Q-day PREDICTION: TBD

Crowd-Sourced Predictions & Rewards for Breaking Elliptic Curve PKI (Q-Day)


Prediction Market Opens in early 2025

Reward Starts at USD $(TBD) K and Increases w/ Predictions


Background

Cryptographically relevant quantum computers are expected to break classical public key infrastructure (PKI) related to the discrete logarithm problem (ECC/DH) and the integer factorization problem (RSA).  In May of 2022, the White House announced: "Research shows that at some point in the not-too-distant future, when quantum computers reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications on the Internet."


The date this happens is referred to as "Q-Day" or "Y2Q". Technologies enabled by cryptography such as secure web browsing, bank wire transfers, and the largest cryptocurrencies must change to post-quantum cryptography (PQC) in order to remain secure after Q-Day.  The transition from classical to PQC PKI will take many years with significant investments, and the risks of not implementing PQC increase over time. Encrypted data transmitted across the Internet today, such as medical records, bank statements, etc., could be captured and stored in ciphertext form, with decryption becoming feasible after Q-Day.


An estimate for Q-day would be valuable for governments, institutions, and companies to properly plan.  The Global Risk Institute surveyed dozens of experts on when a quantum computer will be able to break RSA 2048 within 24 hours.  The 2022 report expects around a 50% chance in 15 years.  Germany's Federal Office for Information Security (BSI) "acts on the working hypothesis that cryptographically relevant quantum computers will be available in the early 2030s."   A general trend is that expert estimates for Q-day are growing shorter faster than the years are passing.


Note that Q-day can arrive sooner than estimated from the Global Risk Institute survey, since a provable break of any classically secure RSA/ECC key by a quantum computer brings Q-Day (e.g. not limited to 24 hours of quantum computing time and RSA 2048).  For example, breaking the public key in a widely shared root certificate for TLS over any reasonable quantum computing time (including a year) has greater immediate financial consequences than the ability to break a public key in 24 hours.  TLS 1.2/1.3 is no longer secure when quantum computers achieve the proven capability to break the public key in a widely accepted root certificate based on RSA or ECC.    Specifically, a broken root certificate would allow critical websites to be faked while also appearing trusted in web browsers.  Simply extending RSA or ECC key lengths is not a solution, since the security of longer keys would provide only polynomial scaling (for Shor's or Regev’s algorithms) compared to quantum computing's expected exponential scaling (similar to Moore's law).  


In summary, and as of 2023, there is no consensus on when Q-Day will arrive.  The primary goals of this project are to both (i) obtain a public, market-driven prediction for Q-Day and (ii) provide at least one "bright-line" proof for when Q-Day has indeed arrived.

Breaking Public Key on Curve secp192k1: "Q-Day" and Reward

Breaking  a public key in this context means finding the corresponding private key.  A fundamental assumption for secure PKI is that finding the random private key corresponding to a given public key would be infeasible.   A crowd-sourced reward will be provided for breaking the first of either of the following public keys on curve secp192k1:


X: 5337652013586346735487680959091173929274945375420480564894


Y1: 5368037827508578675636122683046956953213154652721351504696,        OR

Y2: 909063907878102088199666740160709462889200791738388036351


The X-value corresponds to the first decimal number of 192 bit length in the 1955 RAND publication "1 Million Random Digits", where the X-value is on the curve.  The RAND publication predates the invention of ECC by about three decades.  With near certainty, a private key for secp192k1 corresponding to the above X-value has never been generated; the chances are much lower than one in a trillion.  Based on the parameters for secp192k1, two different private keys exist for the above X-value, with each Y-value representing a valid point/public key.  Specifically, secp192k1 has a cofactor ("h") of 1.  With cofactor=1, and thus for secp192k1, "all possible EC points on the curve (including the special point infinity) can be generated from the generator G by multiplying it by integer in the range [1...n]."  Consequently, two different integers (i.e. two different private keys) are certain to exist for the above X-value on the curve for secp192k1.
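The published point can be checked independently with a few lines of modular arithmetic. The following is an added example, not code from this project; it assumes only the standard secp192k1 field prime and curve equation y^2 = x^3 + 3 from SEC 2, and the function names are hypothetical.

```python
# secp192k1 field prime and curve constant (SEC 2): y^2 = x^3 + 3 over F_P.
P = 2**192 - 2**32 - 2**12 - 2**8 - 2**7 - 2**6 - 2**3 - 1
B = 3

# Values published on this page.
X = 5337652013586346735487680959091173929274945375420480564894
Y1 = 5368037827508578675636122683046956953213154652721351504696
Y2 = 909063907878102088199666740160709462889200791738388036351


def recover_y(x):
    """Return both roots of x^3 + 3 mod P (sorted), or None if x is not on the curve."""
    if not 0 <= x < P:
        return None
    rhs = (pow(x, 3, P) + B) % P
    # P % 4 == 3, so a square root (if one exists) is rhs^((P+1)/4) mod P.
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        return None  # rhs is a quadratic non-residue: no point has this x
    return tuple(sorted((y, (P - y) % P)))


def check_published_point():
    """Run every check a third party would want before trusting the target key."""
    roots = recover_y(X)
    return {
        "x_bits": X.bit_length(),                      # must be 192
        "on_curve": roots is not None,                 # x^3 + 3 is a square mod P
        "ys_match_page": roots == tuple(sorted((Y1, Y2))),
        "y2_is_negation_of_y1": (Y1 + Y2) % P == 0,    # the two points are P1 and -P1
    }


if __name__ == "__main__":
    for name, value in check_published_point().items():
        print(f"{name}: {value}")
```

Because the two points are negatives of each other, their private keys are d and n - d, so finding either one yields the other.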


This method to obtain a public key for demonstrating a break has advantages compared to many alternatives.  Valid RSA public keys normally can only be generated using a private key.  Consequently, third parties could potentially question if an RSA public key was actually broken, and instead consider that a corresponding private key was possibly leaked.  Alternatively, an ECC public key for demonstrating a break could be generated through a combination of various public and/or private keys (through point addition of public keys and point multiplication with private keys).  The process and security of values used for that combination may be questioned, and accurate verification of the security for generating the alternative ECC public key could be difficult for third parties.


In contrast to the above alternatives, it is simple to reasonably determine the private key is completely unknown for the above public key.  The primary assumption is the random number for the X-value is selected in a manner that cannot be tampered with.  An example of "tampering" would be presenting a public key to break where the private key is already known.  Tampering for the above public keys is not feasible because:


  • The 1955 RAND publication is a frequently cited source for random numbers and is useful by long predating the invention of ECC.  
  • Selecting the very first decimal number of 192 bit length on the curve for secp192k1 reasonably qualifies as a "nothing up my sleeve" number.


Curve secp192k1 is selected based on:


  • Secp192k1 should remain secure against attacks from classical computers until long after Q-day;
  • Smaller standard curves such as secp160k1 may feasibly have public keys broken by classical computers before Q-Day; 
  • The time when secp192k1 is broken will provide valuable lead time before public keys on more economically relevant curves can be broken, such as (i) secp256k1 used by Bitcoin and Ethereum or (ii) curve25519 used by TLS.  If capabilities of quantum computers are exponentially scaling, then the lead time may be less than a year and likely less than two years; and
  • A quantum computer should be able to break secp192k1 before RSA 2048.   Secp192k1 should require significantly fewer logical qubits and gates compared to RSA 2048.


The discovery of a private key for either of the above public keys would provide reasonable confirmation that Q-day has arrived.  Given the nearly 50 year history of the discrete logarithm problem for cryptography, the probability is low that classical computing resources alone can find a private key.  The term "Q-day" in the 21st century has a slight relationship to the previous meaning for "Q-Day" in the 20th century.  The leading prior use for "Q-day" was for the dress rehearsal (on June 23, 1945) of the first atomic bomb test near Alamogordo, New Mexico.  


Demonstrating the break of secp192k1 can serve as a "dress rehearsal" for the imminent subsequent break of classical PKI cryptography with higher security levels and widespread commercial use.  Those classical algorithms, such as based on RSA 2048/3072/etc. and ECC 256/384/etc., currently serve as a security foundation for much of the world's IT infrastructure.  Unless a different provable break of classically secure PKI is found sooner, Q-day in the 21st century can be the day when a private key for either of the above public keys is revealed using a quantum computer.  


In summary, the 20th century Q-day immediately preceded the start of the Anthropocene geological epoch.  The 21st century Q-day will be a milestone for Quantum Advantage, when quantum computers solve foundational computing problems which are infeasible for digital (or analog) computers alone.  The impact of events tied to the 20th century Q-day is certainly far beyond comparison with the impact of the 21st century Q-day.  The 21st century Q-day can simply be an important event in the history of computer science.

Predictions for Break of secp192k1 and Allocation of Quanta

Users submit predictions for the year in which the first of either of the above ECC public keys will be broken.  Users make predictions by sending Quanta of the Quantum Resistant Ledger (QRL) to the contract address for the predicted year, listed here.  QRL is selected for three primary reasons:

  

  1. QRL will remain secure against quantum computers, while trust in other blockchains based on ECC will be decreasing as classically secure ECC algorithms have imminent risk for being broken; 
  2. QRL mainnet will implement quantum safe smart contracts, which can securely provide the entire functionality of this prediction market without an oracle; and
  3. QRL is well established as the first developed quantum-safe blockchain, which has been securely operating over many years.  


The minimum value submitted for an accepted prediction will be 10 Quanta, as a minimum threshold to limit transaction volume and overall gas fees.  The window for accepting predictions should open around early 2025 (soon after QRL POS mainnet), and the window will close at year end 2026.  Predictions can be made for 15 years/categories of "2026 (or earlier), 2027, ... 2039, and 2040 (or later)".  A successful break while the window is open immediately closes the window and distributes the Quanta as discussed below.


The year of the break will be determined by the timestamp (converted to UTC) of the block containing a QRL transaction that confirms discovery of a private key for the above X-value, as described in the next section.  The sum of all Quanta submitted with predictions for all years will be allocated in the following manner:


  • 35% as the Reward for revealing a private key for either of the above points/public keys; and
  • 65% (less gas fees consumed by the series of smart contracts) to the sending addresses (pro-rata) that accurately predicted the year of the break.


For example, assuming:


  1. A total of 500,000 Quanta is submitted with predictions for all years when the window closes on Dec. 31, 2026;
  2. The private key is revealed in 2031 (where securely revealing a private key is described in the next section); 
  3. A total of 50,000 Quanta is submitted with predictions for 2031; and 
  4. Gas fees for all of the series of contracts add up to 0.2% of the 500K Quanta submitted (e.g. gas fees equal to 1,000 Quanta), then

 

  • 175,000 Quanta ("Reward") will be sent to the address revealing a private key.  The "cash" value of $(TBD) K will be separately transferred;  and
  • 324,000 Quanta total will be sent to addresses (pro-rata) making predictions for 2031


In other words and for the above example, each address sending Quanta to the receiving address for 2031 would receive 6.48x Quanta in return (e.g. net gain of 5.48x Quanta).  The above system will be implemented as a QRL POS mainnet smart contract, when mainnet becomes available likely in late 2024 or early 2025.  The $(TBD) K component of the reward is an initial cash value portion separately retained at the project's launch and also transferred outside of the smart contract functionality described below.  Documents confirming commitments of the cash value portion will be made available on this website upon launch.  Transfer of this $(TBD) K cash value portion will require basic KYC information (confidentially held) for the QRL wallet address revealing the private key. 


Also, one address is provided for 100% allocation of received Quanta to the Reward (e.g. "No Prediction Address").  Some participants may simply want to increase the Reward without making a prediction for the year of the break.  In the example above, if an additional 100,000 Quanta is received by the "No Prediction Address" before the break, then the Reward would be 275,000 Quanta (instead of 175,000 Quanta), while the allocation to winning predictions keeps the same example value described above.  The "No Prediction Address" described in this paragraph (i) can receive Quanta for distributing to the winner until the time of the break, and (ii) is not subject to the window closing for predictions at the end of 2026.  


If a private key for the above X-value is not revealed before January 1, 2040, then the controller smart contract will automatically distribute the 65% allocation (less gas fees) to QRL addresses pro-rata making predictions for year "2040 or later".  The Reward will subsequently be distributed as described below, when the private key for the break is revealed.  

Confirming the Break of secp192k1 and Receiving Reward

{Note: the below steps for identifying and paying the rewards are DRAFT, and subject to change until testnet smart contract code is finalized}


Below are the steps to prove the break of secp192k1 and receive the Reward:


  1. Generate a first confirmed transaction on QRL POS mainnet, by sending at least 10 Quanta to the specified "controller" smart contract address (TBD), with the transaction message set to {"H" | SHA3-256(private key | QRL source address) }, where the private key is for either of the public keys above;
  2. Verify in the QRL Block Explorer your transaction for #1 is successfully completed,  AND wait for at least 100 additional blocks before proceeding to step #3.  This long wait both (i) ensures the first transaction is finalized (even with a re-org of blocks) and (ii) prevents an attacker from submitting the first SHA3-256(private key | QRL source address) when the private key is revealed in the next step. See the contract step #7 below. 
  3. Generate a second confirmed transaction, from the same QRL source address as #1 above and within 1,000 blocks of #1, by sending at least 10 Quanta to the same "controller" address, with the transaction message set to {"SK" | private key }.   Send this second confirmed transaction far under the 1,000 block limit to allow several retries, if necessary, for confirmation and finalization of this second transaction; and
  4. IF the reward is not allocated within 201 finalized blocks from the second transaction in step #3 above (due to lack of subsequent transactions invoking the contract), then generate a third confirmed transaction by sending at least 10 quanta to the same "controller" address.  The message and QRL source address don't matter, and the block number for the transaction only needs to be greater than 201 finalized blocks after step #3 above with the second transaction.  This ensures the "controller" smart contract is both (i) invoked for the contract step#6 below and (ii) completes subsequent steps including allocation of the Reward and Quanta. 


The above steps #1 - #4 ensure (i) the winner's receiving address/wallet for the Reward is securely identified and (ii) the break and time are also available for public inspection.  "QRL source address" is the wallet address of the winner used to generate transactions for steps #1 and #3 above.  The Winner is strongly encouraged to test steps #1 - #4 multiple times on a testnet (using different test public keys P1 and P2 for the contract where the private key is known), before conducting the steps in production on mainnet.  The two transactions for steps #1 and #3 above on mainnet should naturally include high gas fees to ensure prioritization.  Transactions with less than 10 Quanta transferred to the "controller" smart contract will be ignored by the "controller" smart contract, to reduce possible spam input.  All Quanta received at the contract address will also be available as gas for the "controller" smart contract.


The "controller" smart contract performs the steps in sequence in order to determine a Winner and distribute Quanta:


  1. Store secp192k1 points P1, P2 of the public keys to be broken;
  2. For all confirmed transactions received with a message {"H" | 32-bytes }, store the array#1 (QRL source address, 32-bytes, block number).  Array#1 will only store data going back 1,000 blocks;
  3. For all confirmed transactions received with a message {"SK" | private key}, calculate an elliptic curve point multiplication of the secp192k1 base point G by the private key to obtain point P (e.g. P = private key * G);
  4. IF [ point P equals either points P1 or P2, (i) start a block counter and (ii) start array#2 (SHA3-256(private key | QRL source address) ), and (iii) lock array#1 (e.g. stop adds or deletes) ] , ELSE return to step #3.  The SHA3-256 value in array#2 is calculated from (i) the private key in the message and (ii) the QRL source address for the transaction that sends the private key;
  5. IF the block counter is less than 200 (to handle issues for a delay of the actual second transaction for the winner's step #3 above), for every confirmed transaction message {"SK" | private key }, where the private key * G = P1 or P2, include SHA3-256(private key | QRL source address) within array #2;
  6. When the block counter is >= 200, perform the following once:  select from array#1 all (QRL source address, block number) where 32-bytes match a value in array#2 of (SHA3-256(private key | QRL source address) );
  7. The Winner is the QRL source address at the smallest block number selected from step #6.  The year of the break is taken from the UTC timestamp for the smallest block number selected.  The case of no first transaction is handled in "Special Cases" discussed two sections below; and
  8. As summarized in the section for "Allocation of Quanta" above, allocate (i) the 35% of all Quanta submitted (e.g. the Reward) to the Winner QRL source address from step #7, and (ii) the 65% of all Quanta submitted (less gas fees) pro-rata to QRL source addresses predicting the year of the break.  Note the 35% of the Reward is split into two equal portions with the first half paid immediately upon the proven break and the second half separately triggered as described in the last two paragraphs in this section below.  The "cash" portion of the Reward is paid outside of the smart contract functionality.


A summary of the security against an attacker is described in the next section below.  Note that data input to the smart contract is entirely within confirmed transactions and blocks for QRL POS mainnet, which enhances security by omitting an external oracle.  Verification of the break requires only elliptic curve point multiplication of the secp192k1 base point G by the private key, to confirm the result equals one of the two public keys being broken.  Participants can separately use web-based calculators to confirm the winning private key generates one of the public keys for the break with secp192k1.  


All smart contracts for this project will be available as open source within GitHub (or equivalent), with a link provided in this website.  A series of test smart contracts on QRL POS testnet will be implemented before launch of the prediction market on QRL POS mainnet. The test smart contracts will support the use of different secp192k1 public keys to "break", where tests with known private keys can verify functionality and overall security.  An independent audit of the smart contract will also be conducted with audit results provided within this website before launch.    A detailed example for the precise encoding of data within the transaction message field will be provided before launch (e.g. big-endian, hexadecimal for numbers, etc.)


The Reward will be evenly split and (A) the first 50% automatically transferred to the QRL address revealing the private key for a break (in contract steps #7 and #8 above), and (B) the second 50% transferred when an explanation of the technology and algorithms to find the private key is published, either as a preprint or in a peer-reviewed journal.  The release of this second 50% of the Reward to the same QRL address will be triggered for the "controller" smart contract based upon a transaction approved by a Review Committee.  The Review Committee members are currently TBD, but names will be listed on this website upon project launch.   All of the 65%, less gas fees, is distributed to users predicting the year of the break when the private key is revealed. 


Note that the publication for (B) should have sufficient detail to allow knowledgeable third parties to fully reproduce and/or confirm the steps required to find the private key for the break (assuming the third parties have access to an equivalent quantum computer).  The publication should also provide a detailed analysis of the additional quantum computing resources and processing time required to break a public key for secp256k1 and an estimate for the break of an RSA 2048 public key.  

Analysis Confirming Security for Contract and Winner's Steps

The above steps #1 - #8 for the contract and steps #1 - #4 for the Winner ensure secure identification of the Winner, assuming QRL POS/EVM mainnet is secure and blocks are finalized well under 100 blocks.  Two main attacker strategies using the public transaction message data are reviewed below, where both clearly fail:


  1. Attacker (i) successfully confirms the same, publicly disclosed 32-bytes from the Winner's first transaction before the Winner's first transaction, and then (ii) sends a second confirmed transaction with the same, publicly disclosed private key using the attacker's QRL source address; or
  2. Attacker waits for the private key to be disclosed by the Winner.  Attacker confirms, possibly before the Winner's second transaction is confirmed, both (i) the first transaction message of {"H" | SHA3-256(private key | QRL attacker source address) } and (ii) the second transaction message with the winning private key also from the attacker's QRL source address.


Below is a detailed explanation why both attacker strategies fail:


Regarding the first strategy above, an attacker may feasibly "front run" and have the smallest block number with the specific message {"H" | 32-bytes } from the Winner's first transaction.  An attacker could also see the Winner's second transaction message {"SK" | private key} and submit a confirmed transaction with the same message, but only from the attacker's QRL source address.  However, the contract in step #4 and step #5 calculates and records the value of SHA3-256(private key | QRL source address) based on the QRL source address from the second transaction with the message {"SK" | private key}.  The attacker's attempted "front run" and possibly smallest block number with message {"H" | 32-bytes } will be ignored by the contract in step #6 because the attacker's value of 32-bytes will not match the contract's calculated value of SHA3-256(private key | QRL source address).  In other words, (i) the hash value of 32-bytes is based on the winner's input of their QRL source address (and the private key), and (ii) the contract's value for SHA3-256 would be over the different attacker's source QRL address, so there would not be a match for the smart contract step #6 above.


Regarding the second strategy above, the attacker can (A) observe the winning private key, (B) feasibly have a transaction with valid 32-bytes confirmed before the Winner's second transaction (but not before the Winner's first transaction), and also (C) feasibly have a transaction with {"SK" | private key } confirmed before the Winner's second transaction.  However, this still fails because the Winner's valid 32-bytes is in a much lower block (e.g. the wait for Winner's step #2) than the attacker's valid 32-bytes from (B).  In other words, when the Winner conducts the specified steps #1 through #3, the Winner will always have the smallest block number (by far) with (i) a recorded first transaction message with 32-bytes that matches (ii) the smart contract's calculated value of SHA3-256(private key | QRL source address) from the second message with the publicly disclosed winning private key.


There are other attacker strategies which are prevented.  "Denial of service" or an attempted drain of contract gas fails because each transaction with the "controller" smart contract requires at least 10 Quanta and the gas consumed to process each possible transaction will be far below the 10 Quanta (and Quanta input for the "controller" will be allocated to gas).  Brute force attacks from classical computers to guess the private key are clearly infeasible.
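The Winner's commit-then-reveal steps, the controller's contract steps #1 - #7 and both attacker strategies analysed above can be replayed in a small Python model. This is an added example, not the project's contract code. Assumptions: the hash input is the 24-byte big-endian private key followed by the UTF-8 address (the page leaves the encoding TBD), the test key, addresses and block numbers are constructed, and array#2 is keyed by (address, hash) so a commitment only matches for the address that sent it.

```python
import hashlib

# secp192k1 domain parameters (SEC 2): y^2 = x^3 + 3 over F_P, cofactor 1.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37
N = 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
G = (0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D,
     0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D)
MIN_QUANTA = 10        # smaller transfers are ignored by the controller
COMMIT_WINDOW = 1000   # array#1 only goes back 1,000 blocks
SETTLE_AFTER = 200     # block counter threshold in contract step #6


def ec_add(a, b):
    """Affine addition on a curve with a = 0; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point=G):
    """Double-and-add; timing is irrelevant because k is public once revealed."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def commitment(sk, addr):
    """SHA3-256(private key | QRL source address); byte encoding is assumed."""
    return hashlib.sha3_256(sk.to_bytes(24, "big") + addr.encode()).digest()


class Controller:
    def __init__(self, targets):
        self.targets = set(targets)   # contract step #1: P1, P2
        self.commits = []             # array#1: (block, address, 32 bytes)
        self.reveals = set()          # array#2, keyed by (address, hash)
        self.locked_at = None         # block of the first valid reveal

    def _prune(self, block):
        self.commits = [c for c in self.commits if block - c[0] <= COMMIT_WINDOW]

    def on_tx(self, block, addr, quanta, tag, payload):
        if quanta < MIN_QUANTA:
            return
        if tag == "H" and self.locked_at is None:            # step #2
            self._prune(block)
            self.commits.append((block, addr, payload))
        elif (tag == "SK" and isinstance(payload, int) and 0 < payload < N
              and ec_mul(payload) in self.targets):          # step #3
            if self.locked_at is None:                       # step #4: lock array#1
                self.locked_at = block
                self._prune(block)
            if block - self.locked_at < SETTLE_AFTER:        # step #5
                self.reveals.add((addr, commitment(payload, addr)))

    def settle(self, block):
        """Steps #6-#7. Same-block ties (split on the page) are not modelled."""
        if self.locked_at is None or block - self.locked_at < SETTLE_AFTER:
            return None
        # Match on (address, hash), not the hash alone: 32 bytes copied from the
        # Winner but sent from another address must not count as a commitment.
        hits = [(b, a) for b, a, h in self.commits if (a, h) in self.reveals]
        return min(hits)[1] if hits else None   # None: no valid first transaction


def run_scenario():
    """Constructed replay of both attacker strategies; returns the Winner."""
    sk = 0x5EC2E7C0FFEE                 # constructed test key, as on a testnet
    p1 = ec_mul(sk)
    p2 = (p1[0], P - p1[1])             # same X, negated Y (private key N - sk)
    ctl = Controller([p1, p2])
    winner, attacker = "Q_winner", "Q_attacker"   # placeholder addresses
    h = commitment(sk, winner)
    ctl.on_tx(4999, attacker, 10, "H", h)   # strategy 1: copied bytes, mined first
    ctl.on_tx(5000, winner, 10, "H", h)     # Winner step #1
    # Winner waits more than 100 blocks (step #2) before revealing (step #3).
    ctl.on_tx(5150, attacker, 10, "H", commitment(sk, attacker))   # strategy 2
    ctl.on_tx(5151, attacker, 10, "SK", sk)
    ctl.on_tx(5152, winner, 10, "SK", sk)
    return ctl.settle(5151 + SETTLE_AFTER)
```

The attacker's own commitment at block 5150 does match its reveal, which is why the Winner's 100-block wait matters: the Winner's matching commitment sits at the smaller block number.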


Review of design decisions and "special cases"


Implementation of ECDSA for secp192k1 is not required within the smart contract or by a client for the winner, which greatly reduces complexity. Avoiding ECDSA prevents questions of whether (A) a secure public key for secp192k1 is proven to be broken when (B) a valid digital signature has been verified by the public key.  Successful demonstration of (B) actually proves something different, namely that ECDSA for secp192k1 can be broken.  Using ECDSA, a single transaction attempting to confirm the break could include generating a valid digital signature over at least the winner's QRL source address.  The possible advantage of this approach would be that the winning private key does not need to be directly revealed in plaintext.  The digital signature could be verified by checking with both of the public keys listed above.  About 300 - 400 lines of code for an EVM are likely needed to implement ECDSA for secp192k1, with extensive testing and validation.


A goal of the project is directly revealing the private key to clearly prove (i) public keys for secp192k1 can be broken and (ii) Q-day has arrived.  The successful verification of a digital signature, as described in the paragraph above, is less direct and subject to reasonable questions or possible denial of the broader claim that PKI for secp192k1 can be broken.  As one example, if a digital signature using secp192k1 is successfully verified by one of the two public keys, does that actually prove the private key has been determined?  Experts could (i) agree the specific implementation of ECDSA for secp192k1 has been shown to be broken, but (ii) remain unconvinced of the broader desired claim that a secure public key for secp192k1 has been broken.  Those experts and third parties generally could also remain unsure if Q-day has arrived.  


In order to firmly prove (A) a secure public key for secp192k1 has been broken instead of (B) only proving a break of ECDSA for secp192k1, an alternative to the above steps for the Winner and the contract could include (i) a first transaction with an ECDSA digital signature and then (ii) a second, later transaction revealing the private key.  With this alternative, (i) the first transaction could have a message of {"SIG" | signature (QRL source address) }, and then (ii) the same second transaction message of {"SK" | private key}.  However, securely implementing this alternative ultimately would require steps very similar to those already outlined for the Winner and the contract above!  Consequently, for the overall goal of revealing the private key to prove the break of a reasonably secure public key for secp192k1, the steps outlined above for the Winner and the contract are simpler and preferred, compared to the more complex implementation and use of ECDSA for secp192k1.


IF the private key for the break is revealed in a transaction message of {"SK" | private key } without a first transaction message {"H" | SHA3-256(private key | QRL source address) } within the prior 1,000 blocks, THEN (i) the "controller" smart contract will distribute the 65% (less gas fees) and (ii) the 35% for the Winner will be retained by the contract and later released to an address or addresses determined by the Review Committee (at its sole discretion) described in (B) for the last paragraph in the section "Confirming the Break ..." above.  Also, for this case of the private key being revealed without the first transaction message, then the year of the break will be the UTC timestamp of the block with the message revealing the private key.  The 35% distribution will be triggered for the "controller" smart contract based upon a transaction (which contains the receiving QRL address) approved by the Review Committee.  Note the Winner can completely avoid this case by simply ensuring the first transaction with the message of  {"H" | SHA3-256(private key | QRL source address) } is confirmed and finalized before sending their second transaction message of {"SK" | private key }.  As mentioned above, the Winner should also test transactions on a testnet (with different public keys to break) using the published smart contract code.


IF two valid and different first transactions from step #1 for the Winner(s) with {"H" | SHA3-256(private key | QRL source address) } are finalized in the same smallest block number (highly unlikely), THEN the 35% Reward will be split between the two QRL source addresses.  IF more than two valid and different first transactions from step #1 for the Winner are finalized in the same smallest block number (implausible), THEN the 35% Reward will be split between the first source QRL addresses for the lowest 2x Winner first transactions listed in the block.


There likely will be more special cases to consider and handle as the smart contract code is developed and tested.  Handling for those special cases will be described here.

Conclusion

The prediction market can provide a useful public estimate for when Q-day arrives, at least for the first few years after launch.   The estimate may be helpful around 2027-2028 for companies and organizations to plan investments in upgrading IT systems to support post-quantum cryptography and phase out classical PKI algorithms.  A proven break of secp192k1 will confirm classical PKI cryptography has imminent risk, and projects for upgrading to PQC should have clear visibility for nearing completion. 


Predictions made with financial commitment/backing should accurately reflect the views and information held by participants.  Note that financial incentives also tend to keep the market neutral.  If many users might be overly optimistic for predicting Q-day too soon, this provides financial incentive for other users with opposing views (that Q-day is later) to submit balancing predictions based on financial gains available from the "apparent" market bias (at least according to their views).  Since the break of 192 bit ECC is a good measure for determining Q-day, it's likely other prediction markets will become available, including those based directly on USD and other fiat currencies.  Comparison between prediction markets should indicate possible bias for participants in each prediction market.  


Operating the prediction market through smart contracts on a quantum safe blockchain provides the highest level of trust for participants.  Rewards are precisely linked to a proven break of secp192k1.  Traditional prediction markets can be more subject to risks from human errors or tampering related to:


  • maintaining complete security of allocated funds over many years, with associated enterprise risks (e.g. cybersecurity, personnel changes, etc.);
  • ensuring a determined "break" has truly occurred;
  • accurately determining the date a break is proven; 
  • trusted and immediate payment to participants who successfully predicted the break; and
  • secure identification of the party who achieves the break (at least their QRL address), and the trusted payment of the Reward.


Consequently, this project can achieve both (i) a secure prediction market and (ii) a public, proven arrival of Q-day, which should also receive widespread recognition.  In January of 2023, the Financial Times reported that for a true break of classical PKI cryptography, "it would be a secret like out of the movies, and one of the biggest things ever in computer science."


Interested companies and organizations are also invited to provide funding commitments (not based on Quanta) to the Reward for the party finding a private key.  These funding commitments increase the separate "cash" value of the Reward.  Contact project management here, and funding commitments can be recognized as sponsors.  Payment of these "cash" value commitments will be directly (i) from each entity making a commitment (ii) to the party revealing the private key (as securely identified in steps #7 and #8 of the controller smart contract).  A goal is to increase the value of the Reward, so both (i) teams with quantum computing capabilities have increased motivation to break the secure public keys identified above, and (ii) a proven/true break of classically secure PKI becomes public knowledge when the technical capability exists.