Two published numbers, five orders of magnitude apart, and the one sentence in Willow’s abstract that nobody quotes.
Somewhere right now a security team is sitting through a vendor deck with a slide that says quantum computers are about to break encryption, and a budget line right after it. The pitch leans on a real milestone, usually Google's, and lets urgency do the rest. The honest answer to "how far away is this, actually" exists, it is public, and it comes down to two published numbers that rarely appear on the same slide. This piece puts them side by side.
In 2019, Craig Gidney and Martin Ekerå published the most careful public costing of the canonical attack: use Shor's algorithm to factor a 2048-bit RSA key, the kind protecting most of the interesting traffic on the internet. Their paper, peer-reviewed in Quantum in 2021, put the bill at roughly 20 million noisy physical qubits running for eight hours.
That figure was not pessimism. It came with explicit, stated hardware assumptions, quoted here from their abstract: "a planar grid of qubits with nearest-neighbor connectivity, a characteristic physical gate error rate of 10⁻³, a surface code cycle time of 1 microsecond, and a reaction time of 10 microseconds." Hold onto those assumptions. They matter more than the headline number, because five years later the best public hardware arrived at almost exactly that spec.
In December 2024, Google's Willow processor demonstrated, in Nature, the thing the field had chased for decades: error correction that improves as you scale it. Each increase of the code distance by two cut the logical error rate by a measured factor of 2.14 ± 0.02, landing a 101-qubit logical memory at 0.143% ± 0.003% error per correction cycle, with the encoded qubit outliving the chip's best physical qubit by 2.4 ± 0.3 times. A real milestone, fairly earned. We covered what Willow did and did not prove, including the septillion-year number that belongs to a different experiment, in our earlier piece on the below-threshold result.
For today's question you need one more Willow number: the whole chip is 105 physical qubits.
Set the two published figures side by side. The best public estimate for breaking RSA-2048 wants twenty million qubits. The chip that just made history has one hundred and five. Neither number is disputed anywhere in the field, and the distance between them is five orders of magnitude. That is the gap, and everything else in the vendor deck is commentary.
Here is where careful reading pays. Gidney and Ekerå assumed a physical gate error rate of 10⁻³. Willow measured a logical error per cycle of 1.43 × 10⁻³. Those figures nearly coincide, and they describe different things. The former is an assumption about how often a raw hardware operation fails. The latter is a measurement of how often the error-corrected, encoded qubit fails per cycle at code distance 7. Fusing them into "the hardware hit the required error rate" is the single easiest mistake to make with this material, and a slide deck tightened for length will make it every time.
The honest connection between the two papers is more interesting than the fused version. Gidney and Ekerå did not price the attack against dream hardware. They priced it against hardware of roughly the class Willow turned out to be: planar grid, nearest-neighbor connections, gates failing about once in a thousand. Which means the milestone everyone celebrated did not shrink the 20-million-qubit estimate. It validated the assumptions the estimate was computed under. The price tag did not come down. The price tag got confirmed.
The arithmetic that follows is ours, from the two papers' published numbers; neither paper states it this way. Algorithms worth running fault-tolerantly want logical error rates near 10⁻¹⁰ per operation. Willow's measured 1.43 × 10⁻³ sits about ten million times above that. At one better-than-halving per two steps of code distance, covering that ratio takes roughly 22 more doublings of protection, which lands near code distance 50. A surface-code patch at distance 50 spends on the order of 2d², call it five thousand physical qubits, on a single logical qubit. Shor's algorithm on RSA-2048 needs thousands of logical qubits working at once, plus the factory overhead that supplies their special operating states. Multiply it out and you land in the tens of millions of physical qubits, which is exactly where Gidney and Ekerå landed. Their number and the post-Willow trajectory agree with each other.
There is a second limit, and it sits in Willow's own abstract, largely unquoted: "logical performance is limited by rare correlated error events occurring approximately once every hour, or 3 × 10⁹ cycles."
Error correction of this kind works because faults strike independently, letting redundancy outvote them. A correlated event, something that disturbs many qubits at once, breaks the assumption the whole scheme rests on. Against the failures the code models, more distance buys exponential protection; the 2.14 factor is that purchase, measured. Against a failure outside the model, more distance buys approximately nothing.
Now recall that the attack in question runs for eight hours. Setting that against an hourly rate is this essay's own arithmetic, and it earns the same warning as the last section's, in fact a stronger one. The once-an-hour figure was measured on a 105-qubit chip running a distance-7 code. The eight hours belong to a hypothetical machine five orders of magnitude larger. Treating a rate measured on one device as a property of the other is the exact fusion this piece has spent two sections complaining about, so take the multiplication as illustrative and not as a forecast.
What survives the caveat is the shape, and the direction. A failure mode that recurs on the scale of hours is not a footnote to a computation that runs for hours. And the direction is not comforting: a machine with something like two hundred thousand times the physical area presents a correspondingly larger target to whatever causes these events, so at scale the rate plausibly rises rather than falls. That is the point. You do not engineer around it by purchasing more of the thing whose assumptions it violates. Any roadmap that extrapolates the error-correction curve smoothly to RSA-breaking scale is assuming this problem away without saying so.
If you hold a security budget, the question you are being sold is "when," and the question that decides anything is different: is the secrecy lifetime of your data longer than the gap? Traffic recorded today can be decrypted by whatever exists when the gap closes. For data that must stay secret for decades, post-quantum migration is worth scheduling on data-lifetime grounds no matter whose chip is in the news, and that argument needed no urgency theater to begin with.
And when the next milestone lands, run it against the two numbers. Did it change the best published estimate of what the attack costs? Did it change the qubit count by an order of magnitude, or by a chip? Willow, read this way, moved the hardware number from double digits to triple, confirmed the assumptions behind the cost number, and surfaced a wall that neither number captures. The distance is measured from both ends. Watch both, and read the abstracts; the sentence that matters most is usually sitting there, unquoted.
This piece is about the distance between a claim and the number that settles it, and about how easily two different quantities get fused into one confident sentence. We build for the same problem one domain over. Chain-of-Consciousness gives an automated agent a tamper-evident, independent log of what it actually did: which check ran, what it returned, and whether the thing advanced anyway. It does not make an agent right. It makes the claim checkable, which is the only kind of trust that survives contact with a slide deck.
pip install chain-of-consciousnessnpm install chain-of-consciousness
More on provenance you can defend: Hosted Chain-of-Consciousness.