IQM and Fraunhofer FOKUS compile Shor's algorithm for 2048-bit RSA keys

    RSA-2048 encryption protects a significant share of internet traffic, banking transactions, and government communications. Breaking it has long been the theoretical endpoint of quantum computing research, a benchmark cited in academic papers but treated as a distant engineering problem. IQM Quantum Computers and Fraunhofer FOKUS have now moved that benchmark into concrete territory. Their update to the Eclipse Qrisp framework, version 0.8, produced the first complete gate-level compilation of Shor's algorithm targeting 2048-bit RSA keys, with an exact qubit count and a gate-by-gate assembly running at 109 gates per second.

    That last detail matters more than it might seem. Previous estimates of what it would take to break RSA-2048 using a quantum computer were largely theoretical, built on asymptotic analysis and rough resource approximations. This compilation produces a precise engineering target. Security teams and cryptographers now have an actual number to work with rather than a range of estimates spread across academic literature.

    What gate-level compilation actually means

    Quantum algorithms are typically described at a high level of abstraction, specifying operations in terms of mathematical gates without accounting for the specific hardware they will run on. Gate-level compilation is the step that translates that abstract description into a sequence of physical operations a real quantum processor can execute. It accounts for qubit connectivity, error rates, and gate fidelity on actual hardware.

    For Shor's algorithm, which factors large integers by exploiting quantum superposition and interference, the gap between a high-level description and a hardware-ready implementation is enormous. The circuit depth required to factor a 2048-bit number is staggering. What IQM and Fraunhofer FOKUS did was complete that translation in full, producing a circuit that specifies every gate operation in sequence. The 109 gates per second figure reflects how quickly the Qrisp compiler generates that circuit, which is relevant for iterating on optimizations.

    The qubit budget and why it changes the security conversation

    Prior estimates for the number of logical qubits needed to run Shor's algorithm against RSA-2048 have varied widely, with figures in academic literature ranging anywhere from a few thousand to several million depending on the error correction assumptions used. The Qrisp 0.8 compilation produces a specific qubit budget tied to concrete circuit parameters rather than asymptotic bounds. That specificity is useful in both directions: it tells hardware builders what they need to hit, and it tells security planners exactly how far current quantum hardware sits from being a real threat.

    Current fault-tolerant quantum computers operate with logical qubit counts in the hundreds at most. The gap between that and what Shor's algorithm needs for RSA-2048 remains large. But having a precise target means the timeline for closing that gap can be tracked with actual milestones rather than vague projections. That is a different kind of pressure on the organizations responsible for cryptographic infrastructure.

    What Eclipse Qrisp 0.8 adds beyond this compilation

    Qrisp is an open-source quantum programming framework developed under the Eclipse Foundation. Version 0.8 introduced compiler improvements that enable automatic gate synthesis at a scale not previously supported by the framework. The Shor's algorithm compilation is the largest circuit the framework has produced, but the underlying compiler changes apply to any sufficiently complex quantum circuit.

    IQM contributed hardware-specific optimizations to the release, targeting the gate sets and connectivity graphs of their superconducting quantum processors. Fraunhofer FOKUS, which focuses on applied research in digital infrastructure and security, contributed the cryptographic workload specification and validation. The collaboration between a hardware vendor and an applied research institute is part of why the result is more directly applicable to real security planning than a purely academic publication would be.

    Implications for finance, cloud, and communications security

    RSA-2048 remains in active use across TLS certificates, VPN tunnels, code signing infrastructure, and financial transaction systems. The National Institute of Standards and Technology finalized its first post-quantum cryptography standards in August 2024, including CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures. Those standards exist precisely because the quantum threat to RSA was anticipated, but migration timelines in large organizations are measured in years, not months.

    The IQM and Fraunhofer FOKUS result does not change the immediate threat level. No machine capable of running this compiled circuit exists yet. What it does is give security architects a concrete reference point for urgency calculations. Organizations that have deferred post-quantum migration planning now have a more specific answer to the question of what, exactly, they are migrating away from, and what hardware capability would need to exist before their current encryption becomes vulnerable.

    The harvest-now-decrypt-later attack model is the more pressing concern in the near term. In this scenario, adversaries collect encrypted traffic today with the intention of decrypting it once sufficient quantum hardware exists. Long-lived sensitive data, including classified government communications, proprietary research, and financial records retained for regulatory compliance, is already at risk from this approach regardless of when a Shor-capable machine actually arrives. The Qrisp 0.8 result adds precision to how organizations should think about that window.

    Frequently Asked Questions

    Q: Does this mean RSA-2048 encryption can be broken right now?

    No. The compilation specifies what a quantum computer would need to execute Shor's algorithm against RSA-2048, but no machine with the required number of fault-tolerant logical qubits exists today. Current quantum hardware is still many orders of magnitude short of that threshold.

    Q: What is the harvest-now-decrypt-later threat and should organizations worry about it?

    This attack involves collecting encrypted data today and storing it until a sufficiently powerful quantum computer becomes available to decrypt it. Organizations handling data that will remain sensitive for ten or more years, such as medical records, classified communications, or long-term financial data, should treat this as an active concern rather than a future one.

    Q: What post-quantum encryption standards should organizations be moving to?

    NIST finalized three post-quantum cryptography standards in August 2024: CRYSTALS-Kyber for key encapsulation, CRYSTALS-Dilithium for digital signatures, and SPHINCS+ as a stateless hash-based signature scheme. Most major cloud providers and browser vendors have begun or completed integration of these standards.

    Q: What is Eclipse Qrisp and who can use it?

    Qrisp is an open-source quantum programming framework maintained under the Eclipse Foundation. It is publicly available and designed to help researchers and developers write high-level quantum algorithms that can be compiled down to hardware-specific gate sequences. Version 0.8 is available on the Eclipse Foundation's repository.

    Q: How does gate-level compilation differ from a theoretical algorithm description?

    A theoretical description specifies what operations a quantum algorithm performs without accounting for real hardware constraints like qubit connectivity and gate fidelity. Gate-level compilation translates that into an exact sequence of physical operations a specific quantum processor can run, including all error correction overhead and hardware-specific optimizations.
