Quantum Threat Is Both Smaller and Bigger Than You Think
The number 10,000 qubits sounds small until you understand what it means. These are not the qubits that exist in today's machines. They are logical qubits, each encoded across hundreds or thousands of physical qubits via quantum error correction. The press release saying quantum computers need just 10,000 qubits to break encryption is technically accurate in a way that obscures almost everything that matters.
Two papers published in late March 2026 have revised Shor's algorithm resource estimates downward by orders of magnitude. Neither is peer-reviewed. Both matter.
The first, from researchers at Caltech and the startup Oratomic, appears on arXiv as Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits (Cain, Xu, Endres, Preskill, Huang, Bluvstein, et al., arXiv:2603.28627, submitted March 30). The key innovation is a new error-correction architecture using lifted product codes on neutral-atom qubits. Neutral atoms arranged in optical tweezers can be shuttled around and entangled with distant neighbors, giving non-local connectivity that superconducting or trapped-ion systems cannot easily achieve. This allows error-correction overhead to drop by two orders of magnitude compared to previous estimates. Under the paper's assumptions, 26,000 physical qubits could break ECC-256 in days. RSA-2048 would take one to two orders of magnitude longer.
The second paper is from Google Quantum AI, released as a white paper with an accompanying zero-knowledge proof. The researchers showed they could break the elliptic curve underlying Bitcoin and other cryptocurrencies in under ten minutes using roughly 500,000 physical qubits, twenty times less than the same team's 2025 estimate. They did not publish the algorithmic improvements that made this possible. They released a mathematical proof that the improvement exists without disclosing the mechanism. The stated rationale: progress has reached the point where publishing detailed cryptanalytic techniques poses misuse risk.
Both papers are algorithm and architecture results, not hardware demonstrations. The gap between these estimates and a working machine is years of engineering. But the direction is consistent and the gap is narrowing.
John Preskill, the Caltech theorist whose name is attached to both the paper and the press release, said he has been working on fault-tolerant quantum computing "longer than some of my coauthors have been alive." His addition to the Cain et al. paper is a significant signal about the credibility of the error-correction claims. The same Preskill who coined "quantum supremacy" as a provocation is now saying fault-tolerant quantum computing is close enough to take seriously.
The framing in Live Science's headline — quantum computers "need just 10,000 qubits" — is wrong in the way that most quantum security headlines are wrong. It treats the logical qubit count as if it were the physical qubit count, as if a machine with 10,000 physical qubits could run Shor's algorithm. It cannot. The paper says the logical qubit count is 10,000; the physical qubit count is in the tens of thousands. And those physical qubits need to be high-coherence neutral atoms arranged in dynamically reconfigurable arrays, which does not yet exist at that scale.
Dolev Bluvstein, the CEO of Oratomic, appears as a senior author alongside Preskill. This is not purely academic research. Oratomic is a company. The press release quotes the CEO and the CTO. That does not make the result false. It makes the framing worth scrutinizing.
The more important question is what this means for PQC migration timelines. NIST has standardized post-quantum algorithms. The migration of classical infrastructure to PQC is underway. These papers provide a new data point for organizations estimating when their encrypted data becomes at risk: not today, not in the next five years, but possibly sooner than the decade-long timelines that have been the working assumption. Brian LaMacchia, who ran Microsoft's post-quantum transition from 2015 to 2022, told Ars Technica he does not think either paper gives a new hard date. Matt Green at Johns Hopkins called the cryptocurrency framing "more of a PR trick than a serious concern." Both are reasonable reads.
The Ars Technica article is also notable for what it reports about Google's decision to withhold the algorithmic improvements in its white paper. The company that built Project Zero's 90-day disclosure policy is now arguing that publishing detailed quantum cryptanalysis is too risky to release publicly. That is a reversal of a twenty-year norm. It is also, as Green noted, concentrated on cryptocurrency rather than TLS, digital certificates, or the broader public-key infrastructure that protects most internet communications.
These are two papers, submitted within days of each other, arriving at similar conclusions about Shor's algorithm resource requirements using different architectures. That is the story. Not that quantum computers can now break encryption. That they are closer to being able to than the field assumed a year ago, and two independent teams found the same thing in the same week.