
No One Has Secretly Broken RSA-2048 or RSA-4096 — Here’s the Science

If someone is trying to sell you a product by claiming they, or a nation-state they’re connected to, already cracked RSA-4096, stop the meeting. Walk them out. Block their number. What follows is the scientific case for why.

TL;DR

The claim: “We (or a nation-state) already cracked RSA-2048 / RSA-4096 in secret.”

The reality:

  • Largest quantum factoring via Shor’s algorithm: 21 (five bits)
  • RSA-4096: 4,096 bits – a gap of a trillion trillion times in difficulty
  • Best-case qubit requirement for RSA-2048 alone: ~100,000–1,000,000 physical qubits at error rates a billion times lower than today
  • Current hardware: ~1,000 noisy qubits, celebrating first baby steps in error correction
  • Secret breakthrough would require: hidden supply chains, undetectable energy consumption, a vanished talent pool, and multiple undisclosed Nobel-caliber scientific firsts – all while governments plan leisurely multi-year PQC transitions
  • Every prior public claim of breaking RSA-2048 has been debunked, withdrawn, or exposed as misleading – a 100% failure rate

What to do: Follow NIST PQC standards. Start your cryptographic inventory. Don’t reward unverifiable claims with procurement decisions.

Why I’m writing this, and who it’s for

Over the past several months, a pattern has been accelerating in my inbox and in conversations with clients. A growing number of post-quantum cryptography (PQC) vendors are approaching CISOs and security architects with a pitch that goes something like this: “RSA-2048 has already been broken. We can’t show you proof because it’s classified. But you need to buy our solution – now.”

The latest variant is even bolder. Over the past few weeks, a new player in the quantum FUD business has been on a full-court press – publishing sensationalist press releases and trying to convince even me personally that they have already cracked RSA-4096 using a proprietary algorithm developed in partnership with national intelligence agencies since 2017. No peer review. No demonstration. No verifiable evidence of any kind. But trust them. (/s)

I’ve written extensively about this quantum panic industry before. I’ve taken apart specific claims from companies predicting a “cybersecurity apocalypse” based on toy-scale experiments and wild extrapolation. But the pitch is evolving. It’s no longer just “quantum computers will break RSA soon.” Now it’s “We broke RSA, and only we can save you – but you’ll have to trust us, because the evidence is classified.”

If you’ve landed on this article from a search engine, there’s a decent chance someone just made this claim to you or your team. Good. You’re in the right place. What follows is a comprehensive, technically grounded explanation of why that claim is, as of early 2026, guaranteed to be false. Not “probably” false. Not “likely” false. Guaranteed.

I don’t say that lightly. I’ve spent over 25 years tracking quantum computing progress, and I take the quantum threat seriously – seriously enough to have built a structured capability framework for tracking it. (I wrote my first article on Quantum Snake Oil 25 years ago!!) The threat is real and approaching. But “real and approaching” is very different from “already here and secret,” and confusing the two is dangerous. It leads organizations to make panicked procurement decisions, to trust unvetted proprietary solutions over rigorously standardized algorithms, and to waste the credibility they’ll need when the real transition arrives.

What “cracking RSA-4096” actually means

Before we can evaluate the claim, we need to be precise about what it means. RSA’s security rests on a simple mathematical asymmetry: it’s easy to multiply two large prime numbers together, but extraordinarily difficult to reverse the process – to take the product and recover the original primes. An RSA-4096 key means the public modulus N = p × q is approximately 4,096 bits long – a number with roughly 1,233 decimal digits. If you can factor that number into its two prime components, you can derive the private key and break the encryption.

So when someone says “we cracked RSA-4096,” they’re implicitly claiming they can factor numbers of a size that is astronomically beyond what anyone has publicly demonstrated – by any method, classical or quantum, ever, in the history of computation.

Let that sink in. They’re not claiming a modest advance. They’re claiming a capability that would represent the single most consequential engineering achievement since the atomic bomb. And they’re telling you about it in a sales meeting.

The classical reality: the largest number ever publicly factored has 829 bits

The largest general-purpose factorization ever completed in public is RSA-250: a 250-decimal-digit (829-bit) semiprime, factored in February 2020 by an international team using the General Number Field Sieve (GNFS). That effort consumed approximately 2,700 CPU core-years on high-performance Intel Xeon processors.

Now here’s the part that makes “we extrapolated from small numbers” claims absurd. The GNFS scales subexponentially – better than exponential, but still brutally fast-growing. Using the standard asymptotic cost model as a rough intuition tool, scaling from 829 bits to 2,048 bits isn’t “2.5× harder.” It’s on the order of 10^11 times harder – a hundred billion times. Scaling from 829 bits to 4,096 bits? Roughly 10^23 times harder. That number is difficult to internalize. It’s roughly the number of all the grains of sand on ten thousand Earths – that’s how many times we would have to multiply the largest factorization humanity has ever completed to achieve what this vendor claims.

Extrapolating to RSA-2048 using GNFS complexity scaling yields an estimate exceeding 10^20 core-years – many trillions of times the age of the universe. No classical method comes close to threatening RSA-2048, let alone RSA-4096.

The quantum reality: Shor’s algorithm is real, but the machine it needs doesn’t exist

Peter Shor’s factoring algorithm, published in 1994, is mathematically devastating: on an ideal fault-tolerant quantum computer, it factors integers in polynomial time, turning RSA’s exponential security barrier into a manageable computation. This is not in dispute. The algorithm works.

But the “ideal fault-tolerant quantum computer” is the entire problem. Shor’s algorithm is not a trick you can run on today’s noisy, error-prone quantum hardware. It requires deep circuits: billions of high-fidelity quantum gate operations executed in sequence, with active quantum error correction running continuously throughout. It demands a machine that doesn’t exist, has never existed, and whose construction remains one of the greatest unsolved engineering challenges.

The resource estimates: what the best researchers in the world actually say

The question “how big a quantum computer do you need to break RSA?” has been studied rigorously by some of the field’s top researchers. The estimates have been improving – but “improving” still means “enormous.”

The landmark 2019 paper by Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits” (published in Quantum after peer review), established the most widely cited estimate: approximately 20 million noisy physical qubits running for 8 hours, requiring around 3 billion Toffoli gates and ~6,168 logical qubits. This was already a 100× improvement over earlier estimates by Fowler et al. (2012), which called for ~1 billion qubits.

In May 2025, Gidney published a major update: “How to factor 2048 bit RSA integers with less than a million noisy qubits.” Through a series of algorithmic innovations – approximate residue arithmetic, yoked surface codes for tripled storage density, and magic state cultivation – the requirement dropped to fewer than 1 million physical qubits running for less than one week. Gidney’s own commentary was telling: he pursued this work not because he expects machines this large to exist by 2030, but because he prefers security not to be contingent on progress being slow. (I covered it here: Quantum Breakthrough Slashes Qubit Needs for RSA-2048 Factoring)

The most aggressive estimate to date came in February 2026 from the Pinnacle Architecture paper, proposing that quantum LDPC codes could reduce the requirement to fewer than 100,000 physical qubits. But it’s critical to understand what that headline number obscures: the Pinnacle approach doesn’t simply make the problem easier – it trades one set of extreme demands for another. The qubit count drops, but the runtime balloons to approximately one month of continuous, uninterrupted fault-tolerant operation at the ~98,000-qubit level – a sustained uptime requirement far beyond anything demonstrated. Reducing runtime to one week pushes the count back up to ~151,000 qubits; one day requires ~471,000. (My analysis of the paper here: Pinnacle Architecture: 100,000 Qubits to Break RSA-2048, but at What Cost?)

More fundamentally, the architecture relies on quantum LDPC codes, which require non-local measurements of error syndromes – meaning qubits that are physically distant on the chip must be measured together. As Scott Aaronson noted, LDPC codes are substantially harder to engineer than surface codes, particularly for superconducting platforms where qubit connectivity is inherently local. The paper also assumes physical error rates of 10^-3 and cycle times of 1 microsecond – assumptions that are at the aggressive edge of current capabilities, not conservative baselines. And it remains a non-peer-reviewed preprint. In short, the Pinnacle estimate lowered one number on the spec sheet while dramatically raising the difficulty on almost every other axis – exactly the kind of tradeoff my CRQC framework is designed to catch.

For RSA-4096, the requirements scale polynomially from RSA-2048: roughly double the logical qubits and eight times the dominant gate count (since Shor’s circuit complexity grows as ~n^3). Using the Gidney 2025 framework, RSA-4096 would require approximately 2–4 million physical qubits and ~52 billion Toffoli gates, running for weeks. Even under the Pinnacle estimate, you’re looking at several hundred thousand qubits running for months – provided the other engineering challenges in Pinnacle are solved.

Where the hardware actually stands in 2026

Now compare those requirements to reality. The world’s largest quantum processors by raw qubit count include IBM’s Condor at 1,121 superconducting qubits and Atom Computing’s 1,180-qubit neutral atom array. Google’s Willow processor has 105 qubits but achieved the field’s most significant error correction milestone. Quantinuum’s Helios processor demonstrated 48 logical qubits from 98 physical qubits — impressive, but these logical qubits are not yet at cryptographic fidelity.

On the metric that actually matters – logical error rates – Google Willow achieved 0.143% ± 0.003% per cycle at code distance 7, with a logical qubit lifetime exceeding the best physical qubit by 2.4×. This is a genuine breakthrough. But as Google’s own team acknowledged, there remains a gap of approximately one billion between current error rates (~10^-3) and the ~10^-12 rates needed for cryptographic computation.

The gap, stated plainly: the best quantum computers in the world have roughly 1,000 noisy physical qubits. Breaking RSA-2048 requires 100,000 to 20 million physical qubits, depending on architecture, all operating at error rates a billion times lower than currently achieved. Breaking RSA-4096 requires materially more than that. We are not close. We are not secretly close. The entire global quantum computing industry – Google, IBM, Microsoft, Quantinuum, IonQ, and every well-funded startup – is openly, publicly, visibly working toward machines that are still orders of magnitude short of what’s needed.

The extrapolation trap: why toy problems tell you nothing

Every few months, a paper or press release announces that a quantum computer has “factored” some number, and headlines briefly suggest RSA is in trouble. I’ve torn apart these claims before, and the pattern is always the same: the numbers being factored are trivially small, the methods don’t scale, and the extrapolation to RSA-2048 is either dishonest or delusional.

The largest number ever factored using a genuine implementation of Shor’s algorithm on real quantum hardware is 21 = 3 × 7. A five-bit number. Achieved in 2012. Even that required classical assistance. (To be clear: this doesn’t mean quantum computing hasn’t advanced enormously since 2012 – it has, across error correction, qubit quality, and system integration. It means that factoring records are a poor measure of progress, because the capabilities being developed are prerequisites for factoring, not factoring itself. The field is building the engine; it hasn’t yet turned the key.)

Craig Gidney of Google Quantum AI published a revealing analysis in 2025 that demonstrates why these small demonstrations are profoundly misleading. Factoring 15 requires just 21 entangling gates, because 15 = 2^4 − 1 – a mathematical coincidence that makes modular multiplication trivial. Factoring 21 requires 2,405 entangling gates – a 115× increase for a number that’s only 40% larger. He then drove the point home with a satirical tour de force: he factored a 6,021-digit number using just 2 qubits, by exploiting extreme classical precompilation. The demonstration proved that “largest number factored by a quantum computer” is a meaningless metric when classical tricks do the heavy lifting.

The most notable recent claim came from Bao Yan et al. (December 2022), who used 10 superconducting qubits to factor a 48-bit number via a hybrid approach and extrapolated that only 372 qubits would break RSA-2048. Scott Aaronson called it one of the most misleading quantum computing papers he’d seen in 25 years, coining the term “Cargo Cult Quantum Factoring.” Peter Shor himself noted the team completely failed to address runtime and that it would still take millions of years. Bruce Schneier concluded that a miracle would be required for the approach to yield any benefit at all compared to running the classical algorithm on a laptop. And my analysis of that claim is in these two posts: Quantum Computer Factors Record 48-Bit Number – How Far Are We from Cracking RSA-2048? and Breaking RSA Encryption: Quantum Hype Meets Reality (2022-2025).

I covered the broader pattern of debunked claims – including the Wang Chao “RSA-2048 factorization” that actually factored a trivially structured number any calculator could crack, and the JVG/AQTI “cybersecurity apocalypse” paper built on five data points below 17 bits – along with others in my comprehensive timeline of quantum RSA hype. The track record is 100%: every single public claim of breaking or nearly breaking RSA-2048 has been debunked, withdrawn, or exposed as misleading.

Why a secret RSA-4096 break is not just unlikely – it’s structurally implausible

This is the section that matters most if you’re evaluating a vendor claim. The argument for a secret breakthrough doesn’t just face one objection – it faces a dozen independent objections, any one of which is individually fatal.

The supply chain cannot be hidden

Building a quantum computer capable of breaking RSA-4096 is not a software problem. It is a massive, specialized industrial project requiring physical infrastructure that leaves traces everywhere.

A million-qubit superconducting quantum computer would require an unprecedented number of dilution refrigerators – the ultra-cold systems that cool qubits to 10–15 millikelvin, colder than outer space. Only a handful of companies worldwide manufacture these (primarily Bluefors and Oxford Instruments), and their order books are closely watched by industry analysts. You cannot secretly order thousands of dilution refrigerators any more than you can secretly order a thousand nuclear centrifuges. The procurement signatures would be visible to intelligence agencies worldwide.

Each refrigerator requires specialized cryogenic wiring – hundreds to thousands of coaxial cables per unit, custom microwave electronics, precision signal generators, and control systems. Microsoft’s Majorana 1 chip required an entirely new materials stack of indium arsenide and aluminum, much of it fabricated atom by atom. The fabrication of a million superconducting qubits would require semiconductor-grade clean room facilities operating at scales comparable to a major chip foundry – a multi-billion-dollar investment that cannot be disguised.

The energy footprint would be detectable

I’ve written about the enormous energy cost of quantum factoring in detail. Operating a 20-million-qubit quantum computer (per the Gidney-Ekerå 2019 estimate) would require approximately 125 megawatts of continuous power for 8 hours – the output of a small power plant – to crack a single RSA-2048 key. Even the more optimistic Pinnacle estimate (~100,000 qubits) would require substantial, sustained power consumption for weeks.

This kind of energy draw doesn’t happen invisibly. Power grid data is monitored by regulators, energy markets, and intelligence services. A facility consuming small-power-plant levels of electricity in an unusual pattern would be noticed – just as uranium enrichment facilities are tracked by their distinctive energy signatures.

The scientific prerequisite chain hasn’t been completed – even in public

Breaking RSA-4096 isn’t a single breakthrough. It requires successfully completing a long chain of scientific and engineering milestones, each of which is individually a major achievement – and which I track systematically in my CRQC Quantum Capability Framework across nine interdependent capabilities. In sequence, you would need to demonstrate:

Below-threshold quantum error correction (Capability B.3 in my framework) – the ability to add more physical qubits and actually reduce logical error rates, rather than just adding more noise. This was achieved publicly for the first time in December 2024 by Google Willow. If someone claims they’ve been breaking RSA since 2017 (as they do), they’re claiming they had the basic capability (not at cracking scale) seven years before the rest of the world’s best labs.

Long-lived logical qubits capable of millions of operations (what the framework calls Logical Operations Budget) – not just error correction that works for a few cycles, but sustained, reliable logical qubit operation over the billions of gate operations required by Shor’s algorithm. Nobody has publicly demonstrated this. The best demonstrations involve logical qubits surviving a few hundred cycles – roughly six to seven orders of magnitude short of what cryptographic factoring demands.

High-fidelity logical gates between logical qubits at scale (Capability C.1) – not just storing quantum information reliably, but performing precise computations on it while maintaining error correction. Current demonstrations involve a handful of logical qubits performing simple operations. Shor’s algorithm needs thousands of logical qubits performing billions of coordinated operations.

Continuous fault-tolerant operation for hours to weeks (what the framework calls Quantum Operations Throughput) – the classical control system must decode and correct errors across 10^9 to 10^11 error correction cycles, in real time, without interruption. The real-time classical decoding alone – processing millions of syndrome measurements per second and feeding corrections back before the next cycle begins – is an engineering challenge that pushes against the limits of current FPGA and ASIC technology.

Magic state distillation at industrial scale (Capability C.2) – Shor’s algorithm relies heavily on T gates (or equivalently, Toffoli gates), which cannot be performed directly in most error correction codes. Instead, they require a process called magic state distillation, which consumes enormous numbers of physical qubits to produce high-fidelity “magic states.” In the Gidney-Ekerå framework, the magic state factories are the dominant consumer of physical qubits. Getting this process to work reliably and at the throughput required – billions of Toffoli gates worth – has never been demonstrated at any scale.

The idea that any entity has secretly accomplished all of these milestones – while the open scientific community is still celebrating its first below-threshold error correction result – requires believing in a technology gap measured not in years but in decades.

The talent pool is small, visible, and actively surveilled

The global community of researchers with the expertise to design, build, and operate a fault-tolerant quantum computer is remarkably small – perhaps a few thousand people worldwide, concentrated at a handful of institutions and companies. These people know each other. They attend the same conferences (QIP, APS March Meeting, IEEE Quantum Week). They publish in the same journals. They review each other’s papers. They move between Google, IBM, Microsoft, Quantinuum, and university labs, and their career movements are tracked by the community in real time.

If a government or private entity recruited a team capable of building a cryptographically relevant quantum computer, that team’s absence from the public research community would be noticed immediately – just as it would be noticed if all the world’s top nuclear physicists suddenly stopped publishing and disappeared from conferences. When Scott Aaronson discussed NSA quantum computing capabilities based on the Snowden leaks, he pointed out precisely this: we know who the best experimentalists are, and they haven’t been hoovered up into a classified program. Their publication records are continuous and public. They’re still at Google, still at IBM, still at MIT, and they’re still working on the same problems they were working on last year.

And it’s not just the academic community that’s watching. Intelligence agencies from multiple nations are actively tracking quantum computing talent and progress – because they understand exactly what a cryptographically relevant quantum computer would mean for national security. I know this from personal experience. As I’ve written about on PostQuantum.com, I’ve been personally surveilled by foreign intelligence services interested in quantum technology developments – and I don’t even know how to build a quantum computer. I’m a CISO and analyst who writes about quantum security. If intelligence agencies are tracking commentators in this space, you can be absolutely certain they are tracking every significant researcher, every major procurement order, every unusual hiring pattern, and every lab producing results anywhere near the frontier. The idea that someone built a million-qubit machine without any intelligence agency noticing is, frankly, laughable.

The Manhattan Project analogy actually disproves the vendor story

Vendors sometimes invoke the Manhattan Project to suggest that large-scale scientific secrets can be kept. They’re right that it was kept from the general public for a time. But the analogy catastrophically backfires on closer inspection.

First: the Manhattan Project was not secret from adversaries. The Soviet Union knew about it almost from inception. Klaus Fuchs, a senior physicist at Los Alamos, passed complete bomb designs to Soviet intelligence throughout the war. Theodore Hall independently provided additional information. The Rosenberg network operated for years. The Soviets detonated their own bomb in 1949, just four years after Hiroshima, largely because of this espionage. The most heavily guarded secret in human history, backed by wartime censorship and military compartmentalization, leaked comprehensively to the one adversary it was designed to be kept from.

Second: the Manhattan Project employed approximately 125,000–130,000 workers and cost roughly $2.2 billion in 1940s dollars (about $30 billion today). It required purpose-built cities (Oak Ridge, Hanford, Los Alamos), dedicated industrial facilities, and the diversion of a meaningful fraction of the nation’s electrical power. It was, in every sense, a civilization-scale effort – and it left signatures everywhere, despite the most extreme secrecy apparatus ever constructed.

Third, and this is the point that directly kills the vendor story, the Manhattan Project never had a sales funnel. It was characterized by disciplined silence, institutional control, and an absolute prohibition on commercial exploitation. The moment someone says “we have a secret capability, and by the way, here’s our product catalog,” they’ve departed from every historical precedent for how actual classified capabilities are handled. Real secrecy looks like Bletchley Park, where the ULTRA secret was kept for decades – through silence, not through winks and sales calls.

Governments are behaving as if RSA is not broken

Perhaps the most telling evidence is the behavior of the organizations that would know, or would be most desperate to know, if RSA had been broken.

NIST is methodically standardizing post-quantum cryptographic algorithms (ML-KEM in FIPS 203, ML-DSA in FIPS 204) and adding backup algorithms (HQC) on a timeline that extends through 2035. The NSA’s CNSA 2.0 roadmap plans phased transitions and deprecations for national security systems, with final deadlines in 2033–2035. The UK’s National Cyber Security Centre has published a measured, multi-year migration roadmap. None of these organizations – the ones with the deepest intelligence access on the planet – are acting like RSA is already broken.

If any Five Eyes intelligence agency had evidence that RSA-4096 was compromised, you would see emergency mandates, not measured multi-year transition plans. You would see classified briefings to financial regulators requiring immediate action, not blog posts about migration best practices. The absence of panic in the organizations with the most to lose and the best information is itself powerful evidence.

The verification argument: if they could, they could prove it – and here’s exactly how to call the bluff

Here’s the final nail – and the most practical one. If you can truly factor RSA-4096, you can demonstrate that capability without revealing anything about intelligence targets, methods, or sources. Here’s exactly how a CISO should call this bluff:

Using any standard cryptographic library (OpenSSL will do), generate a fresh RSA-4096 key pair yourself. Hand the vendor only the public key – specifically, the modulus N. Ask them to return the two prime factors, p and q. Verification is trivial and instantaneous: you multiply p × q and check that it equals N. The whole exercise takes minutes on your end.

This challenge is perfectly clean. The modulus was generated by you, moments ago. It has never been used to encrypt anything. It’s not associated with any intelligence target, any government system, or any sensitive communication. There is literally nothing classified about it. It’s a fresh number you just made up.
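The challenge above, as an added example (this is not code from the original post): it generates a fresh RSA modulus, hands out only (N, e), and checks any returned (p, q) the way a CISO would: the product equals N, both factors are non-trivial probable primes, and the recovered private exponent actually decrypts. In practice you would generate the key with OpenSSL as the text suggests; the pure-standard-library Miller–Rabin generator here is an assumption made so the script runs offline without extra dependencies.

```python
import secrets
from math import gcd

# Small odd primes below 2000, used for trial division before Miller-Rabin.
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=40):
    """Miller-Rabin: a composite survives 40 random rounds with probability < 4^-40."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = d * 2^r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2           # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                            # a is a witness: n is composite
    return True


def random_prime(bits):
    """Random probable prime of exactly `bits` bits. The top two bits are set so
    that the product of two such primes has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def make_challenge(bits=4096, e=65537):
    """Fresh RSA key. Returns ((n, e), (p, q)): hand the vendor only (n, e);
    keep (p, q) yourself so the expected answer is known in advance."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p, q)


def verify_claimed_factors(n, e, p, q):
    """True only if (p, q) is a genuine, non-trivial prime factorization of n
    that yields a working private exponent. Needs nothing about how the
    factors were found, which is exactly why the challenge reveals no methods."""
    if p * q != n:
        return False
    if p in (1, n) or q in (1, n):              # the trivial "factorization" 1 x n
        return False
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False                            # e.g. composite "factors" of a different n
    try:
        d = pow(e, -1, (p - 1) * (q - 1))       # private exponent (Python 3.8+)
    except ValueError:
        return False
    m = secrets.randbelow(n - 2) + 2            # random test message
    return pow(pow(m, e, n), d, n) == m         # factors => private key => decryption works


if __name__ == "__main__":
    public, private = make_challenge(4096)      # pure Python: expect a short wait
    n, e = public
    print(f"Challenge modulus N ({n.bit_length()} bits):\n{n}")
    # Whatever comes back from the vendor goes through the same check as the real answer:
    print("real factors verify:", verify_claimed_factors(n, e, *private))
    print("1 x N verifies:     ", verify_claimed_factors(n, e, 1, n))
```

For a modulus generated with OpenSSL instead, paste the hex modulus into `int(hex_string, 16)` and call `verify_claimed_factors` with the vendor's two integers.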

Now anticipate the objections – because they will come. I know – I’ve heard them:

  • “We can’t reveal our methods.” – You’re not asking them to reveal methods. You’re asking for a result: two numbers. Providing the factors of a number reveals nothing about how you found them, just as handing someone a solved Rubik’s Cube reveals nothing about the algorithm you used. The output (two primes) contains zero information about the process (quantum computer, classical algorithm, divine inspiration – it doesn’t matter).
  • “We can only crack specific targets, not arbitrary keys.” – This makes no sense. RSA-4096 is RSA-4096. Shor’s algorithm, or any general factoring method, works on any modulus of a given size. There is no property of an “intelligence target’s” RSA key that makes it easier to factor than a freshly generated one. If anything, keys generated by intelligence targets using proper random number generators are harder to factor than poorly generated ones.
  • “Our access is restricted / we can’t use the capability for demonstrations.” – Then they’re not claiming a capability. They’re claiming they once heard a rumor about a capability. That’s not a basis for a procurement decision – it’s gossip.
  • “We’d need time / we can’t do it on demand.” – Fine. Give them a week. A month. The point isn’t speed. The point is whether they can produce two prime factors for a 4,096-bit modulus by any method, at any speed. If they can, they’ve made history. If they can’t, they’ve confirmed what the science already tells us.

No vendor making this claim has ever accepted such a challenge. Not once. Not under NDA. Not with an independent evaluator. Not with any conditions at all. Draw your own conclusions.

Science doesn’t work like this

There is a deeper, epistemological reason to reject the “secret breakthrough” narrative. The history of science and technology shows that major breakthroughs are almost never truly isolated events. They emerge from a visible progression of published work, and they are rapidly reproduced and extended by the broader community.

The transistor was invented at Bell Labs, but the physics underlying it was understood by researchers worldwide. The laser was invented almost simultaneously by multiple groups. CRISPR gene editing was developed through a visible chain of publications that the entire molecular biology community could follow. In every case, the breakthrough built on publicly visible foundations and was replicated quickly once announced.

Quantum computing follows the same pattern. Every advance – from Google’s quantum supremacy demonstration in 2019 to Willow’s below-threshold error correction in 2024 – built on years of publicly visible foundational work and was immediately analyzed, critiqued, and extended by the global community. The idea that someone has secretly leapfrogged the entire field by multiple generations, without any of the prerequisite breakthroughs appearing in the public literature, contradicts everything we know about how science progresses.

The economics make no sense

Step back from the technology for a moment and consider the economics of the claim. A working, reliable machine that can break RSA-4096 would be, without exaggeration, the most strategically valuable intelligence asset in human history. It would give its possessor the ability to decrypt virtually all protected government communications, financial transactions, military command-and-control systems, and diplomatic traffic worldwide. The intelligence value of such a capability is not measured in millions or even billions – it is incalculable. Any nation-state that possessed it would guard it more closely than nuclear launch codes.

Now ask yourself: if a vendor truly had access to this capability – or even credible knowledge of its existence – why are they in your conference room trying to sell you a PQC subscription for a few tens or hundreds of thousands of dollars a year? Any government on Earth would pay tens or hundreds of billions of dollars for a working RSA-4096 factoring machine, or for reliable intelligence confirming one exists. The vendor story requires you to believe that someone with access to the most valuable secret in history has decided to monetize it by… selling post-quantum encryption software to mid-market enterprises. The business logic collapses on contact with reality.

Revealing classified capabilities is a crime – and no one is going to prison for your sales cycle

Consider the legal implications of the claim. If a nation-state had secretly built a cryptographically relevant quantum computer, that capability would be classified at the highest levels – almost certainly above Top Secret/SCI in the U.S. system, or equivalent classifications in allied nations. The existence of such a machine, let alone its capabilities, would be one of the most tightly compartmented secrets in the intelligence community.

Unauthorized disclosure of such information is a serious federal crime – in the United States, it falls under the Espionage Act, carrying penalties of up to life imprisonment. This isn’t hypothetical: people have gone to prison for far less consequential intelligence leaks. The idea that a vendor has been authorized to hint at this capability in commercial sales meetings – or that vendor employees are voluntarily committing what would amount to treason by doing so – is not credible. Intelligence agencies don’t authorize commercial sales teams to use classified capabilities as marketing collateral. If the capability existed and was classified, anyone revealing it would face prosecution, not a commission check.

Ask the vendor directly: “If what you’re telling me is true, are you aware that you’re disclosing classified intelligence? Are you prepared to face the legal consequences?” Watch how quickly the story changes.

A field guide to evaluating “we broke RSA” claims

You don’t need a physics PhD to spot these claims. Treat them like any extraordinary security claim and apply basic due diligence:

What exactly was broken? Was it RSA key recovery (factoring N)? A padding oracle exploit? A side-channel on a specific device? A key-generation vulnerability? These are completely different classes of break, and most “RSA is broken” claims quietly slide between them.

Where’s the artifact? If they claim factoring capability, ask for a live demonstration on a challenge modulus. If they can’t reveal intelligence targets, fine – use a clean-room modulus. If they can’t even do that, the claim is not operational.

Are they confusing logical and physical qubits? This is the most common “sounds technical, means nothing” error. The gap between physical qubit count and usable logical computation is the defining story of quantum computing right now.

Do they cite peer-reviewed resource estimates – and match the assumptions? Legitimate estimates state their assumptions loudly: error rates, cycle time, decoding latency, architecture. Compare any claim against the best-known public estimates.

Do they claim “we know from intelligence agencies”? This is not evidence; it’s an authority costume. If there’s no verifiable demonstration, treat it like any other “my uncle works at Nintendo” argument – especially when it’s attached to a quarterly sales cycle.

Will they factor a challenge modulus? As I described above, generate a fresh RSA-4096 key pair and hand them the public modulus. If they can return the prime factors, they’ve earned your attention – and a place in history. If they won’t even try, the conversation is over.

“If this capability exists, why are you here selling me software?” A working RSA-4096 factoring machine would be worth hundreds of billions in intelligence value. Any government would pay almost anything for it. The vendor’s presence in your conference room, hawking PQC licenses, is itself evidence that they don’t have what they claim.

“Are you aware that disclosing classified intelligence is a federal crime?” If they’re claiming insider knowledge from intelligence agencies, ask them point-blank whether they’ve been authorized to share this information commercially. If yes, ask for the authorization in writing. If no, ask whether they’re prepared to face prosecution under the Espionage Act. Either the claim crumbles, or you’re talking to someone committing a crime – neither is a basis for a purchase order.

“Which specific capabilities on the CRQC stack have been achieved?” Use my CRQC framework as a structured interrogation tool. Ask them to specify, concretely, which of the nine capability milestones – from physical qubit quality through logical gate fidelity to continuous fault-tolerant operation – have been secretly achieved. If they can’t engage at this level of specificity, they don’t understand the technology they’re claiming to describe.
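A concrete form of the challenge-modulus test described in the items above (an added example, not code from the article): generate a fresh modulus, hand over only N, and accept a claimed break only if the returned factors pass a strict check. The function names and the pure-Python Miller-Rabin test are my choices so that it runs with the standard library alone; a production key generator would use a vetted crypto library.

```python
import secrets

# Added example, not from the article: a clean-room RSA challenge in pure Python.
# Miller-Rabin is used instead of a crypto library so it runs anywhere.

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test (false-positive rate below 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True

def random_prime(bits: int) -> int:
    """Random probable prime with exactly `bits` bits (top bit and low bit set)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def make_challenge(modulus_bits: int = 4096):
    """Return (N, (p, q)). Hand N to the vendor; keep p and q to yourself."""
    half = modulus_bits // 2
    p = random_prime(half)
    q = random_prime(half)
    while q == p:                                 # astronomically unlikely, but cheap
        q = random_prime(half)
    return p * q, (p, q)

def verify_claim(n: int, p: int, q: int) -> bool:
    """Accept only a genuine factorization: two distinct primes whose product is N."""
    return (1 < p < n and 1 < q < n and p != q and p * q == n
            and is_probable_prime(p) and is_probable_prime(q))
```

Generating a 4096-bit challenge in pure Python takes a while, which is fine for a one-off; any factors a vendor returns should be checked with verify_claim, never by eyeballing.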

This is why I keep returning to the CRQC framing I developed in my capability framework: what matters is not a qubit count headline but whether real systems have crossed the capability thresholds for fault-tolerant execution at the depth and correctness required by cryptanalytic workloads. Track the actual capability stack – error correction, decoding, logical gate quality, continuous operation – not the sales pitch.

The bottom line: extraordinary claim, zero demonstration, no credibility

As of early 2026, the evidence is unambiguous:

The largest number factored by Shor’s algorithm on real quantum hardware is 21 – a five-bit number. The largest number factored by any method, classical or quantum, is 829 bits. RSA-4096 is 4,096 bits. The gap between demonstrated capability and the claimed capability is not a rounding error – it’s a chasm wider than almost any in the history of technology.

Even the most aggressive, optimistic, non-peer-reviewed theoretical estimate for breaking RSA-2048 requires approximately 100,000 physical qubits with error rates a billion times lower than currently achieved, running for a month. RSA-4096 is materially harder than that. Current hardware has ~1,000 noisy qubits. The world’s best labs are openly celebrating their first baby steps in error correction.

If someone tells you RSA-2048 or even RSA-4096 has been secretly cracked, they are either lying to you or have been lied to. There is no third option that is consistent with physics, engineering, the observable behavior of governments and intelligence agencies, the visible state of the global research community, the industrial supply chain for quantum hardware, or the entire published history of quantum computing.

Don’t reward unverifiable claims with procurement decisions.

The grown-up response: prepare without panicking

Rejecting Q-FUD does not mean ignoring the quantum transition. I want to be crystal clear about this: the quantum threat to RSA is real. Shor’s algorithm works. The hardware is advancing. Resource estimates are dropping. My own estimate places Q-Day around 2030 ±2 years. The harvest-now-decrypt-later threat means that data encrypted today may be vulnerable to future quantum decryption – and for any information that may need to remain confidential for years or decades, that’s a serious concern.

The sane response is the boring one. Follow NIST’s post-quantum standards – ML-KEM (FIPS 203), ML-DSA (FIPS 204) – and monitor its continuing work on backup algorithms like HQC. Align with the NSA’s CNSA 2.0 roadmap, which explicitly plans phased transitions rather than implying “it’s already broken.” Use practical migration timelines like the UK NCSC roadmap to avoid rushed, fragile deployments.

Start with a cryptographic inventory. Know where RSA lives in your infrastructure. Prioritize systems with long data-retention requirements or long-lived signing keys. Evaluate ML-KEM-768 as your primary key encapsulation mechanism. Build a migration plan measured in quarters, not in the panic-stricken hours after a vendor sales pitch.

And if a vendor tries to shortcut this process by telling you the sky is already falling – that RSA-4096 is broken and only their proprietary solution can save you – remember what you’ve read here. Show them the door. The sky is not falling today. But it will darken eventually, and the organizations that prepared methodically will be the ones still standing when it does.

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.


Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.