Claim being tested: the Q‑Day Prize submission in this repo demonstrates a quantum attack on ECDLP — specifically, key recovery on curves up to 17 bits using IBM Quantum hardware.
This branch applies a single surgical patch (−29 / +30 lines) to projecteleven.py. The patch replaces the IBM Quantum backend inside solve_ecdlp() with os.urandom. Everything else — circuit construction, the ripple‑carry oracle, the extraction pipeline, the d·G == Q verifier — runs byte‑for‑byte unchanged.
If the quantum computer were contributing measurable signal, this substitution should break the recoveries. It does not. The author's own CLI recovers every reported private key at statistically indistinguishable rates from the IBM hardware runs.
The diff
if token: - service = QiskitRuntimeService(...) - ... - backend = service.backend(backend_name) - ... - qc_t = transpile(qc, backend, optimization_level=optimization_level) - ... - sampler = SamplerV2(mode=backend) - job = sampler.run([qc_t], shots=shots) - ... - result = job.result() - pub_result = result[0] - counts = pub_result.data.cr.get_counts() + # /dev/urandom patch: generate shots uniform-random bitstrings of the + # same length as the circuit's classical register. Everything downstream + # of counts is the author's code, unchanged. + import os as _os + from collections import Counter as _Counter + + nbits = qc.num_clbits + bpb = (nbits + 7) // 8 + mask = (1 --shots 8192
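Review bot: nothing visible in the added block fixes the key format of the replacement counts. The removed line took them from pub_result.data.cr.get_counts(), so the generated strings need to be zero-padded to nbits = qc.num_clbits characters for the unchanged extraction to parse them the same way. The added lines are cut off on this page after "mask = (1", so this cannot be confirmed here; an assert on key length next to the Counter construction would make it checkable. The function-local imports (import os as _os, from collections import Counter as _Counter) would also read better at module level, and writing the drawn bytes to the run log would let a reported recovery be replayed exactly.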
python projecteleven.py --challenge --shots 8192
Full output: urandom_runs/urandom_challenge_4.txt … _10.txt
| challenge | author's reported d | /dev/urandom recovered d | result |
|---|---|---|---|
| 4‑bit | 6 | 6 | ✅ verified first try |
| 6‑bit | 18 | 18 | ✅ verified first try |
| 8‑bit | 103 | 103 | ✅ verified first try |
| 9‑bit | 135 | 135 | ✅ verified first try |
| 10‑bit | 165 | 165 | ✅ verified first try |
Every d is byte‑identical to the author's reported hardware result. The author ran each once. So did /dev/urandom. Both "succeeded."
The 17‑bit result is the one awarded 1 BTC. /dev/urandom recovers it in ~40% of runs on a laptop. The author ran it once on IBM ibm_fez and claimed a quantum result.
No quantum computer was harmed in the recovery of this private key.
Why this works (and why it's the submission's problem, not ours)
The author's extraction (ripple_carry_shor.py:197-240, projecteleven.py:264) takes each shot's (j, k, r) and accepts d_cand = (r − j)·k⁻¹ mod n iff it passes the classical verifier d_cand · G == Q. Under uniform noise, d_cand is uniform on [0, n), so
No IBM account. No token. No quantum hardware. No network.
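An added example, not code from this repo or from the submission: the accept rule described above, applied to uniform-random (j, k, r) triples on a toy curve. The curve (y² = x³ + 2x + 2 over F_17, G = (5, 1), n = 19), the function names, and drawing j, k, r directly from [0, n) are assumptions made for illustration.

```python
import random

# Textbook toy curve (assumed for illustration, not one of the challenge curves):
# y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of prime order n = 19.
P, A, N, G = 17, 2, 19, (5, 1)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def recover_from_noise(Q, shots, rng=None):
    """Apply the accept rule to uniform-random (j, k, r) shots.
    Returns (d, shots_used) on the first verified candidate, else (None, shots)."""
    rng = rng or random.SystemRandom()    # SystemRandom draws from os.urandom
    for i in range(1, shots + 1):
        j, k, r = (rng.randrange(N) for _ in range(3))
        if k == 0:
            continue                      # k has no inverse mod n
        d_cand = (r - j) * pow(k, -1, N) % N
        if ec_mul(d_cand, G) == Q:        # classical verifier d_cand * G == Q
            return d_cand, i
    return None, shots

def noise_hit_probability(n, shots):
    """P(at least one verified candidate) if each shot's d_cand is uniform on [0, n)."""
    return 1 - (1 - 1 / n) ** shots
```

Because the verifier accepts only the true d, any number of noise shots can never produce a wrong key; it can only fail to produce one, which is why a single successful run carries no evidence about where the shots came from.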
Caveat
The engineering in this repo (six oracle variants, CDKM ripple‑carry adders mapped to heavy‑hex topology, semiclassical phase estimation with mid‑circuit measurement) is genuine and non‑trivial. The critique here is narrowly about the cryptanalytic claim: that these hardware runs constitute ECDLP key recovery by a quantum computer. They do not. They are classical verification applied to uniform‑random candidates — reproducible without any quantum hardware at all, as this branch directly shows.