21  Economy / Services / Re: Try to help Me, Hash my Bitcoin wallet.dat Password on: May 09, 2020, 02:38:20 AM
Hello! I wrote to you in PM. Did you get the result?
22  Bitcoin / Project Development / Re: Searching (who am I kidding, crack) private keys using FPGA and mining chips on: May 01, 2020, 02:05:29 PM
A small calculation of the effectiveness of using mining chips in bruteforce. Mining chips can greatly reduce the cost compared to an FPGA-only solution.
S9 is capable of 14 TH/s (average). The main obstacle for bruteforce of HD wallets is 100.000 hashes. The chip does two hashes by default. In addition, it can load new data during hashing. Using cross-loading, this eliminates the load time losses. Thus, only 50.000 hashes need to be done without load time losses. How many wallets can this device hash? 280 M.wallets/s. S17 Pro can hash 1120 M.w/s.

In reality, the speed will be slightly lower because the hashboard is not designed for high-speed communication (for maximum efficiency it is necessary to design an ad hoc device). However, in just a few weeks many popular ASICs (T9/S9 etc) will become scrap. These are millions of free SHA-256 co-processors. Designing a control board that can turn them into a "seedpick" seems like a good idea.
ASIC's consumption will be halved (approximately) plus cascading to a pool. If you had a S9 farm this can be a powerful treasure hunt tool.

Let me remind you that I do not design a cracker. It will not be able to crack modern wallets. This is a forced restriction that I have programmed. If you have savings on old wallets (created until mid 2012 or started from "1"), just transfer BTC to modern ones and be safe. But abandoned wallets must be opened! As of January, out of the 18.14 million BTC that existed at that time, almost 60% had never moved.

After halving, with the current price of Bitcoin, treasure hunting becomes more profitable than mining. A rainbow table is valuable too, even if an address with a balance was not found.
Both in mining and in hunting, luck is at the basis. Finding a block using one ASIC is as difficult as finding a treasure with my device. But by combining the power we can do more. The pool is effective in both cases. Consider this factor when trying to calculate how long it will take to find the first treasure ;)

I would like to know the opinion of the community: will such a control board for the resurrection of Bitmain scrap be interesting for ASIC owners?
23  Bitcoin / Project Development / Re: Searching (who am I kidding, crack) private keys using FPGA and mining chips on: March 05, 2020, 11:46:30 PM
Updated by new data.
24  Bitcoin / Project Development / Re: Searching (who am I kidding, crack) private keys using FPGA and mining chips on: January 03, 2020, 08:06:11 AM
I have an MVP on my desk but you keep explaining to me how it works :)

SHA256 is the basic function of bitcoin used at all stages of its work. A mining chip is not a panacea, but acceleration of this function speeds up the whole process. Of course this requires some algorithmic tricks, like diagnostic codes for a one-time hash generation, adjustment of target for issuing each result, etc.

FPGAs can optimize computations very well. For example, it is known that SHA-512 is faster than SHA-256 on 64-bit machines. HMACSHA512 is not identical, but the optimization paths are the same. I do not ignore this stage - I do not see a problem at this stage.

Why did you decide that it is impossible to count HMACSHA512 as fast as a SHA256? FPGA counts only two stages out of many. I talked about the instruction pipelining in the first post in this sense. This eliminates downtime for the chips. Using a mining chip reduces the power and cost of equipment. This problem can be solved completely on the FPGA but it will be more expensive.

P2PK changes everything :) This is a bit more combinations, but it also eliminates half of the heavy functions from the algorithm :)
Of course the same exhaustion method can be applied to P2PKH too.

Brain wallets are a classic example of a limited dictionary. The dictionary is limited to typical passwords from the list or simple words and phrases. Most brain wallets are encrypted with a combination of no more than three words, usually one. https://eli5.eu/brainwallet/detail/1PzYwVuTotg15ridCGNnAo8u3dr6bE2Yxy.html
English contains a little more than one million words. My device will completely enumerate them in a few weeks.

You say the right things such as "MD5 is safe", "cryptonight is ASICs resistant", etc. But from my point of view, you never programmed in Verilog. It is not the same as .NET or PHP cryptography implementations ;) The bitcoin algorithm is well protected from reverse decryption. But against an exhaustive algorithm it is poorly protected. I repeat, security calculations are outdated and do not include the power of ASICs and FPGAs. Direct evidence is now flashing LEDs at my eye :)
25  Bitcoin / Project Development / Re: Searching (who am I kidding, crack) private keys using FPGA and mining chips on: December 31, 2019, 01:45:01 PM
Hello pooya87!
Pls explain what you mean by "doesn't mean they are the same"? The SHA algorithm is defined at the standard level.
RIPEMD160 is just one of the key generation steps. For this I use FPGA. And for the curves too. I never suggested using a mining chip only. It is just a co-processor.
As for deterministic keys (did you mean this?) "the number of private keys is unimaginably high". But most of the real ancient wallets are P2PK ;)
I did not know that LBC is a scam. However, this is theoretically possible, as are brain wallets too. This is based on the finiteness of the dictionary.
26  Bitcoin / Project Development / Searching (who am I kidding, crack) private keys using FPGA and mining chips on: December 31, 2019, 04:29:40 AM
Happy New Year to all!

Ways to crack wallets in the Bitcoin blockchain have been repeatedly discussed on this forum. Typical hacking methods are key enumeration (LBC https://lbc.cryptoguru.org/about) and dictionary attack / brain wallets (https://eli5.eu/brainwallet/).
It is believed that breaking a wallet takes millions of years, but let me disagree. These calculations were done for household PCs.
In fact, there are only two bottlenecks. This is the key generation speed and the key verification speed.

Today, the mining chips make 71 Gh/s (BM1387). Bitfury Clarke is already 120 Gh/s. BM1391 produces 170-200 Gh/s, 1397 - already 440-500 Gh/s (in S17+). Do not forget that this is the speed of a double SHA-256 (SHA-256).
If we take the standard algorithm for calculating addresses (https://gobittest.appspot.com/Address) it is not difficult to notice that most of the steps are the same SHA-256 and SHA-256 (SHA-256). One RIPEMD-160 stage and several bit shifts. Is it possible to use the mining chip as a coprocessor when generating keys? Yes, it is possible, but more on that later.

The second bottleneck is checking the balance at the address found. The system should turn to the blockchain and make sure that there are bitcoins on the addresses belonging to the key pair. Compared to hashing speed, it is very slow.
The situation changes if you know a wallet or a private key with a balance. In this case, you should only verify a few bytes.

Armed with this knowledge, I assembled the simplest device based on the S9 hashboard and a Cyclone IV FPGA eval board. This works correctly and I was able to crack test wallets with a simple (low order) key.

Findings:
1. A hashboard is poorly suited for simultaneous computing. It is necessary to connect the chips in parallel, but not in a daisy chain.
2. It is necessary to organize the instruction pipelining in the FPGA for acceleration of calculations.

Now a little about the economy. Why is all this necessary?
I do not want to steal user funds. This is not possible in my system if your wallet is not generally known.
However, there are a lot of forgotten wallets in the blockchain. Some wallets contain thousands of bitcoins. And these wallets remain motionless for many years. You can consider this as a treasure, which has the right to change the owner, imho.

Take for example the Antminer S17e (64Th), whose current profitability is 0.5 btc/year.
The device contains 144 BM1397 chips with approximately 440 Gh at each.
We’ll make the calculation for a wallet protected by a 12-word seed phrase. The English BIP39 dictionary contains 2048 words. With high probability the old wallet is encrypted in English (or Hex, lol).
((2048 ^ 12) / (144 * (440^9))) / (86400 * 365) = 1939618 years it will take one ASIC to search for all the combinations.
However, if we’ll track 10,000 wallets, then 1939618/10000 = 194 years to search for at least one match. And even if we have 100 ASICs, it turns out 2 years to search for at least one match (based on average luck).
These calculations are very simplified, but they show the order of numbers.

For 2 years, these same 100 ASICs will get 2*100*0.5 = 100 bitcoins. Provided there are no changes in the network’s hashrate and the power of ASICs (no).

At the same time, the difficulty of the seeds of abandoned wallets will never change.
And finding at least one wallet like 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF can pay for the mining of 100 ASICs for 1600 years. Their name is Legion 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr, 12tkqA9xSoowkzoERHMWNKsTey55YEBqkv, 1PeizMg76Cf96nUQrYg8xuoZWLQozU5zGW etc.

Thus, mining abandoned addresses is more profitable than mining new coins. Over time, the situation will change in this direction IMHO.

WBR, Ossy.

Update. 6 March 2020.
Pic1 - Structure
Pic2 - Algorithm
1. Defined prototype architecture.
2. The distribution of tasks is determined.
3. Alpha version of bitstream is tested.

Tasks are shared between mining chips and FPGA. In the current configuration the prototype is capable of generating (and comparing) up to 1500G keys (addresses) per second.
The current prototype contains only 20 mining chips. After improving the technology computing power will be multiplied.
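
Added example (not part of the original posts): the 12-word estimate from the December 31, 2019 post, evaluated once exactly as typed with `440^9` and once with 440 Gh/s read as 440 × 10^9 hashes per second. The function names are illustrative; the chip count, per-chip rate, 365-day year, divide-by-targets simplification and the 50.000 hashes figure come from the posts, and the checksum rule (one checksum bit per 32 bits of entropy) is from the BIP39 specification.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 86400 * 365   # year length used in the post
CHIPS_PER_DEVICE = 144           # BM1397 chips in one S17e (from the post)
CHIP_RATE = 440 * 10**9          # 440 Gh/s per chip, in hashes per second


def mnemonic_candidates(words=12, checksum_valid_only=False):
    """Count the word sequences an exhaustive search has to cover."""
    bits = 11 * words                      # each word encodes 11 bits (2048 = 2**11)
    if checksum_valid_only:
        bits -= bits // 33                 # BIP39: 1 checksum bit per 32 entropy bits
    return 2 ** bits


def years_to_exhaust(candidates, devices=1, targets=1, hashes_per_candidate=1):
    """Years to cover the space; dividing by targets is the post's simplification."""
    rate = devices * CHIPS_PER_DEVICE * CHIP_RATE
    seconds = Fraction(candidates * hashes_per_candidate, rate * targets)
    return float(seconds / SECONDS_PER_YEAR)


def years_as_typed_in_post():
    """The post's expression evaluated literally, with 440^9 as a power."""
    seconds = Fraction(2048 ** 12, 144 * 440 ** 9)
    return float(seconds / SECONDS_PER_YEAR)


if __name__ == "__main__":
    space = mnemonic_candidates(12)
    valid = mnemonic_candidates(12, checksum_valid_only=True)
    rows = [
        ("formula as typed (440^9)", years_as_typed_in_post()),
        ("one device, 440e9 H/s per chip", years_to_exhaust(space)),
        ("100 devices, 10,000 targets", years_to_exhaust(space, 100, 10_000)),
        ("same, checksum-valid phrases only",
         years_to_exhaust(valid, 100, 10_000)),
        ("same, 50,000 hashes per candidate",
         years_to_exhaust(valid, 100, 10_000, 50_000)),
    ]
    for label, years in rows:
        print(f"{label:36s} {years:.3e} years")
```

With the rate expressed in hashes per second, the one-device figure is about 2.7 × 10^18 years, against 1,939,618 from the literal expression; with 100 devices and 10,000 tracked targets it is still about 2.7 × 10^12 years.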