A group of Chinese researchers have claimed to be able to break a widely used encryption scheme with a quantum computer that already exists, creating a possible boon for surveillance and a crisis for data protection.
The two dozen researchers from seven research institutions in China authored on paper describing a method using a 372-qubit computer to break RSA encryption instead of the theoretical quantum computer with tens of millions of qubits that was previously thought to be needed.
The implications are serious.
“Quantum computing has the capability to break the encryption on which most enterprises, digital infrastructures, and economies rely, rendering today’s encryption methods useless,” said Bryan Ware, CEO of LookingGlass Cyber Solutions. “That means that all secrets are at risk — nuclear weapons, banks, business IP, intelligence agencies, among other things, are at risk of losing their confidentiality and integrity.”
Quantum computing is still in its infancy, but cybersecurity experts have worried that quantum computers will eventually become powerful enough to break popular encryption schemes within minutes instead of the thousands of years needed by conventional modern computers. That possibility was supposed to be several years away, however.
Just in December, Congress enacted a law requiring the Office of Management and Budget to prioritize federal agencies’ acquisition of IT systems using post-quantum cryptography in an effort to deal with future advances in quantum computing.
But if the Chinese researchers are correct, the future is now. In November 2022, IBM announced it had built a working 433-qubit computerlarger than the quantum computer the researchers say is needed to break RSA encryption.
Still, the researchers’ claims have been met with skepticism in some cybersecurity circles.
The Chinese research is theoretical, and the underlying research it’s based on is “highly controversial,” Ware told the Washington Examiner. The paper may be an attempt from China to show it is leading the world in quantum computing, he added, but organizations relying on traditional encryption should start looking for other data protection methods.
“Even if their claims aren’t 100% true, there is a limited window for secrets to be protected by post-quantum encryption,” he added.
The paper is generating debates across the cybersecurity industry, said Vincent Berk, chief strategy and revenue officer at Quantum Exchangea company offering quantum-safe security.
“I am wrestling with the question: ‘If you truly cracked RSA, would you publish all the details, or would you go and just crack the crypto?'” Berk told the Washington Examiner.
Still, the Chinese research is based on an improved version of a 1995 quantum computing algorithm created by MIT professor Peter Shor, and Shor has said he sees no flaw in the paper, Berk noted. Whether or not the research paper is correct, traditional encryption schemes will soon be at risk.
“It is strongly believed that if the mathematics for one of our relied-upon cryptographic algorithms is defeated, then the others will fall as well,” Berk said. “If a technique is found to default to the mathematics of crypto, then all communications, emails, website traffic, financial transactions, social media, cryptocurrencies, etc., will all fall.”
Whether or not the Chinese paper is accurate, Q-Day, the day quantum computers can break existing encryption, is coming, said Petko Stoyanov, global CTO at computer security provider force point.
“On a global scale, we have an arms race happening behind closed doors across quantum and AI,” Stoyanov told the Washington Examiner.
Organizations that fear the fall of today’s encryption schemes should implement other data protection methods, including multifactor authentication, data tokenization, and pseudo-anonymization, Stoyanov recommended. They should also create data retention and deletion rules that limit the data they store and process.
If there’s good news, it’s that nation-states are the only attackers capable of affording and building a powerful enough quantum computer, Stoyanov said.
However, “if the encryption has been broken, nation-states with quantum encryption could, in theory, not only decrypt encrypted phone calls but potentially change information in encrypted systems while the data is in transit,” he added. “All telecommunications, from emails to bank transfers and control systems for power plants, depend on encryption.”