Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo

[WanderingPhilospher]

Mirror = takes advantage of group symmetry - you have both P and -P with the same X. If DP is on X and a DP is found, then you basically have two DPs found instead of one. Also this helps with more collisions.

This doesn't make sense to me. Why would you need the same point in the database. I don't see how this is useful.

In general terms, first you bring the wild kangaroo to the (-N/2, N/2) range, and you are not sure if it landed on the positive side or the negative side of the range, so you need a way to calculate the next jump, taking in to consideration both possibilities but having the same resulting landing point. This means you begin in one point, calculate the negative (-Y) at no cost and then you choose the one with smaller Y to calculate the jump.

In practice if the tamed kangaroo lands on the positive or negative point, it will be a collision, and you will catch it at the next distinguished point.

Also you have the same range N and you double the amount of calculated points but with only 1 point computation per 2 points result cost.

About the database now 1 distinguished point will "Include" twice as much points in the trailing paths. Remember the X coordinate is the same for both points so the probability of finding one distinguished point stays the same. Also as KtimesG says you will have 2 distinguished points instead of 1, the same X with n trailing zeroes and different Y, one with +Y and -Y.

Yeah but if I am storing X points, I don't really care about having 2 in the database "will have 2 distinguished points instead of 1, the same X with n trailing zeroes and different Y, one with +Y and -Y"; I only need one of them stored to solve.

[kTimesG]

Mirror = takes advantage of group symmetry - you have both P and -P with the same X. If DP is on X and a DP is found, then you basically have two DPs found instead of one. Also this helps with more collisions.

This doesn't make sense to me. Why would you need the same point in the database. I don't see how this is useful.

Well a DP entry has a key (hash or whatever) and a value (distance from base point).

If the DP hash matches, you can compute for two possible values for each distance, because the collision may have happened on either the odd or even Y coord.

So, a 4-way match instead of just one. For tames, you know the distance, so you can compute both key values. For wilds, you can similarly consider the distance as being on the left or right side of the interval, so they can both be used as a potential match. It all checks out.

[Veliquant]

Mirror = takes advantage of group symmetry - you have both P and -P with the same X. If DP is on X and a DP is found, then you basically have two DPs found instead of one. Also this helps with more collisions.

This doesn't make sense to me. Why would you need the same point in the database. I don't see how this is useful.

In general terms, first you bring the wild kangaroo to the (-N/2, N/2) range, and you are not sure if it landed on the positive side or the negative side of the range, so you need a way to calculate the next jump, taking in to consideration both possibilities but having the same resulting landing point. This means you begin in one point, calculate the negative (-Y) at no cost and then you choose the one with smaller Y to calculate the jump.

In practice if the tamed kangaroo lands on the positive or negative point, it will be a collision, and you will catch it at the next distinguished point.

Also you have the same range N and you double the amount of calculated points but with only 1 point computation per 2 points result cost.

About the database now 1 distinguished point will "Include" twice as much points in the trailing paths. Remember the X coordinate is the same for both points so the probability of finding one distinguished point stays the same. Also as KtimesG says you will have 2 distinguished points instead of 1, the same X with n trailing zeroes and different Y, one with +Y and -Y.

Yeah but if I am storing X points, I don't really care about having 2 in the database "will have 2 distinguished points instead of 1, the same X with n trailing zeroes and different Y, one with +Y and -Y"; I only need one of them stored to solve.

Yes I believe, you only need to store the X coordinate (or its hash) and the corresponding Kangaroo ID

[WanderingPhilospher]

Mirror = takes advantage of group symmetry - you have both P and -P with the same X. If DP is on X and a DP is found, then you basically have two DPs found instead of one. Also this helps with more collisions.

This doesn't make sense to me. Why would you need the same point in the database. I don't see how this is useful.

Well a DP entry has a key (hash or whatever) and a value (distance from base point).

If the DP hash matches, you can compute for two possible values for each distance, because the collision may have happened on either the odd or even Y coord.

So, a 4-way match instead of just one. For tames, you know the distance, so you can compute both key values. For wilds, you can similarly consider the distance as being on the left or right side of the interval, so they can both be used as a potential match. It all checks out.

I still do not get why you have to store both, tame or wild, or both, all 4 DPs, a 4-way match as you said. Or just going back to the original statement, why it makes sense to store both, "...then you basically have two DPs found instead of one".

The kicker is, if you found one, you know that you have found both. They are the same value +/-. So I do not know why one would save both in a table.

Let us say we are searching for private key 0x15, public key 02352bbf4a4cdd12564f93fa332ce333301d9ad40271f8107181340aef25be59d5 at DP 0.

