ytrezq
August 12, 2025, 09:43:54 AM
A completely new class of method for computing discrete logarithms

This paper seems to be about a specific case http://web.archive.org/web/20250725043122/https://cr.yp.to/dlog/cuberoot-20120919.pdf but in reality, the method is generic. They talk about small discrete logarithms in the same vein that Pollard rho has a complexity too high to handle large discrete logarithms… Victor Shoup theorized that no generic discrete logarithm solving method could perform better than x^(1/2). This is indeed the complexity of Pollard Kangaroo and Pollard rho. But he also theorized that an algorithm with precomputation can yield at best a complexity of x^(1/3) which means the lower bound to break full sized secp256k1 is far less than the 2^128 estimated security. This paper is indeed diving in that class of faster speed at the expense of memory storage. Anyone to turn its mathematical description into implementation?

Yes. That paper is the very basis of everything I was talking about numerous times, when saying that the DLP can be solved much faster. You can also see it in practice whenever you hear anyone talking about precomputed data. Note that reaching the 1/3 exponent complexity also requires doing the 2/3 exponent pre-work, so for secp256k1, if you want to reach that lower bound, you first have to do 2**170 group operations (and also storing a very large amount of data, depending on the desired DP frequency; in any case, much much more than the number of bits in all the storage drives in existence, raised to the power of 2). And another thing is that that 1/3 + 2/3 refers to an optimal tradeoff between precomputed effort and solving effort, because there's nothing (except memory and time limits) stopping anyone from computing the full log, storing it, and solving any key in a single O(1) lookup step. And nothing stopping anyone from computing, let's say, half of the full log domain, and solving any key in 2 steps. And so on and so forth.

No, because as far as I understand, in the case of http://web.archive.org/web/20250725043122/https://cr.yp.to/dlog/cuberoot-20120919.pdf the complexity is decreased by the square of the size of the table. And anyway, the challenge here indeed involves computing several discrete logarithms so reusing precomputation would be worthwhile compared to sticking to Pollard kangaroo, isn't it?

kTimesG
August 12, 2025, 09:56:32 AM
In theory, yes. In practice, the algorithm you use may or may not allow you to reuse the precomputed data, because you have to factor in the fact that the DLPs are in a higher and higher range, and the data you precomputed might have only been optimal up to a limiting upper bound (otherwise, it would have been inefficient in solving the very first DLP). To sum it up: this is only useful if one wants to solve a large amount of DLPs, up to some upper bound. For example, all the puzzles up to 120 bits, in absence of having any pubKeys already, can use a precomputed data that allows ANY 120 or lower bits key to be found. For example, it can solve Puzzle 1, 2, 3, 4, .... 70, 71, 72, .... 115, 116... up to 120 bits. But it will have a 50% chance of failing to find a 121-bits key, a 75% chance of failing to find a 122 bits key, etc. because the new keys may be outside the precomputed domain and finding them may or may not be possible. It is useless to do it for puzzles that are unsolved and have the pubKey exposed, because in THAT case, the most efficient algorithm is to simply merge the precomputing with the solving, to obtain the minimum effort (e.g. 1/2 + 1/2 exponents, times whatever constant factor + any overheads).
Off the grid, training pigeons to broadcast signed messages.
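
The reuse limit discussed in the two posts above, as an added example that is not part of any post in this thread: a table precomputed once answers every discrete log below its upper bound, and misses 50% and 75% of keys drawn from ranges two and four times larger. It uses textbook baby-step giant-step in a toy group modulo 65537, a simpler tradeoff than the distinguished-point method of the linked paper (online work N/T instead of sqrt(N/T)); `P`, `G` and all function names are constructed for illustration.

```python
"""Toy model of a reusable precomputed discrete-log table (constructed parameters)."""

P = 65537  # Fermat prime used as a toy modulus; nothing like secp256k1 in size
G = 3      # primitive root mod 65537, so G has order 65536


def precompute(table_size):
    """Baby steps: map G^j -> j for j in [0, table_size). Built once, reused for every target."""
    table = {}
    h = 1
    for j in range(table_size):
        table[h] = j
        h = h * G % P
    return table


def solve(target, table, giant_steps):
    """Return k in [0, len(table) * giant_steps) with G^k == target, or None if k is outside."""
    m = len(table)
    step = pow(G, -m, P)  # G^(-m) mod P (needs Python 3.8+)
    y = target
    for i in range(giant_steps):
        j = table.get(y)
        if j is not None:
            return i * m + j
        y = y * step % P  # strip another m from the unknown exponent
    return None


def failure_rate(key_bits, table, giant_steps):
    """Fraction of all keys in [0, 2^key_bits) that the fixed table and step budget cannot find."""
    total = 1 << key_bits
    misses = sum(
        1 for k in range(total)
        if solve(pow(G, k, P), table, giant_steps) != k
    )
    return misses / total


if __name__ == "__main__":
    # Table of 64 entries with a budget of 64 online steps covers keys below 64 * 64 = 2^12.
    table = precompute(64)
    for bits in (12, 13, 14):
        print(f"{bits}-bit key range: failure rate {failure_rate(bits, table, 64):.2f}")

    # A larger table shortens the online phase for the same 2^12 domain:
    # 256 entries need only 4096 / 256 = 16 online steps per key.
    bigger = precompute(256)
    print("12-bit range, 256-entry table, 16 steps:", failure_rate(12, bigger, 16))
```
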

krems_hive
August 12, 2025, 06:23:17 PM
Wanted to ask, given the latest puzzle and last couple of solved puzzles are unprofitable to crack by renting from, say vast.ai or clore.ai, what do you guys think these people who cracked last couple of puzzles rented those 1000s of GPUs?
Current prices say they should spend around 1.5 million usd to crack 6.9 btc puzzle which is not at all profitable. So, how are they doing it? Stolen/hacked GPU compute?

Cricktor
August 12, 2025, 09:47:16 PM
I think it is technically possible to prove, that you are the real solver. Which means, that everyone would know, if coins were stolen or not. Solvers just don't use such proofs, but it can be done.
I'm trying to understand what you try to impose for a "real solver". Did the puzzle creator specify what "real solving" means? I don't think so. The puzzle creator offered puzzles to be solved by any means, AFAIR. The stated analogy by someone here of some thief waiting at the bank's door for someone who just collected some cash in the bank is plain stupid. In my jurisdiction a theft is defined as taking away physical things that you don't own which would be difficult for digital coins anyway, but that's not the point. Taking someone else's cash in such a situation, usually by necessary force, is theft, no need to argue over that. A grinding solver broadcasting a vulnerable transaction in the public doesn't own the coins until the transaction is actually confirmed. Am I wrong with this? I'd love to hear why, seriously! Normal Bitcoin transactions are safe because there's not enough energy and time on this planet to find the same private key(s) that allows to sign a transaction to move coins secured by high entropy random private key(s). This is the simple safety of very very large random numbers. Mathematically it is totally possible that you find the same private key(s) that I use to secure my coins. It's not impossible, it's just so utterly unlikely and improbable that I've no worries about my coins. Even if you try a billion times per second for whatnot many years, it's still not likely you will ever find a funded private key by random chance. Exposing a vulnerable public key in public mempools opens the opportunity to use faster methods than brute-force grinding of the private key. If a real grinding solver ignores this, whose fault is this, seriously? Bots don't steal the private key, they find it with faster methods because it is possible to use those faster methods from publicly available data that is open to everyone! This is the consequence of publicly known weak and vulnerable low entropy private keys. Do not ignore this simple fact.
What exactly is wrong or unethical or whatnot to use publicly available data to find a private key faster that allows you to sign a transaction to move coins that are "controlled" by such a vulnerable low entropy private key? The root problem is the vulnerable low entropy private key where you risk exposure of it with public transactions. You should not publish transactions in the open public for such vulnerable low entropy private keys because public exposure of their matching public keys is not safe. It's maybe drifting away from the topic of this mega-thread. How do we define "ownership" of coins? The owner has a "normal" private key to move those coins. Owner's duty is to keep this private key secret, at all cost. If it's a strong entropy private key, it's totally improbable that someone else could gain possession of the same private key by random chance and/or grinding. Stealing those coins would be only possible by taking away the sole possession of a safe private key from the "owner" of that private key. Hm, it's getting difficult. I don't neglect moral aspects, even when it seems so. I'm happy if someone points out moral flaws.

maseratti007
August 13, 2025, 09:20:06 AM
Heya! How many threads (-t) did you use to get that speed? Thanks!

kTimesG
August 13, 2025, 09:31:59 AM
Wanted to ask, given the latest puzzle and last couple of solved puzzles are unprofitable to crack by renting from, say vast.ai or clore.ai, what do you guys think these people who cracked last couple of puzzles rented those 1000s of GPUs?
Current prices say they should spend around 1.5 million usd to crack 6.9 btc puzzle which is not at all profitable. So, how are they doing it? Stolen/hacked GPU compute?
Large scale GPU grids over long-term contracts, possibly interruptible instances for an even cheaper price. And obviously, very fast software and a bullet-proof distributed communication system to sync work. If you think the puzzles are solvable by clicking "Rent" buttons and uploading some binaries to print BS on the terminal shell, too bad.
Off the grid, training pigeons to broadcast signed messages.

viljy
August 13, 2025, 09:46:54 AM
~ Hm, it's getting difficult. I don't neglect moral aspects, even when it seems so. I'm happy if someone points out moral flaws.
Logically, everything is correct. A puzzle solver does not acquire ownership of coins just by finding the key. His responsibility is also to protect his potential property (for example, by sending a transaction through Mara). If he did not do this, then the bot that used RBF and received the coins becomes the owner. Because ownership initially belongs to the creator of the puzzle and is transferred by the creator to anyone who takes the coins as a reward. However, on the other hand, the condition and basis for acquiring ownership of coins is to find the key directly. That is, not from the sent transaction - not from the public key disclosed in the mempool, since in this case the key has already been found earlier. Then the use of RBF is not a basis for acquiring ownership rights. Because it was not specified by the creator of the puzzle. So it's not all that clear. In other words, is the ownership of the one who finds the key second (from the transaction) legitimate? My subjective opinion is no. Since this does not meet the main purpose of the puzzle (testing the security of keys) and such a condition for acquiring ownership of the reward is not explicitly stipulated by the creator of the puzzle.

Wanderingaran
August 13, 2025, 01:56:20 PM
In other words, is the ownership of the one who finds the key second (from the transaction) legitimate? My subjective opinion is no. Since this does not meet the main purpose of the puzzle (testing the security of keys) and such a condition for acquiring ownership of the reward is not explicitly stipulated by the creator of the puzzle.

This is a loophole in the puzzle's design, not a flaw in Bitcoin itself. The solver’s failure to protect their claim (e.g., by using tools like Mara or broadcasting with high fees) could be seen as negligence in a competitive environment. This ambiguity is why clear rules (or better puzzle designs) are needed. Without them, the "law of the jungle" (or in this case, the law of the mempool) prevails. The creator’s statement clarifies: https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941 The puzzle is a measuring instrument for the "cracking strength of the community." It rewards brute-force tools (like the "Large Bitcoin Collider"), not mempool-sniping bots. There’s no mention of RBF, transaction racing, or ownership transfer via mempool spies. This implies the creator intended the reward to go to whoever cryptographically solves the key and not to opportunistic bots that exploit transaction propagation. The creator could argue: The bot did not solve the puzzle as intended. It exploited a loophole (mempool snooping) unrelated to cryptographic security. This violates the spirit of the experiment (transaction racing). If the creator’s identity is known, they might try to argue theft under "unauthorized access" laws but this is untested.

brainless
August 13, 2025, 02:14:37 PM
In other words, is the ownership of the one who finds the key second (from the transaction) legitimate? My subjective opinion is no. Since this does not meet the main purpose of the puzzle (testing the security of keys) and such a condition for acquiring ownership of the reward is not explicitly stipulated by the creator of the puzzle.

This is a loophole in the puzzle's design, not a flaw in Bitcoin itself. The solver’s failure to protect their claim (e.g., by using tools like Mara or broadcasting with high fees) could be seen as negligence in a competitive environment. This ambiguity is why clear rules (or better puzzle designs) are needed. Without them, the "law of the jungle" (or in this case, the law of the mempool) prevails. The creator’s statement clarifies: https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941 The puzzle is a measuring instrument for the "cracking strength of the community." It rewards brute-force tools (like the "Large Bitcoin Collider"), not mempool-sniping bots. There’s no mention of RBF, transaction racing, or ownership transfer via mempool spies. This implies the creator intended the reward to go to whoever cryptographically solves the key and not to opportunistic bots that exploit transaction propagation. The creator could argue: The bot did not solve the puzzle as intended. It exploited a loophole (mempool snooping) unrelated to cryptographic security. This violates the spirit of the experiment (transaction racing). If the creator’s identity is known, they might try to argue theft under "unauthorized access" laws but this is untested.

Here role of cryptography community inform to miners development authority for apply rbf at user level as previous work, that's only way is user protection
13sXkWqtivcMtNGQpskD78iqsgVy9hcHLF

Bram24732
August 13, 2025, 02:15:51 PM
Wanted to ask, given the latest puzzle and last couple of solved puzzles are unprofitable to crack by renting from, say vast.ai or clore.ai, what do you guys think these people who cracked last couple of puzzles rented those 1000s of GPUs?
Current prices say they should spend around 1.5 million usd to crack 6.9 btc puzzle which is not at all profitable. So, how are they doing it? Stolen/hacked GPU compute?
Large scale GPU grids over long-term contracts, possibly interruptible instances for an even cheaper price. And obviously, very fast software and a bullet-proof distributed communication system to sync work. If you think the puzzles are solvable by clicking "Rent" buttons and uploading some binaries to print BS on the terminal shell, too bad.

A mix of all that. Private contracts with economies of scale. Cheapest vast and clore instances. Fast code. Ability to restart on error without losing progress for interruptible instances.

Akito S. M. Hosana
August 13, 2025, 02:19:12 PM
In other words, is the ownership of the one who finds the key second (from the transaction) legitimate? My subjective opinion is no. Since this does not meet the main purpose of the puzzle (testing the security of keys) and such a condition for acquiring ownership of the reward is not explicitly stipulated by the creator of the puzzle. This violates the spirit of the experiment (transaction racing). If the creator’s identity is known, they might try to argue theft under "unauthorized access" laws but this is untested. Ayo, my dude, you out here writing dissertations like you the puzzle man’s pro bono lawyer or somethin’!  Who put you on retainer? You getting a cut of that BTC or just a really strong opinion? Bruh, if the creator wanted rules, he shoulda wrote ’em in the blockchain ain’t no fine print in the mempool! Dude stayed anonymous like a scared witness, and now you out here defending his ‘spirit of the experiment’ like it’s a Supreme Court case. Man’s probably sippin’ a margarita somewhere in Dubai laughing at y’all fighting over his ghost rules. 

mahmood1356
August 14, 2025, 03:44:30 AM Last edit: August 14, 2025, 09:10:49 AM by mahmood1356
In other words, is the ownership of the one who finds the key second (from the transaction) legitimate? My subjective opinion is no. Since this does not meet the main purpose of the puzzle (testing the security of keys) and such a condition for acquiring ownership of the reward is not explicitly stipulated by the creator of the puzzle.

This is a loophole in the puzzle's design, not a flaw in Bitcoin itself. The solver’s failure to protect their claim (e.g., by using tools like Mara or broadcasting with high fees) could be seen as negligence in a competitive environment. This ambiguity is why clear rules (or better puzzle designs) are needed. Without them, the "law of the jungle" (or in this case, the law of the mempool) prevails. The creator’s statement clarifies: https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941 The puzzle is a measuring instrument for the "cracking strength of the community." It rewards brute-force tools (like the "Large Bitcoin Collider"), not mempool-sniping bots. There’s no mention of RBF, transaction racing, or ownership transfer via mempool spies. This implies the creator intended the reward to go to whoever cryptographically solves the key and not to opportunistic bots that exploit transaction propagation. The creator could argue: The bot did not solve the puzzle as intended. It exploited a loophole (mempool snooping) unrelated to cryptographic security. This violates the spirit of the experiment (transaction racing). If the creator’s identity is known, they might try to argue theft under "unauthorized access" laws but this is untested.

Here role of cryptography community inform to miners development authority for apply rbf at user level as previous work, that's only way is user protection

In my opinion, if the forum were to take care of the final step, for example, by allocating a section to provide the key so that anyone could solve it and obtain the key, present it in the relevant section, and the forum would take care of the transfer, then no one's rights would be lost or stolen. Of course, it should also be considered that finding the key to the puzzle is like finding a treasure or a cache. When you find the treasure, it's a headache at first and you have to find a way to sell it. Finding the key to the puzzles is one difficulty, and transferring the funds inside is the next difficulty. So perhaps the creator of the puzzles also agrees with this new challenge!!

krems_hive
August 14, 2025, 03:24:24 PM Last edit: August 14, 2025, 09:29:27 PM by Mr. Big
Wanted to ask, given the latest puzzle and last couple of solved puzzles are unprofitable to crack by renting from, say vast.ai or clore.ai, what do you guys think these people who cracked last couple of puzzles rented those 1000s of GPUs?
Current prices say they should spend around 1.5 million usd to crack 6.9 btc puzzle which is not at all profitable. So, how are they doing it? Stolen/hacked GPU compute?
Large scale GPU grids over long-term contracts, possibly interruptible instances for an even cheaper price. And obviously, very fast software and a bullet-proof distributed communication system to sync work. If you think the puzzles are solvable by clicking "Rent" buttons and uploading some binaries to print BS on the terminal shell, too bad. I agree 100%. But I have checked 10s of websites and cheapest ones are vast.ai interruptible ones. And you can't rent more than 200 GPUs without price going up massively. Using that as benchmark I got 1.5 mil price tag. It will take 5k 4090 GPUs * 114 days (total of 13.7m gpu hrs) to solve 69 puzzle which is 2^68 keys of work. At cheap prices of 0.1 usd/gpu/hr it costs 1.37m usd. Based on info from chatgpt, even for datacenters running at 2 cents/kwh and 5 year depreciation on hardware - it costs 800k. Which barely breaks even. We should also note that this particular puzzle 69, the key was unusually beginning of the search space which is an absolute win if the cracker was working on batches sequentially. In any case, puzzle 68 was profitable for data centers and break even for bulk renters. Puzzle 69 is break even for data centers. So, puzzle 71 (which is 4x harder and resource intensive than 69) in theory should be uncrackable. Unless you have compromised a whole data center and stealing their 1000s of GPU compute resources and they didn't notice for months. What are your thoughts on this?
Wanted to ask, given the latest puzzle and last couple of solved puzzles are unprofitable to crack by renting from, say vast.ai or clore.ai, what do you guys think these people who cracked last couple of puzzles rented those 1000s of GPUs?
Current prices say they should spend around 1.5 million usd to crack 6.9 btc puzzle which is not at all profitable. So, how are they doing it? Stolen/hacked GPU compute?
Large scale GPU grids over long-term contracts, possibly interruptible instances for an even cheaper price. And obviously, very fast software and a bullet-proof distributed communication system to sync work. If you think the puzzles are solvable by clicking "Rent" buttons and uploading some binaries to print BS on the terminal shell, too bad.

A mix of all that. Private contracts with economies of scale. Cheapest vast and clore instances. Fast code. Ability to restart on error without losing progress for interruptible instances.

Could you name some of the data centers which could beat vast.ai interruptible pricing? I have 100s of GPUs running on vast.ai and clore.ai. I would love to rent 1000s more of consumer grade GPUs for a task not related to this puzzle tx.

brainless
August 14, 2025, 04:58:33 PM
Simple calc Any report bitcrack or similar when u set from end bit range it's tell u how much time, resulted multiple thousand years, And actually you see difference from 67 to 69 within 1 year 3 keys found , and most some individual with 1 or few one GPU, it's mean clear your thoughts not calc Simple using these gpu with formula or strategy can reduce multiple years to few months, As I stated before 71 puzzle could be found with 1000 gpu max 7 days... If you have less GPUs you can try to find puzzle 135 with my strategy,
13sXkWqtivcMtNGQpskD78iqsgVy9hcHLF

kTimesG
August 14, 2025, 06:05:31 PM
It will take 5k 4090 GPUs * 114 days (total of 13.7m gpu hrs) to solve 69 puzzle which is 2^68 keys of work.
At cheap prices of 0.1 usd/gpu/hr it costs 1.37m usd.
I think 0.1 isn't cheap. And also you assume that a 4090 can only do 7 GK/s just because that's the fastest public SW. Anyway, 69 was too risky from the start.
Off the grid, training pigeons to broadcast signed messages.

crytoestudo
August 14, 2025, 08:47:48 PM
4090 7 GK? Not even the 5090 does that. It will take 5k 4090 GPUs * 114 days (total of 13.7m gpu hrs) to solve 69 puzzle which is 2^68 keys of work.
At cheap prices of 0.1 usd/gpu/hr it costs 1.37m usd.
I think 0.1 isn't cheap. And also you assume that a 4090 can only do 7 GK/s just because that's the fastest public SW. Anyway, 69 was too risky from the start.

Virtuose
August 15, 2025, 04:14:46 AM
During my test with a modified KeyQuest (cpu), I found instant the private key of puzzle 65. I guess I got lucky but it's really surprising! So I think random can also bring luck sometimes.

Bram24732
August 15, 2025, 04:52:31 AM
Could you name some of the data centers which could beat vast.ai interruptible pricing? I have 100s of GPUs running on vast.ai and clore.ai. I would love to rent 1000s more of consumer grade GPUs for a task not related to this puzzle tx.
DM me a contact email and a quick recap of what you’re looking for. I’ll message the people I had private deals with for 67 and 68 to see if they are interested.

krems_hive
August 15, 2025, 07:22:18 AM
It will take 5k 4090 GPUs * 114 days (total of 13.7m gpu hrs) to solve 69 puzzle which is 2^68 keys of work.
At cheap prices of 0.1 usd/gpu/hr it costs 1.37m usd.
I think 0.1 isn't cheap. And also you assume that a 4090 can only do 7 GK/s just because that's the fastest public SW. Anyway, 69 was too risky from the start. What would you say is cheap price for 4090 renting in bulk say 1000 nos or more for 6 months? Also any guess on cracking rate of private repos on 4090 with super optimized cuda/ptx code?

krems_hive
August 15, 2025, 07:31:39 AM
I have a bunch of unused 4090s and 5090s lying around. Could you point me to the latest and most optimised public repo/codebase to run? I can share some benchmarks here. 4090 7 GK? Not even the 5090 does that. It will take 5k 4090 GPUs * 114 days (total of 13.7m gpu hrs) to solve 69 puzzle which is 2^68 keys of work.
At cheap prices of 0.1 usd/gpu/hr it costs 1.37m usd.
I think 0.1 isn't cheap. And also you assume that a 4090 can only do 7 GK/s just because that's the fastest public SW. Anyway, 69 was too risky from the start.