First Use of Quantum Computers to Crack Encryption Should Prompt Review, Not Panic

by | Oct 23, 2024

Reports of Chinese researchers able to crack encryption considered “military grade” may have briefly raised alarms this past week, but a closer look at the situation reveals it is far from time to panic. But it is a prompt to review plans for securing networks against the future threat of quantum computers, and to reconsider what the overall timetable may well be.

Present-day quantum computer used to crack basic RSA encryption

It is true that one of the presently available quantum computers, the D-Wave, was used to crack a form of RSA encryption. However, these computers remain nowhere near the power level that has spurred fears of a “cryptopocalypse.” And the demonstrated ability to crack encryption is extremely weak, handling only a primitive version of RSA that is nothing like the modern standard that is broadly used.

What this development does warn of is the possibility of weaker quantum computers being used to crack encryption ahead of schedule, by focusing on specific standards and coming up with innovative approaches tailored to them. In this case, the researchers deployed the D-Wave’s “quantum annealing” ability in a way that it was not originally designed or previously used for.

Of course, there still is no clear timeline for the threat to crack encryption that quantum computers present. Up until now, experts had generally agreed it was about a decade off at minimum. Some now feel that specific encryption standards might be targeted in as little as a few years, via similarly creative approaches to optimize weaker systems. But the overall timetable remains as unclear as ever.

At present, the only threat this theoretical attack presents is to an RSA key that uses a mere 50 bits. RSA is generally a 2048-bit standard, so the D-Wave quantum computers (which cost tens of millions of dollars to purchase or about $2,000 per hour to rent via the cloud) are not any kind of an immediate threat.

Ability to crack encryption should prompt calm reassessment

So what does this new development mean for organizations? It really doesn’t change much, but it should prompt a reassessment incorporating the possibility that some encryption standards may be defunct in closer to five years than ten.

This news is far from a guarantee of a shortening of the timetable, but it would be prudent to no longer assume that we have “at least ten years” before modern encryption standards start being knocked down. The measurement is now not necessarily how many qubits quantum computers currently have, but how specific systems can be made use of.

Cryptography experts still vary greatly in their assessment of the eventual overall level of the threat and its timetable. But NIST has already rolled out its primary post-quantum cryptographic algorithms, making it possible to begin transition plans and processes today. While most organizations (rightly) view this process as a “nightmare,” those that get a jump by beginning to address machine identities today will likely be in for a lot less trouble in the future.

Recent Posts

How can we help?

13 + 3 =

× How can I help you?