I have a tame that landed on private key (point) 0x16, point and distance stored:
421F5FC9A21065445C96FDB91C0C1E2F2431741C72713B4B99DDCB316F31E9FC :  16

Let's say we had a tame land on the + and the -; right or left side, etc. of private key (point) 0x1, or fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140; the point and distance stored would be:
421F5FC9A21065445C96FDB91C0C1E2F2431741C72713B4B99DDCB316F31E9FC :  1

or if you program in some wacky kind of way, it would be stored as:
421F5FC9A21065445C96FDB91C0C1E2F2431741C72713B4B99DDCB316F31E9FC :  fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140

Now you can jumble up the table and add some kind of switch that lets you know if it is right/left +/-, or have your solver code check both +/-, but I would never store the same exact points, for tames nor wilds. Just one for me

[kTimesG]

I still do not get why you have to store both, tame or wild, or both, all 4 DPs, a 4-way match as you said. Or just going back to the original statement, why it makes sense to store both, "...then you basically have two DPs found instead of one".

I think it was misunderstood. Where did I mention that both DPs need to be stored?

I said that when a DP is found, then you basically have two DPs. In a single database entry, since they both have the same X, hence the same hash (if Y is not used to affect the hash of the DP entry).

It shouldn't even be possible to store both - DP database keys must be unique for fast search. So an insertion will fail when a collision is detected, or when the DP hash collides, or when some kangaroo type collides with itself (and dies if the landed point is the stored DP point, not its opposite).

[JackMazzoni]

How many rtx 4090 gpu needed to solve puzzle 135 using your software?

[Cricktor]

~~~

Do you understand that the way you asked your question is plain stupid? And because you didn't put much effort into your question, I will answer deliberately on the same level: you need just one RTX 4090 to solve puzzle 135 eventually, in few hundreds of years. You could also use just zero RTX 4090 and go cpu-only, we're then in a time frame of many thousands of years.

I'm sure it's not precisely the answer you were looking for. Ask your questions with a bit more brain involved.

[Akito S. M. Hosana]

How many rtx 4090 gpu needed to solve puzzle 135 using your software?

Around 2,500 RTX 4090 GPUs would take approximately two months to solve the puzzle. For Puzzle 140, you would need to be Elon Musk and have over 10,000 GPUs.

[Gourav77]

Hello sir , Could you please allow me to contact you? I am a first-year Computer Science student at IIT (India). I recently heard about the BTC puzzle and would love to solve these puzzles, but I am a complete beginner.

I genuinely want to learn and understand the concepts rather than simply copying others' scripts and running them on my PC. I would be truly grateful if you could guide me in solving these puzzles. Would you be willing to take me under your guidance? I promise to put in my best effort to learn and understand.

As a student, I am not in a good financial condition, but I am eager to learn. Kindly consider my request and reply at your convenience.

Thank you 🙏

[farou9]

how much time does it take to break 107 bit key using rckangaroo ?

[kTimesG]

how much time does it take to break 107 bit key using rckangaroo ?

It is well known that bit keys are a bit tough. Usually a single bit takes some effort, depending on how much of a hammer you use to crack it open. It also depends on your body constitution and any known medical conditions. Some people take them slow, others jump right on it with full force.

So 107 bits might take somewhere between one Planck time unit and some infinite amount of time well beyond after the last proton in the Universe decays.

[farou9]

how much time does it take to break 107 bit key using rckangaroo ?

It is well known that bit keys are a bit tough. Usually a single bit takes some effort, depending on how much of a hammer you use to crack it open. It also depends on your body constitution and any known medical conditions. Some people take them slow, others jump right on it with full force.

So 107 bits might take somewhere between one Planck time unit and some infinite amount of time well beyond after the last proton in the Universe decays.

so my question is , let say we have 2^27 points stored in a file and we guarantee that one of theme's scalar is between 1 and 2^107 , what is the fastest approach we can take to solve it?

[kTimesG]

how much time does it take to break 107 bit key using rckangaroo ?

It is well known that bit keys are a bit tough. Usually a single bit takes some effort, depending on how much of a hammer you use to crack it open. It also depends on your body constitution and any known medical conditions. Some people take them slow, others jump right on it with full force.

So 107 bits might take somewhere between one Planck time unit and some infinite amount of time well beyond after the last proton in the Universe decays.

so my question is , let say we have 2^27 points stored in a file and we guarantee that one of theme's scalar is between 1 and 2^107 , what is the fastest approach we can take to solve it?

Easy-peasy. You need one tame kangaroo and 2^27 types of wild kangaroos. They all walk one step at a time until you have a tame-wildX collision or a wildX/wildX collision (same type of wild). Basically that's running 2^27 Kangaroo instances at once.

If some point indeed has a scalar less than 2^107 then the shenanigan stops after around 2^54 steps or so. But it may not, because we only used one wild kangaroo for every problem. What to do? Create a new wild kangaroo for each type and start over. This will, again take more or less than 2^54 steps.

By that time you'll have jumped some good 2^(27 + 54) * numberOfRestarts steps, that's 2^80 jumps at least. Equivalent of Puzzle 160. Multiply that by the number of restarts.

Or simply start off 2^27 Kangaroo instances. Set and forget, until one yields something. It may not. Who's to know.  

[vaccar73]

hi RetiredCoder, thank you for sharing your hard work with us, I am new to this, so I do not really understand much of what is mentioned here.

Have you posted any pictures of your hardware setup anywhere ?


Anyway I tested puzzle 85, I have two of the 3060M Frankenstein Cards in my desktop

Code:

C:\rck>RCKangaroo.exe -dp 16 -range 84 -start 1000000000000000000000 -pubkey 0329c4574a4fd8c810b7e42a4b398882b381bcd85e40c6883712912d167c83e73a
********************************************************************************
*                    RCKangaroo v3.0  (c) 2024 RetiredCoder                    *
********************************************************************************

This software is free and open-source: https://github.com/RetiredC
It demonstrates fast GPU implementation of SOTA Kangaroo method for solving ECDLP
Windows version
CUDA devices: 2, CUDA driver/runtime: 12.8/12.8
GPU 0: NVIDIA GeForce RTX 3060 Laptop GPU, 6.00 GB, 30 CUs, cap 8.6, PCI 1, L2 size: 3072 KB
GPU 1: NVIDIA GeForce RTX 3060 Laptop GPU, 6.00 GB, 30 CUs, cap 8.6, PCI 3, L2 size: 3072 KB
Total GPUs for work: 2

MAIN MODE

Solving public key
X: 29C4574A4FD8C810B7E42A4B398882B381BCD85E40C6883712912D167C83E73A
Y: 0E02C3AFD79913AB0961C95F12498F36A72FFA35C93AF27CEE30010FA6B51C53
Offset: 0000000000000000000000000000000000000000001000000000000000000000

Solving point: Range 84 bits, DP 16, start...
SOTA method, estimated ops: 2^42.202, RAM for DPs: 3.062 GB. DP and GPU overheads not included!
Estimated DPs per kangaroo: 39.253.
GPU 0: allocated 2899 MB, 983040 kangaroos. OldGpuMode: Yes
GPU 1: allocated 2899 MB, 983040 kangaroos. OldGpuMode: Yes
GPUs started...
MAIN: Speed: 3037 MKeys/s, Err: 0, DPs: 449K/77175K, Time: 0d:00h:00m/0d:00h:27m
MAIN: Speed: 3326 MKeys/s, Err: 0, DPs: 974K/77175K, Time: 0d:00h:00m/0d:00h:25m
MAIN: Speed: 3318 MKeys/s, Err: 0, DPs: 1484K/77175K, Time: 0d:00h:00m/0d:00h:25m

MAIN: Speed: 3244 MKeys/s, Err: 0, DPs: 109584K/77175K, Time: 0d:00h:36m/0d:00h:25m
MAIN: Speed: 3244 MKeys/s, Err: 0, DPs: 110079K/77175K, Time: 0d:00h:36m/0d:00h:25m
Stopping work ...
Point solved, K: 1.648 (with DP and GPU overheads)


PRIVATE KEY: 00000000000000000000000000000000000000000011720C4F018D51B8CEBBA8


C:\rck>

[Cricktor]

Have you posted any pictures of your hardware setup anywhere ?

Are you too lazy to look for yourself in RetiredCoder's post history? Just invest a little bit of time yourself, instead of asking to be spoon-fed, how tiresome!

Quick overview: https://ninjastic.space/search?author=RetiredCoder  ---  Look, Ma, I can read!

[vaccar73]

Have you posted any pictures of your hardware setup anywhere ?

Are you too lazy to look for yourself in RetiredCoder's post history? Just invest a little bit of time yourself, instead of asking to be spoon-fed, how tiresome!

Quick overview: https://ninjastic.space/search?author=RetiredCoder  ---  Look, Ma, I can read!

why are you cluttering this thread with your useless pompous comments, stop hijacking peoples threads

OP asked to post speed results of different cards, so I did, it was my first post ever on this forum, and I purposely
 joined so that I can post my results and try to contribute some data to this thread, and then you reply to it with your snotty comment, what is wrong with you, get over yourself, you are not that important


Just because I showed interest in his hardware setup of 400 gpus, does not mean I want to be spoon fed, I was just wanting to see what a 400 gpu setup looks like.

I did look threw his post history and did not see pictures, maybe he posted them some where else, did you happen do consider that?

[mjojo]

Have you posted any pictures of your hardware setup anywhere ?

Are you too lazy to look for yourself in RetiredCoder's post history? Just invest a little bit of time yourself, instead of asking to be spoon-fed, how tiresome!

Quick overview: https://ninjastic.space/search?author=RetiredCoder  ---  Look, Ma, I can read!

why are you cluttering this thread with your useless pompous comments, stop hijacking peoples threads

OP asked to post speed results of different cards, so I did, it was my first post ever on this forum, and I purposely
 joined so that I can post my results and try to contribute some data to this thread, and then you reply to it with your snotty comment, what is wrong with you, get over yourself, you are not that important


Just because I showed interest in his hardware setup of 400 gpus, does not mean I want to be spoon fed, I was just wanting to see what a 400 gpu setup looks like.

I did look threw his post history and did not see pictures, maybe he posted them some where else, did you happen do consider that?

I just wonder RC when he said use more than 400 gpus for solving P130, what kind of single motherboard can accept that all gpus for running RCkang?? I never see that even for mining rig when ETH in POW. so I just make conclusion (disclaimer maybe its wrong) he split the range of P130 and his 400 gpus in several rig. make illustration for explaining  the range is 200 and number gpus is 80 then split to 4 range (1 - 50, 50 - 100, 100 -150, 150 - 200) and each range use 20 gpus for running RCkang.

[vaccar73]

So I did another puzzle 84 test with 5 RTX 3060m Frankenstein cards, and 1 RTX 2070 card

It solved it in 10 minutes

It seem the MKeys/s goes down over time for some reason.

Any suggestions on what command parameters I should use for puzzle 135 with this current Gpu setup, I am not sure what the dp and tames parameters do exactly.

Would it be better to split up the 135 range ?

I hopes it is OK that I am asking questions, like I said before I am new to this.

Code:

C:\rck>RCKangaroo.exe -dp 16 -range 84 -start 1000000000000000000000 -pubkey 0329c4574a4fd8c810b7e42a4b398882b381bcd85e40c6883712912d167c83e73a
********************************************************************************
*                    RCKangaroo v3.0  (c) 2024 RetiredCoder                    *
********************************************************************************

This software is free and open-source: https://github.com/RetiredC
It demonstrates fast GPU implementation of SOTA Kangaroo method for solving ECDLP
Windows version
CUDA devices: 6, CUDA driver/runtime: 12.8/12.8
GPU 0: NVIDIA GeForce RTX 3060 Laptop GPU, 6.00 GB, 30 CUs, cap 8.6, PCI 3, L2 size: 3072 KB
GPU 1: NVIDIA GeForce RTX 3060 Laptop GPU, 6.00 GB, 30 CUs, cap 8.6, PCI 4, L2 size: 3072 KB
GPU 2: NVIDIA GeForce RTX 3060 Laptop GPU, 6.00 GB, 30 CUs, cap 8.6, PCI 5, L2 size: 3072 KB
GPU 3: NVIDIA GeForce RTX 3060 Laptop GPU, 6.00 GB, 30 CUs, cap 8.6, PCI 6, L2 size: 3072 KB
GPU 4: NVIDIA GeForce RTX 3060 Laptop GPU, 6.00 GB, 30 CUs, cap 8.6, PCI 8, L2 size: 3072 KB
GPU 5: NVIDIA GeForce RTX 2070, 8.00 GB, 36 CUs, cap 7.5, PCI 9, L2 size: 4096 KB
Total GPUs for work: 6

MAIN MODE

Solving public key
X: 29C4574A4FD8C810B7E42A4B398882B381BCD85E40C6883712912D167C83E73A
Y: 0E02C3AFD79913AB0961C95F12498F36A72FFA35C93AF27CEE30010FA6B51C53
Offset: 0000000000000000000000000000000000000000001000000000000000000000

Solving point: Range 84 bits, DP 16, start...
SOTA method, estimated ops: 2^42.202, RAM for DPs: 3.062 GB. DP and GPU overheads not included!
Estimated DPs per kangaroo: 12.662.
GPU 0: allocated 2899 MB, 983040 kangaroos. OldGpuMode: Yes
GPU 1: allocated 2899 MB, 983040 kangaroos. OldGpuMode: Yes
GPU 2: allocated 2899 MB, 983040 kangaroos. OldGpuMode: Yes
GPU 3: allocated 2899 MB, 983040 kangaroos. OldGpuMode: Yes
GPU 4: allocated 2899 MB, 983040 kangaroos. OldGpuMode: Yes
GPU 5: allocated 3477 MB, 1179648 kangaroos. OldGpuMode: Yes
GPUs started...
MAIN: Speed: 8204 MKeys/s, Err: 0, DPs: 1202K/77175K, Time: 0d:00h:00m/0d:00h:10m
MAIN: Speed: 10167 MKeys/s, Err: 0, DPs: 2774K/77175K, Time: 0d:00h:00m/0d:00h:08m
MAIN: Speed: 10142 MKeys/s, Err: 0, DPs: 4346K/77175K, Time: 0d:00h:00m/0d:00h:08m
MAIN: Speed: 10133 MKeys/s, Err: 0, DPs: 5872K/77175K, Time: 0d:00h:00m/0d:00h:08m
...
MAIN: Speed: 9439 MKeys/s, Err: 0, DPs: 92661K/77175K, Time: 0d:00h:10m/0d:00h:08m
MAIN: Speed: 9432 MKeys/s, Err: 0, DPs: 94099K/77175K, Time: 0d:00h:10m/0d:00h:08m
MAIN: Speed: 9440 MKeys/s, Err: 0, DPs: 95549K/77175K, Time: 0d:00h:10m/0d:00h:08m
Stopping work ...
Point solved, K: 1.432 (with DP and GPU overheads)


PRIVATE KEY: 00000000000000000000000000000000000000000011720C4F018D51B8CEBBA8


C:\rck>

[kTimesG]

It seem the MKeys/s goes down over time for some reason.

Yeah, I really wonder why as well. I think it has to do with some basic laws of physics, like... things heat up, and heat = energy, so you're losing more energy on disipating heat rather than on jumping RC kangaroos.

Any suggestions on what command parameters I should use for puzzle 135 with this current Gpu setup, I am not sure what the dp and tames parameters do exactly.

Would it be better to split up the 135 range ?

I hopes it is OK that I am asking questions, like I said before I am new to this.

I suggest you don't, since this a demo program. You will waste your time, you need a fully distributed software system, not an .exe Frankly, all of your questions are kinda stupid. Computing power is a commodity that can be bought, and you are asking people to show pictures of their oil drilling setup just because they drove a car. Or setup of their solar power grid just because they can light up their TV.

[Dontbeatool2]

Hi all,

Here is my research about using kangaroo methods to solve ECDLP, Part 1.
Open source:  https://github.com/RetiredC/Kang-1

This software demonstrates various ways to solve the ECDLP using Kangaroos.
The required number of operations is approximately K * sqrt(range), where K is a coefficient that depends on the method used.
This software demonstrates four methods:

1 - Classic. The simplest method. There are two groups of kangaroos: tame and wild.
As soon as a collision between any tame and wild kangaroos happens, the ECDLP is solved.
In practice, K is approximately 2.10 for this method.

2 - 3-way. A more advanced method. There are three groups of kangaroos: tame, wild1, and wild2.
As soon as a collision happens between any two types of kangaroos, the ECDLP is solved.
In practice, K is approximately 1.60 for this method.

3 - Mirror. This method uses two groups of kangaroos and the symmetry of the elliptic curve to improve K.
Another trick is to reduce the range for wild kangaroos.
In practice, K is approximately 1.30 for this method.
The main issue with this method is that the kangaroos loop continuously.

4 - SOTA. This method uses three groups of kangaroos and the symmetry of the elliptic curve.
In practice, K is approximately 1.15 for this method. The main issue is the same as in the Mirror method.
I couldn’t find any papers about this method, so let's assume that I invented it

Important note: this software handles kangaroo looping in a very simple way.
This method is bad for large ranges higher than 100 bits.
Next part will demonstrate a good way to handle loops.

PS. Please don't post any stupid messages here, I will remove them.

Hello.
I find it difficult to understand C or C++ language in math operations.

Instead, I develop algorithms with the Fastecdsa Library in Python. I then switch to C or C++ for performance and then use it with GPU performance.

When I tried to read your article, I tried to understand what the value of K is based on. If I see this rule of 4 algorithm you mentioned (such as Fastecdsa or Sagemath in Python), I can join your conversation more.

Just wanted to point out. I am following your topic.

Thank you very much.

import threading
from hashlib import sha256
from ecdsa import SECP256k1, ellipticcurve
from binascii import unhexlify
import random

# Elliptic Curve Parameters
curve = SECP256k1.curve
G = SECP256k1.generator
order = SECP256k1.order

# Puzzle 135 Compressed Public Key
pubkey_hex = '02145d2611c823a396ef6712ce0f712f09b9b4f3135e3e0aa3230fb9b6d08d1e16'
pubkey_bytes = unhexlify(pubkey_hex)

def decompress_pubkey(pubkey_bytes):
    prefix = pubkey_bytes[0]
    x = int.from_bytes(pubkey_bytes[1:], 'big')
    alpha = (x ** 3 + 7) % curve.p()
    beta = pow(alpha, (curve.p() + 1) // 4, curve.p())
    y = beta if (beta % 2 == 0 and prefix == 2) or (beta % 2 == 1 and prefix == 3) else curve.p() - beta
    return ellipticcurve.Point(curve, x, y)

P_target = decompress_pubkey(pubkey_bytes)

# Puzzle 135 Range
lower_bound = int("4000000000000000000000000000000000", 16)
upper_bound = int("7fffffffffffffffffffffffffffffffff", 16)

# Generate fixed step table
def generate_step_table(n=64):
    random.seed(42)
    return [random.randint(1 << 16, 1 << 20) for _ in range(n)]

# Step function using point hash
def step_function(P, table):
    h = int(sha256(P.x().to_bytes(32, 'big') + P.y().to_bytes(32, 'big')).hexdigest(), 16)
    idx = h % len(table)
    s = table[idx]
    return s, s * G

# Walk logic
def kangaroo_walk(start_scalar, start_point, table, max_iters=500000):
    X = start_point
    a = start_scalar
    visited = {}

    for _ in range(max_iters):
        s, sG = step_function(X, table)
        X = X + sG
        a = (a + s) % order

        if (X.x() & ((1 << 20) - 1)) == 0:
            key = (X.x(), X.y())
            if key in visited:
                return visited[key], a, key
            visited[key] = a

    return None, a, None

# Threaded worker
def kangaroo_thread(thread_id, table):
    secret_scalar = random.randint(lower_bound, upper_bound)
    wild_point = secret_scalar * G
    _, wild_a, wild_key = kangaroo_walk(0, wild_point, table)

    tame_point = upper_bound * G
    _, tame_a, tame_key = kangaroo_walk(upper_bound, tame_point, table)

    if tame_key and wild_key and tame_key == wild_key:
        recovered = (tame_a - wild_a) % order
        if recovered == secret_scalar:
            print(f"[Thread {thread_id}] SUCCESS: Recovered key {hex(recovered)} matches {hex(secret_scalar)}")
        else:
            print(f"[Thread {thread_id}] Collision found but recovery failed.")
    else:
        print(f"[Thread {thread_id}] No collision found in this walk.")

# Main launcher
def run_kangaroo_threads(num_threads=10):
    step_table = generate_step_table()
    threads = []

    for i in range(num_threads):
        t = threading.Thread(target=kangaroo_thread, args=(i, step_table))
        t.start()
        threads.append(t)

    for t in threads:
        t.join()

# Run all
if __name__ == "__main__":
    run_kangaroo_threads(10)
This was closest I came with python hope it helps still raw.

Hi all,

Here is my research about using kangaroo methods to solve ECDLP, Part 1.
Open source:  https://github.com/RetiredC/Kang-1

This software demonstrates various ways to solve the ECDLP using Kangaroos.
The required number of operations is approximately K * sqrt(range), where K is a coefficient that depends on the method used.
This software demonstrates four methods:

1 - Classic. The simplest method. There are two groups of kangaroos: tame and wild.
As soon as a collision between any tame and wild kangaroos happens, the ECDLP is solved.
In practice, K is approximately 2.10 for this method.

2 - 3-way. A more advanced method. There are three groups of kangaroos: tame, wild1, and wild2.
As soon as a collision happens between any two types of kangaroos, the ECDLP is solved.
In practice, K is approximately 1.60 for this method.

3 - Mirror. This method uses two groups of kangaroos and the symmetry of the elliptic curve to improve K.
Another trick is to reduce the range for wild kangaroos.
In practice, K is approximately 1.30 for this method.
The main issue with this method is that the kangaroos loop continuously.

4 - SOTA. This method uses three groups of kangaroos and the symmetry of the elliptic curve.
In practice, K is approximately 1.15 for this method. The main issue is the same as in the Mirror method.
I couldn’t find any papers about this method, so let's assume that I invented it

Important note: this software handles kangaroo looping in a very simple way.
This method is bad for large ranges higher than 100 bits.
Next part will demonstrate a good way to handle loops.

PS. Please don't post any stupid messages here, I will remove them.

Hello.
I find it difficult to understand C or C++ language in math operations.

Instead, I develop algorithms with the Fastecdsa Library in Python. I then switch to C or C++ for performance and then use it with GPU performance.

When I tried to read your article, I tried to understand what the value of K is based on. If I see this rule of 4 algorithm you mentioned (such as Fastecdsa or Sagemath in Python), I can join your conversation more.

Just wanted to point out. I am following your topic.

Thank you very much.

sorry posted wrong script previously this is raw script with the new methods:
import threading
import multiprocessing
import hashlib
import cupy as cp
from ecdsa import SECP256k1, ellipticcurve
from binascii import unhexlify
import os

# === CONFIGURATION ===
NUM_THREADS = 10
BATCH_SIZE = 1_000_000
LOG_DIR = "./logs"
MATCH_LOG = os.path.join(LOG_DIR, "135match.txt")
PROGRESS_LOG = os.path.join(LOG_DIR, "kangaroo_progress.log")

# === ECDSA SETUP ===
curve = SECP256k1.curve
G = SECP256k1.generator
order = SECP256k1.order

# Puzzle 135 compressed public key
pubkey_hex = '02145d2611c823a396ef6712ce0f712f09b9b4f3135e3e0aa3230fb9b6d08d1e16'
pubkey_bytes = unhexlify(pubkey_hex)

def decompress_pubkey(pubkey_bytes):
    prefix = pubkey_bytes[0]
    x = int.from_bytes(pubkey_bytes[1:], 'big')
    alpha = (x ** 3 + 7) % curve.p()
    beta = pow(alpha, (curve.p() + 1) // 4, curve.p())
    y = beta if (beta % 2 == 0 and prefix == 2) or (beta % 2 == 1 and prefix == 3) else curve.p() - beta
    return ellipticcurve.Point(curve, x, y)

P_target = decompress_pubkey(pubkey_bytes)

# Puzzle 135 keyspace
lower_bound = int("4000000000000000000000000000000000", 16)
upper_bound = int("7fffffffffffffffffffffffffffffffff", 16)
keyspace = upper_bound - lower_bound

# === LOGGING SETUP ===
os.makedirs(LOG_DIR, exist_ok=True)
log_lock = threading.Lock()

def log_progress(message):
    with log_lock:
        with open(PROGRESS_LOG, "a") as f:
            f.write(message + "\n")
        print(message)

def log_match(scalar_hex):
    with log_lock:
        with open(MATCH_LOG, "a") as f:
            f.write(scalar_hex + "\n")
        print(f"[MATCH FOUND] {scalar_hex}")

# === STEP TABLE ===
def generate_step_table(n=256):
    cp.random.seed(42)
    return cp.array(cp.random.randint(1 << 12, 1 << 20, size=(n, 3), dtype=cp.uint64))

def step_function_3jump(P, table):
    h = int(hashlib.sha256(P.x().to_bytes(32, 'big') + P.y().to_bytes(32, 'big')).hexdigest(), 16)
    idx = h % table.shape[0]
    steps = table[idx]
    s1, s2, s3 = int(steps[0]), int(steps[1]), int(steps[2])
    total = s1 + s2 + s3
    return total, s1 * G + s2 * G + s3 * G

# === KANGAROO WALK ===
def kangaroo_walk(start_scalar, start_point, table, max_iters=500000):
    X = start_point
    a = start_scalar
    visited = {}

    for _ in range(max_iters):
        s, sG = step_function_3jump(X, table)
        X = X + sG
        a = (a + s) % order
        if (X.x() & ((1 << 20) - 1)) == 0:
            key = (X.x(), X.y())
            if key in visited:
                return visited[key], a, key
            visited[key] = a
    return None, a, None

# === WORKER FUNCTION ===
def kangaroo_worker(proc_id, start_base, step_table):
    threads = []

    def thread_func(thread_id, thread_offset):
        batch_start = start_base + thread_offset * BATCH_SIZE
        batch_end = min(batch_start + BATCH_SIZE, upper_bound)
        secret_scalar = batch_start
        wild_point = secret_scalar * G
        _, wild_a, wild_key = kangaroo_walk(0, wild_point, step_table)

        tame_point = upper_bound * G
        _, tame_a, tame_key = kangaroo_walk(upper_bound, tame_point, step_table)

        if tame_key and wild_key and tame_key == wild_key:
            recovered = (tame_a - wild_a) % order
            if recovered == secret_scalar:
                log_match(hex(recovered))
            else:
                log_progress(f"[Proc {proc_id}][Thread {thread_id}] Collision mismatch.")
        else:
            log_progress(f"[Proc {proc_id}][Thread {thread_id}] Range {hex(batch_start)} - {hex(batch_end)} completed with no match.")

    for i in range(NUM_THREADS):
        t = threading.Thread(target=thread_func, args=(i, i))
        t.start()
        threads.append(t)
    for t in threads:
        t.join()

# === MULTIPROCESS CONTROL ===
def launch_processes(total_batches=5):
    step_table = generate_step_table()
    processes = []

    for i in range(total_batches):
        start = lower_bound + i * NUM_THREADS * BATCH_SIZE
        if start >= upper_bound:
            break
        p = multiprocessing.Process(target=kangaroo_worker, args=(i, start, step_table))
        p.start()
        processes.append(p)

    for p in processes:
        p.join()

# === START ===
if __name__ == "__main__":
    launch_processes(total_batches=5)

Hi all,

Here is my research about using kangaroo methods to solve ECDLP, Part 1.
Open source:  https://github.com/RetiredC/Kang-1

This software demonstrates various ways to solve the ECDLP using Kangaroos.
The required number of operations is approximately K * sqrt(range), where K is a coefficient that depends on the method used.
This software demonstrates four methods:

1 - Classic. The simplest method. There are two groups of kangaroos: tame and wild.
As soon as a collision between any tame and wild kangaroos happens, the ECDLP is solved.
In practice, K is approximately 2.10 for this method.

2 - 3-way. A more advanced method. There are three groups of kangaroos: tame, wild1, and wild2.
As soon as a collision happens between any two types of kangaroos, the ECDLP is solved.
In practice, K is approximately 1.60 for this method.

3 - Mirror. This method uses two groups of kangaroos and the symmetry of the elliptic curve to improve K.
Another trick is to reduce the range for wild kangaroos.
In practice, K is approximately 1.30 for this method.
The main issue with this method is that the kangaroos loop continuously.

4 - SOTA. This method uses three groups of kangaroos and the symmetry of the elliptic curve.
In practice, K is approximately 1.15 for this method. The main issue is the same as in the Mirror method.
I couldn’t find any papers about this method, so let's assume that I invented it

Important note: this software handles kangaroo looping in a very simple way.
This method is bad for large ranges higher than 100 bits.
Next part will demonstrate a good way to handle loops.

PS. Please don't post any stupid messages here, I will remove them.

Hello.
I find it difficult to understand C or C++ language in math operations.

Instead, I develop algorithms with the Fastecdsa Library in Python. I then switch to C or C++ for performance and then use it with GPU performance.

When I tried to read your article, I tried to understand what the value of K is based on. If I see this rule of 4 algorithm you mentioned (such as Fastecdsa or Sagemath in Python), I can join your conversation more.

Just wanted to point out. I am following your topic.

Thank you very much.

Here is my best shot at nailing Sota+ It is still raw but if it helps:
import threading
import multiprocessing
import hashlib
import cupy as cp
from ecdsa import SECP256k1, ellipticcurve
from binascii import unhexlify
import os

# === CONFIGURATION ===
NUM_THREADS = 10
BATCH_SIZE = 1_000_000
LOG_DIR = "./logs"
MATCH_LOG = os.path.join(LOG_DIR, "135match.txt")
PROGRESS_LOG = os.path.join(LOG_DIR, "kangaroo_progress.log")
USE_SOTA_PLUS = True  # Toggle SOTA+ mode

# === ECDSA SETUP ===
curve = SECP256k1.curve
G = SECP256k1.generator
order = SECP256k1.order
p = curve.p()

pubkey_hex = '02145d2611c823a396ef6712ce0f712f09b9b4f3135e3e0aa3230fb9b6d08d1e16'
pubkey_bytes = unhexlify(pubkey_hex)

def decompress_pubkey(pubkey_bytes):
    prefix = pubkey_bytes[0]
    x = int.from_bytes(pubkey_bytes[1:], 'big')
    alpha = (x ** 3 + 7) % p
    beta = pow(alpha, (p + 1) // 4, p)
    y = beta if (beta % 2 == 0 and prefix == 2) or (beta % 2 == 1 and prefix == 3) else p - beta
    return ellipticcurve.Point(curve, x, y)

P_target = decompress_pubkey(pubkey_bytes)

lower_bound = int("4000000000000000000000000000000000", 16)
upper_bound = int("7fffffffffffffffffffffffffffffffff", 16)
keyspace = upper_bound - lower_bound

# === LOGGING ===
os.makedirs(LOG_DIR, exist_ok=True)
log_lock = threading.Lock()

def log_progress(message):
    with log_lock:
        with open(PROGRESS_LOG, "a") as f:
            f.write(message + "\n")
        print(message)

def log_match(scalar_hex):
    with log_lock:
        with open(MATCH_LOG, "a") as f:
            f.write(scalar_hex + "\n")
        print(f"[MATCH FOUND] {scalar_hex}")

# === STEP TABLE ===
def generate_step_table(n=256):
    cp.random.seed(42)
    return cp.array(cp.random.randint(1 << 12, 1 << 20, size=(n, 3), dtype=cp.uint64))

def step_function_sota(P, table):
    h = int(hashlib.sha256(P.x().to_bytes(32, 'big') + P.y().to_bytes(32, 'big')).hexdigest(), 16)
    idx = h % table.shape[0]
    steps = table[idx]
    s1, s2, s3 = int(steps[0]), int(steps[1]), int(steps[2])
    total = s1 + s2 + s3
    direction = h & 1  # 50/50 split for forward/inverse

    jump = s1 * G + s2 * G + s3 * G
    if USE_SOTA_PLUS and direction == 1:
        jump = ellipticcurve.Point(curve, jump.x(), (-jump.y()) % p)
        total = -total % order
    return total, jump

# === WALK ===
def kangaroo_walk(start_scalar, start_point, table, max_iters=500000):
    X = start_point
    a = start_scalar
    visited = {}

    for _ in range(max_iters):
        s, sG = step_function_sota(X, table)
        X = X + sG
        a = (a + s) % order
        if (X.x() & ((1 << 20) - 1)) == 0:
            key = (X.x(), X.y())
            if key in visited:
                return visited[key], a, key
            visited[key] = a
    return None, a, None

# === THREAD WORKER ===
def kangaroo_worker(proc_id, start_base, step_table):
    threads = []

    def thread_func(thread_id, thread_offset):
        batch_start = start_base + thread_offset * BATCH_SIZE
        batch_end = min(batch_start + BATCH_SIZE, upper_bound)
        secret_scalar = batch_start
        wild_point = secret_scalar * G
        _, wild_a, wild_key = kangaroo_walk(0, wild_point, step_table)

        tame_point = upper_bound * G
        _, tame_a, tame_key = kangaroo_walk(upper_bound, tame_point, step_table)

        if tame_key and wild_key and tame_key == wild_key:
            recovered = (tame_a - wild_a) % order
            if recovered == secret_scalar:
                log_match(hex(recovered))
            else:
                log_progress(f"[Proc {proc_id}][Thread {thread_id}] Collision mismatch.")
        else:
            log_progress(f"[Proc {proc_id}][Thread {thread_id}] Range {hex(batch_start)} - {hex(batch_end)} complete.")

    for i in range(NUM_THREADS):
        t = threading.Thread(target=thread_func, args=(i, i))
        t.start()
        threads.append(t)
    for t in threads:
        t.join()

# === MULTIPROCESS CONTROL ===
def launch_processes(total_batches=5):
    step_table = generate_step_table()
    processes = []

    for i in range(total_batches):
        start = lower_bound + i * NUM_THREADS * BATCH_SIZE
        if start >= upper_bound:
            break
        p = multiprocessing.Process(target=kangaroo_worker, args=(i, start, step_table))
        p.start()
        processes.append(p)

    for p in processes:
        p.join()

# === START ===
if __name__ == "__main__":
    launch_processes(total_batches=5)