If you manage to guess any piece of information (parity , range ,bias,  divisibility by a number etc...) of a private key with his public key  (or a bunch of public keys), secp256k1 will  be broken and bitcoin too.

We are pretty sure (99.9999% but not 100%) that is impossible and the generated public key (EC point)  of a specific private key seems to be perfectly random an perfectly distributed.

Fanch

Hello,
Have you sucess to recover your sha256 wallet?
In case of not i can propose you the help of my own software.
Ive optimised it to be as fast as possible.

It can try around 50Mega keys (sha256 brainwallet) per seconds on a rtx 3070.

Btcrecover can only kilo k /sec

If you want I can help you to recover your funds.

Fanch

Hi

I already think about this method of searching for a collision between a temporary key (for example every intermediate wild kangaroo jump) and a lookup in a  hashtable of precomputed  random key in the range of puzzle 120.

Let-s do some math to show if it is realistic or not...

Imagine that you will precompute an huge hashtable (or a bloom filter) of 256 Gigas entries (or 256Giga  keys picked up at random in the puzzle 120 interval)

Forget the fact that this table will occupe several TerraBytes of RAM and that the lookup time will increases with the size of the hashtable (less true for a bloom filter look up).

The formula which defines the probability of finding a particular piece among N pieces at the end of n draw without replacement, is as follows:

P=1-(1-1/N)^n

we can replace 1/N by (number_entries_in_hashtable/interval_of_puzzle_120) =  256*10^9/(2^120-2^119) = 3.85e-25


We fixed  for example P=0.5 (means a probability of having an hit of 50%)

Let's calculate n for such P=0.5

0.5=(1-1/N)^n

a=b^n => n=ln(a)/ln(b)

n=ln(0.5)/ln(1-3.85e-25) = 1.8e24
if your GPU can do 1 billion  jumps (and lookup at the same time) per second (typically the speed of Jean-Luc pons program with a good GPU)

You will have to wait 1.8e24/1e9 = 1.8e15 seconds or  57 Millions of years before having 50% of having an hit...

Hopeless..., even if you uses a bigger hashtable or a powerfull GPU cloud.


The main problem of this approach is that you don't  profite of the birthday paradox used in the kangaroo solver because you look for in a predefined list.

Regards

Fanch

Hi
I can eventually convert this code using  my own secp256k1 library for CUDA (based on Jean Luc Pons Kangaroo ).

It can achieve up to 70M scalar mult /sec on a rtx 3070.

A python implementation with pycuda can be do easily

But sorry for this trivial question :
What the purpose of this script?

Regards

Fanch

In  this case where R1=R2 and S1=S2 It's impossible to recover the private key. And it probably come from an invalid TX because in the bitcoin protocol signature you might not have two S identical

But there is different case where you can recover private key from bad use of R.

if you find for the same address two TXS with the same R and different S the private key can be easily recover with a simple formula. Before that you have to recover the Z parameter (hash of the previous tx output). If you have the private key you can easily find the nonce  (k) that generate the R (supposed to be random).


After if you find an second address using the same R than above (even in only one TX). you will be able to recover the second privkey.

this case of R reusing is only possible if a issue was made on the creation of the TX
for example:
bad number random generator.
bad implementation of a TX by a developper who coded tx 'by hand'.


But as you know,  knowing a private key doesn't mean than the bitcoin are yours (in a ethical way).

 

one kangaroo per core.

Yes !


1 billions points of random walk determined by the formula :
jD=[G,2*G,4*G...2^n-1*G]
 tamePos[j+1] =  tamePos[j] + jD[tamePos[j].x % n]    (like in Jean-Luc Pons algorithm explanation) j

Exactly, but i'don't think it will decreases dramatically the performance.

in the way i'm imagine the system, the clients (lots of ARM CPUs) will be only dedicated to be wild or tame kangaroo and to performs pure increments in the random walk.

If a distinguished point is found (i've to find a way to  be faster as possible) : example (AND mask beetween the first   of the 5 limbs (5*52bits)of X  and the desired DP,
 the client   send the X coordinate through a socket to the centralized server (computer with and hashtable checking continuously if a collision is found between received x coordinate and previously ones ).
I think it will  not slow significantly the computing because a client send a message to the server  only 1 on 2^DP times on average and a the stop of computing during the socket communication can be optimised to be fast.
 

In fact this speed is achieved with a modified version of the secp256k1 library of bitcoin core where every verification instructions have been removed for field and group function.
The library field_5*52.h  (instead of 10*26 for x86 cpu) (limbs registers) is automatically include for 64bits architecture and you've right it's maybe 10x faster.

I will study the NEON instructions to improve but it will be difficult because this benchmark doesn't include the DP detection code.
It's only a pure random walk benchmark on 1 Billion points.

 

Hi everybody,
I'm writing a  light beta library in C  to run Pollard kangaroo algorithm on ARM64 CPU.

I am at the very beginning of this project but i am able to do benchmark.

when the library will be functionnal i will posted it on github.

the library (a shared object file) will be callable by python with ctypes module
The herds  of kangaroos will be controlled directly with python (for convenience and ease).
The idea is to have a lot of clients running on ARM64 low cost CPU to compute parallelized secp256k1 points additions  .
The memory (DP  points of a client) will be returned with a client-server socket data transfer (server will have the main hashtable of DP ) as the Kangaroo software from Jean-Luc Pons.

The first benchmark on ARM (Raspberry PI 400 without overclocking ) are better than I expected (around 30MKeys/s with 4 cores).

What do you think about this performance ?
Do you know if there is a very low cost card (mini PC) with ARM CPU (similar to raspberry pi compute module 4 see link below)  to do the work (in a parallelized way) and see if the ratio (computing power)/price might be better compared to the latest GPU CUDA Compatible graphics card.

https://www.raspberrypi.org/products/compute-module-4/?variant=raspberry-pi-cm4001000

Ok thanks i' don't know that, (amazon EC2 F1 on AWS)

I made some search about FPGA performance on secp256k1 operations.

https://github.com/ZcashFoundation/zcash-fpga/blob/master/zcash_fpga_design_doc_v1.4.2.pdf

this paper (from Zcash fondation) presents some benchmarks of a well optimised group operation on secp256k1 implementating on an AWS FPGA (Zcash has the same curve than bitcoin).

Point addition is "only" about (1.9M op/s).
maybe it is possible to optimise it for the kangaroo algorithm but we are far away from the Giga op / s with the latest GPU.

 

Sorry but i'm not sure to fully understand what you said about bits (1 vs 256).
I understand about the kangaroo algorithm that it forces you to perform a group addition at every jumps of every kangaroo of the herd (wild or tame)
in affine coordinate you have to calculate the next jump with this function (whatever the range size)

X(i+1)=X(i)+deterministic_random_walk[G,2G,4G...]

m = (y1 - y2) * inverse_mod(x - xG,P)
xQ = pow(m,2,P) - x1 - xG
yQ = y1 + m * (xQ - x1)
Q = (xQ %P -yQ %P)

knowing that P is about 2^256, you cannot reduce the size of the integers used in this function
below 256bits because the result coordinate of point Q will be (about randomly) between
(x,y) = ([1 -- 2^256],[1 -- 2^256])
and u need all this information to compute the next point (whatever DP bits used)

it is this costly addition function that i want to implement in my hypothetical ASICs of FPGA's chips (parrellised).

Storing the X coordinates (masked with DP) of every jump  (calculate with the dedicated devices) in a hash table could be achieved with a centralized computer with a lot of ram.

Ok thanks for the correction so the average cost will be

549/7 *1000 about 78000 $ (not profitable ;( )


Yes I know that but i want to know if it feasible to develop such of "specific circuit" by a man or in team in is garage ( )for a relative low cost  ?

this study gives diagrams for implementing SECP256K1 addition/multiplication/modular inversion on 256bits integers on a FPGA.

https://cse.iitkgp.ac.in/~debdeep/osscrypto/psec/downloads/PSEC-KEM_prime.pdf

But i dont know what sort of performance it can have on FPGA (op/s) ?
If it is fast for relative low cost parrellised FPGA chips can may be an alternative to GPU??
Maybe is it possible to "convert" this diagram to develop an ASIC.?

Hello everybody,

I am newly interested in the resolution of puzzle # 120 (119 bits private key)
pubkey : 02CEB6CBBCDBDF5EF7150682150F4CE2C6F4807B349827DCDBDD1F2EFA885A2630 (hash 160: 17s2b9ksz5y7abUm92PCTzK8jEl5y7abUm92PCTzK8jEl5y7abUm92cHZK8jElc).
a short calculation shows the difficulty of it with the excellent (probably the most optimised) GPU  solver from Jean-Luc Pons.


n=2*sqrt(0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFF-0x40000000000000000000000000000)

best_GPU_card_speed=4*10**9 #(I read that RTX3090 can achieve around 4Giga Keys /s with Kangaroo ECDLP SOLVER)
excepted_days=n/best_GPU_card_power/86400

so ... around 833 excepted days! 

if u consider a rent of gpu cloud at the minimal price (around 1000$ per week for 8x3090) u can expected to resolve it in 100 days (about 15 weeks)
15*1000=15000$ (very rentable in comparison of 60000$/BTC market price) (1.2*60000 72000$ on wallet) 

But u forget that
-that someone else can be faster than u,
-u can be unlucky because the Kangaroo Lambda algorithm is a probabilistic algorithm.
-Bitcoin price can dip while u are in!

Are my calculation are correct?

Have u heard of an implementation of SEC256K1 addition on FPGA or ASIC (ASIC miner have only optimised implementation for sha256)?

Regards

Fanch