Looks like "version", "time", "bits", and "nonce" are correct.

hashPrevBlock and hashMerkleRoot have to be little endian.

Maybe there's a problem with switching endianness, i.e. reversing the string representation instead of bytes.

What is the previous block header, and the merkle tree?

The hash should be big-endian, what you showed is little-endian.

The hash of the header you presented is:

Investigating further, looks like you represented both previous block hash and merkle tree hash as little-endian.

Proper block header would be:

with hash:

EDIT:
Got it wrong. Still think endianness is the reason somehow.

The MOV Attack is from 1993:
A. J. Menezes, T. Okamoto and S. A. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field," in IEEE Transactions on Information Theory, vol. 39, no. 5, pp. 1639-1646, Sept. 1993, doi: 10.1109/18.259647.

You'd have to ask Satoshi about this. Code snippet from v0.1.0 (or 0.1.3):

You need the public key in order to generate P2PKH or P2WPKH. So if the address is spent from, or signed with, then you can generate the corresponding P2WPKH.

No public key - no way.

EDIT:
Got a bit confused here. The hash is the same so one only has to change the encoding.

Moreover in 12 words BIP39 there's 4-bit checksum, so the number of valid combinations is ~29,937,600.

By this definition sha-256 could be non-invertible as well, depending on its input. And double sha-256 is non-invertible (as used in bitcoin), since half of the possible outputs of the second sha2 are unreachable, and 1/4th have more than one pre-image.

In decimal, modulo n (the group order):
                r₁: 99935505760319748698811422354322418311203851828465328908708024011195996180829
                s₁: 14810718830809274529170993651437030466460552688297005873719201854608653306524
                e₁: 84635513758865831094131084311208775267495704821994249663954751780286420288259
                r₂: 115035229747891778996889965749694763606205313739267493174821202115705061416296
                s₂: 56412229366601912356674994073152925730313351483910294670205660420888695151902
                e₂: 711922952377524543467576566144169816136170490747613227449590530659320692002
              s₁^-1: 49589235156255394867995584868850296899036724345858375131186053009052960413985
              s₂^-1: 75860710922369590624024015031955497020040967297713867268831531011990818769063
            s₂^-1e₂: 24319896032458654235859288439366790171987421552616806414321622974227628294346
            s₁^-1e₁: 33373073398809441106621025265904429856170478887328914010434069704980389675914
            s₂^-1r₂: 102756882304321902845902604711749179835279156262963247575454606290129811589248
            s₁^-1r₁: 109263722787838616791900575947640359553086907200677310074463510255775504782173
1 - s₂^-1e₂ + s₁^-1e₁: 9053177366350786870761736826537639684183057334712107596112446730752761381569
    s₂^-1r₂ - s₁^-1r₁: 109285248753799481477573013772796728135029813341360841883596259175872468301412
 (s₂^-1r₂ - s₁^-1r₁)^-1: 88597492899895469960154264896435952736065060080234931949365434864574123803941
                d_U: 74071287274168731384314914382498140270634658281328726941106265589917762050271

Only non-hardened child with leaked private key, and leaked parent extended public key makes finding the parent private key easy.

k_par = k_i - parse₂₅₆(I_L) (mod n)
I = HMAC-SHA512(Key = c_par, Data = ser_P(K_par) || ser₃₂(i))

Hardened derivation uses the parent private key, which is unknown.
I = HMAC-SHA512(Key = c_par, Data = 0x00 || ser₂₅₆(k_par) || ser₃₂(i))

Bitcoin Core uses only hardened keys.

Non-hardened keys could be useful, when a system needs to generate new addresses, without having access to their private keys.

If quantum computers ever work, then by using Groover's algorithm mining difficulty would be square root of the usual one.

Let's say that mining difficulty is 80 bits. Then QC difficulty would be equivalent to 40 bits. Usual miners would do 2⁸⁰ operations, while QC would do 2⁴⁰ quantum operations.

But, IMO, unfortunately QC wouldn't work for any task other than generating enormous amounts of noise.

Vanitygen searches for specific prefix. Pairgen searches for matching prefixes.

The difficulty of finding a pair is suqare root of the difficulty finding a specific prefix. This is known as Birthday Paradox.

Finding a 40-bit matching pair is 1,000,000 times faster than finding 40-bit prefix. Well, to be more precise, 890,578 times faster.

Since bitcoin generally uses double sha-256, there are in fact unreachable outputs.

It's expected, that half of the output values are unreachable (when using dSHA256).

Theoretically it might become a problem in the future, when difficulty is insanely high, no combination of nonce/extranonce would produce a number below target. This might not be true though, it's possible that all low values are reachable.

