Search content
Sort by
Showing 20 of 147 results by RetiredCoder
Re: [CHALLENGE] 5 BTC Reward – ECDSA Structured Nonce k Puzzle (1M Signatures)
...
💰 Prize: 5 BTC
...
💰 Prize: 5 BTC
...
Dear newbie,
such a bold topic name, so many words, and exactly zero proofs of reward.
First of all, put 5BTC to the address of your pubkey to confirm that you have these 5BTC to pay for this challenge
This is how challenges work.
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
You also need to write 16 GB/s as well, since it's not a one-shot job. And there goes the 4090 max memory throughput.
So to compute even those minimum 250 MK/s, the first wall to pass is reading a file from disk at least at 8 GB/s, before even talking about GPUs and their memory bandwidth.
So to compute even those minimum 250 MK/s, the first wall to pass is reading a file from disk at least at 8 GB/s, before even talking about GPUs and their memory bandwidth.
Following this logic, you forgot to mention time required to write the list to the disk before reading, also time to prepare that list before writing to the disk
Well, ok, I just wanted to mention that there are some ways to calc random privkeys-to-pubkeys very quickly on GPU. Just a hint for those who are interested.
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
That's great and all, but I'm not sure your estimations fit the context of what you've quoted.
I'm well aware that there are a lot of optimizations for scalar multiplication, and it's great you have really fast code to do it in CUDA as fast as you state (which sounds miraculous in itself to be honest), but there's one thing you maybe missed: the private keys are not random, they're fed as input. Yeah, maybe redo the math after crawling private keys from GPU memory
Not sure why you had to bring smth from page 520 of that topic here though. It'd be much more interesting if you instead update us on 135 progress
I'm well aware that there are a lot of optimizations for scalar multiplication, and it's great you have really fast code to do it in CUDA as fast as you state (which sounds miraculous in itself to be honest), but there's one thing you maybe missed: the private keys are not random, they're fed as input. Yeah, maybe redo the math after crawling private keys from GPU memory
Not sure why you had to bring smth from page 520 of that topic here though. It'd be much more interesting if you instead update us on 135 progress
Yeah may be I missed some context, I did not check carefully. But anyway, reading 0.5GK/s privkeys is only 16GB/s which is almost nothing for 4090 bandwidth.
I don't read "blah-blah" thread (it's disgusting), but sometimes when I'm bored I read your messages because you have some skills
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
...
you will never get 250 MK/s on any GPU, by computing H160 out of some list of private keys.
...
you will never get 250 MK/s on any GPU, by computing H160 out of some list of private keys.
...
You just don't have enough experience in GPU coding or/and don't know about some efficient methods for EC scalar multiplication.
4090 can do >0.5GK/s at rndprivkey-to-h160, I can publish the code, just need to find some time to make my sources more readable to make them public.
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
Hello, my name is Jean from Venezuela, I live in Brazil and I speak Spanish, I'm new to this and I saw that you have discovered the key to puzzle 69, I'm trying to test this but everyone is talking and fighting and I really don't understand, I like to try with the keyhunt options and try with gpt chat to create a script by python, I'm not a computer scientist or mathematician, in fact I use a google translator, could you help me with an approach to test in any other puzzle? any clue, a code snippet and I would try to search something or create something with AI because I'm not a programmer, I would appreciate it, the last thing I tried is a script that apparently filters 75% of the keys and does a partial comparison between hashes and I think it's a good approach but without a little clue as to how the ranges could be reduced or a different approach it is really almost impossible for me because I don't know much but if you explain it to me I understand, if you could help me with something I would appreciate it, congratulations on your achievement
Great.
I did not solve #69. Moreover, I never searched for low-level puzzles and I'm not going to do it in the future.
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
⭐ Merited by kTimesG (1)
@RetiredCoder, How true is this?
This fight with random values is tremendous, especially with the sources, so I support it as I can! The answer is too boring as I said before, google gambler’s fallacy and Bayes' theorem if you are a nerd.
But instead of reading silly books, let's have some fun and write another 100 pages in "blah-blah" thread!
Re: Probabilistic search of prefixes vs random+sequential
Hey, don't spoil the fun with your balls!
Re: Probabilistic search of prefixes vs random+sequential
What if we have limited resources and can scan only part of range, for example, only 10%?
Difference becomes even more obvious.
Here is modified script:
Difference becomes even more obvious.
Here is modified script:
Code:
import hashlib
import random
import time
# Configuration
TOTAL_SIZE = 100000
RANGE_SIZE = 4096
PREFIX_LENGTH = 3
SIMULATIONS = 2000
SECP256K1_ORDER = int("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)
print(f"""
=== Configuration ===
Total numbers: {TOTAL_SIZE:,}
Block size: {RANGE_SIZE:,}
Prefix: {PREFIX_LENGTH} characters (16^{PREFIX_LENGTH} combinations)
Simulations: {SIMULATIONS}
secp256k1 Order: {SECP256K1_ORDER}
""")
def generate_h160(data):
h = hashlib.new('ripemd160', str(data).encode('utf-8'))
return h.hexdigest()
def shuffled_range(n):
arr = list(range(n + 1))
random.shuffle(arr)
return arr
def sequential_search(dataset, block, target_hash, order, max_iters):
checks = 0
for idx in order:
start = idx * block
end = start + block
for i in range(start, end):
checks += 1
if checks > max_iters:
return {"checks": TOTAL_SIZE, "found": False}
if generate_h160(dataset[i]) == target_hash:
return {"checks": checks, "found": True}
return {"checks": checks, "found": False}
def precise_search(dataset, block, prefix, target_hash, order, max_iters):
prefix_hash = target_hash[:prefix]
checks = 0
ranges = []
for idx in order:
start = idx * block
end = start + block
found_prefix = False
for i in range(start, end):
checks += 1
if checks > max_iters:
return {"checks": TOTAL_SIZE, "found": False}
h = generate_h160(dataset[i])
if h == target_hash:
return {"checks": checks, "found": True}
if not found_prefix and h.startswith(prefix_hash):
found_prefix = True
ranges.append({"start": i + 1, "end": end})
break
for r in ranges:
for i in range(r["end"] - 1, r["start"] - 1, -1):
checks += 1
if checks > max_iters:
return {"checks": TOTAL_SIZE, "found": False}
if generate_h160(dataset[i]) == target_hash:
return {"checks": checks, "found": True}
return {"checks": checks, "found": False}
def compare_methods():
results = {
"sequential": {"wins": 0, "total_checks": 0, "total_time": 0},
"precise": {"wins": 0, "total_checks": 0, "total_time": 0},
"ties": 0
}
for i in range(SIMULATIONS):
max_range = SECP256K1_ORDER - TOTAL_SIZE - 1
random_offset = random.randrange(max_range)
R = 1 + random_offset
dataset = [R + i for i in range(TOTAL_SIZE)]
target_num = random.choice(dataset)
target_hash = generate_h160(target_num)
blocks = TOTAL_SIZE // RANGE_SIZE
order = shuffled_range(blocks - 1)
#for test here we can scan only small part of range
max_iters = TOTAL_SIZE / 10
start_time = time.perf_counter()
seq_result = sequential_search(dataset, RANGE_SIZE, target_hash, order, max_iters)
end_time = time.perf_counter()
seq_time = end_time - start_time
start_time = time.perf_counter()
pre_result = precise_search(dataset, RANGE_SIZE, PREFIX_LENGTH, target_hash, order, max_iters)
end_time = time.perf_counter()
pre_time = end_time - start_time
if seq_result["found"]:
results["sequential"]["total_checks"] += seq_result["checks"]
results["sequential"]["total_time"] += seq_time
if pre_result["found"]:
results["precise"]["total_checks"] += pre_result["checks"]
results["precise"]["total_time"] += pre_time
if seq_result["checks"] < pre_result["checks"]:
results["sequential"]["wins"] += 1
elif seq_result["checks"] > pre_result["checks"]:
results["precise"]["wins"] += 1
else:
results["ties"] += 1
print(f"Simulation {i + 1}: Sequential = {seq_result['checks']} checks in {seq_time:.6f}s | Prefix = {pre_result['checks']} checks in {pre_time:.6f}s")
avg_success_rate_sequential = (results["sequential"]["total_checks"] / results["sequential"]["wins"]
if results["sequential"]["wins"] > 0 else float('inf'))
avg_success_rate_precise = (results["precise"]["total_checks"] / results["precise"]["wins"]
if results["precise"]["wins"] > 0 else float('inf'))
avg_time_sequential = (results["sequential"]["total_time"] / results["sequential"]["wins"]
