In a paper published late last month, 24 Chinese researchers suggested that RSA-2048 encryption could be broken using a quantum computer with 372 physical quantum bits.
Cryptographer Bruce Schneier drew attention to the paper [PDF] last week in a blog post, noting that IBM recently announced a 433-qubit quantum computer, far exceeding the researchers’ stated requirements. “This is something to take seriously,” Schneier wrote. “It might not be correct, but it’s not obviously wrong.”
Schneier’s post quoted security consultant Roger A. Grimes, who said the researchers had examined previous efforts that attempted to break traditional asymmetric encryption and failed, but “realized that the step that killed the whole thing could be solved by small quantum computers. So they tested it and it worked.”
Still, Schneier also noted that the recent findings rely on a controversial paper by Claus Schnorr that “falls apart at larger sizes … So if it’s true that the Chinese paper depends on this Schnorr technique that doesn’t scale, the techniques in this Chinese paper won’t scale, either.”
Research Dubbed ‘Actively Misleading’
Ultimately, a separate blog post by quantum computing expert Scott Aaronson convinced Schneier and others that the new research is nothing to worry about.
Simply put, Aaronson wrote, “here is my 3-word review: No. Just No.”
He quoted one sentence in the paper in question: “It should be pointed out that the quantum speedup of the algorithm is unclear due to the ambiguous convergence of QAOA [the Quantum Approximate Optimization Algorithm].”
Aaronson’s response: “‘Unclear’ is an understatement here. It seems to me that a miracle would be required for the approach here to yield any benefit at all.”
“All told, this is one of the most actively misleading quantum computing papers I’ve seen in 25 years, and I’ve seen… many,” Aaronson wrote.
As Deloitte quantum specialist Itan Barnes noted in a comment on Aaronson’s post, “The funniest part of the paper is the very last sentence (page 32!) which states: ‘However, the touch-size is an ideal basic situation, the QAOA usually works more than one layer and deeper circuit required. Besides, the quantum speedup is unknown, it is still a long way to break RSA quantumly.’ They basically trash their own work!”
Not Today, Cryptobreakers
A separate report published last week by Moody’s Analytics similarly questioned the paper’s findings, but suggested that it should serve as a reminder of the importance of developing a post-quantum cryptography (PQC) strategy.
Moody’s quantum computing lead Sergio Gago wrote on LinkedIn, “Our team has evaluated the paper and its implications, as well as the existing literature, and the conclusion is that the research is a bit misleading and there is no imminent threat due to the convergence complexities of QAOA.”
“There is no guarantee this novel algorithm can shorten the proposed timelines; however, our recommendation is to follow NSA / NIST guidelines and start preparing a PQC strategy immediately by creating a cryptographic key inventory,” the Moody’s paper stated.
As Gago put it in response to a comment on his post, “Cryptobreakers will have their day, just not today…”
Read next: Best Encryption Software