The Cost of Factoring a 2048-bit Integer

EMV-SWG-NP49r2 EMVCo pre-read on RSA key strength The following paper was written by Sam Jaques for EMVCo. EMVCo is making this paper available as a pre-read for the EMVCo Special Interest Meeting organised by the EMVCo Security Working Group on 1st July 2025. EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2025 EMVCo, LLC. All rights reserved. The Cost of Factoring a 2048-bit Integer Samuel Jaques University of Waterloo, Waterloo, Canada 1 Summary By extrapolating trends in computer hardware, I estimate a cost of USD$5.5 trillion to factor RSA-1984 in 2035. (1) This cost is adjusted for inflation, i.e., in 2025 dollars. To arrive at this estimate, I made the following major assumptions: • costs to construct hardware are decreasing exponentially; • computer energy efficiency is increasing exponentially; • power costs are decreasing linearly, though slowly; • attackers in 2035 will use the same algorithms that are used today. Using my methodology for attacks that are feasible today, it underestimates the costs to break DES by 500× and is 450× lower than estimates based on cloud computing costs. That is, I erred in favour of underestimating the cost. Since my conclusion is that factoring will still remain so expensive that the dollar cost is essentially nonsense, I feel confident in this underestimate. Classical hardware trends have been remarkably steady, and unexpected developments are generally when hardware is worse than expected. In contrast, advances in factoring algorithms and in quantum hardware are much more chaotic. Either one could rapidly and unexpectedly reduce the cost of factoring. Specifically, quantum hardware and algorithm advances have rendered previous quantum resource estimates obsolete. This means quantum factoring may become significantly cheaper by 2035. 2 Cost Model Our concern is a monetary threat: an adversary will recover an RSA key and use this to cause economic damage. Thus, I will frame the attack in terms of its cost in some currency. If the cost of the attack is higher than the value of the recovered secrets, we can assume some safety. There are several costs to execute a large attack. Report prepared in 2025 for EMVco. 2 The Cost of Factoring a 2048-bit Integer 2.1 Hardware costs. Real-world targets and attacks are limited in time, forcing attacks to parallelize. For example, if an issuer public key expires in 2034, an attack must be completed by 2034. Even with a 4 GHz processor, that only allows 260 processor cycles; no relevant attack can be completed that quickly. This means all attackers are limited by the hardware they can commandeer. Attackers have several options for their hardware: • purchase their own off-the-shelf hardware; • build special-purpose custom hardware; • commandeer existing hardware. In [LWS21] the authors design circuits gate-by-gate for cryptographic attacks, to accurately gauge the cost of custom attack hardware. I will instead extrapolate from the hardware requirements of past factoring records, as the number field sieve is significantly more complicated and thus more challenging to accurately estimate from first principles. I use the extrapolated costs from [LWS21]1, adjusted for inflation. While I expect EMVco’s adversaries are less likely than nation-states to build custom hardware, this will give a “pessimistic” estimate2. I adjusted for inflation out of principle: I do not have the macroeconomic expertise to predict the fraction of the overall economy that is secured in credit card transactions compared to the fraction devoted to computational resources. 2.2 Energy Costs. Running an attack will consume significant energy. Thanks to Bitcoin, running any computational hardware for any purpose has an opportunity cost: one could instead use the hardware to mine Bitcoin. Bitcoin mining has settled into a steady return per kWh of energy consumed [Mel23]. Using inflation-adjusted electricity cost data for the United States [UIC22], electricity seems to be linearly decreasing in price at a rate of 0.047 cents per year. On the other side, computers have been steadily increasing in energy efficiency. Top500 maintains a “Green500” list of the most energy efficient computers [TOP24] which suggest an exponential increase in energy efficiency (FLOPS/watt)3 (Figure 1). It is worth pointing out that Landauer’s law gives a fundamental limit of roughly 600 PetaFLOPS/watt at room temperature, and the estimate for 2035 is 1.7 TerraFLOPS/watt, “only” 600,000× below the physical, fundamental maximum. 2.3 Expertise Costs. Managing this much hardware and fine-tuning a factoring algorithm is a complicated matter that has (to public knowledge) been restricted to expert academics. While nation-states could easily recruit or train experts, a criminal enterprise might have more difficulty. That said, a conservative assumption is that these costs are negligible for such an attacker: they could exfiltrate custom software from nation-states, a well-meaning academic could publish an open-source package that factoring “script kiddies” could use, or a factoring expert could find criminal factoring more lucrative. 1These estimates are 5 years out of date, but since this publication, AMD no longer publishes transistor counts and Apple does not publish individual component prices. 2Pessimistic from EMVco’s perspective; optimistic for the attacker. 3Throughout this document, “FLOPS” will mean “32-bit floating point operations per second”, while “FLOPs” means “32-bit floating point operations”. Samuel Jaques 3 103 Efficiency (GFLOPS/watt) 102 101 2010 2015 2020 2025 2030 2035 Year Figure 1: Energy efficiency over time, from the Green500 list. Beyond the implementation concerns, there is also maintenance of the hardware. Again, I will be pessimistic and assume these costs are negligible. Indeed, dedicated attackers might hijack other computing resources, a strategy that has happened before [BBC20]. 2.4 Comparison of Costs. My conclusion is that hardware and energy will be the limiting factors. Which is more impactful? Here I assume an attacker has a fixed time budget, and thus the hardware and energy costs will be approximately proportional: the complexity of factoring is a specific number of operations and it parallelizes nearly perfectly, so if an attacker needs to finish the attack within a specific time limit, each piece of hardware will run continuously for that time. I will assume 600 gates are necessary for each FLOP, based on a quadratic cost to multiply the 24-bit mantissa and rounded up. Since processor speeds plateaued at about 4 GHz around 2006, I will assume the number of FLOPS/transistor to stay constant as well. Currently AMD’s Instinct MI300A has 146 billion transistors and reaches 122.6 TFLOPS, giving 840 FLOPS/transistor. Given the extrapolated costs per transistor, an attacker buying one USD more of computing hardware and running it for 6 months would gain 261 FLOPs. An attacker buying one USD of energy would also get 261 operations. Thus, for any attack taking longer than 6 months, the energy cost is more significant. Because I assumed FLOPS/transistor to stay constant while energy costs decay only linearly and transistor costs decay exponentially, this tradeoff will change: by 2035, energy will be the dominant expense after only 5 months. For comparison, crack.sh currently charges USD$20 to crack DES. One DES operation is about 13 FLOPs so my estimate would predict $0.40 to break DES, suggesting I’m underestimating costs by a factor of about 500. 3 The Number Field Sieve The best known algorithm to factor large integers is the number field sieve (NFS) [BLP93]. It has a subexponential4 runtime of Ln [ 1 3 , 1 .923] , though Coppersmith provided a method 4Ln[α, c] = exp (c + o(1)) logα(n)(log log(n))1−α 4 The Cost of Factoring a 2048-bit Integer 70 Actual Complexity (log 2) 65 60 55 50 55 60 65 70 75 80 Predicted Complexity (log 2) Figure 2: Real versus predicted complexity of the number field sieve, from bit sizes 399,432, 466, 515, 768, 795, and 829. that could run at Ln[ 13 , 1.902] by solving subproblems with elliptic curve factoring; this may be more expensive in practice (see Section 3.4). The number field sieve parallelizes almost perfectly, though Bernstein claims that the the hardware-time product will grow as Ln [ 1 3 , 1. 