Would You Take On A $1 Million Bet For The Cracking of Elliptic Curve Cryptography (ECC) By 2050?


There is a great deal of debate about the cracking of public key encryption with Quantum Computers. Like it or not, Shor’s algorithm [3] showed how we can crack RSA, Elliptic Curves Cryptography (ECC) and Discrete Logarithms using Quantum Computers. The theory is unquestionable, but the time that QCs will be built for production-level cracking is the main question to be answered — or at least, proposed.

And, so, on 18 April 2023, a strange challenge was posted to the PQC email forum:

It was from John Preuß Mattsson from Ericsson Research:

The bet follows one made in 2017 between Daniel J Bernstein (djb) and Francisco Rodríguez-Henríquez, and where RSA-2048 will be cracked by 2033. John’s bet of $2,050 is that RSA-2024 will not be cracked by 2050. Again, djb stood the bet, along with John Sahhar, Daniel Apon, and Michele Mosca. John Sahhar, in fact, posted a further challenge that wagered $1 million that 256-bit Elliptic Curve methods would be broken by 2050:

On Tuesday, April 18, 2023, John Sahhar <jo...@entropy.xyz> wrote:
Hello John,

Wager accepted.

Furthermore, I wager anyone 1,000,000$ USD that solving the discrete logarithm
of any 256 bit Elliptic Curve will be computationally feasible by a
quantum computer before or during the year 2050.

Any takers?

John Sahhar
Cryptographer @ Entropy Cryptography Services, Inc.
Contact - https://ok-john.us/about

For this, Gouzien et al [4] recently computed the expected time to crack an n-bit ECC problem for the number of kiloqubits, and found that ECC-256 could be crackable within 100 kiloqubits:


RSA gains its key security strength from the multiplication of two prime numbers (p and q) to get N. If we get p and q, then we can work out:

Phi = (p-1)(q-1)

And since we have encryption key (e), which is normally 65,537, we solve for d in:

d x e mod (PHI) = 1

Basically we have the inverse of e mod PHI For example, if we have an e value of 65,537 and a PHI of 10,347,768,518,374,182,260, then the decryption key value (d) will be 12,406,113,933,120,080 Test.

And so, it becomes easy to crack RSA if we can crack N. But when we define that a digital certificate has 2,048 bits, how big are the values of p and q? Well, if we have an n bit value and multiply it with an m-bit value, we get a result which has n+m bits. And so if our RSA keys are 2,048 bits long, then our prime numbers will be half this size (1,024 bits).

So how many digits will a 1,204-bit have? Well, we can use Python to determine that it has 309 digits:

>>> y=2**1024
>>> print y,len(str(y))
37216 309

and when we multiply two 1,024-bit primes, we get a 617-digit number:

>>> y=2**2048
>>> print y,len(str(y))
596230656 617

Martin Gardner’s Scientific American column first proposed the RSA method; the challenge was to break an N value of just 129 digits, and which would be fairly easy to crack today (but at the time, Ron Rivest thought it would take 40 quadrillion years to factorize).

So if we want to generate two prime numbers, how long will it take? Well again, we can turn to Python and use the Riemannr method to estimate the number of prime numbers that are 1,024 bits long:

import sys
import math
from mpmath import *


print "Est prime numbers :\t",n
print "Estimation to find is 1 in",(2**1024)/n

If we run, we determine that we have a massive number for1,024-bit numbers, but that the chances of us finding one is 1-in-1,418:

Est prime numbers : 12669164489297035838042749092693935645472324718849614339
Estimation to find is 1 in 1418

And so we could generate a 1,024-bit number using a getranbits() function:

>>> import random
>>> random.getrandbits(1024)
>>> random.getrandbits(1024)

And then test if it is a prime number. If not, we decrement it and test again. From our calculation, it should only take 1,418 attempts to find one.


