solve key 66 67 Puzzle how to avoid double spends the tx?

[Airfin Same]

importing private key to electrum wallet then send to your address is it enough? or some bots can double spend tx

someone pls  advise how to avoid such attack i read that the second of the public key of key 66 67 is revealed looters can double spend tx and steal those coins

suppose someone lucky find the private key of the puzzle what he should do what wallet is more secure to use to send those coin

[1715235150]

1715235150

[1715235150]

1715235150

[1715235150]

1715235150

[1715235150]

1715235150

[un_rank]

Your question is not clear enough for me to give an answer. Where are you importing your private keys from and where (which address) are you sending to?

If you are asking if you are protected from double spending, Yes you are if you wait for 1 confirmation for lower amounts and 3 confirmations for very large amounts of bitcoin.

- Jay -

[Charles-Tim]

importing private key to electrum wallet then send to your address is it enough?

You import the private key and then send the coins to another address. Why not just sweep the private key instead. But if you just prefer to import and send the coin to another of your address, that is not also bad as long as the private key that you imported is not compromised and your if the wallet that you sent the coin to also is not compromised.

[Airfin Same]

Your question is not clear enough for me to give an answer. Where are you importing your private keys from and where (which address) are you sending to?

If you are asking if you are protected from double spending, Yes you are if you wait for 1 confirmation for lower amounts and 3 confirmations for very large amounts of bitcoin.

- Jay -

https://bitcointalk.org/index.php?topic=5454194.0


assuming someone found the private key
by using kangaroo the algorithme here  https://bitcointalk.org/index.php?topic=5244940.0 anyone can get the private key with the public key
public key will be known to everyone the second your transaction is shown

how to prevent looters from double spend this transaction? the amount is 6.6btc or 6.7btc or 6.8btc depend on the puzzle number 66,67,68

importing private key to electrum wallet then send to your address is it enough?

You import the private key and then send the coins to another address. Why not just sweep the private key instead. But if you just prefer to import and send the coin to another of your address, that is not also bad as long as the private key that you imported is not compromised and your if the wallet that you sent the coin to also is not compromised.

the private key will be compromise in seconds (1s) as i mention above with kangaroo or a similar algorithme


link to ann of the puzzle
https://bitcointalk.org/index.php?topic=1306983.msg63933672#msg63933672

here someone talk about double spend
https://bitcointalk.org/index.php?topic=5304723.msg63465321#msg63465321

[HeRetiK]

I don't really follow the Bitcoin Puzzle scene, but assuming the public keys for these particular puzzles are indeed within a range that could be derived within seconds, digaran already answered the question following the post you were linking:

you'd need to either have a bot that automatically double spends the tx or talk with a large mining pool to privately include your tx in a block

Though even that will not guarantee success if your adversary is able to broadcast their transaction at the roughly the same time (i.e. within seconds) as you: (1) They may attempt multiple double spends so now it just becomes a competition of who spams the network most effectively and (2) the mining pool you are colluding with may not be the one actually find the next block. Nonetheless following either approach would increase your chances over just hitting send and hoping for the best (though as mentioned above I can not asses the risk of getting looted for those particular puzzles).

[DaCryptoRaccoon]

Seems kind of pointless puzzle if when you do find a solution someone else can just rob the coins off you by spam attacking and kangaroo attack.

So really the whole point of the "weak" keys puzzle is flawed as many people will just be waiting for the TX to hit the network then just go after that.

In essence unless your conneced to some mining pool or have connections there is zero chance your going to get a pool to include this actually you may find they try steal it from you.

And yes there are people running this stuff on crazy crazy machines so there is a good chance once broadcast before it gets picked up someone else then it's fee race and yea before in the past this happened someone ended up paying a massive fee just to get what little coins they could.

So don't participate unless your well linked up and know exactly how to do this stuff or you will get mugged for your find on broadcast.

[vjudeu]

Seems kind of pointless puzzle if when you do find a solution someone else can just rob the coins off you by spam attacking and kangaroo attack.

Well, there is a way to fix it, but unfortunately, it requires OP_CAT. Because in general, if it would be possible to claim the puzzle with any public key, for which OP_HASH160 gives some value below a given target, then it would require the same effort, but could no longer be solved by Kangaroo or other similar attacks, because then nobody would know the starting point.

Also, I shared the script for doing that kind of puzzle for public keys:

4. Provably fair transaction puzzles:
Input script: "<signature> <pubkeyTail>"
Output script: "<pubkeyHead> OP_SWAP OP_CAT OP_CHECKSIG"
Execution:

Code:

<signature> <pubkeyTail> <pubkeyHead> OP_SWAP
<signature> <pubkeyHead> <pubkeyTail> OP_CAT
<signature> <pubkey> OP_CHECKSIG
OP_TRUE

Then, if you pick for example 0xbadc0ded as your <pubkeyHead>, then people could mine a public key, starting with x-value equal to 0xbadc0ded, and that would be a proof, that someone can break 32-bit public keys. Of course, any non-zero pattern will do (the only reason why zero will not work, is the half of the generator).

Which means, that if you want to do the same thing with OP_HASH160, then after a small modification, it should also work, when OP_CAT would be activated:

Input script: "<signature> <pubkey> <hashTail>"
Output script: "<hashHead> OP_SWAP OP_CAT OP_OVER OP_HASH160 OP_EQUALVERIFY OP_CHECKSIG"
Execution:

Code:

<signature> <pubkey> <hashTail> <hashHead> OP_SWAP
<signature> <pubkey> <hashHead> <hashTail> OP_CAT
<signature> <pubkey> <hashOne> OP_OVER
<signature> <pubkey> <hashOne> <pubkey> OP_HASH160
<signature> <pubkey> <hashOne> <hashTwo> OP_EQUALVERIFY
<signature> <pubkey> OP_CHECKSIG
OP_TRUE

As many people already noticed, a lot of problems could be solved, if we only would have OP_CAT. But I still wonder, if it would be activated or not.

[a8832021]

If the pubkey is revealed,may someone use BSGS algorithm to crack the privkey and double spend the coins?

[seoincorporation]

If the pubkey is revealed,may someone use BSGS algorithm to crack the privkey and double spend the coins?

The public key is already known information, but that is not enough to crack the private key, and if someone get's access to the private key first they need to spend the coins before be able to double spend it. But looks like you are lost in the topic, what op means is.

Let's say someone finds the private key from puzzles 66 and 67, if they spend the coins and make public the private key, som users could use that private key to make a double spend from the same coins and if they use bigger fees then they could steal those coins. But the way to avoid that is to not make public the private key until it has more than 1 confirmation.

[Airfin Same]

Seems kind of pointless puzzle if when you do find a solution someone else can just rob the coins off you by spam attacking and kangaroo attack.

So really the whole point of the "weak" keys puzzle is flawed as many people will just be waiting for the TX to hit the network then just go after that.

In essence unless your conneced to some mining pool or have connections there is zero chance your going to get a pool to include this actually you may find they try steal it from you.

And yes there are people running this stuff on crazy crazy machines so there is a good chance once broadcast before it gets picked up someone else then it's fee race and yea before in the past this happened someone ended up paying a massive fee just to get what little coins they could.

So don't participate unless your well linked up and know exactly how to do this stuff or you will get mugged for your find on broadcast.

thanks for replying
appreciate your advice

If the pubkey is revealed,may someone use BSGS algorithm to crack the privkey and double spend the coins?

YES, there is a bunch of tools to do that some people running crazy crazy machines
the pubkey is not revealed yet and because of the small range 2^66..

you can try this buy yourself pick a random prvtkey 0x2AAA5555000FFFFFF run kangaroo and see!


The public key is already known information, but that is not enough to crack the private key, and if someone get's access to the private key first they need to spend the coins before be able to double spend it. But looks like you are lost in the topic, what op means is.

Let's say someone finds the private key from puzzles 66 and 67, if they spend the coins and make public the private key, som users could use that private key to make a double spend from the same coins and if they use bigger fees then they could steal those coins. But the way to avoid that is to not make public the private key until it has more than 1 confirmation.

you got me wrong, the address has no Outputs tx yet


#66 — Unsolved
×
Key range
(265)...(266)
Reward
6.6005673 BTC
Decimal start point
36893488147419103232 = (265)
Decimal end point
73786976294838206463 = (266)
HEX start point
20000000000000000
HEX end point
3ffffffffffffffff
Total keys
36893488147419103232
Target
13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so

assuming you hit the private key can you share a method or a secure way to get these coins without double spend

which is faster to get confirmation
sending to segwit 3
or to legacy

appreciate any help and advise

[seoincorporation]

assuming you hit the private key can you share a method or a secure way to get these coins without double spend

Let's say you found the private key, the first step would be to change the Private key Hexadecimal format to WIF. And you DON'T want to do this with an online tool, all has to be done from your PC.

For this, you can use the "Bitcoin Address Utility" https://en.bitcoin.it/wiki/Bitcoin_Address_Utility or any other tool.

Code:

$ bu YourHexPrivateKey

Then, you can import the WIF private key to a wallet like Electrum, or an online wallet like Blockchain.com But i hardly recommend to do this under a Linux Computer, if you want to do it from Windows there could be some risks.

which is faster to get confirmation
sending to segwit 3
or to legacy

appreciate any help and advise

The speed of the confirmations is based on the fees you use and not on the type of address. If you want a fast confirmation then verify how much you need to pay to have a confirmation in the next block, for that you can use the next site: https://mempool.space/ Right now 58 sat/vB is a high priority.

And about your double spend fear, there is no way someone else double spend the coins if they don't have the Private Keys.

[nc50lc]

-snip-

OP is talking about "puzzle transaction" outputs with 66 and 67 bit range private key which can be easily computed from the public key.
(check the puzzle's mid ranges with revealed public keys, divisible by 5)

The main concern is; the public key will be made public the second he broadcast a transaction that spends that output.
Thus, every users that set-up a bot to compute the private key can immediately send a replacement transaction.

-snip-

Unfortunately, the idea of using other scripts wont work in existing puzzles, that specific puzzle's outputs (check "details") are simple P2PKH scripts.
The (new) puzzle has to be specifically made using it.

I bet you already think of disabling rbf flag?
However, even without opt-in-rbf flag, nodes with mempoolrbf option (full-rbf) will still accept a replacement to your transaction.
And there are miners that also support full-rbf.

The only safe way to do this is to ask a solo miner or pool to include the transaction without relaying it to the network,
but that also comes with the issue of trusting the miner whether they wouldn't take the puzzle reward themselves or not.

[Airfin Same]

-snip-

...

-snip-

.
...

The only safe way to do this is to ask a solo miner or pool to include the transaction without relaying it to the network,
but that also comes with the issue of trusting the miner whether they wouldn't take the puzzle reward themselves or not.

seems this is the only solution so far for those key
thanks

[vjudeu]

but that also comes with the issue of trusting the miner whether they wouldn't take the puzzle reward themselves or not

Well, it is also possible to share some data, which is needed to mine a block (like transaction ID, transaction Segwit ID, etc.), without sharing transaction data. Then, it would be sufficient to mine a block, but the pool wouldn't know, if it is valid or not.

And also, if you want to prove, that you know the public key, but you don't want to reveal it, then you can share for example SHA-256 of that key, and then everyone can validate, that RIPEMD-160 of it is equal to the address, used in the puzzle.

For example:

This is the public key, which you want to keep secret: 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef3 8c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
This is what you can share to prove, that you know the public key: 261c1eb21fc4708c6acbe1cfc6d4565652e9e768b620782898936b93000a6c02
This is the hash used in the address: 62e907b15cbf27d5425399ebf6f0fb50ebb88f18

Edit: And also, you can deposit funds on-chain, for example into "OP_RIPEMD160 62e907b15cbf27d5425399ebf6f0fb50ebb88f18 OP_EQUALVERIFY <yourScript>", and then, it would be possible to move those coins, only if you reveal the in-between step (which is 261c1eb21fc4708c6acbe1cfc6d4565652e9e768b620782898936b93000a6c02 in that example), and "<yourScript>" could contain any conditions, like some new public key, to avoid getting those funds captured by other mining pools.

[Airfin Same]

but that also comes with the issue of trusting the miner whether they wouldn't take the puzzle reward themselves or not

Well, it is also possible to share some data, which is needed to mine a block (like transaction ID, transaction Segwit ID, etc.), without sharing transaction data. Then, it would be sufficient to mine a block, but the pool wouldn't know, if it is valid or not.

And also, if you want to prove, that you know the public key, but you don't want to reveal it, then you can share for example SHA-256 of that key, and then everyone can validate, that RIPEMD-160 of it is equal to the address, used in the puzzle.

For example:

This is the public key, which you want to keep secret: 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef3 8c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
This is what you can share to prove, that you know the public key: 261c1eb21fc4708c6acbe1cfc6d4565652e9e768b620782898936b93000a6c02
This is the hash used in the address: 62e907b15cbf27d5425399ebf6f0fb50ebb88f18

Edit: And also, you can deposit funds on-chain, for example into "OP_RIPEMD160 62e907b15cbf27d5425399ebf6f0fb50ebb88f18 OP_EQUALVERIFY <yourScript>", and then, it would be possible to move those coins, only if you reveal the in-between step (which is 261c1eb21fc4708c6acbe1cfc6d4565652e9e768b620782898936b93000a6c02 in that example), and "<yourScript>" could contain any conditions, like some new public key, to avoid getting those funds captured by other mining pools.

application example:
this is the addr: 1GG6mV7acidZ461XvLJNcUxNicdpTFAL9Q
privkey: **
pubkey(to keep secret): 024693A3AED2774C420787C8DFCFB7B04A5CC456F49D724C20B919A9E42527EE78
i share this:
sha256: 07e96ec7a607ae6fef04c1a04786bdfdc1450c16388d4236e0890f100ae1c566
hash160: a764f0b1e02f57f995676949950e8d5bdc951966

[COBRAS]

but that also comes with the issue of trusting the miner whether they wouldn't take the puzzle reward themselves or not

Well, it is also possible to share some data, which is needed to mine a block (like transaction ID, transaction Segwit ID, etc.), without sharing transaction data. Then, it would be sufficient to mine a block, but the pool wouldn't know, if it is valid or not.

And also, if you want to prove, that you know the public key, but you don't want to reveal it, then you can share for example SHA-256 of that key, and then everyone can validate, that RIPEMD-160 of it is equal to the address, used in the puzzle.

For example:

This is the public key, which you want to keep secret: 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef3 8c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
This is what you can share to prove, that you know the public key: 261c1eb21fc4708c6acbe1cfc6d4565652e9e768b620782898936b93000a6c02
This is the hash used in the address: 62e907b15cbf27d5425399ebf6f0fb50ebb88f18

Edit: And also, you can deposit funds on-chain, for example into "OP_RIPEMD160 62e907b15cbf27d5425399ebf6f0fb50ebb88f18 OP_EQUALVERIFY <yourScript>", and then, it would be possible to move those coins, only if you reveal the in-between step (which is 261c1eb21fc4708c6acbe1cfc6d4565652e9e768b620782898936b93000a6c02 in that example), and "<yourScript>" could contain any conditions, like some new public key, to avoid getting those funds captured by other mining pools.

application example:
this is the addr: 1GG6mV7acidZ461XvLJNcUxNicdpTFAL9Q
privkey: **
pubkey(to keep secret): 024693A3AED2774C420787C8DFCFB7B04A5CC456F49D724C20B919A9E42527EE78
i share this:
sha256: 07e96ec7a607ae6fef04c1a04786bdfdc1450c16388d4236e0890f100ae1c566
hash160: a764f0b1e02f57f995676949950e8d5bdc951966

your example not in block chain, of course you know pubkey  address maked by youself.lol.


show pubkey from this address:

1JDM9dpQvTHCCcSUan6k1st6VPzqQXTwLZ


and this has160

a764f0b1e02f57f995676949950e8d5bdc951966

 invalid.




?

[nc50lc]

but that also comes with the issue of trusting the miner whether they wouldn't take the puzzle reward themselves or not

Well, it is also possible to share some data, which is needed to mine a block (like transaction ID, transaction Segwit ID, etc.), without sharing transaction data. Then, it would be sufficient to mine a block, but the pool wouldn't know, if it is valid or not.

Fair enough, the miner can start to "mine" the block header without the actual transaction.

In the event that they produced a hash lower than the target, they wouldn't be able to broadcast the block without the actual raw transaction. (or would they? Please CMIIAW)
And in mining, every millisecond counts so if the transmission of raw transaction isn't coordinated well and quick, other pools/solo miners could broadcast a block in their place.
This would need a specialized software in both miner's and user's side to be automated for low latency.

And also, if you want to prove, that you know the public key, but you don't want to reveal it, then you can share for example SHA-256 of that key, and then everyone can validate, that RIPEMD-160 of it is equal to the address, used in the puzzle.

Good idea, but I'd like to know how can this be applied exactly to existing P2PKH outputs like what OP is pertaining to?
If not possible, the creator of the puzzle may have to consider spending those weak ranges into your proposed output.

• Original "Puzzle" Transaction: 08389f34c98c606322740c0be6a7125d9860bb8d5cb182c02f98461e5fa6cd15
  
• Supplementary Transaction: 12f34b58b04dfb0233ce889f674781c0e0c7ba95482cca469125af41a78d13b3
  
  • Puzzle 66 address: blockstream.info/address/13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so
  • Puzzle 67 address: blockstream.info/address/1BY8GQbnueYofwSuFAT3USAhGjPrkxDdW9

[vjudeu]

they wouldn't be able to broadcast the block without the actual raw transaction. (or would they? Please CMIIAW)

They would be able to share only the block header. Because to share the actual block, all nodes need to know all transactions behind that. So, it is a game of incentives: there are hashes here and there, and it is a matter of planning, what to share, where, and by whom. Because the reward for the puzzle is something, which can be compared with the basic block reward. So, if one side can say: "we can sweep your reward, if you give us your public key", then another side has similar tools to say "we will keep our spending transaction secret, so you won't be able to do that, and you will lose a block". So, the risk is then on both sides: a key owner risks losing the reward from the puzzle, but the mining pool also risks losing a block.

And in mining, every millisecond counts so if the transmission of raw transaction isn't coordinated well and quick, other pools/solo miners could broadcast a block in their place.
This would need a specialized software in both miner's and user's side to be automated for low latency.

Exactly. It is hard to do, but it is possible to make it trustless.

Good idea, but I'd like to know how can this be applied exactly to existing P2PKH outputs like what OP is pertaining to?

For example, it is possible to spend some coins from such script, and get that transaction deeply confirmed. Then, every mining pool can see, that "the first person, who announced 'I have the public key' signal, is in transaction X, so that reward should go to address Y". And then, it is possible to prepare for claiming that reward, by creating an agreement with major mining pools, that they will accept only a transaction, sending coins to address Y. Then, if some pool will sweep those funds, it will be possible to show everyone a publicly available proof, that "funds from this puzzle were stolen by pool Z". And I bet if no pool will take a risk of destroying their reputation like that, then claiming the reward will be successful.

[satashi_nokamato]

Some words from satoshi himself while undercover. 

There's simply no feasible way to withdraw the funds on lower end puzzles like #66. It will be snatched up by bots. Not maybe, but it's 100% guaranteed. There will be hundreds of withdrawal transactions with varying fees all battling each other. You will simply be left in the dust.

It's a fundamental flaw in this puzzle that was originally aimed to bring the community together and try to solve the puzzle. The puzzle creator did not think much about the puzzle, and this is proof of it.

The only way the original solver will get the funds of puzzle #66 is if they can prove to be in possession of the private keys directly to the puzzle creator. The puzzle creator then withdraws the funds at a 6BTC fee (they can afford it) to your address.

[Airfin Same]

Some words from satoshi himself while undercover.  

There's simply no feasible way to withdraw the funds on lower end puzzles like #66. It will be snatched up by bots. Not maybe, but it's 100% guaranteed. There will be hundreds of withdrawal transactions with varying fees all battling each other. You will simply be left in the dust.

It's a fundamental flaw in this puzzle that was originally aimed to bring the community together and try to solve the puzzle. The puzzle creator did not think much about the puzzle, and this is proof of it.

The only way the original solver will get the funds of puzzle #66 is if they can prove to be in possession of the private keys directly to the puzzle creator. The puzzle creator then withdraws the funds at a 6BTC fee (they can afford it) to your address.

no doubt on that!
the speed now is crazy imagine

how to reach the creator? his last appear here 2019?
i believe this the only guaranteed way by giving a proof te the creator that you hit the private key and let him transfer to you

[mckemo]

If the pubkey is revealed,may someone use BSGS algorithm to crack the privkey and double spend the coins?

The public key is already known information, but that is not enough to crack the private key, and if someone get's access to the private key first they need to spend the coins before be able to double spend it. But looks like you are lost in the topic, what op means is.

Let's say someone finds the private key from puzzles 66 and 67, if they spend the coins and make public the private key, som users could use that private key to make a double spend from the same coins and if they use bigger fees then they could steal those coins. But the way to avoid that is to not make public the private key until it has more than 1 confirmation.

if the public key is known,the bsgs will solve it in seconds. i get 48 exahashes per second.

[COBRAS]

but that also comes with the issue of trusting the miner whether they wouldn't take the puzzle reward themselves or not

Well, it is also possible to share some data, which is needed to mine a block (like transaction ID, transaction Segwit ID, etc.), without sharing transaction data. Then, it would be sufficient to mine a block, but the pool wouldn't know, if it is valid or not.

Fair enough, the miner can start to "mine" the block header without the actual transaction.

In the event that they produced a hash lower than the target, they wouldn't be able to broadcast the block without the actual raw transaction. (or would they? Please CMIIAW)
And in mining, every millisecond counts so if the transmission of raw transaction isn't coordinated well and quick, other pools/solo miners could broadcast a block in their place.
This would need a specialized software in both miner's and user's side to be automated for low latency.

And also, if you want to prove, that you know the public key, but you don't want to reveal it, then you can share for example SHA-256 of that key, and then everyone can validate, that RIPEMD-160 of it is equal to the address, used in the puzzle.

Good idea, but I'd like to know how can this be applied exactly to existing P2PKH outputs like what OP is pertaining to?
If not possible, the creator of the puzzle may have to consider spending those weak ranges into your proposed output.

• Original "Puzzle" Transaction: 08389f34c98c606322740c0be6a7125d9860bb8d5cb182c02f98461e5fa6cd15
  
• Supplementary Transaction: 12f34b58b04dfb0233ce889f674781c0e0c7ba95482cca469125af41a78d13b3
  
  • Puzzle 66 address: blockstream.info/address/13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so
  • Puzzle 67 address: blockstream.info/address/1BY8GQbnueYofwSuFAT3USAhGjPrkxDdW9

puzzless addresses has RBF  transactions...

[graphite]

the private key will be compromise in seconds (1s) as i mention above with kangaroo or a similar algorithme

I was looking at https://github.com/JeanLucPons/Kangaroo and he says it would take several years to crack #130 with an exposed public key which is 129bits of entropy but don't some wallets use a 128bit private key? This would mean they could be cracked if their public key is exposed and the attack has a decent amount of compute. I know some wallets allow 12 words seeds but when they actually produce private keys from that seed do they make it a 256bit private key or 128bit?

[satashi_nokamato]

All standard wallets generate 256 bit private keys. With algorithms like kangaroo, it takes only 2**128 operations to crack one of the 256 bit keys out there.
I have no idea how many hashes all the miners generate to this date but certainly it's less than 2**85. And mining is a global effort worth billions, can you find such a group of people to come together just to crack a single private key?

[graphite]

All standard wallets generate 256 bit private keys. With algorithms like kangaroo, it takes only 2**128 operations to crack one of the 256 bit keys out there.
I have no idea how many hashes all the miners generate to this date but certainly it's less than 2**85. And mining is a global effort worth billions, can you find such a group of people to come together just to crack a single private key?

I wasn't clear on if some wallets used 128bit private keys or not but if wallets were actually using 128bit private keys and the public key was exposed it would take 2**64 operations to crack it. Which is doable based on puzzle #64. Initially This was a shock to me because i know some people use wallets with master private keys that are 128bit entropy but if the private keys derived from that seed are 256 bits then its no problem right? In this example the 256bit private key is derived from a 128bit seed so the 256bit private key is effectively 128bits of entropy. but I'm assuming the kangaroo method wouldn't be able to extend past the public and private key and take advantage of the 128bit seed.

[nc50lc]

-snip- but I'm assuming the kangaroo method wouldn't be able to extend past the public and private key and take advantage of the 128bit seed.

Correct, kangaroo is utilizing ECDLP for secp256k1 curve which computes the private key from its public key pair
so it's not applicable to compute the seed from the public key which doesn't directly involve secp256k1.

In this example the 256bit private key is derived from a 128bit seed so the 256bit private key is effectively 128bits of entropy.

The "master private key" derived from the seed is calculated with HMAC-SHA512 which outputs 256-bit private key and 256-bit chain code regardless if the seed is 128bits.
So still an overall of 128-bit security: it requires 128-bit operations to compute the (master) private key from (master) public key via ECDLP or 128-bit operations to blindly bruteforce the seed.

[Veliquant]

Some words from satoshi himself while undercover.  

There's simply no feasible way to withdraw the funds on lower end puzzles like #66. It will be snatched up by bots. Not maybe, but it's 100% guaranteed. There will be hundreds of withdrawal transactions with varying fees all battling each other. You will simply be left in the dust.

It's a fundamental flaw in this puzzle that was originally aimed to bring the community together and try to solve the puzzle. The puzzle creator did not think much about the puzzle, and this is proof of it.

The only way the original solver will get the funds of puzzle #66 is if they can prove to be in possession of the private keys directly to the puzzle creator. The puzzle creator then withdraws the funds at a 6BTC fee (they can afford it) to your address.

no doubt on that!
the speed now is crazy imagine

how to reach the creator? his last appear here 2019?
i believe this the only guaranteed way by giving a proof te the creator that you hit the private key and let him transfer to you

Sadly... the moment a lucky person finds the private key to puzzle 66, and post the transaction using the private key found,
the transaction itself will reveal the public key that it contains.

Right now the public key is not known (only the hash is known), the only way to solve the puzzle is guessing every possible private key,
calculate the public key, sha256 hash, and the ripemd 160.

Then compare each value to the already known hash value of the public key. There is no way to use Big Step,
Little Step algorithm or to use Pollard's Kangaroo method without knowing the public key in advance.

When the public key is revealed, then the puzzle 66 could be solved in less than one second using a normal computer with BSLS.

If you precompute a big enough database, let´s say 2^41 public key coordinates, you will only need to calculate about 8 million more points (2^23),
and solve the puzzle.

A RTX 1650 can get about 300 million keys/second so the puzzle will be effectively 100% sure, as you say, snatched by the bots.

If you post the transaction, with a very big transaction fee (6btc), all the money will go to the mining pool instead.

How will it work if many bots spend from the same address, all with very high fees?

[COBRAS]

Some words from satoshi himself while undercover.  

There's simply no feasible way to withdraw the funds on lower end puzzles like #66. It will be snatched up by bots. Not maybe, but it's 100% guaranteed. There will be hundreds of withdrawal transactions with varying fees all battling each other. You will simply be left in the dust.

It's a fundamental flaw in this puzzle that was originally aimed to bring the community together and try to solve the puzzle. The puzzle creator did not think much about the puzzle, and this is proof of it.

The only way the original solver will get the funds of puzzle #66 is if they can prove to be in possession of the private keys directly to the puzzle creator. The puzzle creator then withdraws the funds at a 6BTC fee (they can afford it) to your address.

no doubt on that!
the speed now is crazy imagine

how to reach the creator? his last appear here 2019?
i believe this the only guaranteed way by giving a proof te the creator that you hit the private key and let him transfer to you

Sadly... the moment a lucky person finds the private key to puzzle 66, and post the transaction using the private key found,
the transaction itself will reveal the public key that it contains.

Right now the public key is not known (only the hash is known), the only way to solve the puzzle is guessing every possible private key,
calculate the public key, sha256 hash, and the ripemd 160.

Then compare each value to the already known hash value of the public key. There is no way to use Big Step,
Little Step algorithm or to use Pollard's Kangaroo method without knowing the public key in advance.

When the public key is revealed, then the puzzle 66 could be solved in less than one second using a normal computer with BSLS.

If you precompute a big enough database, let´s say 2^41 public key coordinates, you will only need to calculate about 8 million more points (2^23),
and solve the puzzle.

A RTX 1650 can get about 300 million keys/second so the puzzle will be effectively 100% sure, as you say, snatched by the bots.

If you post the transaction, with a very big transaction fee (6btc), all the money will go to the mining pool instead.

How will it work if many bots spend from the same address, all with very high fees?

If you precompute a big enough database, let´s say 2^41 public key coordinates, you will only need to calculate about 8 million more points (2^23),
and solve the puzzle.


unfortunately no, you need additional 2^23 * 2**41 - 2^41 .

[Veliquant]

unfortunately no, you need additional 2^23 * 2**41 - 2^41 .

Good afternoon, I´m positive about only needing to calculate 2^23 coordinates if you use the BSGS algorithm and pre compute 2^41 points.

The set I propose is like this:

You precompute points from k =1 to k=2^41 with a step of 1 (small step sequentially), store the last 64 bits of every x coordinate in a database.
Because of the symmetry of the secp256k1 curve over the x axis, you can set the big step to 2*2^41= 2^42. Every +k point is equivalent to -k.

If the target coordinate of the unknown K is near 2^66 (worst case), first you subtract the point (x,y) = 2^65, so now your range is from 0 to 2^65.

Then beginning from your unknown (x,y) you will subtract sequentially (x,y)= 2^42 * n times, checking each step x coordinate against the x coordinates on the database.

Because of symmetry, k = (x,y) and -k = (x, -y) have the same x coordinate, so computing the positive x's is equivalent to compute the negative x's.

If you jump 2^23 jumps *2^42 distance, you get 2^65 total distance, and at most 2^23 you have to land in the database in a deterministic way.

I was able to discard the first 2^65 Keys in puzze 130 , with my own implementation of the BSGS algorithm in python on CPU only, and a 2TB database.

I see it as a reverse BSGS because you go backwards from the unknown K to k = 0 in big jumps.

I understand Shank's algorithm is at most 2*sqrt(N) operations with no use of symmetry.

If you use symmetry, every point is like calculating 2, and now the total number of operations should be at most 2*sqrt(N/2) = sqrt(2)*sqrt(N) approx. 1.4 sqrt(N) operations.

Instead of calculating 2^32 for the database and 2^32 points, you trade more storage and more operations now, for less operations later.

My very slow implementation in 1 CPU and python manages to calculate 200.000 coordinates/sec, I have 12 cores, I make 2.4 million keys/second.

I believe I could solve it in less than 4 seconds, after the public key is made public, if I manage to store a 16 TB database.