If you want to prove that somebody has the ability to pick locks in order to protect your valuables, you leave the prize sitting on the kitchen table (at 66 bits of entropy) behind your relatively easy front door lock, not in a secure vault with triple redundant mechanisms. Somebody with the solution is going to be able to claim the money in far, far less computing time than they could claim a larger prize by breaking industry-standard pre-quantum key sizes.

The $400,000 is an inducement for any participant in that engineering effort to break the conspiracy and take the bag. It's effective during the period between the time that a quantum Shor's solver has been achieved for a given algorithm in theory for 256 bits (and in practice for 66 bits), and the time that a practical solution at 256 bits has been implemented.




Except they don't need to take it now, just before anyone else does.


Let's say a given intelligence agency's quantum computing efforts have Shor working for 16 bit keys in 2025, for 64 bit keys in 2028, for 128 bit keys in 2033, and for 256 bit keys in 2038. Let's say competing intelligence agencies are 1-3 years behind. Let's say we make it to Puzzle 69 over the next four years. Nice.

I don't know how plausible that timeline is either in spacing or accuracy.

Sometime in early 2029, a bunch of people suddenly find that they're eligible for a $400,000 cash prize if they manage to secretly steal a bit of time on a working quantum computer. In 2030, that group of people doubles, and incorporates a new agency with its own security weaknesses. By 2031 we're talking about four separate countries with their own engineers that have managed to achieve the capability to claim that cash prize. Private corporations are somewhere on the horizon. Very soon this becomes an urgent imperative to anyone inclined, because the prize, like cash, disappears the moment that somebody else seizes it.

It's hard to keep conspiracies, particularly with a verifiable open offer of large amounts of highly portable money on the table to the first person to reveal secrets, and a gradually widening circle of access. The gradually expanding circle of access is what ensures we get some kind of alarm LONG before 2038. Keeping that secret to even 2033 requires hundreds of people and four agencies with diverse motivation and values to consistently turn down cash money for years on end in the interest of keeping their quantum capabilities hidden from the world.


In other words, anyone else with access to the same computing power, and part of the conspiracy


"access"


Except your analogy doesn't work because every single bitcoin address has the same brand of lock.


Based on the other comments, is that true? The top comment here implied that the puzzle explicitly had a private key with all 0s except for 66 bits, so that lock was definitely weaker than a key with all bits unknown, right?


Each key is a brand in the analogy.


Why should the analogy consider each key as a different brand of lock? Each key needs to be cracked separately, but you can use the same method for all of them (assuming one finds a general method and not one based on some property that only a subset of the keys has). So it should be akin to locks of the same brand, using different keys to open them. But, being of the same brand, they can be picked in the same way.


Perhaps each key is not a different brand, but given that the puzzle had only 66 known bits, it seems equivalent to knowing what some of the cuts are on a physical key.
