Bitcoin Forum
Author Topic: Brute-forceable puzzle - free crypto for whoever manages to crack it [SOLVED]  (Read 941 times)
f3tus (OP)
August 01, 2021, 01:01:11 PM
Last edit: August 11, 2021, 07:33:36 PM by f3tus
Merited by ABCbits (2), NotATether (2), PawGo (1)
 #1

I saw this thread of "don't do's" on Reddit and decided to do the opposite; I will write down and post my mnemonic seed words for everyone to see:

Code:
bacon bitter goddess sheriff differ kit sock stomach rhythm skill trade drastic

There is an x amount of crypto I put there as an award for whoever manages to get ahold of it. It is encrypted with a date shift cipher using this script I wrote: Seedshift. I basically used 1-4 dates in YYYY-MM-DD format to shift the mnemonic words (modulo 2048 to wrap around the wordlist; you can do it manually without the script).

Basically you can brute-force my encrypted seed words by trying date combinations until you find the correct x ones I used and get the crypto prize.

This in itself could also be considered a real-time simulation of how long it would take for a potential thief (with programming background and who also magically knows it is encrypted with a date shift cipher) to steal my crypto before I manage to transfer it somewhere safe (and also to validate how safe and secure my method of storing my mnemonic seed words is).

So anyway, good luck to everyone and get crackin'!

Edit:
The puzzle got solved. See the write-up here: https://www.reddit.com/r/CryptoCurrency/comments/p2jkh3/how_i_solved_utoshiromiballzas_puzzle_in_just/
BrewMaster
August 01, 2021, 01:44:12 PM
 #2

Quote
x amount of crypto

you should also include the address containing the funds and the amount of it. this puzzle may not even be worth the time for example if it contains some small amount of a shitcoin.

There is a FOMO brewing...
COBRAS
August 01, 2021, 02:00:42 PM
 #3

Put 0,5 btc to address, send from this address 0.0000000001 btc to any address, wait and you see result.

f3tus (OP)
August 01, 2021, 02:09:01 PM
 #4

Quote
you should also include the address containing the funds and the amount of it. this puzzle may not even be worth the time for example if it contains some small amount of a shitcoin.
It's not a shitcoin wallet, and you wouldn't know how much (and of what) an encrypted wallet you found/stole contained either until you cracked it.

I'll just say it has more than $10.
PawGo
August 01, 2021, 02:28:32 PM
 #5

Doable...

Could you at least say which address we should check (first?) and if it is BIP32 or BIP84 or... ?
f3tus (OP)
August 01, 2021, 03:23:48 PM
 #6

BIP44, and some more clues from Reddit: I used 2 dates from 1900-2021.
NotATether
August 01, 2021, 03:54:36 PM
Last edit: August 01, 2021, 04:09:38 PM by NotATether
 #7

Quote
Doable...

Could you at least say which address we should check (first?) and if it is BIP32 or BIP84 or... ?

748016^3 combinations of dates if we use years from 0-2048 and all months/days and ignore 1900-2021 range.

OP, which timezone/country are you in?

Did you move the coins in the address before or after you posted this challenge?



UPDATE:

using python datetime() + timedelta of 693595 gives 1900-01-01 and + 738154 gives 2021-21-31, so that is our range, and the difficulty is:

Code:
import math

minv=693595
maxv=738154
print(maxv-minv)
print(pow(maxv-minv,3))
print(math.log(pow(maxv-minv,3),2))

Output:
44559
88472094168879
46.330287706213426

i.e. unless you have hundreds of CPUs then it's not doable on CPU. However 2^46 can be tackled by one GPU.

f3tus (OP)
August 01, 2021, 04:27:51 PM
Last edit: August 01, 2021, 04:42:49 PM by f3tus
 #8

Quote
748016^3 combinations of dates if we use years from 0-2048 and all months/days and ignore 1900-2021 range.

OP, which timezone/country are you in?

Did you move the coins in the address before or after you posted this challenge?
Timezone/country doesn't matter and I put the coins there before the challenge. The 2 dates I used are in 1900-2021 range, shifted in YYYY-MM-DD format from oldest to youngest date, so knowing that, the number of possible combinations lowers, because the 1st date you shift should always be older than the second. :)
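
Added example, not part of any post in the thread: the key-space arithmetic from the two posts above, redone with the clues given so far (dates between 1900 and 2021, applied oldest first) for any number of dates. The function names, the guess rate and the 200-date pool are assumptions made for illustration.

```python
import math
from datetime import date

# Range given in the thread: dates between 1900 and 2021.
FIRST, LAST = date(1900, 1, 1), date(2021, 12, 31)
MNEMONIC_BITS = 128  # entropy of a 12-word BIP39 mnemonic


def days_in_range(first=FIRST, last=LAST):
    """Count the calendar dates from first to last, both included."""
    return (last - first).days + 1


def key_count(k, n_dates=None, oldest_first=True):
    """Number of distinct keys built from k dates out of n_dates candidates.

    oldest_first=True models the clue that the dates are applied from
    oldest to youngest: order carries no information, so a key is a
    combination of k distinct dates. Otherwise every sequence counts.
    """
    n = days_in_range() if n_dates is None else n_dates
    return math.comb(n, k) if oldest_first else n ** k


def key_bits(k, n_dates=None, oldest_first=True):
    """Key strength in bits (log2 of the number of keys)."""
    return math.log2(key_count(k, n_dates, oldest_first))


def hours_to_exhaust(count, guesses_per_second):
    """Worst-case time to try every key at an assumed guess rate."""
    return count / guesses_per_second / 3600


def strength_table(max_dates=8, guesses_per_second=10_000):
    """One row per number of dates: (k, bits, hours to exhaust)."""
    return [(k, round(key_bits(k), 1),
             hours_to_exhaust(key_count(k), guesses_per_second))
            for k in range(1, max_dates + 1)]


if __name__ == "__main__":
    print("dates in range:", days_in_range())
    print("3 dates, any order: %.1f bits" % key_bits(3, oldest_first=False))
    for k, b, hours in strength_table():
        print("%d date(s): %5.1f bits, %.3g hours at 10k guesses/s "
              "(mnemonic itself: %d bits)" % (k, b, hours, MNEMONIC_BITS))
    # Dates someone else can guess (family birthdays, anniversaries) shrink
    # the candidate pool; 200 plausible dates is a constructed figure.
    print("2 of 200 known dates: %.1f bits" % key_bits(2, n_dates=200))
```

With two ordered dates the key is about 30 bits, against 128 bits for the mnemonic it is meant to protect, and it drops to about 14 bits if the dates come from a small pool of guessable ones.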
PawGo
August 01, 2021, 04:53:14 PM
 #9

I have a working solution - knowing address would make it much easier (faster), now I am stuck on creating list of addresses and checking them against addresses with balance (I must transfer file between machines etc.).
NotATether
August 01, 2021, 04:58:02 PM
Last edit: August 01, 2021, 06:14:20 PM by NotATether
 #10

Quote
Timezone/country doesn't matter

Oh it does :) it allows us to go to a block explorer and skim it for addresses inside transactions made between midnight (wherever your TZ is) and date of the OP so we can check the results against a list of addresses instead of making an expensive network call. This assumes you made the transaction today though, where "today" begins at midnight, your timezone.

But if you don't tell us we can always assume it was made in Hawaii timezone (UTC-10) which isn't going to add too many extra addresses if we use its midnight as the starting point. ;)

A few gems I'll post here; they are the basis for a client-server implementation I'm writing that'll let everyone share the load on their systems:

Server:

Code:
#!/usr/bin/env python
# Python Network Programming Cookbook, Second Edition -- Chapter - 1
# This program is optimized for Python 2.7.12 and Python 3.5.2.
# It may run on any other version with/without modifications.

import socket
import sys
import argparse

host = 'localhost'
data_payload = 2048

def echo_server(port):
    """ A simple echo server """
    # Create a UDP socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    # Bind the socket to the port
    server_address = (host, port)
    print("Starting up echo server on %s port %s" % server_address)

    sock.bind(server_address)

    clients = set()  # every client address seen so far

    while True:
        print("Waiting to receive message from client")
        data, address = sock.recvfrom(data_payload)
        clients.add(address)

        print("received %s bytes from %s" % (len(data), address))
        print("Data: %s" % data)

        # Skeleton placeholders: nothing is validated or generated yet
        proof_of_work = False
        pubkey = prvkey = None

        if data == b"PROOFOFWORK":
            # validates via block explorer
            pass
        elif data == b"GETWORK":
            # generate work and send it to client
            pass
        else:
            # unrecognized command
            pass

        if proof_of_work:
            message = "MATCH {} {} {}".format(address, pubkey, prvkey)
            # send this to all clients:
            for client in clients:
                sent = sock.sendto(message.encode('utf-8'), client)
        else:
            # Normally this would be whether the work is
            # the correct address or not but here we just
            # insert a dummy
            message = "NOTMATCH {} {} {}".format(address, pubkey, prvkey)
            sent = sock.sendto(message.encode('utf-8'), address)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Seedshifter Cracker Server')
    parser.add_argument('--port', action="store", dest="port", type=int, required=True)
    given_args = parser.parse_args()
    port = given_args.port
    echo_server(port)
 

Client:

Code:
#!/usr/bin/env python
# Python Network Programming Cookbook, Second Edition -- Chapter - 1
# This program is optimized for Python 2.7.12 and Python 3.5.2.
# It may run on any other version with/without modifications.

import socket
import sys
import argparse

host = 'localhost'
data_payload = 2048

def echo_client(port):
    """ A simple echo client """
    # Create a UDP socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    server_address = (host, port)

    while True:
        try:
            # Send data
            message = "GETWORK"
            sent = sock.sendto(message.encode('utf-8'), server_address)

            # Receive response
            message, server = sock.recvfrom(data_payload)
            # get head of message
            head = message.decode('utf-8').split(' ', 1)[0]
            if head == "WORK":
                # perform work on GPU
                pass
            elif head == "FOUND":
                # record private key, public key and address and break
                break
            else:
                # ignore all unrecognized commands
                pass
        except Exception as e:
            break

    print("Closing connection to the server")
    sock.close()

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Seedshifter Cracker Client')
    parser.add_argument('--port', action="store", dest="port", type=int, required=True)
    given_args = parser.parse_args()
    port = given_args.port
    echo_client(port)

It won't run as is though because this is just a skeleton I found in a book and slightly adapted to act as a PoW server, similar to the stratum servers used in mining.

EDIT:

I just tried querying Blockchair's API, it limits me to 10 records per call, ironically I went to buy an API key but their only payment processor is PayPal (!) I mean, not even CC, much less crypto.

So this means unless someone already has an API key it is technically infeasible to gather a large number of addresses.

I think this highlights one of the big problems with the current state of APIs, namely, there is no easy way to [pay to] query them in bulk, if you can even query them at all - and Blockchair is pretty much the only one with this feature (blockchain.info has a very very limited set of endpoints).

f3tus (OP)
August 01, 2021, 05:09:39 PM
 #11

Quote
Oh it does :) it allows us to go to a block explorer and skim it for addresses inside transactions made between midnight (wherever your TZ is) and date of the OP so we can check the results against a list of addresses instead of making an expensive network call.
Hey, that's cheating! :D
pooya87
August 02, 2021, 04:01:56 AM
 #12

Shift ciphers aren't considered strong and should never be used to encrypt anything important such as a bitcoin mnemonic.
Also whether or not someone solves this "puzzle" should not be used as an indication of security of this algorithm.

f3tus (OP)
August 02, 2021, 04:59:01 AM
Last edit: August 02, 2021, 05:16:32 AM by f3tus
 #13

Quote
Shift ciphers aren't considered strong and should never be used to encrypt anything important such as a bitcoin mnemonic.
Also whether or not someone solves this "puzzle" should not be used as an indication of security of this algorithm.
Is it safer than storing it in plain-text? Yes. Does it give you a lot more time to react and move your coins in case someone breaks in and steals your written down seed words? Yes.

What's a safer and easier alternative to store your seed words and in case something happens to you, your loved ones can decrypt the words? Other than a complex passphrase on a Trezor/Ledger, which you would also need to write down in plain-text and make it a security risk?
pooya87
August 02, 2021, 05:03:37 AM
 #14

Quote
What's a safer and easier alternative to store your seed words and in case something happens to you, your loved ones can decrypt the words?
Encryption using a cryptographically strong encryption algorithm such as AES using a proper passphrase, then creating proper backups from the encrypted result and the passphrase used and storing them separately.

Quote
Other than a complex passphrase on a Trezor/Ledger, which you would also need to write down in plain-text and make it a security risk?
Even though this is called "passphrase", it is not encrypting anything; it is "extending" the seed phrase and should not be considered a proper security measure.


P.S. https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own

f3tus (OP)
August 02, 2021, 05:26:46 AM
 #15

How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?

Birthdays and anniversaries everyone remembers, and with 24 seed words you can shift it with up to 8 dates. Never said it's unbreakable, but it's not easy to break either, it gives you plenty of time to react in case of theft and it's simple enough by knowing the dates to do it by hand.
NotATether
August 02, 2021, 09:25:12 AM
 #16

Field day 2, so to get a list of addresses that could've been OP's challenge address, I went to the "outputs" database dumps of Blockchair and downloaded the spreadsheets for August 1 and July 31 (the former was not available until today hence the wait). It is a little slow, but the download speed is a manageable 10 minutes on a high-speed ethernet network.

The next step is to (1) filter out all the coinbase outputs, (2) filter all the non-pubkeyhash outputs and (3) filter out all outputs <= $10.

Then we filter outputs that are less than $100 because let's be honest, a challenge worth less than $100 is not worth solving :P when I applied this filter on the website it eliminated a surprisingly large number of transactions.

I am expecting to be left with some 10 thousand addresses which can then be placed in a bloom filter.

All spreadsheet software either lags or outright crashes when I open the DB dump so I have to resort to dirty Python tricks again to apply the above.



Quote
How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?

I'm sure even most developers have trouble doing that.

f3tus (OP)
August 02, 2021, 10:29:21 AM
 #17

Remember that you don't know which crypto wallet this is, or if the award is only on one or more crypto wallets with the same seed words.
PawGo
August 02, 2021, 12:02:36 PM
 #18

Quote
Remember that you don't know which crypto wallet this is, or if the award is only on one or more crypto wallets with the same seed words.

Does it mean that award is not on the first address (from first account)?
f3tus (OP)
August 02, 2021, 12:10:11 PM
 #19

It means it could be BTC or ETH or both.
PawGo
August 02, 2021, 12:13:47 PM
 #20

Quote
It means it could be BTC or ETH or both.

Oh, so I gave up. I processed around 10% dates & BTC addresses - first ones from the seed in BIP44: m/44'/0'/0'/0/0, but if your coins could be anywhere and we do not even know which coins we look for - it is a waste of energy.