if results["sequential"]["wins"] > 0 else float('inf'))
avg_time_precise = (results["precise"]["total_time"] / results["precise"]["wins"]
if results["precise"]["wins"] > 0 else float('inf'))
print(f"""
=== FINAL RESULTS ===
Wins:
Sequential: {results['sequential']['wins']}
Prefix: {results['precise']['wins']}
Ties+Fails: {results['ties']}
Total Checks:
Sequential: {results['sequential']['total_checks']}
Prefix: {results['precise']['total_checks']}
Total Time:
Sequential: {results['sequential']['total_time']:.6f} seconds
Prefix: {results['precise']['total_time']:.6f} seconds
Averages (Total Time / Wins):
Sequential : {avg_time_sequential:.6f} seconds/victory
Prefix : {avg_time_precise:.6f} seconds/victory
Checks per Win:
Sequential : {avg_success_rate_sequential:.2f} checks/win
Prefix : {avg_success_rate_precise:.2f} checks/win
""")
if __name__ == '__main__':
compare_methods()
Code:
=== FINAL RESULTS ===
Wins:
Sequential: 56
Prefix: 128
Ties+Fails: 1816
Re: Probabilistic search of prefixes vs random+sequential
Yeah, finally I see something interesting here instead of endless blah-blah from people who think that they know everything, have >100 years of expertise etc.
To scan entire range (to get 100% probability of success), your method requires same number of ops as bruteforce (so it does not break any math laws), but it has better changes to find the key faster than bruteforce because it has non-linear probability of success (higher at the beginning and lower at the end comparing to bruteforce). Nice!
I think results can be improved a bit by using more complex logic, but your script demonstrates the main idea very well.
Thanks for the fun! I donated some btc to your address.
To scan entire range (to get 100% probability of success), your method requires same number of ops as bruteforce (so it does not break any math laws), but it has better changes to find the key faster than bruteforce because it has non-linear probability of success (higher at the beginning and lower at the end comparing to bruteforce). Nice!
I think results can be improved a bit by using more complex logic, but your script demonstrates the main idea very well.
Thanks for the fun!
I donated some btc to your address.Here's how I made it:
Correct!
We just need to use Scale = 1 | (2 << 64) | (3 << 128) | (4 << 192).
There are two ways:
1. Scale G: G' = G * Scale
or
2. Scale PubKey: PubKey' = PubKey / Scale.
And then use kangaroo or bsgs. Very easy!
Congrats to the winner!
Yes please!
Solved it!
Thank you RetiredCoder for the puzzle, a few more and I can buy a brand new rtx 5090
Should I also put how I managed to solve it?
Thank you RetiredCoder for the puzzle, a few more and I can buy a brand new rtx 5090
Should I also put how I managed to solve it?
Yes please!
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
Congratulations on the 100 merits! What did you say you would do when you got here to celebrate? A mini puzzle or something else?
Sure!
https://bitcointalk.org/index.php?topic=5538285
Guys, let's have some fun again, I have one more mini-puzzle for you
There is 0.01 BTC on that address, so hurry up!
03150992937967192EBCD2539E5A949689AC69E6458F9178E7251356FFE079B7F0
Hint: private key is ABCD
where A (lowest bits of privkey) - some 64bit value
B = 2*A
C = 3*A
D = 4*A
PS. No BS here please, I will remove it.
PPS. For history, previous mini-puzzle is here: https://bitcointalk.org/index.php?topic=5526453
There is 0.01 BTC on that address, so hurry up!
03150992937967192EBCD2539E5A949689AC69E6458F9178E7251356FFE079B7F0
Hint: private key is ABCD
where A (lowest bits of privkey) - some 64bit value
B = 2*A
C = 3*A
D = 4*A
PS. No BS here please, I will remove it.
PPS. For history, previous mini-puzzle is here: https://bitcointalk.org/index.php?topic=5526453
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
So my question is, how are the starting points for those Kangaroos created or selected?
