Now that we can store data with qubits and we can execute mathematical operations on those values with quantum gates, it is just a matter of how many qubits we can pack together to increase the compute capacity. As this is happening at the level of basic particles, size is not a problem for the qubit… but it is a problem for the housing and cooling system that keeps the system near 0°K. Apart from having more qubits for computation, we can also leverage superposition in each qubit – multiple states at once with different probabilities to collapse into one value or another. Superposition allows us to shorten the number of steps necessary for certain calculations.
The best trick, however, is to use interference. You may remember interference from any physics class on waves. Waves that are “in phase” interfere constructively and generate a stronger signal. Waves that are “out of phase” interfere destructively and generate a lower signal or no signal at all. This is not a purely quantum concept, but a general property of any type of waves and basic particles behaving as waves. When creating quantum algorithms, programmers will strive to manipulate qubits in a way that correct answers will interfere constructively and incorrect answers destructively. This means that from a starting state, you can move to a closer state to the solution by checking how the interference changes. If a step gives a higher signal output, we have constructive interference and we know we are going in the right direction. And if a step gives a lower signal output, we have destructive interference and we better change course. With this kind of algorithm, we can find a small set of answers with the highest probability of being correct more quickly. This is very useful when modelling complex systems that don’t need an absolute single answer but just the best approximation (for example, weather patterns).

Quantum computers have limits. They are not faster at solving every type of problem presented to them (and some problems they can’t solve at all). But for those problems that they are good at… they are super-fast.
The fastest quantum computers today operate with around 1000 qubits. The largest quantum array created accumulated as many as 6100 qubits (Caltech, USA). Most the time, quantum computers will provide an exponential increase of speed (2x with x= number of qubits) and an enormous decrease in time to solution; with some of them taking only seconds to solve problems that would take decades (or more) to solve in a classic supercomputer.
With great power comes… great danger
The biggest worry right now regarding quantum computing is the fact that quantum computers will “soon” be able to beat some of our best cryptography weapons.
Most cryptography is done with either symmetric (for example, AES) or asymmetric key encryption algorithms (for example, RSA). There are two quantum algorithms that, given enough qubits, can theoretically break such cryptography algorithms. The first is Grover’s algorithm which targets symmetric key algorithms; the second is Shor’s algorithm which threatens asymmetric key algorithms.
Grover’s algorithm
Grover’s algorithm goal is to find a specific item in a set. It performs an unstructured search in an unsorted database. It utilises quantum superposition to evaluate all possible solutions simultaneously (as opposed to classic methods that examine each option sequentially). It also utilises constructive interference to amplify the amplitude for the correct solution. Grover’s algorithm threatens AES encryption by speeding up a brute force attack by effectively halving the number of operations needed:
- for AES-128 we need 264 operations (instead of 2128)
- for AES-256 we need 2128 operations (instead of 2256)
In terms of speed, Grover’s brings a quadratic speed-up over classical compute attacks, not exponential.
To break AES-256, we would require almost 7000 logical qubits (6681 is the exact number) – not to be confused with physical qubits. You may wonder… what is a logical qubit? What is the difference with a physical qubit? Definition time…
Physical qubit (PQ): An actual real physical device that behaves like a two-state quantum system. These are fragile and susceptible to external factors, and therefore prone to errors.
Logical qubit (LQ): Units of highly reliable quantum information. They are achieved by grouping physical qubits into a single quantum error-corrected (QEC) logical qubit. The logical qubit is the result of encoding being applied to the group of physical qubits using entanglement. The number of physical qubits required to create a single logical qubit can vary hugely, from 100 to up to a 1000. And, with the continuous advancement in this area of technology, we could be looking at a ratio of 10 in the future.
Logical qubits are groups of entangled physical qubits. Because of the encoding used in creating the grouping, the quantum state of the group is resistant to changes and errors that may occur in the individual physical qubits. This reminds me of how encoding is used in wireless transmissions for the same purpose: reducing noise, loss, and errors. In wireless, we lose individual bits in the transmission all the time… but if enough of them arrive at the receiving antenna, we can decipher the encoded information based on the ones that do arrive.
We mentioned before that the largest number of qubits in a single system so far is 6100. These are physical qubits. Even with a small ratio of physical to logical qubits (PQ:LQ = 100:1), that leaves us with about 60 logical qubits. Not nearly enough for almost 7000 needed to break AES-256. With a more realistic ratio (PQ:LQ of about 500:1), we would need more than 3.5M physical qubits to brute force AES-256 with a quantum computer and Grover’s algorithm.
But wait, there’s more. Let’s say we have 3.5M qubits. Can we break the encryption now?! We mentioned the speed improvement of Grover’s algorithm which is only quadratic over classical computing and not exponential. Let’s say our quantum computer is also super-fast for every evaluation of the key. It has been estimated that it would still take at least 30.000 years to break AES-256.
That was a very long-winded way of saying… AES-256 is, for all practical purposes, SAFE from quantum computing brute force attacks. For now.
So, where is the danger?
Let me tell you about asymmetric key encryption…

