Chinese researchers claim they have devised a new algorithm that can crack the widely used RSA-2048 encryption key, using a quantum computer that can be built today.
Senior security and quantum computing experts have questioned this claim, which defied expectations that the technology to allow this kind of codebreaking was many years away. But the truth is, it doesn’t matter whether it’s true or not. Either way, we must start putting a lot of energy and money into a new approach to encryption since this type of breakthrough is inevitable and carries enormous implications across business and government.
If this code is broken, it could potentially threaten everything from the mundane things that we do today, like online banking and secure communications, to classified government information. If we are not ready when it happens, we are going to spin into a real crisis, because, how will we do business then?
One of the biggest issues at the beginning of the internet was how to conduct e-commerce safely. We worked to guarantee integrity and non-repudiation and other pillars of information assurance. We must do something similar now.
If the Chinese are able to break encryption – or are moving closer to doing so – they’ll be able to actually see what we are transmitting. We don’t have any alternative encryption right now that we can readily implement.
Looking at potential mitigating alternatives, we could consider increasing the key length, but this will have a detrimental effect on transactions as hardware will need to be on par with it and there is no way to predict how long this would be safe. We could move to a symmetric encryption model but that would require a constant exchange of keys resulting in a very labor intensive, disruptive, and costly endeavor. Both scenarios would create an environment that is very challenging to maintain, and at the same time, prone to errors.
Another alternative is to come up with your own algorithm, but it’s not clear that the receiving end would take the risk and accept it. Furthermore, you’ve already implemented a number of tools that actually inspect this type of traffic, but they’ll become useless because if you change the paradigm, they won’t understand how to use the algorithm. Neither of these potential solutions are workable.
Therefore, we may be looking at a doomsday-type situation because most people will be at risk of compromise. Obviously, not everything is created equal. If a company doesn’t have anything highly sensitive that could potentially take them out of business, then that’s not the same as governments or militaries with highly classified information whose disclosure would have vast consequences. But that does not mitigate the risk.
Some experts who have gone through this paper say the science looks sound but it’s not clear whether today’s quantum technology is advanced enough to apply it in practice. Even so, it suggests that quantum computers are going to be used to crack encryption earlier than expected, some of them say.
We need to be smart about the fact that it’s going to happen sometime soon. We need to innovate and disrupt very quickly. We’ll have to find new methods to protect information that don’t rely on a 45-year-old encryption algorithm that we know at one point or another will be broken. This is closer than we think, and we need to start working yesterday.