Energy costs of a Cryptanalytically Relevant Quantum Computers
US policy think tank RAND published an estimate on operating a quantum computer for breaking traditional cryptographic schemes including ECC (Elliptic Curve Cryptography). They call such quantum computers “CRQC”, a “Cryptanalytically Relevant Quantum Computer”. First, they establish that today’s quantum quantum computers are not It:
The use of a quantum algorithm known as Shor’s algorithm to efficiently break existing public-key cryptography algorithms is one of the best-known eventual applications of quantum computers. Prototype quantum computers exist today […] But these prototypes are still very far from being able threaten the security of modern public-key cryptography. An expert consensus study concluded that such a [CRQC] is unlikely to become available before 2030 and the U.S. National Security Agency has stated that it “does not know when or even if a … CRQC will exist.”
(The NSA’s record is mixed: its involvement in the DES encryption algorithm strengthened the design against then-nonpublic attacks but also fixed a (too) short key length; its association with the Dual_EC_DRBG debacle damaged its credibility; and cryptographer Daniel J. Bernstein has argued that U.S. guidance slowed parts of the post-quantum transition. So it is not a neutral signal.).
The authors further substantiate on quantum computers being “very far” away:
Many design challenges need to be solved before a CRQC can be built. […] Many of these [error correcting] techniques are well-understood theoretically, but quantum error correction is incredibly challenging to implement in practice, and only basic proofs of principle have yet been demonstrated experimentally. […] Whichever qubit architecture proves the most feasible, building a CRQC will require an enormous amount of new fundamental systems engineering at every level – from the high-level algorithmic flow to the low-level engineering, networking, and control of individual qubits.
They concede that making estimates is thus hard:
An additional complication is that several different basic physical architectures for qubits are being developed in parallel by different groups […] It is therefore difficult to predict even the basic physical operating principles of a future CRQC, let alone details about its system architecture. […] therefore enormously challenging to make any estimates of the financial requirements to operate a future CRQC, even at the order-of-magnitude level of precision.
Because they couldn’t find any “serious” prior attempts to this, and the “important implications for both research and development strategies and policy, especially with respect to efforts to address future cybersecurity risks”, they develop a framework which arrives at an estimated energy requirement of 890 MWh to break one ECC encryption key, equalling $64,000 based on US energy prices in 2022.
As energy got more expensive since the study concluded, the cost would nowadays be between $79,032 (2027 outlook, based on: US EIA Energy Outlook) and €156,640 (Germany BDEW SME industry 2025 annual average).