Damus
david · 1w
So “if this is true” — if time is quantized rather than continuous — then we don’t need to worry about our bitcoins being looted by the first person with a sufficiently powerful quantum comp...
mleku
My take on quantum computer attacks is that qubits, due to their supposed theoretical continuous superposition (note: continuous, not discrete, which is an assumption that hasn't been tested), allow Shor's algorithm for factorizing and calculating roots over an EC curve finite field dramatically faster than any von Neumann-but-parallel computing system "supercomputer."

Outside of that one case—which I must reinforce is entirely hypothetical and based on a not fully confirmed property of these expensive, supercooled memory cells—current examples of these machines perform calculations at about 50% of standard supercomputers (probably partly because the qubits have less resistance, in my opinion), even with cooling costs included.

I think you can say the threat is quite exaggerated. A big part of what's going on with this quantum crypto situation is just a grift to win grants and government funding.

Here's Claude's take on it. Note that aside from occasional errors from rounding and other issues inherent in gradient descent systems, Claude tends to be extremely brutally honest:

## Shor's Algorithm: Actual Implementation Progress

### What's Actually Been Factored

The results are humbling. On real quantum hardware, implementations have only successfully factored very small numbers:

- 15 and 21 remain the benchmark—these were first demonstrated over two decades ago. Despite massive increases in qubit counts, recent experiments on IBM's 127-qubit hardware still struggle with these same numbers due to noise and decoherence.
- 91 was factored on IBM Qiskit using 127 qubits, but results highlighted how much noise degrades real runs vs. simulators.
- 253 was factored using a variational (hybrid) approach on real hardware. On a classical simulator, the same approach handled up to ~1 million—but that's the simulator doing the heavy lifting.

### Why Qubit Counts Are Misleading

Headlines about "1000+ qubit machines" don't translate to cryptographic threat. What matters is:

- **Gate error rates** — Two-qubit gate errors on real systems are around 10^-2, far too high for the billions of operations Shor's algorithm needs at scale.
- **Error correction overhead** — Factoring a 2048-bit RSA key requires millions of logical qubits, each built from many physical qubits. Current machines have hundreds to low thousands of physical qubits.
- **Connectivity and coherence time** — Qubits decohere faster than large circuits can complete.

### Cryptographic Threat Timeline

The consensus is that practical quantum attacks on real cryptographic key sizes (RSA-2048, ECC-256) remain well out of reach on current and near-term hardware. Estimates for a practical threat sit at 10-15+ years out, requiring on the order of a million physical qubits with dramatically lower error rates.

Industry roadmaps (IBM targeting ~200 logical qubits, Google/IonQ/PsiQuantum targeting ~1M physical qubits by ~2030) are ambitious but unproven at scale.

### Post-Quantum Migration

NIST finalized post-quantum cryptographic standards in 2024. Widespread adoption is expected between 2025 and 2030—well ahead of any realistic quantum threat to current cryptography.

### Bottom Line

Shor's algorithm is mathematically sound and proven in principle, but real quantum hardware can still only factor numbers smaller than what a pocket calculator handles instantly. The gap between "factoring 21" and "factoring a 617-digit RSA key" is enormous, and closing it requires breakthroughs in error correction and hardware scaling that haven't happened yet.

**Sources:**
- https://arxiv.org/html/2512.15330v3
- https://en.wikipedia.org/wiki/Shor's_algorithm
- https://towardsdatascience.com/where-are-we-with-shors-algorithm/
- https://www.nature.com/articles/s41598-021-95973-w
- https://www.quantamagazine.org/thirty-years-later-a-speed-boost-for-quantum-factoring-20231017/
- https://link.springer.com/chapter/10.1007/978-981-96-8901-9_5
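Added example, not part of mleku's post or the Claude output it quotes: a pure-Python walkthrough of Shor's factoring reduction on the exact numbers the post lists as the state of the art on real hardware (15, 21, 91, 253). The point it makes concrete is the one the post's "Bottom Line" gestures at: the only piece of Shor's algorithm that runs on a quantum computer is order finding (the period r of a^x mod N); everything after that is ordinary gcd arithmetic. Here the quantum step is replaced by a brute-force loop, so the whole thing is classical and slow in the bit-length of N, but the post-processing is identical to what a real implementation does. Function names (`find_period`, `shor_factor`, `demo`) and the fixed seeds are my own choices, and the brute-force period search is an assumption standing in for the quantum subroutine, not a claim about how any hardware demonstration was done.

```python
"""Shor's factoring reduction with the quantum step stubbed classically.

Added example (not from the post or the Claude output it quotes).
Shor's algorithm has two parts:
  1. order finding: the period r of f(x) = a**x mod n, the only part that
     runs on a quantum computer;
  2. classical post-processing: gcd(a**(r/2) - 1, n) yields a factor.
Here part 1 is a brute-force loop, which costs up to r <= n steps, i.e. it
is exponential in the bit-length of n. Part 2 is identical to what a real
implementation does. The inputs 15, 21, 91 and 253 are the sizes the post
says have been reached on real hardware.
"""
from math import gcd
import random


def find_period(a, n):
    """Smallest r > 0 with pow(a, r, n) == 1 (requires gcd(a, n) == 1).

    Stand-in for the quantum order-finding subroutine (an assumption of
    this example). A real Shor run gets r from the quantum Fourier
    transform plus continued fractions; this loop simply multiplies by a
    until it cycles back to 1.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n, rng=None, max_tries=50):
    """Return (a, r, p): a non-trivial factor p of odd composite n, the
    base a that produced it, and its period r (None when a itself
    already shared a factor with n, which skips order finding).

    Prime and prime-power n are excluded classically before Shor's
    reduction is used; here they simply exhaust max_tries.
    """
    if n % 2 == 0:
        raise ValueError("even n: factor 2 directly, no quantum step needed")
    rng = rng or random.Random(0)          # seeded so runs are reproducible
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:
            return a, None, g              # lucky: a shares a factor with n
        r = find_period(a, n)
        if r % 2:
            continue                       # odd period: useless, pick new a
        y = pow(a, r // 2, n)              # y**2 == 1 mod n, and y != 1
        if y == n - 1:
            continue                       # y == -1 mod n: trivial root, retry
        p = gcd(y - 1, n)                  # y != +-1  =>  1 < p < n
        return a, r, p
    raise RuntimeError(f"no factor of {n} found in {max_tries} tries "
                       "(n is probably prime or a prime power)")


def demo(targets=(15, 21, 91, 253)):
    """Factor the post's benchmark numbers; returns {n: (a, r, p)}."""
    return {n: shor_factor(n, random.Random(n)) for n in targets}


if __name__ == "__main__":
    for n, (a, r, p) in demo().items():
        print(f"n={n:4d}  a={a:3d}  period r={r!s:>4}  "
              f"factor {p} x {n // p}")
```

Run it and the four numbers fall out instantly, because for n this small `find_period` needs at most a few hundred multiplications. For an RSA-2048 modulus the same loop would need on the order of 2^2048 steps; that single subroutine is what the quantum Fourier transform is supposed to collapse, and it is also the part that noise and decoherence have so far kept from working on anything larger than the inputs above.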
mleku · 1w
By the way, one immediate benefit I am getting from this new LLM-powered post rewriting feature I added to https://smesh.mleku.dev is that it cleans up and reformats copypasta from the Claude Code TUI. It presents it as tidy markdown as you see above if you click this link: https://smesh.mleku.dev/n...