Have the Chinese cracked the quantum computing encryption code?

Feb. 13, 2023
Security experts weigh in on this potential threat to the RSA data encryption systems vital to national security
One of the more interesting – and some say controversial -- pieces of news to come out of the recent 2023 Consumer Electronics Show (CES) in Las Vegas was a claim by Chinese scientists who say they’ve developed an algorithm that can decrypt 2048-bit RSA using a combination of classical and quantum computers with at least 372 qubits.

If true, this discovery poses a tremendous threat to the RSA data encryption systems that safeguard everything from national security to the global banking system, so we asked four technology security experts to weigh in on the plausibility of the Chinese claims:

  •  Petko Stoyanov, Global Chief Technology Officer, Forcepoint
  • Richard Ford, Chief Technology Officer, Praetorian
  • Tim West, Head of Threat Intelligence, WithSecure
  • Tom Van de Wiele, Principal Technology & Threat Researcher, WithSecure

Is this a plausible claim? If not, why not?

Petko Stoyanov, Global Chief Technology Officer, Forcepoint: On a global scale, we have an arms race happening behind closed doors across Quantum and AI. Regardless of whether the claim is real or not, we know that the day will eventually come. The day is often coined as Q-Day, the coming of the day that quantum computers can break our existing encryption. At this point, nation-states are the only attackers capable of affording and building a powerful enough quantum computer.

Richard Ford, Chief Technology Officer, Praetorian: I am not running for the hills quite yet, fortunately. While I am concerned there's going to be an advance that breaks RSA encryption in my lifetime, I believe there's solid evidence that this isn't it. If you read the paper carefully, there are a couple of red flags, and of course, there's silence on one or two of the most important points. Because work like this can be hard to evaluate, there's the acid test: the RSA Factoring Challenge. The proof, as it were, is in the pudding. Can you actually do it? If you can't demonstrate it, it's abstract.

What the paper really describes is a theoretical approach that might be able to break RSA-2048 soon. That's it. It's a bit of a tempest in a teacup, to be honest.

Tim West, Head of Threat Intelligence, WithSecure: I honestly have no idea right now whether it's plausible or not. From what I have read, it has seemed to defy expectations, which places enormous intelligence value on such a discovery, so I would not expect a country to publicly announce it.

Imagine a worst-case scenario where China could reliably break 2048-bit RSA encryption at scale. However, based on what I’ve read, that does not appear to be the case. With that being said, any progression toward such a state is not good news. Having the quantum computing power necessary to break RSA at scale has huge implications, To explain the problem in Lehman’s terms, RSA uses a type of encryption that works on the basis that a mathematical equation can be completed, but not reversed – and China has just claimed to be able to reverse it.

What China may be claiming is that they are now able to reverse engineer the secret values using a quantum computer that defies expectations on how powerful the quantum computer needs to be to do so. If true, they can now reverse engineer the private keys that can decrypt all data they have captured that was encrypted using RSA (and possibly other asymmetric encryption algorithms).” 

Tom Van de Wiele, Principal Technology & Threat Researcher, WithSecure: The claim seems heavily disputed when we look at the statements from quantum computing experts around the world as far as what capability is required to be able to perform what they have claimed. We currently have no evidence to suggest that what is being claimed is true. It could be that these scientists were able to break a certain implementation and not the design of the encryption algorithm itself. Still, they are at least not including that information, so unless we get more evidence of their claims, we need to wait.Quantum computing is making progress but is still a long way from being used in practical applications to secure or break security controls meant to protect information at rest or in transit. Certain precautions can be made, though, so that any future discovery can have its impact reduced or will force the attacker to target rather than try an attack in bulk. 

If this is plausible, what's the impact on encryption, privacy, and surveillance?

Petko Stoyanov: “At this point, nation-states are the only cyber attackers that can afford, program, and operate a quantum computer. Encryption is the cornerstone of our privacy, built on security concepts of confidentiality and non-repudiation of data. Confidentiality ensures that data is only shared between trusted individuals, and non-repudiation assures that the information transmitted has not changed and the sender cannot delay sending it.

If the encryption has been broken, nation-states with quantum encryption could, in theory, not only decrypt encrypted phone calls but potentially change information in encrypted systems while the data is in transit. All telecommunications, from emails to bank transfers and control systems for power plants, depend on encryption. The cybersecurity industry is especially concerned about “encrypted” data, which has been harvested or hacked to be decrypted later.

Richard Ford: I'll say again, I don't think this is that watershed moment. However, if such a moment were to occur, it would be very bad because RSA is a common algorithm that’s used everywhere, from banks to healthcare and beyond. Most of the issues are found around public-key (asymmetric) algorithms - not block ciphers or hash functions. In that sense, the impact is limited in terms of what needs to be changed. But it's still incredibly broad as these asymmetric algorithms are how block cipher symmetric keys are usually exchanged. If RSA is still generally in use when RSA is actually broken, it would utterly destroy a lot of the privacy and security foundations we have in place today.

Are there ways for people and organizations to protect themselves and their encrypted data against the coming wave of quantum computing?

 Petko Stoyanov: Most of us are digital pack rats, so we hate to delete data. Given that fact, is storing too much data a risk? For example, a telecommunications organization experienced a large-scale breach of users’ personally identifiable data, including social security numbers and driver’s license numbers. It turns out the breach totaled twice the number of the company’s active customers, demonstrating that data has become an asset and a liability. Organizations need to have data retention and deletion rules to ensure they are responsible for the data they are storing.

Are there ways for people and organizations to protect themselves and their encrypted data against the coming wave of quantum computing?

Richard Ford: Yes, as developers, we have choices around encryption standards, and better yet, there are incredibly robust libraries we can use. There are VERY few people in 2023 who need to be writing their own encryption routines outside of governments. There's quite a selection of so-called quantum-resistant algorithms that are readily available today. In terms of what ordinary people can do? Stop worrying, for starters. While the threat to encryption is real, they're much more at risk from not having a backup or responding to a phishing email.

For companies, it's a little more complex. If you build your own software, take a good look at your encryption practices, and at a minimum, make sure your code is modular and not possible to change algorithms. Better yet, get standards in place that start to move you to something that’s more robust. This likely isn't the proof we've been anxiously awaiting, but it seems likely that day will come in the next decade or two, so it’s best to be ready.

Petko Stoyanov: Identity the data worth protecting and assess the risk of storing the data. Implement security controls on your data (beyond just encryption.) Think access controls rules like MFA, data tokenization, or pseudo anonymization. Create and Implement data retention and deletion rules which limit the data your organization stores and processes. Finally, continuously scan your organizational systems for new data worth protecting.