mmdough
July 14, 2011, 09:01:53 PM
And follow the instructions on bitbills to import.
THAT'S what I was trying to figure out. Too bad it doesn't seem to work
|
|
|
|
casascius (OP)
Mike Caldwell
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
July 14, 2011, 09:07:21 PM
How to convert 32 byte hex private key into Base58-key that can be imported into a wallet...
1. take your 32 bytes...
2. tack 0x80 on at the beginning as the first byte (so now you have 33 bytes)
3. take sha256(sha256(those 33 bytes))
4. tack the first 4 bytes of the result of step 3 onto the end (so now you have 37 bytes)
5. compute base58 of the resulting 37 bytes
Base58 key will always start with a '5' in part because of the constant 0x80 being the first byte.
Working Microsoft C# code that does it:

    // Needs: using System; using System.Security.Cryptography;
    // plus the BouncyCastle library for BigInteger.

    private string ByteArrayToBase58Check(byte[] ba)
    {
        // it is assumed that ba is 33 bytes long and starts with 0x80
        byte[] bb = new byte[ba.Length + 4];
        Array.Copy(ba, bb, ba.Length);
        SHA256CryptoServiceProvider sha256 = new SHA256CryptoServiceProvider();
        // double SHA-256; the first 4 bytes of the result are the checksum
        byte[] thehash = sha256.ComputeHash(ba);
        thehash = sha256.ComputeHash(thehash);
        for (int i = 0; i < 4; i++) bb[ba.Length + i] = thehash[i];
        return ByteArrayToBase58(bb);
    }

    private string ByteArrayToBase58(byte[] ba)
    {
        // treat the bytes as one big unsigned (sign = 1) big-endian integer
        Org.BouncyCastle.Math.BigInteger addrremain = new Org.BouncyCastle.Math.BigInteger(1, ba);
        Org.BouncyCastle.Math.BigInteger big0 = new Org.BouncyCastle.Math.BigInteger("0");
        Org.BouncyCastle.Math.BigInteger big58 = new Org.BouncyCastle.Math.BigInteger("58");

        string b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
        string rv = "";

        // repeated division by 58; remainders are the digits, least significant first
        while (addrremain.CompareTo(big0) > 0)
        {
            int d = Convert.ToInt32(addrremain.Mod(big58).ToString());
            addrremain = addrremain.Divide(big58);
            rv = b58.Substring(d, 1) + rv;
        }

        // handle leading zeroes
        foreach (byte b in ba)
        {
            if (b != 0) break;
            rv = "1" + rv;
        }
        return rv;
    }
|
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
gentakin
July 14, 2011, 09:21:13 PM
I studied the vanitygen code, and I probably figured it out. Just noticed your C# explanation now. (edit: Huh, if I remember correctly, I only used sha256 once... So this is maybe not going to work..?) I did a -rescan and the 0.25 showed up. Then it took me another minute to figure out an amount where bitcoin wouldn't complain about transaction fees. Now waiting to see if my transaction goes through or if someone was faster than me. Anyway, it was fun! Thanks a lot for the challenge.
|
1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
|
|
|
julz
July 14, 2011, 09:22:18 PM
lol.. well there goes my theory that casascius was throwing out this little puzzle to demonstrate how easy and convenient it is to import the keys from paper wallets!
|
@electricwings BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
|
|
|
mmdough
July 14, 2011, 09:25:06 PM
lol.. well there goes my theory that casascius was throwing out this little puzzle to demonstrate how easy and convenient it is to import the keys from paper wallets!
That's what I figured, too. I did a google search for "Plain Sight Bitcoin" and found http://sprucecodes.com/ who cross-promotes the paper wallets heavily. SO SURE I was on the right track! Ah well, kept me from cleaning the house for a few hours :-P. Congrats to the skillful winner!
|
|
|
|
SgtSpike
July 14, 2011, 09:28:59 PM
I studied the vanitygen code, and I probably figured it out. Just noticed your C# explanation now. (edit: Huh, if I remember correctly, I only used sha256 once... So this is maybe not going to work..?) I did a -rescan and the 0.25 showed up. Then it took me another minute to figure out an amount where bitcoin wouldn't complain about transaction fees. Now waiting to see if my transaction goes through or if someone was faster than me. Anyway, it was fun! Thanks a lot for the challenge.
Care to elaborate? Once the transaction goes through, of course...
|
|
|
|
gentakin
July 14, 2011, 09:29:39 PM
There is no winner yet! My transaction shows up at bitcoincharts.com/bitcoin, however it is listed as low priority. So.. if it works, I will be asleep by that time. The last block was found 30 minutes ago.. come on. I can't wait any longer.. I will check tomorrow, and if I see the BTC in my wallet, I will update here to explain how it worked.
|
|
|
casascius (OP)
Mike Caldwell
July 14, 2011, 09:38:16 PM
lol.. well there goes my theory that casascius was throwing out this little puzzle to demonstrate how easy and convenient it is to import the keys from paper wallets!
That's just it, it's not yet easy. I was mainly trying to show that Bitcoins can be hidden in short amounts of plain text. Any text will do, as long as it's not too short that it can be guessed by brute force. An entire wallet could be generated from a short amount of plain text as well - simply by adding a counter onto the end of the string. That's been proposed as a "deterministic wallet". If done that way, one would never need to back it up, as long as they kept the original string safe and secure.
|
|
|
randomguy7
July 14, 2011, 09:41:20 PM Last edit: July 14, 2011, 09:52:11 PM by randomguy7
Wild guess: the string is base58. Decode it, import resulting 32 bytes as private key, grab a cookie
edit: Are i and l allowed in base58? Afaik not, will this produce some result when trying to decode it or will it fail?
|
|
|
|
willphase
July 14, 2011, 09:55:26 PM
Wild guess: the string is base58. Decode it, import resulting 32 bytes as private key, grab a cookie
edit: Are i and l allowed in base58? Afaik not, will this produce some result when trying to decode it or will it fail?
i (eye) is allowed but l (ell) isn't. Annoying for someone with L's in my name... it's hard to keep up with the 1JonesesnUrF3mMFYmJbKHzRrvpdUP7Tke with an L in your name...
Will
|
|
|
|
EricJ2190
July 14, 2011, 10:03:35 PM Last edit: July 14, 2011, 10:46:10 PM by EricJ2190
It was claimed while I was trying to do so myself. Somebody beat me to it. Anyway, the secret is that the SHA-256 hash of the string is the private key for that address.
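The five steps from casascius's post, the Base58 alphabet question, and the SHA-256-of-the-string scheme described just above, as an added example (not code from any poster in this thread): it encodes a 32-byte key, decodes it back while rejecting characters outside the alphabet and bad checksums, and derives a key from text. All function names are hypothetical, and the sample text is constructed.

```python
import hashlib

# Alphabet as given in the C# post: no 0, O, I or l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, d = divmod(n, 58)
        out = B58[d] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in B58:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def checksum(payload: bytes) -> bytes:
    # step 3: first 4 bytes of sha256(sha256(payload))
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def key_to_wif(key32: bytes) -> str:
    if len(key32) != 32:
        raise ValueError("private key must be 32 bytes")
    payload = b"\x80" + key32                      # step 2
    return b58encode(payload + checksum(payload))  # steps 4 and 5

def wif_to_key(wif: str) -> bytes:
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if len(raw) != 37 or payload[0] != 0x80:
        raise ValueError("not a 37-byte key starting with 0x80")
    if checksum(payload) != check:
        raise ValueError("checksum mismatch (mistyped key?)")
    return payload[1:]

def passphrase_to_key(text: str) -> bytes:
    # the scheme revealed above: private key = SHA-256 of the string
    return hashlib.sha256(text.encode("utf-8")).digest()

if __name__ == "__main__":
    wif = key_to_wif(passphrase_to_key("constructed sample text"))
    print(wif, wif_to_key(wif).hex())
```

The 4-byte checksum is what lets an importer reject a mistyped key instead of silently importing a different one.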
|
|
|
|
spruce
July 14, 2011, 10:11:07 PM
I was mainly trying to show that Bitcoins can be hidden in short amounts of plain text. Any text will do, as long as it's not too short that it can be guessed by brute force.
Yeah, that's actually pretty neat. I've been doing it the other way round, i.e. starting with a specific address and key and then obfuscating the key somehow. It hadn't occurred to me to start with some convenient text and then generate a private key and public address from that. Hey Casascius — you could include in your business creating public/private keys on paper based on a specific passphrase. I don't know how popular that would be, although there is no real difference in the trust involved. I think I prefer my unbreakable one-time code. Apart from the slight problem that I don't know of a simple way for someone not a computer genius to get their bitcoins out again.
|
|
|
|
|
casascius (OP)
Mike Caldwell
July 14, 2011, 10:35:16 PM
Here is also why I became interested in hiding bitcoins in strings:
I have considered making some sort of physical bitcoins (like coins, or poker chips, or whatever) - who knows if I'll do it - but it occurred to me that hiding 51 legible characters in a small object might be difficult. But I thought that if I could hide even 20 characters, and simply define the private key as SHA256 of those 20 characters, that it would be just as secure.
|
|
|
SgtSpike
July 14, 2011, 10:51:19 PM
Time to start SHA-256ing dictionary words to see if the bitcoin addresses that match have a balance.
|
|
|
|
casascius (OP)
Mike Caldwell
July 14, 2011, 10:59:25 PM
Time to start SHA-256ing dictionary words to see if the bitcoin addresses that match have a balance.
A brute force attack on keys like this would be computationally intensive. Getting the bitcoin address from the private key requires a slow EC point multiplication. It would run as slowly as a vanity bitcoin address search, and would be difficult to port to a GPU due to recursion. I could see a future bitcoin client allowing redemption of coins sitting on "passphrases", and the creation of those same passphrases, and suckers choosing poor passphrases as places to put their coins.
|
|
|
sgravina
July 15, 2011, 12:09:59 AM
"This string contains 0.25 BTC hiding in plain sight."
Whoever can first figure out how I have hidden the 0.25 BTC gets it. The 0.25 BTC are waiting for you at 1AJ3vE2NNYW2Jzv3fLwyjKF1LYbZ65Ez64 (just sent it now).
This is real cute but I don't think the puzzle as presented was accurate. The string holds the private key. But you need the private key and the address to spend the bitcoins. The second sentence is necessary to find the bitcoins. Sam
|
|
|
|
casascius (OP)
Mike Caldwell
July 15, 2011, 12:15:09 AM
"This string contains 0.25 BTC hiding in plain sight."
Whoever can first figure out how I have hidden the 0.25 BTC gets it. The 0.25 BTC are waiting for you at 1AJ3vE2NNYW2Jzv3fLwyjKF1LYbZ65Ez64 (just sent it now).
This is real cute but I don't think the puzzle as presented was accurate. The string holds the private key. But you need the private key and the address to spend the bitcoins. The second sentence is necessary to find the bitcoins. Sam
It actually was not necessary. The address can be computed from the private key. I gave the address to prove the existence of the bounty and as a hint.
|
|
|
sgravina
July 15, 2011, 12:30:48 AM
It actually was not necessary. The address can be computed from the private key. I gave the address to prove the existence of the bounty and as a hint.
So every address has a unique private key. The private key can generate the address but each address can't generate a private key? Is that true? Sam
|
|
|
|
DamienBlack
July 15, 2011, 02:33:22 AM
It actually was not necessary. The address can be computed from the private key. I gave the address to prove the existence of the bounty and as a hint.
So every address has a unique private key. The private key can generate the address but each address can't generate a private key? Is that true? Sam
That is exactly it. Bends the mind a little bit the first time you hear of such one-way functions. But the math is solid.
|
|
|
|
|