Bitcoin puzzle transaction ~32 BTC prize to who solves it

[kTimesG]

for 135-bit tame's and wild's values needs very long time (about 48h) to fill.

48h or 48 millenia?

It was proven several times since 1994 that the lower bound for finding the discrete log in a generic group is sqrt(N) steps, and there is no magical way to go lower than that within classical computation, and there is no way to ever come up with a lower complexity than sqrt(N). Anyone who argues this is an idiot (and I use the word lightly).

Of course, EC is not a generic group, so any algo that lowers the complexity must take into account the curve's properties, otherwise they are simply methods of a generic group, and follow the above conclusion.

[fecell]

48h or 48 millenia?

We know probability theory. We know that a private key is determined by probability conditions. We can, using probability theory, limit the search area for a private key.
1000000000..00000000000001 is possible but not real key.
101011011011..000111011001 more real key by theory.

so, for exampe, if we do 0b100000000 (tame) minus 0b10 (wild) we have a poor result 100% (a lot of 'zero' in PK is abnormal).
so, correct initial 'tame' and 'wild' values for huge PubKey is very important.

[kTimesG]

48h or 48 millenia?

We know probability theory. We know that a private key is determined by probability conditions. We can, using probability theory, limit the search area for a private key.
1000000000..00000000000001 is possible but not real key.
101011011011..000111011001 more real key by theory.

so, for exampe, if we do 0b100000000 (tame) minus 0b10 (wild) we have a poor result 100% (a lot of 'zero' in PK is abnormal).
so, correct initial 'tame' and 'wild' values for huge PubKey is very important.

Amazing, I can't dispute this.

QQ: if I pick a number in my mind from 1 to 100, it is less likely to pick a number that has an abnormal amount of 0 or 1 (in base 2)?

[nomachine]

3 seconds on PYTHON! PK found.

You can halve that in 1.5 seconds with Inverse Wild Herd.

But you'll still need a hall full of GPUs for puzzle 135.

[Akito S. M. Hosana]

But you'll still need a hall full of GPUs for puzzle 135.

So, the whole point of this story is pointless without that many graphics cards? Are we just wasting our time and nerves here? 

[kTimesG]

But you'll still need a hall full of GPUs for puzzle 135.

So, the whole point of this story is pointless without that many graphics cards? Are we just wasting our time and nerves here? 

So TSMC responded after 3 months...

From: ****.*****@*****.****.**
Subject: Re: Inquiry about Special ASIC for secp256k1 Hardware Acceleration

Dear **** ********,

Thank you for reaching out to TSMC regarding your request for a custom ASIC tailored to secp256k1 calculations. We appreciate your interest in creating a specialized chip that includes hardware circuits for modular inversions, batch point additions (using a single inversion), automatic distinct-point detection, and overall hardware acceleration for the Pollard Kangaroo algorithm.

Below is a brief overview of what we can offer and some preliminary information about costs:

Design and Technology Options

TSMC provides a wide range of process nodes, from legacy (180nm/130nm) up to advanced nodes (7nm, 5nm). Choosing the right node depends on desired performance, power consumption, and budget.
We can work directly with your design team or with an external IP partner to integrate the cryptographic hardware blocks required for your application.
Cost Estimates

NRE (Non-Recurring Engineering): This includes design, verification, mask creation, and initial test runs. For a mature node like 28nm, NRE can range from $5–8 million for a moderately complex design, possibly exceeding $15 million if the design is very intricate. For advanced nodes (7nm/5nm), NRE can go beyond $20–30 million.
Per-Wafer Costs: Once the mask set is completed, the cost per wafer varies by node. At 28nm, each wafer might be a few thousand dollars, while at 7nm it could be between $10,000 and $15,000 per wafer. Final unit cost depends heavily on volume and yield.
Production Volume: Higher volumes help amortize NRE more effectively.
Timeline: Typically, after design completion and tape-out, it can take 6–9 months to receive the first wafers for mature nodes, and possibly longer for advanced nodes due to additional verification steps.
Special Requirements for Pollard Kangaroo Acceleration

Adding hardware support for modular inversion, batch point additions, and automatic point distinction detection will require specialized cryptographic IP.
Costs may rise if new IP blocks need to be developed or if advanced security features are required.
TSMC will work with your chosen IP vendor or design partner to ensure the integration and validation of these specialized functions.
Next Steps

To provide a more accurate quote, we would need further details on performance targets (frequency, power constraints), security/certification requirements, estimated production volume, and your target budget/timeline.
Based on your inputs, we can recommend the most suitable process node and give you a detailed pricing breakdown.
Please let us know if you have any questions or would like to arrange a call to discuss technical specifics. We appreciate your interest in TSMC and look forward to working with you on this project.

Best regards,
******* *** *****
Head of Technical Inquiries,
TSMC (Taiwan Semiconductor Manufacturing Company)

[nomachine]

Cost Estimates
NRE (Non-Recurring Engineering): This includes design, verification, mask creation, and initial test runs. For a mature node like 28nm, NRE can range from $5–8 million for a moderately complex design, possibly exceeding $15 million if the design is very intricate. For advanced nodes (7nm/5nm), NRE can go beyond $20–30 million.
Per-Wafer Costs: Once the mask set is completed, the cost per wafer varies by node. At 28nm, each wafer might be a few thousand dollars, while at 7nm it could be between $10,000 and $15,000 per wafer. Final unit cost depends heavily on volume and yield.

Finally, a concrete proposal for building an ASIC running the Kangaroo algorithm. The challenge, as expected, is the cost.  Unless there’s serious financial backing or a strong business case, it’s a massive investment for a niche application.

[singlethread1]

Wondering if anyone can help me with this.

Just curious - how long would it take for the average household desktop computer now in 2025 to get through 50% of the keys for puzzle 67?

I want to know to better explain this puzzle to my family/friends.

Thanks!!

#67 range is  73.79 quintillion
#68 range is 147.57 quintillion
#69 range is 295.15 quintillion

73.79 quintillion = 73790000000000000000

your new houshold Pc can prob do 8 Mkeys/s without high end GPU!

so about 292,277 years or  148,639 years for 50% of the range in #67 to answer your question!

Awesome, thanks!

[hoanghuy2912]

Could you explain more how you were doing this?

It will be pointless. 99.9% of ideas are criticized and easily destroyed.
Therefore, I see no point in showing my results, because they are rather based on chance and the dark side. lol.

But for 67 my approach is still the same. I also keep a log of prefixes so I can understand what ranges I've gone through. It makes absolutely no sense, but I just like to see thats prefixes.

I have some good work on random libraries, but not perfect. For example, for 130 bits, my library guesses from 90 to 95 bits in 15-25 seconds.
But for example for 66 from 50 to 58 bits.
Likewise for 40 from 30 to 39 bits.
https://www.talkimg.com/images/2025/02/18/qPIol.png
https://www.talkimg.com/images/2025/02/18/qPsx1.png
https://www.talkimg.com/images/2025/02/18/qPNuo.png

For any prefix 67bits these are the results.
https://www.talkimg.com/images/2025/02/18/qPyCC.png
67, I have absolutely no idea where he might be. I’m probably doing this for the sake of an idea, since bots will instantly change tx. This is of course very disappointing.
Good luck everyone.

can you show me how to do it?

[casperas20]

there is this Mara method to take the reward before the bots   if u find out the pv

[Cryptoman2009]

no technique, no artifact, no math.
Only the IMPROBABLE luck will give the chance to discover the puzzles 135-140-145-150-155-160.

Unless you invest tens of thousands of $ in GPU and electricity + time.

[kTimesG]

no technique, no artifact, no math.
Only the IMPROBABLE luck will give the chance to discover the puzzles 135-140-145-150-155-160.

Unless you invest tens of thousands of $ in GPU and electricity + time.

The cost of breaking 135 is closer to 1 million $, for a 99.999% chance of success. That is only the price for paying the electricity bill. You also need a bullet-proof distributed management system to sync data.

Relying on luck without a risk strategy will just end up as losing time and money.

Tens of thousands will get you nowhere, unless your risk ratio is around 1 to 1000. Very low chances you'd get to the solution with that amount.

[Cryptoman2009]

I have never used GPU for puzzle searching.
Only keyhunt, I like it and I enjoy playing with the "spaces".

Question... with a GPU system is it possible to search for multiple public addresses together or just one?
do software that use GPU accept a .txt file like the one generated by keysubtracter?

[brokedummy]

Wondering if anyone can help me with this.

Just curious - how long would it take for the average household desktop computer now in 2025 to get through 50% of the keys for puzzle 67?

I want to know to better explain this puzzle to my family/friends.

Thanks!!

For a decent CPU around 200 million years, for an average GPU maybe a couple thousand years.

I have never used GPU for puzzle searching.
Only keyhunt, I like it and I enjoy playing with the "spaces".

Question... with a GPU system is it possible to search for multiple public addresses together or just one?
do software that use GPU accept a .txt file like the one generated by keysubtracter?

Yes, I did multiple with Bitcrack but there is a bug in the code that causes an error if you use more than 15 addresses in your text file. There is a proposed solution to the bug that has to be fixed before building and maybe that will work for more than 15 but I haven't tried.

[Gtsg]

This puzzle is very strange. If it's for measuring the world's brute forcing capacity, 161-256 are just a waste (RIPEMD160 entropy is filled by 160, and by all of P2PKH Bitcoin). The puzzle creator could improve the puzzle's utility without bringing in any extra funds from outside - just spend 161-256 across to the unsolved portion 51-160, and roughly treble the puzzle's content density.

If on the other hand there's a pattern to find... well... that's awfully open-ended... can we have a hint or two?

I am the creator.

You are quite right, 161-256 are silly.  I honestly just did not think of this.  What is especially embarrassing, is this did not occur to me once, in two years.  By way of excuse, I was not really thinking much about the puzzle at all.

I will make up for two years of stupidity.  I will spend from 161-256 to the unsolved parts, as you suggest.  In addition, I intend to add further funds.  My aim is to boost the density by a factor of 10, from 0.001*length(key) to 0.01*length(key).  Probably in the next few weeks.  At any rate, when I next have an extended period of quiet and calm, to construct the new transaction carefully.

A few words about the puzzle.  There is no pattern.  It is just consecutive keys from a deterministic wallet (masked with leading 000...0001 to set difficulty).  It is simply a crude measuring instrument, of the cracking strength of the community.

Finally, I wish to express appreciation of the efforts of all developers of new cracking tools and technology.  The "large bitcoin collider" is especially innovative and interesting!

I've been analyzing the puzzle formation algorithm for two years. Just look at this information. After you figure this out, I'm ready for further dialogue.
https://i.postimg.cc/dVHh5k8h/XLS.jpg

It's part of the algorithm, there's another part, but what's the point of it all if the bots take the entire reward?

[frozenen]

This puzzle is very strange. If it's for measuring the world's brute forcing capacity, 161-256 are just a waste (RIPEMD160 entropy is filled by 160, and by all of P2PKH Bitcoin). The puzzle creator could improve the puzzle's utility without bringing in any extra funds from outside - just spend 161-256 across to the unsolved portion 51-160, and roughly treble the puzzle's content density.

If on the other hand there's a pattern to find... well... that's awfully open-ended... can we have a hint or two?

I am the creator.

You are quite right, 161-256 are silly.  I honestly just did not think of this.  What is especially embarrassing, is this did not occur to me once, in two years.  By way of excuse, I was not really thinking much about the puzzle at all.

I will make up for two years of stupidity.  I will spend from 161-256 to the unsolved parts, as you suggest.  In addition, I intend to add further funds.  My aim is to boost the density by a factor of 10, from 0.001*length(key) to 0.01*length(key).  Probably in the next few weeks.  At any rate, when I next have an extended period of quiet and calm, to construct the new transaction carefully.

A few words about the puzzle.  There is no pattern.  It is just consecutive keys from a deterministic wallet (masked with leading 000...0001 to set difficulty).  It is simply a crude measuring instrument, of the cracking strength of the community.

Finally, I wish to express appreciation of the efforts of all developers of new cracking tools and technology.  The "large bitcoin collider" is especially innovative and interesting!

I've been analyzing the puzzle formation algorithm for two years. Just look at this information. After you figure this out, I'm ready for further dialogue.
https://i.postimg.cc/dVHh5k8h/XLS.jpg

It's part of the algorithm, there's another part, but what's the point of it all if the bots take the entire reward?

Could you share more details of what this is?
I don't understand what you are trying to show with #100 all I can see is that you think #67 privkey starts with a 7 according to this?

[bibilgin]

Could you share more details of what this is?
I don't understand what you are trying to show with #100 all I can see is that you think #67 privkey starts with a 7 according to this?

No, it doesn't show that it starts with 7.

What your friend did is to mark where it exits between the Min. Decimal start and the Max. Decimal.

I just don't understand the coloring.

[Gtsg]

Could you share more details of what this is?
I don't understand what you are trying to show with #100 all I can see is that you think #67 privkey starts with a 7 according to this?

No, it doesn't show that it starts with 7.

What your friend did is to mark where it exits between the Min. Decimal start and the Max. Decimal.

I just don't understand the coloring.

the first and second lines are the dec range of the wallet, the third line is the hex key, the key in hex is formed from the elements of the dec range, the color shows the values in the order of formation. You look at the first hex character and find it in dec by color and so on. For example 100: a=6+3+1 , f=8+7 and so on. The rest of the information is only for donations

It would be better if the creator himself joined the conversation before I started laying out a method for generating conversion coefficients from wallet to wallet.

[frozenen]

Could you share more details of what this is?
I don't understand what you are trying to show with #100 all I can see is that you think #67 privkey starts with a 7 according to this?

No, it doesn't show that it starts with 7.

What your friend did is to mark where it exits between the Min. Decimal start and the Max. Decimal.

I just don't understand the coloring.

the first and second lines are the dec range of the wallet, the third line is the hex key, the key in hex is formed from the elements of the dec range, the color shows the values in the order of formation. You look at the first hex character and find it in dec by color and so on. For example 100: a=6+3+1 , f=8+7 and so on. The rest of the information is only for donations

It would be better if the creator himself joined the conversation before I started laying out a method for generating conversion coefficients from wallet to wallet.

Ok I see what you did but for #67 why color 7 , 6+9=f ,  6+1=7 ?

[Gtsg]

Could you share more details of what this is?
I don't understand what you are trying to show with #100 all I can see is that you think #67 privkey starts with a 7 according to this?

No, it doesn't show that it starts with 7.

What your friend did is to mark where it exits between the Min. Decimal start and the Max. Decimal.

I just don't understand the coloring.

the first and second lines are the dec range of the wallet, the third line is the hex key, the key in hex is formed from the elements of the dec range, the color shows the values in the order of formation. You look at the first hex character and find it in dec by color and so on. For example 100: a=6+3+1 , f=8+7 and so on. The rest of the information is only for donations

It would be better if the creator himself joined the conversation before I started laying out a method for generating conversion coefficients from wallet to wallet.

Ok I see what you did but for #67 why color 7 , 6+9=f ,  6+1=7 ?

What's the point? The bot will take the entire balance with a change in the transaction fee.
Maybe yes, maybe no