It's not possible. Though the fact that you can 'search from both directions' is why 256-bit ECC has 2^128 security. Rho is an enormous speedup but the parameters are chosen to make it irrelevant.

I think I've pointed out the fraud in this thread clearly enough.  The impression was made that this tool was able to find the private keys of some portion of random keys enough for shill demonstrations in this thread.   I posted 200,000 keys with a substantial bounty for giving me the private key of any one of them.  Evil, where is my private key?  You said your software takes a few minutes— please either solve one of the keys I posted or admit that you cannot and that people have been mislead by this thread.

But, of course, there isn't. The group is complete, all $ORDER points are reachable by multiplying the generator from 1..$ORDER-1. Some points _can't_ be more likely than others as a property of the curve with a uniform input, or otherwise some points would be unreachable (obvious by the pigeonhole principle) and the order would be less.

All it does is reaffirms is that the world is full of fuzzy headed reactionary thinkers, unscrupulous parties, and pump-and-dumpers looking to cash in on hysteria.

Itod, you realize that the software you're running is indistinguishable from a cracker of EC keys, right?  I mean— no real reason to believe that anyone will find anything, but...

If he has anything at all then he can demonstrate it by cracking any one of the 200,000 keys I posted as a bounty and collect a bunch of coins from me.

What I was responding to was someone asking about testing if a key is "weak"— it's pointless, if any non-infinitesimal fraction is weak (e.g. by being generated from private keys known to an attacker) all keys are weak.

There is no such thing as a weak key in secp256k1. If any non-trivial fraction of uniformly selected keys are weak then all keys are weak because there is a simple bit of algebra to convert an attack on a non-trivial fraction of random keys into an attack on any specific key.

The crappy and super slow implementation of ECC arithmetic linked to on that website checks keys generated against a couple thousand 32 bit values. (Why use a slow thing like that if you've supposedly got some amazing gpu thing). My guess was that he's using this as bait to get people to run that program and the values that its looking for are all 'near' high value keys.

Or other wise it just another lame market manipulation attempt. Either way, ... if he actually can crack something I welcome him to go solve any of the 200,000 keys I listed and collect his bounty.

Thanks for decoding his JS, I'd just ignored it.

The thread has several instances of newbie accounts providing single pubkeys which evil claims to crack e.g: https://bitcointalk.org/index.php?topic=421842.msg4800547#msg4800547

Encoding 'in the blockchain' is pretty much the absolute last thing you want to do for pretty much any question.

What you're describing also has the bad property that you can't prove the connection without disclosing the private key.

It also suffers from bad key management since coins will be assigned to non-backed up ephemeral keys which could be loss.

It also doesn't create strong evidence that the receiver of the coins actually knew of their existence... e.g. I fail to give you the private key, then I spend the coins myself, then I say you didn't live up to your side of a contract you never saw.

There are proposals for pay to contract which are much better, but they still have the data integrity issues.

The payment protocol supports x509 signing for non-repudiation of invoices, which is I think mostly what the OP wanted.

Nah, coincidental. The only reason I put a limit at all is so I wouldn't feel ethically obligated to hold onto 50 BTC beyond that point in time.

So you claim you can crack some random keys provided by people on the forum? Oh really.

Well here, I'll make it very profitable for you then:


Full message at https://people.xiph.org/~greg/keysfun.asc

Surely if you can crack a single key provided by a person in the thread cracking any one of 200k keys should be a cinch.

So you claim you can crack some random keys provided by people on the forum? Oh really.

Well here, I'll make it very profitable for you then:


Full message at https://people.xiph.org/~greg/keysfun.asc

Surely if you can crack a single key provided by a person in the thread cracking any one of 200k keys should be a cinch.

This is indistinguishable from a ECC cracking tool.

After reading the source code, it appears to me that you're using this crap as a cover to try to trick people into performing computation for you in an attempt to crack a couple thousand selected keys.

Unfortunately its impossible to determine which keys you're attempting to crack because its possible to cryptographically blind the cracking process (e.g. the matches are against key + s*G for some s known only to you).

It's pointless and a waste of time, but I guess you figure so long as other people are doing the computation for you that its worth doing.

It's doubly hilarious that you claim to have (and offer to sell) a GPU tool that can compute keys a "terra-tries per second", and yet you'd ask people to waste their time crunching with this rubbish python EC implementation.

Ask Theymos about it. Regular mods can't see deleted stuff.

No one here was claiming that and if they were they would have been promptly corrected.  The the selection power in the 'random' parameter procedure would have required unknown attacks is something that has been pointed out before.  If you're going to bump an old thread, please at least refrain from insulting everyone on in the subforum.

It's not unusual when chanting prices to give coupons to customers who purchased right before the change, effectively grandfathering them into the new price so they don't feel cheated that they didn't order a couple days later... removes a buying reservation "I could buy— but maybe tomorrow the price will be lower!" and getting it in coupon form keeps the sales going.

Nothing about it seemed surprising or inexplicable to me.

What, you don't think it's an awesome price? It's probably about 1/3rd of what he paid for it!

DHL is now saying that it's almost here. Maybe I'll have it up 24 hours from now.

The energy efficiency advantage isn't small— it's similar to the improvement early Bitcoin asics achieved over GPUs— and don't forget the secondary costs (PSUs, motherboards and slots, etc.) that these miners will reduce.  The price is a product of the manufacturers pricing of an exclusive bleeding edge part— these are not chips which costs more to produce than GPUs by any means— even absent competition you can expect the pricing to eventually achieve whatever amount allows them to sell a metric boat load of them and the power efficiency will drive GPUs out of the market. This is my prediction at least.

GPUs had their advantages but they did for Bitcoin too, the story is pretty similar and GPUs are irrelevant today for SHA256 mining.

I'm pretty happy using my antminers on P2Pool, just make sure you're running the current firmware (20131226 or better). I can't really recommend using a remote p2pool node, as when you use someone elses you lose most of the advantages of P2Pool.

I generally agree, but it's also one of the reasons why we shouldn't be willing to pay prices which are too close to the border of profitability... there are a whole bunch of risks associated with operating mining equipment, including shipping snafus.

For 300GH/s you will need 100,000 3 GHz Intel or AMD cores of recent vintage, plus a lot of additional money to power is as the power consumption will be so high that it will operate at an almost complete loss.

Cheers.