In a potentially concerning advancement for global cybersecurity, Chinese researchers have introduced a technique leveraging D-Wave’s quantum annealing systems to breach traditional encryption, which may hasten the timeline for when quantum computers could pose a genuine threat to widely used cryptographic systems.
Published under the title “Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage,” the paper details how D-Wave’s machines were utilized to compromise RSA encryption and target symmetric encryption systems, raising significant concerns about the future of cybersecurity.
Led by Wang Chao from Shanghai University, the research team discovered that D-Wave’s quantum computers can optimize problem-solving processes in a way that enables them to target encryption methods such as RSA.
In essence, the study reveals how quantum annealing transforms cryptographic attacks into combinatorial optimization problems, making them easier to solve. Quantum annealing is a quantum computing technique used to find the minimum energy state of a system by gradually evolving a quantum system towards its lowest energy configuration, making it well-suited for solving complex optimization problems.
Making Waves
Simon Bain, CEO of data expert OmniIndex, says that while the paper is still under review, the implications are making waves, suggesting that quantum computing may pose a serious threat to the security of current encryption standards.
“Ever since the dawn of quantum computers, it has been claimed that they will break current encryption norms and put our data at risk. While the findings are certainly intriguing, they don’t appear to be a threat yet,” Bain explains.
He says this type of encryption, although a robust and passable method for protecting bulk data, is a simplified symmetric form and is not the same type used for protecting our most sensitive data: asymmetric, wherein a pair of keys (publish and private) are used instead of a single key for both encryption and decryption.
“So while this research demonstrates a step towards a potential quantum-based attack, we’re still a significant distance away from a practical and widespread threat as it is yet to be proven against the recommended industry standard.”
However, Bain says this is not to say that this won’t become a threat in the future.
Looking Over Our Shoulders
“The research should serve as a reminder that it is crucial for the security industry to never stand still. We must always be looking over our shoulders and into the darkest corners to work out what the next threat will be and to have an answer for it before it becomes a problem. When we don’t, as has arguably been the case with ransomware, then we will see people’s data being breached.
“The security industry needs to be ready. It’s that simple. And fortunately, we hopefully will be. This is because while this appears to be one of the first credible reports of quantum computing being successfully used in this way, people in the tech industry have been anticipating this for years.
For instance, as far back as 2015, the NSA announced plans to transition to quantum-resistant cryptography and issued a public call for submissions to the ‘Post-Quantum Cryptography (PQC) Standardization Process in 2016. Since then, three Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography have been announced.
“So, when we inevitably reach a point when quantum computing has become a credible threat, we will need to upgrade to a new industry standard. And I have no doubts that we will be ready to do so due to the continued work being done in this area.
“Right now, it still appears that it will be an incredibly expensive thing to do. With the right investment and work, the infrastructure and technology will become accessible enough that everyone is able to protect their data and that there is not a monopoly on data security.”
The Quantum Starting Gun is Well Underway
Kevin Bocek, Chief Innovation Officer at Venafi, a CyberArk company, adds that D-Wave’s news is all part of the quantum starting gun that’s well underway and is all part of the threat the system of cryptography that makes the digital world and economy possible is already facing, and will only face more of. “Attackers are certain to be paying close attention.”
Bocek says that as we edge closer to the day when a quantum computer capable of cracking encryption becomes a reality, it’s crucial that entities consider their quantum readiness plans. “A big part of this challenge is knowing where machine identities – the system of authentication keys and certificates that secure machine-to-machine communication that our digital world relies on – are being used. Larger organizations will have thousands, or even hundreds of thousands, of identities that need to be replaced with new quantum-proof identities.”
We’ll Deal With it Then
He says almost two-thirds (64%) of security leaders say they “dread the day” the board asks about their migration plans, and 67% think the shift to post-quantum cryptography will be a nightmare, as they don’t know where all their keys and certificates are. Moreover, many companies have their heads in the sand. 78% of security leaders say if a quantum computer capable of breaking encryption is built, they will “deal with it then,” with 60% believing that quantum computing doesn’t present a risk to their business today or in the future. Moreover, 67% dismiss the issue, stating it has become a “hype-pocalypse.”
On the plus side, Bocek says the platforms that businesses will need to adjust to a post-quantum world are already here and that security pros recognize that taking control of the management of machine identities is the best way to prepare for future quantum risks.
“Security teams can get certificate lifecycle management (CLM), PKI-as-a-service, and workload identity issuers all on one control plane now. And the automation we put in place with machine identity security not only gets us ready for the post-quantum future, it also provides protection and efficiencies for securing machine identities today,” Bocek ends.
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
