This message was too old and has been purged - page 8.

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

Quote from: Ritual on January 29, 2014, 01:31:03 PM

I'd like to see what happens with this. Just because it hasn't been done in a couple of hours doesn't mean it CAN'T be done.

As has been well established on this thread, this is a rainbow table attack, and one of those 200,000 keypairs could lie within reach. Remember that we have NO IDEA how keypairs are spread along the curve, so it's not possible to tell how "weak" an address is before it's tried.

gmaxwell has the massive advantage of the entire space to choose from, obviously, but there is a possibility (however vanishingly small) that he could get caught here.

Yeah. So if anyone wants to help ripping gmaxwell of 50 BTC, please make sure to start EK's tool before going to bed tonight

But much more important thing than Greg's 50 BTC is that we all would help to (dis)prove the actual security of secp256k1.
Losers or winners - we're all in this together and we all care to know the answer. Don't we?

Ritual

member

Activity: 84

Merit: 10

Quote from: BurtW on January 29, 2014, 12:55:02 PM

Quote from: forzendiablo on January 29, 2014, 12:51:31 PM

gweedo why dont u put there 1BTC o nthe wallet if you believe he cant crack it. 16$ doesnt sound like u really are not worried.

gmaxwell already put up 50 BTC if he can crack any one of 200,000 different keypairs.

Now, everyone, including him, knows he cannot do it.

He may never have claimed he could, that is another matter.

I'd like to see what happens with this. Just because it hasn't been done in a couple of hours doesn't mean it CAN'T be done.

As has been well established on this thread, this is a rainbow table attack, and one of those 200,000 keypairs could lie within reach. Remember that we have NO IDEA how keypairs are spread along the curve, so it's not possible to tell how "weak" an address is before it's tried.

gmaxwell has the massive advantage of the entire space to choose from, obviously, but there is a possibility (however vanishingly small) that he could get caught here.

Give it some time

Rit.

PS: I also agree this is a valuable experiment, even if it comes to nothing. A security system claiming to be this unbreakable *needs* someone to try to prove it wrong sometimes - otherwise stagnancy sets in and no progress is made.

BurtW

legendary

Activity: 2646

Merit: 1137

All paid signature campaigns should be banned.

Quote from: forzendiablo on January 29, 2014, 12:51:31 PM

gweedo why dont u put there 1BTC o nthe wallet if you believe he cant crack it. 16$ doesnt sound like u really are not worried.

gmaxwell already put up 50 BTC if he can crack any one of 200,000 different keypairs.

Now, everyone, including him, knows he cannot do it.

He may never have claimed he could, that is another matter.

forzendiablo

legendary

Activity: 1526

Merit: 1000

the grandpa of cryptos

gweedo why dont u put there 1BTC o nthe wallet if you believe he cant crack it. 16$ doesnt sound like u really are not worried.

itod

legendary

Activity: 1974

Merit: 1077

^ Will code for Bitcoins

Quote from: gmaxwell on January 29, 2014, 12:08:10 PM

Itod, you realize that the software you're running is indistinguishable from a cracker of EC keys, right? I mean— no real reason to believe that anyone will find anything, but...

I disagree, I would never run an EC kracker but I'm running this, thinking of it as a statistical analysis tool.

Quote from: gmaxwell on January 29, 2014, 12:18:43 PM

I think I've pointed out the fraud in this thread clearly enough. The impression was made that this tool was able to find the private keys of some portion of random keys enough for shill demonstrations in this thread. I posted 200,000 keys with a substantial bounty for giving me the private key of any one of them. Evil, where is my private key? You said your software takes a few minutes— please either solve one of the keys I posted or admit that you cannot and that people have been mislead by this thread.

I really can't understand where do you see the fraud in this. Guy paid his due yesterday, and he said that he will continue paying until he spends 10 BTC. I'll let you know immediately if me misses todays payment. Those 10 BTC have to come from somewhere, and although the thread title is a bit on the high tone, he haven't said a single lie in the explanation. Regarding your challenge to him, it's a really a low blow because he never, ever said he can crack usual private/public keypair. All he said is if you generate the private key, who's 1/8 of the corresponding public key matches the 5000 values he gave - he will crack your keypair in minutes. There's no point in challenging someone to do what he never claimed he could do.

