Author

Topic: Bitcoin puzzle transaction ~32 BTC prize to who solves it - page 326. (Read 239888 times)

newbie
Activity: 19
Merit: 0
Im a bit lost, you mean you create a code that can be run on mobile fast enough to search for the private key of a known public key within a limited search space?

It uses only cpu. If the search space is very limited, it is like you know already many bit of 256.
I'm saying:

for example, if you provide me:
1) a public key
2) the first 198 bit of the private key

then I can recover the last 58 bit of the key. Nothing more.

There is no magic, 58 bit is not so much. That is the meaning of the sentence: "the search space is very limited".
My code runs on a cpu. So I can use efficiently the Ram of my pc. Gpus are good for hashing computations, cpus are good for elliptic (multi integer precision, 256 bit in this case) computations.


I'll try a little explanation:

If I know already the first 255 bit, then the search space is 2 (the value for the right key ends with 0 or 1).
if I know already the first 254 bit, then the search space is 2^2 = 4
if I know already the first 246 bit, then the search space is 2^10 = 1024

With so small number, any cpu can in less than 1 sec retrieve the correct private key with brute force.

Now we talk about the key #57 of  the puzzle transaction. We all know that the first 200 bit are 000000.....00001
then I search only the last 56 bit (between 2^56 and 2^57 - 1). With brute force I would need to use 2^56  different private keys to generate 2^56 public keys. Too much time. But If I knew only the address and not the public key, that would be the only way.

But If I know the public key too, then I can exploit an algebraic property of the elliptic curve (of all elliptic curves, not only the secp256k1).  Then instead of doing 2^56 "computations", I need only to compute a list of 2^28 public keys, put it in Ram, then generate another list of 2^28 public keys and do a comparison between the 2 lists. In this way I get 2^58 combinations (that's the way the Baby Step Giant Step algorithm works). If you look at the links I provided in the previous post you can understand it better.


Input data:

private key #57 :
Code:
first 200 bit:
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001

public key
(I got it from https://www.blockchain.com/btc/tx/95b77d69302fbc805f1a6e97a3f0d27159017341e5f2d40ec79785d830fe9d59 -->
PUSHDATA(33)[02a521a07e98f78b03fc1e039bc3a51408cd73119b5eb116e583fe57dc8db07aea], look at this answer to understand how to get the y coordinate too)
Code:
x = a521a07e98f78b03fc1e039bc3a51408cd73119b5eb116e583fe57dc8db07aea
y = 6fb15c871dd7cf7d287390acd4e09d41f705081a98d5fe3a930ca032525dbcdc

Output data:

last 56 bit of the private key#57:
Code:
1101011001001011100100100000111100101011101011000011100

Now, for the next private key #58:

Input data:

private key #58 :
Code:
first 199 bit:
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001

public key
Code:
x = ?
y = ?

Output data:

last 57 bit of the private key#58:
Code:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



Hi. I probably misunderstood something.

In your example #57 (first 200 bit + last 56 bit) =

0000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000011101011001001011100100100000111100101 011101011000011100

HEX: 00000000000000000000000000000000000000000000000000eb25c90795d61c => 1J9zB6p4dRgyinst2eCVsyXvgYXtNhw2Y2

This is not a private key for #57

What did I miss?
jr. member
Activity: 115
Merit: 1
Quote from: maianh09
This is a game for geniuses with great minds.

The most funny thing - the guy who took 3 puzzles in a row just bought 3 gtx1080ti.

The next megagenius is the one, who will step in with 5 1080ti's  Grin
member
Activity: 166
Merit: 16
anyone notice the other transactions on #57? how on earth did they do that? Those are hellafied vanity addresses.
edit: Sorry pre coffee me.. someone just sent to those addresses .. had me freaking out for a sec.. like oh man if they
can generate vanity addresses that long that fast they pretty much own all the btc... *panic mode engaged*
Then *doh! eureka moment*  NOW it's funny.



These addresses are not vanity addresses, they are made up ones.  it is just burning away some BTC... no one can claim them. 

Am I making sense?


I got that, hence the edit right after I posted and had a couple of sips of coffee. Smiley ref: doh! eureka moment.
I left the post because I'm just that way, I tack on info rather than delete posts.. (i.e. when I say something stupid I straight own it. hehe)
newbie
Activity: 14
Merit: 1
There is something phishy about this post. Why should someone solve a transaction of pvk decimals?
member
Activity: 245
Merit: 17
That works only if you have enough RAM to store 2^28 keys. Otherwise that program cannot retrieve #57.

Besides if you want to retrieve only #57 and you don't modify the code, it starts always from 1 to 2^57 - 1 (instead from 2^56 to 2^57 - 1)

Could you please show us how to change the code so it can search only range 2^56 to 2^57 - 1?

see (https://gist.github.com/jhoenicke/2e39b3c6c49b1d7b216b8626197e4b89) and want to get all puzzle private keys up to #57 ,
you need to change  giant steps up to  2^28

#define GSTEP (1<<28)

Also you need to complete the list of raw public keys

#define NUMPUBKEYS 57
unsigned char rawpubkeys[NUMPUBKEYS][33] =
{

}
member
Activity: 245
Merit: 17
anyone notice the other transactions on #57? how on earth did they do that? Those are hellafied vanity addresses.
edit: Sorry pre coffee me.. someone just sent to those addresses .. had me freaking out for a sec.. like oh man if they
can generate vanity addresses that long that fast they pretty much own all the btc... *panic mode engaged*
Then *doh! eureka moment*  NOW it's funny.