976]. I will not use this cost and instead assume that if a competent adversary cannot fully utilize their hardware for factoring, they can dedicate the idle hardware to other profitable attacks like mining Bitcoin. The subexponential notation hides many small factors. At n ≈ 22048, I expect these small factors to genuinely be negligible compared to the dominant terms in the cost, but we still need to guess the constants. For this, I will use historic factoring records. In Figure 2 I compare the predicted cost, Ln[ 13 , 1.923], with the constants all set to 1, against the actual cost. The factoring records give core-years on specific CPUs; I translated this to FLOPs by assuming each core can compute 16 FLOPs per cycle. The smaller 4 values come from CADONFS benchmarks [Tea17] while the larger 3 are from factoring records [KAF+10, BGG+20]. The real-world data does not provide a clear picture. The records themselves nicely follow a cost curve of Ln [ 1 3 , 3 . 114], while the CADONFS benchmarks follow a curve of Ln [ 1 3 , 1 .663] , with neither fitting any of the theories. To reconcile this, I will use the theoretical formula Ln [ 1 3 , 1 .923] and adjust it by a constant based on the ratio of the predicted cost for the largest current factoring record (829) bits against the actual cost in estimated FLOPs (or equivalent operations). This gives Table 1. My justification is that there is no theoretical reason for cost scaling to improve on the the theory. While there are reasons to expect the theory to underestimate costs (memory access, challenges in sieving, etc.), I will continue to make assumptions favourable to an attacker. Broadly, factoring records may simply be incomparable: between different records there are improvements in hardware and substantial theoretical efforts to fine-tune particular instances. Indeed, this challenges my assumption of a “number field sieve script kiddie”, though my aim is still to be conservative. Finally, I note that the NFS predicts that 1984-bit RSA will be roughly 3 times cheaper to factor than 2048-bit RSA. Since the remainder of this section is based on the same cost scaling, this 3× factor will apply throughout. Samuel Jaques 5 Table 1: Predicted complexity of factoring, in FLOPs. The complexity for 829 bits is experimental data from [BGG+20]. Bit Size 829 1024 1536 1984 2048 Predicted Factoring Cost (log base 2) 71.3 78.9 95.5 107.5 109.0 $1000 trillion $1 trillion $1 billion 1024 bits 1536 bits 2048 bits 192 bits (ECDLOG) World GDP $1 million $1 thousand 2025 2030 2035 2040 2045 Year Figure 3: Estimated costs for factoring integers with the number field sieve. For comparison, 192-bit elliptic curve discrete log (ECDLOG) is also included; see Section 3.5 for more comparison between these problems. 3.1 Dollar Costs of Factoring Assuming an energy-limited computation, I can estimate the cost to factor in USD by combining the estimate of FLOPs/kWh, the cost of energy in USD/kWh, and the total number of FLOPs to factor, based on the extrapolations of these terms over time. This gives Figure 3. Table 2 summarizes the same data. I compared the costs to world GDP [Wor25] (assuming 3% GDP growth per year) to emphasize the absurd scale of these numbers. Factoring RSA-2048 will remain an almost unimaginable expenditure of resources until 2045, when it might be feasible for an extremely high-value target. Year 2025 2030 2035 2040 2045 Table 2: Estimated dollar costs of factoring. 1024 bits Cost $226,000 $56,000 $14,000 $3,500 $860 Cost $263 trillion $65 trillion $16 trillion $4 trillion $1 trillion 2048 Bits Cost as Percentage of World GDP 234% 50% 11% 2% 0.5% This estimate is 450× lower than the 2018 estimate of [DKL+18], who used current cloud computing costs to estimate $120,000 trillion to factor RSA-2048. 6 The Cost of Factoring a 2048-bit Integer 3.2 Memory Costs The number field sieve is a memory-intensive algorithm, as it needs to find Ln[ 13 , 1.9223 ] “relations”, which allow it to solve the final problem. Factoring an 829-bit number only required 233 such relations [BGG+20], so we should expect to need 252 relations to factor a 2048-bit number. Each relation is a list of prime factors of a number, which I estimate to need roughly 256 bits of space. This leads to a total memory cost of 260 bits. However, even at today’s costs, a 2 TB SSD (241 bytes) costs only around USD$80 for consumers. Purchasing 260 bits of memory at retail prices would only cost USD$7.8 million, so this is a negligible cost relative to the energy cost of the entire algorithm. One might wonder: could the algorithm be reparameterized to balance these costs, thus reducing the overall cost? Likely not: the final step of the NFS, a square root, has a complexity proportional to the square of the number of relations. 