Pollard's kangaroo ECDLP solver - page 117.

brainless

member

Activity: 330

Merit: 34

Quote from: Etar on May 30, 2020, 01:56:54 PM

what i do not understand why zielar is not solve key yet..
with him power he can already done 4*sqrt(n) simply.
I left the race because I feel like something is wrong here.

there is no negative no positive, there is reverse point in other zone, it is not important zone is connect each other, like pubkey for x is same as ffff....4140 but y is difrent till 128 bit range zone, if you see at last of 128 bit range, last key you match reverse in fff...128bit minus zone, very next key you cant match it in next zone, but i can calc where that key zone will be exist, for detail of experiment i will write with examples later

Etar

sr. member

Activity: 642

Merit: 316

what i do not understand why zielar is not solve key yet..
with him power he can already done 4*sqrt(n) simply.
I left the race because I feel like something is wrong here.

arulbero

legendary

Activity: 1932

Merit: 2077

Quote from: Etar on May 30, 2020, 01:49:09 PM

Quote from: HardwareCollector on May 30, 2020, 01:29:21 PM

Quote from: Etar on May 30, 2020, 01:25:53 PM

Any body know if it is possible to know point is positive or negative? Or it is imposssible to know?

Only after solving the DL for that point, otherwise it would be trivial to solve the DLP on that curve. In a way, there are no negative or positive points because of the modular group.

Agree that it will be trivial task to solve key, but not agree that there are no negative or positive points.

There are no negative or positive points, because -1 = n-1 mod n, -1 'looks' negative and n-1 'looks' positive, but the point is the same.

It is not correct to think at this group like a line, it is more correct to think at it like a circle (that means 'modular' and 'cyclic group'). There are not concepts like "come before" or "follow", it doesn't make any sense say that a point P "comes before" Q , then there are no negative (before zero) or positive (after zero) points.

Etar

sr. member

Activity: 642

Merit: 316

Quote from: HardwareCollector on May 30, 2020, 01:29:21 PM

Quote from: Etar on May 30, 2020, 01:25:53 PM

Any body know if it is possible to know point is positive or negative? Or it is imposssible to know?

Only after solving the DL for that point, otherwise it would be trivial to solve the DLP on that curve. In a way, there are no negative or positive points because of the modular group.

Agree that it will be trivial task to solve key, but not agree that there are no negative or positive points.

Code:

#3-5=-2
#3
ptX=0xf9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9
ptY=0x388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672
#5
ptsubX=0x2f8bde4d1a07209355b4a7250a5c5128e88b84bddc619ab7cba8d569b240efe4
ptsubY=0xd8ac222636e5e3d6d4dba9dda6c9c426f788271bab0d6840dca87d3aa6ac62d6

sub_point = (ptsubX, (p-ptsubY))
print ("sub_point= (%x,%x)" % sub_point)

result = addpt((ptX,ptY),sub_point, p)
print ("result_point= (%x,%x)" % result)

result_point= (c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5,e51e970159c23cc65c3a7be6b99315110809cd9acd992f1edc9bce55af301705)
As you can see Y coordinate is not the same as for 2, because 2 is
(c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5,1ae168fea63dc339a3c58419466ceaeef7f632653266d0e1236431a950cfe52a)
So we can say that (c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5,e51e970159c23cc65c3a7be6b99315110809cd9acd992f1edc9bce55af301705)
is negative point on curve and
(c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5,1ae168fea63dc339a3c58419466ceaeef7f632653266d0e1236431a950cfe52a)
is positive. But any way if there no way to get sign it is no matter.

HardwareCollector

member

Activity: 144

Merit: 10

Quote from: Etar on May 30, 2020, 01:25:53 PM

Any body know if it is possible to know point is positive or negative? Or it is imposssible to know?

Only after solving the DL for that point, otherwise it would be trivial to solve the DLP on that curve. In a way, there are no negative or positive points because of the modular group.

Etar

sr. member

Activity: 642

Merit: 316

Any body know if it is possible to know point is positive or negative? Or it is imposssible to know?

MrFreeDragon

sr. member

Activity: 443

Merit: 350

Quote from: Etar on May 30, 2020, 12:22:22 PM

Quote from: sssergy2705 on May 30, 2020, 11:58:46 AM

-snip-
Perhaps there is an implementation in C++ or Python code?

A negative point is the same point only with a negative coordinate Y
In python i use operator.neg(point_y))%p then ordinary addplt

p in your case is modulo of the curve.
To be honest operation (p-y) is faster than (-y)%p/ I have just tested for random 100 million 256bit numbers just the subtraction (p-y) and division by modulo (-y)%p --> division by modulo took 1.4527 longer

Etar

sr. member

Activity: 642

Merit: 316

Quote from: sssergy2705 on May 30, 2020, 11:58:46 AM

-snip-
Perhaps there is an implementation in C++ or Python code?

A negative point is the same point only with a negative coordinate Y
In python i use operator.neg(point_y))%p then ordinary addplt

arulbero

legendary

Activity: 1932

Merit: 2077

Quote from: sssergy2705 on May 30, 2020, 11:58:46 AM

Quote from: MrFreeDragon on May 30, 2020, 11:09:33 AM

If you know how to add - it is enough to perform the subtraction:
M = P - Q = P + (-Q) - here M point is P point minus Q point, which is the same as P point plus (-Q) point. So you make the addition of points P and (-Q).

If Q point has coordinates (Qx, Qy), so (-Q) point will have coordinates (Qx, modulo - Qy)

Now you can easily can make a subtraction:
M = P - Q = (Px, Py) - (Qx, Qy) = (Px, Py) + (Qx, modulo - Qy)

Perhaps there is an implementation in C++ or Python code?

python

Code:

p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F #field
n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 #curve

def inv(a,p):
u, v = a%p, p
x1, x2 = 1, 0
while u != 1 :
q = v//u
r = v-q*u
x = x2-q*x1
v = u
u = r
x2 = x1
x1 = x
return x1%p

def add(ax, ay, bx, by): #A + B -> C

bxax_inv = inv(bx-ax, p) #1/(x2-x1)
m = ( (by-ay) * bxax_inv ) % p #m = (y2-y1)/(x2-x1)

cx = (m*m - ax - bx) % p
cy = (m * (ax - cx) - ay) % p

return cx, cy

def sub(ax, ay, bx, by,): #A - B -> C

bxax_inv = inv(bx-ax, p) #1/(x2-x1)
m = ((p-by-ay) * bxax_inv) % p #m = (-y2-y1)/(x2-x1)

cx = (m*m - ax - bx) % p
cy = (m * (ax - cx) - ay) % p

return cx, cy

sssergy2705

copper member

Activity: 205

Merit: 1

Quote from: MrFreeDragon on May 30, 2020, 11:09:33 AM

If you know how to add - it is enough to perform the subtraction:
M = P - Q = P + (-Q) - here M point is P point minus Q point, which is the same as P point plus (-Q) point. So you make the addition of points P and (-Q).

If Q point has coordinates (Qx, Qy), so (-Q) point will have coordinates (Qx, modulo - Qy)

Now you can easily can make a subtraction:
M = P - Q = (Px, Py) - (Qx, Qy) = (Px, Py) + (Qx, modulo - Qy)

Perhaps there is an implementation in C++ or Python code?

arulbero

legendary

Activity: 1932

Merit: 2077

Quote from: HardwareCollector on May 30, 2020, 11:20:39 AM

Quote from: BitCrack on May 30, 2020, 09:41:00 AM

How did you manage to get it down to 16 bytes per point?

@BitCrack

I am storing only 8bytes of the x-coordinate and lookup information (8bytes with HT overhead included) on how to retrieve the rest of the information in the event of a collision. This is accomplish by using a custom version of Google’s Sparse_Hash_Set in a distributed setup. The cost is network bandwidth but all clients are on a 1 GigE network.

https://github.com/sparsehash/sparsehash

Maybe with a Bloom filter you can save more space ...

HardwareCollector

member

Activity: 144

Merit: 10

Quote from: MrFreeDragon on May 30, 2020, 10:16:55 AM

Quote from: HardwareCollector on May 30, 2020, 09:30:07 AM

Quote from: WanderingPhilospher on May 29, 2020, 08:48:04 PM

Hardware, how long are you running your precomp for? You have a set # of DPs or a percentage? 2/3 ops?

@WanderingPhilospher

The goal is ~512GiB worth of precomputed points (@ 16bytes/point).

How much bytes do you have for x-coordinate and for distance?

