But isn't that about the "spending" script put in the witness not the pubkey script where the program is?

Witness version 0 is strict and will fail if the program size is not 20 or 32 bytes but witness version 1 will simply assume the program is undefined and passes on verification. What's the rational for keeping this loose?
https://github.com/bitcoin/bitcoin/blob/55a156fca08713b020aafef91f40df8ce4bc3cae/src/script/interpreter.cpp#L1878

Assuming you are using the PublicKey class provided here you have to call the ToByteArray() method and then encode the bytes however you want. byte[] has a special extension method to convert to hexadecimal called ToBase16().

BTW if you want to get public key of a private key it is best to use the PrivateKey class directly since it makes sure you have a valid key.

I'm not sure what you are asking here. Each .cs file has to have the using directives before you can use the types in that namespace. This is not something you can get rid of.
https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/using-directive

Unless this is just for educational purposes you shouldn't do it. Use a library like libsecp256k1 with a wrapper in C#.

Bitcoin.Net has an EllipticCurve namespace which is a very simple implementation of ECC.
Private key to public key code would be MultiplyByG(BigInteger k) method.
Keep in mind that this is minimally tested using NIST Cryptographic Algorithm Validation Program since I plan to completely replace it before releasing version 1.0.

If you want to see a more efficient implementation based on libsec256k1 check out the ECC namespace in FinderOuter.

After you instantiate a new instance using one of the constructors, you can call the public method called ToMnemonic() to get the string of words.

But if you want to see how the entropy is being converted you have to look at the private method called SetWordsFromEntropy(byte[] entropy) which is basically brute forcing the entropy to get one that corresponds to the required seed type.

ElectrumMnemonic class is found under Autarkysoft.Bitcoin.ImprovementProposals namespace. Also if you click on that little dropdown in your screenshot intellisense should give you the correct suggestion.

Thanks.

Version 0.10.0 is released.
https://github.com/Coding-Enthusiast/FinderOuter/releases/tag/v0.10.0.0
See changelog for details.
BigInteger Be Gone!
This release introduced a new code for Elliptic Curve Cryptography that also solves issue #9. 
Effectively this brings a ton of optimization to almost all options, mainly the mnemonic recovery and
Base16 rcovery. But also any option that required an ICompareService that used ECC. 
By getting rid of the old ECC code and BigInteger this also solves the pressure on garbage collector
and lets FinderOuter utilize the entire CPU power during parallelism. 
Speed gain in this release is usually around 200% compared to previous releases. 
Good news is that this is the initial step for more optimization! For example the current ECC implementation
uses radix 2²⁶ and contstant time operations, changing to radix 2⁵² and using variable time operations, etc
will improve the speed more. 

Some additional changes:

• Path recovery can now accept any extended keys (xprv, ypub, zprv, ?pub, ...)
• It is now possible to recover a WIF missing up to 11 characters from the end
• Reports generated by MissingEncoding option are improved
• Various code improvements and tests
• From this version we are also releasing binaries for 3 operating systems (Linux, Windows and MacOs all x64)

That's what I was doing, but my list was old since I hadn't worked on it for over a month and I was checking 200+ IPs with a socket that has a 30 second connection timeout. So I had to do a manual reset and fall back to DNS seeds.
Plus for some reason the couple of nodes (from DNS) seed I connected to didn't reply to my GetAddr message.

Thanks for the info, it is useful. But unfortunately this seems to return nodes that have these flags not nodes that have only these flags which means it still returns a node with NODE_NETWORK_LIMITED flag if it has the specified flag too.

Could you please elaborate?

Considering the fact that nodes mainly dig DNS seeds when they start for the first time why are they returning pruned nodes (NodeNetworkLimited)?
Right now almost all IP addresses returned from DNS seeds are pruned nodes which has made downloading blocks impossible for me.

Another issue I noticed is that some of the addresses they return are not useful at all (I either get timeouts or the connection is refused or there isn't any node at all to connect to).
For example the following list is a handful of invalid IP addresses that seed.bitcoin.sipa.be returns:

Then you are more skilled than I.
But please note that the check here is against an address not a public key so algorithms such as Pollard Kangaroos, and Baby Step Giant Step can't work.

I'm not just reporting the time, I'm offering an existing solution and in case it wasn't clear the link to FinderOuter is found in my signature.
Announcement: https://bitcointalk.org/index.php?topic=5214021.0
Source code: https://github.com/Coding-Enthusiast/FinderOuter

It depends on whether the key is compressed or uncompressed. For a compressed key you have to check about 22 million while for an uncompressed key the number is 5.8 billion.

For the first case it takes about 2 minutes to check all the keys using FinderOuter

Compiled binaries for version 0.11.0 was released and can be found here: https://github.com/Coding-Enthusiast/SharpPusher/releases/tag/0.11.0.0
They are available for Linux, OSX and windows all x64. If you need any other OS you'll have to compile the code yourself.
All of these releases are published as a self contained app which means you won't need to download anything extra including the .net framework since it is already included in the package. That also makes them portable too.

PS. There is a small change where a new checkbox is added to allow users to locally evaluate the transaction without broadcasting it. It will deserialize the transaction hex and evaluates all its scripts without executing them.

This is a Visual Studio related problem. Refer to SO: https://stackoverflow.com/questions/65209536/microsoft-visual-studio-2019-the-project-file-cannot-be-opened-unable-to-locat

Yes, FinderOuter can run on all operating systems.
You have to compile the source code yourself for Windows, although I suggest always dealing with private keys on an air-gap machine.
Steps are explained in ReadMe file on GitHub.
Remember to use release configuration:

Check out my project, The FinderOuter.
In "Missing Base58" option enter the characters you have and replace the remaining missing characters with '*' and click Find button.
Look at examples 3 and 4 for more information.


The optimized method works for up to 11 missing chars at the end of a compressed key and up to 9 for uncompressed. Since you are missing 9 for both it works for you. I'll optimize it soon to support more.

We're trying to address some of the problems and shortcoming with the existing mnemonic algorithms namely BIP-39 and Electrum. The idea is to add the information that the wallet needs to derive child keys to final string that the user writes down and more importantly we see mnemonic as a simple encoding and avoid modifying the entropy when deriving the BIP-32 seed (see #4).

The C# implementation can be found here: https://github.com/Autarkysoft/Denovo/blob/master/Src/Autarkysoft.Bitcoin/Experimental/BetterMnemonic.cs
Like any experimental class under Experimental namespace this is a rough idea and the code is untested.


1. Scalability
To make the algorithm scalable a small 4 bit version is added to the beginning of the encoding. This way we can have different definitions using the same scheme.

2. Derivation path/script type
In order to let the wallet know which BIP-32 derivation path to use, that path has to be encoded into the mnemonic. This path could also act as the script (address) type of the child keys. For instance m/84'/0'/0'/0 is for P2WPKH addresses.
The downside is increasing the length of the final mnemonic. This could be mitigated by introducing version 2 where instead of encoding the entire path a 4 bit integer is used to indicate the predefined paths. 16 hard-coded paths can be defined this way and for anything new next version could be used.
version 1: 4-bit version | 4 bit derivation path depth | each index as 32-bit unsigned integers
version 2: 4-bit version | 4 bit hard-coded path

BIP-39 doesn't have this feature.
Electrum has a partial solution by first increasing the entropy size from 128 to 132 bits then brute forcing a version that indicates the derivation paths and script types

3. Creation time
This can be useful for the full nodes to avoid re-scanning the entire blockchain when the user imports their mnemonic. The creation time (as a LockTime object) can quickly tell the client from when in the history to begin the scan. For example a mnemonic created today doesn't have to scan the 300 GB of existing history.
Since this is LockTime as used in transactions (instead of simple DateTime) it could be used by both online and offline clients generating the mnemonic as the online synced client knows the block height and can use that and the offline (cold storage) can use the DateTime (values as Unix timestamp and above 500,000,000).

The rest is implementation detail, for example the wallet UI can show the LockTime (block height or DateTime) and still give the user the option to do a full rescan.

4. No modification of the initial entropy
This is the main and biggest difference. Both BIP-39[2] and Electrum[3] are modifying the mnemonic:
A. Modifying by normalization
BIP-39 uses a Unicode normalization with full compatibility decomposition (form KD) but Electrum takes a step further and modifies the input mnemonic more by removing accents, changing Chinese words, removing spaces for word lists other than English, etc. Then the byte array representation of the string is used to derive the keys.
This can create incompatibility between different implementations and lead to losses specially for any word list other than English.

If the words are only used to look up index of each word in the word list to get the entropy out and nothing else, this problem is eliminated.
In other words if user enters a word like "aliener" instead of "aliéner" (from French word list) it still can be searched inside the word list and if the search fails (due to bad normalization) the import process fails right away instead of going ahead. While normalizing this word can give different values:
The problem is more palpable when using Japanese word list for example (the start of the difference is marked by ^, also note the lengths):

B. Use the UTF-8 decoded bytes of the mnemonic instead of the entropy
When creating a mnemonic a random entropy with a good distribution of bits is chosen. For example in a 12 word mnemonic the entropy is an octet string with length of 16 (ie. 128 bits). Each octet can have a value between 0 and 255 inclusive which is 256 different values.
When this is converted to 12 words using English word list then UT8 decoded to be used to derive BIP-32 seed, it is a longer octet string but each octet can only have a value between 97 and 122 inclusive which is only 26 different values.
In other words a big bias is introduced in the input of PBKDF2 while the initial entropy had no bias at all (assuming it was chosen using a strong RNG).

By using the entropy itself we can eliminate this bias and also avoid the normalization bugs that could occur in different implementations while greatly simplifying the implementation.

Downside
The only disadvantage of this proposal is the longer mnemonic. For example a 12-word BIP-39/Electrum mnemonic would turn into a 26-word version 1 BetterMnemonic using BIP-84 derivation path (without locktime) or 14-word version 2+ (without locktime).

[1] Experimental-1: https://bitcointalk.org/index.php?topic=5245712.0
[2] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed
[3] https://github.com/spesmilo/electrum/blob/392a648de5f6edf2e06620763bf0685854d0d56d/electrum/mnemonic.py

Yes. Unlike .net framework the .net is no longer windows specific and can be used for any operating system. The UI is also designed that way to render everything based on the platform that is used.

There are two ways we can publish a .net application framework-dependent and self-contained, the former requires installing .net and the later doesn't but it is slightly bigger.
I have been releasing my other project (FinderOuter) as a self-contained executable for 64-bit Linux OS. It doesn't need any additional download or install, you just get the binaries and run them. The screenshot is from it running on Ubuntu 20.04.

You are comparing master with master on the same repository, so there is nothing to create a PR with. You have to change the branch. There is a button on top saying "compare across forks".
An easier way is to just fork the project and push changes to your own repository then inside that repository you will see a PR button that you can use.