Encryption Needs Millions of Qubits to Crack—Except It Doesn't
The qubit count required to break real encryption may be dramatically lower than anyone thought. A paper published to arXiv by researchers including John Preskill of Caltech, Manuel Endres of Caltech, and Dolev Bluvstein argues that Shor's algorithm could run at cryptographically relevant scales using just 10,000 reconfigurable atomic qubits — down from prior estimates in the millions. The paper dropped alongside the launch of Oratomic, a startup founded by the authors to commercialize the result.
The key technical advance is the use of high-rate quantum low-density parity-check codes (qLDPC). These achieve roughly 30 percent encoding rates versus around 4 percent for the surface codes used by most competing architectures, meaning more logical qubits fit inside the same physical hardware. The authors calculate that ECC-256, a widely deployed elliptic curve standard, could be broken in approximately 10 days with 26,000 physical qubits. RSA-2048, a larger encryption key, would take one to two orders of magnitude longer, according to the paper.
"We show that Shor's algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits," the authors write. Preskill, who has spent decades on fault-tolerant quantum computing, was more guarded in Caltech's announcement of the result: "Now at last we're getting close."
The neutral atom architecture is what makes the 10,000-qubit figure plausible. Unlike superconducting qubits, which need rigid cryogenic wiring, neutral atoms are held in place by laser beams and can be optically rearranged between computational cycles. This reconfiguration is what allows the hardware to run stabilizer measurements — the error correction process — without physical rewiring. Endres previously built the largest neutral atom array assembled, at 6,100 trapped atoms. The gap between 6,100 and 10,000 is smaller than it looks: the paper's encoding efficiency closes most of it.
The startup layer complicates the story. Oratomic lists Bluvstein as CEO, Preskill as a co-founder, and Hsin-Yuan Huang as chief technology officer. Its launch announcement cites global guidelines calling for transition to post-quantum encryption by 2035 — a number that sounds urgent until you notice it predates this paper. The press coverage so far has focused on the lower qubit count, which fits a headline. What the headlines skip is the engineering distance between 10,000 atoms in a trap and a fault-tolerant machine running Shor's algorithm.
The critical gap is cycle time. The paper assumes a 1-millisecond stabilizer measurement cycle — the time between error syndrome reads — as an engineering target. No neutral atom system has demonstrated that at scale, according to PostQuantum.com's analysis. Faster cycles mean less error accumulation between corrections, which means fewer physical qubits are needed to achieve the same logical fidelity. The 10,000-qubit estimate is contingent on hitting that number. The paper establishes what the physics permits. Actually building it means meeting every cycle time and fidelity target simultaneously, at a scale no neutral atom system has reached.
There is also the question of which encryption the threshold actually threatens. The 10,000-qubit estimate is calibrated to ECC-256. RSA-2048 sits a step above it. Most enterprise and government systems use longer keys or hybrid post-quantum schemes that would push the hardware requirements back up. The threat model is real but selective.
Google has said it plans to complete its own post-quantum cryptography migration by 2029. That timeline does not depend on Oratomic's machine. It depends on migration progress today — not on when the next qubit record arrives.