Quantum computers are still expected to threaten parts of today’s encryption, but a new theory paper argues that the threat may not scale without bound. In a March 13, 2026 preprint, physicist Ralf Riedinger derived a thermodynamic lower bound for generic quantum search and concluded that an 831-bit secret key could not be deterministically recovered in an expanding universe before star formation ends. The claim matters because it reframes the debate: the bottleneck may be physics itself, not only engineering.
💡
The new claim does not mean modern public-key cryptography is safe from quantum attack.
It applies to generic quantum search limits, while RSA and elliptic-curve systems remain vulnerable in theory to Shor’s algorithm; Google Quantum AI estimated on May 21, 2025 that RSA-2048 could be factored in under a week with fewer than 1 million noisy qubits under stated assumptions.
The distinction is central. Much of the public discussion around “quantum breaking encryption” mixes together two different attack models. One is brute-force key search, where Grover-style quantum search offers a quadratic speedup over classical guessing. The other is structure-exploiting attacks such as Shor’s algorithm, which target the mathematics behind RSA and elliptic-curve cryptography. Riedinger’s paper addresses the first category, not the second.
Quantum Encryption Risk: What the Main Sources Actually Say
| Item | Finding | Date | Why it matters |
|---|---|---|---|
| Thermodynamic Limits of Quantum Search | 831-bit secret key cannot be deterministically reconstructed before star formation ceases in an expanding universe | March 13, 2026 | Suggests a physics-based ceiling for generic quantum search |
| Google Quantum AI RSA estimate | RSA-2048 could be factored in less than a week with fewer than 1 million noisy qubits | May 21-23, 2025 | Shows public-key systems remain theoretically exposed |
| NIST PQC standards | FIPS 203, 204 and 205 finalized and ready for use | August 13, 2024 | Migration path already exists |
| NIST backup encryption pick | HQC selected as an additional encryption algorithm | March 11, 2025 | Adds diversity to post-quantum defenses |
| IBM roadmap | Targets fault-tolerant quantum computing by 2029 | Roadmap viewed March 19, 2026 | Industry still aims to scale hardware rapidly |
Source: arXiv, Google Security Blog, NIST, IBM | Accessed March 19, 2026
831-Bit Search Bound Recasts the Debate
Riedinger’s preprint, posted to arXiv on March 13, 2026, studies the thermodynamic cost of generic quantum search rather than a specific hardware platform. The paper says prior work established asymptotic complexity for Grover-style search but lacked implementation-agnostic tight bounds. Its headline result is a work-runtime trade-off with a fundamental lower bound for autonomous quantum computers, then an application to key recovery: a secret key of 831 bits cannot be deterministically reconstructed in a dark-energy-dominated expanding universe until star formation is expected to cease.
That is a striking threshold because it is far below the key sizes used in many symmetric systems deployed today. AES-128, for example, uses a 128-bit key, while AES-256 uses a 256-bit key. Even before this paper, Grover’s algorithm was understood to cut brute-force complexity roughly from 2n to 2n/2, which is why cryptographers have long treated larger symmetric keys as a practical hedge against quantum search. The new paper goes further by arguing there is a deeper physical ceiling on how far such search can be pushed. That is an inference from the paper’s framing, not a direct statement that all real-world symmetric cryptography is permanently safe.
Quantum Encryption Timeline
August 13, 2024: NIST finalized FIPS 203, 204 and 205, its first three post-quantum cryptography standards, and said they were ready for immediate use.
March 11, 2025: NIST selected HQC as a backup post-quantum encryption algorithm to complement earlier standards.
May 21, 2025: Craig Gidney posted a preprint estimating RSA-2048 factoring in less than a week with fewer than 1 million noisy qubits.
March 13, 2026: Riedinger posted “Thermodynamic Limits of Quantum Search,” arguing for a fundamental lower bound on generic quantum search.
Why RSA-2048 Still Faces a Different Threat
The new theory does not overturn the main reason governments and large technology vendors are migrating to post-quantum cryptography. RSA, Diffie-Hellman and elliptic-curve systems are threatened by Shor’s algorithm, which attacks the algebraic structure of those schemes instead of searching keys one by one. Google’s May 2025 preprint estimated that a 2048-bit RSA integer could be factored in less than a week by a quantum computer with fewer than 1 million noisy qubits, assuming a square grid, nearest-neighbor connectivity, 0.1% gate error, 1 microsecond surface-code cycle time and 10 microseconds of control-system reaction time.
That estimate was materially lower than Google’s 2019 figure of 20 million noisy qubits for an eight-hour attack under similar physical assumptions. Google said the reduction came from better algorithms and better error correction, not from a sudden hardware leap. In other words, the resource bar moved because the theory improved.
Hardware, though, is still far from that scale. IBM says it is targeting near-term quantum advantage by the end of 2026 and the first large-scale fault-tolerant quantum computer by 2029. Its public roadmap points to 200 logical qubits and 100 million quantum operations by 2029, with 2,000 logical qubits a few years later. Those milestones are meaningful, but they are not the same as demonstrating a machine capable of running a full RSA-2048 attack under Google’s assumptions.
ℹ️
NIST’s migration message has not changed.
NIST said on August 13, 2024 that its first three post-quantum standards were ready for immediate use and urged administrators to start integrating them because full deployment will take time.
2024-2026 Standards Show the Response Is Already Underway
The practical takeaway for enterprises is less dramatic than the headline. NIST finalized three post-quantum standards on August 13, 2024: FIPS 203 for ML-KEM, derived from CRYSTALS-Kyber, as the primary standard for general encryption; FIPS 204 for ML-DSA, derived from CRYSTALS-Dilithium, as the primary signature standard; and FIPS 205 for SLH-DSA, derived from SPHINCS+, as a backup signature method. NIST said the standards were ready for immediate use and explicitly encouraged system administrators to begin integration at once.
NIST then added another layer on March 11, 2025 by selecting HQC as a backup algorithm for general encryption. That matters because cryptographic migration is not only about replacing one vulnerable primitive with one new primitive. It is also about diversity, fallback options and long transition windows across browsers, cloud systems, hardware security modules, telecom networks and embedded devices.
So the strongest reading of the new theory claim is narrow but important: generic quantum search may face a hard physical ceiling, which could strengthen confidence in sufficiently large symmetric-key security margins. The weaker reading would be to treat it as a blanket reprieve for all encryption. The available evidence does not support that. Public-key systems based on factoring and discrete logarithms remain the reason standards bodies are pushing migration now.
What March 2026 Changes for Security Teams
For security teams, the March 2026 paper is best viewed as a refinement of threat modeling, not a reason to pause post-quantum work. It may reduce the plausibility of unlimited Grover-style brute force against very large symmetric keys. It does not remove the “store now, decrypt later” risk for data protected today by vulnerable public-key exchange or signature systems if a future fault-tolerant quantum computer arrives. NIST’s standards program exists because migration takes years, not weeks.
The market implication is similar. The story is not that quantum risk disappeared on March 13, 2026. The story is that one branch of the risk tree now appears more bounded by fundamental physics than many headlines implied, while the branch tied to Shor’s algorithm still drives standards, budgets and vendor roadmaps.
Frequently Asked Questions
Does this new theory mean quantum computers cannot break encryption?
No. The March 13, 2026 paper addresses generic quantum search limits, not all cryptanalysis. RSA and elliptic-curve systems are still considered theoretically vulnerable to Shor’s algorithm, and Google’s May 2025 estimate for RSA-2048 remained under one week with fewer than 1 million noisy qubits under stated assumptions.
What is the significance of the 831-bit number?
It is the paper’s threshold example for deterministic key recovery under its thermodynamic bound. The author says an 831-bit secret key could not be reconstructed before star formation ceases in an expanding universe, making it a physics-based benchmark for generic search rather than a direct statement about one commercial cipher.
Why are governments still pushing post-quantum cryptography?
Because the main migration target is vulnerable public-key cryptography. NIST finalized FIPS 203, 204 and 205 on August 13, 2024 and said they were ready for immediate use, then selected HQC on March 11, 2025 as an additional encryption algorithm. The agency has said integration should start now because deployment takes time.
How close is hardware to breaking RSA-2048?
No public machine is near the full attack scale described in Google’s 2025 estimate. IBM’s roadmap, viewed March 19, 2026, targets near-term quantum advantage by end-2026 and a large-scale fault-tolerant system by 2029, with 200 logical qubits and 100 million operations by that date. That is progress, but not proof of an imminent RSA-2048 break.
What should organizations do now?
Organizations should continue inventorying quantum-vulnerable systems and planning migration to NIST-standardized post-quantum algorithms. The new theory may affect long-term assumptions about brute-force quantum search, but it does not change NIST’s published guidance that the first PQC standards are ready for immediate integration.
Disclaimer: This article is for informational purposes only. Information may have changed since publication. Always verify information independently and consult qualified professionals for specific advice.