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

So you are saying that there is no way for the numbers ending with a certain value (of the last LSBs) to have a certain set of the optimal "randezvouz points" to start with, for cracking?
I mean, a different set of "randezvouz points" for different values of the last LSBs - obviously.

EDIT:
Maybe not even a set of points - maybe it is as simple as a single "randezvouz point" for each specific value of the LSBs.
Are you sure that we are talking about a total nonsense here?
Because if he manages to prove by statistics that there is such a correlation, then building a complete rainbow table for mapping N LSBs to a specific randezvouz point should be just a matter of time.
And when/if it happens - then it is 'goodbye bitcoin'.

gmaxwell

staff

Activity: 4284

Merit: 8808

Quote from: piotr_n on January 29, 2014, 12:21:37 PM

But he only makes the stats for the least 32 bits, and not for the entire numbers - it doesn't matter?

It doesn't matter (and for some curves— e.g. ones where the x^2 term is non-zero, though IIRC in scep256k1 there isn't a tidy LSB pattern, some 32 bit LSB patterns are unused entirely). About half of the X values are not points on the curve, but this is accounted for in the order of the group. There are ORDER points on the curve, and the private keys 1..ORDER-1 uniquely map to them. Lets say that all the X values were even— they're not— but lets say— it doesn't matter since any search is already limiting itself to valid X values, e.g. any statement about the security already excludes the points which are not part of the curve, which can't be reached by any private key, and which wouldn't be included in any key search.

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

Quote from: gmaxwell on January 29, 2014, 12:08:10 PM

But, of course, there isn't. The group is complete, all $ORDER points are reachable by multiplying the generator from 1..$ORDER-1. Some points _can't_ be more likely than others as a property of the curve with a uniform input, or otherwise some points would be unreachable (obvious by the pigeonhole principle) and the order would be less.

OK - that's a solid statement.
But he only makes the stats for the least 32 bits, and not for the entire numbers - it doesn't matter?

gmaxwell

staff

Activity: 4284

Merit: 8808

Quote from: Blaater on January 29, 2014, 04:43:55 AM

Would that be impossible or just take a good amount of time but still possible.

It's not possible. Though the fact that you can 'search from both directions' is why 256-bit ECC has 2^128 security. Rho is an enormous speedup but the parameters are chosen to make it irrelevant.

I think I've pointed out the fraud in this thread clearly enough. The impression was made that this tool was able to find the private keys of some portion of random keys enough for shill demonstrations in this thread. I posted 200,000 keys with a substantial bounty for giving me the private key of any one of them. Evil, where is my private key? You said your software takes a few minutes— please either solve one of the keys I posted or admit that you cannot and that people have been mislead by this thread.

gmaxwell

staff

Activity: 4284

Merit: 8808

Quote from: piotr_n on January 29, 2014, 10:22:50 AM

From what I see, the guy is literally gathering a statistical data, hoping that maybe there is something about this curve that would make the balls more likely to end up in a certain places on the earth.

But, of course, there isn't. The group is complete, all $ORDER points are reachable by multiplying the generator from 1..$ORDER-1. Some points _can't_ be more likely than others as a property of the curve with a uniform input, or otherwise some points would be unreachable (obvious by the pigeonhole principle) and the order would be less.

Quote from: piotr_n on January 29, 2014, 11:38:44 AM

Quote from: itod on January 29, 2014, 11:23:32 AM

Dozens off us with many machines are helping him gather this data, we'll see the results in the paper.

Exactly. It is a highly valuable project, because even if it fails, it still proves something.

All it does is reaffirms is that the world is full of fuzzy headed reactionary thinkers, unscrupulous parties, and pump-and-dumpers looking to cash in on hysteria.

Itod, you realize that the software you're running is indistinguishable from a cracker of EC keys, right? I mean— no real reason to believe that anyone will find anything, but...

itod

legendary

Activity: 1974

Merit: 1077

^ Will code for Bitcoins

Quote from: piotr_n on January 29, 2014, 11:47:54 AM

Quote from: BurtW on January 29, 2014, 11:39:25 AM

That looks like great/fun/useful? research into the properties of the RNG used to generate the data.

As I said, I suck at math, but my understanding of this project is that it is a statistical analysis of how the value of the least significant 32 bits of... something (but which has definitely nothing to with RNG), can be projected into the most efficient set of a specific randezvouz point, to be (eventually) used for bruteforcing secp256k1 keys.

Exactly, RNG has nothing to do with it, which is often overlooked because people are used to faulty RNG being the usual suspect. RNG quality on machines generating the triplets is unimportant, because all generated private keys are sieved against an array of predefined values, and if matched is later used in the analysis.

Edit: X EC coordinate (first half of the public key) is calculated, and if last 1/4 of that X-coord matches any value in the array produced triplet is submitted.

Quote from: piotr_n on January 29, 2014, 11:38:44 AM

Quote from: itod on January 29, 2014, 11:23:32 AM

Dozens off us with many machines are helping him gather this data, we'll see the results in the paper.

Exactly. It is a highly valuable project, because even if it fails, it still proves something.

Unlike the "there is nothing suspicious about secp256k1 params" or "your tool cannot crack my key" approach - which is totally useless and may be even dangerous, since it strengthens confidence in the technology that uses assumptions, which no sane mathematician would bet his life on.

+1

prezbo

sr. member

Activity: 430

Merit: 250

Quote from: piotr_n on January 29, 2014, 10:22:50 AM

Of course currently EK can only crack a tiny (statistically almost non-existent) part of all the possible keys out there.
But he is obviously doing some more research.
From what I see, the guy is literally gathering a statistical data, hoping that maybe there is something about this curve that would make the balls more likely to end up in a certain places on the earth.
It might be a dead end, but you cannot blame him for trying. I personally appreciate it.

It is a dead end, because he's using old techniques, that were already proven how efficient they are.

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

Quote from: BurtW on January 29, 2014, 11:39:25 AM

That looks like great/fun/useful? research into the properties of the RNG used to generate the data.

As I said, I suck at math, but my understanding of this project is that it is a statistical analysis of how the value of the least significant 32 bits of... something (but which has definitely nothing to with RNG), can be projected into the most efficient set of a specific randezvouz points, to be (eventually) used for bruteforcing secp256k1 keys.

EDIT:

Quote from: BurtW on January 29, 2014, 11:39:25 AM

Have no problem with that part of it. What I have a problem with is his marketing and sales:
Quote
[WTS] OpenCL Based, Optimized BTC Private-Key Cracker with Sources [WITH VIDEO]

Well, it's not like anyone bought this tool, is it? It looks like a good ad, though.

One day when I pointed out that nobody cares about my working bitcoin client in Go while everyone was very excited about another one only announced to be made - one guy came to tell me that my software only matters as much, as my marketing is worth.. and there is something about it

FiatKiller

sr. member

Activity: 378

Merit: 250

Can I ask a fine point about reusing address?

When you send your coins to a new address to be safe, can it be in the same wallet or does it have to be a new wallet?

I know say it does not matter, but what the heck. Might as well CYA as much as possible. lol

thanks

BurtW

legendary

Activity: 2646

Merit: 1137

All paid signature campaigns should be banned.

That looks like great/fun/useful? research into the properties of the RNG used to generate the data. Might be interesting. Have no problem with that part of it. What I have a problem with is his marketing and sales:

Quote

[WTS] OpenCL Based, Optimized BTC Private-Key Cracker with Sources [WITH VIDEO]

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

Quote from: itod on January 29, 2014, 11:23:32 AM

Dozens off us with many machines are helping him gather this data, we'll see the results in the paper.

Exactly. It is a highly valuable project, because even if it fails, it still proves something.

Unlike the "there is nothing suspicious about secp256k1 params" or "your tool cannot crack my key" approach - which is totally useless and may be even dangerous, since it strengthens confidence in the technology that uses assumptions, which no sane mathematician would bet his life on.

