Vanitygen: Vanity bitcoin address generator/miner [v0.22] - page 184.

samr7

full member

Activity: 140

Merit: 430

Firstbits: 1samr7

To report on the current state of oclvanitygen, I've made some progress optimizing it for various GPUs. So far it has been depending on the CPU to compare addresses with prefix targets. The performance with higher-end GPUs has progressed to the point that the CPU has become the bottleneck, and the prefix checking will certainly need to be offloaded next. And don't even think about using regular expressions!

Obligatory performance numbers, searching for a single case-sensitive prefix:

nVidia GTX 285 + C2D 6600: 3.5 Mkey/s, 100% CPU / 90% GPU
AMD 5830 + Sempron 140: 5.5 Mkey/s, 100% CPU / 60% GPU

I found a really cool address with this thing. As it would turn out though, somebody already claimed it on 1stbits two days ago. Tongue

Regardless, 7- and 8-character prefixes are no longer out of reach for a single gaming system.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: JoelKatz on July 17, 2011, 11:19:40 PM

Quote from: TiagoTiago on July 17, 2011, 08:04:17 PM

How risky do you guys consider it to be for me to download the executable form the first post and run it on my machine?

It is trivial for someone to make a slightly-modified executable that appeared in all respects to work correctly but such that given the account name, they could deduce the private key. That said, I think it's highly unlikely that anyone has bothered.

You can actually check for such a thing. Unless someone specifically thought that someone would test for this, the most obvious way to do that would leave a tell. Create a specific vanity key, say "1Dag". Then create that same vanity key again. And then do it one more time. If any of your keys are the same, you have a sabotaged binary. If not, then you either don't have a sabotaged binary or the sabotage is very subtle. (The obvious way to sabotage it would be to use a defined pattern of keys rather than a random one.)

Oh, I don't doubt there's ways to subtly hide all sorts of malicious activities. I'm just talking from the standpoint of samr7's reputation here. I trust him, based on the work that he has released, the manner in which he released it, and the respect with which he conducts himself on this forum. Perhaps I am too trusting of people, but I get no indication of a bad apple. And since he's the one releasing the source code and builds, I also trust those builds.

JoelKatz

legendary

Activity: 1596

Merit: 1012

Democracy is vulnerable to a 51% attack.

Quote from: TiagoTiago on July 17, 2011, 08:04:17 PM

How risky do you guys consider it to be for me to download the executable form the first post and run it on my machine?

It is trivial for someone to make a slightly-modified executable that appeared in all respects to work correctly but such that given the account name, they could deduce the private key. That said, I think it's highly unlikely that anyone has bothered.

You can actually check for such a thing. Unless someone specifically thought that someone would test for this, the most obvious way to do that would leave a tell. Create a specific vanity key, say "1Dag". Then create that same vanity key again. And then do it one more time. If any of your keys are the same, you have a sabotaged binary. If not, then you either don't have a sabotaged binary or the sabotage is very subtle. (The obvious way to sabotage it would be to use a defined pattern of keys rather than a random one.)

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: TiagoTiago on July 17, 2011, 08:04:17 PM

How risky do you guys consider it to be for me to download the executable form the first post and run it on my machine?

Considering the work that samr7 has put into optimizing the code (and seeing those optimizations actually help), I would say zero risk.

TeraPool

newbie

Activity: 42

Merit: 0

Quote from: TiagoTiago on July 17, 2011, 08:04:17 PM

How risky do you guys consider it to be for me to download the executable form the first post and run it on my machine?

I hope it's not too risky Wink

I have been running it on my windows machine for a few days with no complaints.

TiagoTiago

hero member

Activity: 616

Merit: 500

Firstbits.com/1fg4i :)

How risky do you guys consider it to be for me to download the executable form the first post and run it on my machine?

samr7

full member

Activity: 140

Merit: 430

Firstbits: 1samr7

Version 0.13 is up. The only major change is to display hints when impossible address prefixes are entered, suggested by a user via email. It's not worth downloading if you already have 0.12.

Under the hood, the source tree has been reorganized a bit, and a new OpenCL version, oclvanitygen, is now present.

Regarding the current state of oclvanitygen:

It isn't built by default, you need to run: make oclvanitygen. Build it on Windows at your own peril.
It isn't optimized at all. Specifically, it can't outperform the CPU with AMD hardware, and while it is faster with nVidia hardware, the profiler claims 25% occupancy.

cbuchner1

hero member

Activity: 756

Merit: 502

Hmm, these nVidia GPUs might not be particularly fast at those jobs. Last time I imlemented a 1024 bit (non modular) bignum multiplication on nVidia GTX 260 using CUDA, it turned out to be only as fast as two CPU cores combined.

One possible avenue to expore, would be using Intel AVX instructions ("Sandy bridge"). In principle these would allow to perform eight modular multiplications or additions in parallel. However you really need some up to date Intel silicon and an OpenSSL library with support for AVX.

samr7

full member

Activity: 140

Merit: 430

Firstbits: 1samr7

Quote from: dinox on July 16, 2011, 07:29:25 PM

I've implemented this in python with hashlib as only dependency and yes, it's indeed working. I want to translate this to a opencl kernel but I figured out we have a core problem to solve first.

The problem is that address generating is pipelined, i.e. you cant multi-thread the problem since next worker need the work of last worker to start computing. Let's say you have some workers and a base public key. Then worker 1 does public key += base_ec_point and worker 2 has to wait for this until it can do public key += base_ec_point and so on... How do you solve this?

The trick is to remember that: pub_key + (N+M)*base_ec_point == pub_key + N*base_ec_point + M*base_ec_point

Parallelism is possible by computing:

A row of sequential EC points (pub_key + k*base_ec_point) for k=0,1,2,...N
A column of EC points i*N*base_ec_point for i=0,1,2,...

..and then add each possible combination of row and column member in parallel.

The trickiest part of implementing this in OpenCL is the bigint arithmetic. I'm actually testing a kernel right now. It's monstrous, easily dwarfing the various miner kernels in compiled size, and only moderately fast -- on my GTX 285, it can produce ~1.1Mkey/sec.

dinox

full member

Activity: 126

Merit: 100

Quote from: BTCurious on July 16, 2011, 06:25:08 AM

Quote from: dinox on July 15, 2011, 07:29:23 AM

I haven't got every thing about ECC clear yet, but what I have understood you can do

Public_key = some_int*base_EC_point
Priv_key = some_int

Then

New_pub_key = Public_key + another_int*base_EC_point
New_priv_key = priv_key + another_int

Now if you set another_int=1 you only have to do one add each iteration, and if there is a match another add to get the private key. This should speed up the calc a lot if my maths is correct.

You're sort of correct, but samr7 has been doing this since his earliest released version. It's one of the reasons his tool is rather fast

I've corrected some stuff in green. The base_ec_point is a parameter that is known to all parties; it's defined in the protocol/cryptology parameters. It's parameter G.

Thanks!

I've implemented this in python with hashlib as only dependency and yes, it's indeed working. I want to translate this to a opencl kernel but I figured out we have a core problem to solve first.

The problem is that address generating is pipelined, i.e. you cant multi-thread the problem since next worker need the work of last worker to start computing. Let's say you have some workers and a base public key. Then worker 1 does public key += base_ec_point and worker 2 has to wait for this until it can do public key += base_ec_point and so on... How do you solve this?

BTCurious

hero member

Activity: 714

Merit: 504

^SEM img of Si wafer edge, scanned 2012-3-12.

Quote from: dinox on July 15, 2011, 07:29:23 AM

I haven't got every thing about ECC clear yet, but what I have understood you can do

Public_key = some_int*base_EC_point
Priv_key = some_int

Then

New_pub_key = Public_key + another_int*base_EC_point
New_priv_key = priv_key + another_int

Now if you set another_int=1 you only have to do one add each iteration, and if there is a match another add to get the private key. This should speed up the calc a lot if my maths is correct.

You're sort of correct, but samr7 has been doing this since his earliest released version. It's one of the reasons his tool is rather fast

I've corrected some stuff in green. The base_ec_point is a parameter that is known to all parties; it's defined in the protocol/cryptology parameters. It's parameter G.

Yeti

member

Activity: 112

Merit: 10

Firstbits: 1yetiax

This goes way back to the beginning of the month when there was no vanitygen. http://blockexplorer.com/address/1HnNPy6wtM8pG9TpF1dapvuLTPpdHwiYek

Somebody had figured this out earlier, activated them in Firstbits with tx of 1 Satoshi each, not released the code and now keeps all the addresses to sell them later (although that remains to be seen if people would buy private keys from somebody).

That's why I can't be 1yeti and that's why we can't have nice things!

dserrano5

legendary

Activity: 1974

Merit: 1029

Oh my goodness, and I thought my 45 vanity addresses were far too many...

pc

sr. member

Activity: 253

Merit: 250

Quote from: gmaxwell on July 15, 2011, 08:37:59 AM

It would appear that vanitygen is now the preferred tool of transaction spammers:

Yeah, between vanitygen and firstbits, there's been quite a bit of trying to get some nice addresses. I've certainly thrown a couple addresses into the chain myself just to get the vanity firstbits address, but nothing quite like that… But at least that transaction has a fee to pay for it, so it could almost be considered the system working just fine.

gmaxwell

staff

Activity: 4172

Merit: 8419

It would appear that vanitygen is now the preferred tool of transaction spammers:

http://blockexplorer.com/tx/60d7988fd2bc22ce764f9651b20fc3e7418ab6ab57c7057a16dfedd22e837b11

dinox

full member

Activity: 126

Merit: 100

Quote from: samr7 on July 14, 2011, 06:35:44 PM

Quote from: dinox on July 14, 2011, 01:53:02 PM

I tried to find an example code of how EC multiplication and add works but couldn't find one. I think we should grab some and translate it to a OCL kernel for running this on a GPU instead.

I've been messing around with this. More than 1/3 of the CPU time spent by the current algorithm is in Montgomery multiplication -- to produce each output address, it must do 14 of them. I have an OpenCL kernel that can correctly perform the Montgomery multiplication. Unfortunately, the performance so far isn't very encouraging.

I haven't got every thing about ECC clear yet, but what I have understood you can do

Public_key = some_int*Priv_key

Then

New_pub_key = Public_key + another_int*another_ec_point
New_priv_key = priv_key + another_int

Now if you set another_int=1 you only have to do one add each iteration, and if there is a match another add to get the private key. This should speed up the calc a lot if my maths is correct.

samr7

full member

Activity: 140

Merit: 430

Firstbits: 1samr7

Quote from: dinox on July 14, 2011, 01:53:02 PM

I tried to find an example code of how EC multiplication and add works but couldn't find one. I think we should grab some and translate it to a OCL kernel for running this on a GPU instead.

I've been messing around with this. More than 1/3 of the CPU time spent by the current algorithm is in Montgomery multiplication -- to produce each output address, it must do 14 of them. I have an OpenCL kernel that can correctly perform the Montgomery multiplication. Unfortunately, the performance so far isn't very encouraging.

dinox

full member

Activity: 126

Merit: 100

Nice work, getting ~~380KKeys/s~~ 450KKeys/s (with 8 threads) from my sandy MBP. Got 1DinoX and is now trying to get 1dinox (lowercase).

---

I tried to find an example code of how EC multiplication and add works but couldn't find one. I think we should grab some and translate it to a OCL kernel for running this on a GPU instead.

Edit: We do have the SHA-hashing code for "free" from the miners.

Shevek

sr. member

Activity: 252

Merit: 250

Quote from: Joric on July 13, 2011, 01:08:18 PM

Quote from: Shevek on July 13, 2011, 12:58:51 PM

But it does not work with long-term used wallet.dat file. Even if the server is stopped.
When wallet.dat is freshly created, there is no problem.

I've fixed this issue (removed tx reader), added max_version and got rid of pycrypto. https://github.com/joric/pywallet

WOW!! Thanks!

Joric

member

Activity: 67

Merit: 130

Quote from: Shevek on July 13, 2011, 12:58:51 PM

But it does not work with long-term used wallet.dat file. Even if the server is stopped.
When wallet.dat is freshly created, there is no problem.

I've fixed this issue (removed tx reader), added max_version and got rid of pycrypto. https://github.com/joric/pywallet

Topic: Vanitygen: Vanity bitcoin address generator/miner [v0.22] - page 184. (Read 1152778 times)