Industry News

First Successful Factorization of RSA-2048 by Quantum Computer? Not Even Close!

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email January 7, 2025
5 minutes read
RSA-2048 Factorization BS

Chinese researchers published A First Successful Factorization of RSA-2048 Integer by D-Wave Quantum Computer.” To get straight to the point – the title is misleading. The authors did NOT factor a general RSA-2048 key (as used in real cryptography); instead, they factored a specially structured 2048-bit semiprime chosen to be extremely easy.

In fact, the paper “investigates a class of special integers” where the two prime factors differ in only two specific bits (the bits of weight 2 and 4). This means $$p$$ and $$q$$ were almost identical except for two low-order bits – for example, one case is essentially $$p = q + 6$$ (since $$2+4=6$$). Such an $$n=p\cdot q$$ is not a typical RSA key; it lies in a trivial corner-case that can be cracked by elementary means. A classical calculation could factor those numbers almost instantly – essentially by taking the square root of $$n$$ and adjusting by ±3 (a human could do it by hand). In other words, the authors factored a toy 2048-bit number with a hidden structure, not a random 2048-bit RSA modulus. The paper itself eventually acknowledges it has no impact on standard RSA-2048 keys, but it still frames the result as a potential “quantum threat,” which is sensational.

Algorithm & Assumptions

Rather than using Shor’s algorithm or a known general factoring method, the authors employ a quantum annealing approach on a D-Wave machine. They cast the factoring problem into a Quadratic Unconstrained Binary Optimization (QUBO) formulation suitable for D-Wave’s annealer. However, this formulation relies on the assumption that the factors differ in only two bit positions (a huge a priori restriction). By exploiting that assumption, the factorization reduces to solving a few simple binary equations. In fact, for any semiprime whose primes differ in 2 bits, the problem simplifies dramatically: the authors note that the usually exponential search “simplif[ies] to a constant-level solution space”. In practice, this meant the D-Wave only had to determine a handful of unknown bits (on the order of 4 bits for the two differing positions and related carries). This is essentially a constant-size brute-force search embedded in a quantum annealer. Indeed, the paper’s own statement is that the special number’s properties collapsed the complexity to O(1) in that case. This is not a new general algorithm but a twist on known hybrid factoring attempts: it’s a variation on adiabatic/annealing methods that others have used for small factorizations, here applied to a contrived 2048-bit case. Crucially, D-Wave’s annealing provides no known asymptotic speedup for general factoring – it’s an analog optimizer, not a gate-based computer with Shor’s algorithm. The authors’ “sublinear resources” claim stems from the fact that their quantum qubit requirement grows with the number of differing bits, not with the full size of $$N$$. If only 2 bits differ, only a constant number of qubits were needed (indeed, they report factoring 56153 with 4 qubits in earlier work). This is “sublinear” only by picking an easy problem – essentially hard-coding most of the solution into the problem’s structure. It does not translate to a general sublinear factoring method for arbitrary RSA numbers.

Scaling to RSA-2048

The method does NOT realistically scale to factoring arbitrary 2048-bit RSA keys. It works only for semiprimes with an extremely special structure. No banking or military RSA key would ever be generated with $$p$$ and $$q$$ so close (in fact, if primes were that close, classical Fermat’s method would factor them in polynomial time). The authors effectively solved a toy problem of known difficulty 0 (a near-square semiprime) to claim a record 2048-bit length. There was no actual break of a hard 2048-bit RSA key, just an extrapolation. The paper’s results are more of a theoretical or at best a narrow demonstration – they likely did use the D-Wave hardware to find the factors of their special number, but this doesn’t demonstrate any quantum advantage. In fact, classical computation could factor the same number faster, so there’s no point other than showcasing that the D-Wave can run a tiny QUBO. There is no evidence they factored any random large semiprime, nor that their approach would succeed for larger gap primes. All data suggests that when the special conditions are removed, the problem remains intractable. Subsequent analyses by others have reinforced that these hybrid/annealer approaches don’t scale. For example, when researchers tried to apply similar algorithms beyond trivial sizes (50–70 bit range), they found the runtime blows up exponentially. In short, the method only “scales” to RSA-2048 in the vacuous sense that you can feed a 2048-bit near-square into it – it doesn’t bring us any closer to factoring a real 2048-bit RSA modulus. The paper gave no demonstration of factoring high-size hard keys, only this one contrived example, backed perhaps by some smaller experiments. No widely accepted experimental validation on genuine large RSA numbers has been shown.

