If you logged onto your bank account this morning, the security protocols still seem secure – but things are changing quickly in the tech world. A team in China just showed that the math behind RSA encryption is starting to bend to the will of the quantum realm.
Using a quantum annealing processor built by D‑Wave Systems, the researchers say they factored a 22‑bit RSA integer that had resisted earlier attempts on the same class of hardware. Wang Chao and colleagues at Shanghai University carried out the experiment.
RSA’s reputation for toughness
When RSA encryption debuted in 1977 it was lauded for tying security to the difficulty of splitting a large semiprime into its two prime factors .
Classic computers still need sub‑exponential time to break today’s 2048‑bit keys, and the largest key so far cracked with conventional methods is only 829 bits (RSA‑250) after weeks on a supercomputer.
“Using the D‑Wave Advantage, we successfully factored a 22‑bit RSA integer, demonstrating the potential for quantum machines to tackle cryptographic problems,” the authors wrote.
The group translated factorization into a Quadratic Unconstrained Binary Optimization problem, which the D‑Wave Advantage system solves by letting qubits tunnel through energy barriers seeking the lowest energy state.
They also applied the same method to Substitution–Permutation Network ciphers such as Present and Rectangle, calling it “the first time that a real quantum computer has posed a substantial threat to multiple full‑scale SPN structured algorithms in use today.”
Twenty‑two bits still matter
A 22‑bit key is trivially small compared with production‑grade RSA, yet the test matters because the approach scaled beyond past demonstrations that stopped at 19 bits and required more qubits per variable.
Reducing the local‑field and coupling coefficients in the Ising model cut noise, letting the annealer reach correct factors more often and hinting at paths to bigger keys, according to the paper.
“The advancement of quantum computers can seriously threaten data security and privacy for various enterprises,” warned Prabhjyot Kaur of analyst firm Everest Group, who was not involved in the study.
Annealing vs. Shor’s promise
Universal, gate‑based quantum machines run Shor’s algorithm, which in principle can shred RSA by finding the period of modular exponentiation in polynomial time.
Those devices still struggle with error correction, while D‑Wave’s annealers, though not universal, already pack more than 5000 qubits and avoid deep circuits by using a chilling 15 mK environment and analog evolution.
Annealing excels at combinatorial optimization, so the Shanghai team reframed factoring as that type of search problem instead of using Shor’s period‑finding route.
The strategy sidesteps current qubit‑count limits of gate machines but pays a price in exponential scaling, which is why only a 22‑bit modulus fell this time.
The policy clock keeps ticking
Standards bodies are not waiting. In August 2024 NIST released FIPS 203, 204 and 205, the first federal standards for post‑quantum cryptography based on lattice problems, and in March 2025 it selected HQC for the next wave.
A White House event framing the publication urged U.S. agencies to begin swapping vulnerable keys because adversaries may already be hoarding encrypted data for “hack now, decrypt later” attacks.
“Businesses must treat cryptographic renewal like a multi‑year infrastructure project,” the Wall Street Journal’s CIO briefing noted when the final standards neared release last year. Corporate technology leaders echoed that sense of urgency.
RSA vs. quantum cracking
Most businesses haven’t yet updated their cryptography inventories, and many don’t even know which algorithms their systems depend on.
Security experts recommend starting with an internal audit to identify all uses of RSA, ECC, and other vulnerable algorithms before building a replacement plan.
While full migration may take years, organizations can begin by testing quantum-safe libraries such as Open Quantum Safe, deploying hybrid key exchange methods.
Integrating crypto-agility – the ability to swap cryptographic algorithms without reengineering entire systems – is also a good option. This makes future upgrades less painful as new standards arrive.
What comes next and what to watch
Large‑key RSA is still safe today, yet the study shows that hardware improvements and smarter embeddings keep shaving away at the gap.
D‑Wave plans a Zephyr‑topology processor with more than 7000 qubits later this year, and each topology upgrade improves connectivity, which in turn reduces the number of physical qubits needed per logical variable.
Cryptographers, meanwhile, recommend adopting hybrid schemes that wrap lattice‑based algorithms such as CRYSTALS‑Kyber around classical RSA signatures to provide forward secrecy during the transition period.
Organizations holding sensitive data for decades, health records, genomic files, diplomatic cables, have the most to lose if they wait until a full‑scale quantum computer arrives.
Some observers point out that the Shanghai result relied on heavy classical pre‑ and post‑processing, and that the annealer still required many runs to locate the right factors.
Even so, history shows that cryptanalytic proofs of concept rarely stay small: DES fell to a $250,000 machine in 1998 only four years after the first partial cracks surfaced.
The study is published in the Chinese Journal of Computers.
—–
Like what you read? Subscribe to our newsletter for engaging articles, exclusive content, and the latest updates.
Check us out on EarthSnap, a free app brought to you by Eric Ralls and Earth.com.
—–
