to collect it and wait. If you're transmitting data that must remain confidential for 10, 20, or 30 years—government records, defense plans, medical research, financial strategies—it's vulnerable to anyone patient enough to store it until quantum computers arrive.
And data collection is happening at alarming speed. A 2026 report from Unit 42 found that the fastest quartile of intrusions reached data exfiltration in just 72 minutes, down from 285 minutes the previous year. Nation-states and sophisticated actors are almost certainly already harvesting encrypted communications.
The probability estimates are sobering. U.S. regulators and the Global Risk Institute put the odds of quantum computers breaking public-key encryption at 19-34% by 2034, rising to 60-82% by 2044. NIST states that 2048-bit RSA should remain secure through 2030, but "should" is doing heavy lifting in that sentence.
The New Math
On August 13, 2024, NIST released three finalized post-quantum encryption standards. Unlike RSA and elliptic-curve cryptography, which quantum computers can crack using Shor's algorithm, these new standards are based on mathematical problems that would stymie both conventional and quantum computers.
The primary standard for general encryption, FIPS 203, is based on an algorithm called CRYSTALS-Kyber. It relies on lattice-based cryptography—imagine trying to find the shortest path through a multi-dimensional grid where the number of dimensions is enormous and the grid points are obscured by noise. Even quantum computers have no known efficient method for solving these problems.
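The following toy one-bit Learning With Errors scheme is an added illustration of the "noisy grid" described above; it is neither the article's code nor ML-KEM itself. The public key is a set of lattice points b = A*s + e with small errors e: without e, recovering s from (A, b) is Gaussian elimination mod q, and the noise is what turns it into a hard lattice problem. The parameters Q, N_DIM and M_SAMPLES are constructed for readability and far too small for real security.

```python
import random

# Constructed toy parameters (ML-KEM uses n in the hundreds and q = 3329).
# Decryption is correct as long as M_SAMPLES * max|error| < Q / 4.
Q, N_DIM, M_SAMPLES = 97, 8, 20

def keygen(rng: random.Random):
    """Secret s; public key is the noisy grid (A, b = A*s + e mod q)."""
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    A = [[rng.randrange(Q) for _ in range(N_DIM)] for _ in range(M_SAMPLES)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M_SAMPLES)]        # the small noise
    b = [(sum(x * y for x, y in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt_bit(pk, bit: int, rng: random.Random):
    """Sum a random subset of the public samples; hide the bit in the high half of q."""
    A, b = pk
    subset = [i for i in range(M_SAMPLES) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % Q for j in range(N_DIM)]
    v = (sum(b[i] for i in subset) + bit * (Q // 2)) % Q
    return u, v

def decrypt_bit(s, ct) -> int:
    """With s known, v - <u, s> = bit*(q/2) + (sum of at most M_SAMPLES errors),
    so the noise cancels out of the decision as long as it stays below q/4."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q
    return 0 if min(d, Q - d) < Q // 4 else 1

def roundtrip(bits, seed: int = 0):
    """Encrypt and decrypt a list of bits under one fresh toy key."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return [decrypt_bit(s, encrypt_bit(pk, bt, rng)) for bt in bits]
```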
For digital signatures, NIST standardized CRYSTALS-Dilithium (FIPS 204) and SPHINCS+ (FIPS 205), the latter based on hash functions rather than lattices. The diversity is intentional. If someone discovers a quantum algorithm that cracks lattice problems, hash-based alternatives provide a backup.
NIST mathematician Dustin Moody urged immediate implementation: "We encourage system administrators to start integrating them into their systems immediately, because full integration will take time." He's right. Migrating global infrastructure to new encryption standards is a years-long process. The U.S. defense and national security systems aren't expected to complete their transition until 2035.
The Economic Equation
A January 2026 report from Citi Institute estimated that a single-day quantum attack on one top-five U.S. bank's access to Fedwire could have an indirect economic impact of $2.0-$3.3 trillion—10-17% of U.S. GDP. The estimate assumes cascading failures as the financial system loses trust in its ability to authenticate transactions.
Cryptocurrency faces its own quantum reckoning. Approximately 25% of all Bitcoin—worth $500-600 billion—sits in addresses that have exposed their public keys, making them vulnerable to quantum attacks. Once a public key is known, a quantum computer running Shor's algorithm could derive the private key and drain the wallet.
These numbers assume quantum computers arrive on schedule. They might not. The technical challenges are immense. Moving from 1,000 noisy qubits to 20 million stable ones requires breakthroughs in error correction, materials science, and quantum architecture that may take decades—or may never come.
Racing the Exponential
The strange reality is that we're preparing for a threat that doesn't exist yet and might not exist for decades, while simultaneously racing to protect data that's being stolen right now. The migration to post-quantum cryptography isn't optional. The only question is whether we finish before quantum computers arrive—or before the data harvested today becomes valuable enough to decrypt with tomorrow's machines.
Modern web browsers already support 4096-bit RSA keys as a stopgap, buying time if needed. But time is the one resource we can't manufacture. Every day that encrypted data sits in adversarial storage is another day closer to the quantum computers that could unlock it. The mathematics of encryption has always been a race between code-makers and code-breakers. For the first time, we're running the race before our opponents have even arrived at the track.