For the whole distance in 109bit range we need 109/8 ~ 14 bytes. If you allocate lower space, you need to brute the remaining bytes/bits if the collision is found.
If you have 16 bytes space per point, so you should split somehow it between x-coordinate and distance.

@MrFreeDragon

Please see my previous comment. Only 8bytes of the x-coordinate is needed plus ~4bytes for lookup information.

HardwareCollector

member

Activity: 144

Merit: 10

Quote from: BitCrack on May 30, 2020, 09:41:00 AM

How did you manage to get it down to 16 bytes per point?

@BitCrack

I am storing only 8bytes of the x-coordinate and lookup information (8bytes with HT overhead included) on how to retrieve the rest of the information in the event of a collision. This is accomplish by using a custom version of Google’s Sparse_Hash_Map in a distributed setup. The cost is network bandwidth but all clients are on a 1 GigE network.

https://github.com/sparsehash/sparsehash

MrFreeDragon

sr. member

Activity: 443

Merit: 350

Quote from: sssergy2705 on May 30, 2020, 11:01:21 AM

-snip-
Could you explain how you calculate the coordinates, is there such a tool? I know how to add and multiply, but not the opposite.

If you know how to add - it is enough to perform the subtraction:
M = P - Q = P + (-Q) - here M point is P point minus Q point, which is the same as P point plus (-Q) point. So you make the addition of points P and (-Q).

If Q point has coordinates (Qx, Qy), so (-Q) point will have coordinates (Qx, modulo - Qy)

Now you can easily can make a subtraction:
M = P - Q = (Px, Py) - (Qx, Qy) = (Px, Py) + (Qx, modulo - Qy)

arulbero

legendary

Activity: 1932

Merit: 2077

Quote from: HardwareCollector on May 30, 2020, 09:30:07 AM

The goal is ~512GiB worth of precomputed points (@ 16bytes/point).

I remember that the DPs are not equally useful:

https://eprint.iacr.org/2012/458.pdf

Quote from: MrFreeDragon on May 07, 2020, 07:55:36 AM

For the range [a,b] if we have pre-calculated (b-a)^(1/3) distinguished points, we would need only (b-a)^(1/3) group operations in order to find the collision. But precomputation requires (b-a)^(2/3) group operations (performed once as a preliminary stage).

EDIT:
source (see 2nd paragraph on page 6): https://eprint.iacr.org/2014/565.pdf

If we split 2^110 in 2^20 ranges each of length 2^90, for each range it would take only 2^30 steps to retrieve (on average) the key. In theory 2^20 * 2^30 = 2^50 steps would be enough.

Even if we look in different ranges, we can share the same 2^30 DP points. Each interval can be shifted in the range [0, 2^90] together with the public key P.

It becomes very important to generate this 2^30 DP points (but it requires 2^60 steps).

If we split 2^110 in 2^29 ranges each of length 2^81, for each range it would take only 2^27 steps to retrieve (on average) the key. In theory 2^29 * 2^27 = 2^56 steps would be enough.

And we would need to generate first 2^27 DP points (it requires 2^54 steps).

Quote from: Etar on May 30, 2020, 09:45:41 AM

About using an experience of previous work.
---
The result is that experience helps you find the key in the current range or in the previous one, but it is absolutely useless to search in the following range that is multiple large to the current one.[/b]
In other words, in order to solve the puzzle faster you need to move from end to beginning .. first 125, then 120, then 115 and then 110))

There is a small exception:

if you have found DPs in the interval [0, 2^109], then you have found actually DPs in the interval [-2^109, 2^109], therefor you have already the DPs for a double range.

sssergy2705

copper member

Activity: 205

Merit: 1

Quote from: Etar on May 30, 2020, 03:07:23 AM

Quote from: HardwareCollector on May 29, 2020, 11:56:27 AM

As relating to the Wild Kangaroos, [working_public_key] = [(original_public_key) - (beginning_range)*(secp256k1_generator_point)].
[distinguished_point] = [(+-traveled_distance)*(secp256k1_generator_point)] + [working_public key]

You will need to add back the (beginning_range) when there’s a collision to solve for the (original_public_key).

