The Enormous Energy Cost of Breaking RSA‑2048 with Quantum Computers

Quantum computers promise to crack encryption schemes that are effectively unbreakable by classical means. Chief among these is Shor’s algorithm for factoring large integers, which could one day break RSA-2048, a widely used public-key encryption standard. But one often overlooked aspect of this looming quantum threat is its staggering energy requirement. After a few other industry papers estimating the energy requirement, I will try to redo the research and calculation, draw on the latest published numbers, and give some estimates on how many qubits and how much time a cryptographically relevant quantum computer (CRQC) would need to factor a 2048-bit RSA key – and what that means in terms of power consumption, cost, and geopolitics.

Factoring RSA‑2048: Qubit Requirements and Runtime

Shor’s algorithm, discovered in 1994, showed in theory that a sufficiently large quantum computer could factor large numbers exponentially faster than any classical computer – threatening RSA encryption. Early resource estimates for applying Shor’s algorithm to break a 2048-bit RSA key were astronomical. For example, in 2012, Fowler et al. projected that on the order of a billion noisy qubits would be needed for RSA-2048. This was far beyond anything conceivable at the time. Fast-forward to 2021: researchers Craig Gidney and Martin Ekerå drastically reduced the estimated resources by combining numerous optimizations. They showed that RSA-2048 could be factored in about 8 hours using roughly 20 million physical qubits – a hundredfold reduction in “spacetime volume” (qubits × time) compared to earlier work. This was a milestone result: 20 million noisy superconducting qubits running for 8 hours (or equivalently fewer qubits running longer) could do what previously was estimated to require a billion qubits running for days.

Since then, researchers have continued to chip away at the problem. In 2024, Clémence Chevignard and colleagues introduced a new factoring algorithm that dramatically lowers the logical qubit count required. By clever circuit design, they showed RSA-2048 can be factored with about 1,730 logical qubits – roughly $$0.85n$$ for an n=2048-bit modulus. This is a far cry from earlier estimates that one would need about $$2n$$ (≈4096) or even $$1.5n$$ (~3072) qubits for Shor’s algorithm. In other words, the newest circuits can factor a 2048-bit RSA number using on the order of one or two thousand error-corrected qubits, rather than several thousand. However, there’s a catch: lowering the qubit count often means increasing the number of sequential operations. Chevignard et al. estimate their method would use about $$2^{36}$$ (roughly 68 billion) Toffoli gates per run and require about 40 repeated runs on average to succeed. This implies a very deep circuit and long total runtime. In contrast, Gidney and Ekerå’s 20-million-qubit approach was designed to finish in hours by massively parallelizing the computation. In effect, one can trade off qubits for time, but the overall spacetime cost remains huge.

Indeed, recent studies indicate that any approach to factor RSA-2048 with a feasible error-corrected quantum computer will demand an enormous computation. A 2023 RAND Corporation analysis surveyed various proposals and found that the estimates span a wide range – from as “fast” as ~10 minutes to as slow as ~6 years – depending on assumptions, but all require an exorbitant scale of resources. The most optimistic scenarios still call for on the order of $$10^5$$–$$10^9$$ physical qubits and correspondingly long runtimes. In terms of total operations, this works out to a spacetime volume above $$10^6$$ qubit-days in almost all cases. (For reference, one qubit-day means one qubit running for one day; a rough example would be 1 million qubits running for 1 day, or 1 thousand qubits running for 1000 days – either way, a huge effort.) Most estimates cluster around $$10^7$$ qubit-days for superconducting quantum computers with error rates similar to today’s best hardware. This aligns with Gidney & Ekerå’s figure (~$$6–7×10^6$$ qubit-days for 20 million qubits over 8 hours) and Chevignard et al.’s approach (fewer qubits but many more cycles). In short, breaking a single RSA-2048 key will likely require millions of qubits operating for hours or days, or thousands of qubits operating for months – either way, a level of effort utterly beyond the noisy quantum machines of 2025.

It’s worth emphasizing how far current technology is from these requirements. As of today the largest publicly announced quantum processor is still three orders of magnitude smaller than the bare minimum qubits needed to even attempt RSA-2048 factoring. (In fact, 4,097 qubits is the minimum just to hold the necessary quantum registers for a 2048-bit number in Shor’s algorithm, assuming an ideal error-free machine – the reality is we need many times more due to error correction.) An expert consensus study concluded that a true cryptanalytically relevant quantum computer (CRQC) is unlikely to exist before 2030, and the U.S. National Security Agency stated it “does not know when or even if” such a quantum computer will be built. In other words, we still have significant engineering mountains to climb. But assuming those qubit-scaling challenges are eventually solved, there remains another mountain that gets far less press: the energy needed to power such a computation.

Watts per Qubit: The Power Demands of Quantum Hardware

Building a million-qubit quantum computer isn’t just a logical or fabrication challenge – it’s a power challenge. Superconducting quantum processors like those used by Google and IBM must be kept at extremely low temperatures (around 10–20 millikelvins) and require extensive control electronics. All of this comes with a hefty energy bill. For example, Google’s 53-qubit Sycamore processor (which achieved the first quantum “supremacy” demonstration) drew about 26 kW of power for its refrigeration unit and control systems. The vast majority of that power (~20 kW) went into the cryogenic cooling alone, with a few more kilowatts for microwave control electronics and supporting infrastructure. That works out to roughly 500 watts per qubit for the Sycamore system. By comparison, a commercial quantum annealer, the D-Wave 2000Q (with 2048 superconducting qubits, though of a different type), consumes under 25 kW in total. D-Wave’s cooling and support hardware accounts for most of this 25 kW, which means on a per-qubit basis it uses on the order of only 10–15 watts per qubit – significantly more efficient than Sycamore. The difference is partly because many overheads (like the base refrigeration) don’t scale linearly with qubit count. A larger cryostat can cool thousands of qubits for not much more power than cooling a few dozen qubits. These real-world examples suggest that as quantum computers scale up, we might get down to tens of watts or less per qubit with current technology.

How low can it go? IBM’s latest engineering indicates it’s possible to greatly reduce the per-qubit control overhead. Oliver Dial, IBM Quantum’s chief hardware architect, noted in 2022 that new control electronics and cabling techniques can cut the power needed to control a single qubit from around 100 watts down to about 10 milliwatts. This is an astonishing 10,000× improvement, achieved by moving from general-purpose room-temperature electronics to specialized cryogenic microwave controllers placed closer to the qubits. If such advances pan out, the active control power for a million-qubit system could conceivably be only a few kilowatts. Of course, there is still the cooling overhead to consider – even the best dilution refrigerators will require a significant continuous input of power to maintain millikelvin temperatures. Some studies have suggested that in a large-scale quantum data center, the cryogenic cooling might account for only 10–30% of the total power draw, with the rest going to control and classical processing systems. But until error-corrected quantum computers are actually built, these figures remain educated guesses.

For our purposes, let’s assume a ballpark figure of a few watts per physical qubit in a future CRQC. This is admittedly speculative – it represents an average that factors in cooling, control, and overhead, potentially leveraging the kind of efficiencies IBM is aiming for. A value on the order of 5–10 W/qubit is also consistent with the extrapolation made by the RAND Corporation analysis. RAND’s researchers gathered data from existing superconducting labs and projected that an eventual large-scale system might consume on the order of $$10^7$$ watts for every $$10^6$$ qubits (i.e. about 10 W/qubit). To see what this means in practice, consider Gidney & Ekerå’s scenario: ~20 million physical qubits running for 8 hours. If each qubit consumed, say, 6–7 W on average, the quantum computer would draw on the order of 125 megawatts of electrical power. That is roughly the output of a small power plant, continuously devoted to a single computation! In fact, RAND’s report explicitly estimated that operating a superconducting quantum computer to break one RSA-2048 key would require about 125 MW during the calculation and would expend on the order of $64,000 worth of electricity per key (at current energy prices). Put another way, tens of megawatt-hours of energy are likely needed to factor one 2048-bit RSA key on a quantum computer. Even if we assume future improvements cut the per-qubit power in half or more, we are still looking at tens of megawatt-hours and a five-figure dollar cost in electricity for one cryptographic break.

To put this into perspective, breaking a single encryption key could easily consume more energy than 20 average U.S. homes use in a whole year (about 10 MWh per home). No wonder researchers believe a CRQC will be the domain of nation-states and large organizations for quite some time. The massive upfront cost to build a million-qubit quantum computer will be one barrier; the massive ongoing power cost to operate it is another. While classical supercomputers also draw enormous power (the fastest classical supercomputer draws on the order of 10–20 MW when running full tilt), the difference is that a quantum computer at 125 MW for one task is using an order of magnitude more power to accomplish something very specific – cracking a single key – that classical computers simply would not attempt at all (since it would take longer than the age of the universe by brute force). In essence, quantum cryptanalysis might replace computational infeasibility with economic infeasibility: the task becomes doable, but at a extremely high price in joules, watts, and dollars.

The High Cost per Key Means Selective Targets Only

The implication of these energy estimates is clear: when the first cryptographically relevant quantum computers come online, they will not be used to indiscriminately crack every encrypted message. Just because a technology is theoretically capable of breaking encryption doesn’t mean it will be cheap or easy to use widely. If it costs on the order of $50,000–$100,000 in electricity (not to mention wear-and-tear on a very expensive machine) to break one RSA-2048 key, an attacker will be extremely choosy about what targets are worth that cost. We’re talking about high-value, high-priority targets – for example, the encrypted communications of rival nation-states’ leadership, military command and control messages, intelligence intercepts, or the most sensitive financial transactions. These are the kinds of secrets for which an agency might deem a $100k computing bill (and perhaps a $100 million quantum computer) a worthwhile investment.

On the other hand, your average corporate VPN traffic or a personal encrypted email is not going to be worth expending megawatt-hours of scarce quantum computing resources. At least in the early era of quantum codebreaking, usage will likely be limited to a handful of keys where the payoff justifies the enormous expense. In practice, this means that nation-state adversaries will be the primary actors with access to CRQCs, and they will deploy them sparingly. The RAND study reinforces this point: even if someone builds a CRQC, “merely operating it would probably remain the domain of nation-states and large organizations for a significant period of time”. For companies and individuals outside the national security or critical infrastructure realm, this suggests there may be a grace period of a few years where you are simply not an interesting enough target to crack with a quantum computer. In essence, the sky will not fall overnight for every user of RSA-2048 when a large quantum computer appears – the threat will roll out gradually, focused on the highest stakes.

However, this is no reason for complacency. Relying on the idea that “maybe I won’t be targeted” is risky for two reasons. First, timelines have a way of accelerating. The moment a breakthrough is achieved – say a CRQC factors its first RSA-2048 – it will spur intense efforts to improve and optimize the technology. What costs $60k per key in 2030 could cost perhaps a few hundred dollars a few years later as both quantum hardware and energy technology improve. History has shown that today’s exotic, expensive capabilities (think of early supercomputers or niche military technologies) can rapidly become mainstream and affordable in a couple of tech generations. Second, and importantly, encrypted data can be stored now and cracked later. An adversary might not spend $64k to decrypt your messages today – but they might quietly record those intercepted ciphertexts and wait. If in 5–10 years the cost drops sufficiently or a cheaper method emerges, previously collected data could suddenly be decrypted. This “harvest now, decrypt later” threat is a key reason experts urge a proactive transition to post-quantum cryptography. Even if you personally are not a high-priority target for the first CRQC, you should act as if your encrypted data will eventually be subject to quantum decryption attempts down the line.

In summary, the exorbitant energy and hardware costs of quantum factoring mean the risk timeline is graduated: critical government and infrastructure systems face the earliest risk and must lead the way in adopting quantum-resistant encryption, while less critical sectors get a bit more breathing room. But everyone is on the clock to migrate, because the cost curves – both technological and economic – will only bend downward. The goal is to switch our cryptography to quantum-safe alternatives before quantum codebreaking becomes cheap enough to threaten a broad range of actors.

Fusion Power: Removing the Energy Barrier to Quantum Attacks

Thus far we’ve treated the energy cost of quantum computing as a fixed constraint – a limiting factor that (luckily) slows the advance of quantum attacks. But what if that constraint were suddenly lifted? It’s no coincidence that discussions of fusion energy are entering the strategic conversation at the same time as quantum computing. Fusion promises to provide virtually limitless energy at low marginal cost. If realized, it could fundamentally change the game for energy-intensive endeavors like cryptanalysis. Imagine a future in which nation-states (or tech giants) have access to cheap  fusion power plants pumping out hundreds of megawatts of electricity. Running a 125 MW quantum computer for hours would no longer be a budget-breaking exercise – it would be trivial compared to the available power output. In such a scenario, the bottleneck to breaking encryption shifts back to qubits and algorithms, rather than energy. A quantum computing center powered by fusion could undertake many key-breaking computations in parallel, moving from today’s one-key-for-$64k paradigm to potentially mass-scale decryption operations.

This might sound like science fiction, but consider the rapid progress in fusion research in recent years. In late 2022, the U.S. National Ignition Facility achieved a fusion ignition milestone, producing more energy from a fusion reaction than was input by the lasers – a proof of principle that fusion energy is attainable. In January, China’s Experimental Advanced Superconducting Tokamak (EAST), dubbed the “artificial sun,” set new records for sustained fusion plasma. It achieved a stable high-temperature plasma for 1,066 seconds (nearly 18 minutes), more than doubling its previous record and inching closer to the long durations needed for practical reactors. Meanwhile in France, the international ITER project is under construction, with a goal to produce 500 MW of fusion power for at least 400 seconds in its experimental reactor by the 2030s. These are still experimental milestones, but they signal that fusion energy is moving from the realm of theory to engineering reality. The ultimate goal is a self-sustaining fusion power plant that could continuously deliver huge quantities of electricity at low cost.

When fusion reaches maturity the cost of electricity could drop dramatically. At that point, the energy constraint on quantum codebreaking essentially disappears. A nation with a fusion-powered quantum computer farm could run as many Shor’s algorithm instances as needed, potentially decrypting masses of intercepted traffic or stored ciphertexts. In other words, the “tens of thousands of dollars per key” barrier would no longer hold back large-scale quantum cryptanalysis. What was once a surgical tool used only for the most valuable targets could become a broad-spectrum strategic capability. This would fundamentally shift the strategic balance in cybersecurity. The defense advantage we currently enjoy – that breaking our encryption is too costly – would evaporate. Every additional qubit and every speedup in quantum algorithms at that point directly translates to more keys cracked per hour, with energy no longer a limiting factor.

From a geopolitical risk perspective, the convergence of quantum computing and fusion energy is a nightmare scenario for those charged with protecting information. It would enable an adversary with sufficient technological prowess to brute-force decrypt secure communications at scale, essentially nullifying the protective value of classical encryption across the board. Of course, this is precisely why there is a parallel push to develop and deploy post-quantum cryptography (PQC) – new cryptographic algorithms believed to be resistant to quantum attacks. The window for action is now, before these two revolutions (quantum computing and fusion power) fully materialize. There is a race underway: Can we transition the world’s cryptography to quantum-safe methods before quantum codebreaking becomes not only technically feasible, but also economically feasible at scale?

Conclusion

The energy requirements for breaking RSA-2048 with a quantum computer underscore how different the post-quantum threat is from conventional hacking. It’s not just about qubits and math; it’s about megawatts, cooling systems, and power grids. Today, that reality means only the most potent actors would even contemplate such attacks, and even then only for the crown jewels of intelligence. Tomorrow, advances in both quantum engineering and energy production could erode even that barrier. The enormous costs – in dollars and joules – of quantum cryptanalysis serve as a stark warning and a call to action. They buy us time to fortify our cryptographic defenses, but not an indefinite amount of time. In the end, whether or not our data remains secure in the quantum age may depend as much on developments in high-energy physics as on breakthroughs in quantum algorithms. The prudent course for defenders is clear: assume the worst-case scenario (a powerful CRQC powered by abundant energy) will eventually come to pass, and move urgently toward encryption that can withstand that future. The clock is ticking, but we are not powerless – at least not yet – to secure our information before the full storm arrives.