Free Trial
Contact Us
Podcast

Root Causes 517: The Cost of Quantum Factoring

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
July 25, 2025

Jason walks us through an important recent paper from Google tracking the cost of quantum factoring.

Podcast Transcript

Tim CallanTim CallanSo Jason, I think Google recently had an announcement about quantum factoring.
Jason SorokoJason SorokoYes. Back in 2019, Google put out some research that said it would take – and I'm reading from my notes here. There you go. I'm going to read this exactly from their blog. In 2012, is estimated that a 2048 bit RSA key could be broken by a quantum computer with a billion physical qubits.
Tim CallanTim CallanBillion. Billion with a b.
Jason SorokoJason SorokoB a billion physical. Now remember, that's an awful lot. And I think when people first saw that, they were like, well, you're never going to get that. Like, as big as quantum computers ever get, you’re just never going to get a quantum computer that big. Therefore, it's not a problem. It's a boogeyman. It's an interesting science experiment. But once Google stated that people realized it's just too tough of a problem.
However, in 2019, exact same physical assumptions, they lowered it to 20 million, physical qubits.
And so we're talking about, what is it? A 20 fold decrease since 2019 and this is the thing. So the constant, the absolute, just the constant improvement in error handling within the system has meant that we've gone from a probably an impossible situation for quantum computers to use Shor's algorithm to break RSA 2048, to now coming into the realm of, oh yeah, we could probably build that quantum computer in a short period of time. And here's really, if you look at the rate at which error handling is improving, and therefore the number of stable qubits that's necessary to actually use Shor's algorithm to break RSA 2048, it's shrinking and shrinking and shrinking at a very, very substantial rate. And that should make people realize one simple conclusion. And I think this was the conclusion from this most recent blog from Google, which is, it's gonna be possible. And I think that's gonna be a shock to some people. It's not gonna be easy. I think the engineering behind building that level of quantum computer is really going to be something else.
But as we've said in previous podcast, just getting to the first levels of building stable quantum fields with a certain number of stable qubits, nobody thought we'd get this far. But we did. We did. And now, people have done the math about all right, let's think hard about RSA 2048. How many stable qubits is going to take?
I remember on previous podcasts, we talked about how one of the big reasons why you need so many stable qubits is because you can't do it in one shot. You have to do multiple shots to cluster around an answer.
In other words, within the 2048 bit space, basically trying to guess prime numbers, you're never going to get the exact prime number on the first guess. You're going to cluster around a prime number, and how many shots is that going to take? In other words, how many stable qubits within one single go do you need in order to be able to do all those shots against your targets? And that's if you can focus your shots better. Think about bow and arrow, how many of your shots are dead center versus clustering around the center.
And as you get better and better and better as a bow and arrow enthusiast, you narrow towards the center. And that's exactly what Google is talking about is their ability to narrow towards the center of what Shor's algorithm is doing with a quantum computer is just improving and improving and improving. Therefore, the need for so many quantum bits or qubits is lessening and lessening by such a massive degree that the reality of a quantum computer using Shor's algorithm is starting to itself come into focus, and now it's seemingly like it's a lot, a lot more of a possibility, Tim.
So this was an extremely consequential paper by Google and I highly recommend people look at it. Now let me get you the title to it.
It’s on the Google security blog. May 23, 2025. The title is Tracking the Cost of Quantum Factoring.
Tim CallanTim CallanTracking the cost of quantum factoring. Thank you, Jason.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud