
> Unfortunately I work in cryptography, and breaking our algorithms is one of the tasks that requires the least number of qubits

I don't think that is true (or maybe I'm underestimating how many qbits other uses of QCs take). Estimates are still in the many millions: https://cacm.acm.org/news/237303-how-quantum-computer-could-...



You only need a few thousand error-free qubits to implement Shor's algorithm for 256-bit Elliptic Curve Discrete Log, which will, for instance, break nearly all crypto. The "millions" is trying to account for the several orders of magnitude error correcting overhead.


Sure, I just don't think error-free qubits are a thing (or will be in the future). I don't think anyone seriously expects quantum computing to work without error correction.


The difficulty of adding qubits increases super-linearly with the number of qubits (especially because of communication delay vs time to decoherence), so "only" a few thousand is already very optimistic. Worse, the idea of "error-free qubits" is essentially like cold fusion - you can say the words and we understand what you mean by them, but they don't describe anything that can exist in practice.


> The difficulty of adding qubits increases super-linearly with the number of qubits

Is that true? Hardware from the likes of IBM and IonQ has already gone from < 10 to >= 20 “algorithmic qubits” [1] in the space of a few years.

[1] https://ionq.com/quantum-systems/aria


Error-free qubits are a fantasy, error correction is a must. I'm not particularly worried about quantum computers breaking crypto anytime soon.


That's from three years ago, and for error-corrected RSA breaking. ECC has keys an order of magnitude smaller, and minimizing the number of qubits to run Shor's is a hot area.

And compared to other uses (quantum AI anyone?), it's surprisingly compact.



