Topic: Pollard's kangaroo ECDLP solver - page 109. (Read 58667 times)

Thank you.
The above tame and wild files, were from some random search I did. These tame and wild were exported from a workfile using this program.
So for the above tame and wild, the first part of each line needs to match; the x coord? The second part is the distance and it just tells us what kind of kangaroo it is?

i do not know what wild and tame file you have, but work file has Dp points like tame and wild.
Each dp have 2 128bit word distance and x-coordinate.
There will be collision if x-coordinate of tame and wild Dp the same.
to chech what type of Dp need test 126 bit of distance if it zero then it is tame dp, if it is one then dp is wild.

Ask Etar he know

Anyone?

6*sqrt(N) => 99.752% chance that you found the key so ~0.25% chance that the key is well in the range.
This value assume that your setup is well tuned with a negligible DP overhead.

What is the earliest moment to be sure that range is wrong and result is outside? 6N?

What does program compare to result in a solved key/solution?

(Tame,Wild) = Collision
k = k1 + Tame.dist - Wild.dist

Tame File:

Wild File:

Those are from Tame and Wild files. What exactly does the program look for in those 2 lines above to result in solved key? Can anyone break it down by line and what the line/characters represent?  Thanks.

The only reward I asked to Zielar is a symbolic satoshi to a symbolic address which is quite important for me. Nothing more. And I will refuse any remuneration for this tool or any other GPL3 tools I did. I already received tons of emails for various development request with fee.

I did this tool for everybody and I will continue, however I can't develop a secure server with a validation mechanism for a pool, it is a very hard task.
I don't know if Zielar solved #62 and #63 with the VanitySearch engine and his own mods or with bitcrack.

i will not put here all message, just one left here...
i did not need any reward from zielar it is just for clarify.

How on earth did I miss the 'Releases' tab? The .exe was there all along... 

Thank you for this clarification. I really appreciate taking the time and replying. Have a wonderful day!

Visual Studio 2015 + Cuda 8 => Take project files in VC_CUDA8
Visual Sutido 2017 + Cuda 10 => Take project files in VC_CUDA10
Visual Studio 2019 + Cuda10.2 => Take project files in VC_CUDA102

Note: I don't have a dev environment Visual Studio 2017 + Cuda 10 at the moment so project files may be out of date and some files may be missing, in that case just add them to the project...

I recommend to use Visual Studio 2019 + Cuda10.2.

I will update the README.

Compiled exe are available from:
https://github.com/JeanLucPons/Kangaroo/releases

Thank you, Tamarindei. The readme file says to use Visual C++ 2017 so upgrading VS won't do any good I suppose.

Jean_Luc , as the creator of this code, would you mind compiling the latest version as .exe on github for those of us having issues building it manually from source code? I am not even trying to solve this Bitcoin puzzle. I need it for a completely different thing at Uni. I am also willing to donate something for your effort. I am not rich but I can appreciate someones time. Feel free to contact me if you want. Thank you.

Pls Correct, about Race
there is no Race, as no one have big gpu pools, and developer saying he have some secret setting and contract with winner, so definatly there is no race, that match was fixed
next time guys make bets on fixed match and definatlly you all will win,

Right.
256 for fast access (and check) 1 dummy point is sacrificed.

That means you need only 16 blocks of 255 (why 256?) precomputed points for a 128-bit privkey, only 15 adds, not too much respect to a single addition.

Split a 128-bit in 16 pieces (each piece has 128/16=8 bit -> 255 elements) and  compute only 16-1 = 15 group additions for each key.

Just for example, if you have a 128 bit key:

key = 10101010 10100000 11111111 01000010 ...  11101010

split in 16 pieces of 128/16=8 bits:

(10101010)*2^120 + (10100000)*2^112 + (11111111)*2^104 + (01000010)*2^96 + .... + (11101010)2^0

The ComputePublicKey() in kangaroo use 32 blocks of 256 precomputed points and zero are checked so it performs:
31 adds max for a full privkey (nothing when a zero byte is present) and a modular inversion.
There is also a ComputePublicKeys() which group modular inversions.

Sorry Jean Luc. I wrote a little offending. I put some resources into the search for #110 so I was little emotional for a moment. I apologize.

Here there is the explanation on how it works my script:
https://bitcointalksearch.org/topic/m.54213558

Basically you have to split the private key as a sum of precomputed private keys.

In these sentences:


you can half the groups (32 pieces of 4 bit instead of 64 for a total of 480 precomputed points) and the additions needed (31 instead of 63) if you use 128bit-private keys.

You can have a estimation too on how long it takes to perform k*G against P+Q,  about 31 times (or 63 times) more than a simple addition P+Q (that we use in the kangaroo algorithm).

I refer only to the cpu speed, because on gpus things are different, we can't exploit a fast access on a huge memory for the precomputed points.

I agree with you, but I remember you that a proof of work is always a probabilistic task, we cannot redo the entire work to be sure that the entire work is correct.

My proposal:

let's say DP=25, we perform a check on 2 levels, a result and a process check:

level 1) result check

we check that each DP fulfils:
                   - has at least 25 zeros bits
                   - its private key is correct and lies in the correct interval

level 2) process check, proof that the points were generated with a correct path

- we check that there are at least 1/2000 of the points with x-coordinate with at least 25 + 10 zeros
- we redo only the complete path of each kangaroo that ends with a DP with at least 35 zeros

The second check is a valid proof of work, because to generate (in the correct way, with the correct jumps) a single DP with 35 zeros you need to generate correctly on average 2^10 = 1024 kangaroos with a end point with 25 zeroes, you can't fake it.

Obviously you can choose to modify + 10 zeros in +12 or +8, as you prefer.
In this way you need to redo only a small fraction on the entire work, but it is a very significative fraction, not a simple random sample.

There are no shortcuts to generate this correct fraction (DP = 35) of the entire work without doing the entire work, but the checker needs only to do a check on the fraction.

I disagree.
I spent much time to explain in the readme, in this topics or in the code the way to choose best parameters and trap to avoid.
Zielar has also to win his life and cannot spend full time to solve these puzzles.
It is far from sure that Zielar will win all the races.

Anyway, I'm working on the 1.9 in order to integrate mods from PatataFritas and support of -ws for clients.


Edit: You have no idea who Zielar is actually. He is a very competent person in his domain, I must say that from time to time I pain to follow him !