Topic: Pollards kangaroo method to reverse engineer private keys - page 3. (Read 1830 times)

This is one of the list:

https://bitcointalksearch.org/topic/archive-bitcoin-challenge-discusion-5166284

But is not update. let me search the updated one.

Edit: this is the last update topic:

https://bitcointalksearch.org/topic/bitcoin-challenge-transaction-1000-btc-total-bounty-to-solvers-updated-5218972

Best Regards!

All depends on the program you use.
What do you mean the jump size is limited? I do believe the max is set at 128, and one could change that, however, for JLP's program, it just can't write to file with the current 126 bit restriction.
I have hopped around the elliptic wheel and picked up many 24 to 32 DP points. I believe I probably hold the useless record of most 32 bit DPs

Since the jump size is limited to 64 bits it quickly becomes impractical to search ranges that are say 128 bits long without extending the code.

I estimate it would take at least 2^64 jumps for the program to get from one end of that particular range to another, and who knows how much that translates to in terms of running time.

EDIT this may not be correct see my below reply

This is the only transaction I know of that is specifically designed to experimentally determine the security strength of Bitcoin.

Thanks for the info, is there a consolidated list of the puzzles that have been solved and the likely method used to solve them?

I think Zielar and/or Jean Luc (the finders) said it tied the record at 114 bits.

I think that is a new world record but would have to research it to make sure.  If so, the person who claimed the 0.115 BTC should get some fame for that - if they want the fame...

kangaroos have claimed up to 115 bits.

Here is an experiment to determine the answer to your question

https://bitcointalksearch.org/topic/m.51460251

Here my comment from that thread:


As I predicted:

https://blockchair.com/bitcoin/outputs?q=transaction_id(56857085)&s=index(asc)#

Brute force has claimed the BTC up to 63 bits and the next brute force target address has 64 bits.

Kangaroos have claimed up to 115 bits the and next target for the kangaroos is 120 bits.

Thanks for the reply, knew my understanding must have a big hole in it.

So the additional information an attacker would need is to know a range that the private key is within [a, b]. Now I understand why a flaw in generating the private key (not truly random) can result in encryption failure on an other wise cryptographically secure system.

Thanks for the info on UTXO, always thought it was weird to leave funds on an exposed address but the above explains it.

One other question, how small does the range [a, b] have to be to consider it an immenent security threat with current hardware?

That's actually not how it works. We take a range with a minimum and maximum number [a, b] that's in 256-bit space, and we "search" for the private key in (and only in) that interval by taking a starting term somewhere in that range, and then keep adding a smaller variable-sized increment. Each one of these increments is called a hop or jump.

EDIT: yes we also take the public key as input just to clarify.

We actually take two starting numbers as part of the Kangaroo algorithm, one of these is called a "wild" kangaroo which uses a starting term that is an estimate of G (the generator point) * the private key, and then computes more terms trying to "jump" to the private key.

The other kangaroo is a "tame" one because it's starting point is the public key itself, which is already known. In this way we can have many wild kangaroos with different estimates of what G*the private key is, and one tame kangaroo, and compute them all in parallel.

When a term of a wild kangaroo matches a term of the tame kangaroo we call that a "collision" and that number can be used to derive the private key easily.

Now as you might have guessed the range to search has to be very small, otherwise if the range to search in is too large the algorithm will take too long to find a collision on modern hardware. Combined with the fact that Kangaroo can't search outside the range, that's why this is impractical to brute force random people's private keys and their money hasn't been stolen en masse.


This actually only happens to the outputs that has been spent. If an address has many outputs and only one is spent then the others remain in the address leaving some BTC leftover in there.

Sorry if this should be elsewhere but the level of technical detail in the main pollard kangaroo method thread is far beyond my level of technical understanding.

I just want to check my understanding and see where I might not have a good grap of the basics before proceeding. My assumptions are below;

* The pollard kangaroo method can drastically reduce the amount of work required to obtain the private key from the public key but requires the public key as an input to do this.

* Once an address has spent some of it's funds that address public key is revealed in the spend transaction.

* The funds which are not spent are returned to a change address leaving a balance of 0.

* The address should not be reused as a malicious actor can start generating the private keys from the moment the spend transaction is confirmed.

Feel free to correct any of the above points but if the above is correct; can anyone answer the following;

* Address reuse was extremely common in the early days and there are several addresses with 1000+ BTC balances with outgoing transactions revealing the public key.

Why has this not been used to steal the funds?

I'm sure there is a limiting factor to this method but I could do with it being spelled out in layman's terms.

Cheers.