Long before this happens there will be a hardfork, since sha-256 wouldn't be secure anymore, or a softfork adding additional hash commitment, using something stronger than sha-256.

No. A private key is between 1 and 2²⁵⁶ - 432420386565659656852420866394968145599.

Assuming known legacy address, wif private key contains 85 characters, first is always "5", second one of "H", "J", "K", leaving us with 83 characters. Let's assume the second character is know. When we have 4 possibilities for each character, there are 2¹⁶⁶ possible combinations. Direct brute forcing has been solved for private keys with 2⁶³ possibilities up to now.

We could accelerate the calculations a bit, by dropping the checksum characters (last 5), and doing checksum on the rest. This drops the complexity to 2¹⁵⁶.

If the public key of the address is known (i.e. spent from, or signed with), then it's "easier" to do Pollard Rho on it - complexity is only 2¹²⁸.

With 2 possibilities per character, the complexity is 2⁷⁸, so few billions of dollars, many years, and giga-watt-hours later it could be cracked.

If we search for a curve y² = x³ + d passing through (1000,2000) then d = -996,000,000. Such big d would give enormous coordinates very fast. Well, small d would grow almost as fast too. Elliptic curve security is based on this effect to a large extent.

A "smaller" curve would be y² = x³ + 12 with G=(-2,2). The curve is of rank 1, isomorphic to secp256k1 curve mod p, G being the point with smallest height.
2*G = (13, -47)
3*G = (-74/225, 11674/3375)
4*G = (27313/8836, -5352937/830584)
5*G = (14932678/8994001, 109819305542/26973008999)
...

The numbers grow very fast, n*G needs at least 2ⁿ bits to represent just the numerator of x coordinate. y grows even faster.

To some extent this could be mitigated by using curves of rank > 1. This means a curve with more than one rational generator. One could relatively easy find a curve of rank 8, the smallest one (in absolute value) is d=−2520963512. The average x would need at least 2⁷³ bits to just represent its numerator (when multiplying by <2²⁵⁶).

The highest rank of publicly known curve, isomorphic to secp256k1, is 16. The x coordinate numerator (~2⁴⁵ bits) would fit the RAM of modern supercomputer.

There's no known (easy) way to lift a point mod p to a rational numbers one. It is at least as hard as ECDLP.

When the input is sanitized there are no infinity points. Step 9 is skipped.

I missed something from J+A point addition - step 14 in 3.22. There should be additional 256-bit-add-minus-p & 256-bit-mux, for 1280 more gates. It doesn't change the outcome much.

Since there are many multiplexers, it might be beneficial to allow the Transmission gate.

A 256-bit multiplexer would be 512*TG + 1*NOT. This is 3 times less transistors.

Perhaps it would be better to count transistors instead of logic elements.
 NOT - 2
 NOR - 4
NAND - 4
 AND - 6
  OR - 6
 XOR - 8 (6 with PTL)
XNOR - 8
  TG - 2

The most naive point addition is with memory 1 point (G). Then we double the generator and add points appropriately. However all doubled points are constant, hence we could precompute all 255 doublings. The result is 256 points memory, no doubling. Since point addition is more expensive compared to implementing memory through multiplexers, we could go further. Split the private key in groups of 2 bits, precompute for each group the four combinations (resulting in 4*128 points memory), and feed the appropriate points to 127 point adders.

i.e. at lsb position
bits
00 - 0*G
01 - 1*G
10 - 2*G
11 - 3*G

next group would be
00 - 0*G
01 - 4*G
10 - 8*G
11 - 12*G

and so on.

If we use groups of 4 bits - 2⁴ points memory per group.

It turns out that with affine points best is to use groups of 11 bits, plus 3 bits for the last group.
For Jacobian+affine point additions best is groups of 10 bits, plus 6 bits for the last group.


1. It is quite possible, that I have a mistake here, missing one multiplication. Anyway Jacobian+affine performs better.
2. "Guide to Elliptic Curve Cryptography", Algorithm 3.22. It has 8 multiplications, 3 squares, 6 subtractions.

For binary euclidean gcd I get 760 iterations, when running with input 0x8000...00 and p.

You could have fun the other way as well. For every y there are 3 possible x values. You could even combine both strategies.

For any number in range (0, p), 1/2 are valid x coordinates, 1/3 are valid y coordinates.
The probability any y coordinate is valid x coordinate is 50%.
There are (n-1)/3 y coordinates (n being the group order) ≈1.33*2²⁵⁴.
The average number of child points is 1. Any child point has 3 parents.
The longest chain could be in the order of 2¹²⁸ points.
Most probably there are cycles, specially when the chain approaches 2¹²⁷ points.