Pages:
Author

Topic: Pollards kangaroo method to reverse engineer private keys - page 3. (Read 1861 times)

hero member
Activity: 862
Merit: 662
Thanks for the info, is there a consolidated list of the puzzles that have been solved and the likely method used to solve them?

This is one of the list:

https://bitcointalksearch.org/topic/archive-bitcoin-challenge-discusion-5166284

But is not update. let me search the updated one.

Edit: this is the last update topic:

https://bitcointalksearch.org/topic/bitcoin-challenge-transaction-1000-btc-total-bounty-to-solvers-updated-5218972

Best Regards!
full member
Activity: 1232
Merit: 242
Shooters Shoot...
kangaroos have claimed up to 115 bits.
I think that is a new world record but would have to research it to make sure.  If so, the person who claimed the 0.115 BTC should get some fame for that - if they want the fame...

Since the jump size is limited to 64 bits it quickly becomes impractical to search ranges that are say 128 bits long without extending the code.

I estimate it would take at least 2^64 jumps for the program to get from one end of that particular range to another, and who knows how much that translates to in terms of running time.

Code:
F737013293C98AC672D66B872468B8C0EF395CF200FE98D3E2F4915D39000000 FFB147D2479E70AE8656DD645BD0E1458D98543C555FF33CCC87B4592C966CB6
8A90D1581D2E2DF040F87DDF49A52B3691AA54F7BE8C0647FAB5F3EEDB000000 0002E3B2800D79DAD9CBFEE901E1E1F0A8991BB922941DD1D9C4E94369C2C31C
FE648F53DF416B87C9EA9E2DC8E456AEED7836A5FC9A40F085D1ECD995000000 FFF9ECC78E1E3477E5EF2FA877761578FF7A8E73CE6F3CD47A6DD2682A9D3D09
DACEE00338E64CED5641E8C2C7679ECC1B72729CCFB5BBC40CED057F5C000000 001EB2689F2D30D9FAAF28A9E16E998702FA4F597D4EC573A7857261D5758245
All depends on the program you use.
What do you mean the jump size is limited? I do believe the max is set at 128, and one could change that, however, for JLP's program, it just can't write to file with the current 126 bit restriction.
I have hopped around the elliptic wheel and picked up many 24 to 32 DP points. I believe I probably hold the useless record of most 32 bit DPs Smiley
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
kangaroos have claimed up to 115 bits.
I think that is a new world record but would have to research it to make sure.  If so, the person who claimed the 0.115 BTC should get some fame for that - if they want the fame...

Since the jump size is limited to 64 bits it quickly becomes impractical to search ranges that are say 128 bits long without extending the code.

I estimate it would take at least 2^64 jumps for the program to get from one end of that particular range to another, and who knows how much that translates to in terms of running time.

EDIT this may not be correct see my below reply
legendary
Activity: 2646
Merit: 1138
All paid signature campaigns should be banned.
Thanks for the info, is there a consolidated list of the puzzles that have been solved and the likely method used to solve them?
This is the only transaction I know of that is specifically designed to experimentally determine the security strength of Bitcoin.
newbie
Activity: 12
Merit: 8
Thanks for the info, is there a consolidated list of the puzzles that have been solved and the likely method used to solve them?
full member
Activity: 1232
Merit: 242
Shooters Shoot...
kangaroos have claimed up to 115 bits.
I think that is a new world record but would have to research it to make sure.  If so, the person who claimed the 0.115 BTC should get some fame for that - if they want the fame...
I think Zielar and/or Jean Luc (the finders) said it tied the record at 114 bits.
legendary
Activity: 2646
Merit: 1138
All paid signature campaigns should be banned.
kangaroos have claimed up to 115 bits.
I think that is a new world record but would have to research it to make sure.  If so, the person who claimed the 0.115 BTC should get some fame for that - if they want the fame...
full member
Activity: 1232
Merit: 242
Shooters Shoot...
Here is an experiment to determine the answer to your question

https://bitcointalksearch.org/topic/m.51460251

Brute force has claimed up to 61 bits.

Kangaroos have claimed up to 80 bits.
kangaroos have claimed up to 115 bits.
legendary
Activity: 2646
Merit: 1138
All paid signature campaigns should be banned.
Here is an experiment to determine the answer to your question

https://bitcointalksearch.org/topic/m.51460251

Here my comment from that thread:

Well, what is the sacramental meaning of the step through 5? And he just brute force? because, it seems, it is necessary that the address be translated to its public key lit up. Arulbero could not until there is no output, find the number or could?)).

The author of the puzzle did that transaction to spend from every fifth address.  

My guess is that it is an experiment to see how far people can get when there is an available spend transaction versus addresses with no available spend transaction.

He has been known to visit this thread.  Perhaps he will explain it.

Obviously it is much easier to get the private key when there is a spend transaction on the address. #1 through #61 took a long time whereas #65, #70, #75 and #80 were snatched up pretty soon after the author added the spend transaction to those addresses.  I expect #85 will also be snatched up in due time.

As discussed #85, #90, #95, #100, #105, #110 are all within the realm of possibility given enough time and resources.  It looks as if #115 would be a new world record so someone with enough equipment and motivation can probably get that one.  Beyond that it is very iffy.

Note that since there is a spend transaction on these addresses we will probably see more of them before we ever see the next address without a spend transaction, #62.  This is a HUGE difference in effort.

I think one of the take home messages here might be that due to this difference in effort and other factors having to do with privacy and the fungibility of Bitcoin in general:  do not reuse Bitcoin addresses.  Bitcoin addresses should be used exactly twice:  once to fund them and once to spend them - then never used again.

As I predicted:

https://blockchair.com/bitcoin/outputs?q=transaction_id(56857085)&s=index(asc)#

Brute force has claimed the BTC up to 63 bits and the next brute force target address has 64 bits.

Kangaroos have claimed up to 115 bits the and next target for the kangaroos is 120 bits.
newbie
Activity: 12
Merit: 8
Thanks for the reply, knew my understanding must have a big hole in it.

So the additional information an attacker would need is to know a range that the private key is within [a, b]. Now I understand why a flaw in generating the private key (not truly random) can result in encryption failure on an other wise cryptographically secure system.

Thanks for the info on UTXO, always thought it was weird to leave funds on an exposed address but the above explains it.

One other question, how small does the range [a, b] have to be to consider it an immenent security threat with current hardware?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
* The pollard kangaroo method can drastically reduce the amount of work required to obtain the private key from the public key but requires the public key as an input to do this.

That's actually not how it works. We take a range with a minimum and maximum number [a, b] that's in 256-bit space, and we "search" for the private key in (and only in) that interval by taking a starting term somewhere in that range, and then keep adding a smaller variable-sized increment. Each one of these increments is called a hop or jump.

EDIT: yes we also take the public key as input just to clarify.

We actually take two starting numbers as part of the Kangaroo algorithm, one of these is called a "wild" kangaroo which uses a starting term that is an estimate of G (the generator point) * the private key, and then computes more terms trying to "jump" to the private key.

The other kangaroo is a "tame" one because it's starting point is the public key itself, which is already known. In this way we can have many wild kangaroos with different estimates of what G*the private key is, and one tame kangaroo, and compute them all in parallel.

When a term of a wild kangaroo matches a term of the tame kangaroo we call that a "collision" and that number can be used to derive the private key easily.

Now as you might have guessed the range to search has to be very small, otherwise if the range to search in is too large the algorithm will take too long to find a collision on modern hardware. Combined with the fact that Kangaroo can't search outside the range, that's why this is impractical to brute force random people's private keys and their money hasn't been stolen en masse.

* The funds which are not spent are returned to a change address leaving a balance of 0.

This actually only happens to the outputs that has been spent. If an address has many outputs and only one is spent then the others remain in the address leaving some BTC leftover in there.
newbie
Activity: 12
Merit: 8
Sorry if this should be elsewhere but the level of technical detail in the main pollard kangaroo method thread is far beyond my level of technical understanding.

I just want to check my understanding and see where I might not have a good grap of the basics before proceeding. My assumptions are below;

* The pollard kangaroo method can drastically reduce the amount of work required to obtain the private key from the public key but requires the public key as an input to do this.

* Once an address has spent some of it's funds that address public key is revealed in the spend transaction.

* The funds which are not spent are returned to a change address leaving a balance of 0.

* The address should not be reused as a malicious actor can start generating the private keys from the moment the spend transaction is confirmed.

Feel free to correct any of the above points but if the above is correct; can anyone answer the following;

* Address reuse was extremely common in the early days and there are several addresses with 1000+ BTC balances with outgoing transactions revealing the public key.

Why has this not been used to steal the funds?

I'm sure there is a limiting factor to this method but I could do with it being spelled out in layman's terms.

Cheers.
Pages:
Jump to: