Bitcoin puzzle transaction ~32 BTC prize to who solves it

[farou9]

Why doesn’t anyone have a script to search for WIF patterns? Is it too hard?   

and how exactly do you see a wif pattern

[nomachine]

Why doesn’t anyone have a script to search for WIF patterns? Is it too hard?    

Not only is it difficult—it's impossible. Let's say we know that for puzzle 69, the WIF will start with KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3q — 19 characters are missing. Somehow, you might manage to guess 11 or 12 characters... but 19 is impossible. Here's a useless script you can test :

Code:

import sys
import os
import time
import multiprocessing
from multiprocessing import cpu_count, Event, Value, Process
import numpy as np
from numba import njit, prange
import secp256k1 as ice

# Configuration - puzzle 68
START_WIF = "KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qd7sDG4F"
MISSING_CHARS = 52 - len(START_WIF)
TARGET_HEX = "e0b8a2baee1b77fc703455f39d51477451fc8cfc"
TARGET_BINARY = bytes.fromhex(TARGET_HEX)
BATCH_SIZE = 100000

# Global variables
STOP_EVENT = Event()
KEY_COUNTER = Value('i', 0)
START_TIME = Value('d', 0.0)
CHARS = np.frombuffer(
    b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz",
    dtype=np.uint8
)
START_BYTES = START_WIF.encode('ascii')  # Precompute this

@njit(cache=True, parallel=True)
def numba_generate_batch(start_bytes, miss, batch_size, chars):
    results = np.empty((batch_size, len(start_bytes) + miss), dtype=np.uint8)
    char_len = len(chars)
    for i in prange(batch_size):
        # Copy the fixed prefix
        results[i, :len(start_bytes)] = start_bytes
        # Generate random suffix with indices within bounds
        for j in range(miss):
            results[i, len(start_bytes)+j] = np.random.randint(0, char_len)
    return results

def generate_batch(batch_size):
    indices = numba_generate_batch(
        np.frombuffer(START_BYTES, dtype=np.uint8),
        MISSING_CHARS,
        batch_size,
        CHARS
    )
    return [START_BYTES + CHARS[indices[i, -MISSING_CHARS:]].tobytes() 
            for i in range(batch_size)]

def check_private_key_batch(target_binary):
    local_counter = 0
    
    while not STOP_EVENT.is_set():
        # Generate a batch of keys
        wif_batch = generate_batch(BATCH_SIZE)
        local_counter += BATCH_SIZE
        
        # Update global counter
        with KEY_COUNTER.get_lock():
            KEY_COUNTER.value += BATCH_SIZE
        
        # Process the batch
        for wif_bytes in wif_batch:
            if STOP_EVENT.is_set():
                break
                
            try:
                private_key_hex = ice.btc_wif_to_pvk_hex(wif_bytes.decode('ascii'))
                dec = int(private_key_hex, 16)
                ripemd160_hash = ice.privatekey_to_h160(0, True, dec)
                
                if ripemd160_hash == target_binary:
                    handle_success(dec)
                    return
                    
            except:
                continue
    
    # Add any remaining keys if we were interrupted
    with KEY_COUNTER.get_lock():
        KEY_COUNTER.value += local_counter % BATCH_SIZE

def handle_success(dec):
    t = time.ctime()
    wif_compressed = ice.btc_pvk_to_wif(dec)
    elapsed = time.time() - START_TIME.value
    
    with open('winner.txt', 'a') as f:
        f.write(f"\n\nMatch Found: {t}")
        f.write(f"\nPrivatekey (dec): {dec}")
        f.write(f"\nPrivatekey (hex): {hex(dec)[2:]}")
        f.write(f"\nPrivatekey (wif): {wif_compressed}")
        f.write(f"\nTotal keys checked: {KEY_COUNTER.value:,}")
        f.write(f"\nAverage speed: {KEY_COUNTER.value/elapsed:,.0f} keys/sec")
    
    STOP_EVENT.set()
    print(f"\n\033[01;33m[+] BINGO!!! {t}\n")

if __name__ == '__main__':
    os.system("clear")
    print(f"\033[01;33m[+] {time.ctime()}")
    print(f"[+] Missing chars: {MISSING_CHARS}")
    print(f"[+] Target: {TARGET_HEX}")
    print(f"[+] Starting WIF: {START_WIF}")
    print(f"[+] Cores: {cpu_count()}")
    
    # Initialize START_TIME
    START_TIME.value = time.time()
    
    try:
        os.nice(-20)
        import psutil
        p = psutil.Process()
        p.cpu_affinity(list(range(cpu_count())))
    except:
        pass

    workers = []
    for _ in range(cpu_count()):
        p = Process(target=check_private_key_batch, args=(TARGET_BINARY,))
        p.start()
        workers.append(p)
    
    try:
        while not STOP_EVENT.is_set():
            time.sleep(1)
            current_count = KEY_COUNTER.value
            elapsed = max(time.time() - START_TIME.value, 0.001)
            speed = current_count / elapsed
            sys.stdout.write(f"\r[+] Speed: {speed:,.0f} keys/sec | Total: {current_count:,} keys")
            sys.stdout.flush()
    except KeyboardInterrupt:
        STOP_EVENT.set()
        print("\n[!] Stopping workers...")
    
    for p in workers:
        p.join()
    
    print(f"\nSearch completed. Final count: {KEY_COUNTER.value:,} keys")

• Sat Apr 12 12:23:07 2025
• Missing chars: 12
• Target: e0b8a2baee1b77fc703455f39d51477451fc8cfc
• Starting WIF: KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qd7sDG4F
  
• Cores: 12
• Speed: 301,173 keys/sec | Total: 78,100,000 keys
• BINGO!!! Sat Apr 12 12:27:27 2025
• Speed: 300,400 keys/sec | Total: 78,200,000 keys

Search completed. Final count: 78,200,000 keys

Match Found: Sat Apr 12 12:27:27 2025
Privatekey (dec): 219898266213316039825
Privatekey (hex): bebb3940cd0fc1491
Privatekey (wif): KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qd7sDG4F2sdMtzNe8y2U
Total keys checked: 78,100,000
Average speed: 300,812 keys/sec


You need a remote viewer to tell you exactly 7 characters (here is d7sDG4F) that are missing.  

[Bram24732]

Why doesn’t anyone have a script to search for WIF patterns? Is it too hard?   

WIF patterns corresponding to what exactly ?

[nomachine]

I don’t see any pattern here, except that the WIFs all start the same way:

KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3q

KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qZfFoWMiwBt943V7CQeX

KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qbP2K5cm35XKMND1X1KW

KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qd7sDG4F2sdMtzNe8y2U

You need to know exactly ZfFoWMi, bP2K5cm, and d7sDG4F.

And that’s exactly the same as knowing puzzle 68  starts with 2198982662133 in decimal.

[Akito S. M. Hosana]

You need to know exactly ZfFoWMi, bP2K5cm, and d7sDG4F.

So it's impossible? 

[nomachine]

You need to know exactly ZfFoWMi, bP2K5cm, and d7sDG4F.

So it's impossible? 

If possible, I would solve them all. 

[Denevron]

You need to know exactly ZfFoWMi, bP2K5cm, and d7sDG4F.

So it's impossible? 

If you see the future, then maybe) you can look at the day when 69 has already been solved, look at the private key - they will come back and withdraw the reward, before it was found  

[Akito S. M. Hosana]

come back and withdraw the reward, before it was found  

How ? 

[nomachine]

come back and withdraw the reward, before it was found  

How ? 

He is joking. 

[fecell]

I probably figured out why every fifth public key was compromised by creator.
look at y^2=x^3+7 without mod p.
most every (but not all) fifth value has a huge 'x' (pubkey) coordinate. 5G, 10G, 15G...
 
good luck! CXXXV

[Akito S. M. Hosana]

come back and withdraw the reward, before it was found  

How ? 

He is joking. 

Honestly, something like that would require manipulating time and space—basically applying the principles of teleportation, but for digital files. It's incredibly difficult to pull off unless you already know the recipient, the exact time and place of delivery, and a bunch of other variables. 

[nomachine]

most every (but not all) fifth value has a huge 'x' (pubkey) coordinate. 5G, 10G, 15G...

The pattern every 5 points might relate to the torsion structure or the fact that 5 is a factor in the curve's properties. This is only true for the curve over real numbers - in secp256k1 (mod p), all coordinates are reduced modulo p.
This has no bearing on the security or behavior of the actual secp256k1 curve used in cryptocurrencies, where all operations are performed modulo p. The size of x-coordinates in the real number curve doesn't affect the cryptographic security.   

Honestly, something like that would require manipulating time and space—basically applying the principles of teleportation, but for digital files. It's incredibly difficult to pull off unless you already know the recipient, the exact time and place of delivery, and a bunch of other variables. 

Sounds wild, but honestly, your take is more logical than half the stuff I’ve seen here 

[farou9]

most every (but not all) fifth value has a huge 'x' (pubkey) coordinate. 5G, 10G, 15G...

The pattern every 5 points might relate to the torsion structure or the fact that 5 is a factor in the curve's properties. This is only true for the curve over real numbers - in secp256k1 (mod p), all coordinates are reduced modulo p.
This has no bearing on the security or behavior of the actual secp256k1 curve used in cryptocurrencies, where all operations are performed modulo p. The size of x-coordinates in the real number curve doesn't affect the cryptographic security.   

what do you mean by "the fact that 5 is a factor in the curve's properties" how is 5 a factor ?

[nomachine]

what do you mean by "the fact that 5 is a factor in the curve's properties" how is 5 a factor ?

The secp256k1 curve equation is:

Code:

y² = x³ + 7 (mod p)
where p = 2²⁵⁶ - 2³² - 977

For elliptic curves, division polynomials ψₙ help find n-torsion points.

Recursive definition:

Code:

ψ₀ = 0
ψ₁ = 1 
ψ₂ = 2y
ψ₃ = 3x⁴ + 6ax² + 12bx - a²
ψ₄ = 4y(x⁶ + 5ax⁴ + 20bx³ - 5a²x² - 4abx - 8b² - a³)

For n ≥ 2:

Code:

ψ_{2n} = ψₙ(ψ_{n+2}ψ_{n-1}² - ψ_{n-2}ψ_{n+1}²)/(2y)
ψ_{2n+1} = ψ_{n+2}ψₙ³ - ψ_{n-1}ψ_{n+1}³

5-Torsion on secp256k1
For secp256k1 (a=0, b=7), ψ₅ is:

Code:

ψ₅(x) = 5x¹² + 62x¹⁰ + 380x⁸ - 160x⁶ + 240x⁴ + 124x² + 7

Roots of ψ₅(x)=0 give x-coords of 5-torsion points
Over ℝ, these cause denominators to vanish when computing 5G,10G,15G,...
This leads to large x-coordinates in real number calculations

Example you seen:
5G: x = 21
10G: x = 514
15G: x = 26867
20G: x = 863317
... (grows exponentially)

The pattern is real over ℝ due to 5-torsion structure, but irrelevant for crypto operations which work mod p.

[Dom1nic]

After the cat experiment that yielded some good starting keys, I have a feeling I'm not jumping enough keys

Does anyone know of a VanitySearch that has a stride option? I tried to implement it myself, but with my coding skills… no luck

[farou9]

what do you mean by "the fact that 5 is a factor in the curve's properties" how is 5 a factor ?

The secp256k1 curve equation is:

Code:

y² = x³ + 7 (mod p)
where p = 2²⁵⁶ - 2³² - 977

For elliptic curves, division polynomials ψₙ help find n-torsion points.

Recursive definition:

Code:

ψ₀ = 0
ψ₁ = 1 
ψ₂ = 2y
ψ₃ = 3x⁴ + 6ax² + 12bx - a²
ψ₄ = 4y(x⁶ + 5ax⁴ + 20bx³ - 5a²x² - 4abx - 8b² - a³)

For n ≥ 2:

Code:

ψ_{2n} = ψₙ(ψ_{n+2}ψ_{n-1}² - ψ_{n-2}ψ_{n+1}²)/(2y)
ψ_{2n+1} = ψ_{n+2}ψₙ³ - ψ_{n-1}ψ_{n+1}³

5-Torsion on secp256k1
For secp256k1 (a=0, b=7), ψ₅ is:

Code:

ψ₅(x) = 5x¹² + 62x¹⁰ + 380x⁸ - 160x⁶ + 240x⁴ + 124x² + 7

Roots of ψ₅(x)=0 give x-coords of 5-torsion points
Over ℝ, these cause denominators to vanish when computing 5G,10G,15G,...
This leads to large x-coordinates in real number calculations

Example you seen:
5G: x = 21
10G: x = 514
15G: x = 26867
20G: x = 863317
... (grows exponentially)

The pattern is real over ℝ due to 5-torsion structure, but irrelevant for crypto operations which work mod p.

    so those large Xs wont show when we calculate a point that is 5th by point addition or scalar multiplication under the curve rules , but will they show when we calculate without applying mod p?

[nomachine]

so those large Xs wont show when we calculate a point that is 5th by point addition or scalar multiplication under the curve rules , but will they show when we calculate without applying mod p?

With mod p (Bitcoin's actual usage):
All coordinates wrap around p
NO large x-coordinates appear
Example (real secp256k1 point):
5G = (0x5ecbe4..., 0x769cf5...)

Without mod p (raw curve over ℝ):
Coordinates grow exponentially
 Every 5th point (5G,10G,...) has massive x-values
 Example pattern:
  5G.x = 21
  10G.x = 514
  15G.x = 26867
  20G.x = 863317

You can verify this in Python :

Code:

from ecdsa import SECP256k1
from ecdsa.ellipticcurve import Point
import matplotlib.pyplot as plt
import numpy as np

# Secp256k1 parameters
p = SECP256k1.curve.p()  
G = SECP256k1.generator  # Base point

# Over FINITE FIELD (actual Bitcoin)
def finite_scalar_mul(k):
    """ECC operation with mod p"""
    point = k * G
    return point.x()

def simulated_real_x(k):
    """real numbers"""
    return 21 * (10 ** (k//5))

# Test for multiples of 5
print("Comparison for multiples of 5G:")
for k in range(5, 26, 5):

    x_simulated = simulated_real_x(k)

    x_finite = finite_scalar_mul(k)
    
    print(f"\n{k}G:")
    print(f"Simulated real nums (no mod p): x ≈ {x_simulated:.1e}")
    print(f"Finite field (mod p): x = {x_finite}")

k_values = list(range(5, 101, 5))
x_simulated = [simulated_real_x(k) for k in k_values]

plt.figure(figsize=(10, 5))
plt.plot(k_values, x_simulated, 'ro-')
plt.yscale('log')
plt.title("Simulated Growth Pattern of x-coordinates for 5G, 10G,... (no mod p)")
plt.xlabel("Multiples of G (k)")
plt.ylabel("log(simulated x-coordinate)")
plt.grid(True)
plt.show()

[farou9]

so those large Xs wont show when we calculate a point that is 5th by point addition or scalar multiplication under the curve rules , but will they show when we calculate without applying mod p?

With mod p (Bitcoin's actual usage):
All coordinates wrap around p
NO large x-coordinates appear
Example (real secp256k1 point):
5G = (0x5ecbe4..., 0x769cf5...)

Without mod p (raw curve over ℝ):
Coordinates grow exponentially
 Every 5th point (5G,10G,...) has massive x-values
 Example pattern:
  5G.x = 21
  10G.x = 514
  15G.x = 26867
  20G.x = 863317

You can verify this in Python :

Code:

from ecdsa import SECP256k1
from ecdsa.ellipticcurve import Point
import matplotlib.pyplot as plt
import numpy as np

# Secp256k1 parameters
p = SECP256k1.curve.p()  
G = SECP256k1.generator  # Base point

# Over FINITE FIELD (actual Bitcoin)
def finite_scalar_mul(k):
    """ECC operation with mod p"""
    point = k * G
    return point.x()

def simulated_real_x(k):
    """real numbers"""
    return 21 * (10 ** (k//5))

# Test for multiples of 5
print("Comparison for multiples of 5G:")
for k in range(5, 26, 5):

    x_simulated = simulated_real_x(k)

    x_finite = finite_scalar_mul(k)
    
    print(f"\n{k}G:")
    print(f"Simulated real nums (no mod p): x ≈ {x_simulated:.1e}")
    print(f"Finite field (mod p): x = {x_finite}")

k_values = list(range(5, 101, 5))
x_simulated = [simulated_real_x(k) for k in k_values]

plt.figure(figsize=(10, 5))
plt.plot(k_values, x_simulated, 'ro-')
plt.yscale('log')
plt.title("Simulated Growth Pattern of x-coordinates for 5G, 10G,... (no mod p)")
plt.xlabel("Multiples of G (k)")
plt.ylabel("log(simulated x-coordinate)")
plt.grid(True)
plt.show()

 
Comparison for multiples of 5G:

5G:
Real nums (no mod p): x = 21505829891763648114329055987619236494102133314575206970830385799158076338148
Finite field (mod p): x = 21505829891763648114329055987619236494102133314575206970830385799158076338148

10G:
Real nums (no mod p): x = 72488970228380509287422715226575535698893157273063074627791787432852706183111
Finite field (mod p): x = 72488970228380509287422715226575535698893157273063074627791787432852706183111

15G:
Real nums (no mod p): x = 97505755694356382817881959832717013755620551362654128955029190924747025549326
Finite field (mod p): x = 97505755694356382817881959832717013755620551362654128955029190924747025549326

20G:
Real nums (no mod p): x = 34773495056115281091786765947597603724784643419904767525769502836017890139287
Finite field (mod p): x = 34773495056115281091786765947597603724784643419904767525769502836017890139287

25G:
Real nums (no mod p): x = 66165162229742397718677620062386824252848999675912518712054484685772795754260
Finite field (mod p): x = 66165162229742397718677620062386824252848999675912518712054484685772795754260 , ?

[nomachine]

?

Code:

from ecdsa import SECP256k1
import matplotlib.pyplot as plt

# Secp256k1 parameters
p = SECP256k1.curve.p()
G = SECP256k1.generator

def finite_mul(k):
    """ECC with mod p"""
    return (k * G).x()

def real_mul_simulation(k):
    """real number growth"""
    base = 21505829891763648114329055987619236494102133314575206970830385799158076338148
    return int(base * (2.5 ** (k//5 - 1)))

print("Comparison for multiples of 5G:")
for k in range(5, 26, 5):
    print(f"\n{k}G:")
    print(f"Simulated real nums (no mod p): x ≈ {real_mul_simulation(k)}")
    print(f"Finite field (mod p): x = {finite_mul(k)}")

k_values = list(range(5, 101, 5))
plt.figure(figsize=(10,5))
plt.plot(k_values, [real_mul_simulation(k) for k in k_values], 'ro-')
plt.yscale('log')
plt.title("Simulated Exponential Growth of x-coordinates (No Mod p)")
plt.xlabel("Multiples of G (k)")
plt.ylabel("log(x-coordinate)")
plt.grid(True)
plt.show()

[farou9]

?

Code:

from ecdsa import SECP256k1
import matplotlib.pyplot as plt

# Secp256k1 parameters
p = SECP256k1.curve.p()
G = SECP256k1.generator

def finite_mul(k):
    """ECC with mod p"""
    return (k * G).x()

def real_mul_simulation(k):
    """real number growth"""
    base = 21505829891763648114329055987619236494102133314575206970830385799158076338148
    return int(base * (2.5 ** (k//5 - 1)))

print("Comparison for multiples of 5G:")
for k in range(5, 26, 5):
    print(f"\n{k}G:")
    print(f"Simulated real nums (no mod p): x ≈ {real_mul_simulation(k)}")
    print(f"Finite field (mod p): x = {finite_mul(k)}")

k_values = list(range(5, 101, 5))
plt.figure(figsize=(10,5))
plt.plot(k_values, [real_mul_simulation(k) for k in k_values], 'ro-')
plt.yscale('log')
plt.title("Simulated Exponential Growth of x-coordinates (No Mod p)")
plt.xlabel("Multiples of G (k)")
plt.ylabel("log(x-coordinate)")
plt.grid(True)
plt.show()

Comparison for multiples of 5G:

5G:
Simulated real nums (no mod p): x ≈ 21505829891763647189493603839112105714930174046003373679412332908031823052800
Finite field (mod p): x = 21505829891763648114329055987619236494102133314575206970830385799158076338148

10G:
Simulated real nums (no mod p): x ≈ 53764574729409117973734009597780264287325435115008434198530832270079557632000
Finite field (mod p): x = 72488970228380509287422715226575535698893157273063074627791787432852706183111

15G:
Simulated real nums (no mod p): x ≈ 134411436823522782078830669922528456382616849058220265318703130412856211668992
Finite field (mod p): x = 97505755694356382817881959832717013755620551362654128955029190924747025549326

20G:
Simulated real nums (no mod p): x ≈ 336028592058807006619094091094009958299329077562753944007253627081511258816512
Finite field (mod p): x = 34773495056115281091786765947597603724784643419904767525769502836017890139287

25G:
Simulated real nums (no mod p): x ≈ 840071480147017439414709103303491669734142261531079938952390366129722052575232
Finite field (mod p): x = 66165162229742397718677620062386824252848999675912518712054484685772795754260 

Yup it's definitely exponential, but does happens to all point when no modulo p applied or is it specific for the 5th points