No, RSA-1024 Was Not Broken. Here's the Math.
A screenshot claiming RSA1024-1 was factored by a home-built QPU went viral with 329K views. The math says otherwise. Here's the full breakdown.
A screenshot went viral yesterday. 329,000 views and climbing. The claim: a researcher used a "home-built QPU stack" to factor RSA1024-1, calling it an "alarming sign that RSA-1024 will soon be broken."
It isn't. Here's exactly why — and why the distinction matters more than the headline.
The Number That Was Actually Factored
RSA1024-1 is not an RSA modulus. It is 2^1024 − 1.
These are fundamentally different objects:
| | RSA-1024 modulus | 2^1024 − 1 |
|---|---|---|
| Structure | Product of exactly two large primes p × q | Mersenne-style composite with many small factors |
| Why hard to factor | No known subexponential classical algorithm for generic semiprimes | Not hard — classical algorithms handle it in seconds |
| Relation to RSA security | IS the RSA security assumption | Has zero relation to RSA security |
2^1024 − 1 is highly composite. Its factorization has been partially known since the 19th century. Euler, Mersenne researchers, and modern GIMPS volunteers have catalogued factors of numbers of this form for decades. Running Shor's algorithm on 2^1024 − 1 is the cryptographic equivalent of announcing you've "broken" a safe by opening it with the combination written on a Post-it note taped to the door.
A classical Python script can verify this:
```python
from sympy import factorint

n = 2**1024 - 1
print(factorint(n, limit=10000))
# Completes in under 2 seconds on any laptop
```
This tells us nothing about the hardness of factoring RSA moduli.
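The structure behind that result can be shown without any factoring library. The following is an added example, not code from the original post: it splits 2^1024 − 1 by repeated difference of squares into the Fermat numbers F_0 through F_9, then runs a quick triage that a defender could apply to any claimed "RSA modulus". The function names and `STAND_IN` (a constructed product of two known Mersenne primes, not a real RSA key) are assumptions made for the illustration.

```python
from math import prod

def fermat_split(k):
    """Factors of 2^(2^k) - 1 by repeated difference of squares: F_i = 2^(2^i) + 1."""
    return [2 ** (2 ** i) + 1 for i in range(k)]

def fermat_split_ok(k):
    """Check that F_0 * ... * F_(k-1) really equals 2^(2^k) - 1."""
    return prod(fermat_split(k)) == 2 ** (2 ** k) - 1

def primes_below(bound):
    """Sieve of Eratosthenes: all primes p < bound (bound >= 2)."""
    sieve = bytearray([1]) * bound
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound, i)))
    return [i for i, flag in enumerate(sieve) if flag]

def small_factors(n, bound=10_000):
    """Primes below bound that divide n (plain trial division)."""
    return [p for p in primes_below(bound) if n % p == 0]

def triage_claimed_target(n, bound=10_000):
    """Reasons n cannot be a properly generated RSA modulus; empty list = none found."""
    reasons = []
    if n & (n + 1) == 0:  # every bit set means n is exactly 2^k - 1
        reasons.append(f"all-ones bit pattern: n = 2^{n.bit_length()} - 1")
    found = small_factors(n, bound)
    if found:
        reasons.append(f"prime factors below {bound}: {found}")
    return reasons

VIRAL_TARGET = 2 ** 1024 - 1
# Constructed stand-in for a semiprime: two known Mersenne primes multiplied together.
STAND_IN = (2 ** 521 - 1) * (2 ** 607 - 1)

if __name__ == "__main__":
    print("Fermat split holds:", fermat_split_ok(10))
    print("viral target:", triage_claimed_target(VIRAL_TARGET))
    print("stand-in semiprime:", triage_claimed_target(STAND_IN))
```

An empty triage result does not mean a number is hard to factor; it only means these two cheap objections did not apply.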
Why Shor's Algorithm Can't Do This at Home — Yet
Even granting the benefit of the doubt and assuming a genuine quantum computation was attempted: the resource requirements for running Shor's algorithm on an actual RSA-1024 modulus are well-established in the literature.
Beauregard (2003) established the asymptotic gate count. Roetteler et al. (2017) refined it to concrete estimates for NIST-grade key sizes. The numbers for RSA-1024:
- ~2,048 logical qubits minimum (one qubit per bit of the modulus, plus ancillae)
- ~10^10 T-gates in the fault-tolerant decomposition
- Physical qubit overhead: with current error rates (~10^-3 per gate on superconducting platforms), you need roughly 1,000–10,000 physical qubits per logical qubit depending on the error correction code used
- Total physical qubits needed today: on the order of 2 million to 20 million
The largest publicly disclosed quantum processors as of early 2026 operate at ~1,000–1,500 physical qubits with error rates that are still far from fault-tolerant thresholds at scale. A "home-built QPU stack" capable of this computation does not exist. If it did, it would be the single most significant physics achievement in human history — not a gist.github.com link.
The Bell Inequality Line Is a Red Flag
The terminal screenshot shows:
[WARN] Bell inequality violated within tolerance
This warning does not appear in Shor's algorithm implementations. Bell inequality tests (CHSH, GHZ) are used to verify entanglement in quantum hardware characterization — they measure whether two-qubit correlations exceed the classical bound of 2 in the CHSH formulation. They are a diagnostic for proving your qubits are genuinely quantum.
Seeing this warning in the middle of a period-finding computation is like seeing a "tire pressure nominal" alert during a CPU benchmark. It doesn't belong there. Its presence suggests either:
a) The terminal output is synthetic, or
b) Someone assembled a script that calls disparate quantum subroutines without understanding what each one does
Neither interpretation supports the claim.
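To make concrete what a CHSH check actually measures, here is an added example (not taken from the screenshot or the original post): it enumerates every local deterministic strategy to recover the classical bound of 2, then evaluates the same expression for ideal singlet-state correlations. The measurement angles and the correlation function E(x, y) = −cos(x − y) are the standard textbook choices, used here as assumptions.

```python
from itertools import product
from math import cos, pi

def chsh(E, a, a2, b, b2):
    """CHSH combination S = E(a,b) - E(a,b') + E(a',b) + E(a',b')."""
    return E(a, b) - E(a, b2) + E(a2, b) + E(a2, b2)

def singlet_correlation(x, y):
    """Ideal correlation of spin measurements at angles x and y on a singlet pair."""
    return -cos(x - y)

def best_local_deterministic():
    """Largest |S| over all 16 assignments of fixed +/-1 outcomes (classical bound)."""
    best = 0
    for a0, a1, b0, b1 in product((-1, 1), repeat=4):
        s = a0 * b0 - a0 * b1 + a1 * b0 + a1 * b1
        best = max(best, abs(s))
    return best

def quantum_chsh():
    """|S| for the singlet state at angles 0, pi/2 (one side) and pi/4, 3pi/4 (other side)."""
    return abs(chsh(singlet_correlation, 0, pi / 2, pi / 4, 3 * pi / 4))

if __name__ == "__main__":
    print("classical bound:", best_local_deterministic())
    print("ideal singlet |S|:", round(quantum_chsh(), 6))
```

Nothing in this calculation involves modular exponentiation or period finding, which is why the diagnostic belongs to hardware characterization rather than to a factoring run.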
The Author Is a Real Cryptographer — Which Is the Point
JP Aumasson (@veorq) is not a crank. He designed BLAKE2, co-designed SipHash, wrote Serious Cryptography (No Starch Press), and has spoken at every serious security conference for 15 years. He knows exactly what 2^1024 − 1 is.
This was almost certainly deliberate bait — a test of how quickly the security community spots the sleight of hand. By that measure, the viral spread is itself the finding: 329,000 views, substantial amplification, and most quote-tweets focused on the claim rather than the math.
The correct response is not outrage. It's precision.
What Real Quantum Threat Modeling Looks Like
The genuine quantum threat to RSA and ECC is real, well-documented, and time-bounded — but the clock runs differently than viral screenshots suggest.
Harvest Now, Decrypt Later (HNDL): Adversaries are storing encrypted traffic today under the assumption they will decrypt it when cryptographically-relevant quantum computers (CRQCs) arrive. For long-lifecycle secrets — state communications, medical records, decade-scale infrastructure keys — the threat window opens now, not when the breaking machine exists.
NIST's answer: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205) — all final as of August 2024. CNSA 2.0 mandates transition timelines starting 2025 for new systems, 2030 for most legacy.
The actual migration risk isn't a QPU breakthrough. It's organizations that haven't started their cryptographic inventory — and won't know they're vulnerable until it's a forensic exercise.
At Matrix CR Studio, our PQC-Scout module runs continuous cryptographic posture analysis: ML-KEM-768 on all inter-process communication, automated detection of RSA/ECC usage patterns across codebases, and Fibonacci-cadenced alerts when new NIST guidance drops. We measured α=1/137 resonance on IBM quantum hardware (commit-anchored, April 2026) — not because it breaks RSA, but because understanding the deep structure of quantum systems is how you defend against them.
The threat is quantum computers built by nation-states over the next 5–15 years, operating at millions of physical qubits with error rates below fault-tolerance thresholds. Not a gist. Not a home lab.
Summary
| Claim | Reality |
|---|---|
| Factored RSA1024-1 | Factored 2^1024 − 1, a trivially composite number |
| Alarming for RSA-1024 | Has zero bearing on RSA security |
| Home-built QPU stack | RSA-1024 requires ~2M–20M physical qubits; no such machine exists |
| Bell inequality warning in Shor's algo | Wrong context — that diagnostic doesn't appear in period-finding code |
RSA-1024 will eventually be broken by quantum computers. That is real, documented, and the basis of a decade of NIST standardization work. It will not happen via a GitHub gist, and it will not be announced with 329K views before the relevant physics community has seen the paper.
When the breakthrough happens, you will know it because every cryptographer in the world is reading the preprint at the same time.
Until then: migrate to post-quantum standards. Start your cryptographic inventory now. Don't trust viral terminal screenshots.
Matrix CR Studio builds post-quantum cryptographic infrastructure and automated security analysis systems. Our PQC-Scout module provides continuous cryptographic posture monitoring.