3.3 Custom Hardware Various proposals for customized factoring hardware have been proposed. These still perform the number field sieve (NFS), but perform certain steps (mainly sieving) faster or more efficiently. To contextualize these proposals, one of the details of the NFS is that the most expensive step is sieving, where enormous quantities of smaller numbers (I will call them “candidate numbers”) must be factored (if all of their prime factors are small) or discarded (otherwise). Specifically, the number of such numbers to factor is Ln [ 1 3 , 1. 923], which is asymptotically equal to the total cost of the number field sieve. The time to sieve each of these numbers is clearly important, but the asymptotic expression hides this extra cost. In the most extreme case, the estimate assumes the sieve will factor these numbers with the elliptic curve factorization [Cop93], which would have a superpolynomial runtime for each of the Ln [ 1 3 , 1.923] candidate numbers5. However, the asymptotic expression means that Ln [ 1 3 , 1 .923] · Ln[ϵ, δ] = Ln [ 1 3 , 1.923] for any ϵ < 13 , so we ignore these costs. Thus, my previous estimates implicitly make the assumption that the sieving step for 2048-bit numbers will have the same cost, per candidate number, as sieving for 829- bit numbers, despite the candidate numbers necessarily being larger. This seems like a conservative assumption; however, specialized hardware and algorithms could make this cost smaller than the costs of previous factoring records, which used consumer hardware. Such specialized approaches mainly considered 1024-bit factoring, so to estimate their cost for 2048-bit factoring, I will simply inflate the estimates for 1024-bit factoring by a factor of 230 to estimate the complexity of 2048-bit factoring, since factoring 2048-bit numbers requires sieving 230 more candidate numbers. SHARK [FKP+05] is a system designed specifically for factoring 1024-bit numbers with the NFS. They estimate $261 million to build the machine and $98 million for the energy to factor6. The extrapolations from Sections 2.1 and 2.2 give a 546× reduction in hardware costs and a 3800× increase in energy efficiency from 2005 to 2035, leading to $556 trillion to build the same machine at the size necessary to factor 2048-bit integers, and $29 trillion in energy to run such a machine. Slightly earlier, TWIRL was published [ST03], which is a device proposed to use roughly 247 transistors to factor RSA-1024 in a year. Increasing that cost to the sizes for RSA-2048, and using the 2035 transistor costs from Section 2.1, gives a cost of $33 trillion to build this machine. As discussed in Section 2.4, a year-long computation will cost more in energy than hardware, making this a lower bound on the cost of such factoring. Together these results suggest that specialized hardware will not radically change the overall costs. My guess is that in the 15 years since these proposals were published, 5Technically only some are factored this way, but the principle holds. 6Adjusted for inflation to 2025 dollars. Samuel Jaques 7 factoring teams found better ways to use commodity hardware, shrinking the gap in cost. While this situation could change in the future, I tentatively guess that my estimate will remain a lower bound, since the cost to sieve per candidate number should increase with the bitlength of the number being factored. 3.4 Coppersmith’s Improvement Coppersmith [Cop93] proposed an improvement from Ln[ 1 3 , 1.923] to Ln[ 1 3 , 1.903]; however, as mentioned in the last section, it relies on a relatively more expensive subroutine of sieving (specifically elliptic curve factorization (ECM)). It is used partially in current factoring records [BGG+20]. Considering 2048-bit integers, the reduction in cost would theoretically only be 2.3×. Not only does this make it less plausible that the benefit outweighs the cost of using ECM, it also makes little difference in the cost estimates given previously: the 2035 energy cost would drop from $16 trillion to $7 trillion, which is still essentially impossible. 3.5 Comparison to Elliptic Curves To compare to elliptic curves, the fastest algorithm to solve the discrete logarithm (DLOG) problem for an n-bit prime-modulus curves is Pollard’s rho, with cost proportional to 2n/2. For a quick estimate of its real-world costs, an attack in 2010 solved this problem with 35.6 Playstation 3 years for n = 112 [BKK+12]. A Playstation 3 can supply 204.8 GLOPS, suggesting a constant of 28.04 FLOPs. Since the main subroutines of elliptic curve DLOG have a cost quadratic in the bitlength, I extrapolated this constant to 28.76 FLOPs for a 256-bit curve, giving a total cost of 2136.8 FLOPs to break ECC-256. This would make 256-bit elliptic curves 220 million times harder to break than RSA2048. In fact, 192-bit elliptic curves make a better point of comparison, at a cost of 2104.5 FLOPs to break, roughly 23× cheaper to attack than RSA-2048. 