May 2017

Why Quantum Computers Might Not Break Cryptography

A new paper claims that a common digital security system could be tweaked to withstand attacks even from a powerful quantum computer.

By Mark H. Kim

Math is hard. Indeed, much of the modern infrastructure for secure communication depends heavily on the difficulty of elementary mathematics—of factoring, to be exact. It’s easy to reduce a small number like 15 to its prime factors (3 x 5), but factoring numbers with a few hundred digits is still exceedingly difficult. For this reason, the RSA cryptosystem, an encryption scheme that derives its security from the difficulty of integer factorization, remains a popular tool for secure communication.

Research suggests, however, that a quantum computer would be able to factor a large number far more quickly than the best available methods today. If researchers could build a quantum computer that could outperform classical supercomputers, the thinking goes, cryptographers could use a particular algorithm called Shor’s algorithm to render the RSA cryptosystem unsalvageable. The deadline to avert this may arrive sooner than we think: Google recently claimed that its quantum computers will be able to perform a calculation that’s beyond the reach of any classical computer by the end of the year. In light of this, cryptographers are scrambling to find a new quantum-proof security standard.

Yet perhaps RSA isn’t in as much trouble as researchers have assumed. A few weeks ago, a paper surfaced on the Cryptology ePrint Archive that asked: “Is it actually true that quantum computers will kill RSA?” The authors note that even though a quantum computer running Shor’s algorithm would be faster than a classical computer, the RSA algorithm is faster than both. And the larger the RSA “key”—the number that must be factored—the greater the speed difference.

The authors of the paper estimate that attacking a terabyte-size key using Shor’s algorithm would require around 2100 operations on a quantum computer, an enormous number comparable to the total number of bacterial cells on Earth. The authors don’t convert this to a concrete time estimate, but current research suggests that a real quantum computer wouldn’t be able to accomplish this in any reasonable amount of time. “RSA is not entirely dead even if quantum computers are practical,” said Nadia Heninger, an assistant professor of computer and information science at the University of Pennsylvania and a co-author of the paper. The paper also shows how to implement such a massive RSA key, which had not been done before.

Still, a terabyte-size key isn’t exactly easy to work with. (The largest RSA keys right now are a few thousand bits; a terabyte is many trillions of bits.) The authors report that generating a terabyte-size RSA key and carrying out the encryption-decryption process takes about five days. “The encryption and decryption cost is terrible for most applications,” said Scott Aaronson, the director of the Quantum Information Center at the University of Texas, Austin. What’s more, the security we gain from using enormous RSA keys is “extremely precarious, vulnerable to even a modest improvement in algorithms or hardware, or a determined and well-funded-enough adversary.”

“Scott is thinking in a theoretical sense,” said Heninger, who maintains that the gap is enough “from a concrete security point of view.” “More importantly,” the paper states, “it is interesting to see that the conventional wisdom is wrong.”

Reprinted with permission from Quanta Magazine's Abstractions blog.