Besides, if you don't try to break the things that others consider unbreakable, even though there is no proof of them being actually unbreakable - then what kind of fun your life is? Wink

itod

legendary

Activity: 1974

Merit: 1077

^ Will code for Bitcoins

Quote from: piotr_n on January 29, 2014, 10:22:50 AM

From what I see, the guy is literally gathering a statistical data, hoping that maybe there is something about this curve that would make the balls more likely to end up in a certain places on the earth.
It might be a dead end, but you cannot blame him for trying. I personally appreciate it.

From http://stargate.bitwarrant.com/science/

Quote

Live Key Counter: 51012 keys submitted so far.
What Do I Actually See Here?
We are generating random Bitcoin addresses, that match (in the least significant 32 bits) a few of our rendezvous points on the elliptic curve (read more). Bitcoin addresses themselves are just points on this very elliptic curve. Now if the distribution of BTC addresses is completely random, we should experience a totally balanced distribution of hit rendezvous points (The bar-chart on the right hand side shows these rendezvous points and their distribution).

Time will tell, how random BTC addresses actually are. If the right "point cloud" evolves to a straight blue line, our BTC adresses should be safe. Hence if it doesn't, this will open new topics to be discussed.

Dozens off us with many machines are helping him gather this data, we'll see the results in the paper.

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

I find this thread very interesting.

From myself (since I suck in math these days), I can only add one thing here, though more of a philosophical matter:
There is no way anyone would ever break this curve, without first assuming that the curve can be broken.
At the other hand, assuming that this curve cannot and will never be broken, is the most irresponsible thing a bitcoin holder can do.

Of course currently EK can only crack a tiny (statistically almost non-existent) part of all the possible keys out there.
But he is obviously doing some more research.
From what I see, the guy is literally gathering a statistical data, hoping that maybe there is something about this curve that would make the balls more likely to end up in a certain places on the earth.
It might be a dead end, but you cannot blame him for trying. I personally appreciate it.

onzoom

newbie

Activity: 37

Merit: 0

First the boring but true bit

There is no risk whatsoever in revealing your Public Key.

There is no need to change your Wallet Address

You do not choose your private key. The private key is not weak.
.

Now the fun bit

Quote from: Evil-Knievel on January 29, 2014, 05:28:18 AM

Maybe some more correct explanation.

[1] - imagine the bitcoin address space is ALL the sand grains on planet earth (it's actually much bigger than that I think but this is easier to visualise)

[2] - imagine someone picks a private key which we assume to be our sandgrain and hides is somewhere on any beach on this planet. Lets further assume this sandgrain is painted blue.

[3] - Searching for this particular sand grain is computationally infeasible. But let us say you have placed a colored tennis ball (each with a different color) on each of the world's beaches.

[4] - now imagine you send out 100.000 people to all the beaches of the world simultaneously. If one of these people finds a blue tennis ball somewhere, you can recover the private key.

[1] most of the sand is under the sea or in a desert
[2] someone carefully paints a grain of sand blue before hiding it underneath some of this sand
[3] now rather than trekking through oceans and deserts I do a world tour of beaches carelessly littering a load of balls
[4] I send 100,000 people to all the beaches in the world to find my favourite blue ball (which is pretty cruel since i know where I placed the blue ball) Reunited with my favourite blue tennis ball I celebrate by typing dumpprivkey into the console of my bitcoin wallet and recover my private key

On reflection the most relevant comment on this thread is summarised by the last four words of point [3]

Ritual

member

Activity: 84

Merit: 10

Hmmm....from the explanations offered in this thread, would I be correct in thinking:

The generator code allowed for 20million keys each side of a set (i.e. known) rendezvous point. So for each, this is 40 million keys.

Evil appears to have started with 768 points, and is mining thousands more on his other thread.

So let's say that we end up in a month with a million rendezvous points total. This would give us a total number of crackable keys = 40 million * 1 million.

So 40000000000000. That's a big number. Very big. But...

The namespace is 2^160 keys (I think - please correct me if that's wrong), and the number above is insignificant to the point of meaninglessness in that context.

Please correct me if I'm wrong. I'm trying to pick up this stuff as I go along

Rit.

Topic: This message was too old and has been purged - page 8. (Read 50756 times)