Quantum Threat: ECC-256 Falls Before RSA-2048

March 31, 2026


Two papers published on March 31, 2026 arrived at the same conclusion from different hardware architectures: ECC-256 falls before RSA-2048. The gap is large. One to two orders of magnitude in runtime.

The first, from Oratomic and Caltech, demonstrates that Shor’s algorithm can execute at cryptographic scale on as few as 10,000 reconfigurable neutral-atom qubits. With 26,000 physical qubits, the P-256 elliptic curve discrete logarithm completes in days. RSA-2048 factoring on the same architecture takes 10 to 100 times longer. The second, from Google Quantum AI, compiles two circuit variants for ECDLP-256 requiring fewer than 1,200 logical qubits and fewer than 500,000 physical superconducting qubits, executable in minutes. That represents a 20-fold reduction from prior estimates.

These results follow a consistent trajectory. The resource estimates for breaking classical cryptography have been compressing steadily for over a decade.

The shrinking target

In 2012, Fowler et al. estimated that factoring RSA-2048 would require roughly one billion physical qubits. In 2019, Gidney and Ekerå brought that to 20 million physical qubits in eight hours. In May 2025, Gidney’s follow-up compressed it further to under one million qubits in under one week. The Pinnacle Architecture analysis in early 2026 reached approximately 100,000 qubits using QLDPC codes. Now Oratomic estimates 11,000 to 14,000 physical neutral-atom qubits, with a longer runtime tradeoff.

Five orders of magnitude in fourteen years. Each reduction came from a different source: better algorithms, better error-correcting codes, better circuit compilation, better hardware architectures. The reductions are accelerating. They are stacking.

ECC-256 followed the same trajectory. Roetteler et al. in 2017 estimated 2,330 logical qubits for P-256. By 2023, Gouzien et al. reached approximately 126,000 physical qubits with cat-code architectures. A 2026 paper by Chevignard, Fouque, and Schrottenloher brought the logical qubit count to 1,098. Now Google reaches fewer than 1,200 logical qubits with fewer than 500,000 physical superconducting qubits, and Oratomic reaches 10,000 to 26,000 neutral-atom qubits.

The direction is consistent across every hardware platform and every research group. The only variable is the rate of compression.

Current neutral-atom experiments have demonstrated trapping arrays with more than 6,000 qubits. Oratomic, which launched as a company alongside the paper, considers 10,000 qubits an engineering target rather than a physics problem. The gap between resource estimates and available hardware is closing from both sides.

The priority inversion

Most PQC migration guidance treats classical cryptography as a single category. Migrate away from RSA, ECC, and DH. The timelines, the urgency, the project plans all assume these algorithms share an expiration date.

They do not.

ECC became the dominant standard precisely because it offers equivalent classical security with smaller keys. P-256 provides 128-bit classical security with a 256-bit key. RSA-3072 achieves the same with keys 12 times larger. That efficiency made ECC the default for TLS 1.3 handshakes, code signing, authentication tokens, FIDO2/WebAuthn, and certificate authorities.

Shor’s algorithm does not care about classical security equivalence. It cares about the size of the numbers involved. Smaller keys mean fewer qubits. The property that made ECC dominant in modern infrastructure makes it the easier quantum target.

This creates a priority inversion for migration planning. The algorithm deployed most widely across modern systems is the one that breaks first.

What is actually deployed

The coverage of these papers has focused almost entirely on cryptocurrency wallets and Bitcoin’s secp256k1 curve. That is a narrow reading. ECC-256 secures far more than blockchain transactions.

TLS 1.3 negotiates ECDHE key exchange by default. ECDSA certificates are the standard for modern certificate authorities. SSH key pairs increasingly use Ed25519 or ECDSA over RSA. FIDO2 and passkeys rely on P-256 for device attestation. Code signing across Apple, Google, and Microsoft ecosystems uses ECC. Email encryption through S/MIME commonly uses ECC certificates.

RSA-2048 is still present in legacy infrastructure: older certificates, PGP keys, some SSH deployments, government systems running on long procurement cycles. But the trend over the past decade has been a migration from RSA to ECC, which means the most modern, most recently deployed systems are the ones most exposed to the nearer quantum threat.

Organizations that completed an RSA-to-ECC migration in the last five years and considered the job done now face a second migration sooner than they expected.

Measuring exposure

The operational question is what proportion of your deployment is ECC versus RSA, and where.

A TLS scan returns the certificate key type (ECDSA or RSA), the key exchange group (ECDHE or DHE), and the specific curve or key size. This data already exists in every handshake. Most organizations have never aggregated it.

Chart showing ECC vs RSA deployment across 895 NIS2 endpoints. Certificates are 77% RSA, but key exchange flips the ratio: 54% X25519 (ECC), 27% hybrid PQC, with ECC exposure for confidentiality far higher than the certificate ratio suggests.

[PQ]probe captures this across 20+ protocols. The output distinguishes ECDSA-P256 from RSA-2048 at the scan level, which means you can measure your ECC exposure as a percentage of total endpoints, map it by protocol, and identify which systems fall into the nearer threat window.

The point is knowing which parts of your infrastructure are in line to break first when a cryptographically relevant quantum computer arrives.
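The aggregation described in this section, as an added example (not [PQ]probe's code or output format): it buckets each endpoint's certificate key and key-exchange group, reports the ECC share separately for authentication and for confidentiality, and lists the endpoints in the ECC window by protocol. The record field names, hostnames and sample values are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records. Field names are assumptions for this example,
# not the output format of any particular scanner.
SCAN = [
    {"host": "www.example.test", "proto": "https", "cert_key": "RSA-2048", "kex_group": "X25519"},
    {"host": "api.example.test", "proto": "https", "cert_key": "ECDSA-P256", "kex_group": "X25519MLKEM768"},
    {"host": "mail.example.test", "proto": "smtp", "cert_key": "RSA-2048", "kex_group": "secp256r1"},
    {"host": "vpn.example.test", "proto": "https", "cert_key": "ECDSA-P256", "kex_group": "secp384r1"},
    {"host": "old.example.test", "proto": "imap", "cert_key": "RSA-2048", "kex_group": "ffdhe2048"},
    {"host": "git.example.test", "proto": "ssh", "cert_key": "Ed25519", "kex_group": "curve25519-sha256"},
]

# Name fragments used to bucket algorithms (matched case-insensitively).
PQC_MARKERS = ("mlkem", "kyber", "sntrup", "mldsa")
ECC_PREFIXES = ("ecdsa", "ed25519", "ed448", "x25519", "x448", "secp", "curve")
AXES = (("auth", "cert_key"), ("kex", "kex_group"))

def classify(name):
    """Bucket an algorithm name as 'pqc', 'ecc', 'rsa' or 'other'."""
    n = name.lower().replace("-", "").replace("_", "")
    if any(m in n for m in PQC_MARKERS):   # hybrids are checked before plain ECC
        return "pqc"
    if n.startswith(ECC_PREFIXES):
        return "ecc"
    return "rsa" if n.startswith("rsa") else "other"

def exposure(records):
    """Percent of endpoints per bucket, separately for each axis."""
    out = {}
    for axis, field in AXES:
        counts = Counter(classify(r[field]) for r in records)
        out[axis] = {k: round(100 * v / len(records), 1) for k, v in counts.items()}
    return out

def first_window(records):
    """Endpoints using ECC on either axis, grouped by protocol."""
    by_proto = defaultdict(list)
    for r in records:
        hit = [axis for axis, field in AXES if classify(r[field]) == "ecc"]
        if hit:
            by_proto[r["proto"]].append((r["host"], hit))
    return dict(by_proto)

if __name__ == "__main__":
    print(exposure(SCAN))
    for proto, hosts in first_window(SCAN).items():
        print(proto, hosts)
```

Keeping the two axes apart matters because an endpoint with an RSA certificate can still negotiate an ECC key exchange, so the certificate ratio alone understates exposure of recorded traffic.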

Two threat windows, not one

These papers establish that PQC migration has at least two deadlines.

The first window is ECC: certificates, key exchange, authentication tokens, code signing, passkeys. The systems that upgraded to ECC in the last decade. The systems running the most modern cryptographic stacks.

The second window is RSA: legacy certificates, older SSH deployments, long-lived PGP keys, government and defense systems on slow upgrade cycles. Still exposed, but with more runway.

Harvest-now-decrypt-later does not distinguish between the two. An adversary capturing encrypted traffic today will decrypt the ECC-protected portion first when quantum capability arrives. But for active migration planning, the sequencing matters. Organizations with limited migration capacity should prioritize ECC-protected systems.

The compliance frameworks have not caught up. CNSA 2.0, BSI TR-02102, and NIST’s deprecation timelines treat RSA and ECC interchangeably. These papers suggest they should not.

What this changes

Migration project managers now have a sequencing input they did not have before. ECC-protected systems go first.

The irony is worth sitting with. The industry spent a decade migrating from RSA to ECC because ECC was better cryptography. It was. Against classical attackers, P-256 is elegant and efficient. Against a quantum attacker, that efficiency is a liability. The upgrade path led toward the threat.