4 Algorithmic Improvements Based on the previous analyses, even by 2035 we should be safe against attacks from the number field sieve, and in 2045 attacks will still be extremely expensive. However, the creators of RSA made similar calculations in 1977 when they published their scheme, and estimated that 664-bit numbers would take 3.8 billion years to factor. With exponential scaling in computing power, it should have taken until 2025 before someone could factor such numbers within a year. Yet, the first 663-bit number was instead factored in 2005, 20 years ahead of schedule. The failure of the original estimate was that factoring algorithms improved in parallel with the hardware. Thus, we should consider algorithmic improvements as well. There must be a best algorithm which would factor 2048 bit integers with the fewest resources. If we discover this algorithm, how will we know? Lower bounds consistently stump modern approaches to complexity theory, meaning we would likely just be guessing. Naturally, the 263-trillion dollar question: is the number field sieve the best algorithm? To visualize this, Figure 4 shows how the costs would change with the values α and c in the asymptotic complexity Ln[α, c]. Notably, if a Ln [ 1 4 , 3] algorithm were discovered, 2048 bit integers could easily be factored. The surprising fact about factoring algorithms is the lack of fundamental progress since 1993. More than 30 years have passed without publication of a more powerful algorithm. There was roughly 4 years between the publication of RSA and the qudratic sieve, then a 12 year gap between the quadratic sieve and the number field sieve, and then a 32 year gap to now. If we did have the best factoring algorithm, it would not be surprising to see 8 1 TD (historical) 0.8 Constant “α” 0.6 QS (’81) 0.4 CF (’31) NFS (’93) 0.2 The Cost of Factoring a 2048-bit Integer Known Algorithms $1.8 · 1025 $1.7 · 1019 $162 trillion $15 million $15 <$1 <$1 <$1 0 0 1 2 3 4 Constant “c” Figure 4: Level cost curves of algorithms with running time Ln[α, c]. The legend shows the cost to factor 2048-bit integers in 2025, given the hardware assumptions in Section 2. TD = trial division, CF = continued fractions [LP31], QS = Quadratic Sieve [Pom85], NFS = Number Field Sieve [BLP93]. research “dry up” like this. On the other hand, social factors could easily cause this as well. If researchers perceived factoring research to dry up, they might stop putting effort into the problem. A recent breakthrough in deterministic factoring [Har20] suggests this may not be the case. Moreover, there is an enormous amount of wealth and power secured with RSA (including not only EMV chips but most root web certificates) to incentivize this research. As Henry Cohn puts it, “[T]he number of people who have seriously tried [to improve factoring algorithms] must be on the order of magnitude of 100. It would be ridiculous to say ‘100 smart people tried and failed to solve this problem, so it’s clearly impossible,’ but that’s what most claims regarding the difficulty of factoring amount to.” [Coh22]. It seems treacherous to suppose that the number field sieve is the best factoring algorithm, but a more relevant question is whether a better algorithm will be discovered before 2035. Even further, a sudden breakthrough would be catastrophic to many sectors of society, not just EMV; is this a particular risk worth considering? 5 Quantum Computing An entirely orthogonal direction of hardware advance is quantum computing, which can factor in polynomial time with Shor’s algorithm. Unfortunately, quantum computing is in such early stages that there are no consistent trends to extrapolate from. Despite this, the main consensus is that quantum computers capable of factoring will need substantial overhead devoted to error correction, with the “surface code” taking the lead for most plausible error correction method. The authoritative estimate for quantum resources to factor RSA-2048 is from a 2019 paper appropriately titled “How to factor RSA-2048 in 8 hours with 20 million noisy qubits” [GE21]. In my opinion Google’s quantum computer is the largest and most powerful today thanks to its compelling demonstrations of the error correction necessary for a large-scale algorithm like factoring [Goo24]. Google’s device has 105 qubits. Thus, we are a factor of 20 million/105 = 190,000× away from factoring RSA-2048. Samuel Jaques 9 Ideally, we could simply multiply the cost of Google’s device by 190,000, but this information is not public. As an order-of-magnitude estimate, Rigetti spent $53 million on research and development in 2023 [Rig24] and manufactured an 83-qubit device. While this budget undoubtedly covered other costs, this gives a back-of-the-envelope estimate of $640,000 per qubit, suggesting $12.8 trillion to build a quantum computer capable of factoring RSA-2048. Even without any assumptions of costs decreasing over time, this is already cheaper than my projections for classical factoring. However, I caution that my margin of error in this estimate is extremely wide, and I expect the costs to decrease significantly in the coming years. There are two main reasons for my uncertainty, detailed in the sections below. 5.1 Inconsistent Hardware Progress As research and development continues in quantum computing, the cost of $640,000 per qubit is almost certain to decrease. But at what rate? In Section 2, the trends in energy efficiency and hardware costs were remarkably steady: R2 values for the trends are 0.975 and 0.942 respectively. In contrast, quantum computing progress is chaotic. Even restricted just to superconducting quantum computers from 2007 to 2020, [SR20] give a 90% confidence interval with a factor of 100 between the lowest and highest estimate for number of qubits in 2035. Moreover, even to get this, they needed to extrapolate based on just the best quantum processor reported in each year. Extrapolating based on all reported quantum processors shows barely any progress. That is, many published results were far worse than the best quantum computer, so much so that the average quantum device showed nearly no improvement. On top of that, there are many other possible quantum technologies. Currently there are ion traps, neutral atoms, bosonic systems, diamond vacancies, and more. Microsoft recently claimed to show Majorana qubits [Mic25], and Amazon is pursuing cat qubits [PNH+25]. Both approaches would change the amount and/or structure of the error correction necessary, which would change the target of 20 million qubits to a smaller value – possibly only 350 thousand [GRLR+23]. In short, I cannot accurately estimate how quantum computing will progress in the coming years because there are currently no trends in quantum computing. Again from [SR20], they estimate that RSA-2048 will be “feasible” to attack with quantum computers between 2039 and 2058 with a 90% confidence, with a median in early 2050. 5.2 Recent Research Progress My cost estimate for quantum factoring is based on the 2019 estimate [GE21], but this is likely out-of-date. There have been several advances in the years since: • new factoring algorithms [Reg25, CFS24] which may outperform Shor’s algorithm; • new multiplication algorithms [KMY24] (which are necessary subroutines of Shor’s algorithm); • new methods for operations on encoded qubits [GSJ24]. Combining these results could reduce the cost significantly. For example, the new methods in [GSJ24] make so-called “T states” about 100× cheaper than estimated in [GE21]. Creating T states was the most expensive step in the previous estimate, forcing the authors to use quantum addition circuits specifically designed to minimize T states at the expense of other metrics like qubit count and runtime. With cheap T states, other addition circuits might be more economical and could reduce costs by even more than a factor of 100. In turn, different addition circuits may favour the new multiplication or factoring algorithms, or not. 10 The Cost of Factoring a 2048-bit Integer Hence, it will take significant effort by experts in the field to carefully estimate these costs and update the 2019 resource estimate. This means that the margin of error in my estimate of the quantum costs is not only much wider than the margin of error for classical cost estimates, but the recent research progress represents a “known unknown” in the cost: we know that these results will reduce the quantum cost of factoring, but we do not yet know by how much. I recommend monitoring the literature for a new estimate in the near future. References [BBC20] [BGG+20] [BKK+12] Europe’s supercomputers hijacked by attackers for crypto mining. 2020. URL: https://www.bbc.com/news/technology-52709660. Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thomé, and Paul Zimmermann. Comparing the difficulty of factorization and discrete logarithm: A 240-digit experiment. In Daniele Micciancio and Thomas Ristenpart, editors, Advances in Cryptology – CRYPTO 2020, Part II, volume 12171 of Lecture Notes in Computer Science, pages 62–91. Springer, Cham, August 2020. doi:10.1007/978-3-030-56880-1_3. Joppe W. Bos, Marcelo E. Kaihara, Thorsten Kleinjung, Arjen K. Lenstra, and Peter L. Montgomery. Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. Int. J. Appl. Cryptol., 2(3):212–228, February 2012. [BLP93] J. P. Buhler, H. W. Lenstra, and Carl Pomerance. Factoring integers with the number field sieve. In Arjen K. Lenstra and Hendrik W. Lenstra, editors, The development of the number field sieve, pages 50–94, Berlin, Heidelberg, 1993. Springer Berlin Heidelberg. [CFS24] [Coh22] [Cop93] [DKL+18] [FKP+05] [GE21] Clémence Chevignard, Pierre-Alain Fouque, and André Schrottenloher. Reducing the number of qubits in quantum factoring. Cryptology ePrint Archive, Report 2024/222, 2024. URL: https://eprint.iacr.org/2024/222. Henry Cohn. Factoring may be easier than you think. Web Article, 2022. URL: https://cohn.mit.edu/factoring/. Don Coppersmith. Modifications to the number field sieve. Journal of Cryptology, 6(3):169–180, March 1993. URL: http://dx.doi.org/10.1007/ BF00198464, doi:10.1007/bf00198464. M. Delcourt, T. Kleinjung, A. K. Lenstra, S. Nath, D. Page, and N. Smart. Using the cloud to determine key strengths – triennial update. Cryptology ePrint Archive, Paper 2018/1221, 2018. URL: https://eprint.iacr.org/ 2018/1221. Jens Franke, Thorsten Kleinjung, Christof Paar, Jan Pelzl, Christine Priplata, and Colin Stahlke. SHARK: A realizable special hardware sieving device for factoring 1024-bit integers. In Josyula R. Rao and Berk Sunar, editors, Cryptographic Hardware and Embedded Systems – CHES 2005, volume 3659 of Lecture Notes in Computer Science, pages 119–130. Springer, Berlin, Heidelberg, August / September 2005. doi:10.1007/11545262_9. Craig Gidney and Martin Ekerå. How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. Quantum, 5:433, April 2021. doi: 10.22331/q-2021-04-15-433. Samuel Jaques 11 [Goo24] Google Quantum AI. Quantum error correction below the surface code threshold. Nature, 638(8052):920–926, December 2024. URL: http://dx.doi. org/10.1038/s41586-024-08449-y, doi:10.1038/s41586-024-08449-y. [GRLR+23] Élie Gouzien, Diego Ruiz, Francois-Marie Le Régent, Jérémie Guillaud, and Nicolas Sangouard. Performance analysis of a repetition cat code architecture: Computing 256-bit elliptic curve logarithm in 9 hours with 126 133 cat qubits. Phys. Rev. Lett., 131:040602, Jul 2023. URL: https://link.aps.org/doi/10.1103/PhysRevLett.131.040602, doi:10. 1103/PhysRevLett.131.040602. [GSJ24] Craig Gidney, Noah Shutty, and Cody Jones. Magic state cultivation: growing t states as cheap as cnot gates, 2024. URL: https://arxiv.org/abs/2409. 17595, arXiv:2409.17595. [Har20] David Harvey. An exponent one-fifth algorithm for deterministic integer factorisation. Math. Comput., 90:2937–2950, 2020. URL: https://api. semanticscholar.org/CorpusID:222291006. [KAF+10] Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, Joppe W. Bos, Pierrick Gaudry, Alexander Kruppa, Peter L. Montgomery, Dag Arne Osvik, Herman J. J. te Riele, Andrey Timofeev, and Paul Zimmermann. Factorization of a 768-bit RSA modulus. In Tal Rabin, editor, Advances in Cryptology – CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, pages 333–350. Springer, Berlin, Heidelberg, August 2010. doi:10.1007/978-3-642-14623-7_18. [KMY24] Gregory D. Kahanamoku-Meyer and Norman Y. Yao. Fast quantum integer multiplication with zero ancillas, 2024. URL: https://arxiv.org/abs/2403. 