Bitcoin Forum
Author Topic: Can Bitcoin be hacked? Has it ever been hacked?  (Read 240 times)
btc-room101 (OP)
April 19, 2021, 02:48:14 AM
 #1

Is it true that people can get private keys from public keys?

That people can randomly generate private keys and match the generated addresses to valuable addresses? Is any of this true?
ranochigo
April 19, 2021, 02:51:51 AM
Merited by Jet Cash (5), pooya87 (1), BlackHatCoiner (1)
 #2

Quote
Is it true that people can get private keys from public keys?
No, the complexity of something like this is too high. With a quantum computer, you can lower the difficulty sufficiently with Shor's Algorithm. Problem being that currently none of the quantum computers are anywhere near the required qubit.

Quote
That people can randomly generate private keys and match the generated addresses to valuable addresses?
Yes. They probably wouldn't be able to find one though. The key space is way too big and the probability of getting another address which has already been used before is astronomically low.

bitmover
April 19, 2021, 02:54:32 AM
 #3

Quote
Is it true that people can get private keys from public keys?

That people can randomly generate private keys and match the generated addresses to valuable addresses? Is any of this true?

I posted this image some time ago. It is very illustrative.

The amount of possibilities is so big that our human mind cannot understand it.

In simple terms: You cannot randomly generate private keys and find some coins. It is much easier to play and win in the lottery.

Your money is secured by the laws of the universe.


source: https://www.reddit.com/r/Bitcoin/comments/1ohwvu/bitcoin_your_money_is_secured_by_the_laws_of_the/

pooya87
April 19, 2021, 03:15:42 AM
Merited by Jet Cash (5)
 #4

If it were possible bitcoin wouldn't have survived past the first month let alone reach 12 years and a price of nearly $60,000. People have been trying to "hack" bitcoin for as long as it existed, eventually they all either give up when they finally understand it is not possible and some of them end up trying another method to steal other people's money like publishing a malicious application for others to download and infect their computer so that they can steal their money.

btc-room101 (OP)
April 19, 2021, 03:40:24 AM
 #5

Well a better argument is 2^256 is 10^77, and there are 10^76 known sub-atomic particles in the known universe ( that we can see and/or estimate )

So finding that 'key' of 10^77 permutations is like finding a lost electron in the universe, which is far more complex than just sun.

...

Obvious history is that brainflayer found 1,000s of bitcoins, because people used low-entropy keys generated from human dictionaries

That hack now is game-over

Say there are 300M addresses, but I would say less than 10k have real value, so randomly you're looking for 3*10^8 objects, let's say your gpu generates 2500M/sec as hashes, and tests them on an onboard bloom-filter, so in parallel if you have say 4 rtx-3070's, that's 10,000MB/sec, or 10^10, so now you're down to almost 10^20, birthday problem says your hit has probability (10^35) 2^128, so you're down to 10^15, you got 86400 seconds a day, so 10^5, drops you down, so now down to 10^10 days

I think if that typical mining farm using GPUS if they repurposed from mining, to scavenging they would have pretty good odds of hitting an address frequently.

However here we're assuming complete random choices in the region 2^256, if you restrict your generated private-key values to known regions the scope of random choices is reduced. A good example here is ML, using rnn to train an algo to map private-keys to public-addresses, the ML can estimate like areas to search, not unlike baby-step/giant-step
...

Then there is the more direct approach, use math, e.g. pairing attributes, and endomorphisms of secp256k1 while safe, there are fields that have order N equal to P-1, P, and P+1, where the field can be mapped to a finite-field from the elliptic-curve field. While the nearest N=P to secp256k1 is very far away, there are many p+1 that are near secp256k1 prime

p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141

Once you have a ballpark estimate of a solution of a map from public-key to private-key in a region near secp256k1 prime, then you could use a range ECDLP algo like Pollard's kangaroo, which only has a scope of 10^40, which means that your 'guess' has to be within 2^40 of the key, which is in the space 2^256

How do I know this stuff works, last year there were over 1,000 first gen satoshi +50BTC addresses with value, today it's less than 900 and dropping weekly, so somebody is doing it.

Recall that prior to say 2014, the blockchain contained the public-address, now it's hashed.

When hacking bitcoin if you have the public-key, then you can use 'math', otherwise if you have the hash, then you must do random guesstimation, but the 'first guesses' can be in regions known to be used by real world keys.

The secp256k1 elliptic-curve contains 1,000s of endomorphisms, not just 1/3, or 1/6; all these generate unique patterns, like the chosen generator being a multiple of a small number.
pooya87
April 19, 2021, 04:27:52 AM
Merited by ABCbits (1)
 #6

Quote
Obvious history is that brainflayer found 1,000s of bitcoins, because people used low-entropy keys generated from human dictionaries
That hack now is game-over
That is an entirely different matter which has nothing to do with your original question. And that's not a hack, I consider them more of a puzzle that was made (even if unintentionally and out of stupidity of the user) to be solved.

Quote
I think if that typical mining farm using GPUS if they repurposed from mining, to scavenging they would have pretty good odds of hitting an address frequently.
No they wouldn't, they still wouldn't be able to search a tiny portion of the entire space let alone find a single address with a balance.

Quote
However here we're assuming complete random choices in the region 2^256, if you restrict your generated private-key values to known regions the scope of random choices is reduced. A good example here is ML, using rnn to train an algo to map private-keys to public-addresses, the ML can estimate like areas to search, not unlike baby-step/giant-step
First part is obvious but has nothing to do with the second part. You still can't know the range of a private key by seeing its public key.

Quote
How do I know this stuff works, last year there were over 1,000 first gen satoshi +50BTC addresses with value, today it's less than 900 and dropping weekly, so somebody is doing it.
So your entire theory is based on the fact that some early adopters decided to cash out a small percentage of their fortune because price is millions of times higher compared to when they started?!

Quote
Recall that prior to say 2014, the blockchain contained the public-address, now it's hashed.
I'm assuming you mean "public key" not "public address" and you are wrong.
From the first bitcoin version (satoshi client 0.1.0) you could pay to pubkey hashes (ie. the P2PKH addresses we use today).
Here is the first P2PKH output from 16-Jan-2009
https://blockchair.com/bitcoin/transaction/6f7cf9580f1c2dfb3c4d5d043cdbb128c640e3f20161245aa7372e9666168516

Quote
When hacking bitcoin if you have the public-key, then you can use 'math', otherwise if you have the hash, then you must do random guesstimation, but the 'first guesses' can be in regions known to be used by real world keys.
Travelling to Uranus is easier than travelling to Neptune since Uranus is closer to Earth and still we can't do either.

suzanne5223
April 19, 2021, 09:29:07 AM
 #7

Quote
Is it true that people can get private keys from public keys?
Yes and no, but with the current computing power it will take billions of years before anyone can achieve that, but if quantum computers are created there's a chance for that to happen, and it will take more years than expected before that happens.

Quote
That people can randomly generate private keys and match the generated addresses to valuable addresses? Is any of this true?
No

HeRetiK
April 19, 2021, 10:35:43 AM
 #8

Quote
Say there are 300M addresses, but I would say less than 10k have real value, so randomly you're looking for 3*10^8 objects, let's say your gpu generates 2500M/sec as hashes, and tests them on an onboard bloom-filter, so in parallel if you have say 4 rtx-3070's, that's 10,000MB/sec, or 10^10, so now you're down to almost 10^20, birthday problem says your hit has probability (10^35) 2^128, so you're down to 10^15, you got 86400 seconds a day, so 10^5, drops you down, so now down to 10^10 days

To be honest I don't quite understand what you are trying to say, but I'm pretty sure that that's not how the birthday problem works. Unfortunately I can't give you a correct probability either though as I think I just killed Wolfram Alpha with the magnitude of the parameters.


Quote
However here we're assuming complete random choices in the region 2^256, if you restrict your generated private-key values to known regions the scope of random choices is reduced. A good example here is ML, using rnn to train an algo to map private-keys to public-addresses, the ML can estimate like areas to search, not unlike baby-step/giant-step

Training a RNN on random input noise to create random output noise? Have fun with that.


Quote
How do I know this stuff works, last year there were over 1,000 first gen satoshi +50BTC addresses with value, today it's less than 900 and dropping weekly, so somebody is doing it.

Keep in mind that after the first handful of blocks it wasn't just satoshi mining. At this point I'm impressed that there's still so many old 50+ BTC addresses left. (ignoring that many of those are probably not being moved due to lost private keys)

BlackHatCoiner
April 19, 2021, 02:57:29 PM
 #9

There isn't probably a better answer than ranochigo's, but I would like to show you some numbers to convince you that it is true. First things first, you should be more accurate with the topic's title. I wouldn't say that "hacking" Bitcoin has to do with secp256k1 public key reversal or with brute forcing addresses. Generally, the term "hack" is a bit misleading, but it'd have more sense if you were querying about the 51% attack.

Anyway, numbers' time! I'll present you the unbelievably small chances you have on finding someone else's address by comparing it with mining. A legacy address is a 160-bit message digest, represented in base 58. This means that every time you're generating an address you end up with a number between 1 and 2^160.

Currently, the mining target is:
Code:
0000000000000000000bef930000000000000000000000000000000000000000

Every 10 minutes on average, someone brute forces a message and finds a hash result that is not greater than the above. By doing the calculation, your chances of finding such hash are 1 in 101,285,384,567,733,327,529,661.

A decoded address looks like this:
Code:
082550c974bbb58589d66ac46ab038ffbf692a04

Your chances are 1 in 16^40 (amount of hex characters ^ its length). Would you like to see the differences?

Code:
1461501637330902918203684832716283019655932542976 (total addresses)
101285384567733327529660 (target)

This means, that despite the difficulty adjustment, it'd be easier (and more profitable) for you to mine 14000000000000000000000000 blocks, than trying to brute force an address. And note the procedure of generating an address requires more computational power than performing sha256 twice. (for mining)

btc-room101 (OP)
April 20, 2021, 07:54:02 AM
Last edit: April 20, 2021, 09:20:50 PM by mprep
 #10

Quote
There isn't probably a better answer than ranochigo's, but I would like to show you some numbers to convince you that it is true. First things first, you should be more accurate with the topic's title. I wouldn't say that "hacking" Bitcoin has to do with secp256k1 public key reversal or with brute forcing addresses. Generally, the term "hack" is a bit misleading, but it'd have more sense if you were querying about the 51% attack.

Anyway, numbers' time! I'll present you the unbelievably small chances you have on finding someone else's address by comparing it with mining. A legacy address is a 160-bit message digest, represented in base 58. This means that every time you're generating an address you end up with a number between 1 and 2^160.

Currently, the mining target is:
Code:
0000000000000000000bef930000000000000000000000000000000000000000

Every 10 minutes on average, someone brute forces a message and finds a hash result that is not greater than the above. By doing the calculation, your chances of finding such hash are 1 in 101,285,384,567,733,327,529,661.

A decoded address looks like this:
Code:
082550c974bbb58589d66ac46ab038ffbf692a04

Your chances are 1 in 16^40 (amount of hex characters ^ its length). Would you like to see the differences?

Code:
1461501637330902918203684832716283019655932542976 (total addresses)
101285384567733327529660 (target)

This means, that despite the difficulty adjustment, it'd be easier (and more profitable) for you to mine 14000000000000000000000000 blocks, than trying to brute force an address. And note the procedure of generating an address requires more computational power than performing sha256 twice. (for mining)

That's NOT TRUE.

First you make the mistake to think that people are only looking for one key at a time, with 64GB bloom-filters you can scan 512MB keys all at once in a nanosecond and determine whether the current random guess is in the pool

Second there are many ways to "HACK" ECDLP using MATH, too many things to mention, I would just say google the lit on the subject "Discrete Log problem ECDLP", the NSA has been doing this stuff since 1950's, and they have hired 10K math-sci ppl to work on this stuff

Third MINING was profitable during pre-mining stage, and say now when the remaining blocks get smaller, and the difficulty increases it makes more sense to target the block-chain, rather than try to mine; You're all lucky right now because BITCOIN is ASIC and that means the HW can't be redeployed to do anything else than hash,

Hashing has nothing to do with hacking bitcoin, hashing is like 1% of the BTC source code. Hashing is just a one-way trap door that takes a random 2^256 number (sha-256 NSA) and randomizes it as a nonce. So, what? Difficulty just means how many times you have to hash to have N leading zeros? So what?

...

Hacking BITCOIN is on two levels, one level is generating keys and looking into a super-large bloom filter to see if there is an active address from that private-key. Right now I'm finding 2500MB/sec matches on RTX-3070 class cards. But note here I'm checking 350M keys per second on those 2500MB/sec cycles, thus

That be 750,000TH, the current S-9 is what 12TH, that's from one RTX-3070

The problem is this block-reward goes down, the chance of hitting a high value address in time goes up. There are two curves here, and we passed the inflection point years ago.

...

The 51% doesn't have anything to do with hashing, or mining. It just says that IF more than 51% of the miners aren't colluding, then the system is FAIR, but the system ain't FAIR, cuz CHINA controls 67% of the MINING, and actually more given they make the world's BITCOIN ASIC HW.

To date China has just cut the power to the miners in regional areas and you see BTC fees go astro, I think for right now the CCP knows it owns a golden-goose, so why not ripoff the gwai-lo while you can for as long as you can, but be sure the plug will be pulled.

CHINA CCP goes slow, they just took ANT-BITMAIN from Jack Ma in the last six months, they need to study, and decide who they trust to re-deploy the new use of the HW, or they might just cut the power, and shut it all down. IMHO it would be more logical to seize the infrastructure and re-purpose it, given that Jack Ma, put backdoors into ALL BITMAIN ASIC miners, it only seems logical that he help the CCP take over the world's digital mining operation. It's either that or he dies.



Quote
Is it true that people can get private keys from public keys?

That people can randomly generate private keys and match the generated addresses to valuable addresses? Is any of this true?

Well the 'woke' run BITCOIN, and if they say its never been hacked, then let that be so.

But between me&you, let's just agree that to date a majority of BTC in all its history has been stolen. The majority of all coin has been tainted, and is now unclean in the eyes of the USA Dept of Treasury.

Then there is the current problem of mixing, once mixed or 'tumbled' it's tainted and the IRS gate-keepers like COINBASE will not accept tainted coin ( addresses ), guess what majority is tainted, so then you have to sell on the black-market and get 50% on the dollar for post.

Then you have the Chinese running 67% of the world's mining cap, and owning 90% of the world's ASIC mining hw, and they're generating pristine coin, that has 2X the value that of 'good coin' as defined by IRS(COINBASE) gate-keepers.

So now you have a three level price or value of BTC, it was NOT supposed to be this way, all BTC was supposed to be of equal value. But the 'woke' will deny this.

There's a river in Bitcoinia called the 'denial' and most drink the water from it.

To question Bitcoin is to hate Bitcoin, so say the woke. To hate Bitcoin goes against god. Now all know where that leads.

Then they say if you don't worship BTC its because you weren't an early player. They assume that everybody on earth only eats & sleeps in order to ripoff their fellow human beings, lots of people on earth don't care about money. But you can never explain this to a Woke-Bitcoiner.

So I ask again? Has Bitcoin ever been hacked?

The thing about the 'woke' is they ignore history, all history. They say "History is for the Haters". Go figure



Quote
Is it true that people can get private keys from public keys?
Yes and no, but with the current computing power it will take billions of years before anyone can achieve that, but if quantum computers are created there's a chance for that to happen, and it will take more years than expected before that happens.

That people can randomly generate private keys and match the generated addresses to valuable addresses? Is any of this true?
No

Have you actually done the math?

The 50% odds ( birthday ) problem for running on an RTX-3070 with bloom-filters that have all the addresses of value is about 10,000 days. Now if you're running lots of racks, with lots of rtx-3000 class cards you're talking rather quick.

The entire narrative of billions of years is if you're looking for ONE COIN, but only a fool would look for one coin. The entire purpose of computers, especially these days with cheap memory and GPUS with 5,000 cores, and bloom-filters with 64gb, which lets you verify 2000M keys in a nanosecond as to whether a key is in set of keys of value.

All the code on GITHUB plays the same game, even the ever popular bitcrack, brute-forces one at a time, even the Kangaroo only checks one public-key at a time. This is insane, it's almost like the narrative is held, because nobody knows how to code, and everybody is spoon-fed crippled software.

Has BTC been hacked? Hell Yes, is it being cracked? Hell yes, is it being cracked or hacked by anybody on this forum? I doubt, because they're believers of the woke paradigm, that's designed for fools to believe.

The problem of course is this means that even BITCOIN core is controlled and maintained by the same fools. What does this say about the future of Bitcoin?

Lastly there is no such thing as a 'quantum computer', right now they have 8-qubit computers that cost $1m USD, in order to have a functional quantum-computer to hack bitcoin, it would have to have 4 billion or more qubits. This will not exist for perhaps another 50 years. So nobody even needs to talk about Quantum-Computers because they don't exist.

But NVIDIA graphics cards are 10X'ing every year in terms of their hacking bitcoin's ECDLP algo, so today's 1,000 days will soon be 100 days, and then 10 days to hack bitcoin addresses

[moderator's note: consecutive posts merged]
HeRetiK
April 20, 2021, 10:59:04 AM
 #11

Quote
Have you actually done the math?

The 50% odds ( birthday ) problem for running on an RTX-3070 with bloom-filters that have all the addresses of value is about 10,000 days. Now if you're running lots of racks, with lots of rtx-3000 class cards you're talking rather quick.

Have you done the math?

Like mentioned above there seems to be a fundamental misunderstanding of how to apply or even calculate the birthday problem. Accordingly the core premise of the argument doesn't hold up.

BlackHatCoiner
April 20, 2021, 11:23:17 AM
 #12

Quote
That's NOT TRUE.
Before saying anything, I'd suggest you to calm down. I've seen you on other technical threads and you're "yelling" with nonsense propagandas. Usually, propagandists aren't taken seriously on the internet, because they don't provide anything other than FUD. Yes, saying that NSA can crack secp256k1 isn't proved so I consider it a propaganda.

Quote
Second there are many ways to "HACK" ECDLP using MATH, too many things to mention, I would just say google the lit on the subject "Discrete Log problem ECDLP", the NSA has been doing this stuff since 1950's, and they have hired 10K math-sci ppl to work on this stuff
I didn't talk about ECDLP. Reversing a public key isn't impossible (such as with a hash function) and that's why I only talked about the RIPEMD-160 brute forcing.

Quote
Third MINING was profitable during pre-mining stage, and say now when the remaining blocks get smaller, and the difficulty increases it makes more sense to target the block-chain, rather than try to mine; You're all lucky right now because BITCOIN is ASIC and that means the HW can't be redeployed to do anything else than hash,
What do you mean to "target" the block chain? And who told you that mining isn't profitable anymore? The halving event and the difficulty parameter are the genius parts of mining. If mining stops being profitable for many people, then the difficulty will be reduced which would result in it being profitable. And I'm not even talking about the price of Bitcoin. Right now, those 6.25 BTC are worth more than the 12.5 BTC a year ago.

Quote
Hashing has nothing to do with hacking bitcoin, hashing is like 1% of the BTC source code. Hashing is just a one-way trap door that takes a random 2^256 number (sha-256 NSA) and randomizes it as a nonce. So, what? Difficulty just means how many times you have to hash to have N leading zeros? So what?
That's why I said that using the term "hack" is misleading. There is no hacking on Bitcoin such as account compromisation. I used it to explain that if the account is your address and the password is your private key, then finding my key essentially means that you're compromising my address. Translate it however you want.

Quote
But note here I'm checking 350M keys per second on those 2500MB/sec cycles
Great, congratulations.

Quote
The 51% doesn't have anything to do with hashing, or mining. It just says that IF more than 51% of the miners aren't colluding, then the system is FAIR, but the system ain't FAIR, cuz CHINA controls 67% of the MINING, and actually more given they make the world's BITCOIN ASIC HW.
China is a country. Not an authority that can abuse their computational power to destroy the network. It's like saying that the world owns the 100%. Okay, so? There isn't a pool that has gathered China's power and thus, there is no authority that can perform such attack.

Quote
The problem is this block-reward goes down, the chance of hitting a high value address in time goes up. There are two curves here, and we passed the inflection point years ago.
That's wrong. What does block-reward have to do with your chances of successfully finding a private key for an already existent address? Stop spreading FUD.

ranochigo
April 20, 2021, 11:29:26 AM
Last edit: April 20, 2021, 12:59:39 PM by ranochigo
 #13

Hmm, why bother structuring your topic as a question when you could've just made your statement as the OP?

Calculation for the quantum computer is off by a couple of billion of qubits, estimates put it at about ~1200 I think. I'm almost certain that your math and assertions are not correct. Perhaps try to show us a working example instead?

HeRetiK
April 20, 2021, 12:26:27 PM
Last edit: April 21, 2021, 10:58:44 AM by HeRetiK
Merited by ABCbits (2)
 #14

Quote
Have you actually done the math?

The 50% odds ( birthday ) problem for running on an RTX-3070 with bloom-filters that have all the addresses of value is about 10,000 days. Now if you're running lots of racks, with lots of rtx-3000 class cards you're talking rather quick.

Have you done the math?

Like mentioned above there seems to be a fundamental misunderstanding of how to apply or even calculate the birthday problem. Accordingly the core premise of the argument doesn't hold up.


Upon second thought, let's actually do the math. Especially since I just stumbled over a neat python script to do the work for me:

Code:
"""Calculate the probability of generating a duplicate random number after
generating "n" random numbers in the range "d".
Usage: python birthday_probability.py n [d=365]
Each value can either be an integer directly, or in the format "2**x", where
x is the number of bits in the value.
For example, to calculate the probability that two people will have the same
birthday in a room with 23 people:
$ python birthday_probability.py 23
Probability is 0.5155095380615168, or about 1 in 2
Or to calculate the probability of a collision with 1,000,000 items and a
range of 2**48:
$ python birthday_probability.py 1000000 2**48
Probability is 0.001774780051374103, or about 1 in 563
"""

from __future__ import division

import math
import sys


def birthday_probability(n, d):
    """Calculate the probability of generating a duplicate random number after
    generating "n" random numbers in the range "d".
    """
    # Formula taken from: https://en.wikipedia.org/wiki/Birthday_problem
    return 1 - math.e ** (-n**2 / (2 * d))


if __name__ == '__main__':
    def error(message):
        sys.stderr.write(message)
        sys.exit(1)

    def convert(s):
        if s.startswith('2**'):
            return 2 ** int(s[3:])
        else:
            return int(s)

    if len(sys.argv) < 2:
        error(__doc__)

    try:
        n = convert(sys.argv[1])
        d = convert(sys.argv[2]) if len(sys.argv) > 2 else 365
    except ValueError:
        error('ERROR: "n" and "d" must be integers or in the form "2**x"\n')

    probability = birthday_probability(n, d)
    print('Probability is {}, or about 1 in {:,d}'.format(
            probability, int(round(1 / probability))))



Let's start with one of your assumptions and be extra generous -- a magical RTX3700 that not merely generates 2.5 * 10^9 hashes per second but 2.5 * 10^9 Bitcoin addresses.


So we get one rig with 4 GPUs at 10^10 addresses/sec resulting in 3 * 10^17 addresses per year.

We rent a proper industrial hall and set up 10 million of these rigs, so we generate 3 * 10^24 addresses per year.

We keep this running for 100 years and get a total of 3 * 10^26 addresses.

Now at this point the already existing 3 * 10^8 addresses we originally targeted are but a rounding error, so we can safely ignore those.


So let's punch those numbers in:

3 * 10^26 "people" for 10^77 "possible birthdays"

And we get... *drumroll*

Code:
ZeroDivisionError: float division by zero


Ok, apparently the resulting probability is too low for a regular float so let's up the numbers a bit.


10 billion rigs running for 100 thousand years.

3 * 10^32 "people" for 10^77 "possible birthdays"

And we get... *drumroll*

Code:
Probability is 4.49640324973e-14, or about 1 in 22,239,998,159,854

So a probability of 0.000000000004406% that even just one of these addresses ends up being a duplicate.


...and that's including the empty addresses the attacker generated themselves.

(meaning that even if a duplicate address is found, the chance that it's one of the target addresses is 3 * 10^8 in 3 * 10^32 ie. 0.000000000000000000000001%)






...I think we're safe.

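The ZeroDivisionError in the post above is floating-point underflow: `1 - math.e ** (-x)` rounds to exactly 0 once x drops below roughly 1e-16, so `1 / probability` fails. As an added example (not part of the post or of the script it quotes), the same birthday approximation can be evaluated with `math.expm1`, together with the chance of hitting one of a fixed set of target addresses; the function names are hypothetical and the inputs are the figures of the post's first scenario.

```python
import math


def naive_birthday(n, d):
    """The formula exactly as the quoted script evaluates it."""
    return 1 - math.e ** (-n**2 / (2 * d))


def birthday_probability(n, d):
    """Same approximation, 1 - exp(-n^2 / 2d), via expm1 so that tiny
    probabilities are not lost when subtracting from 1."""
    return -math.expm1(-(n * n) / (2 * d))


def target_hit_probability(n, targets, d):
    """Chance that at least one of n uniformly random draws from d values
    equals one of `targets` fixed values: 1 - (1 - targets/d)^n."""
    return -math.expm1(n * math.log1p(-targets / d))


def one_in(p):
    """Render a probability as '1 in N'; report underflow instead of dividing by 0."""
    return "below float resolution" if p == 0.0 else "1 in {:.3g}".format(1 / p)


if __name__ == "__main__":
    # Figures from the post's first scenario (inputs only; results computed here).
    generated = 3 * 10**26   # addresses produced by 10 million rigs in 100 years
    funded = 3 * 10**8       # existing addresses being targeted
    space = 10**77           # "possible birthdays" used in the post

    print("naive  :", one_in(naive_birthday(generated, space)))
    print("stable :", one_in(birthday_probability(generated, space)))
    print("target :", one_in(target_hit_probability(generated, funded, space)))
```

The birthday figure counts any duplicate among the generated addresses, while `target_hit_probability` counts only hits on the already funded set, which is the quantity an address-guessing attack depends on.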
philipma1957
Legendary
*
Offline Offline

Activity: 4116
Merit: 7858


'The right to privacy matters'


View Profile WWW
April 20, 2021, 06:04:56 PM
 #15

Is it true that people can get private keys from public keys?

That people can randomly generate private keys and match the generated addresses to valuable addresses? Is any of this true?


yes and yes.


but it is harder than finding 1 grain of sand in all the world's sand using a shovel and a pail and walking along the beaches of the world.

NotATether
Legendary
*
Offline Offline

Activity: 1596
Merit: 6730


bitcoincleanup.com / bitmixlist.org


View Profile WWW
April 20, 2021, 06:29:44 PM
 #16

But NVIDIA graphics cards are 10X'ing every year in terms of their hacking bitcoin's ECDLP algo, so today's 1,000 days will soon be 100 days, and then 10 days to hack bitcoin addresses

Eventually, but not anytime soon, the speed increases from Moore's Law for GPUs (as I like to call it) will become flat, just like it did for CPUs after Pentium 4 was made.

Second there are many ways to "HACK" ECDLP using MATH, too many things to mention, I would just say google the lit on the subject "Discrete Log problem ECDLP", the NSA has been doing this stuff since 1950's, and they have hired 10K math-sci ppl to work on this stuff

I didn't talk about ECDLP. Reversing a public key isn't impossible (such as with a hash function) and that's why I only talked about the RIPEMD-160 brute forcing.

It's also theoretically possible to brute force a RIPEMD160 hash.

The way it works is that you take some private keys, ECmultiply them to get public keys and run SHA256 on them. Then we create a data structure called a bloom filter that tests for inclusion in a set extremely fast. However it is a "noisy" test, so a percentage of these tests make false positives, but never false negatives (it will always tell you correctly that a hash160 is not in a set).

We decode the target addresses into hashes and test them for inclusion in this bloom filter of random RIPEMD160 addresses.

For faster run time, we can take advantage of the fact the search space is contiguous and next to each other on the number line, and for some private key range m:n, we cache the ECmultiply result of 0G to (n-m)G somewhere on disk so that we just point add them back to mG without having to do expensive ECmultiply instructions each round (nobody's done this optimization before).
