RSA’s demise from quantum attacks is very much exaggerated, expert says (2024)
Three weeks ago, panic swept across some corners of the security world after researchers discovered a breakthrough that, at long last, put the cracking of the widely used RSA encryption scheme within reach by using quantum computing.
Scientists and cryptographers have known for two decades that a factorization method known as Shor’s algorithm makes it theoretically possible for a quantum computer with sufficient resources to break RSA. That’s because the secret prime numbers that underpin the security of an RSA key are easy to calculate using Shor’s algorithm. Computing the same primes using classical computing takes billions of years.
The only thing holding back this doomsday scenario is the massive amount of computing resources required for Shor’s algorithm to break RSA keys of sufficient size. The current estimate is that breaking a 1,024-bit or 2,048-bit RSA key requires a quantum computer with vast resources. Specifically, those resources are about 20 million qubits and about eight hours of them running in superposition. (A qubit is a basic unit of quantum computing, analogous to the binary bit in classical computing. But whereas a classic binary bit can represent only a single binary value such as a 0 or 1, a qubit is represented by a superposition of multiple possible states.)
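The reason factoring is the whole game is worth seeing in code. The following is an added example (not from the article or the researchers it describes): a toy RSA key pair is built from two constructed small primes, then the private exponent is rebuilt from nothing but the public key and the factors of n. The primes `P` and `Q`, the public exponent `E`, and the function names are all assumptions of this example; a real key uses ~1024-bit primes, for which trial division is hopeless and Shor's algorithm is the only known polynomial-time route.

```python
# Added example: why factoring n = p*q is equivalent to recovering an RSA private key.
# Toy-sized constructed primes so the classical factoring step finishes instantly.
from math import gcd, isqrt
from typing import Optional, Tuple

P, Q = 7919, 104729   # constructed toy primes (a real RSA-2048 key uses two ~1024-bit primes)
E = 65537             # the customary public exponent


def make_keypair(p: int, q: int, e: int = E) -> Tuple[Tuple[int, int], int]:
    """Return ((n, e), d) exactly as RSA key generation computes them.

    d is the inverse of e modulo lambda(n) = lcm(p - 1, q - 1); pow(e, -1, m)
    computes a modular inverse in Python 3.8+.
    """
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lambda(n)")
    return (n, e), pow(e, -1, lam)


def factor_by_trial_division(n: int) -> Optional[Tuple[int, int]]:
    """Classical factoring by trial division: about sqrt(n) steps, i.e. exponential
    in the bit length of n. This is the cost Shor's algorithm reduces to polynomial."""
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    return None


def private_key_from_factors(n: int, e: int, p: int, q: int) -> int:
    """Whoever holds the factors of n can simply redo the key-generation arithmetic."""
    assert p * q == n, "p and q must be the factors of n"
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam)


def demo() -> bool:
    """Encrypt with the public key, factor n classically, and check that the
    exponent rebuilt from the factors decrypts just like the original private key."""
    (n, e), d = make_keypair(P, Q)
    message = 123456
    ciphertext = pow(message, e, n)          # textbook RSA without padding: illustration only
    factors = factor_by_trial_division(n)
    if factors is None:
        return False
    p, q = factors
    d_recovered = private_key_from_factors(n, e, p, q)
    return d_recovered == d and pow(ciphertext, d_recovered, n) == message


if __name__ == "__main__":
    print("private exponent rebuilt from the factors of n:", demo())
```

The point for a defender is that nothing about the private key is secret once n is factored; every RSA key-size recommendation is really a statement about how long factoring n is expected to stay out of reach.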
The paper, published three weeks ago by a team of researchers in China, reported finding a factorization method that could break a 2,048-bit RSA key using a quantum system with just 372 qubits when it operated using thousands of operation steps. The finding, if true, would have meant that the fall of RSA encryption to quantum computing could come much sooner than most people believed.
RSA’s demise is greatly exaggerated
At the Enigma 2023 Conference in Santa Clara, California, on Tuesday, computer scientist and security and privacy expert Simson Garfinkel assured researchers that the demise of RSA was greatly exaggerated. For the time being, he said, quantum computing has few, if any, practical applications.
“In the near term, quantum computers are good for one thing, and that is getting papers published in prestigious journals,” Garfinkel, co-author with Chris Hoofnagle of the 2021 book Law and Policy for the Quantum Age, told the audience. “The second thing they are reasonably good at, but we don’t know for how much longer, is they’re reasonably good at getting funding.”
Even when quantum computing becomes advanced enough to provide useful applications, the applications are likely for simulating physics and chemistry, and performing computer optimizations that don’t work well with classical computing. Garfinkel said that the dearth of useful applications in the foreseeable future might bring on a “quantum winter,” similar to the multiple rounds of artificial intelligence winters before AI finally took off.
The problem with the paper published earlier this month was its reliance on Schnorr's algorithm (not to be confused with Shor’s algorithm), which was developed in 1994. Schnorr’s algorithm is a classical computation based on lattices, which are mathematical structures that have many applications in constructive cryptography and cryptanalysis. The authors who devised Schnorr’s algorithm said it could enhance the use of the heuristic quantum optimization method called QAOA.
Within short order, a host of researchers pointed out fatal flaws in Schnorr’s algorithm that have all but debunked it. Specifically, critics said there was no evidence supporting the authors’ claims of Schnorr’s algorithm achieving polynomial time, as opposed to the exponential time achieved with classical algorithms.
The research paper from three weeks ago seemed to take Schnorr's algorithm at face value. Even when it’s supposedly enhanced using QAOA—something there’s currently no support for—it’s questionable whether it provides any performance boost.
“All told, this is one of the most actively misleading quantum computing papers I’ve seen in 25 years, and I’ve seen … many,” Scott Aaronson, a computer scientist at the University of Texas at Austin and director of its Quantum Information Center, wrote. “Having said that, this actually isn’t the first time I’ve encountered the strange idea that the exponential quantum speedup for factoring integers, which we know about from Shor’s algorithm, should somehow ‘rub off’ onto quantum optimization heuristics that embody none of the actual insights of Shor’s algorithm, as if by sympathetic magic.”
Quantum computers can break RSA encryption, which secures our online data. But there are solutions that are resistant to quantum attacks. One of them is Freemindtronic, an Andorran company that notably uses NFC HSM technology to share AES-256 keys using RSA-4096 encryption, which quantum computers cannot decipher.
However, advances in cryptanalysis and the rise of quantum computing have rendered 1024-bit RSA keys vulnerable to cyberattacks. Continuing to use 1024-bit RSA keys for encryption increases the risk of exposing sensitive data to eavesdropping, decryption, and data breaches.
At the moment, RSA is still secure. NIST recommends a key length of at least 2048 bits, likely secure until 2030. A sufficiently powerful quantum computer would be able to break RSA, but no such quantum computer exists and there are serious engineering challenges to create one.
I would like to point out that the compromise of RSA happens only when it is not properly implemented. Specifically, when the prime numbers (p, q) that make up the RSA keys are not sufficiently spaced apart. In this limiting scenario, Fermat's Factorization Method can completely compromise the integrity of RSA.
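The close-primes failure mode mentioned above is checkable at key-generation time, and the check is the same arithmetic the attack uses. What follows is an added example, not code from the article or from any commenter: it constructs two 512-bit prime pairs with a seeded generator, one well separated and one consisting of adjacent primes, applies the FIPS 186-4 (Appendix B.3.3) spacing rule |p - q| > 2^(nlen/2 - 100), and confirms with Fermat's method that only the badly spaced pair is recoverable. The Miller-Rabin helper, the seed, the pair construction and all function names are assumptions of this example.

```python
# Added example: a key-generation sanity check for primes that are too close together,
# using Fermat's factorization method as the test. Not from the article.
import random
from math import isqrt
from typing import Dict, Optional, Tuple

_rng = random.Random(20240101)  # fixed seed so the constructed keys are reproducible


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic; 32 rounds is ample for a demo)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(x: int) -> int:
    """Smallest (probable) prime strictly greater than x, for x >= 2."""
    c = x + 1
    if c % 2 == 0:
        c += 1
    while not is_probable_prime(c):
        c += 2
    return c


def fermat_factor(n: int, max_rounds: int = 10_000) -> Optional[Tuple[int, int]]:
    """Fermat's method: look for n = a^2 - b^2 = (a - b)(a + b), starting at a = ceil(sqrt(n)).
    When the factors are close, (p + q) / 2 is within a few steps of sqrt(n) and the method
    succeeds almost at once; when they are far apart it makes no progress, so give up."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_rounds):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def primes_too_close(p: int, q: int, nlen: int) -> bool:
    """FIPS 186-4 Appendix B.3.3 requires |p - q| > 2^(nlen/2 - 100) for an nlen-bit modulus;
    a pair violating this is exactly the case Fermat's method recovers in a handful of rounds."""
    return abs(p - q) <= 1 << (nlen // 2 - 100)


def make_pairs(bits: int = 512) -> Dict[str, Tuple[int, int]]:
    """Construct two candidate prime pairs: one well separated, one of adjacent primes."""
    lo = 1 << (bits - 1)
    good_p = next_prime(lo + _rng.getrandbits(bits - 4))
    good_q = next_prime(lo + (lo >> 1) + _rng.getrandbits(bits - 4))  # a different region
    bad_p = next_prime(lo + _rng.getrandbits(bits - 4))
    bad_q = next_prime(bad_p)  # the very next prime: |p - q| is only a few hundred
    return {"good": (good_p, good_q), "bad": (bad_p, bad_q)}


def check_pair(p: int, q: int) -> Dict[str, bool]:
    """Report the FIPS spacing verdict and whether Fermat's method actually finds the factors."""
    n = p * q
    return {
        "fips_too_close": primes_too_close(p, q, n.bit_length()),
        "fermat_recovers": fermat_factor(n) == (min(p, q), max(p, q)),
    }


if __name__ == "__main__":
    for label, (p, q) in make_pairs().items():
        print(label, check_pair(p, q))
```

Mainstream key generators already enforce this spacing rule, which is why the problem shows up in embedded and home-grown implementations rather than in well-maintained libraries; running `check_pair` over the factors of keys you generate yourself is a cheap way to confirm that a given generator does too.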
Exponentially faster is very fast. Breaking a 2048-bit RSA key would take 1 billion years with a classical computer. A quantum computer could do it in 100 seconds. The immediate focus on examining post-quantum security solutions is no longer optional.
RSA was revolutionary for its time, but as computing systems have evolved, the strength of RSA has dramatically deteriorated. The attacks on RSA are plentiful and rudimentary for attackers to execute.
Microsoft noted that RSA encryption has encountered challenges due to recent advancements in quantum computing and other cryptographic techniques. Consequently, many organizations are transitioning to more secure encryption methods to mitigate risks associated with RSA vulnerabilities.
So, even with the assumed computational capacity of Google's data centers, it would take approximately 19.8 quadrillion years to crack RSA-2048 using brute force. This is an astronomical time frame, far longer than the current age of the universe (which is about 13.8 billion years).
The RSA SecurID breach was a highly sophisticated cyberattack that occurred in March 2011, in which hackers accessed the computer systems of RSA, a company that provides two-factor authentication solutions to many organizations.
The alternative to RSA and DH these days is elliptic-curve asymmetric cryptography: specifically ECDSA for signing and verification, and ECDH for key exchange. ECDSA TLS certificates exist for exactly this purpose.
Securing file storage: AES is preferable due to its faster encryption and decryption speeds, making it suitable for encrypting large amounts of data. Secure communications: RSA is typically used for key exchange in SSL/TLS protocols, ensuring a secure channel for data transmission between clients and servers.
RSA, the oldest, is widely used and known for its robustness, while ECC provides greater cryptographic strength with shorter key lengths, making it ideal for devices with limited computing power.
The Federal Office for Information Security (BSI) recommended the use of at least 3000-bit RSA keys as early as 2023. The use of RSA keys with a key length of 2048 bits was permitted only for a transition period until the end of 2023.
Grover's algorithm is a quantum algorithm for searching unstructured data that provides a quadratic speedup over classical computing. This can make AES-128 feasible to crack, but AES-256 is still considered quantum resistant, at least until 2050 (as referenced throughout ETSI GR QSC 006 V1.1.1).
A 256-bit encryption is considered to be highly secure and it would take classical computers millions of years to crack it. However, quantum computers could potentially crack this level of encryption in mere seconds or minutes.
Provided one uses sufficiently large key sizes, the symmetric key cryptographic systems like AES and SNOW 3G are already resistant to attack by a quantum computer.
Specifically, a quantum computer could take a publicly available public key and derive the associated private key from it. This means that any data encrypted using that public key could now be decrypted without the consent of the party that sought to protect that data.
How is RSA secure? RSA security relies on the computational difficulty of factoring large integers. As computing power increases and more efficient factoring algorithms are discovered, the ability to factor larger and larger numbers also increases.