18006, arXiv:2403.18006. [LP31] D. H. Lehmer and R. E. Powers. On factoring large numbers. Bulletin of the American Mathematical Society, 37(10):770–776, 1931. URL: http://dx.doi.org/10.1090/S0002-9904-1931-05271-X, doi:10.1090/ s0002-9904-1931-05271-x. [LWS21] Patrick Longa, Wen Wang, and Jakub Szefer. The cost to break SIKE: A comparative hardware-based analysis with AES and SHA-3. In Tal Malkin and Chris Peikert, editors, Advances in Cryptology – CRYPTO 2021, Part III, volume 12827 of Lecture Notes in Computer Science, pages 402–431, Virtual Event, August 2021. Springer, Cham. doi:10.1007/978-3-030-84252-9_14. [Mel23] Jaran Mellerud. Energy arbitrage: Analyzing bitcoin mining’s historical revenue per kWh. 2023. URL: https://hashrateindex.com/blog/ energy-arbitrage-analyzing-bitcoin-minings-historical-revenue-per-kwh/. [Mic25] Microsoft Azure Quantum. Interferometric single-shot parity measurement in inas–al hybrid devices. Nature, 638(8051):651–655, February 2025. URL: http://dx.doi.org/10.1038/s41586-024-08445-2, doi:10.1038/ s41586-024-08445-2. [PNH+25] Harald Putterman, Kyungjoo Noh, Connor T. Hann, Gregory S. MacCabe, Shahriar Aghaeimeibodi, Rishi N. Patel, Menyoung Lee, William M. Jones, Hesam Moradinejad, Roberto Rodriguez, Neha Mahuli, Jefferson Rose, John Clai Owens, Harry Levine, Emma Rosenfeld, Philip Reinhold, Lorenzo Moncelsi, Joshua Ari Alcid, Nasser Alidoust, Patricio Arrangoiz-Arriola, 12 [Pom85] [Reg25] [Rig24] [SR20] [ST03] [Tea17] [TOP24] [UIC22] The Cost of Factoring a 2048-bit Integer James Barnett, Przemyslaw Bienias, Hugh A. Carson, Cliff Chen, Li Chen, Harutiun Chinkezian, Eric M. Chisholm, Ming-Han Chou, Aashish Clerk, Andrew Clifford, R. Cosmic, Ana Valdes Curiel, Erik Davis, Laura DeLorenzo, J. Mitchell D’Ewart, Art Diky, Nathan D’Souza, Philipp T. Dumitrescu, Shmuel Eisenmann, Essam Elkhouly, Glen Evenbly, Michael T. Fang, Yawen Fang, Matthew J. Fling, Warren Fon, Gabriel Garcia, Alexey V. Gorshkov, Julia A. Grant, Mason J. Gray, Sebastian Grimberg, Arne L. Grimsmo, Arbel Haim, Justin Hand, Yuan He, Mike Hernandez, David Hover, Jimmy S. C. Hung, Matthew Hunt, Joe Iverson, Ignace Jarrige, Jean-Christophe Jaskula, Liang Jiang, Mahmoud Kalaee, Rassul Karabalin, Peter J. Karalekas, Andrew J. Keller, Amirhossein Khalajhedayati, Aleksander Kubica, Hanho Lee, Catherine Leroux, Simon Lieu, Victor Ly, Keven Villegas Madrigal, Guillaume Marcaud, Gavin McCabe, Cody Miles, Ashley Milsted, Joaquin Minguzzi, Anurag Mishra, Biswaroop Mukherjee, Mahdi Naghiloo, Eric Oblepias, Gerson Ortuno, Jason Pagdilao, Nicola Pancotti, Ashley Panduro, JP Paquette, Minje Park, Gregory A. Peairs, David Perello, Eric C. Peterson, Sophia Ponte, John Preskill, Johnson Qiao, Gil Refael, Rachel Resnick, Alex Retzker, Omar A. Reyna, Marc Runyan, Colm A. Ryan, Abdulrahman Sahmoud, Ernesto Sanchez, Rohan Sanil, Krishanu Sankar, Yuki Sato, Thomas Scaffidi, Salome Siavoshi, Prasahnt Sivarajah, Trenton Skogland, Chun-Ju Su, Loren J. Swenson, Stephanie M. Teo, Astrid Tomada, Giacomo Torlai, E. Alex Wollack, Yufeng Ye, Jessica A. Zerrudo, Kailing Zhang, Fernando G. S. L. Brandão, Matthew H. Matheny, and Oskar Painter. Hardware-efficient quantum error correction via concatenated bosonic qubits. Nature, 638(8052):927–934, February 2025. URL: http://dx.doi.org/10.1038/s41586-025-08642-7, doi:10.1038/s41586-025-08642-7. Carl Pomerance. The quadratic sieve factoring algorithm. In Thomas Beth, Norbert Cot, and Ingemar Ingemarsson, editors, Advances in Cryptology, pages 169–182, Berlin, Heidelberg, 1985. Springer Berlin Heidelberg. Oded Regev. An efficient quantum factoring algorithm. J. ACM, 72(1), January 2025. doi:10.1145/3708471. Rigetti Computing, Inc. Annual report (form 10-k), 2024. URL: https://www.annualreports.com/HostedData/AnnualReports/PDF/ NASDAQ_RGTI_2023.pdf. Jaime Sevilla and C. Jess Riedel. Forecasting timelines of quantum computing, 2020. URL: https://arxiv.org/abs/2009.05045, arXiv:2009.05045. Adi Shamir and Eran Tromer. Factoring large number with the TWIRL device. In Dan Boneh, editor, Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 1–26. Springer, Berlin, Heidelberg, August 2003. doi:10.1007/978-3-540-45146-4_1. The CADO-NFS Development Team. CADO-NFS, an implementation of the number field sieve algorithm, 2017. Release 2.3.0. URL: http://cado-nfs. inria.fr/. Green500. 2024. URL: https://top500.org/lists/green500/. Electricity prices by year and adjusted for inflation. 2022. URL: https://www.usinflationcalculator.com/inflation/ electricity-prices-adjusted-for-inflation/. Samuel Jaques 13 [Wor25] World Bank Group. World development indicators databank, 2025. URL: https://databank.worldbank.org/reports.aspx?source=2&series=NY. GDP.MKTP.CD.