Random, within some interval. For SOTA, these intervals are shown on the diagram on this page:
https://github.com/RetiredC/Kang-1
Therefore the rest of your assumptions are incorrect, learn sources to see how it works.
When huge number of kangaroos is used basically you can assume that you use birthday paradox to find a collision.
Re: == Bitcoin challenge transaction: ~1000 BTC total bounty to solvers! ==UPDATED==
We've completed a quick analysis of challenge 68, specifically the hex value bebb3940cd0fc1491. This entry was not found in our database ...
That's all you need to know about any attempts to find a random value faster
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
I have been studying the puzzles for a year now. I was able to comunicate with professor Teske and professor Galbraith, they both worked with professor Pollard, and pointed me in the right direction. I have some questions and some original ideas about the pollard methods.
I understand that you use a base magnitude for the jumps and add a random portion to make the jumps, in a different way for each of the 3 heards, I will study this in detail.
It seems you don't know how it works even after a year. The jump table is the same for all herds, otherwise it won't work.
I'm not able to find an implementation for batch inversion on your code, do you use batch inversion to speed up the computation of the inverses? I understand that in the Classic Pollard method, you can use this approach, computing the next point for a group kangaroo paths. This will make the cost for one inversion only 3 - 4 multiplications? Is that correct?
For CPU code I don't use batch inversion because I tried to make the code as simple as possible. That code demonstrates various methods for ECDLP and loop handling, not optimizations.
For RCKangaroo I use batch inversion, check its CUDA sources.
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
From my experience, 64 jumps are better than 32 by about 2%, so better use 64 when possible. For symmetry methods you need at least 256 jumps.
Your idea is to have 2^32 jumps, right? It will take 240GB of RAM, so not suitable for GPUs. The end, sorry.
Thank's for your answer.I have other question:
I have studied bitcrack and kangaroo (From Jean-Luc Pons) in detail. In the Pollard method with only 2 heards, Pollard recommends using a jump formula of powers of 2. When I tried to understand the Van-Oorschot method of parallelization, I realized that if you double the amount of Kangaroos, you must double the jump size mean. This results in huge jumps for a big range and a big number of kangaroos if you use powers of 2. Do you recommend better selecting the jump size using random K's in a given interval?
Thanks
There are several ways to choose good jump sizes, I just use random sizes in some interval, check my sources for details. Also in my approach the average size of jumps does not depend on the number of kangs are used and it still works fine. There are not any known ways to improve K somehow by choosing jumps in some special way, all known good ways get same result, so it's not important what way to use.
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
May I ask how you came up with this remarkable approach?
It was an interesting task
SOTA method itself is based on classic 3-way and mirror methods with some adjustments about ranges for wilds and tames.
But for loops I had to examine them carefully to find a good and fast way to handle them.
Teske in her paper says it is ok to use 32 types of jumps to give enough randomness. What about using more jump types, let´s say 2**32 types of jumps?
From my experience, 64 jumps are better than 32 by about 2%, so better use 64 when possible. For symmetry methods you need at least 256 jumps.
Your idea is to have 2^32 jumps, right? it will take 240GB of RAM, so not suitable for at least GPUs. The end, sorry.
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
Ok, let's keep all our achievements secret, it will be a great progress for science
Take care, I will come back when something interesting happens, for example, if someone publishes a method with K lower than mine.
Take care, I will come back when something interesting happens, for example, if someone publishes a method with K lower than mine.
Re: Solving ECDLP with Kangaroos: Part 1 + 2 + RCKangaroo
The complexity doubles with every new range.
So count how many 4090s one needs to solve 135bits or 250-256bits ranges?
Kangaroo-wise solution will not do that. As of now there is no solution to do that.
So count how many 4090s one needs to solve 135bits or 250-256bits ranges?
Kangaroo-wise solution will not do that. As of now there is no solution to do that.
#135 takes about 5.6 more calculations than #130, so I think #135 is the last high puzzle that will be solved in this decade.
I will make public a solver that does at least 10.5 Gk/s on RTX 4090 by the end of this year. I believe I can make it reach 11 Gk/s by then. Combined with symmetry and 3-kang method, it will be at least as fast as RC's solver, per total, if not faster.
About zero code, may be people mean this your post where you promise to show something? It's ok that you changed your mind