Chinese researchers this month threw a scare in the IT industry by saying they had used a quantum computer to crack a password-based encryption method used today across multiple industries like defense and banking.

According to a paper they published in the Chinese Journal of Computers in May and a report about the work in the South China Morning Post this month, the researchers said they used quantum computing vendor D-Wave’s Advantage system to attack three algorithms used in the AES framework.

The researchers argued that their work represents a “real and substantial threat” to the long-used encryption techniques used in crucial business and government sectors and added fueled to a long-standing worry that the widespread availability of quantum systems in the future will blow a hole in modern cybersecurity protections.

While initial reports about the research were alarming, the worry about immediate threats to today’s encryption methods were unfounded, according to some cybersecurity experts. However, that doesn’t mean the research or its results should be dismissed, they said.

“While the research shows quantum computing’s potential threat to classical encryption, the attack was executed on a 22-bit key – far shorter than the 2048- or 4096-bit keys commonly used in practice today,” said Avesta Hojjati, head of R&D at cybersecurity firm DigiCert. “The suggestion that this poses an imminent risk to widely used encryption standards is misleading.”

The research may be intriguing but it doesn’t announce “an immediate quantum apocalypse,” Hojjati said.

“We are still far from a practical attack that can threaten real-world encryption systems, especially with the current state of quantum computing,” he said. “The coverage may serve as a cautionary tale, but it exaggerates the timeline and feasibility of quantum threats to make for a more dramatic story. While the research advances discussion on quantum readiness, we should remain cautious but not alarmist.”

Quantum is Coming, but When?

The research highlights the uncertainty about quantum computing. Companies like D-Wave, IBM, Google, and Microsoft are working toward a future of quantum computers, when they become widely available is unclear, which also makes their threat to cybersecurity and encryption unsure. There are a lot of unknowns, as HP Security Lab’s Thalia Laing and Tommy Charles wrote earlier this year.

“All we know is that if sufficiently powerful quantum computers are successfully built, they will break much of the cryptography we rely on as societies, businesses, and individuals,” Laing and Charles wrote in a blog post. “Data will be exposed. Devices will not be secure. Systems will be controllable by hackers. The digital security we know and depend on will break. Specifically, the asymmetric cryptographic algorithms that we rely on for data encryption and digital signatures will be broken. The impact could be cataclysmic, which is why this is a risk to be taken seriously.”

Quantum systems strong enough to crack modern cryptography are theoretical for now, but progress is being made, they wrote, which is why work needs to start now to thwart the threats these computers may bring. Some of the work already is being done.

NIST and Post-Quantum Cryptography

In August, the National Institute of Standards and Technology (NIST) released three post-quantum cryptography standards – ML-KEM (formerly known as Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+) – designed to address potential threats.

Duncan Jones, head of security for quantum computing company Quantinuum, at the time said the three standards represent “a crucial first step towards protecting all our data against the threat of a future quantum computer that could decrypt traditionally secure communications. Every CISO now has a mandate to urgently adopt these new standards alongside other methods for hardening their cybersecurity systems.”

Jones also noted the ongoing effort by threat groups to steal encrypted data now that they will be able to decrypt in the future with quantum systems.

The Research is a Warning

The work done by the researchers at Shanghai University doesn’t yet present a threat, but is a reminder about the potential problems that lie ahead. Conventional computers use bits, that are either 1 or 0. Quantum systems – using principles of quantum mechanics – use qubits, which can 1, 0, or both, allowing them to run workloads exponentially faster. Such workloads could include breaking what are now essentially unbreakable encryption algorithms.

The researchers used an Advantage quantum system from D-Wave, which uses a process called “annealing.” Essentially, the goal of an annealing quantum computer is to sort through all possible solutions to a complex problem to find the best one.

As DigiCert’s Hojjati noted, the system was used to break an encryption with 22-bit keys, significantly fewer than the encryption widely used today. Using computers to break modern encryption, which typically use 2048-bit keys, requires more compute power and time than is feasible.

“The longer the secret key, the harder it is for an attacker to guess via brute force attack,” cybersecurity firm Ubiq wrote.