Pages:
Author

Topic: Pollard's kangaroo ECDLP solver - page 19. (Read 58537 times)

full member
Activity: 1162
Merit: 237
Shooters Shoot...
June 03, 2022, 05:25:07 PM
I'm not sure what you mean by who can find out they have a collision...the program lets you know when a collision has occurred and the key has been solved.

I mean, How to know ECDSA has collisions like that?
know from any report/research? or who find out
just would like to know step by step develop on this forum before Pollard's kangaroo ECDLP release
the first version is that python script right and then develop c++ for use GPU with high speed calculate

Ummmm the theory has been around since the 1970s; some smart people were just able to program it into a modern day programming language to speed it up/incorporate the use of GPUs.

More info:

https://en.wikipedia.org/wiki/Pollard%27s_kangaroo_algorithm
member
Activity: 406
Merit: 47
June 03, 2022, 09:57:15 AM
I'm not sure what you mean by who can find out they have a collision...the program lets you know when a collision has occurred and the key has been solved.

I mean, How to know ECDSA has collisions like that?
know from any report/research? or who find out
just would like to know step by step develop on this forum before Pollard's kangaroo ECDLP release
the first version is that python script right and then develop c++ for use GPU with high speed calculate
full member
Activity: 1162
Merit: 237
Shooters Shoot...
June 03, 2022, 09:49:37 AM

Code:
if both results is the same X that is collision right?
yes
 

Thank you WanderingPhilospher

Who can find out they have a collision? How did they find from some testing?

I had not been here when started the puzzle
I'm not sure what you mean by who can find out they have a collision...the program lets you know when a collision has occurred and the key has been solved.
newbie
Activity: 22
Merit: 3
June 03, 2022, 12:26:00 AM

Code:
if both results is the same X that is collision right?
yes
 

Thank you WanderingPhilospher

Who can find out they have a collision? How did they find from some testing?

I had not been here when started the puzzle

Well, Collisions work from DPs and as on wikipedia "the similarity between a visualisation of the algorithm and the Greek letter lambda ( λ ). The shorter stroke of the letter lambda corresponds to the sequence { x i }, since it starts from the position b to the right of x. Accordingly, the longer stroke corresponds to the sequence { y i }, which "collides with" the first sequence (just like the strokes of a lambda intersect) and then follows it subsequently. "

You know you have a collision if two different kangaroos start to output the same value.  Say K1 output 1,3,5,8,9 and K2 output 2,4,5,8,9 we know that between K1 and K2 after 3 or 2 they collide. We then can then refer to the tame kangaroo and correlate the input value of the wild one or as JeanLucPons put it himself "The program uses 2 herds of kangaroos, a tame herd and a wild herd. When 2 kangoroos (a wild one and a tame one) collide, the key can be solved". the actual outputs are valid public keys and the inputs are valid private keys.
member
Activity: 406
Merit: 47
June 02, 2022, 08:50:20 PM

Code:
if both results is the same X that is collision right?
yes
 

Thank you WanderingPhilospher

Who can find out they have a collision? How did they find from some testing?

I had not been here when started the puzzle
full member
Activity: 1162
Merit: 237
Shooters Shoot...
June 02, 2022, 10:01:30 AM
https://github.com/JeanLucPons/Kangaroo
kangaroo calculate random both tame and wild right?
tame is multiplied with a random number with G
wild is multiplied by ADD PUBKEY(target) with a random number
if both results is the same X that is collision right?
How can control range random of tame?
How can control range random of the wild?
control on Kangaroo 2.2 (use GPU)
(in python kangaroo script I can modify it)



distinguished point (DP)
-d: Specify the number of leading zeros for the DP method (default is auto)
-d dpBit
What mean if use -d ?
-d 32 = distinguished point 32 bit
-d 64 = distinguished point 64 bit
-d 128  = distinguished point 128 bit
(I did not yet understand it)

Code:
kangaroo calculate random both tame and wild right?
It assigns a random starting point (basically a private key value) within the user defined start and end range; after that, the kangaroos jump forward/positive based on average jump size; usually range width / 2 + 1.

Code:
tame is multiplied with a random number with G
tame is calculating the point/key it landed on and generating the corresponding pubkey

Code:
wild is multiplied by ADD PUBKEY(target) with a random number
wild is calculating the point/key it landed on and generating the corresponding pubkey AND now adds the target pubkey

Code:
if both results is the same X that is collision right?
yes

Code:
What mean if use -d ?
-d 32 = distinguished point 32 bit
to keep it easy to understand, each character in the pubkey is equal to 4 bits. Each pubkey has 64 characters times 4 bits = 256 bits
so for a dp of 32, the pubkey has to start with 8 zeros (leading zeros); 8 x 4 = 32. for dp 28, 7 leading zeros, for dp 64, 16 leading zeros, etc.

member
Activity: 406
Merit: 47
June 02, 2022, 08:03:06 AM
https://github.com/JeanLucPons/Kangaroo
kangaroo calculate random both tame and wild right?
tame is multiplied with a random number with G
wild is multiplied by ADD PUBKEY(target) with a random number
if both results is the same X that is collision right?
How can control range random of tame?
How can control range random of the wild?
control on Kangaroo 2.2 (use GPU)
(in python kangaroo script I can modify it)



distinguished point (DP)
-d: Specify the number of leading zeros for the DP method (default is auto)
-d dpBit
What mean if use -d ?
-d 32 = distinguished point 32 bit
-d 64 = distinguished point 64 bit
-d 128  = distinguished point 128 bit
(I did not yet understand it)


newbie
Activity: 1
Merit: 0
May 18, 2022, 08:51:16 AM

Someone try making sach scrypt ? Share code pls ?

Br

What is sach scrypt ?

Did you mean search script or  scrypt hash algorithms ?

They meant "such a script"
member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
May 08, 2022, 06:11:52 PM

Someone try making sach scrypt ? Share code pls ?

Br

What is sach scrypt ?

Did you mean search script or  scrypt hash algorithms ?

1048576 and 1073741824 pubkeys with each other addition and mutiplication
member
Activity: 406
Merit: 47
May 08, 2022, 11:11:46 AM

Someone try making sach scrypt ? Share code pls ?

Br

What is sach scrypt ?

Did you mean search script or  scrypt hash algorithms ?
member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
April 29, 2022, 04:19:42 PM
" I got it down to 104 bits today, but with 32,000 pubkeys; better than the normal 2^16 normally required, but I can't figure out a way to shrink it down to one key... "

for 10 bit down = 1024 pubkeys
for 20 bit down = 1024*1024 = 1048576 pubkeys
for 30 bit down = 1024*1024*1024 = 1073741824 pubkeys

1048576 and 1073741824 pubkeys with each other addition and mutiplication will return you 260 pubkeys apear where 16 pubkeys sure inside 10 bit down from main pubkey
these 260 pubkeys again played for get 30 bit down for 1/720 pubkeys
now you can start to find with above tip



can you share script to do these calculations or explain a way please


Someone try making sach scrypt ? Share code pls ?

Br
newbie
Activity: 22
Merit: 3
April 19, 2022, 01:36:20 AM

Now kangaroo found problem same BitCrack  both range search is very large
kangaroo method still works but is stuck with a very large range of search

I do simple easy tests on both 120 bit and 160 bit (and 256) with keyspace (under 32 bit wide) nearby it is still found key
but when used with a very large rank and nowhere is key store, so kangaroo is stunned

Kangaroo and BSGS are both O root n complexity
root 120 is 2^60
2^60 is 1,152,921,504,606,846,976.
Can the discrete logarithm be computed in polynomial time on a classical computer? someday, but not tomorrow.
member
Activity: 406
Merit: 47
April 18, 2022, 05:24:37 AM

Now kangaroo found problem same BitCrack  both range search is very large
kangaroo method still works but is stuck with a very large range of search

I do simple easy tests on both 120 bit and 160 bit (and 256) with keyspace (under 32 bit wide) nearby it is still found key
but when used with a very large rank and nowhere is key store, so kangaroo is stunned
newbie
Activity: 22
Merit: 3
April 13, 2022, 11:35:03 PM
Hi, is there a way to find private key range from the public key, (Start and Stop range) ? Can someone point me to the right direction


For any random private key this is not (yet?) possible, in the case of the puzzle the creator initially put an amount of btc correlating to the bit length of the corresponding key.
Like 0.64 btc to puzzle 64 (16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN)
member
Activity: 406
Merit: 47
April 13, 2022, 12:51:45 AM
it can possible to calculate rollback to know the sample tame and wild?
just idea would like to test check how far tame and wild on 120 bit
newbie
Activity: 1
Merit: 0
April 12, 2022, 10:53:25 PM
Hi, is there a way to find private key range from the public key, (Start and Stop range) ? Can someone point me to the right direction
member
Activity: 406
Merit: 47
April 05, 2022, 12:45:47 AM

Can I ask about script python?
Each script and program Pollard's kangaroo ECDLP all are not the same algorithms right?
How can I know the same calculated algorithms?

Compare with calculating same public key and same keyspace search

https://github.com/JeanLucPons/Kangaroo
https://github.com/Telariust/pollard-kangaroo
https://github.com/secoc/Pollard-Rho-kangaroo

or compare with both python script
https://github.com/Telariust/pollard-kangaroo/blob/master/pollard-kangaroo-multi.py
https://github.com/BirminghamUK/Math_Task/blob/master/Recovery_X3.py

I test simply by use-value tame and wild that found the key to script python and swap value to another script it is now works value tame and wild can not use other script
Maybe I test the wrong way?
member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
April 01, 2022, 06:29:05 PM
The you div 7 to 3 you get 2.5 = int2 float 0.5

7/3= 2.5

Then you sub 1 from 7 and div to 3 you get 2.

(7-1) / 3 = 2

So fo finding good range from 1 to 3, you need get EXACT integer without  float.


But, why the I div
0xea1a5c66dcc11b5ad180 to 2**64 or 2**128 I always get some float result 0xea1a5c66dcc11b5ad180 Huh
member
Activity: 330
Merit: 34
April 01, 2022, 04:00:29 AM
paniker this is meaning that you can change the n's

modular elliptic curve

Total of all the wallets n is the last number. n= 115792089237316195423570985008687907852837564279074904382605163141518161494337 (In Dec)

n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 (In HEX)

Half way of n n//2 = 57896044618658097711785492504343953926418782139537452191302581570759080747169

57896044618658097711785492504343953926418782139537452191302581570759080747169 Lenght Bits = 255

very nice and thanks to boris.. you still here..

yes I am still here, this was the only thing I have found so far.

Half way of n
n//2 is wrong, check in above posts, mention clearly formula for div
thankx

do you mean the last "6" ,
115792089237316195423570985008687907852837564279074904382605163141518161494337 ?

here is script for div for 2

import gmpy
p = 115792089237316195423570985008687907852837564279074904382605163141518161494337
c = gmpy.invert(2,p) %p
print (c)

for div 10

import gmpy
p = 115792089237316195423570985008687907852837564279074904382605163141518161494337
c = gmpy.invert(10,p) %p
print (c)

same modify for your requirements
newbie
Activity: 22
Merit: 3
March 31, 2022, 03:16:00 AM
paniker this is meaning that you can change the n's

modular elliptic curve

Total of all the wallets n is the last number. n= 115792089237316195423570985008687907852837564279074904382605163141518161494337 (In Dec)

n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 (In HEX)

Half way of n n//2 = 57896044618658097711785492504343953926418782139537452191302581570759080747169

57896044618658097711785492504343953926418782139537452191302581570759080747169 Lenght Bits = 255

very nice and thanks to boris.. you still here..

yes I am still here, this was the only thing I have found so far.

Half way of n
n//2 is wrong, check in above posts, mention clearly formula for div
thankx

do you mean the last "6" ,
115792089237316195423570985008687907852837564279074904382605163141518161494337 ?


There seems to be some confusion here. the largest possible private key is 115792089237316195423570985008687907852837564279074904382605163141518161494336 or in hex FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140

Zero cannot be a private key therefor there are 115,792,089,237,316,195,423,570,985,008,687,907,852,837,564,279,074,904,382,605,163,141,518,161,494,336 valid private keys
It turns out there are only                                     57,896,044,618,658,097,711,785,492,504,343,953,926,418,782,139,537,452,191,302,581,570,759,080,747,168 valid public x coordinates

It really is not straight forward to grasp as it took me time though it happens at half of the largest key which is 57896044618658097711785492504343953926418782139537452191302581570759080747168 or in hex 7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0
 
you see 57.........168 and 57.........169 have both the same public x coordinate and opposite y parity (fancy word for even/odd)

removing the lead 03 or 02 It turns out that every public x coord from 1 to 57.........168 is exactly equal to the public x coord at the same spot in the sequence from 115........336 to 57.........169
finally, if you search every private key from 1 to 57,896,044,618,658,097,711,785,492,504,343,953,926,418,782,139,537,452,191,302,581,570,759,080,747,168 (exactly half the normal range) for a public x coord (the majority of a compressed public key) you would find it whether or not the original private key was larger or smaller than 57.........169 however a leading 03 would be 02 and vice versa therefor the limitation doesn't apply to the resulting addresses. In a sense the only thing we care about a private key with this equation is the position of the xcoord's "foundkey" 1 + (115........336-foundkey) or 115........336 - (foundkey-1) depending on which side of 57.........168.5 the foundkey is as we can infer the other and deduce the private key.

In other words this would cut the time of brute forcing any public key in half provided you are searching the full range of 1 to 115........336.
57.........168 is still a lot of private keys so bitcoin is not exactly broken.....yet.

Also with regards to the y value,

 What I mean when I say "it is trivial to calculate the y" value I am referencing the following information I had apparently left out, from the spec of Secp256k1
 p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1  (115792089237316195423570985008687907853269984665640564039457584007908834671663)

the aforementioned "twins" that share a public x coord also share a y coords in the manner that they are linked together as adding the two y coords together = p (115792089237316195423570985008687907853269984665640564039457584007908834671663)

therefor it can be computed as following
p - y1 = y2

deriving from my earlier code you can try it with this:
for x in range(100000):
    s1 = secrets.randbelow(max)
    k = Key.from_int(s1)
    k._public_key = k._pk.public_key.format(compressed=False)
    s2 = twin(s1,k.pub_to_hex())
    t = Key.from_int(s2[0])
    t._public_key = t._pk.public_key.format(compressed=False)
    out = bool(115792089237316195423570985008687907853269984665640564039457584007908834671663 == int(t.pub_to_hex()[66:],16)+int(k.pub_to_hex()[66:],16))
    print(out)
    if not out:
        print("Boris Is Wrong")
        break




Pages:
Jump to: