After a Chinese research team recently published a paper explaining their success in cracking encrypted data with a quantum computer, it was reported in some outlets as the end of military-grade data encryption – but the truth, it seems, lies somewhere in between.
The paper – which was published by a team of researchers from Shanghai University’s Key Laboratory of Speciality Filter Optics and Optical Access Networks – explains how researchers used ‘quantum annealing’ to develop a new way of attacking ubiquitous RSA data encryption.
RSA algorithms rely on two long encryption ‘keys’ – which are generated by multiplying two prime numbers together and whose length is measured in bits – to secure everything from web browsing, e-commerce, and cryptocurrency, to secure messaging, email, banking, and military secrets.
Each key has only two prime factors, and figuring them out to decrypt the data requires mathematical algorithms so complex that conventional computers could take hundreds of years or more to run them.
So-called ‘cryptographically relevant quantum computers’ (CRQCs) work differently and could shorten this to minutes – ushering in a change that in quantum computing circles is referred to as ‘Q Day’ because it will render existing data encryption useless.
Thanks to what the Shanghai University researchers called the “notably sluggish” pace at which CRQCs are developing from theory to reality, data has so far remained safe.
But by combining quantum annealing-based D-Wave quantum computers with Schnorr’s algorithm – which explains how to mathematically calculate encryption keys – the researchers said they had developed a new hybrid attack technique “beyond the reach of traditional computing methods.”
The technique factored some numbers up to 50 bits long, far less than the 128, 256, 512 or even 1024-bit keys used in real-world applications.
Since keys become twice as hard to factor with each bit that’s added, keys of those lengths are many orders of magnitude harder to crack.
And while critics pointed out that 50-bit encryption can also be cracked by conventional computers in “around a millisecond”, the researchers called it “a demonstration to validate the algorithm’s universality and expansibility”.
“In the context of slow progress in universal quantum computing devices,” they wrote, the D-Wave approach “has shown better realistic attack capabilities” to advance quantum computers’ “exciting yet formidable challenge to cryptographic security.”
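The critics' point about conventional hardware can be checked directly. The following is an added example, not code from the paper or from this article: it uses Pollard's rho (a classical factoring algorithm chosen here for illustration) on a constructed 50-bit semiprime; the primes, function names and choice of algorithm are assumptions of the example.

```python
import math
import time

def is_prime(n):
    """Trial division; adequate for the ~25-bit primes built below."""
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def pollard_rho(n):
    """Pollard's rho with Floyd cycle detection; returns a non-trivial factor."""
    if n % 2 == 0:
        return 2
    for c in range(1, 64):              # retry with a new polynomial on failure
        x, y, d = 2, 2, 1
        while d == 1:
            x = (x * x + c) % n         # tortoise: one step of x -> x^2 + c
            y = (y * y + c) % n         # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                      # d == n means the walk cycled; try next c
            return d
    raise ValueError("no factor found")

def factor_semiprime(n):
    """Return the two prime factors of n = p * q as a sorted tuple."""
    p = pollard_rho(n)
    return tuple(sorted((p, n // p)))

# Constructed sample modulus (not a value from the paper): two ~25-bit primes.
P, Q = next_prime(30_000_000), next_prime(33_000_000)
N = P * Q

if __name__ == "__main__":
    start = time.perf_counter()
    factors = factor_semiprime(N)
    elapsed_ms = (time.perf_counter() - start) * 1e3
    print(f"{N.bit_length()}-bit modulus {N} = {factors[0]} * {factors[1]}")
    print(f"factored classically in {elapsed_ms:.2f} ms")
```

The measured time depends on the machine and on Python's interpreter overhead; the walk needs only a few thousand iterations at this size.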
Is data on a death march to Q-Day?
Although the South China Morning Post reported the research with relative restraint and noted the “real and substantial threat” such research poses to global data encryption, subsequent reporting fuelled global concern by suggesting the researchers had already hacked military-grade encryption.
Aware that military applications use much longer encryption keys and often encrypt data multiple times, security experts’ reactions to the research ranged from the curious to the dismissive.
“Cryptography is safe, and will be for a long time,” security expert Bruce Schneier concluded, citing a Forbes report in which experts noted that the researchers didn’t mention military-grade encryption at any point, but were simply testing their technique against RSA security.
Others noted concerns that Q-Day could hasten the undoing of modern cryptocurrency systems, which are fundamentally based on cryptographic algorithms whose compromise could destabilise global crypto markets.
For now, the steady progress towards workable CRQCs is being documented in technical journals around the world by multi-disciplinary, often international teams with experts from a growing quantum industry stretching from Perth to Sydney, and their peers around the world.
And while some experts believe the real timeframe for Q-Day is still around 7 years from now – giving companies that long to implement new post-quantum cryptography (PQC) algorithms to protect their data – it will be driven by further esoteric advancements in physics and maths.
“If you were the Chinese military and you had just broken AES,” Quantinuum head of cybersecurity Duncan Jones told Forbes, “media coverage wouldn’t be on your priority list.”
“Instead, you would maximise your informational advantage, without revealing you’ve broken a critical global cipher.”