Enter a key size. See the quantum resources Shor's algorithm needs to break it — and the year quantum-hardware roadmaps are projected to get there.
RSA secures most of today's internet — banking, email, software updates, government records. Its safety rests on one assumption: factoring large integers is computationally infeasible.
Peter Shor showed in 1994 that a large enough quantum computer factors integers in polynomial time, breaking RSA outright. Today's hardware is far from that scale — but the requirement is falling and the hardware is rising. The only real question is when. The estimator below puts a number on it.
Nothing is sent anywhere: analysis runs entirely in your browser. Generate a real RSA key pair locally with OpenSSH, then paste the contents of rsa_demo.pub into the box above:
ssh-keygen -t rsa -b 2048 -f rsa_demo -N ""
Bump -b to 4096 and watch the break-year move out.
Resource model anchored to Gidney & Ekerå 2019 (arXiv:1905.09749, ~3n logical qubits, ~0.3 n³ Toffoli gates, ~20M physical for RSA-2048) and the qLDPC «Pinnacle» architecture 2026 (arXiv:2602.11457, <100k physical for RSA-2048). Break-year extrapolated from public vendor roadmaps. Surface code and qLDPC bracket a continuum of estimates that has fallen ~200× in six years — the chart below traces it.
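The key-size-to-resources step described above can be reproduced offline. This is an added example, not the estimator's own code: it reads the modulus size from an OpenSSH `ssh-rsa` public-key line and applies the leading-order figures quoted above (~3n logical qubits, ~0.3 n³ Toffoli gates). The function names are hypothetical, and the sample key is constructed in the code rather than generated by ssh-keygen.

```python
import base64
import struct

def _read_field(blob, off):
    # RFC 4253 "string": uint32 big-endian length, then that many bytes.
    if off + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (size,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + size
    if end > len(blob):
        raise ValueError("field runs past end of blob")
    return blob[off + 4:end], end

def rsa_modulus_bits(pub_line):
    # Parse one "ssh-rsa <base64> [comment]" line; return modulus size in bits.
    parts = pub_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match prefix")
    _exponent, off = _read_field(blob, off)
    modulus, off = _read_field(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(modulus, "big").bit_length()

def shor_resources(n_bits):
    # Leading-order figures quoted on the page (Gidney & Ekerå 2019).
    # Physical-qubit counts are given there for RSA-2048 only, so not scaled here.
    return {"logical_qubits": 3 * n_bits, "toffoli_gates": 0.3 * n_bits ** 3}

def _mpint(x):
    # SSH mpint for a positive integer; a 0x00 byte is prepended if the top bit is set.
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def constructed_pub_line(n_bits):
    # Constructed sample: well-formed blob, but the "modulus" is just an odd
    # number of the right size, not a real product of two primes.
    n = (1 << (n_bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    for size in (2048, 4096):
        bits = rsa_modulus_bits(constructed_pub_line(size))
        print(bits, shor_resources(bits))
```

To check a real key, pass the single line from rsa_demo.pub to `rsa_modulus_bits`; non-RSA key types and truncated blobs raise `ValueError` instead of returning a size.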
The requirement is falling as the hardware rises. Plot both on a log scale and the picture is a convergence — the open question is only when, not whether.
Algorithmic requirement to break RSA-2048 (black) versus best-demonstrated quantum hardware (superconducting, ion trap). Solid = demonstrated; dashed = vendor roadmaps. Where the falling requirement meets the rising hardware lies the plausible window for a cryptographically relevant quantum computer (CRQC). Figure data: Fowler et al. 2012; Gidney & Ekerå 2019; Pinnacle 2026; vendor roadmaps (IBM, Quantinuum, IonQ).
Shor breaks RSA and elliptic-curve cryptography — both reduce to the same hidden-subgroup problem a quantum computer solves efficiently. The mitigation is already standardised: cryptography built on problems Shor cannot touch.
| Standard | Algorithm | Use | Hard problem | Status |
|---|---|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | Key encapsulation | Module lattice (MLWE) | Final · 2024 |
| FIPS 204 | ML-DSA (Dilithium) | Signatures | Module lattice (MLWE) | Final · 2024 |
| FIPS 205 | SLH-DSA (SPHINCS+) | Signatures | Hash functions | Final · 2024 |
| FIPS 206 | FN-DSA (Falcon) | Signatures | NTRU lattice | Draft · 2025/26 |
Shor solves the abelian hidden-subgroup problem, which is exactly what factoring (RSA) and discrete log (ECC) reduce to. Lattice and hash problems do not reduce to it, so Shor gives no exponential speedup against them; only Grover's quadratic speedup applies, and modestly larger parameters defeat it.
An adversary can record encrypted traffic today and decrypt it once a quantum computer arrives. Any secret that must stay confidential into the 2030s should migrate to post-quantum algorithms now — the deadline is set by your data's lifetime, not the computer's arrival date.
JoS QUANTUM works the defensive side of this story: quantum key distribution and ML-based security proofs for quantum communication protocols. See our patent portfolio and QKD as a Quantum Machine Learning task (npj Quantum Information, 2025).