Reading the 2025 Gidney result on RSA-2048
In 2025, Google Quantum AI researcher Craig Gidney published a resource estimate showing that a fault-tolerant quantum computer could factor a 2048-bit RSA key with under one million noisy qubits over several days — roughly 20× fewer qubits than his own widely cited 2019 figure of ~20 million. It is an estimate, not a demonstrated attack: no machine today comes close. But because XDC's secp256k1 ECDSA rests on the same problem Shor's algorithm solves, the steadily falling estimates are exactly why a post-quantum migration should begin before any working attack exists.
What Gidney actually showed
The headline of the 2025 preprint is a number: a fault-tolerant machine could factor RSA-2048 with fewer than one million noisy physical qubits, given several days of continuous operation. The improvement over the prior baseline is the real story — it comes from better algorithms and error correction, not a hardware breakthrough.
For context on the hardware gap: Google's Willow processor demonstrated 105 qubits with below-threshold error correction (Dec 2024), and IBM's Condor reached 1,121 physical qubits (Dec 2023). A cryptographically relevant machine needs many thousands of error-corrected logical qubits — IBM targets roughly 10,000 by around 2030. The estimate and the hardware are still separated by orders of magnitude.
This is a resource estimate, not a demonstrated attack. No quantum computer today can run millions of high-quality qubits error-free for days. The result tells you where the goalposts are moving — not that the game is over.
Why it matters for XDC
RSA-2048 and the secp256k1 ECDSA used by XDC — and by Bitcoin and Ethereum — both rest on problems that Shor's algorithm solves in polynomial time. They are different problems (integer factoring vs. the elliptic-curve discrete logarithm), but a sharp drop in the estimated cost of one is a leading indicator for the other. When the factoring estimate falls 20× in six years, the prudent assumption is that the signature-forging estimate is on a similar trajectory.
Not everything in XDC is exposed. The chain's hash-based components — Keccak-256 addresses and state roots — remain quantum-safe, because Grover's algorithm offers only a quadratic speedup against hashes, which the output size readily absorbs (a 256-bit hash still retains roughly 128 bits of preimage security). The exposed surface is ECDSA: the signatures that authorize transactions and, on a trade-finance chain, the signatures that prove a document's authenticity.
The trajectory, not the number
Fixating on "one million qubits" misses the point. The planning signal is the direction of travel: published estimates for breaking RSA- and ECC-class cryptography have fallen by roughly an order of magnitude in a few years. That pulls the planning horizon forward even though no cryptographically relevant quantum computer (CRQC) exists yet.
This is what Mosca's theorem formalizes: if the time to migrate (T) plus the lifetime your data must stay secure (L) exceeds the time until a CRQC arrives (Q), you are already late. For XDC's use case the numbers are stark — a migration takes an estimated 4–7 years, trade documents must stay valid for 20–30 years, and common CRQC estimates land at roughly 8–12 years out. T + L comfortably exceeds Q.
For tokenized trade documents the risk has a name: Trust-Now-Forge-Later. An adversary does not need a quantum computer today — they only need to keep a copy of a signed document. When CRQCs arrive, every ECDSA-signed letter of credit or bill of lading on-chain becomes forgeable, decades after it was issued.
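The Mosca inequality and the Trust-Now-Forge-Later window above can be worked through with the page's own figures. The following is an added illustration, not code from the page or from XDC; the function names and the choice of 2025 as the base year are assumptions, and the ranges are the ones the text quotes.

```python
# Added illustration of Mosca's inequality (T + L > Q) using the page's figures.
# Function names and BASE_YEAR are assumptions made for this example.
BASE_YEAR = 2025  # assumption: the year the estimate was published


def mosca_margin(t_migrate, l_lifetime, q_crqc):
    """Years by which T + L exceeds Q. A positive value means the migration is already late."""
    return t_migrate + l_lifetime - q_crqc


def mosca_range(t_range, l_range, q_range):
    """Best case (fast migration, short-lived data, late CRQC) and worst case
    (slow migration, long-lived data, early CRQC) across the quoted ranges."""
    best = mosca_margin(min(t_range), min(l_range), max(q_range))
    worst = mosca_margin(max(t_range), max(l_range), min(q_range))
    return best, worst


def latest_classical_issue_year(l_lifetime, q_crqc, base_year=BASE_YEAR):
    """Last year a document with lifetime L could be ECDSA-signed and still expire
    before the projected CRQC year (base_year + Q). Anything issued after this year
    is exposed to Trust-Now-Forge-Later for part of its life."""
    return base_year + q_crqc - l_lifetime


if __name__ == "__main__":
    T, L, Q = (4, 7), (20, 30), (8, 12)  # the page's figures, in years
    print("margin best/worst (years late):", mosca_range(T, L, Q))
    print("latest safe issue year, best case:", latest_classical_issue_year(20, 12))
    print("latest safe issue year, worst case:", latest_classical_issue_year(30, 8))
```

Even in the best case the margin is positive, and the latest year a 20-year document could have been classically signed and still expire before the projected CRQC is already in the past; that is the quantitative form of "you are already late".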
What XDC does about it
XDC's answer is XDSS-PQ — a post-quantum signature standard built on the NIST-selected algorithms (ML-DSA / FIPS 204 and the Falcon family), designed as a hybrid in which classical ECDSA and post-quantum signatures coexist throughout the transition. Hybrid migration means nothing breaks on day one, and signatures stay verifiable through the cutover. The full reasoning — Shor vs. Grover, the CRQC timeline table, and the migration phases — lives in the technical deep-dive and the XDSS-PQ specification.
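To make the hybrid idea concrete, here is an added example (not XDC's or XDSS-PQ's code, and not from the page) of a signature envelope in which a classical secp256k1 ECDSA signature and a post-quantum signature must both verify. XDSS-PQ specifies ML-DSA / Falcon; because those need a library outside the standard library, a Lamport one-time signature stands in as the post-quantum component. Lamport is hash-based, so it also illustrates the earlier point that hash-based constructions survive Grover. The ECDSA is pure Python and not constant-time, SHA-256 stands in for Keccak-256, and all function names are assumptions.

```python
import hashlib
import secrets

# ---- Classical component: ECDSA over secp256k1, the curve XDC signs with ----
# Pure-Python, not constant-time: illustration only, never production use.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r

def _z(msg):
    """Message hash as an integer (SHA-256 stands in for Keccak-256 here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def ecdsa_sign(d, msg):
    z = _z(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh random nonce per signature
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# ---- Post-quantum stand-in: Lamport one-time signatures (hash-based) --------
# XDSS-PQ specifies ML-DSA / Falcon; Lamport is used here only because it needs
# nothing beyond a hash. Its security rests on preimage resistance, which Grover
# only weakens quadratically.
def _bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg):
    """Reveal one preimage per message bit. A Lamport key must sign exactly once."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))

# ---- Hybrid envelope: both components must verify (fail closed) -------------
def hybrid_keygen():
    d, q = ecdsa_keygen()
    sk, pk = lamport_keygen()
    return {"ecdsa": d, "pq": sk}, {"ecdsa": q, "pq": pk}

def hybrid_sign(priv, msg):
    return {"ecdsa": ecdsa_sign(priv["ecdsa"], msg), "pq": lamport_sign(priv["pq"], msg)}

def hybrid_verify(pub, msg, env):
    """A missing or invalid component rejects the whole envelope, so a future
    ECDSA forgery on its own cannot authorize the document."""
    if not isinstance(env, dict) or "ecdsa" not in env or "pq" not in env:
        return False
    return (ecdsa_verify(pub["ecdsa"], msg, env["ecdsa"])
            and lamport_verify(pub["pq"], msg, env["pq"]))

if __name__ == "__main__":
    priv, pub = hybrid_keygen()
    doc = b"constructed sample: bill of lading #0001"
    env = hybrid_sign(priv, doc)
    print("hybrid ok:", hybrid_verify(pub, doc, env))
    print("ecdsa-only envelope accepted:", hybrid_verify(pub, doc, {"ecdsa": env["ecdsa"]}))
```

The design point is the AND in `hybrid_verify`: during the transition a verifier that still trusts ECDSA loses nothing, while a document whose ECDSA half is later forged by a CRQC still fails because the hash-based half does not match. The one-time nature of Lamport keys is a real constraint of this stand-in, not of ML-DSA or Falcon, which are many-time schemes.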
Frequently asked
Did a quantum computer break RSA-2048 in 2025?
No. Gidney's 2025 paper is a resource estimate showing RSA-2048 could be factored with under one million noisy qubits over several days. It is not a demonstrated attack — no machine today comes close to millions of high-quality qubits running error-free for days.
Is XDC Network at risk from this result?
Not today, but it is a leading indicator. XDC's secp256k1 ECDSA signatures rest on the same Shor-vulnerable foundation as RSA. XDC's hash-based components — Keccak-256 addresses and state roots — remain quantum-safe; the exposed surface is ECDSA, which is why the XDSS-PQ standard adds NIST-selected post-quantum signatures.
How much did the qubit estimate fall?
About 20×. The 2025 estimate of under one million noisy qubits compares to Gidney's own 2019 figure of roughly 20 million qubits for the same RSA-2048 task — a reduction driven by algorithmic and error-correction improvements, not a hardware leap.
Sources
- Gidney, C. "How to factor 2048-bit RSA integers with less than a million noisy qubits." Google Quantum AI, 2025 (preprint). arxiv.org/abs/2505.15917
- Gidney, C. & Ekerå, M. "How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits." Quantum, 2021 — the 2019 baseline the 2025 estimate improves on. arxiv.org/abs/1905.09749
- NIST Post-Quantum Cryptography — FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA). csrc.nist.gov/projects/post-quantum-cryptography