Shor’s algorithm
Shor’s algorithm is a quantum algorithm whose purpose is to find the prime factors of an integer.
RSA encryption relays heavily on large prime numbers to keep encrypted data secure. RSA utilises two large prime numbers. And when we say large… we mean LARGE. For RSA-2048 for example, we use 1024 bits per prime number, which allows for an integer more than 300 digits long. These two large prime numbers are then multiplied, and the resulting value – the modulus – is utilised in the public and private key creation. The resulting public and private keys are used for RSA asymmetrical encryption.
Breaking RSA encryption relies on factoring a number which is the multiplication of two prime numbers. Factoring, in this case, means finding those two large prime numbers that multiplied result in the modulus used to create the keys. Basically, we need to revert the multiplication operation. This is impossible to achieve with classical computers as it would take several million years. But Shor’s algorithm can theoretically achieve it with a quantum computer.
The number of logical qubits we need to break RSA-2048 is 1600. This means that, with a conservative estimate of PQ:LQ of about 500:1, we will need about 800.000 physical qubits to factor that number and break RSA-2048. Although this is still quite a large number of qubits, it is a much smaller quantity compared to the 3.5M requirements to break AES-256.
As quantum computers are developed with more physical qubits and the PQ:LQ ratio decreases, the requirements to implement Shor’s algorithm get closer to be met.
But wait, it gets worse. Shor’s algorithm is not only less resource heavy, but it is also a lot faster. The improvement on speed is exponential compared to traditional computing. Given enough qubits, breaking RSA could take hours, days or months, depending on how many qubits we have at our disposal.
So, can we break RSA-2048 today? No. We don’t have enough qubits today. Then, when?
Y2Q
Years to Quantum (Y2Q) is the term used for the number of years until quantum computers will be able to break public key algorithms as RSA. These future quantum computers are called CRQC – Cryptographically Relevant Quantum Computers.
Some organisations predict that CRQCs will be available as early as 2030. Others predict a wait of more than a decade or two. Most experts consider that Y2Q (sometimes called Q-day) is somewhere between 3 and 25 years.

Even if CRQCs are not here yet, the threat is already here. Attackers can collect data now and decrypt it when the means become available. And, if we consider the optimistic (or pessimistic, depends how you look at it…) case of Y2Q being 3-5 years, that is all the time we available to reinforce the encryption methods used across all systems so that attackers can’t access our data in the future.
The Harvest Now, Decrypt Later (HNDL) method is already a threat and data that has been encrypted with today’s asymmetrical encryption algorithms can be collected any time to be decrypted later using Shor’s algorithm.
This is why we need start implementing PQC (Post Quantum Cryptography) today. Even if quantum computers are not ready yet, the methods are known and it is just a matter of time before our data is decrypted. The Cloud Security Alliance has actually created a countdown clock based on their own prediction of Y2Q. It may be a bit dramatic, but it gets the point across quite effectively.

Read this guide for a high level and strategic view of the quantum threat.
To learn more about Post Quantum Cryptography, the options available today to strengthen your systems and the future of encryption with quantum resistant algorithms, stay tuned for my next blog.
