How to factor 2048 bit RSA integers with less than a million noisy qubits
Craig Gidney

TL;DR
This paper demonstrates that factoring 2048-bit RSA integers could be achieved in less than a week using under a million noisy qubits by optimizing quantum algorithms and resource management, significantly reducing previous qubit estimates.
Contribution
The paper presents a substantial reduction in the estimated number of noisy qubits needed to factor 2048-bit RSA integers, improving previous estimates by over an order of magnitude through advanced quantum techniques.
Findings
Factoring 2048-bit RSA in less than a week with under a million qubits.
Reduction of qubit requirements by using approximate residue arithmetic and optimized resource management.
Over 100x reduction in Toffoli gate count compared to previous estimates.
Abstract
Planning the transition to quantum-safe cryptosystems requires understanding the cost of quantum attacks on vulnerable cryptosystems. In Gidney+Ekerå 2019, I co-published an estimate stating that 2048 bit RSA integers could be factored in eight hours by a quantum computer with 20 million noisy qubits. In this paper, I substantially reduce the number of qubits required. I estimate that a 2048 bit RSA integer could be factored in less than a week by a quantum computer with less than a million noisy qubits. I make the same assumptions as in 2019: a square grid of qubits with nearest neighbor connections, a uniform gate error rate of , a surface code cycle time of 1 microsecond, and a control system reaction time of microseconds. The qubit count reduction comes mainly from using approximate residue arithmetic (Chevignard+Fouque+Schrottenloher 2024), from storing idle…
Taxonomy
Topics: Coding theory and cryptography · Quantum Computing Algorithms and Architecture · Cryptography and Residue Arithmetic
