On March 30 and 31, 2026, two research preprints landed that will reshape how every organization thinks about cryptographic security.
The first, from Google Quantum AI, showed that the elliptic-curve cryptography protecting Bitcoin, Ethereum, and virtually every digital signature in production can be broken with fewer than 500,000 physical qubits. The second, from Caltech and a stealth startup called Oratomic, showed a different path requiring roughly 26,000 neutral-atom qubits.
The hard science is done. The engineering is not.
Both papers describe cryptanalytically relevant quantum computers. Not general-purpose machines. Not quantum simulators. Not quantum-inspired classical hardware. These are architectures purpose-built to run Shor's algorithm against the elliptic-curve discrete logarithm problem—the mathematical foundation of ECDSA, the signature scheme protecting virtually every blockchain transaction and most TLS handshakes in production today.
The cost estimates converge on a range between $13 million and $40 million, depending on the hardware platform, the error correction overhead, and the engineering timeline. At the upper bound, this is the price of a midsize corporate jet. At the lower bound, it is a Series A round.
Neither paper claims the machine can be built today. Both claim the path is now measurable in years and dollars rather than decades and miracles.
The resource estimates are collapsing
To appreciate why these papers matter, it helps to understand how fast the estimates have moved.
In 2019, Google published a widely cited analysis suggesting that breaking a 256-bit elliptic-curve key would require roughly 20 million physical qubits. That number was so large it functioned as a kind of psychological moat: even if quantum hardware improved dramatically, the finish line was too far away to worry about.
The new papers demolish that moat.
Google Quantum AI (March 31, 2026)
Target: 256-bit elliptic-curve discrete logarithm (ECDLP)
Architecture: Superconducting qubits with surface code error correction
Resource estimate: Fewer than 500,000 physical qubits
Reduction from 2019: ~40x fewer qubits
Key advance: Improved windowed arithmetic and optimized modular inversion circuits reduce the logical qubit count for elliptic-curve point addition by an order of magnitude. Combined with better surface code decoders and more aggressive magic state distillation, the physical qubit overhead drops proportionally.
Caltech / Oratomic (March 30, 2026)
Target: 256-bit ECDLP
Architecture: Neutral-atom qubits with hardware-native Toffoli gates
Resource estimate: ~26,000 physical qubits (neutral atoms)
Reduction from 2019: ~770x fewer qubits
Key advance: Neutral-atom platforms support native multi-qubit (Toffoli/CCZ) gates without decomposition into two-qubit gates, dramatically reducing circuit depth and error correction overhead. The paper also exploits the reconfigurable connectivity of optical tweezer arrays to minimize swap overhead in the elliptic-curve arithmetic circuits.
The Google result brings the superconducting path into the range of a large but not extraordinary engineering project. The Caltech/Oratomic result suggests that a different hardware platform could reach cryptanalytic relevance with a machine that fits in a single room.
This is not just a cryptocurrency problem
The immediate media coverage focused on Bitcoin. That is understandable—there is roughly $1.7 trillion in Bitcoin alone secured by ECDSA signatures, and the blockchain's immutable ledger means you cannot simply rotate keys without moving funds. An attacker who can solve ECDLP can derive private keys from public keys, and approximately 4 million BTC (roughly $250 billion at current prices) sit in addresses whose public keys are already exposed on-chain.
But ECDSA does not only protect cryptocurrency. It protects:
- TLS handshakes—the majority of HTTPS connections negotiate ECDHE key exchange, which relies on the same elliptic-curve math.
- Code signing—software updates for operating systems, firmware, and IoT devices are authenticated with ECDSA signatures.
- Document and identity attestation—eIDAS digital signatures, FIDO2/WebAuthn hardware keys, and government PKI infrastructure.
- Financial messaging—SWIFT, FedNow, and interbank settlement systems use elliptic-curve cryptography in their authentication layers.
A purpose-built Shor machine does not need to attack all of these simultaneously. It needs to attack one high-value target to demonstrate capability, at which point the credible threat forces emergency migration across every system that depends on the same math.
Government agencies are even further behind
Federal systems hold the most sensitive long-lived data on Earth: classified intelligence, defense plans, diplomatic communications, healthcare records, tax data, and critical infrastructure controls. The legal framework for migration has been in place since 2022. NSM-10, OMB M-23-02, the Quantum Computing Cybersecurity Preparedness Act, and CNSA 2.0 all require federal agencies to inventory cryptographic systems, prioritize assets, and begin migration.
The deadlines are concrete. CNSA 2.0 requires all new National Security System acquisitions to be PQC-compliant by January 2027. NIST targets deprecation of quantum-vulnerable algorithms by 2030 and full disallowance by 2035. The Department of Defense aims to implement NIST-approved PQC algorithms by 2030.
But the inventory is not done. Federal agencies were directed to submit cryptographic inventories of high-value assets beginning in 2023. As of early 2026, whether agencies are still submitting annual inventories under M-23-02 is unclear. CISA's own strategy for automated cryptographic discovery tools is still being piloted, not deployed at scale.
The migration cost is massive. The Biden administration estimated the cost of migrating all U.S. federal civilian agencies to PQC at over $7 billion. Defense and intelligence systems add to the total. No comparable budget line has been publicly allocated.
Most agencies are still in the inventory phase, four years after the mandate was issued. Enterprise vendors selling to the federal government face CNSA 2.0 procurement deadlines starting January 2027. The gap between mandate and execution is wider in government than in any other sector.
Why neutral atoms change the cost equation
The Caltech/Oratomic paper is particularly striking because neutral-atom platforms have fundamentally different economics than superconducting processors.
Superconducting qubits require dilution refrigerators operating at 15 millikelvin—colder than outer space. Each refrigerator costs $1–3 million, supports a limited number of qubits, and demands specialized cryogenic infrastructure. Scaling to 500,000 physical qubits would require either a dramatically larger cryostat or a modular network of interconnected refrigerators, each adding cost and engineering complexity.
Neutral-atom systems operate at room temperature (for the vacuum chamber and laser systems) with atoms cooled and trapped individually by optical tweezers. The qubit count scales by adding more laser-addressed sites in the array, not by building more cryogenic infrastructure. The dominant costs are the laser systems, the ultra-high vacuum chamber, and the classical control electronics.
A rough cost model for a 26,000-atom special-purpose machine:
| Component | Estimated Cost |
|---|---|
| Laser systems (trapping, cooling, Rydberg excitation) | $3–5M |
| Ultra-high vacuum system | $2–3M |
| Classical control electronics and FPGA systems | $3–5M |
| Systems integration, calibration, and engineering | $5–7M |
| Total estimated hardware cost | $13–20M |
These are component costs, not retail prices from a quantum computing vendor. They assume a well-funded lab or defense contractor building from subsystems, not purchasing a turnkey product. The engineering talent required to integrate these components into a functioning cryptanalytic machine would add further cost—but the hardware itself is within reach of budgets that nation-states and large enterprises already allocate to signals intelligence and offensive cyber programs.
Timeline scenarios
The timeline depends on which hardware path proves most tractable and how quickly the remaining engineering challenges are resolved. Three scenarios bracket the range:
| Scenario | Cost Range | Timeline | Key Assumption |
|---|---|---|---|
| Optimistic | $13–18M | 2029–2030 | Neutral-atom error rates reach threshold by 2028; Oratomic or equivalent delivers hardware-native Toffoli gates at scale |
| Base case | $18–25M | 2030–2032 | Superconducting path reaches 500K qubits via modular interconnects; error correction overhead matches Google projections |
| Pessimistic | $30–50M+ | 2033–2036+ | Error correction overhead is 2–3x worse than projected; qubit coherence plateaus; requires next-generation hardware |
In all three scenarios, the cost of a purpose-built Shor machine falls within the budget range of a nation-state intelligence program or a well-funded private effort. The question is not whether it is affordable. The question is when the engineering matures enough to build it. Economically plausible is not the same as operationally imminent. But for organizations whose migration timelines are measured in years, the distinction between “plausible by 2029” and “certain by 2029” may not matter as much as the planning window it creates.
A purpose-built quantum computer capable of breaking elliptic-curve cryptography would cost roughly the same as a mid-tier Super Bowl ad buy. The machine that breaks public-key cryptography costs less than 30 seconds of airtime. This machine would appreciate every time someone publishes a new optimization.
Special-purpose machines ship first
The history of quantum computing already demonstrates this pattern. D-Wave shipped its first commercial quantum annealer in 2011. It could not run Shor's algorithm. It could not do universal gate-based computation. It solved a narrow class of optimization problems, and it solved them well enough for Lockheed Martin to pay for one.
By 2017, D-Wave's 2000Q system sold for approximately $15 million. It was still special-purpose. It was still not a threat to cryptography. But it proved that quantum hardware could be built, sold, and operated outside of a physics lab at price points accessible to defense contractors and large enterprises.
A cryptanalytic Shor machine follows the same economic logic. It does not need to be a universal quantum computer. It does not need to run Grover's algorithm, quantum simulation, or quantum machine learning. It needs to factor large numbers or solve discrete logarithms—one specific computation, optimized to the exclusion of everything else. That constraint dramatically reduces the engineering complexity.
The hardware roadmap supports the trajectory
Several developments in neutral-atom quantum computing align with the trajectory described in the Caltech/Oratomic paper:
- Harvard/MIT (Endres group, 2024): Demonstrated reconfigurable arrays of 6,100 neutral atoms with individual control—the largest qubit register demonstrated on any platform.
- QuEra Computing (2025): Raised $230 million to build error-corrected neutral-atom quantum computers, with a public roadmap targeting 10,000+ logical qubits by 2030.
- Pasqal (2025): Deployed 1,000+ atom arrays and announced partnerships with European defense agencies for quantum simulation applications.
- Atom Computing (2024): Demonstrated a 1,180-qubit neutral-atom system with coherence times exceeding 40 seconds—orders of magnitude longer than superconducting qubits.
None of these systems can run Shor's algorithm today. But they demonstrate that the physical qubit counts, coherence times, and gate fidelities required by the Caltech/Oratomic architecture are on established scaling trajectories, not speculative extrapolations.
What could go wrong
Intellectual honesty demands a clear-eyed accounting of the risks to these projections. Four deserve specific attention:
1. Error correction overhead may be worse than modeled. Both papers assume error rates and code distances that have not yet been demonstrated at scale. If physical error rates plateau above the threshold required for surface code or other error-correcting codes, the qubit overhead could increase by 2–10x, pushing the cost and timeline into the pessimistic scenario or beyond.
2. Coherence times may not scale. Neutral-atom systems have demonstrated impressive coherence times at small scale (40+ seconds for Atom Computing's 1,180-qubit system). Whether these times hold as arrays scale to 26,000 atoms with active error correction running is an open engineering question.
3. Classical control electronics could become the bottleneck. Running Shor's algorithm on a 26,000-qubit machine requires real-time classical processing to decode error syndromes and apply corrections faster than errors accumulate. The classical computing requirements for this feedback loop at the scale and speed required are non-trivial and may require custom ASIC development.
4. The ~26,000 qubit estimate may prove impractical. The Caltech/Oratomic paper assumes hardware-native Toffoli gates with fidelities that have not yet been demonstrated in neutral-atom systems. If these gates require decomposition into two-qubit gates (as they do on superconducting platforms), the resource estimate would increase significantly, potentially converging with the Google superconducting estimate.
What would have to be true for this thesis to be wrong? Three things. First, qLDPC error correction codes would have to underperform at scale, with the physical-to-logical ratio landing at 30:1 instead of 10:1, requiring roughly 78,000 physical qubits and pushing cost above $60 million. Second, two-qubit gate fidelity would have to stall below 99.9%, meaning fault-tolerant operation across 26,000 atoms simultaneously remains out of reach. Third, classical control electronics would have to hit a scaling wall, with real-time feedback across 26,000 qubits at microsecond precision proving more stubborn than current trajectories suggest. If all three hold, the thesis is wrong. If any two close, the machine becomes a question of cost and calendar, not feasibility.
These risks are real. They are also engineering risks, not physics risks. The underlying mathematics of Shor's algorithm has been proven for thirty years. The question is not whether the algorithm works but whether the hardware can be built to run it. That is a categorically different kind of uncertainty than “we do not know if this is possible.”
The economics of quantum attack
The cost framing matters because it determines who can build the machine. At $20 billion, only the United States and China could plausibly fund it. At $20 million, the list of potential builders expands to include:
- Any nation-state with a signals intelligence program
- Defense contractors and national laboratories
- Well-funded criminal syndicates and ransomware operators
- Sovereign wealth funds with strategic interests
- Large technology companies pursuing competitive intelligence
For comparative scale:
$20M — Cost of a single F-35 engine (Lot 18, 2025)
$18–25M — Base-case estimate for a purpose-built Shor machine
$25M — Average Series B round in enterprise cybersecurity (2025)
$100M+ — Value of a single compromised institutional crypto wallet
$Billions — Value of harvest-now-decrypt-later archives accumulated by state actors over the past decade
When the cost of building the attack machine is two orders of magnitude less than the value of what it can unlock, the economic incentive is not theoretical. It is arithmetic.
The implications for every organization
If you are a CISO: Your threat model just changed. The question is no longer “will quantum computers break our cryptography?” but “will we finish migrating before someone finishes building the machine?” These papers compress your planning horizon from “someday” to “this decade.”
If you sit on a board: You now have a fiduciary duty to ask whether your organization has a post-quantum migration plan. Not a quantum strategy deck. A plan with dates, budgets, and accountability. The SEC has made clear that material cybersecurity risks must be disclosed. A $20 million machine that can derive private keys from public keys is a material risk.
If you manage critical infrastructure: NIST's 2029 deadline for federal PQC migration was set before these papers were published. The deadline now looks less like an aggressive target and more like the minimum viable timeline. If your migration plan assumed you had until 2035, revise it.
If you hold cryptocurrency: The BTC addresses with exposed public keys (~4 million BTC, ~$250 billion) cannot be secured by a software update. The only defense is to move funds to addresses whose public keys have never been exposed on-chain. The window to do this safely is before someone demonstrates the capability, not after.
If you work in national security: A $20 million special-purpose Shor machine is within the demonstrated budget range of multiple state-sponsored offensive cyber programs. The assumption that only the U.S. and China could build one is no longer safe. Plan accordingly.
The question is no longer whether quantum computers will break public-key cryptography. The question is whether your organization will finish migrating before someone finishes building the machine.
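The exposure check behind the advice to cryptocurrency holders above, and behind the earlier figure for coins whose public keys are already exposed on-chain, can be run against a wallet's own unspent outputs. This is an added example, not code from the article or the cited papers: the byte patterns are the standard Bitcoin output templates, while the sample UTXOs, the filler key and hash bytes, and the `spent_before` flag are constructed for illustration.

```python
"""Added example: sort a wallet's own UTXOs by on-chain public-key exposure."""

def _is_pubkey(b):
    # SEC1 encodings: compressed (33 bytes, 0x02/0x03) or uncompressed (65 bytes, 0x04).
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)

def classify(script_hex):
    """Map a scriptPubKey to (template, key_visible_in_output).

    key_visible_in_output is None when the template is not recognised.
    """
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC and _is_pubkey(s[1:-1]):
        return "p2pk", True              # <pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", False            # only HASH160(pubkey) is published
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", False             # only the script hash is published
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False           # witness v0 key hash
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", False            # witness v0 script hash
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True              # witness v1 program is the x-only output key
    if n >= 37 and 0x51 <= s[0] <= 0x60 and s[1] in (33, 65) and s[-1] == 0xAE:
        return "bare-multisig", True     # OP_m <pubkey>... OP_n OP_CHECKMULTISIG
    return "unknown", None

def audit(utxos):
    """Bucket UTXOs given as (script_hex, value_sats, spent_before).

    A hash-based output hides the key only until the first spend from that
    script reveals it in the input, so earlier spending counts as exposure.
    """
    report = {"exposed": [], "hidden": [], "review": []}
    for script_hex, sats, spent_before in utxos:
        template, visible = classify(script_hex)
        if visible is None:
            bucket = "review"            # unrecognised script: inspect by hand
        elif visible or spent_before:
            bucket = "exposed"
        else:
            bucket = "hidden"
        report[bucket].append((template, sats))
    return report

def exposed_sats(report):
    return sum(sats for _, sats in report["exposed"])

# Constructed sample data: filler bytes, not real keys, hashes or addresses.
PUBKEY = "02" + "11" * 32
H20, H32 = "22" * 20, "33" * 32
SAMPLE_UTXOS = [
    ("21" + PUBKEY + "ac", 5_000_000_000, False),   # P2PK
    ("76a914" + H20 + "88ac", 120_000_000, False),  # P2PKH, never spent from
    ("76a914" + H20 + "88ac", 30_000_000, True),    # P2PKH, address reused
    ("0014" + H20, 75_000_000, False),              # P2WPKH, never spent from
    ("5120" + H32, 10_000_000, False),              # P2TR
    ("6a04deadbeef", 0, False),                     # OP_RETURN data, no key template
]

if __name__ == "__main__":
    result = audit(SAMPLE_UTXOS)
    print(result, exposed_sats(result))
```

Outputs in the `exposed` bucket are the ones to move first; `hidden` outputs lose that status the moment any coin is spent from the same script.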
From The Quantum Almanac
This analysis expands on the resource estimation framework developed in The Quantum Almanac 2026-2027, which tracks the convergence of quantum hardware capabilities, cryptographic vulnerability timelines, and enterprise migration readiness across every major sector.
The operational platform built alongside the research in this book—QScout for cryptographic discovery, QStrike for adversarial quantum demonstration, QSolve for CISO-led migration advisory, and Qtonic Lab for independent implementation scoring—is available at qtonicquantum.com.
Sources
- Google Quantum AI, “Quantum Resource Estimates for Elliptic Curve Cryptanalysis with Optimized Windowed Arithmetic,” Preprint, March 31, 2026.
- Caltech / Oratomic, “Breaking Elliptic Curve Cryptography with 26,000 Neutral-Atom Qubits Using Hardware-Native Toffoli Gates,” Preprint, March 30, 2026.
- Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433 (2021). DOI: 10.22331/q-2021-04-15-433.
- Roetteler et al., “Quantum resource estimates for computing elliptic curve discrete logarithms,” ASIACRYPT 2017, Springer LNCS 10625 (2017).
- H. Endres et al., “Atom-by-atom assembly of defect-free one-dimensional cold atom arrays,” Science 354, 1024 (2016); D. Bluvstein et al., “A quantum processor based on coherent transport of entangled atom arrays,” Nature 604, 451 (2022).
- QuEra Computing, Series B announcement, 2025. “10,000+ logical qubits by 2030” roadmap.
- Atom Computing, “1,180-qubit neutral atom system with 40-second coherence times,” Demonstration, 2024.
- D-Wave Systems, Inc., “D-Wave 2000Q” commercial quantum annealer. Unit price ~$15M (2017).
- NIST, “Transition to Post-Quantum Cryptography Standards,” IR 8547, November 2024. Federal migration deadline: 2029.
- Deloitte, “Quantum Threat to Bitcoin: Analysis of ECDSA-Exposed Addresses,” 2025. Estimates 4M BTC with exposed public keys.
- U.S. Securities and Exchange Commission, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” Final Rule, July 2023.
- J. Nathaniel Ader, The Quantum Almanac 2026-2027: Signal Over Noise on Quantum Risk to Data Security, Qtonic Quantum Corp, 2026. ISBN 979-8250257756.
About the Author
J. Nathaniel Ader is the author of The Quantum Almanac 2026-2027 and Co-Founder and Chief Innovation Officer of Qtonic Quantum Corp, an independent quantum security advisory helping Fortune 1000 companies prepare for the post-quantum transition. The Almanac tracks 72 signal events, maps quantum risk across 12 sectors, and provides the frameworks CISOs and board directors need to make evidence-based migration decisions before the NIST 2029 deadline.
Disclaimer: This article is an analysis of publicly available research preprints and does not constitute investment advice, security guidance, or an endorsement of any quantum computing vendor or cryptocurrency. Cost estimates are based on publicly available component pricing and are approximations intended for strategic planning context, not engineering specifications. Organizations should consult qualified cryptographic and security professionals before making migration decisions.
© 2026 J. Nathaniel Ader. All rights reserved. Published at thequantumalmanac.com.