(0xe6dabff2705a80acc23ae121956873c4ff9fd31cb0faca522c33624e23657e04,0x125c04d29ea83874332ea8aef3b3467f22665a4970df415be756bcdf5675e569)
+ (fb12e2e7eba822db7582b91da81c0f1d991a6fec79d170733a1eceb039b3e1f9,ee2e79d5326d178c91ed36ca52f9be4f04c42e3cf7cabb3299e070bc1231bb05)
=(dcbae520622e89bd4c0062bb82400003c628f41e76f5bce8566c3dfa2c3fff0,b6fdc18b5be9048e837759b86efa422511b717ed9e7bc2d7b1936c06a0620cfe)

Could you explain how you calculate the coordinates, is there such a tool? I know how to add and multiply, but not the opposite.

MrFreeDragon

sr. member

Activity: 443

Merit: 350

Quote from: HardwareCollector on May 30, 2020, 09:30:07 AM

Quote from: WanderingPhilospher on May 29, 2020, 08:48:04 PM

Hardware, how long are you running your precomp for? You have a set # of DPs or a percentage? 2/3 ops?

@WanderingPhilospher

The goal is ~512GiB worth of precomputed points (@ 16bytes/point).

How much bytes do you have for x-coordinate and for distance?

For the whole distance in 109bit range we need 109/8 ~ 14 bytes. If you allocate lower space, you need to brute the remaining bytes/bits if the collision is found.
If you have 16 bytes space per point, so you should split somehow it between x-coordinate and distance.

Etar

sr. member

Activity: 642

Merit: 316

About using an experience of previous work.
Here is test, were all possible DPs from previous was put to next work.
Gain from pazzle#54 to #79
DP=20 for both variants.

Code:

pazzle#54
*original*
40000000000000
7fffffffffffff
0385a30d8413af4f8f9e6312400f2d194fe14f02e719b24c3f83bf1fd233a8f963
[Count 2^32.75]result>0x6ABE1F9B67E114
*shifted*
0
3fffffffffffff
04b1f8ba606a61026d1ecaa93d9e9ceb12260c33e92809ed1ecb0850a2856accc1ac46d892583d7fdd24a25a229b6ea8d17add77b1f410a9d30441e0acbec19c74
[Count 2^32.76]result>0x2ABE1F9B67E114 + 0x40000000000000 = 0x6abe1f9b67e114

pazzle#59
*original*
800000000000000
fffffffffffffff
0348e843dc5b1bd246e6309b4924b81543d02b16c8083df973a89ce2c7eb89a10d
[Count 2^34.63]result>0xFC07A1825367BBE
*shifted + experience*
0
7ffffffffffffff
042b90a8680d08cf81e15e209acadbb16b7bdff19787d6d13ca6a7852fee8d1013447a29425ea9773471ad9810d21a976cf5bd4bdb46d0c8ae537591dce43252f2
[Count 2^35.42]result>0x7C07A1825367BBE+0x800000000000000 = 0xfc07a1825367bbe

pazzle#64
*original*
10000000000000000
1ffffffffffffffff
0230210c23b1a047bc9bdbb13448e67deddc108946de6de639bcc75d47c0216b1b
[Count 2^34.49]result>0x1A838B13505B26867
*shifted + experience*
0
ffffffffffffffff
04e7daa14feea7f3e6b77aa3ff75989ac171d9b3f7a263e70eab001849f2f185449b51b0bc783313d9e201f1bc453d0e7c2bb94db007ab7a848a63b47d86f29416
[Count 2^36.70]result>0xA838B13505B26867+0x10000000000000000 = 0x1a838b13505b26867

pazzle#69
*original*
200000000000000000
3fffffffffffffffff
0290e6900a58d33393bc1097b5aed31f2e4e7cbd3e5466af958665bc0121248483
[Count 2^38.68]result>0x349B84B6431A6C4EF1
*shifted + experience*
0
1fffffffffffffffff
049ffc74f6136e60e9229a58544c0e9cffa5a9d955d949e75e4bccbe1c06b81c3402d4ba4d9f65b918376c0cbf6f8caa840a6261cf900f413fb5279bb243f20c4c
[Count 2^38.43]result>0x149B84B6431A6C4EF1+0x200000000000000000 = 0x349b84b6431a6c4ef1

pazzle#74
*original*
4000000000000000000
7ffffffffffffffffff
03726b574f193e374686d8e12bc6e4142adeb06770e0a2856f5e4ad89f66044755
[Count 2^38.56]result>0x4C5CE114686A1336E07
*shifted + experience*
0
3ffffffffffffffffff
04997bf5a3795f965c338f3739dae9e4cc202c2203100e6be8132a65bf2c3681d1fa67799ecfb697015037e44076c734ad2eef8c3b166e04b0a76d8c0de0e14dc2
[Count 2^40.32]result>0xC5CE114686A1336E07+0x4000000000000000000 = 0x4c5ce114686a1336e07

pazzle#79
*original*
80000000000000000000
ffffffffffffffffffff
037e1238f7b1ce757df94faa9a2eb261bf0aeb9f84dbf81212104e78931c2a19dc
[Count 2^39.25]result>0xEA1A5C66DCC11B5AD180
*shifted + experience*
0
7fffffffffffffffffff
043aeb4f818ca91912a3e50d1b3db196696f82713bae00ba2b53c09a23f1d284a085b2197137256def6c05a0f105e1b1eee9c10d23b7a4911040a23e891ebb3dc9
[Count 2^41.87]result>0x6A1A5C66DCC11B5AD180+0x80000000000000000000 = 0xea1a5c66dcc11b5ad180

So as you can see an experience didn`t help to solve next pazzle faster.
Most likely because the range is increased by 32 times in the next puzzle, and all DPs are concentrated at the very beginning of the range. Perhaps experience can help in solving the next range, but not after 5 bits.

And here is result of 3 test randomly generated keys in range 64bit and with experience from the puzzle 79.

Code:

***test 64bit****
*original*
10000000000000000
1ffffffffffffffff
035492d5b1c9e271d393ace35b32ed922e1ad202ff0c0aa05f53ba39edcabb003c
[Count 2^36.63]result>0x151881A76D2AEC2D9
*shifted + experience79bit*
0
ffffffffffffffff
049959d0a41a11f42a64f2a86c8133089e7fa508e53fb4afc64c03e5b4b109edd7b9c955dd43bca51b6db320602101d10585ebf60330bd3ea9d445b6cbb6e18932
[Count 2^34.63]result>0x51881A76D2AEC2D9+0x10000000000000000 = 0x151881a76d2aec2d9

***test 64bit****
*original*
10000000000000000
1ffffffffffffffff
03a643b91c86b76a71ec6f9c6a6d0a9ba71fcf3c69c11b919a252b44b76bfe9b6f
[Count 2^35.93]result>0x1CC24D7785E54FD54
*shifted + experience79bit*
0
ffffffffffffffff
0443814ed8fe2a1d4a36993911354fe8f7bf6daddbfcc3a1f814a3d3d32c7772eaa448c10af7a7f4f94da0c35e087cfba5310c81f86c4b0aaca9250476960305b7
[Count 2^34.87]result>0xCC24D7785E54FD54+0x10000000000000000 = 0x1cc24d7785e54fd54

***test 64bit****
*original*
10000000000000000
1ffffffffffffffff
035267fc38fc04ef271b54f5be8e482c46392ba97ca171e68d2408dd0717bd87cf
[Count 2^37.10]result>0x1114527E6BCFD0EAD
*shifted + experience79bit*
0
ffffffffffffffff
041c4f6e5f89465a941bb4291cf0266fff79c333e4dc1b30e5a8671b15504f364f1e5be5ba0cb4f8b19769ac5904aa465dab6fb3b8ace9862c704f8ea5a916d061
[Count 2^35.56]result>0x114527E6BCFD0EAD+0x10000000000000000 = 0x1114527e6bcfd0ead

In all three cases, experience helped me find the key faster.

The result is that experience helps you find the key in the current range or in the previous one, but it is absolutely useless to search in the following range that is multiple large to the current one.
In other words, in order to solve the puzzle faster you need to move from end to beginning .. first 125, then 120, then 115 and then 110))

BitCrack

jr. member

Activity: 30

Merit: 122

How did you manage to get it down to 16 bytes per point?

WanderingPhilospher

full member

Activity: 1162

Merit: 237

Shooters Shoot...

Quote from: HardwareCollector on May 30, 2020, 09:30:07 AM

Quote from: WanderingPhilospher on May 29, 2020, 08:48:04 PM

Hardware, how long are you running your precomp for? You have a set # of DPs or a percentage? 2/3 ops?

@WanderingPhilospher

The goal is ~512GiB worth of precomputed points (@ 16bytes/point).

Wow...pretty good bit!

Topic: Pollard's kangaroo ECDLP solver - page 117. (Read 59389 times)