Pollard's kangaroo ECDLP solver

[WanderingPhilospher]

I have a question, P = kG, k is in the range of [k1, k2], I am now solving for a public key, but I don’t know the range of [k1, k2], how should I use the kangaroo.exe program, or can I explain how Estimate the range of [k1, k2]?

There is no way to estimate the range. You would have to search range from 000000000000....1 to FFFFFFFFFFF...F (1 to 256)  which would be a really long time.

Is there any way to get other information from the public key, such as X coordinate?

yes, you can get x and y from pubkey.

[1713852986]

1713852986

[1713852986]

1713852986

[1713852986]

1713852986

[1713852986]

1713852986

[COBRAS]

I have a question, P = kG, k is in the range of [k1, k2], I am now solving for a public key, but I don’t know the range of [k1, k2], how should I use the kangaroo.exe program, or can I explain how Estimate the range of [k1, k2]?

There is no way to estimate the range. You would have to search range from 000000000000....1 to FFFFFFFFFFF...F (1 to 256)  which would be a really long time.

Is there any way to get other information from the public key, such as X coordinate?

yes, you can get x and y from pubkey.

Buddy, how to extract dead kangaroo parameters from work file or enower method ?

[dex1]

-snip-
...Here is server/client (source and compiled version) for bitcrack, you also need put cu or cl version of Bitcrack.exe to client folder https://drive.google.com/file/d/1pFTvBLwTDF4GZCyDpJHwnWqfuNeOT6Ik..

@Etar would you mind sharing the source code ?


Edit: Please disregard, I got it .

[Etar]

@JeanLuc can you add G (Generator point) to params in the next release? Thanks.
if someone wants to use the suggested arulbero method, then the parameter G must be changeable. (As i understand correct)

[patatasfritas]

If you or someone who can program can work on sending hashtable to textfiles (like your export option configuration) then there would be no need for save files and merging, etc. If you give user option to export tame and wild files with any amount they wish (example 20 tame and 20 wild files), then no merging or saving. Just compare the different tame and wild files for a collision/solution. This also eliminates any RAM issues.

Once you know the structure of a workfile it is not difficult to work with this type of file. I have created a small script in python as an example, anyone can modify it to suit their needs

https://gist.github.com/PatatasFritas/a0409df4306fb1bb81f9a53e70151ddc

[COBRAS]

@JeanLuc make please option for save all dead kangaroo to .txt file in readable format ? This is needed information for understand mistake with ranges and -d param.


@JeanLuc and make please counting +/- dead kangaroo: [Dead 10] -> [Dead total: 10 ["+" 8, "-" 2 ]]

BR.

[arulbero]

@JeanLuc can you add G to params in the next release? Thanks.
if someone wants to use the suggested arulbero method, then the parameter G must be changeable. (As i understand correct)

You would need to do these changes:

- a parameter 'reuse', to indicate that you want to reuse a DP file generated for a different search task, and the indication of the difference 'xbit'
*** xbit: current bit range -  previous bit range (for example, 119 bit - 114 bit = 5 bit)

- ** recompute all the previous private keys multiplying them by 2^xbit (for example, for all the 2^33.36 DPs found by Zielar,  each single privkey k -> k' = k*(2^5) )

- the point P needs to be converted in P' = inv(2^xbit) * P  (for example, P' = inv(2^5)*P)  

- the point G needs to be converted in G' = inv(2^xbit) * G  (for example, G' = inv(2^5)*G)


** this task is not strictly necessary, it is enough, once you have found a collision, to modify only the private key of the old DP involved in the collision, to retrieve the correct private key for P (remember that the points are the same); you could insert as parameter the public key of the previous search too, in this way you can avoid to transform all the old wild kangaroos in tame kangaroos, again you could do this transformation on the fly at the end, and only for the single wild kangaroo involved in the collision

*** you can use a xbit negative too, if current bit range < previous bit range, for example inv(2^-5) = 2^5; in this case all the old DPs have the new private keys (respect to G' = 32*G) that are 1/32 of the old private keys; on average only 1/32 of the old DPs will be available for the new search in the new interval; in this case you need to compute first the private keys of all old DPs in order to choose the correct ones; but in this case it would be simpler fetching directly the old DPs that lies in the new range too, without change G

[Jean_Luc]

Hi,
I don't understand well how this can work ?
If you change G, the path will also differ as jumps are a function of the X value.

[arulbero]

Tomorrow I will also investigate how long would it take with the VanitySearch engine optimized for V100 to solve #64.
Then we will make our choice on attacking #64 or #120.

In the search of #64 you will find several points with x-coordinate with the leading 60 bits = 0. You could use them here as jumps to save space (or to use more jumps in the same space).  But in this way you can't reuse the old DPs.

There was an interesting question in a previous message of this topic:
Why paths are important and why not adding DP without computing paths ?

Using only DP:
It is like drawing a random number in a reduced space N/2^dpbit so time to solve will be O( sqrt(N/2^dpbit) )
However, it is true, that you can reach a DP faster in this way by computing consecutive points.

Using paths:
It is like drawing a bunch of 2^dpbit random points at each DP, so time to solve is O( sqrt(N)/2^dpbit )
The "gain" using path is 2^dpbit while without paths, the "gain" is only sqrt(2^dpbit)

So even if reaching a DP without path is faster, the gain is not enough to beat path.

I think that a DP worth is equal to the length of the path you computed to find it.
 
If you find a DP with 25 bits = 0 after 2^27 steps, that point should be worth like 4 points, each with 25 bits = 0 and found after 2^25 steps. It is like a DP with 25 bits = 0 is equal to a DP with 27 bits = 0.

If you reuse only the DPs you found after 2^27 steps, you will have a better ratio "space occupied / chance to find a collision"

[arulbero]

Hi,
I don't understand well how this can work ?
If you change G, the path will also differ as jumps are a function of the X value.

Jumps (the points) are the same, only their private keys are different;

instead of using, for example, 2543*G as jump, you use (2543*32)*G', where G' = inv(32)*G

in this way the DP points are the same, the jumps are the same and all the old paths are the same too.

The same interval

A = [1G, 2G...., (2^114 - 1)*G]

can be viewed as

B = [32*G', 2*32*G'...., 32*(2^114 - 1)*G']

and this interval is a subset of the interval

C = [1*G', 2*G', 3*G',...., (2^119 - 1)*G']

Note that C has the same number of elements of

D = [1*G, 2*G, ...., (2^119 - 1)*G]

but C != D.

To recap:  

A = B, A subset C
A subset D

What is the difference? Why to work in C instead of D, since the old points in A are already in D?

The advantage is that the old DPs, that lie in A, are uniformly spread out in C, while the same points are not uniformly spread out in D.

Now, P lies in the interval D, not in C, but P' = inv(32)*P does, and the private key of P' respect to G' is the same as the private key of P respect to G.

-----------------------------------------------------
Note:

C is not the original interval D = [0*G, 2*G, ...., (2^119 - 1)*G], C is a 'contraction' of D, on other hand the very original interval (where the real public key P lies) is E = [2^119 *G, ..., (2^120 - 1)*G].

Usually you shift E to D and P to P' = P - 2^119*G.

Now I suggest to add another move:

move D to C and P' to P'' = inv(32)*P' ; I call this move a 'contraction', because I divide G by 32.

[WhyMe]

Yes thanks for this tip
I'm building a map to compute with accuracy the DP overhead as I didn't yet managed to get the correct analytical expression but only the 2 asymptote (0 and infinity)
Tomorrow I will also investigate how long would it take with the VanitySearch engine optimized for V100 to solve #64.
Then we will make our choice on attacking #64 or #120.

Can you please let the #64 for normal guys not owning/renting tons of gpu ?

[brainless]

Hi,
I don't understand well how this can work ?
If you change G, the path will also differ as jumps are a function of the X value.

Jumps (the points) are the same, only their private keys are different;

instead of using, for example, 2543*G as jump, you use (2543*32)*G', where G' = inv(32)*G

in this way the points are the same and the paths are the same. The same interval

A = [1G, 2G...., (2^114 - 1)*G]

can be viewed as

B = [32*G', 2*32*G'...., 32*(2^114 - 1)*G']

and this interval is a subset of the interval

C = [1*G', 2*G', 3*G',...., (2^119 - 1)*G']

Note that C has the same number of elements of

D = [1*G, 2*G, ...., (2^119 - 1)*G]

but C != D.

To recap:  

A = B, A subset C
A subset D

What is the difference? Why using C instead of D?

The advantage is that the old DPs, that lie in A = B, lie in C too, but now they are uniformly spread out in C, while the same points are not uniformly spread out in D.

Now, P lies in the interval D, not in C, but P' = inv(32)*P does, and the private key of P' respect to G' is the same as the private key of P respect to G.

-----------------------------------------------------
Note:

C is not the original interval D = [0*G, 2*G, ...., (2^119 - 1)*G], C is a 'contraction' of D, on other hand the very original interval (where the real public key P lies) is E = [2^119 *G, ..., (2^120 - 1)*G].

Usually you shift E to D and P to P' = P - 2^119*G; note that it is like you changed G to G' = G - 2^119G.

Now I suggest to add another move:

move D to C and P' to P'' = inv(32)*P' ; I call this move a 'contraction', because I divide G by 32.

Actually you r saying upword in multiple mode
And i said long time ago downside multiple mode.

Upside *32 mean u still stand 1 part of 32 part
And down side u r stand for 32/1
So i know this stage of multiple pub keys you have 90% work n time savings.
Hope u will not understand. Other jean luc will leave everything and rush to develop multipub key search ver .
Bc after long junps in thinking he will come to this stage in last
Example i said
2 x 100 = 200
But he listening
2+2+2 till 200
2+3 till 200
2x2 x2 till 200

Hope u all moving slowly to multiple keys or multiple bits
But dont try to understand my words. As its from brainless

[Jean_Luc]

Jumps (the points) are the same, only their private keys are different;

So in practical, I let the old #115 DP as they are and for the new search #120 I use inv(32)*G instead of G ?

[brainless]

Jumps (the points) are the same, only their private keys are different;

So in practical, I let the old #115 DP as they are and for the new search #120 I use inv(32)*G instead of G ?

yes above is 1 point, and you need 2.5 points (25dp) in search
so if i generate 80 (2.5 per point) coresponding pubkeys, that could save more 80% time saving
those 80 keys only need to search in old 115bit save.work file
but i know u r hesitate to multipubkeys
so better use inv(32)*G instead of G with 1 pubeky

[arulbero]

Jumps (the points) are the same, only their private keys are different;

So in practical, I let the old #115 DP as they are and for the new search #120 I use inv(32)*G instead of G ?

Exactly.

You have to change P too, from P to P' = inv(32)*G.

The points are the same, not the distances, you have to multiply all the 32 distances of the jumps by 32.

And when you find a collision and you retrieve the private key, if the collision has happened with a old DP  T = oldprivatekey*G:


P' + distance*G' =  T  (old DP point)

P' = T - distance*G'

P' = oldprivatekey*G - distance*G'

k*G' = oldprivatekey*32*G' - distance*G'

k = (oldprivatekey*32 - distance) mod n



I suggest do not check if a DP is 'old' or not, when you have a collision you can try both way:

k = privatekey of T - distance   mod n

and

k = (privatekey of T)*32 - distance   mod n

[brainless]

Jumps (the points) are the same, only their private keys are different;

So in practical, I let the old #115 DP as they are and for the new search #120 I use inv(32)*G instead of G ?

yes above is 1 point, and you need 2.5 points (25dp) in search
so if i generate 80 (2.5 per point) coresponding pubkeys, that could save more 80% time saving
those 80 keys only need to search in old 115bit save.work file
but i know u r hesitate to multipubkeys
so better use inv(32)*G instead of G with 1 pubeky

more over
for 25dp, you can go more downbit to 25bit down, final bit range would be 95bit, but with 2.5m corresponding pubkeys
can you imagine, where you can stand in finding solution ( time and resources )

[Jean_Luc]

OK I see, I will try to implement this.
Thanks

[arulbero]

OK I see, I will try to implement this.
Thanks

Ok.

Remember: first shift P to P - 2^119*G and then inv(32)*(P - 2^119**G) = inv(32)*P - 2^(119-5)*G

inv(32)*(original P) is not correct.

You could let all the old wild DPs as they are, and computing at the end the private key only for the collision, if you store the old P (point #114) too

[j2002ba2]

Jumps (the points) are the same, only their private keys are different;

instead of using, for example, 2543*G as jump, you use (2543*32)*G', where G' = inv(32)*G

It sounds quite useless to me.

To get the benefits of kangaroo algorithm, you need to use a specific mean step.

G' makes all the steps multiple of 32, visiting only 1/32 of the points. This is instant sqrt(32) times slowdown.

The other thing is transforming P.

If it stays the same or is translated, you get 32 times bigger interval, and sqrt(32) times slowdown.

If you do P' = inv(32)*P, then you have 1/32 chance that it lays in the target interval, so 1/32 chance to solve it, 31/32 chance that algorithm takes forever.

If you do 32 parallel P' kangaroo searches, so at least one fits in the target interval, you loose sqrt advantage. Instead of sqrt(32) slowdown of #120 compared to #115, you get 32 times slowdown.

[arulbero]

Jumps (the points) are the same, only their private keys are different;

instead of using, for example, 2543*G as jump, you use (2543*32)*G', where G' = inv(32)*G

It sounds quite useless to me.

To get the benefits of kangaroo algorithm, you need to use a specific mean step.

G' makes all the steps multiple of 32, visiting only 1/32 of the points. This is instant sqrt(32) times slowdown.

Why you are visiting only 1/32 of the points? You are working in a interval with more points, then it is normal to use larger jumps.

The optimal would be increase the length of the jumps by sqrt(32) instead of 32, but you have to increase it.

If you do P' = inv(32)*P, then you have 1/32 chance that it lays in the target interval, so 1/32 chance to solve it, 31/32 chance that algorithm takes forever.

I didn't understand that.