A team of researchers just ran a quantum key-recovery attack on real IBM hardware and recovered a 10-bit encryption key. The previous best on actual silicon was 4 bits. They more than doubled the frontier.

The work comes from QuantumOS, a group operating under the VIDRAFT umbrella, and it landed on HuggingFace's blog as part of their FINAL-Bench quantum benchmarking initiative. They used IBM's ibm_kingston processor (a 156-qubit machine) to execute attacks against two classic cryptographic constructions: the Even-Mansour cipher and a 3-round Feistel network. Both attacks are based on Simon's algorithm, a period-finding subroutine that can break these structures exponentially faster than classical brute force, provided the attacker gets quantum oracle access.
Let me be clear about what this means and what it doesn't. They did not break AES-128. They did not break RSA. They did not break 16-round DES. What they did was push the envelope on what noisy, error-prone quantum hardware can physically do with real key recovery. The gap between the theoretical ceiling and the practical floor is shrinking faster than most cryptographers are comfortable with.
The two constructions they targeted are textbook examples of how quantum algorithms undermine symmetric cryptography. Even-Mansour is a block cipher built from a public permutation and a secret key, simple, elegant, and vulnerable to Simon's algorithm in the Q2 model (where the attacker can query the encryption oracle in superposition). The 3-round Feistel construction, a building block behind DES-family ciphers, is similarly breakable. Simon's algorithm can distinguish it from a random permutation and recover the round keys.
Previous hardware demonstrations were stuck at N=4 for Even-Mansour. The QuantumOS team scaled this to N=10 using 21 qubits and about five and a half seconds of computation time. For the Feistel construction, they reached block size 8 (up from the previous ceiling of 6), using 17 qubits and 0.2 seconds. They achieved these results using a combination of error mitigation techniques: dynamical decoupling, randomized compiling (Pauli twirling), and readout-error mitigation. No quantum error correction was used. That's the part that matters. They're doing this on noisy hardware without the luxury of logical qubits.
The performance is not yet threatening real-world encryption. The researchers are honest about this: the effective difficulty they observe tracks the classical birthday bound (~2^{n/2}). In plain terms, at these scales, the quantum attack isn't faster than a classical brute-force search. The value is in demonstrating that the hardware can physically execute the circuits, not that it's currently winning a speed race.
What makes this work interesting is the honest accounting. The team explicitly states: "We did not break real AES or RSA... We did not break 16-round DES." They acknowledge the Q2 model's limitations. Quantum oracle access is a strong assumption that rarely holds in real-world cryptanalysis. And they provide an interactive demo where you can run the attacks yourself in a browser, cross-checked against Qiskit implementations.
There's also a parallel line of work worth watching. A paper published in npj Quantum Information describes a Grover's algorithm attack on Mini-AES, a 16-bit variant of the real thing. The researchers built complete quantum oracles for every component of the cipher (SubBytes, ShiftRows, MixColumns, Key Schedule) and discovered something unexpected: key clustering. Multiple valid keys produce the same ciphertext for a given plaintext, which shrinks the effective search space. They also found that the theoretical number of Grover iterations (201 for a single key) was wildly pessimistic. They achieved reliable recovery with as few as 26 iterations by targeting a practical detection threshold instead of the theoretical optimum.
Both of these results point to the same uncomfortable truth. The gap between "quantum computers can theoretically break crypto" and "quantum computers are physically doing it on real hardware" is no longer a chasm. It's a series of small, methodical steps, and each one narrows the margin.
The FINAL-Bench quantum leaderboard, now live on HuggingFace, aims to standardize how we measure this progress. Rather than relying on theoretical resource estimates (which tend to be either terrifyingly high or suspiciously optimistic), the benchmark focuses on what machines can actually execute right now. The VIDRAFT QuantumOS platform covers all five symmetric structures (linear, Even-Mansour, SPN, MAC, and Feistel) in a single environment, with attacks verified against independent implementations.
For engineers and security teams, the takeaway is straightforward. Post-quantum migration isn't a future problem. It's a present-tense logistics challenge. The NIST PQC standards (ML-KEM, ML-DSA) are ready. The tools exist. The question isn't whether quantum computers will eventually threaten symmetric cryptography. It's whether your infrastructure will be ready when they do. The 10-bit key recovery on real hardware isn't a wake-up call. It's a data point that says the timeline is compressing.
Sources
- FINAL-Bench Quantum Cryptanalysis Blog Post: QuantumOS team's full write-up with methodology, hardware specs, and interactive demo links
- VIDRAFT QuantumOS Interactive Demo: Browser-based quantum cryptanalysis across five symmetric structures, cross-checked against Qiskit
- Quantum Cryptanalysis of SPN Ciphers (npj Quantum Information, 2026): Grover's algorithm attack on Mini-AES with key clustering discovery and iteration optimization
- FINAL-Bench Quantum Leaderboard: HuggingFace Spaces leaderboard for neutral quantum benchmarking
- Simon's Algorithm for Even-Mansour on NISQ Hardware (arXiv): Proof-of-concept quantum cryptanalysis on noisy intermediate-scale quantum devices
- Improved Quantum Attacks on Iterated Even-Mansour Ciphers (ePrint 2026/930): Asymptotic improvements over classical bounds for iterated Even-Mansour with two keys