One of the most popular methods of factorizing a modulus is the prime sieve. This can create all the prime numbers up to a given limit. For this, it progressively removes composite numbers until it only has prime numbers left, and it is the most efficient way to generate a range of prime numbers [here]:

import sys


if (len(sys.argv)>1):

def sieve_for_primes_to(n):
size = n//2
sieve = [1]*size
limit = int(n**0.5)
for i in range(1,limit):
if sieve[i]:
val = 2*i+1
tmp = ((size-1) - i)//val
sieve[i+val::val] = [0]*tmp
return [2] + [i*2+1 for i, v in enumerate(sieve) if v and i>0]

print (sieve_for_primes_to(test))

This works because we start with all the odd numbers up to the square root of the limit of the numbers we are looking for. If we have 100, then the size will be 50. We start off with odd numbers (as 2 is the only even prime):

3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 .. 99

In the first time round, we have i equal to 1, and we will jump three each time and mark them as not prime (to find all the factors of 3):

3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 .. 97 99

In the next time round, we will jump 5, starting at 5 (to find all the factors of 5):

3 5 7 X 11 13 X 17 19 X 23 25 X 29 31 X 35 .. 97, X

In the next time round, we will jump 7, starting at 7 (to find all the factors of 7):

3 5 7 X 11 13 X 17 19 X 23 X X 29 31 X X .. 97 99

In the next time round, we will jump 9, starting at 9 (to find all the factors of 9):

3 5 7 X 11 13 X 17 19 X 23 X X 29 31 X X .. 97 99

In the end, we stop at 19, and with a jump of 19, and add the value of 2 to the discovered prime numbers:

2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97

In February 2020, Boudat et al cracked the RSA-250 (828-bit) RSA challenge.

RSA-250 = 2140324650240744961264423072839333563008614715144755017797754920881
RSA-250 = 6413528947707158027879019017057738908482501474294344720811685963202
× 333720275949781565562260106053551142279407603447675546667845209870238417292

It took 2700 CPU core-years to crack, and used the Number Field Sieve algorithm. At present RSA-260 (with an 862-bit modulus) is still yet to be factored.

Energy to crack RSA

In order to understand the concept of work in cracking cryptography, Lenstra [here] defined the concept of Global Security in order to show the amount of energy required to crack cryptographic algorithms and compared this with the amount of water that energy could boil something. This could be seen as the carbon footprint of cracking. For a 35-bit key symmetric key (such as AES), you only need to pay for the boiling of a teaspoon of energy, and for a 50-bit key, you just need to have enough money to pay for a shower:

So let’s look at RSA. In order to crack it, we need to factor N, into p and q (the two prime numbers used). Once cracked we can determine PHI (p-1 x q-1), and then we can determine the decryption value (d) [here]. First we will take teaspoon security, and where we would need to consume the amount of energy that can boil a teaspoon. A sample would be (242-bit RSA modulus) [here]:

N=p*q= 5896261486983538627098661478596873684661596787145726508859641645687965941

The prime numbers have 121 bits, and, if we were to crack it, the prime numbers are:

(p): 2526944374765758521282783272842906989
(q): 2333356264531983395509730755656883369

Now we try pool security, which will have a 745-bit modulus [here]:

N=p*q= 328205934170686373022187747612351335632840120299170566830841570637

You would then have to consume the amount of energy to boil a swimming pool of water, in order to recover p and q, and which would be:

(p): 5136574890107321107930054184342872847511932740355863615831749987190796683508207354267329960601590388187075433061
(q): 6389587248163902409204449208538775019640799414724150251382810569000364623759594714615114512184726059299258653193

Now, for a 2048-bit modulus, we would have to get the energy to boil all the seas in the world in order to factorize this [here]:

N=p*q= 43167595701317556262423026656965675311752941263790242843723869722559

If you could afford the energy to boil all the seas on the planet, you would be able to recover the prime number factors of:

(p): 196609148217569855881469103057436778288884865730728431036496969106242709174542556226244974424242605165013577403243273721574500460326174617160923703395095978667090714867455310166651932606597318485468745721964757615177804666962624050069365974032392172635080905056653578728556376998092239415714121906067
(q): 219560463450804526512484156665207894511493329487508026519690092833541901773486924130405885017845670513121751269792879364231218578683707161192474640518621978728363979172391042793592947789410287416485864619629721775927035570271970144478351754084252110756000450203907965120369883036301470716442779209339

Finally we move to solar security (4,096-bit modulus) [here]:

N=p*q= 3960081571383420167814679941098524090937928309488590816012966209196161

You will never find the prime numbers, but they are:

(p): 2387628035654914041578676682340635535950948791037039903330270590495501744849764207480076462162294270197243407459110192208709737698247332428053357258855955290692393471421516310661792749482905080962109692416944336517049095407867686284521225687878370847230533829287501911033500368831913293493330562838467387835530549969054109399131451846959457130413492668037089837378118350872377084885693225874836148717207853352068189405415387476462556003921350678166912349980061364631958090280213640154021116006326720158290040518790513066623093136091263566334119222952846436577451
(q): 1658583963769377603578396329705793644732710623310129654038348230711585763044092787355651332948374169988931521882298144371384733551640579147022118494636732293264604461116977329421823894181755805820089237394172033870263627093736577790369697957516336302977958796425947479274422794199973433467842572527064416348509712003954901454840352976743534063167992440103943082723957859216188269111695713462656653049479588103312185114742167076660911677070759504987871743971457634287384430572107927280368523691106585718147625665698291217102305172813935222056309427697965967221113

Cracking with quantum processors

A recent paper was published that perhaps speeds up the migration process [here][1]:

In the paper, it is quoted that:

We demonstrate the algorithm experimentally by factoring integers up to 48 bits with 10 superconducting qubits, the largest integer factored on a quantum device. We estimate that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 using our algorithm.

The worrying part of this statement is that there are companies that are creating quantum computers that are likely to release 1,000 qubit+ processors by 2025. Previously, it was thought that RSA-2048 would need millions of physical qubits to crack it.

The paper focuses on 2K RSA cracking, but another risk would be if ECC was crackable, as this would mean that our key exchange methods (with ECDH) and digital wallets for cryptocurrency could be cracked. Obviously, the word “challenge” is a little vague, and there is no real benchmark defined about how costly it would be for a quantum computer to actually crack RSA-2048.

There are, though, some doubts about the paper, as the method is not based on Shor’s method [3], but on one defined by Peter Schnorr [1] (and which was subsequently withdrawn):

Also, sublinear does not relate to sublinear time, but to the number of Qubit circuits. No practical evaluation of the time it would take to crack the modulus is given in the paper.

Cracking with lattices

In RSA, we create a modulus (N) by multiplying two random prime numbers (p and q). If we can factorize this modulus into p and q, we easily break RSA. One of the most popular methods for factorizing a modulus is using lattice methods. This includes the LLL method and which was created by AK Lenstra, HW Lenstra, Jr., and L Lovasz in 1982. If you want to see it in operation, try here:



The bet for RSA-2048 has been laid down, but the Elliptic Curve one is still open.


[1] Yan, B., Tan, Z., Wei, S., Jiang, H., Wang, W., Wang, H., … & Long, G. L. (2022). Factoring integers with sublinear resources on a superconducting quantum processor. arXiv preprint arXiv:2212.12372.

[2] Schnorr, C. P. (2021). Fast factoring integers by SVP algorithms, corrected. Cryptology ePrint Archive.

[3] Shor, P. W. (1994, November). Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings 35th annual symposium on foundations of computer science (pp. 124–134). IEEE.

[4] Gouzien, É., Ruiz, D., Régent, F. M. L., Guillaud, J., & Sangouard, N. (2023). Computing 256-bit elliptic curve logarithm in 9 hours with 126133 cat qubits. arXiv preprint arXiv:2302.06639.



Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.