Reproducibility & Practicality

The method is technically reproducible on similar hardware, but that speaks more to its triviality than its robustness. Given the primes’ structure, one could reproduce the factorization on a laptop in seconds. Running it on a D-Wave quantum annealer is also feasible (the problem mapping is simple and involves only a few logical qubits). In other words, yes – one could replicate the authors’ experiment if you have a D-Wave – but doing so isn’t necessary or particularly informative. As for the “sublinear resources” claim, it rings hollow under practical constraints. The authors achieved a constant-size quantum problem by effectively knowing almost everything about the factors in advance. In a real RSA scenario, one does not know that, say, only 2 bits differ – so one cannot restrict the search space so drastically without enumerating possibilities. If one tried to generalize this approach, the resource requirements would balloon. In fact, attempts to use hybrid quantum-classical algorithms for larger semiprimes have shown that the resource count and runtime grow quickly (still exponential for general inputs). The much-touted “372 qubits” estimate (from a related 2022 proposal) for breaking RSA-2048 turned out to be overly optimistic and failed to scale even to 72-bit tests. In practice, quantum error correction, decoherence, and the limited coherence time of annealers all impose overhead that the paper completely ignores. D-Wave’s annealer uses thousands of physical qubits, but they are noisy and non-error-corrected; solving anything but tiny toy problems reliably is a challenge. The claim of sublinear qubit growth is meaningful only in the same sense as saying “if we only search a constant-size portion of the solution space, we use constant resources” – it’s true but trivial, and it requires prior knowledge that defeats the purpose. Under realistic conditions (no special hints about $$p, q$$ and with hardware noise), this method offers no practical advantage. In fact, even if quantum annealing improved, it’s unclear it would ever outperform classical algorithms for factoring, except perhaps in similarly contrived cases.

Bottom Line

The paper’s technical content is built on a valid but narrow experiment – using a D-Wave quantum annealer to factor a 2048-bit number with primes of a special form – and it illustrates a hybrid quantum-classical approach in name only. However, its broader claims are not credible in the context of real cryptography. It’s a clever but ultimately hollow stunt – technically solving a 2048-bit equation, but in a way that sidesteps the true difficulty and hence doesn’t advance the state of the art. And, just because it is worth repeating: the authors did not “break” RSA-2048 at all nor showed any way that could eventually scale to breaking RSA-2048.

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email January 7, 2025
5 minutes read
Photo of Marin Ivezic

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven professional services firm dedicated to helping organizations unlock the transformative power of quantum technologies. Alongside leading its specialized service, Secure Quantum (SecureQuantum.com)—focused on quantum resilience and post-quantum cryptography—I also invest in cutting-edge quantum ventures through Quantum.Partners. Currently, I’m completing a PhD in Quantum Computing and authoring an upcoming book “Practical Quantum Resistance” (QuantumResistance.com) while regularly sharing news and insights on quantum computing and quantum security at PostQuantum.com. I’m primarily a cybersecurity and tech risk expert with more than three decades of experience, particularly in critical infrastructure cyber protection. That focus drew me into quantum computing in the early 2000s, and I’ve been captivated by its opportunities and risks ever since. So my experience in quantum tech stretches back decades, having previously founded Boston Photonics and PQ Defense where I engaged in quantum-related R&D well before the field’s mainstream emergence. Today, with quantum computing finally on the horizon, I’ve returned to a 100% focus on quantum technology and its associated risks—drawing on my quantum and AI background, decades of cybersecurity expertise, and experience overseeing major technology transformations—all to help organizations and nations safeguard themselves against quantum threats and capitalize on quantum-driven opportunities.
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Bluesky
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap