Quantum computing bombshells that are not April Fools
For those of you who haven’t seen, there were actually two “bombshell” QC announcements this week. One, from Caltech, including friend-of-the-blog John Preskill, showed how to do quantum fault-tolerance with lower overhead than was previously known, by using high-rate codes, which could work for example in neutral-atom architectures (or possibly other architectures that allow nonlocal operations, like trapped ions). The second bombshell, from Google, gave a lower-overhead implementation of Shor’s algorithm to break 256-bit elliptic curve cryptography.
Notably, out of an abundance of caution, the Google team chose to “publish” its result via a cryptographic zero-knowledge proof that their circuit exists (so, without revealing the details to attackers). This is the first time I’ve ever seen a new mathematical result actually announced that way, although I understand that there’s precedent in the 1500s, when mathematicians would (for example) prove their ability to solve quartic equations by challenging their rivals to duels. I’m not sure how much it will actually help, as once other groups know that a smaller circuit exists, it might be only a short time until they’re able to find it as well.
Neither of these results changes the basic principles of QC that we’ve known for decades, but they do change the numbers.
When you put both of them together, Bitcoin signatures for example certainly look vulnerable to quantum attack earlier than was previously known! In particular, the Caltech group estimates that a mere 25,000 physical qubits might suffice for this, where a year ago the best estimates were in the millions. How much time will this save — maybe a year? Subtracting, of course, off a number of years that no one knows.
In any case, these results provide an even stronger impetus for people to upgrade now to quantum-resistant cryptography. They—meaning you, if relevant—should really get on that!
When I got an early heads-up about these results—especially the Google team’s choice to “publish” via a zero-knowledge proof—I thought of Frisch and Peierls, calculating how much U-235 was needed for a chain reaction in 1940, but not publishing it, even though the latest results on nuclear fission had been openly published just the year prior. Will we, in quantum computing, also soon cross that threshold? But I got strong pushback on that analogy from the cryptography and cybersecurity people who I most respect. They said: we have decades of experience with this, and the answer is that you publish. And, they said, if publishing causes people still using quantum-vulnerable systems to crap their pants … well, maybe that’s what needs to happen right now.
Naturally, journalists have been hounding me for comments, though it was the worst possible week, when I needed to host like four separate visitors in Austin. I hope this post helps! Please feel free to ask questions or post further details in the comments.
And now, with no time for this blog post to leaven and rise, I need to go home for my family’s Seder. Happy Passover!
Comment #1 April 1st, 2026 at 9:01 pm
Matt Green’s comment in Quanta seemed ok to me. It’s an algorithm for a computer that’s at best years away from existing, so I’d say publish.
A similar thing happened in 2017 when someone announced the existence of an attack against a conventional (non-quantum) algorithm, while holding back the details. Within a week someone else had reverse-engineered the attack: https://blog.cr.yp.to/20171105-infineon.html
Comment #2 April 1st, 2026 at 9:58 pm
Still in practice as recently as the late 1600s when Hooke originally published his eponymous law for spring force – as an anagram of the Latin phrase capturing the essential linear relationship, that he only decoded two years later.
Comment #3 April 2nd, 2026 at 2:20 am
Also Galileo’s anagrams to Kepler
https://judgestarling.tumblr.com/post/62652246148/galileo-kepler-two-anagrams-two-wrong
Comment #4 April 2nd, 2026 at 4:29 am
While the number of fault tolerant qubits increases, and improvements to Shor’s algorithm are made, none of it is going to be relevant when it will turn out that “wavefunction collapse” is nothing more than a convenient way of conceptually simplifying a more complex, but at its heart deterministic, underlying physical reality.
My hope is that the enormous sums of money being poured into quantum computing will bring that moment forward, since it will launch a new era in physics progress.
Comment #5 April 2nd, 2026 at 4:51 am
Scott,
Both results improve theoretical resource estimates, which matters. But neither demonstrates a single new experimental capability, and I think the combined framing risks adding more fuel to the hype that the field has been stuck in for years.
The Caltech paper is the more substantive of the two. Using high-rate qLDPC codes with reconfigurable atom arrays is exactly the kind of hardware-code co-design that could actually make a real difference. But “10,000 qubits” hides a big space-time tradeoff — the SciRate discussion flagged that the space-efficient RSA-2048 variant implies ~117 years of runtime. The ECC-256 numbers are better (~10 days at 26k qubits), but assume a 1ms stabilizer cycle time nobody has demonstrated at scale. The largest neutral-atom array is ~6,100 atoms with gate fidelities below what this architecture requires. That’s where the real fight is, and this paper doesn’t change it.
The Google paper is technically competent circuit optimization, but let’s be honest about what it is: a whitepaper aimed at the crypto community, mixing Toffoli count improvements with policy advocacy about “digital salvage” of dormant assets. The zero-knowledge proof publication is interesting but feels a bit like marketing, and as you note, once people know a smaller circuit exists, finding it is a matter of time. When the company selling cloud services tells you that everything is about to break and you need to upgrade yesterday, some skepticism is healthy.
Meanwhile, the actual experimental state of affairs hasn’t changed much since. Gutmann and Neuhaus showed pretty convincingly that every published quantum factorization “record” can be matched by a VIC-20 from 1981. No quantum computer has reliably factored anything larger than 21 with Shor’s algorithm (and even that required prior knowledge of the answer). The engineering walls — coherence at scale, correlated noise, real-time decoding — are still very much there.
To me the takeaway is: the theoretical floor for quantum attacks on ECC-256 dropped significantly, and that matters for long-term planning. But the practical timeline is still dominated by engineering unknowns that circuit optimization can’t resolve. If you have 30-year secrets, plan for PQC. Everyone else should probably patch their classical vulnerabilities first — those are the ones actually being exploited right now.
Happy Passover.
Comment #6 April 2nd, 2026 at 6:52 am
Hi Scott. Do you think quantum is going to go FOOM as per Craig Gidney’s post? https://algassert.com/post/2503 The reason for my question is that I suspect this is what is driving all the smart money going into the field (ignoring the people who invest without due diligence). I know there are considerations upon considerations, like it not being one large FOOM but lots of mini-FOOMs, but do you think people outside the field of quantum computing would be able to follow an explanation like this?
Comment #7 April 2nd, 2026 at 7:18 am
Are there quantum computing bombshells which are April Fools? This looks like a good one: “Quantum Suicide in Many-Worlds Implies P=NP”, https://arxiv.org/abs/2603.28869.
I am not impressed by the Google team’s choice of presenting “a zero-knowledge proof to validate these results without disclosing attack vectors”. It is not what they say it is. They generated a proof of circuit execution for a circuit committed only by its hash. How can we know if this hash is indeed the hash of the circuit they described, rather than something else? Of course, in the future, they can disclose the circuit, allowing everyone to verify the hash. However, the proof of execution of something we don’t know yet adds nothing to our current knowledge. While technically impressive, it is just an extremely complicated way to intentionally confuse oneself and hyperinflate the nonsense of the majority of blockchain innovations.
Comment #8 April 2nd, 2026 at 10:22 am
Agree with al. Both papers smell like marketing and shilling for their respective platforms. Hardware reality on the ground remains the same. Let’s not amplify the hype too much.
Comment #9 April 2nd, 2026 at 11:49 am
> [Danylo Yakymenko #7] How can we know if this hash is indeed the hash of the circuit they described, rather than something else?
The ZKP proves that the hash comes from the circuit that passed fuzz testing. See docs/getting_started.md from the zenodo upload ( https://zenodo.org/records/19196956 ).
Comment #10 April 2nd, 2026 at 12:34 pm
@Danylo #7:
I think you’ve misunderstood what the ZK proof shows. It’s not “just a hash” of the circuit, it’s a zero-knowledge proof that a circuit exists with these resource upper bounds. From the paper:
> The simulator also records the total number of non-Clifford gates (CCX+CCZ) executed by the circuit across the 9024 test runs. Finally, the program asserts that the input private circuit satisfies the demanded resource counts -verifying that C_low-qubit executes at most 2,700,000 Toffoli gates and requires at most 1175 logical qubits and C_low-gate executes at most 2,100,000 Toffoli gates and requires at most 1425 logical qubits.
It would be pretty silly indeed to publish just a hash of the circuit, that would clearly be meaningless! The ZK proof certifies indeed what it says on the tin.
Edit: Unless your objection is that the hash they publish doesn’t necessarily match the hash of the actual circuit? But that’s also checked by the ZK verification.
Comment #11 April 2nd, 2026 at 1:12 pm
It is hardly a detail that matters but those 1500’s duels featured cubic equations: https://www.quantamagazine.org/the-scandalous-history-of-the-cubic-formula-20220630/. I just thought it might be worth mentioning.
Comment #12 April 2nd, 2026 at 1:58 pm
Every quantum computing advancement announcement is met by a ton of critics. Someone could announce they’ve broken a 1024-bit RSA key with a quantum computer and the same number of critics saying the same things would appear. Do you think Dr. Aaronson is the type of guy to publish things just because he’s being fooled by the marketing hype you critics see so easily?? Time will tell all things.
Comment #13 April 2nd, 2026 at 3:41 pm
anon #4
That would be very exciting, though I want to stress that the relevant question is not stochastic versus deterministic (that has no impact on computational capabilities) but linearity in the exponentially large Hilbert space.
Alas, I fear that nature may not be so kind as to give us a new era of progress but will punish us by breaking our cryptography instead.
al #5
Indeed. There’s an urgently needed effort to patch classical vulnerabilities, design protocols that avoid side-channels, and diversify algorithms resistant to classical attacks. It’s called (for marketing reasons) post-quantum cryptography.
Danylo Yakymenko #7
That April Fools paper fails to cite prior art. Their algorithm is a straightforward generalization of quantum bogosort and is in turn generalized by Scott’s (non-joke) proof that PostBQP=PP.
Comment #14 April 2nd, 2026 at 5:07 pm
Craig Gidney #9
Okay, I think I understood. We can think of a circuit as some secret data that is an input to a public program that outputs either “yes” or “no” (where “yes” means the secret has specified properties) and which can be executed via a public interpreter. The execution trace of the program in the interpreter can somehow be verifiably hashed, proving the output without disclosing the secret input or the execution process.
The program uses a hash of the circuit in its code for generating tests. It seems this is not necessary in general. So, if I’m correct, you don’t actually need to publish a circuit hash, only the proof of execution. Wrong circuit or some garbage would not produce the “yes” output. This is what confused me.
And sorry for my ignorance. I stopped following progress in the crypto field due to all the scams. This scheme looks plausible to me now. Thanks.
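To make the back-and-forth in comments #7, #9, #10 and #14 concrete, here is an added example. It is not part of the original post, not any commenter’s code, and not the Google team’s actual scheme: it is a toy of the public checker program that a proof-of-execution scheme would attest to, run in the clear. The circuit (a reversible full adder), the gate set, the resource budgets and the test vectors are all constructed for this illustration. In a real zero-knowledge deployment only the commitment, the declared budgets and the accept bit would be public; the circuit would stay with the prover.

```python
import hashlib
import json
from itertools import product

# Constructed toy: a reversible circuit over classical bits with gates X, CX (CNOT)
# and CCX (Toffoli). Only Toffolis are counted, mirroring the "non-Clifford gate
# count" the thread discusses; X and CX are Clifford and free in that accounting.
# Wire layout: [a, b, cin, carry]; carry must be 0 on entry. On exit, wire 2 holds
# the sum bit and wire 3 the carry-out, while a and b are restored.
FULL_ADDER = [
    ("CCX", 0, 1, 3),  # carry ^= a & b
    ("CX", 0, 1),      # b ^= a                    (wire 1 now a xor b)
    ("CCX", 1, 2, 3),  # carry ^= (a xor b) & cin  (carry now majority(a, b, cin))
    ("CX", 1, 2),      # cin ^= a xor b            (wire 2 now a xor b xor cin)
    ("CX", 0, 1),      # uncompute: wire 1 back to b
]

def run(circuit, bits):
    """Simulate on classical bits; return (output bits, number of Toffolis executed)."""
    bits = list(bits)
    toffolis = 0
    for name, *wires in circuit:
        if name == "X":
            bits[wires[0]] ^= 1
        elif name == "CX":
            c, t = wires
            bits[t] ^= bits[c]
        elif name == "CCX":
            c1, c2, t = wires
            bits[t] ^= bits[c1] & bits[c2]
            toffolis += 1
        else:
            raise ValueError(f"unknown gate {name}")
    return bits, toffolis

def width(circuit):
    """Number of wires the circuit touches (the toy analogue of a logical-qubit count)."""
    return 1 + max(w for _, *wires in circuit for w in wires)

def commit(circuit):
    """Binding commitment to the private circuit: SHA-256 over a canonical serialization."""
    return hashlib.sha256(json.dumps(circuit, separators=(",", ":")).encode()).hexdigest()

def full_adder_spec(a, b, cin):
    """Reference behaviour the circuit is tested against."""
    s = a + b + cin
    return [a, b, s & 1, s >> 1]

def check(private_circuit, commitment, max_toffoli, max_width, spec=full_adder_spec):
    """Public checker. Accepts iff the private circuit
      (1) is the preimage of the published commitment,
      (2) reproduces `spec` on every input (exhaustive here; fuzzed at real scale), and
      (3) stays within the declared Toffoli and width budgets.
    A ZK proof that this function returned True for a given (commitment, budgets) is
    what turns a bare hash, which proves nothing, into "a circuit with these costs exists".
    """
    if commit(private_circuit) != commitment:
        return False
    if width(private_circuit) > max_width:
        return False
    worst = 0
    for a, b, cin in product((0, 1), repeat=3):
        out, toffolis = run(private_circuit, [a, b, cin, 0])
        if out != spec(a, b, cin):
            return False
        worst = max(worst, toffolis)
    return worst <= max_toffoli

# Constructed variants: same function at higher cost, and a buggy one.
BLOATED_ADDER = FULL_ADDER + [("CCX", 0, 1, 3), ("CCX", 0, 1, 3)]  # two cancelling Toffolis
BROKEN_ADDER = FULL_ADDER[:-1]                                      # forgot to uncompute b

if __name__ == "__main__":
    h = commit(FULL_ADDER)
    print("commitment:", h)
    print("accept within budget (2 Toffolis, 4 wires):", check(FULL_ADDER, h, 2, 4))
    print("accept with tighter Toffoli budget (1):   ", check(FULL_ADDER, h, 1, 4))
```

The point the example isolates: `commit` alone binds the prover to some bytes but says nothing about them (Danylo’s objection in #7), while `check` accepting for that commitment is a claim about correctness and cost that a verifier can rely on without ever seeing the gate list, which is what the ZK proof adds in the real scheme.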
Comment #15 April 2nd, 2026 at 6:35 pm
Roger A. Grimes #12:
You seem not impressed by the “ton of critics” that speak up for each QC breakthrough.
However, those of us who don’t know or care about the details can still look at the big picture. One key application of QC from Day 1 is factoring, something obviously important that anyone can understand. Consider the main factoring milestones:
The number 15 was reported to have been factored by QC a couple decades ago, maybe 2000, anyone remember exactly? Now, reportedly QC can almost, but not quite, factor 21 (see Al #5, above).
Assuming that 16, 18, and 20 have been factored, one can estimate that it takes about 5 years of worldwide work to factor each succeeding composite number, and a reasonable target for factoring 100 is about 2426 or so. We can use this estimate to establish the “over/under” wager point. I will take the “over”, and will bet $10 that in 2426 CE the number 100 has not yet been factored by a QC.
So, getting back to the main point, while enthusiasts extol the dozen or so QC breakthroughs each week, skeptics reply: so when are you going to be able to factor 22?
Comment #16 April 2nd, 2026 at 9:40 pm
It really annoys the optimistic scientist in me that we are making this amazing progress in beating down requirements for breaking security protocols with QCs, but Shor’s algo remains the top and most clear application of the technology.
As someone at a neutral atom QC startup, this is all super exciting, but I really hope the more beneficial uses of QCs emerge sooner and dwarf these more murky (but still really cool) security breaking applications.
Scott, how realistic are these new protocols? The devil is in the details, but even after a careful read I’m not sure about the caveats (besides non locality which is easier for atoms)
Comment #17 April 2nd, 2026 at 11:38 pm
anon #4:
While the number of fault tolerant qubits increases, and improvements to Shor’s algorithm are made, none of it is going to be relevant when it will turn out that “wavefunction collapse” is nothing more than a convenient way of conceptually simplifying a more complex, but at its heart deterministic, underlying physical reality.
I sometimes wish that I could’ve been born with the total, unquestioning self-assurance of anonymous commenters on my blog. With such confidence I could (as we now know) become President of the United States or the richest man in the world, and it wouldn’t even matter if I was wrong about everything.
You can’t possibly know what you confidently proclaim. A large part of me hopes you turn out to be right, as that would constitute a once-per-century revolution in physics, maybe even one that my own work on quantum supremacy would’ve helped to uncover. But it would be insanity to bet the security of the Internet on such hopes (which, of course, doesn’t mean some people won’t do it).
Comment #18 April 2nd, 2026 at 11:49 pm
al #5: Both papers are substantive. No, they don’t mean that cryptographically relevant quantum computing is “imminent,” and you’ll notice I never claimed they did. But both of them plausibly do nontrivially move up the timeline from whatever it would’ve been otherwise. That alone makes them two of the top quantum computing papers of the year and obviously worthy of a post on this blog.
And no, I can’t give anyone reassurance that (say) a 3- or 4-year timeline from here to CRQC is out of the question, just like if someone reassured you in 2018 that it would be 30+ years before you could talk to your computer in English, that person might’ve sounded conservative and responsible but we now know they would’ve been wrong.
When talking about useful applications of QC, epistemic humility calls for erring on the conservative side with timelines, but when talking about cryptanalysis, the same humility calls for just the opposite.
Comment #19 April 2nd, 2026 at 11:55 pm
S B #6:
Do you think quantum is going to go FOOM as per Craig Gidney’s post?
If QC continues to progress like it’s done over the past couple years, then sure, eventually it will do something that will probably look from the outside like “FOOM,” as it rapidly progresses from tiny demos of fault-tolerant qubits to larger and larger fault-tolerant systems to breaking cryptosystems with larger and larger key sizes. But it will still be continuous if you zoom in closely enough, and I don’t pretend to know how long it will take.
Comment #20 April 3rd, 2026 at 12:04 am
Ion Trapper #8:
Agree with al. Both papers smell like marketing and shilling for their respective platforms. Hardware reality on the ground remains the same. Let’s not amplify the hype too much.
It’s deeply amusing to me that I spend 20 years on this blog battling hype about quantum machine learning imminently revolutionizing AI, etc. etc., and all the comments are: oh, Scott is just a relentlessly negative ivory-tower academic elitist who’s blind to the coming quantum revolution, or resentful of it, and who’s probably shorting IONQ stock.
Then I tell people, look, the cryptanalysis part at least is totally serious, and recent developments put it potentially sooner than you expect, so pay attention, and all the comments are: this is marketing hype, wake me up when they can factor 21.
Comment #21 April 3rd, 2026 at 12:21 am
Raoul Ohio #15: You actually can now factor 6- or 7-digit numbers with a QC, and people have (with annealing devices), but that isn’t interesting, because it doesn’t beat classical and it doesn’t scale.
Once you understand quantum fault-tolerance, asking “so when are you going to factor 35 with Shor’s algorithm?” becomes sort of like asking the Manhattan Project physicists in 1943, “so when are you going to produce at least a small nuclear explosion?”
In the latter case, slightly more informed questions would be “how much U235 and plutonium have you produced so far? what’s your current estimate for the critical mass? how much will you produce per month, once Hanford and Oak Ridge are operating at scale?” etc.
In the QC case, slightly more informed questions would be about, e.g., the current 2-qubit gate fidelities and best estimates for the fault-tolerance threshold and overhead. Before error correction works, no number you can factor on a QC will be impressive at all. Once it does work, the speed with which the numbers get bigger will astonish those who regarded “asymptotic,” “quadratic,” “exponential,” etc. as fancy words with no connection to reality.
Comment #22 April 3rd, 2026 at 5:10 am
Hello Professor Aaronson,
As per Google’s ZK, don’t they just protect their IP — at least for a while — ?
Happy Passover — Zissen Pesach!
Comment #23 April 3rd, 2026 at 8:45 am
I still wonder why both “bombshell” papers are so speculative. Lots of ifs and assumptions, see e.g. John Ye’s comments on the first one. And the second paper’s main focus seems to be on the future valuation of Bitcoin (“of course we are not shorting against any cryptocurrency assets…”).
This feels like the Wright brothers, instead of building a working airplane that actually flew, had just written a lot of papers explicating that “If we just had an efficient engine, light enough materials for the chassis and wings, good avionics, etc, etc, we could soon have airplanes capable of bombing enemy cities. So please give us more money now!”, and then somebody else had hailed that paper as a breakthrough in the history of aviation.
Regarding the “fission bomb” analog Scott gave above, I wonder, what is the minimum “explosion size” with Shor’s algorithm with error-correcting qubits? I.e., the minimal binary length of the semiprime that will eventually make sense to factor with that technique?
Comment #24 April 3rd, 2026 at 12:08 pm
[…] a 1 April blog post, Scott Aaronson, a quantum-computing researcher at the University of Texas at Austin, describes the […]
Comment #25 April 3rd, 2026 at 7:04 pm
Do you have any information either way about whether the google team’s result, hidden behind a ZKP, is likely to have significant room for further improvement? Ie, should we expect that this is more like “the factoring problem is blown open and more order of magnitude reductions are coming”, or more like “this is a one-off reduction and this is likely the true qubit-count requirement”?
Comment #26 April 3rd, 2026 at 8:25 pm
James Babcock #25: Further improvements are almost certainly possible, but at some point you do hit diminishing returns. Certainly the number of qubits needed to *write down* the key should be a lower bound, suggesting that we’re now at most 2 orders of magnitude from the floor whatever it is.
Comment #27 April 3rd, 2026 at 8:36 pm
>> there’s precedent in the 1500’s, when mathematicians would (for example) prove their ability to solve quartic equations by challenging their rivals to duels.
One of the formats of math competition in the USSR was “math fights” in which teams would take turns challenging each other with problems.
Some of the duels re cubic and/or quartic equations were competitions for professorships.
Comment #28 April 3rd, 2026 at 10:52 pm
Wow depressing to see comments that are clearly ai slop (al, ion trapper).
Any speculation on why Google wouldn’t publish? Competitive edge?
Comment #29 April 4th, 2026 at 12:47 pm
@Scott
Thanks for the reply, I get your frustration. You are my favorite voice of reason, and you have been a bulwark against hype from media. Do you think that hype from companies themselves might be the next frontier in fighting for sanity?
@skeptic
Why would I use AI to write a two line reply? Are accusations of “AI slop” the new Godwin’s law?
Comment #30 April 4th, 2026 at 6:23 pm
My comment #15 is about distinguishing between the hype and the reality.
The counter argument in #21, “once the hype is real, then …”, doesn’t mean much if the hype never turns out to be real.
Comment #31 April 4th, 2026 at 7:55 pm
Ralph Kelsey #30: In order to distinguish effectively between hype and reality — something I’ve tried to do on this blog for 20 years — you need some underlying model of what is actually happening in the physical world.
Quantinuum, Google, QuEra and others now have programmable devices with hundreds of qubits and 2-qubit fidelities around 99.9%, on which you can run quantum circuits of your choice with thousands of gates. These now exist. They work exactly like the theory says they should. You can demonstrate quantum error-correcting codes with them.
So, between this and (say) full fault-tolerance on a few thousand physical qubits, what is the specific step you believe is going to fail, and why? If you answer that, we can move forward, but otherwise we’re just wasting electrons.
Comment #32 April 5th, 2026 at 5:18 am
Hi Scott,
Did you ever get a chance to read that Tim Palmer paper? (Link: https://www.pnas.org/doi/10.1073/pnas.2523350123)
I’m really interested to hear what you think about it.
Comment #33 April 5th, 2026 at 12:58 pm
Dan #32: You’re like the 20th person to have sent me a link to Tim Palmer. I appreciate that he’s sticking his neck out and making a concrete prediction, that quantum computers will never break RSA, because of the speculative ideas he’s come up with that supersede quantum mechanics itself and render QC impossible. I expect that that prediction will before long refute his worldview more than any words I could write here. Of course, if he were right, it would be the biggest revolution in physics for at least a century, and QC not working would be the least of it.
Comment #34 April 5th, 2026 at 9:56 pm
1. How many logical qubits are necessary if 26000 physical qubits get 256bit ECC in a few days and 2048 bit RSA in a few years (two orders of magnitude higher as mentioned in the paper)?
2. I see they use LDPC and lifted product codes and maybe their combination. Do you know what each of the three categories give in terms of physical qubits?
3. Since I come from a different world wanted to ask. Shannon channel model is y=x+n where x is tx message and y is rx message and n is noise. What is the corresponding channel model based on which they map logical qubits to physical qubits? Is it an additive model? If so what is the x and n physically correspond to? In the Shannon model x could be an electrical signal high and low and n is thermal noise at the receiver. Is the noise thermal in nature or what is it?
My guess is x is some sort of encoder for the entropy such as the spin of an electron. What is n then? is it ‘spin’ added to something? I am looking for basic mathematical mechanisms. Apologies if the questions are extremely basic.
Comment #35 April 5th, 2026 at 10:40 pm
The reason I am asking 1 is because even to encode 256bit ECC point addition I believe the NAND gate count is on order of 10^4. Surely we can take decryption to be at least 10 ECC point additions.
Comment #36 April 6th, 2026 at 4:38 pm
> (Scott #26) Certainly the number of qubits needed to *write down* the key should be a lower bound
That wasn’t true for RSA. If I had to guess at a lower bound, it would be the bit length of the period being found.
Comment #37 April 6th, 2026 at 5:51 pm
BasicQuestion #34:
1. As far as I can see, for ECC-256 the estimate is roughly 1200-1450 logical qubits, with the rest of the gap coming from fault-tolerance overhead. The gate-count is relevant for runtime, but it does not determine the logical-qubit count. Logical qubits measure the width of the computation, while NAND/Toffoli counts measure its time-volume cost. So a 256-bit ECDLP attack can require only about 1200-1450 logical qubits while still taking tens of millions of Toffoli gates.
2. qLDPC is the broad class of quantum codes with sparse parity-check matrices. Lifted-product (LP) codes are a large family within qLDPC, and the paper also uses bivariate bicycle (BB) codes, aka generalized bicycle, 2BGA, or generalized Haah codes, which form a special subfamily of LP codes. So these are not three separate overhead numbers that add independently. Rather, the architecture mixes different qLDPC blocks for different tasks, such as memory, processing, and factories.
3. The closest classical analogy is not additive Gaussian noise, but rather a discrete channel like BSC(p). In the simplest quantum error model, a qubit is transmitted correctly with probability 1-p and undergoes a bit-flip X with probability p, which is exactly the quantum analogue of a random bit flip. More generally, quantum noise also includes phase flips Z and combined errors Y, so the channel is usually modeled as a discrete channel rather than continuous y = x + n. Physically, x is the intended quantum state of the qubit, while the “noise” comes from decoherence, imperfect gates, faulty measurements, atom loss, and similar hardware imperfections.
Comment #38 April 6th, 2026 at 9:59 pm
Frisch and Peierls were hiding the idea that nuclear bombs were possible. Not the same thing.
We all know quantum computers should be possible, according to current physics theories, so there is no secret that’ll keep here. After knowing the claims, another team could become an expert in the relevant subjects, including reading Craig Gidney’s papers carefully, and then reach a similar conclusion. Russia and China could easily replicate this work.
On the PQC list, Marcel Tippelt pointed out an earlier paper by Craig Gidney that “achieves results with the same magnitude of qubits/gates etc., but provide the details of the estimation.”
https://arxiv.org/pdf/2505.15917
“I find the results posted by Google are not so surprising (and are likely derived using similar optimizations”. And Marin Ivezic agreed that “Marcel is right that the results are consistent with the trajectory.”
Anyways, we’ve zero “responsible disclosure” reason for doing the zero-knowledge proof, so why bother?
It’s nice attention & hype, not just for your QC work, and for PQ, but for the ZKPs too. Also Justin Drake works for Ethereum, and they love pumping their zk roll up idea, which incurs insanely high prover costs. It’ll be funny when, not if, someone scoops them on the details though. lol
As an aside, Justin Drake spent ages pumping the verifiable delay function (VDF) idea, before djb pointed out old papers where the time space tradeoffs killed nice VDFs, and someone else modernised or reinvented better arguments that finally killed VDFs.
Around time-space trade offs, another PQC comment asked if the circuit randomises both sides of the EC addition or only one-side, because Shor needs only one-side, the other side being the base point, but if you do one-sided in the ZKP then you might’ve some knowledge about that point. 10 x is impressive if done two-sided, but maybe less if trading off somehow on one-side.
Comment #39 April 7th, 2026 at 12:50 am
@Pavel #37 On 1 then what is the claim about 26000 qubits? Is it the case 1000s of Toffoli gates constitute one physical qubit to account for the millions of Toffoli gates? Sorry don’t know much about QC.
So on 3 there is no way to parametrize the noise model? One can model y=x+n also crudely as a bsc(p) but you lose soft information as was done in the 50’s and 60’s and maybe even 70s.. and so no code you design for the bsc(p) approximation will beat the code you design for the model y=x+n. A useful parametric model might change the paradigm. Would Scott know any functional model for noise? If you have a model usually people figure out how to squeeze out efficiency from how to use the model.
Comment #40 April 7th, 2026 at 7:27 am
@Scott
> Before error correction works, no number you can factor on a QC will be impressive at all. Once it does work, the speed with which the numbers get bigger will astonish
I don’t really understand. People are doing stunt-factorizations and increasing the numbers all the time. Only those are supposedly worthless. Is it impossible to factor 15 using full Shor on a real QC?
I noticed Nvidia wrote a circuit for their quantum simulator and even they only used the compiled version of Shor. Would it be infeasible to factor 15 on a simulator using real Shor?
Comment #41 April 7th, 2026 at 9:41 am
Mike #40: One more time:
Stunt-factorizations using quantum annealing are worthless, because that’s an approach that doesn’t win against classical, doesn’t scale, and has nothing to do with Shor’s algorithm.
Factoring using Shor’s algorithm is what matters. There, people did stunt-factorizations of 15 on real quantum devices already decades ago. And you can also of course run Shor on small numbers in simulators.
But the actual goal is to factor using Shor’s algorithm on a fault-tolerant QC. That has not yet been done. That’s the thing where, once it’s done for 15, doing it for 2048-bit RSA composites should “merely” be a matter of scaling up.
Comment #42 April 7th, 2026 at 10:40 am
> Frisch and Peierls were hiding the idea that nuclear bombs were possible. Not the same thing.
Around this, Heisenberg never believed the nuclear weapons were possible. It’s partially that he never knew about secret plutonium enrichment techniques, but that’s not the whole story, since he could’ve easily redone the Frisch and Peierls calculations. It may be his wishful thinking: London and Berlin are relatively close, and repeatedly at war, while the Americans lived far away from Germany and Japan.
Anyways Heisenberg would’ve quickly redone the Frisch and Peierls calculations if someone had shown him a zero-knowledge proof of even a partial conclusion. 😉
I think your analogy only starts becoming valid when some APT has a quantum computing effort headed by some super-determinism fan like Hossenfelder, or outright skeptics like Gil Kalai. lol We donno who runs the secret quantum computing efforts, but we kinda know such people accept the copenhagen interpretation.
As for hardware, we should expect major APTs have semi-independent teams pushing different approaches. We know the NSA only had one approach going before Snowden, but they would’ve diversified by now, so even hardware QC researchers have no secrets that’ll stay secret.
Just publish and hope it helps the good people know what’s going on.
Comment #43 April 7th, 2026 at 11:19 am
BasicQuestion #39:
The ~1200-1450 figure is the number of ideal, noiseless qubits, that is, the logical qubits; whereas the ~26000 figure is the number of real physical qubits. Each logical qubit is encoded into many physical qubits, so even one ideal logical gate must be implemented through many operations on physical qubits. You also need additional hardware resources for syndrome extraction, routing, and especially magic-state factories.
As for the noise model, yes, people do parametrize it, but usually not in the form y = x + n. The standard framework is a quantum channel acting on the density matrix. Common examples include depolarizing noise, dephasing, amplitude damping, erasure, leakage, and more detailed circuit-level models with separate error rates for one-qubit gates, two-qubit gates, measurements, and idle periods. So they are definitely parametric noise models.
The reason many papers use BSC-like models is not that more refined models are impossible, but that they are analytically easier and closer to what current decoders can handle. In principle, better hardware-specific noise models and the use of soft information should indeed improve efficiency, just as in classical coding. In fact, there are already researchers working in exactly this direction. We are simply still in the early stages of quantum error correction.
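To make the distinction in the reply above concrete, here is an added example (not from the comment author or any project it mentions) that applies the channels named there to a density matrix in Kraus form and reads off the classical transition matrix each one induces on a measurement basis. Dephasing and depolarizing induce a symmetric flip probability, i.e. a BSC-like model, while amplitude damping does not; the basis states and error rates are constructed for illustration.

```python
import numpy as np

# Single-qubit Pauli operators.
I2 = np.eye(2, dtype=complex)
X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)
Y = 1j * X @ Z  # = [[0, -i], [i, 0]]

def apply_channel(rho, kraus):
    """Quantum channel in Kraus form: rho -> sum_k K_k rho K_k^dagger."""
    return sum(K @ rho @ K.conj().T for K in kraus)

def depolarizing(p):
    """With probability p, apply a uniformly random X, Y or Z error."""
    return [np.sqrt(1 - p) * I2] + [np.sqrt(p / 3) * P for P in (X, Y, Z)]

def dephasing(p):
    """Phase flip (Z) with probability p; Z-basis populations are untouched."""
    return [np.sqrt(1 - p) * I2, np.sqrt(p) * Z]

def amplitude_damping(gamma):
    """|1> relaxes to |0> with probability gamma; |0> is unaffected (asymmetric)."""
    K0 = np.array([[1, 0], [0, np.sqrt(1 - gamma)]], dtype=complex)
    K1 = np.array([[0, np.sqrt(gamma)], [0, 0]], dtype=complex)
    return [K0, K1]

def is_trace_preserving(kraus):
    """Validity check for a channel: sum_k K_k^dagger K_k = I."""
    return bool(np.allclose(sum(K.conj().T @ K for K in kraus), I2))

def transition_matrix(kraus, basis):
    """Classical channel induced on a measurement basis: T[i, j] = Pr(read j | prepared i)."""
    T = np.zeros((len(basis), len(basis)))
    for i, psi in enumerate(basis):
        rho_out = apply_channel(np.outer(psi, psi.conj()), kraus)
        for j, phi in enumerate(basis):
            T[i, j] = np.real(phi.conj() @ rho_out @ phi)
    return T

def is_bsc_like(T, tol=1e-12):
    """True when the induced classical channel is a binary symmetric channel."""
    return bool(abs(T[0, 1] - T[1, 0]) < tol and abs(T[0, 0] - T[1, 1]) < tol)

# Constructed measurement bases: computational (Z) and Hadamard (X).
Z_BASIS = [np.array([1, 0], dtype=complex), np.array([0, 1], dtype=complex)]
X_BASIS = [np.array([1, 1], dtype=complex) / np.sqrt(2), np.array([1, -1], dtype=complex) / np.sqrt(2)]

if __name__ == "__main__":
    for name, ch, basis in [("dephasing p=0.1, X basis", dephasing(0.1), X_BASIS),
                            ("depolarizing p=0.1, Z basis", depolarizing(0.1), Z_BASIS),
                            ("amplitude damping gamma=0.1, Z basis", amplitude_damping(0.1), Z_BASIS)]:
        T = transition_matrix(ch, basis)
        print(name, "| trace-preserving:", is_trace_preserving(ch), "| BSC-like:", is_bsc_like(T))
        print(np.round(T, 4))
```

Run as a script it prints the three transition matrices; the asymmetric amplitude-damping matrix is the simplest case where a hardware-specific model carries information a BSC approximation throws away.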
Comment #44 April 7th, 2026 at 11:45 am
Hi Scott,
My partner Andrew Klaber and I started Bedford Ridge Capital five years ago when we spun out of John Paulson’s hedge fund with ~$230m in assets. Today, we manage ~$3bn. I have spent about the last two years learning about quantum computing by speaking with academics, diligencing start-ups, and taking courses at MIT on QC. I have found your site extraordinarily helpful. So, thank you. My firm’s most recent investment was into a quantum computing company based out of Israel called Quantum Art. I currently sit on the board. It would be great to connect by Zoom if you have some time to catch up. I think we could have a fruitful conversation.
Comment #45 April 7th, 2026 at 3:15 pm
@Scott
Thanks for replying. I wasn’t talking about the annealers, because everyone knows those can’t run Shor.
My question was whether anyone has run Shor on anything yet, on real hardware but also in simulators. I could only find applications of the compiled Shor version. (Compiled Shor is cheating, isn’t it?)
IDK. Maybe there are still too few usable qubits to factor a 4-bit number.
But I trust your word that it will be done when error correction works.
Comment #46 April 7th, 2026 at 3:50 pm
@Pavel #43 Really great detailed answer.
“As for the noise model, yes, people do parametrize it, but usually not in the form y = x + n. The standard framework is a quantum channel acting on the density matrix. Common examples include depolarizing noise, dephasing, amplitude damping, erasure, leakage, and more detailed circuit-level models with separate error rates for one-qubit gates, two-qubit gates, measurements, and idle periods. So they are definitely parametric noise models.
The reason many papers use BSC-like models is not that more refined models are impossible, but that they are analytically easier and closer to what current decoders can handle. In principle, better hardware-specific noise models and the use of soft information should indeed improve efficiency, just as in classical coding. In fact, there are already researchers working in exactly this direction. We are simply still in the early stages of quantum error correction.”
Can you post a comprehensive list of references on both 1) noise models and 2) current efforts on ‘appropriate soft information models’ that quantum error correction research is currently attempting to exploit?
Comment #47 April 7th, 2026 at 7:42 pm
BasicQuestion #46
Noise models:
– iOlius et al., “Decoding algorithms for surface codes”
https://arxiv.org/abs/2307.14989
– Ghosh et al., “Understanding the effects of leakage in superconducting quantum-error-detection circuits”
https://arxiv.org/abs/1306.0925
– Gidney, “Stim: a fast stabilizer circuit simulator”
https://quantum-journal.org/papers/q-2021-07-06-497/
Soft/analog information:
– Raveendran et al., “Soft Syndrome Decoding of Quantum LDPC Codes for Joint Correction of Data and Syndrome Errors”
https://arxiv.org/abs/2205.02341
– Berent et al., “Analog Information Decoding of Bosonic Quantum Low-Density Parity-Check Codes”
https://journals.aps.org/prxquantum/abstract/10.1103/PRXQuantum.5.020349
– Hanisch et al., “Soft information decoding with superconducting qubits”
https://arxiv.org/abs/2411.16228
– Majaniemi and Matekole, “Reducing quantum error correction overhead using soft information”
https://arxiv.org/abs/2504.03504
– Bausch et al., “Learning high-accuracy error decoding for quantum processors”
https://www.nature.com/articles/s41586-024-08148-8
Comment #48 April 8th, 2026 at 4:23 pm
Scott, what do you make of Oratomic’s claim that AI was “instrumental in accelerating the development of their algorithm”? You may be uniquely well placed to assess it …
Comment #49 April 8th, 2026 at 4:58 pm
Larry #48: I don’t know anything about it beyond what’s in the paper. But I also don’t regard it as implausible, since these days, just about everyone uses AI to help do everything faster. Nothing special about quantum computing there.
Comment #50 April 8th, 2026 at 5:06 pm
@Pavel #47 Thank you. I will look at the noise models closely. I looked at the first paper, iOlius et al., “Decoding algorithms for surface codes” (https://arxiv.org/abs/2307.14989), for instance. It says something analogous to ‘noise is Gaussian’. The analog for ‘x +’ is missing. Unless the ‘x +’ (that is, the functional f(x,n) which is the model for the channel) is properly formulated, the ‘analog of soft information’ cannot be correct. For example, all the soft information talked about is based on voltage levels, which cannot be the right soft information (although it is obviously capable of giving gains).
Comment #51 April 10th, 2026 at 7:00 pm
This from your friend John Preskill’s lab seems worthy of comment too.
https://quantumfrontiers.com/2026/04/09/unleashing-the-advantage-of-quantum-ai/
Comment #52 April 15th, 2026 at 8:39 am
Scott #19 “But it will still be continuous if you zoom in closely enough, and I don’t pretend to know how long it will take”
Exponentials are continuous. C-infinity, in fact.
Comment #53 April 17th, 2026 at 11:03 am
An interesting continuation of the ZKP story: https://blog.trailofbits.com/2026/04/17/we-beat-googles-zero-knowledge-proof-of-quantum-cryptanalysis/
Comment #54 April 29th, 2026 at 3:19 am
[…] Notably, the situation evolved even while we were writing our position paper—for example, with the major recent papers from Google and Caltech/Oratomic that I blogged about a month ago. […]
Comment #55 May 4th, 2026 at 12:35 pm
Scott, I stopped by to ask about the paper from Zhao et al, too, which evidently went up on arXiv a week after this post: https://arxiv.org/pdf/2604.07639. To my untutored eyes, this looks at least as big as the other two.