The reason why puzzle 65 was cracked because the owner of the puzzle revealed the public key of every 5 bit address. For example puzzle 2^65, 2^70, 2^75, 2^80 they're all increasing 5 bits in difficulty but it's public key is revealed which makes it of course easier to attack and get it's key. When the public key of those are revealed people were able to crack them by the help of algorithms like Kangaroo, or BSGS.
Puzzle 161 to 256 were not cracked, but the owner took its coin and added them up for the unsolved parts of the puzzles. He did this because he knew cracking 256 bits is impossibly hard and also since Bitcoin address is only 160 bits.
Hope that answers your question
Hey, sorry for late reply but thanks a bunch for this nice explanation  Do we know the owner, who is that? And why did he reveal the pubkey for every 5 bit addresses, what was the reason therefore and do you have a link where I can find this information where he/she published it? Does that mean that if anyone gets my pubkey for a certain adress he is likely able to crack my privkey for that address? When gets a pubkey of an address disclosed and why? What countermeasures are best-practice therefore, how could one protect against this Hopefully anyone can address this questions. Thanks in advance. We don't know the owner, he only posted in this thread in its early years, just go back in this thread's pages .. He thanked the community for trying to create great cracking tools.. so he most likely did this whole puzzle thingy to test the community strength of cracking BTC .. he also revealed public keys to see if knowing the public key can make any difference in minimizing cracking difficulty.. obviously, it made a huge difference ..coz knowing the public key turned out to make a 115 bit key with a known public key easier to crack than a 64 bit key with hidden public key (thanks to Pollard's kangaroo) .. however, this doesn't make cracking a random btc address any easier (you know, the address with a fully randomized 256 bit private key that android or pc wallet software generates for you) because the most you can crack with a public key nowadays is 119 bit .. if you wanna try it on 256 bit, you would spend billions of years and still not succeed . So yeah, a typical btc address is safe and sound with or without its public key exposed |
|
|
|
So there are 2^96 different private keys in the entire 2^256 space that can "unlock" for example this address: 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (Puzzle 64)? Can anyone confirm this?
Yes exactly and for a simple fact : 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (and every other wallet address of this type) is encoded on 160 bits (and not on 256 bits like the majority of other crypto parameters in bitcoin protocol) 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN is base58 encoded and is 3ee4133d991f52fdf6a25c9834e0745ac74248a4 (20*8bytes = 160bits) in hexadecimal ( Unlike public keys that are encoded on 256 bitsa simple wallet address (p2pkh) is simply obtained by the function hash160(public_key) So if you have the possibility to browse the entire 1-2^256 space and to compute the hash160 function for every hash160(public_key) derived from 1-2^256 private keys you will find an average of 2^(256-160) = 2^96 public key with hash160=16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN . But even if 2^96 seems big its far away smaller from 2^256. And it's pretty impossible to have a collision between two random public key in the using age of bitcoin. But theoretically if you find any public key derived from a private key with hash160(public_key)= '16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN' or = to any other non zero wallet address you will able to unlock the coins. Because the verification in the bitcoin protocol to prove that you are the owner of the private key is simply "have you signed the transaction with the private key associated to a public key that gives 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (or any other target address) with hash160 function Thanks for the reply! I'm missing something...So these addresses will have different public keys or not? Can one private key control 2^96 different wallets? For example when I import some random private key in Electrum wallet and click on "sweep funds" am I sweeping one wallet or 2^96 different wallets? You simply got it backwards .. One private key does NOT open 2^96 addresses instead, One address can be opened by 2^96 private keys See the difference? Yeah I get it thanks. Still the odds of finding one remain almost the same if you scan through 2^255 I wouldn't say that with 100% confidence .. any address that starts with the number "1" (i mean a p2pkh address) is prone to 160 bit range attack using private key cracking tools .. it is well known that this entire first 160 bit range has all addresses (including the 40+ millions with balance) .. this is the problem with hashing public keys .. coz you basically reduced cracking difficulty down from 256 bits to 160 bits .. however, this doesn't mean that bitcoin security got any loopholes .. just watch how only 64 bits are beating the hell out of all crackers trying to solve one address within it .. trying to go through the entire 64 bits, you would have to traverse 18 million trillion private keys .. this number is so huge that the average person will never hear about it in their lifetime coz most likely they will never need to .. ok going forward, getting out of this range and moving up one bit to 65 bit range .. is double that number .. keep doubling on every bit until you reach 160 bits and you would have to crack one quindecillion private keys .. in case you wonder, one quindecillion is a number consisting of 49 digits (1 followed by 48 zeros) .. no machine in our world is known to be able to even count through this whole range within like what, a million generations lifetime? let alone trying to convert each pvt key to public key hash .. in simple words: practically impossible Update: edited some wrong calcs. |
|
|
|
So there are 2^96 different private keys in the entire 2^256 space that can "unlock" for example this address: 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (Puzzle 64)? Can anyone confirm this?
Yes exactly and for a simple fact : 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (and every other wallet address of this type) is encoded on 160 bits (and not on 256 bits like the majority of other crypto parameters in bitcoin protocol) 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN is base58 encoded and is 3ee4133d991f52fdf6a25c9834e0745ac74248a4 (20*8bytes = 160bits) in hexadecimal ( Unlike public keys that are encoded on 256 bitsa simple wallet address (p2pkh) is simply obtained by the function hash160(public_key) So if you have the possibility to browse the entire 1-2^256 space and to compute the hash160 function for every hash160(public_key) derived from 1-2^256 private keys you will find an average of 2^(256-160) = 2^96 public key with hash160=16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN . But even if 2^96 seems big its far away smaller from 2^256. And it's pretty impossible to have a collision between two random public key in the using age of bitcoin. But theoretically if you find any public key derived from a private key with hash160(public_key)= '16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN' or = to any other non zero wallet address you will able to unlock the coins. Because the verification in the bitcoin protocol to prove that you are the owner of the private key is simply "have you signed the transaction with the private key associated to a public key that gives 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (or any other target address) with hash160 function Thanks for the reply! I'm missing something...So these addresses will have different public keys or not? Can one private key control 2^96 different wallets? For example when I import some random private key in Electrum wallet and click on "sweep funds" am I sweeping one wallet or 2^96 different wallets? You simply got it backwards .. One private key does NOT open 2^96 addresses instead, One address can be opened by 2^96 private keys See the difference? |
|
|
|
So there are 2^96 different private keys in the entire 2^256 space that can "unlock" for example this address: 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (Puzzle 64)? Can anyone confirm this?
Yes exactly and for a simple fact : 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (and every other wallet address of this type) is encoded on 160 bits (and not on 256 bits like the majority of other crypto parameters in bitcoin protocol) 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN is base58 encoded and is 3ee4133d991f52fdf6a25c9834e0745ac74248a4 (20*8bytes = 160bits) in hexadecimal ( Unlike public keys that are encoded on 256 bitsa simple wallet address (p2pkh) is simply obtained by the function hash160(public_key) So if you have the possibility to browse the entire 1-2^256 space and to compute the hash160 function for every hash160(public_key) derived from 1-2^256 private keys you will find an average of 2^(256-160) = 2^96 public key with hash160=16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN . But even if 2^96 seems big its far away smaller from 2^256. And it's pretty impossible to have a collision between two random public key in the using age of bitcoin. But theoretically if you find any public key derived from a private key with hash160(public_key)= '16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN' or = to any other non zero wallet address you will able to unlock the coins. Because the verification in the bitcoin protocol to prove that you are the owner of the private key is simply "have you signed the transaction with the private key associated to a public key that gives 16jY7qLJnxb7CHZyqBP8qca9d51gAjyXQN (or any other target address) with hash160 function Couldn't have said it better .. in theory, there are enormous amount of private keys that open one single wallet .. i read somewhere that they found some collisions but were empty wallets .. however, there have been no claims about finding any UTOX with collisions .. although i tend to expect that even when found, it will never be announced .. it would hurt the technology and hurt bitcoin specifically |
|
|
|
Can anyone explain, there is any chance to use it in btc mainnet?
There is any vulnerability addresses in blockchain that can be hacked with kangaroo ecdlp solver?
Or it's nearly impossible to retrieve private key only from public key and outgoing transactions?
I tried with more than 45k public keys of top btc wallets but as i expected, months and months passed without a single private key retrieved .. because in such case you are searching the entire range of private keys using your public keys with kangaroo .. and no animal in the world could ever jump that high 😉 You was searching 45k public keys at the same time with kangaroo? kangaroo can search only one public key each time if have multiple pubkey setups first pubkey will be search kangaroo can not search multiple keys in the same time because it is use pubkey that search to calculate multiply number for the search if search multiple pubkey at the same time that means your kangaroo program or script will be worked by calculating multiply many key in the same time JeanLucPons Kangaroo and another kangaroo in Github work by searching one key first time I looking for kangaroo or other program that can search multiple pubkey in same time too but not have one becuase it is work by one pubkey search I know all that ..for multi keys i never use kangaroo i use keyhunt BSGS mode .. it can search millions of pubkeys at a time but .. and that's a big but .. every single pubkey you add to the list, is gonna cut your speed greatly.. so it's a tradeoff .. but still, result is it would take eternity for you to calculate even a single key out of this .. like i said, tried for several months uninterrupted and got nothing .. nil .. zilch .. the 2^256 range is unimaginably large that even quantum computers would look like an infant trying to squeeze a mountain with its palm |
|
|
|
What gives? How come a gpu program would yield test results in more time than a cpu one? Am i doing something wrong concerning the gpu part? I only stick to default commands on both .. except that keyhunt BSGS uses as much memory as you want it to as long as you have enough for it .. which gives you a speed pump with every increase in memory allocation!
That's basically what's going on. GPUs have about as much on-board memory as a small computer has RAM. CUDA can only use the onboard memory, because there is a large performance penalty in moving data between host and device that will neutralize any "hacks" and "tricks" the code does. Got it .. thanks 👍 |
|
|
|
Can anyone explain, there is any chance to use it in btc mainnet?
There is any vulnerability addresses in blockchain that can be hacked with kangaroo ecdlp solver?
Or it's nearly impossible to retrieve private key only from public key and outgoing transactions?
I tried with more than 45k public keys of top btc wallets but as i expected, months and months passed without a single private key retrieved .. because in such case you are searching the entire range of private keys using your public keys with kangaroo .. and no animal in the world could ever jump that high 😉 |
|
|
|
|
Speaking of faster .. i have a question that is bugging me ..common sense would suggest that gpu is always faster by many folds than cpu .. but how in the hell is my cpu faster?! Here is what i did..
Tried kangaroo on gtx 1070 : GREAT speed
Tried keyhunt BSGS mode: just way faster?!?!
What gives? How come a gpu program would yield test results in more time than a cpu one? Am i doing something wrong concerning the gpu part? I only stick to default commands on both .. except that keyhunt BSGS uses as much memory as you want it to as long as you have enough for it .. which gives you a speed pump with every increase in memory allocation!
If anyone tried both too and got the same thing please enlighten me. Thnx
|
|
|
|
|
Reading all the way back from first page .. it was amusing to see the development of this topic .. people were all about trying to solve "a math formula" in order to predict all puzzle bits (puzzle creator had it all the way until 256 bits then changed his mind after remembering that trying to crack anything over 160 bits is a fantasy) .. it was funny most ppl back then thought that cracking even 50 bits would take "decades" .. until the almighty bitcrack and kangaroo came into existence .. i wonder how this thread would look like in 10 years from now
|
|
|
|
Guys, do you think I should convert these [my] python scripts into a library, with it's own PIP page and docs? So that people no longer make fundamental errors when using them and then calling me for tech support...
It's good idea, i think you should do it. Make sure setup script include version of required dependency (e.g. numpy==1.23.1 or numpy>=1.20,<=1.23 rather than numpy) to save headache in future if dependency API changed. Good idea .. due to things like this, i once spent 2 hours trying to fully install a library .. a lot of searching and navigating through stackexchange and quora.. such a waste of time and energy |
|
|
|
Puzzle 64 beating everyone? No! Just wait for GR Sasa's GPU'S Army to come. They will go far beyond 64 bits.
Nice! However, i find it a little bit unbelievable that you only waited all those years to provide such a huge claim as a response to a random post on the puzzle thread .. i wonder how much longer it might take until someone else comes here and claim they invented quantum computers that will beat the entire puzzle range. Btw, it's already written some where on github that you need 256 TESLA V100 to cover puzzle #120 (same #64 difficulty if using kangaroo) .. and even then, you would need two months to solve it .. good luck to your army 😘 |
|
|
|
Guys, do you think I should convert these [my] python scripts into a library, with it's own PIP page and docs? So that people no longer make fundamental errors when using them and then calling me for tech support...
Lol Yess! |
|
|
|
|
Puzzle #64 is beating everyone .. this tells us that even if it gets solved, moving on to puzzle #66 and trying to solve it is practically impossible .. let alone trying to crack 67, 68 69 etc..
This is it guys, only 64 and 120 are to be cracked (hardly) .. every other puzzle is there to stay unsolved forever.. unless owner decides to reveal public keys of all the small ranges, which will not happen, as it would defeat the purpose of the puzzle
|
|
|
|
I think if it was that easy to crack 64, someone would have tweaked the version to become 64bit .. but looks like it's already been done in secret but still unsolvable, or no one has the knowledge to do it yet .. tools like bitcrack and keyhunt makes me regret not taking cpp seriously back in my enthusiastic days .. but overall, devs like these taught me a lot more than i thought i know about bitcoin
As a C++ dev, I can tell you that the language is not the obsticle to designing these programs, but it's the knowledge required for curves, finite fields, groups, etc AND implementing all that in C++ or even JS, I'm sure I left out a ton of number theory topics from this list that are required studying as well [not to mention that GPU programming is done in a completely different language that is extremely difficult to debug]. So basically the biggest barriers are knowledge of cryptography, extensive Math, and gpu-specific programming 🤔 |
|
|
|
Well, if zeilar managed to clear 20% of the keyspace for #120, it should not be too hard for someone to construct a DC and put an end to that key. Or maybe puzzle solving is becoming more like mining, where it's only done when BTC price is profitable, only without those pesky ASICs and difficulty levels, hmmmm.... Or maybe 120 and 64 are the roofs in current technology .. it really seems so hard to crack those two .. been trying it for months now using multiple workarounds and tweaks but they're still out there unsolvable .. not to mention that the more resources you put into this, the more you realize you need even more resources .. hats off to Satoshi, this puzzle proved that best case scenario is you can only crack a private key of 119 bits out of the PRACTICAL staggering 256 bits .. cracking bitcoin is simply impossible, at least for this generation and under current tech 115 bits is the ceiling, actually, when you have the public key - as Pollard's Kangaroo uses a faster iterative algorithm to guess the private key. 63 when you only have the address. But then again, Bitcrack's linear search is not optimized, and I suspect that a GPU farm could solve #64 if only it had a 64-bit version of Bitcrack (the current version uses only 32-bit words) and an optional bit pattern filter to filter out long sequences of zeros and ones. I think if it was that easy to crack 64, someone would have tweaked the version to become 64bit .. but looks like it's already been done in secret but still unsolvable, or no one has the knowledge to do it yet .. tools like bitcrack and keyhunt makes me regret not taking cpp seriously back in my enthusiastic days .. but overall, devs like these taught me a lot more than i thought i know about bitcoin |
|
|
|
Well, if zeilar managed to clear 20% of the keyspace for #120, it should not be too hard for someone to construct a DC and put an end to that key. Or maybe puzzle solving is becoming more like mining, where it's only done when BTC price is profitable, only without those pesky ASICs and difficulty levels, hmmmm.... Or maybe 120 and 64 are the roofs in current technology .. it really seems so hard to crack those two .. been trying it for months now using multiple workarounds and tweaks but they're still out there unsolvable .. not to mention that the more resources you put into this, the more you realize you need even more resources .. hats off to Satoshi, this puzzle proved that best case scenario is you can only crack a private key of 119 bits out of the PRACTICAL staggering 256 bits .. cracking bitcoin is simply impossible, at least for this generation and under current tech |
|
|
|
As a real world example, I am currently searching for the 120 puzzle in the 110 bit range, using a DP of 25. I divided 120's pubkey by 1,024 (2^10) which generates 1,024 new pubkeys related to the original pubkey, but only 1 (at most 2) of the new pubkeys are in the 110 bit range (the remaining pubkeys are spread out over the entire key space). So I will generate enough Tame points first and then run back through the range looking for Wilds. I expect to need to store 2^31 (110/2 + 1 - 25) total points and distances to solve the key, which will take an estimated checking of 2^56(ish) total keys. Now if I tried to bruteforce the same key, it could take me up to 2^110 total keys to check.
Hi WanderingPhilospher , Can u explain a little more your algorithm of dividing the pubkey before doing the Kangaroo search? Because if i well understand when you reduce the range to 2^110 (division by 1024) You will have to do an average of (cf Jean luc formula) : 2.08*sqrt(k2-k1) = 2.08*sqrt(2^(120-10)-2^(119-10)) = 5.29*10^16 ops but as you say only 1 or 2 of the dividing split range will contains a pubkey with (pubkey+n)%1024==0 so you will have to repeat the search 512 times and do an average of (1024/2)*5.29*10^16= 5.42*10^19 ops before having a collision. But with the initial config of the kangaroo you will only have: 2.08*sqrt(k2-k1)= 1.69*10^18 to do (32 times less)  I will need to run/check all of the new 1,024 pub keys through the range. With JLP's Kangaroo program, I would need to do this one pubkey at a time. However, I modified some code to allow me to run and check all 1,024 pubkeys at once/concurrently. A few thoughts about this...I am hoping with double the needed tame points, the less wild group ops needed for a collision. I have completed tests at lower bits and this was the case however, this is a much larger range and untested. Keeping the math simpler (at least for me): The original 120 bit range (reduced to 119 bit range): 119/2 + 1 = 2^60.5 expected group ops In the 110 bit range (reduced to 109 bit range): 109/2 + 1 = 2^55.5 expected group ops So straight up, 109 bit range = 32 times less but as you stated (and I know) I have to check all 1,024 new pubkeys. I am hoping by having at least double the amount of required tames plus being able to check all pubs concurrently, I can beat the original 2^60.5 expected group ops. I have beaten the averages in lower bit ranges (up to 84 bit range) but this is new territory. We shall see what happens! When you say concurrently are you saying you're playing with code in the same language or switched to golang? Im thinking of rewriting it in Go but a little hesitant coz i always have that idea that c/c++ are still faster than Go |
|
|
|
Guys Quick question, since I can't get my head around how Kangaroo works in terms of Maths, i was wondering if Kangaroo would still consider a private key within the range, a valid key even if it turns out to be just another colliding key of the 2^96 possible keys that resolve to an address on average .. actually thinking of this while writing, I don't see a reason why not .. but would like if someone could confirm
Kangaroo does not know anything about addresses, so the private key you get is the one that can sign coins from any of the 2^96 colliding addresses (the addresses are defined to be any that collide with the input public key). Wow .. how come I didn't realize this from the beginning! So instead of brute forcing using collision, it will actually try to find one or more of the 2^96 addresses that the public key resolves to .. i can easily assume ALL those addresses would be empty except the one that actually has the puzzle funds 🤣 now i realize why kangaroo is great only for puzzle range search I am sorry, I do not understand what you are saying, exactly. IMO, Kangaroo is still doing a brute force, of sorts. Instead of checking every private key sequentially, it makes jumps/strides to private keys, calculates the public key, verifies if public key ends with/starts with user inputted distinguish point, if yes, it stores the public key and the applicable private key, if no, discards the priv/pub keys. But the way you can use a Kangaroo program to look for more than one private key that will unlock one wallet, is to to subtract or add from original public key. So if you created 2^10 new public keys from the original public key, if you find any of those public keys, you can now unlock the original public key's private key. As for what you say you realized, no programs, whether kangaroo or bitcrack or bsgs, etc are "efficient" for searching the entire key range. Meaning they were designed for the puzzle. However, each one will eventually find what you are looking for, even in the entire keyspace, and that all depends on hardware and time resources. Ok I'll try to explain how i see it My conclusion depends on 2 factors: 1- number of private keys, public keys and address in the entire bitcoin space 2- the way hash functions distribute outcome along the entire range so point 1 above is simple. in bitcoin, every single private key corresponds to only one public key .. however, any single address could be opened with 2^96 private keys .. hence 2^96 public keys would correspond to such address as well Point 2 has all the magic, as it is deemed certain that good hash functions would have a sort of distribution that ends up almost evenly across a huge space, we can easily assume that every 160 bit in the entire range would encompass all possible bitcoin addresses .. so for example if we look for the address of puzzle number 160 in range from 1 to 160 .. we would have been doing the same as someone searching for that exact address in the next 160 bits .. and same for someone searching in the 3rd 160 bit range and so on until the last 160 bits in the keyspace .. all of those searchers would in theory find the private key that opens that address although all of these private keys are different AND produce different public keys as well .. So in conclusion, many private keys and public keys will correspond to the same address and the keyword here is 160 bits range .. the advantage of looking for the puzzle wallets is that you narrowed down that 160bits .. in this case, any program will perform better but kangaroo would be the best performer But this becomes the exact opposite if we choose to look for all funded addresses in any 160 bit range (remember that entire ADDRESS space is gonna get repeated in every 160 bit key range) .. so assuming i wanna search for these addresses (23 million addresses) in the first 2^100 unsearched range (ranges where all the rest of puzzles weren't visited and most likely has all funded addresses lying somewhere within) .. if we decide to use kangaroo, we would have to : 1st find public keys for all these addresses which means we will only be looking for addresses that spent some money.. leaving us with way less addresses than we want to search for 2nd for each public key, we would be searching for the EXACT private key that produced that exact public key which means we are not looking for a colliding key here, we are looking for a 256 bit private key, a well randomized one .. we are not only increasing difficulty by many folds, but also searching in the wrong range .. in order for one to search for a well randomized pvt key, one has to search in not any 160 bit range but in almost the whole keyrange space .. that's why i said kangaroo is only great for puzzles .. while programs like keyhunt or bitcrack can be directed to the first 160 bit range and get us a colliding private key, kangaroo has to shoot blindly in the sky of the entire range in the hopes it lands on a funded address As for the addition and subtraction point you mentioned, i might need to read up on more about it as I don't yet get why it would get a collision I understand the whole 2^96 collision theory. That was not the issue. The issue was how you limit the power of Kangaroo versus say keyhunt or bitcrack. Why does Kangaroo have to shoot blindly? Why do you consider it shooting blindly? With your perspective, the same would be for any searching program, even looking for a collision with 2^96 priv keys that would lead to a single funded address. It all comes down to if you know the public key of a funded address. I can create 2^96 public keys that if one is found, will lead me back to any public key/private key of an address. You really have to understand how Kangaroo works and the speed up it provides with any given keyspace. You can also create many more addresses for one funded address to increase the chance of a 2^96 collision. If you take one address that is funded, and you know its pub key, from that you can create many more addresses, that if found, would lead you back to the key you want. For all of the funded addresses where the pub key is known, I can use kangaroo and find 2^31 of those addresses (and I'm certain there aren't that many funded addressed) before bitcrack searches the first 2^160 possibilities (considering GPU speed is the same for both programs). now i realize why kangaroo is great only for puzzle range search Perhaps, this is what confused me the most. If you have an address and know its public key, and need to search for it, Kangaroo is trillions x trillions x infinity faster than brute force LOL. That is all. So my rebuttal would be, if you know the public key of ANY key, the most searching you would have to do with Kangaroo is 2^128, whereas with a bruteforce search, it could be anywhere in a 2^160 range. So kangaroo is great, even outside of puzzle ranges. As for the addition and subtraction point you mentioned, i might need to read up on more about it as I don't yet get why it would get a collision It's easy to understand. Again, if you know the pub key. Address a = privkey unknown and pubkey 1 if we add 1 to Address a, we get Address b So now, if we find Address a then we know its privkey. But If we find Address b first, then we know Address b privkey - 1 = Address a privkey; thus we have solved and found Address a's privkey. So if you have a list of 1000 funded addresses, just add or subtract 1 from each and now you have 2000 addresses that will lead to x amount of BTC. Now add or subtract 2 from each, now you have 3000 addresses, etc. etc. Thanks for replying .. i learned a lot from this .. what I'm still confused about, is how to implement this in practical terms, like say if i want to find a key in the first 160 bit .. you know, that silly range with a lot of leading zeros .. i consider it our only safe haven in this gigantic keyspace .. if i want to use kangaroo to find collisions , how could i use addition/substraction of pub key to look there? Isn't this method gonna look for 256 bit keys anyway? I understood from your explanation how easy it is to use one public key to get well ahead of usual brute force prv key tools .. but does generating so many keys on kangaroo lead to a find in the first 160 bits? or the entire keyspace? Excuse my ignorance im way better in other things but not kangaroo .. i even went all the way to automate all the other brute force tools so I don't have to waste anymore time on something that is highly unlikely to find stuff any time soon .. but your last reply got me thinking we might have a greater advantage this way .. i might even be able to automate search on kangaroo as well if it really could lower search down to 2^128 .. im currently doing some thorough reading hoping to get the hang of this specific point 👉 "finding colliding keys in the first 160 bits" |
|
|
|
Guys Quick question, since I can't get my head around how Kangaroo works in terms of Maths, i was wondering if Kangaroo would still consider a private key within the range, a valid key even if it turns out to be just another colliding key of the 2^96 possible keys that resolve to an address on average .. actually thinking of this while writing, I don't see a reason why not .. but would like if someone could confirm
Kangaroo does not know anything about addresses, so the private key you get is the one that can sign coins from any of the 2^96 colliding addresses (the addresses are defined to be any that collide with the input public key). Wow .. how come I didn't realize this from the beginning! So instead of brute forcing using collision, it will actually try to find one or more of the 2^96 addresses that the public key resolves to .. i can easily assume ALL those addresses would be empty except the one that actually has the puzzle funds 🤣 now i realize why kangaroo is great only for puzzle range search I am sorry, I do not understand what you are saying, exactly. IMO, Kangaroo is still doing a brute force, of sorts. Instead of checking every private key sequentially, it makes jumps/strides to private keys, calculates the public key, verifies if public key ends with/starts with user inputted distinguish point, if yes, it stores the public key and the applicable private key, if no, discards the priv/pub keys. But the way you can use a Kangaroo program to look for more than one private key that will unlock one wallet, is to to subtract or add from original public key. So if you created 2^10 new public keys from the original public key, if you find any of those public keys, you can now unlock the original public key's private key. As for what you say you realized, no programs, whether kangaroo or bitcrack or bsgs, etc are "efficient" for searching the entire key range. Meaning they were designed for the puzzle. However, each one will eventually find what you are looking for, even in the entire keyspace, and that all depends on hardware and time resources. Ok I'll try to explain how i see it My conclusion depends on 2 factors: 1- number of private keys, public keys and address in the entire bitcoin space 2- the way hash functions distribute outcome along the entire range so point 1 above is simple. in bitcoin, every single private key corresponds to only one public key .. however, any single address could be opened with 2^96 private keys .. hence 2^96 public keys would correspond to such address as well Point 2 has all the magic, as it is deemed certain that good hash functions would have a sort of distribution that ends up almost evenly across a huge space, we can easily assume that every 160 bit in the entire range would encompass all possible bitcoin addresses .. so for example if we look for the address of puzzle number 160 in range from 1 to 160 .. we would have been doing the same as someone searching for that exact address in the next 160 bits .. and same for someone searching in the 3rd 160 bit range and so on until the last 160 bits in the keyspace .. all of those searchers would in theory find the private key that opens that address although all of these private keys are different AND produce different public keys as well .. So in conclusion, many private keys and public keys will correspond to the same address and the keyword here is 160 bits range .. the advantage of looking for the puzzle wallets is that you narrowed down that 160bits .. in this case, any program will perform better but kangaroo would be the best performer But this becomes the exact opposite if we choose to look for all funded addresses in any 160 bit range (remember that entire ADDRESS space is gonna get repeated in every 160 bit key range) .. so assuming i wanna search for these addresses (23 million addresses) in the first 2^100 unsearched range (ranges where all the rest of puzzles weren't visited and most likely has all funded addresses lying somewhere within) .. if we decide to use kangaroo, we would have to : 1st find public keys for all these addresses which means we will only be looking for addresses that spent some money.. leaving us with way less addresses than we want to search for 2nd for each public key, we would be searching for the EXACT private key that produced that exact public key which means we are not looking for a colliding key here, we are looking for a 256 bit private key, a well randomized one .. we are not only increasing difficulty by many folds, but also searching in the wrong range .. in order for one to search for a well randomized pvt key, one has to search in not any 160 bit range but in almost the whole keyrange space .. that's why i said kangaroo is only great for puzzles .. while programs like keyhunt or bitcrack can be directed to the first 160 bit range and get us a colliding private key, kangaroo has to shoot blindly in the sky of the entire range in the hopes it lands on a funded address As for the addition and subtraction point you mentioned, i might need to read up on more about it as I don't yet get why it would get a collision |
|
|
|
Guys Quick question, since I can't get my head around how Kangaroo works in terms of Maths, i was wondering if Kangaroo would still consider a private key within the range, a valid key even if it turns out to be just another colliding key of the 2^96 possible keys that resolve to an address on average .. actually thinking of this while writing, I don't see a reason why not .. but would like if someone could confirm
Kangaroo does not know anything about addresses, so the private key you get is the one that can sign coins from any of the 2^96 colliding addresses (the addresses are defined to be any that collide with the input public key). Wow .. how come I didn't realize this from the beginning! So instead of brute forcing using collision, it will actually try to find one or more of the 2^96 addresses that the public key resolves to .. i can easily assume ALL those addresses would be empty except the one that actually has the puzzle funds 🤣 now i realize why kangaroo is great only for puzzle range search |
|
|
|
|
Show Posts
