Will IBM's Condor quantum processor run Shor's Algorithm to crack a 256-bit Elliptic Curve key?

Question

Yesterday IBM announced that they have a 433 bit quantum computer, called Osprey. There is nothing in the press releases I can find that says whether it can or cannot run Shor's Algorithm.

They also say they are on track to release "Condor", an 1121 bit processor next year.

Shor's algorithm, as far as I know, requires twice the number of bits in the key, so a 256 bit key requires 512 qubits to crack. Hence Osprey cannot do this, but apparently Condor will be able to.

256-bit keys are widely used - for example Ed25519 as used by Bitcoin, and is a valid TLS algorithm.

Is it expected that Osprey will be able to run Shor's algorithm?

If it can, how can the loss of security best be mitigated?

Answer 1

No. The issue here is the distinction between physical qubits and logical qubits. The back of the envelope estimate for Shor's algorithm for a 256-bit elliptic curve is 512 logical qubits, but a more accurate costing by Roeteller et al is 2330 logical qubits.

Logical qubits are idealised computational resources that would need a perfectly engineered physical qubit to achieve. The Osprey chip and its ilk have physical qubits that degrade over time and perform operations with a certain error rate. Instead several physical qubits of the Osprey sort would be need to emulate the behaviour of a logical qubit using quantum error correction. Estimates for the number of physical qubits required to break 256-bit ECC in one hour (and these physical qubits would still be to a high engineering specification, perhaps beyond that of Condor) is $317\times 10^6$ per work by Webber et al. Similarly, they quote $13\times 10^6$ physical qubits of this high quality to solve this problem inside a day.