Breaking a public key in this context means finding the corresponding private key. A fundamental assumption for secure PKI is that finding the random private key corresponding to a given public key would be infeasible. A crowd-sourced reward will be provided for breaking the first of either of the following public keys on curve secp192k1:
X: 5337652013586346735487680959091173929274945375420480564894
Y1: 5368037827508578675636122683046956953213154652721351504696, OR
Y2: 909063907878102088199666740160709462889200791738388036351
The X-value is the first decimal number of 192-bit length in the 1955 RAND publication "1 Million Random Digits" that is also on the curve. The RAND publication predates the invention of ECC by about three decades. It is nearly certain that a private key for secp192k1 corresponding to the above X-value has never been generated, with the chance that one has being much lower than one in a trillion. Based on the parameters for secp192k1, two different private keys exist for the above X-value, with each Y-value representing a valid point/public key. Specifically, secp192k1 has a cofactor=1 ("h"). With cofactor=1, and thus for secp192k1, "all possible EC points on the curve (including the special point infinity) can be generated from the generator G by multiplying it by integer in the range [1...n]." Consequently, two different integers (i.e. two different private keys) are certain to exist for the above X-value on the curve for secp192k1.
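The following Python sketch is an added example, not code from the original page. It recovers both Y-values from the X-value and shows how a third party could check a claimed private key against the challenge. The secp192k1 domain parameters are taken from SEC 2 rather than from the page, and the function names are hypothetical.

```python
# secp192k1 domain parameters (SEC 2); the page itself gives only X, Y1, Y2.
P = 2**192 - 2**32 - 2**12 - 2**8 - 2**7 - 2**6 - 2**3 - 1
B = 3  # curve equation: y^2 = x^3 + 3 (mod P), with a = 0
N = 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D  # group order, cofactor 1
G = (0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D,
     0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D)

# Challenge values copied from the page.
X = 5337652013586346735487680959091173929274945375420480564894
Y1 = 5368037827508578675636122683046956953213154652721351504696
Y2 = 909063907878102088199666740160709462889200791738388036351

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + B)) % P == 0

def lift_x(x):
    """Return the set of both y values for x, or None if x is off the curve."""
    rhs = (pow(x, 3, P) + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
    return {y, P - y} if y * y % P == rhs else None

def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; fine for checking a public claim
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def check_claim(d):
    """Return 'Y1' or 'Y2' if d*G is that challenge point, else None."""
    q = mul(d, G) if 1 <= d < N else None
    return {(X, Y1): "Y1", (X, Y2): "Y2"}.get(q)
```

Because Y1 + Y2 equals the field prime, the two challenge points are negatives of each other, so a private key d for one immediately gives N - d for the other.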
This method to obtain a public key for demonstrating a break has advantages compared to many alternatives. Valid RSA public keys normally can only be generated using a private key. Consequently, third parties could potentially question if an RSA public key was actually broken, and instead consider that a corresponding private key was possibly leaked. Alternatively, an ECC public key for demonstrating a break could be generated through a combination of various public and/or private keys (through point addition of public keys and point multiplication with private keys). The process and security of values used for that combination may be questioned, and accurate verification of the security for generating the alternative ECC public key could be difficult for third parties.
In contrast to the above alternatives, it is simple to reasonably determine the private key is completely unknown for the above public key. The primary assumption is the random number for the X-value is selected in a manner that cannot be tampered with. An example of "tampering" would be presenting a public key to break where the private key is already known. Tampering for the above public keys is not feasible because:
- The 1955 RAND publication is a frequently cited source for random numbers and is useful by long predating the invention of ECC.
- Selecting the very first decimal number of 192 bit length on the curve for secp192k1 reasonably qualifies as a "nothing up my sleeve" number.
Curve secp192k1 is selected based on:
- Secp192k1 should remain secure against attacks from classical computers until long after Q-day;
- Smaller standard curves such as secp160k1 may feasibly have public keys broken by classical computers before Q-Day;
- The time when secp192k1 is broken will provide valuable lead time before public keys on more economically relevant curves can be broken, such as (i) secp256k1 used by Bitcoin and Ethereum or (ii) curve25519 used by TLS. If capabilities of quantum computers are exponentially scaling, then the lead time may be less than a year and likely less than two years; and
- A quantum computer should be able to break secp192k1 before RSA 2048. Secp192k1 should require significantly fewer logical qubits and gates compared to RSA 2048.
The discovery of a private key for either of the above public keys would provide reasonable confirmation that Q-day has arrived. Given the nearly 50 year history of the discrete logarithm problem for cryptography, the probability is low that classical computing resources alone can find a private key. The term "Q-day" in the 21st century has a slight relationship to the previous meaning for "Q-Day" in the 20th century. The leading prior use for "Q-day" was for the dress rehearsal (on June 23, 1945) of the first atomic bomb test near Alamogordo, New Mexico.
Demonstrating the break of secp192k1 can serve as a "dress rehearsal" for the imminent subsequent break of classical PKI cryptography with higher security levels and widespread commercial use. Those classical algorithms, such as those based on RSA 2048/3072/etc. and ECC 256/384/etc., currently serve as a security foundation for much of the world's IT infrastructure. Unless a different provable break of classically secure PKI is found sooner, Q-day in the 21st century can be the day when a private key for either of the above public keys is revealed using a quantum computer.
In summary, the 20th century Q-day immediately preceded the start of the Anthropocene geological epoch. The 21st century Q-day will be a milestone for Quantum Advantage, when quantum computers solve foundational computing problems that are infeasible for digital (or analog) computers alone. The impact of events tied to the 20th century Q-day is certainly far beyond comparison with the impact of the 21st century Q-day. The 21st century Q-day can simply be an important event in the history of computer science.