These addresses are not vanity addresses, they are made up ones.  it is just burning away some BTC... no one can claim them. 

Am I making sense?
full member
Activity: 672
Merit: 100
This is a game for geniuses with great minds. You see this is almost impossible when we are ordinary people but the whole article has too little information is given. Are you Conan? Or can you just fall asleep thinking about how to solve this problem?
legendary
Activity: 1948
Merit: 2097
@arulbero
I have an idea about #58. Can I message you the details?

Just to be clear: that is the time I need to recover the private key from the public one (using a cpu), to do a brute force I would need a gpu (or more) and a different program.
 
It is completely different.
newbie
Activity: 14
Merit: 0
@arulbero
I have an idea about #58. Can I message you the details?
legendary
Activity: 1948
Merit: 2097

Quote

About 16.7 MKeys/s, 1 GKeys/min.
 
Let's say 2^24 Keys/s.
To compute 2 lists of 2^28 keys, it takes 2 * 2^4 seconds, about 30 seconds. That is the time it took to retrieve the key #57.
Have you tried to search a key in space of 10 quadrillion? How many hours you think it can finish that large space?

American or British system ? -> https://www.quadrillion.com/number.shtm

quadrillion = 10^15 -> 10 quadrillion = 10^16?  10^16 = 2^53  -->  2 lists of 2^26 keys = 2 * 2^2 = 8 seconds  

quadrillion = 10^24 -> 10 quadrillion = 10^25?  10^25 = 2^83  --> 2 lists of 2^41 keys ? NO! Too much for my RAM!


Let's say that the max list size (for my RAM) is 2^28 keys.
 
To retrieve the #59, I need to compute 2 list of 2^29, I have to split the first in 2 * 2^28, then generate the 2^29 keys of the second list 2 times against each half of the first,  tot: 2*2^28 + 2*2^29 = 3*2^29 instead of 2*2^29 (96 seconds instead of 64 seconds).

To retrieve the #61, I need to compute 2 list of 2^30, I have to split the first in 4 * 2^28, then generate the 2^30 keys of the second list 4 times against each quarter of the first list,  tot: 4*2^28 + 4*2^30 = 5*2^30 instead of 2*2^30 (320 seconds instead of 128 seconds).

To retrieve the #63, I need to compute 2 list of 2^31, I have to split the first in 8 * 2^28, then generate the 2^31 keys of the second list 8 times against each part of the first list,  tot: 8*2^28 + 8*2^31 = 9*2^31 instead of 2*2^31 (1152 seconds instead of 256 seconds).

To retrieve the #65, I need to compute 2 list of 2^32, I have to split the first in 16 * 2^28, then generate the 2^32 keys of the second list 16 times against each part of the first list,  tot: 16*2^28 + 16*2^32 = 17*2^32 instead of 2*2^32 (4352 seconds instead of 512 seconds).

Time is for the #(57+x) = (2^(x/2)+1) lists of 2^((57+x-1)/2) keys instead of only 2 lists of 2^(57+x-1)/2 keys


For the #61 = #(57+4) = (2^2+1) * (2^30) = (2^2  + 1) lists of 2^30  -> 5 * 2^6 seconds = about 320 seconds = 5 min 20 sec

For the #71 = #(57+14) = (2^7+1) * (2^35) = (2^7  + 1) lists of 2^35  -> 2^7 * 2^11 seconds = about 2^18 seconds = 73 hours

For the #83 = #(57+26) = (2^13+1) * (2^82/2) = (2^13  + 1) lists of 2^41  -> 2^13 * 2^17 seconds = about 2^30 seconds = 34 years  (if I had enough RAM, 2 * 2^41 = 2^42 keys = 2^18 seconds = 73 hours !!! I would need a RAM:  2^13  = 8000 times 32 GB)

member
Activity: 166
Merit: 16
anyone notice the other transactions on #57? how on earth did they do that? Those are hellafied vanity addresses.
edit: Sorry pre coffee me.. someone just sent to those addresses .. had me freaking out for a sec.. like oh man if they
can generate vanity addresses that long that fast they pretty much own all the btc... *panic mode engaged*
Then *doh! eureka moment*  NOW it's funny.

newbie
Activity: 11
Merit: 0
That works only if you have enough RAM to store 2^28 keys. Otherwise that program cannot retrieve #57.

Besides if you want to retrieve only #57 and you don't modify the code, it starts always from 1 to 2^57 - 1 (instead from 2^56 to 2^57 - 1)

Could you please show us how to change the code so it can search only range 2^56 to 2^57 - 1?
newbie
Activity: 14
Merit: 0

Quote

About 16.7 MKeys/s, 1 GKeys/min.
 
Let's say 2^24 Keys/s.
To compute 2 lists of 2^28 keys, it takes 2 * 2^4 seconds, about 30 seconds. That is the time it took to retrieve the key #57.
Have you tried to search a key in space of 10 quadrillion? How many hours you think it can finish that large space?
member
Activity: 245
Merit: 17
this is man 1AqEgLuT4V2XL2yQ3cCzjMtu1mXtJLVvww hacked:

1LzhS3k3e9Ub8i2W1V8xQFdB8n2MYCHPCa 2018-05-29
17aPYR1m6pVAacXg1PTDDU7XafvK1dxvhi  2018-09-08
15c9mPGLku1HuW9LRtBf4jcHVpBUt8txKz 2018-11-08 today

=$ 10,448

what hash 15c9mPGLku1HuW9LRtBf4jcHVpBUt8txKz.........

look this tx https://www.blockchain.com/btc/tx/c1c8a3c8c9dccc3dbbc470e294a0610a2bc2e22c41f9a0c2a06ef5dc1d6d4480
 and this address https://www.blockchain.com/btc/address/1LqJ9cHPKxPXDRia4tteTJdLXnisnfHsof ownd by https://github.com/brichard19/BitCrack/blob/master/README.md (scroll down you will find the address).  how fast BitCrack find the 57  
puzzle key?  "THIS MAN" is fast

Nope
Somehow Mr  1AqEgLuT4V2XL2yQ3cCzjMtu1mXtJLVvww has given some BTC (0.1) to 1LqJ9cHPKxPXDRia4tteTJdLXnisnfHsof  Wink I wonder why Wink

https://www.blockchain.com/btc/tx/c1c8a3c8c9dccc3dbbc470e294a0610a2bc2e22c41f9a0c2a06ef5dc1d6d4480


legendary
Activity: 1948
Merit: 2097
If the public key is revealed it is still safe from bruteforce if the attacker don't know the range of bits to search for?

Of course.
Many blocks mined by Satoshi have txs with "pay to public key" script (P2PK) instead of "pay to public key hash" script (P2PKH, pay to address).

The public keys are known, but the btc are still there:

block #100

https://www.blockchain.com/it/btc/tx/2d05f0c9c3e1c226e63b5fac240137687544cf631cd616fd34fd188fc9020866

PUSHDATA(65)[04e70a02f5af48a1989bf630d92523c9d14c45c75f7d1b998e962bff6ff9995fc5bdb44f1793b3749 5d80324acba7c8f537caaf8432b8d47987313060cc82d8a93] CHECKSIG

Code:
x = e70a02f5af48a1989bf630d92523c9d14c45c75f7d1b998e962bff6ff9995fc5

y = bdb44f1793b37495d80324acba7c8f537caaf8432b8d47987313060cc82d8a93
newbie
Activity: 14
Merit: 0
@arulbero

If the public key is revealed it is still safe from bruteforce if the attacker don't know the range of bits to search for?
hero member
Activity: 2744
Merit: 541
Campaign Management?"Hhampuz" is the Man

Is this puzzle still available?and remain unsolved thats why the answer keeps on coming even this thread has been posted three years ago?
Anyway this has been a big prize if the 32bitcoin remain as the bounty for the puzzle,no wonder how much the value for now of bitcoin
legendary
Activity: 1948
Merit: 2097
I you try this code (https://gist.github.com/jhoenicke/2e39b3c6c49b1d7b216b8626197e4b89) and want to get all puzzle private keys up to #57 , you need to change
 giant steps up to  2^28

#define GSTEP (1<<28)

otherwise it stops at #52



That works only if you have enough RAM to store 2^28 keys. Otherwise that program cannot retrieve #57.

Besides if you want to retrieve only #57 and you don't modify the code, it starts always from 1 to 2^57 - 1 (instead from 2^56 to 2^57 - 1)
member
Activity: 245
Merit: 17
I used the Baby Step - Giant Step applied to a search space of 2^54 points --> 2^27 steps (more or less). It took about 18 seconds to retrieve the private key. Obviously if I had to search the private key in the entire search space of 2^256 points, I couldn't perform the 2^128 required steps (this is computationally infeasible).

Can you share the code?

No, I can't.


Information:

https://sefiks.com/2018/02/28/attacking-elliptic-curve-discrete-logarithm-problem/
http://andrea.corbellini.name/2015/06/08/elliptic-curve-cryptography-breaking-security-and-a-comparison-with-rsa/


Code (not mine, slower than mine but good, with the first 51 public keys of the puzzle transaction) :

https://gist.github.com/jhoenicke/2e39b3c6c49b1d7b216b8626197e4b89


I you try this code (https://gist.github.com/jhoenicke/2e39b3c6c49b1d7b216b8626197e4b89) and want to get all puzzle private keys up to #57 , you need to change
 giant steps up to  2^28

#define GSTEP (1<<28)

otherwise it stops at #52

newbie
Activity: 14
Merit: 0
@arulbero thanks mate!
Jump to: