6

I'm a graduate student in physics, and I’m looking for academic papers that estimate the number of logical qubits required for real-world quantum computing applications, particularly breaking RSA cryptography.

I want to cite reliable sources in my final work to provide readers with a clear picture of how far the current logical qubit benchmarks are across different quantum computing platforms. If there are recent papers that analyze these requirements, I would greatly appreciate any references.

2 Answers

12

In "Reducing the Number of Qubits in Quantum Factoring" (2024), Chevignard et al. prove you can factor an $n$-bit number with $(0.5 + \epsilon)n$ logical qubits. Concretely, they estimate 1730 logical qubits to factor a 2048-bit semiprime.

Before 2024 the best lower bound was $1.5n$ logical qubits from Zalka, though a full construction was never provided. There have also been various $2n \pm O(\log n)$ constructions from Beauregard, from Häner, and from me.

Note that these estimates very commonly exclude fault tolerance overheads, routing overheads, and magic state distillation overheads. Those costs are not negligible. For real space cost estimates, you don't necessarily want to minimize logical qubits. For example, in the 2019 cost estimate we used a $3n$ logical qubit construction because the physical qubit savings from a lower code distance due to running faster outweighed using fewer logical qubits.

Craig Gidney
2

How many logical qubits are needed for RSA breaking?

It depends on many things, as the other answer has pointed out.

However, the most straightforward textbook answer is that $x$ logical qubits are needed, where

$$ x = 3n + 1 + \left\lceil \log\left(2+\frac{1}{2\epsilon}\right) \right\rceil\tag{1} $$

In Eq. (1), the bit length of the RSA number is $n$ and the probability to succeed is $1-\epsilon$. The $\epsilon$ dependence is mercifully weak. (Of these $x$ qubits, $2n + 1 + \lceil{\log(2+\frac{1}{2\epsilon})}\rceil$ are initialized to $|0\rangle$ and $n$ are initialized to $|1\rangle$ in the textbook algorithm.)

The number shown in Eq. (1) is the number of qubits used in the order-finding part of the RSA factoring algorithm. The other steps can be handled classically, so the order-finding is the only place you really need a quantum computer.


Citation: M. Nielsen & I. Chuang "Quantum Computation and Quantum Information" at Chapter 5.

hft
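The split described in the answer above, as an added example that is not part of either answer or of the cited textbook: the register sizes from Eq. (1), plus the classical steps that turn an order $r$ into a factor. It assumes the logarithm is base 2, that $N$ is an odd semiprime, and that `order_classical` (a hypothetical brute-force helper) stands in for the quantum order-finding step; $N = 3233 = 53 \times 61$ is a constructed toy modulus.

```python
import math
import random

def textbook_qubits(n, eps):
    """Eq. (1): t phase-estimation qubits plus an n-qubit work register."""
    # Assumption: log is base 2.
    t = 2 * n + 1 + math.ceil(math.log2(2 + 1 / (2 * eps)))
    return t + n

def order_classical(a, N):
    """Stand-in for quantum order finding: smallest r > 0 with a^r = 1 (mod N).
    Brute force, exponential in the bit length, so only usable for toy N."""
    r, y = 1, a % N
    while y != 1:
        y = (y * a) % N
        r += 1
    return r

def factor_from_order(N, rng):
    """Classical wrapper around order finding (assumes N is an odd semiprime)."""
    while True:
        a = rng.randrange(2, N - 1)
        g = math.gcd(a, N)
        if g > 1:
            return g                    # a already shares a factor with N
        r = order_classical(a, N)       # the only step needing a quantum computer
        if r % 2:
            continue                    # odd order: retry with another a
        h = pow(a, r // 2, N)
        if h == N - 1:
            continue                    # a^(r/2) = -1 (mod N): retry
        # Now h^2 = 1 (mod N) with h != +-1, so gcd(h - 1, N) is a proper factor.
        return math.gcd(h - 1, N)

if __name__ == "__main__":
    N = 3233                            # constructed toy modulus, 53 * 61
    p = factor_from_order(N, random.Random(1))
    print(f"{N} = {p} * {N // p}")
    print("Eq. (1) qubits for n=2048, eps=0.25:", textbook_qubits(2048, 0.25))
```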