Bitcoin puzzles are private keys with just a few unknown bits so that anyone can bruteforce them to collect a reward. Puzzle 66 contained 66 unknown bits and had 6.6 BTC deposited into it by the initial puzzle creator. The private key was 0x000000000000000000000000000000000000000000000002832ed74f2b5e35ee or 256 bits with mostly zeroes but 66 random ones.
The previous puzzle by order of difficulty was #64 (not #65, because see below) and was solved on 9/9/2022, so about 2 years ago. In other words, it took about 2 years of compute time to run the 2^66 bruteforcing task.
Puzzles that are multiples of 5 (#65 or #70) are special: they have twice the entropy. So private key #65 doesn't have 65 bits of entropy but 130 bits of entropy. And the creator of the puzzle intentionally published their public key on the blockchain. When you know the public key, bruteforcing the n-bit private key only requires 2^(n/2) work. So puzzle #65 with a 130-bit key actually requires bruteforcing up to only 2^65 keys.
This seems orthogonal to the concept. More efficiently than what?
Having the public key is easier than having an address because an address is the hash of a public key. So in order to crack an address, you must first find a public key that produces that address, and then find a private key corresponding to the public key.
n2d4 120 days ago [-]
More efficient than brute forcing a private key, as you would have to do when you don't have the public key.
Sure, finding a private key whose public key's hash is given might be 2x slower, but Pollard's rho algorithm is 2^128 times faster.
Asymptotically, an additional hash at the end doesn't matter when you brute force. But it prevents you from using Pollard's rho algorithm, which does make a difference asymptotically.
CamperBob2 121 days ago [-]
These keys are based on elliptic curves rather than products of primes, aren't they?
matthewdgreen 121 days ago [-]
There is one rho algorithm for discrete logarithms and one for factoring. Published three years apart.
sltkr 121 days ago [-]
Neither of which helps with elliptic curve cryptography.
n2d4 121 days ago [-]
Pollard's rho algorithm can be applied to not just numbers but any cyclic group, which secp256k1 (the elliptic curve used by Bitcoin) is.
arcastroe 121 days ago [-]
the problem of finding discrete logarithms is the same problem as breaking elliptic curve cryptography.
GTP 121 days ago [-]
Technically, while the two problems share the same name, the one on elliptic curves is mathematically different from the one over finite fields modulo a prime number.
AnotherGoodName 121 days ago [-]
I politely don’t understand this. It’s taught in cryptography 101 that breaking ecc is just solving the discrete logarithm problem and there’s a ton of online articles about how to break ecc if you’ve solved the discrete logarithm problem (not that anyone has).
AlexCoventry 119 days ago [-]
There's a family of discrete logarithm problems, one for each representation of a group. (Where I mean "representation" in the usual sense, not the precise mathematical one. It's an important distinction because the secp256k1 group, for instance, is isomorphic to all cyclic groups of the same order, but the discrete logarithm problem on secp256k1 is harder than the additive group on Z/<order of secp256k1>Z, because the isomorphism is computationally intractable.) So there isn't simply one monolithic discrete logarithm problem.
GTP 121 days ago [-]
It's indeed called the discrete logarithm problem both in the case of finite fields modulo some number and elliptic curves modulo a number. In the first case, you are reversing an exponentiation, so you're indeed computing a logarithm. But in the case of elliptic curves you're not dealing with exponentiation, you're instead reversing the multiplication of a curve element (i.e. a point) by a scalar. The two problems (and the way you solve them) look similar in the end, and I think this is why we ended up using the same name. But, if we nitpick, those are different operations and so the two problems are different, despite the similarities.
Note for cryptographers/mathematicians: I know that "reversing" isn't the correct term here, so you could accuse me of the same sin I'm calling out in my previous comment. But it makes the explanation shorter while still conveying the correct meaning in the end.
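An added illustration (editor's example, not code from anyone in this thread) of the points made above: with the public key in hand the private key costs only about 2^(n/2) work, and the algorithm that gets you there, Pollard's rho, needs nothing from the group except its operation, so the same code runs on a multiplicative group mod p and on a curve with the secp256k1 equation y^2 = x^3 + 7. The group sizes (about 2^18 and 2^14), the helper names and the seed are the editor's choices; real keys are 2^128 times out of reach of this, which is exactly the thread's point. An address that only hashes the public key offers no group element to walk on, so only plain enumeration remains.

```python
import math
import random

def is_prime(n):
    """Trial division; fine for the ~2^18 sizes used here."""
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

class Group:
    """A cyclic group seen only through op, identity and a 3-way partition."""
    def __init__(self, op, identity, part):
        self.op, self.identity, self.part = op, identity, part

def mod_group(p):
    return Group(lambda a, b: a * b % p, 1, lambda a: a % 3)

def curve_group(p, a, b):
    """y^2 = x^3 + a x + b over F_p; points are (x, y), None is infinity."""
    def add(P, Q):
        if P is None or Q is None:
            return Q if P is None else P
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return None                                   # P + (-P)
        if P == Q:
            lam = (3 * P[0] ** 2 + a) * pow(2 * P[1], -1, p) % p
        else:
            lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
        x = (lam * lam - P[0] - Q[0]) % p
        return (x, (lam * (P[0] - x) - P[1]) % p)
    return Group(add, None, lambda P: 0 if P is None else P[0] % 3)

def power(grp, x, k):
    """Square-and-multiply (or double-and-add) built only on grp.op."""
    acc, base = grp.identity, x
    while k:
        if k & 1:
            acc = grp.op(acc, base)
        base, k = grp.op(base, base), k >> 1
    return acc

def pollard_rho_dlog(grp, g, h, n, rng):
    """Return (x, iterations) with power(grp, g, x) == h; n is the order of g.
    Every walk element is carried as g^a * h^b; when Floyd's tortoise and hare
    land on the same element, the two (a, b) pairs give x mod n.  O(sqrt n)."""
    def step(y, a, b):
        s = grp.part(y)
        if s == 0:
            return grp.op(y, h), a, (b + 1) % n
        if s == 1:
            return grp.op(y, y), 2 * a % n, 2 * b % n
        return grp.op(y, g), (a + 1) % n, b
    iters = 0
    while True:                                  # restart on a useless collision
        a, b = rng.randrange(n), rng.randrange(n)
        t = hr = (grp.op(power(grp, g, a), power(grp, h, b)), a, b)
        while True:
            t, hr, iters = step(*t), step(*step(*hr)), iters + 1
            if t[0] == hr[0]:
                break
        lhs, rhs = (hr[2] - t[2]) % n, (t[1] - hr[1]) % n   # lhs * x == rhs (mod n)
        d = math.gcd(lhs, n)
        if lhs == 0 or rhs % d:
            continue
        m = n // d
        x0 = rhs // d * pow(lhs // d, -1, m) % m
        for k in range(d):                       # d candidates when gcd(lhs, n) > 1
            if power(grp, g, x0 + k * m) == h:
                return x0 + k * m, iters

def mod_instance(lo, rng):
    """Safe prime p = 2q + 1 with q >= lo; g = 4 (a square) has order exactly q."""
    q = next(q for q in range(lo | 1, 2 * lo, 2)
             if is_prime(q) and is_prime(2 * q + 1))
    grp, x = mod_group(2 * q + 1), rng.randrange(1, q)
    return grp, 4, power(grp, 4, x), q, x

def curve_instance(lo, rng):
    """First prime p = 7 (mod 12) above lo for which y^2 = x^3 + 7 has a prime
    number of points n (counted directly): every point then has order n."""
    p, n = lo - lo % 12 + 7, 0
    while not (is_prime(p) and is_prime(n := 1 + sum(
            1 if r == 0 else 2 * (pow(r, (p - 1) // 2, p) == 1)
            for r in ((x ** 3 + 7) % p for x in range(p))))):
        p += 12
    x = next(x for x in range(1, p) if pow((x ** 3 + 7) % p, (p - 1) // 2, p) == 1)
    G = (x, pow((x ** 3 + 7) % p, (p + 1) // 4, p))   # p = 3 (mod 4): cheap sqrt
    crv, k = curve_group(p, 0, 7), rng.randrange(1, n)
    return crv, G, power(crv, G, k), n, k

def demo(seed=1):
    """Solve one instance per toy group; returns {name: (n, solved, iterations)}."""
    rng, out = random.Random(seed), {}
    for name, (grp, g, h, n, secret) in (("modp", mod_instance(1 << 18, rng)),
                                         ("curve", curve_instance(1 << 14, rng))):
        x, iters = pollard_rho_dlog(grp, g, h, n, rng)
        out[name] = (n, x == secret, iters)
    return out

if __name__ == "__main__":
    for name, (n, ok, iters) in demo().items():
        print(f"{name}: n={n} solved={ok} rho iterations={iters} sqrt(n)={math.isqrt(n)}")
```

Running it shows both groups solved after a few hundred to a couple of thousand walk steps, against the n/2 steps enumeration would average; the `Group` object is the whole abstraction, which is why the "exponentiation versus scalar multiplication" distinction changes nothing for this algorithm.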
mrb 121 days ago [-]
Yes, specifically secp256k1
keepamovin 121 days ago [-]
Wow, that thread is nuts. Scrolled up just a bit saw this.
My new public key search system is almost ready. I had to reinvent my binary database system because, although the database was lightweight https://bitcointalk.org/index.php?topic=5475626, I had efficiency issues with binary search. This is now a thing of the past. I have designed a system that stores 100 million public keys in an 80 KB file, yes, what you read 80KB!(in the future it will be smaller) that meets maximum efficiency. We would only be limited by the current speed of Secp256k1 when generating the 100 million or more public keys while creating the database. I am finishing designing the search script after months of being stuck due to personal issues, I am finally back on track.
I love these kind of mad inventor rabbit hole corners of the Internet. Kind of brings back the 90s for me when everything was exciting.
orf 121 days ago [-]
> This is now a thing of the past. I have designed a system that stores 100 million public keys in an 80 KB file
That’s 0.0064 bits per public key - so either there are lots of duplicates, or something is amiss here?
Edit: they don’t actually store the keys, so the quote is misleading.
bdamm 121 days ago [-]
Presumably there is a generator function that maps key IDs into actual keys that can be re-computed at will.
orf 121 days ago [-]
How could this work with less than 1 bit of data per key?
Assuming there are no duplicates, which is a sensible assumption, you’d need a minimum of 100,000,000 bits to store 100,000,000 unique entries larger than 1 bit with even a perfect hash function.
Dylan16807 120 days ago [-]
In general, when you're storing a list of numbers, there are many situations where you can go below 1 bit per number.
The easiest one to think about is storing the deltas between each number. Let's say 80% of your deltas are 5. If you use arithmetic encoding, then storing a 5 only takes about 1/3 of a bit. It's not hard to come up with probability distributions where the average amount of bits per entry is less than 1.
Also, back in the realm of perfect hashes, once you're more than half full it becomes more efficient to store the missing numbers. If your perfect hash has 100,003,000 possible outputs, then your worst case is around 50k unique entries. By the time you encounter 100k unique entries you only need to keep track of the 3000 you haven't seen yet.
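An added, runnable illustration of both arguments above (editor's example, not code from anyone in the thread, and not the bitcointalk poster's scheme): a set of 100,000 occupied slots out of 100,003 is stored by gamma-coding the gaps between the 3,000 empty ones, which lands well under one bit per present entry, and the entropy helper shows the arithmetic-coding case (a symbol with probability 0.8 costs about a third of a bit). The universe size, the 3,000 and the seed are constructed values chosen to scale down the numbers in the comment; the forum's 0.0064 bits per key is a much stronger claim than anything shown here.

```python
import math
import random

def gamma_encode(values):
    """Elias gamma code: v >= 1 becomes floor(log2 v) zeros followed by v in binary."""
    out = []
    for v in values:
        if v < 1:
            raise ValueError("gamma code needs positive integers")
        binary = bin(v)[2:]
        out.append("0" * (len(binary) - 1) + binary)
    return "".join(out)

def gamma_decode(bits):
    values, i = [], 0
    while i < len(bits):
        zeros = 0
        while bits[i + zeros] == "0":
            zeros += 1
        values.append(int(bits[i + zeros:i + 2 * zeros + 1], 2))
        i += 2 * zeros + 1
    return values

def encode_set(present, universe):
    """Store a subset of range(universe) as gamma-coded gaps of whichever is
    smaller, the subset or its complement; the leading bit says which."""
    present = sorted(present)
    missing = sorted(set(range(universe)).difference(present))
    store_missing = len(missing) < len(present)
    seq = missing if store_missing else present
    gaps = [b - a for a, b in zip([-1] + seq, seq)]      # every gap >= 1
    return ("1" if store_missing else "0") + gamma_encode(gaps)

def decode_set(bits, universe):
    seq, acc = [], -1
    for gap in gamma_decode(bits[1:]):
        acc += gap
        seq.append(acc)
    return sorted(set(range(universe)).difference(seq)) if bits[0] == "1" else seq

def entropy_bits(dist):
    """Shannon entropy in bits of {symbol: probability}: the bits per symbol an
    arithmetic coder approaches, each symbol costing -log2 p."""
    return -sum(p * math.log2(p) for p in dist.values() if p)

def demo(seed=42):
    """Constructed data: 100,000 of 100,003 slots occupied, so the 3,000 empty
    ones get stored instead.  Returns measured and ideal costs in bits."""
    rng, universe = random.Random(seed), 100_003
    missing = rng.sample(range(universe), 3_000)
    present = sorted(set(range(universe)).difference(missing))
    bits = encode_set(present, universe)
    if decode_set(bits, universe) != present:
        raise AssertionError("round trip failed")
    return {"bits_per_present_entry": len(bits) / len(present),
            "delta_entropy_bits": entropy_bits({5: 0.8, 4: 0.1, 6: 0.1}),
            "cost_of_a_5_bits": -math.log2(0.8)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:.4f}")
```

The round trip through `decode_set` is what makes the count honest: the bit string really does identify all 100,000 entries, at roughly 0.3 bits each, because the information is in which slots are empty, not in the keys themselves.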
orf 119 days ago [-]
Thank you for taking the time to explain this - it makes sense, and it’s interesting to invert the problem by storing missing numbers.
CalRobert 121 days ago [-]
Maybe storing ranges or similar
orf 120 days ago [-]
Assuming no duplicates, the only case that would make sense would be if all but a single byte was different (sequentially across all records). Even then you’d end up with more than the number of bytes we’re talking about, even excluding the size of the index (which would be non-trivial).
keepamovin 120 days ago [-]
Why don’t you just read what the guy said by following the links in the forum? Surely, you can find more explanation there that will answer some of your questions? Hahaha! :)
Dylan16807 120 days ago [-]
His thing has collisions, so it answers none of the questions.
Also they already did follow the link. That's why they said "they don’t actually store the keys, so the quote is misleading", which you responded to with a laugh and nothing else. And that happened many hours before you made this new comment.
keepamovin 119 days ago [-]
Heh, yeah. "Store" can have multiple meanings.
I'm not sure that guy really understood what was going on. If he'd followed the links he would've found the code. Or at least a technical description. So why need to play dumb and ask here, while trying to control the discussion?
I don't like that kind of thing. If you're okay with it, alright. But that's not me.
keepamovin 121 days ago [-]
“That quote is misleading” Hahaha! :)
mapt 122 days ago [-]
Am I correct in assuming that beyond a certain point, this is basically an existence proof for somebody having a quantum-supreme solution to Shor's Algorithm?
"Here's $400,000 sitting on the table, hope nobody takes it" which triggers an alarm telling us to replace all our old prequantum cryptography.
Maken 122 days ago [-]
If anyone developed a solution to integer factorization, I'm sure they would be after larger prices than mere 400k in crypto. A practical application of this puzzle could be to have an estimation of how long it takes to break a public key by conventional means. The moment one of these prices can be claimed in mere months you know it's time to double the size of the Bitcoin public keys.
mapt 122 days ago [-]
If you want to prove that somebody has the ability to pick locks in order to protect your valuables, you leave the prize sitting on the kitchen table (at 66 bits of entropy) behind your relatively easy front door lock, not in a secure vault with triple redundant mechanisms. Somebody with the solution is going to be able to claim the money in far, far less computing time than they could claim a larger prize by breaking industry standard prequantum key sizes.
The $400,000 is an inducement for any participant in that engineering effort to break the conspiracy and take the bag. It's effective during the period between the time that a quantum Shor's solver has been achieved for a given algorithm in theory for 256 bits (and in practice for 66 bits), and the time that a practical solution at 256 bits has been implemented.
anothernewdude 121 days ago [-]
Except they don't need to take it now, just before anyone else does.
mapt 121 days ago [-]
Let's say a given intelligence agency's quantum computing efforts have Shor working for 16 bit keys in 2025, for 64 bit keys in 2028, for 128 bit keys in 2033, and for 256 bit keys in 2038. Let's say competing intelligence agencies are 1-3 years behind. Let's say we make it to Puzzle 69 over the next four years. Nice.
I don't know how plausible that timeline is either in spacing or accuracy.
Sometime in early 2029, a bunch of people suddenly find that they're eligible for a $400,000 cash prize if they manage to secretly steal a bit of time on a working quantum computer. In 2030, that group of people doubles, and incorporates a new agency with its own security weaknesses. By 2031 we're talking about four separate countries with their own engineers that have managed to achieve the capability to claim that cash prize. Private corporations are somewhere on the horizon. Very soon this becomes an urgent imperative to anyone inclined, because the prize, like cash, disappears the moment that somebody else seizes it.
It's hard to keep conspiracies, particularly with a verifiable open offer of large amounts of highly portable money on the table to the first person to reveal secrets, and a gradually widening circle of access. The gradually expanding circle of access is what ensures we get some kind of alarm LONG before 2038. Keeping that secret to even 2033 requires hundreds of people and four agencies with diverse motivation and values to consistently turn down cash money for years on end in the interest of keeping their quantum capabilities hidden from the world.
EGreg 121 days ago [-]
In other words, anyone else with access to the same computing power, and part of the conspiracy
owlstuffing 121 days ago [-]
"access"
oniony 121 days ago [-]
Except your analogy doesn't work because every single bitcoin address has the same brand of lock.
kemitche 121 days ago [-]
Based on the other comments, is that true? The top comment here implied that the puzzle explicitly had a private key with all 0s except for 66 bits, so that lock was definitely weaker than a key with all bits unknown, right?
beepbooptheory 121 days ago [-]
Each key is a brand in the analogy.
GTP 121 days ago [-]
Why should the analogy consider each key as a different brand of lock? Each key needs to be cracked separately, but you can use the same method for all of them (assuming one finds a general method and not one based on some property that only a subset of the keys has). So it should be akin to locks of the same brand, using different keys to open them. But that, being of the same brand, can be picked in the same way.
michaelmior 121 days ago [-]
Perhaps each key is not a different brand, but given that the puzzle had only 66 known bits, it seems equivalent to knowing what some of the cuts are on a physical key.
avodonosov 121 days ago [-]
What larger prices (or prizes) do you mean?
I just think maybe public key crypto is not broken so far because there is no motivation for enough people to work on that. What would one get, without endangering himself, if he breaks integer factorization?
n2d4 122 days ago [-]
Or someone "just" finding a fault in the cryptographic algorithms used in Bitcoin. Or whoever created the puzzles leaking their information.
sigmoid10 122 days ago [-]
>Or whoever created the puzzles leaking their information.
Or getting hacked. This is super common among people who are known to have high value wallets. Between physical attacks and zero days in everyday software, there's no chance to stay safe when you put that kind of target on your back.
Powdering7082 122 days ago [-]
> there's no chance to stay safe when you put that kind of target on your back.
Vitalik Buterin seems to be a counterexample here; his net worth peaked around $1.46 billion. He has some interesting writing on how he stays secure. At one point the SHIBA token sent a huge amount of funds to his cold wallet and he details what he did to securely access those funds:
> The funds, he said, were initially in a cold wallet in the form of two numbers written on separate pieces of paper. Buterin said he had to combine the two numbers to get the private key. "One of those numbers was with me; the other number was with my family in Canada," he said. "So I had to call up my family in Canada and tell them to read their number to me."
> Buterin said that he entered the numbers into the computer he purchased from Target after putting the two numbers together. "I sent my ETH out by generating a transaction and then on a computer that I bought from Tarjay [Target] for about $300 bucks for just this purpose."
> Before disconnecting the laptop from the internet entirely, Buterin said he downloaded a program to generate QR codes. After generating the Ethereum transaction, he scanned the QR code with his phone, copied it to the laptop, and then put it into etherscan.io/push Tx. Finally, Buterin said he began sending out the tokens.
LikesPwsh 122 days ago [-]
Vitalik got indirectly pwned by the infamous DAO smart contract hack, but had the social clout to pause/rollback the supposedly decentralised/immutable Blockchain.
Maybe not the best example of cryptographic security.
vessenes 121 days ago [-]
This is not an accurate summary of what happened with TheDAO. Source: I publicized the attack vector for TheDAO here on HN.
TacticalCoder 121 days ago [-]
> ... but had the social clout to pause/rollback the supposedly decentralised/immutable Blockchain
Vitalik (and all DAO ETH hodlers) luckboxed in that the ETHs locked in the DAO, although "stolen", couldn't be withdrawn by the attacker before a few weeks.
There has been zero pause and zero rollback. Most people don't understand that: by chance the stolen funds were inaccessible to the attacker for a few weeks.
What Vitalik did is he forked (soft fork) the ETH blockchain to modify the rules. That soft fork happened before the cooldown period expired, so the attacker never got to access his funds.
Some members of the community said "adding new rules is against the spirit of decentralization, so we keep using the old chain". The old chain was named "Ethereum classic" while the forked chain kept the name "Ethereum".
But there's been no rollback.
idiotsecant 121 days ago [-]
Vitalik didn't roll back the chain. The entire community agreed that it was the correct thing to do and did it. That's how consensus mechanisms work. This was easier then because the community was tiny. It would be impossible now.
The proof of this is that some people didn't agree with undoing that transaction. They stayed on the old chain, which is now worthless.
This is such a boring and widely known story now, but it has to come up literally any time someone wants to play crypto tribalism.
refulgentis 121 days ago [-]
I was going to write a more indirect response by way of analogy, but it got too unwieldy. TL;DR: I was predisposed to taking the position you are advocating for, but this argument is incredibly weak while demonstrating the problem, to the point it made me wonder about my own priors. Shape-shifts from "this was totally fine and normal" to "but totally couldn't do it today" to "and guess what, the people who didn't want to rollback went to 0" to "boring story" to "crypto tribalism", whatever that has to do with anything in this context.
idiotsecant 120 days ago [-]
That's what it means to have two chains. One chain undid the transaction. One did not. Do I really need to explain this? Both things happened because there are 2 chains. Only one of them is worth something but they both exist.
refulgentis 120 days ago [-]
I think you got too spun up by the evil They you usually hear talking about this: whatever you're saying here sounds obvious.
The reason why people got confused with your comment is because, e.g., you purport it was fine, it can never happen again, and everyone who didn't agree went to 0.
Lot of tensions between those things.
We also understand how one person could have those views and even steelman it into something intellectually consistent. But then the post seems really off because it's sort of a rushed, poor, justification for why you believe something, coupled to bemoaning some sort of unrelated group none of us are privy to.
cataphract 121 days ago [-]
Yeah, it's strange, the first paragraph seems to just say he didn't roll it back alone, it was a consensus thing, and then the second says actually it wasn't even rolled back because other people kept using the old chain (and somehow this "proves" what was said in the 1st place).
pas 121 days ago [-]
how would anything ever be immutable if people can reassign the symbol/pointer/name?
the DAO hack happened, immutably, no one disputes it. the hashes and blocks and transactions are well-known. so there was a "schism", that explicitly validates the fact that without this large-scale cooperation, without the redefinition of what Ethereum is, it would still be what is on that other branch. these both provide evidence for the immutability and decentralization.
pcthrowaway 121 days ago [-]
The version of Ethereum after the hack became known as Ethereum Classic. The Ethereum foundation decided to go with a fork of the chain prior to the hack, and pretty much all the devs and the community followed. The value of Ethereum is entirely derived from what people are willing to pay for it, and community is a big part of that. The version of Ethereum which underwent the attack didn't cease to exist, and people can still use it; it's just called "Ethereum classic" now, whereas people who want to use the version of the chain that didn't suffer from the hack can use that version (generally understood to be "Ethereum").
The fact that there are far fewer users of Ethereum Classic (and the market cap is significantly lower) is a testament to how much people care about the community which chose to follow a different history of the Ethereum network.
bhaak 121 days ago [-]
Small nitpick. In both chains the attack happened.
But in one chain the whole community decided to disown the attacker by injecting hard coded transactions that would send the Ethers back to their original owners.
akoboldfrying 121 days ago [-]
It wasn't a rollback in much the same way that UPDATEing a row in an MVCC database doesn't actually overwrite that row, it just creates a new version of it that becomes the version that people tend to care about from that point on.
Powdering7082 121 days ago [-]
> Vitalik got indirectly pwned
How exactly was Vitalik "indirectly pwned"?
LikesPwsh 118 days ago [-]
Personal assets in The DAO
Scoundreller 121 days ago [-]
Is this basically saying he sent all the ETH out of his "account" (presumably to another one that was pre-generated & pre-shared half the private key with his family), so that it just had the Shiba tokens left in it?
Then he didn't have to worry about the Shiba related transactions affecting his ETH?
Powdering7082 121 days ago [-]
Unfortunately I couldn't find a better writeup, although I remember it.
He didn't want to have the signal be that he was happy holding SHIBA and was uncomfortable with that much power & control over SHIBA. So he wanted to be able to transfer his SHIBA out to a hot wallet and then burn most of it and donate the rest. Given the amount of money involved he took extra steps like buying a new computer to generate the new keys, airgapping it from the internet while it held the cold wallet keys, etc.
EGreg 121 days ago [-]
I recommend to everyone to take their 12 words, write them 3 times on a piece of paper, cut it into 9 pieces and hide them in places only you’d know
bhaak 121 days ago [-]
So nobody will be able to recover them if you are hit by a bus or develop dementia?
This problem is harder if you want to pass on your crypto after you can't use them anymore.
EGreg 120 days ago [-]
That's exactly right
If you want to enable recovery, you should give ownership of things to smart contracts, which enable things like succession rules and a heartbeat checkin etc.
Public/private keys are not designed to solve that kind of governance problem.
evilfred 121 days ago [-]
or just use a more user friendly and accessible currency and banking system
mistrial9 121 days ago [-]
Target stores were early adopters of every-shopper profiling. Target has cameras on the purchase area, and has been known to refuse cash.
meowster 121 days ago [-]
I've heard about Target's tracking from reputable sources, but never of them refusing to take cash. Do you have a reputable source for that?
mistrial9 121 days ago [-]
yes, in California, City of Albany, Target store near San Francisco, refused to take cash at the checkout not long ago.
14 121 days ago [-]
I saw a few places stop accepting cash during covid days but most have started accepting it again. The one place that I frequent that still doesn’t is the haircut store in my town. There are not a lot of options so it’s card or go somewhere that charges almost double.
sfn42 120 days ago [-]
What's weird to me is that you guys frame it as a bad thing. For me as a European it's the opposite, I'm in trouble if someone doesn't take card. Nobody carries cash any more.
I think pretty much all stores still accept cash, but most people here just never withdraw any. It's pretty much just old people and people buying illegal stuff
14 117 days ago [-]
What you deem illegal may not be the next day. Being able to do illegal things is actually healthy for a society. Otherwise we already have the technology to stop all crimes world wide. We could force every person to wear a body cam at all times and failure to do so results in life in prison. Done, crime solved. But that would not be good, no one wants that. But if we did stop every crime imagine how the world would be. Imagine 60 years ago we could stop all crime. Any homosexual would be found and persecuted. Anyone who became a whistleblower would be found and jailed. There are just so many reasons why being able to break the law is fundamental for a society to progress and thrive.
So this is why cash IS a good thing. Sex workers want to do their thing and Johns want to not be instantly called out for using sex workers. The people who long ago realized magic mushrooms work to cure depression want to be able to get it without being jailed. Now, here in Canada, sex work is protected and magic mushrooms will not get you thrown in jail.
So even though you may deem things illegal, I ask you think of a greater good that cash allows, as everything being digital reveals a lot of information that not all people are comfortable with their government knowing. Be it homosexuals, depressed people trying illicit treatments, or extremely lonely discarded individuals reaching out to sex workers versus suicide.
Lastly, according to a quick Google search and a few spots I looked at, most only showing 2022 as latest information, most point of sale transactions in Europe are made with cash not card [1].
[1] https://www.statista.com/statistics/786680/share-of-cash-tra...
sfn42 117 days ago [-]
Just for the record I don't condemn victimless crimes. I'm fine with willing sex workers and I'm fine with drugs. As far as I'm concerned, alcohol is worse than most illegal drugs, and most of the harm from most illegal drugs comes from their illegal status not the drugs themselves. If it was up to me I'd legalize everything. You want to buy heroin just take a mandatory safety class explaining safe use, then go buy it at the pharmacy. People can get it either way, might as well get clean and taxed stuff. I realize that's probably not entirely realistic but that's my opinion anyway. Especially for lighter stuff, heroin and meth might be the exceptions but again, anyone can buy it whenever so honestly I don't see why they shouldn't be able to do it at a pharmacy.
And in northern Europe, pretty much nobody uses cash. In the rest of Europe, at least the places I've been, pretty much every store accepts card and often other digital payment methods.
I don't doubt your statistics, just stating my experience. I just think it's strange that people prefer cash for legitimate purchases. I definitely want cash to stay around, but these days we can use crypto for illegal stuff anyway so it's not really a big deal.
lobocinza 115 days ago [-]
Cash is superior to crypto for anonymity and most people have it, know how to use it and accept it. Bitcoin and the majority of other coins will leave a permanent trail which can be easily associated to the person due to KYC policies and onchain analysis firms. Sure there are privacy coins like Monero but they aren't trivial to acquire without KYC and to find someone that accepts it. So I'm happy that people still use cash despite not doing anything illegal (or immoral) and mostly making payments with card and instant payments.
rsynnott 121 days ago [-]
Was this refusal of a normal cash transaction, or something silly (unreasonably large transaction/transaction all in one cent coins/transaction which would raise money laundering alarms etc)? Like, if you try to pay 10,000 dollars in cash, or, say, buy a stack of prepaid debit cards with cash, most places are going to be sceptical of that.
mistrial9 121 days ago [-]
a small shopping trip with ordinary items totaling less than thirty dollars, actually. Many places of various kinds in California are not accepting cash today - San Francisco passed local law to require accepting cash as one result.
owl57 122 days ago [-]
Is it likely that these particular private keys were wiped ~immediately after creation?
scotty79 121 days ago [-]
I don't think they kept private keys because why would they if their intentions were to give the money away not just dangle it briefly.
TrapLord_Rhodo 121 days ago [-]
That's all bitcoin is...
If someone had a quantum-supreme solution they would go after the Satoshi wallets. Some addresses have like $1B+ and combined represent ~$200B.
alex_duf 121 days ago [-]
But touch that $1B+ wallet and suddenly nothing is worth anything... so if I had the capability to silently steal money from the bitcoin blockchain, I would go slow, and in discrete places.
TrapLord_Rhodo 120 days ago [-]
Satoshi wallets awaken all the time, and transfer to different wallets and go to sleep for years again.
Granted, moving a Satoshi-era wallet to a Coinbase wallet would raise red flags, but those sized deals are done OTC.
Scramblejams 121 days ago [-]
Coin ignorant here: Why would it not be worth anything?
BlarfMcFlarf 121 days ago [-]
All transactions are publicly visible, so everyone would know that it was now possible for someone to take bitcoins from people. Value depends on resale. Why would anyone ever buy a bitcoin or accept payment with them if they can just disappear at any time?
Scramblejams 121 days ago [-]
Ah, I read it too fast and missed the theft context regarding Satoshi's wallet. Thanks. Part of me hopes that in the not-too-distant future Satoshi will do a tiny transaction on his wallet just so all the speculation ramps up again and we get another wave of entertainment.
julianeon 121 days ago [-]
If that's the problem, you just say "this person had lax security" or "their computer was compromised." In the absence of real proof that will be the default expectation anyway.
buzzert 120 days ago [-]
I think the other factor to consider is that once you try to sell $200B worth of Bitcoin, the value of Bitcoin suddenly drops to near zero (due to supply/demand).
mikhailfranco 120 days ago [-]
Which is also why all those company market caps you see quoted everywhere are totally ridiculous. A company is not worth the latest price of a small share transaction multiplied by all the outstanding shares.
Dylan16807 120 days ago [-]
There's enough depth in the stock market to make company market caps pretty real. If you had a big chunk of a company, you could sell it for close to the trading price. I'd be shocked if you couldn't get half, as a nice round example number.
I would not be shocked if trying to sell $200B in bitcoin gets you far less than half.
red_admiral 122 days ago [-]
Or some other number-theoretic advance that is significantly below exponential time on the particular type of field or curve being used.
The reason that we use elliptic curves these days, or if we must then something like 8k bit keys to get 128 bits of security over finite fields, is that for the old Z^*_q/Z_p setup, such a faster algorithm exists (index calculus).
Someone could in theory find a better calculus that works only for groups with some specific characteristics of Curve25519, for example. No quantum computers needed.
EDIT: we know that no _generic_ faster algorithm exists, that is one independent of the representation of the group involved, for the traditional computing model. But that doesn't exclude algorithms, as I said above, that work for very particular cases.
ernesto95 121 days ago [-]
Do you have a personal book recommendation on the group and/or number theory of this type of cryptography?
red_admiral 121 days ago [-]
Most of what I've learnt here was less from books and more from colleagues/seminars and reading research papers.
You can get a brief introduction at https://soatok.blog/2020/04/26/a-furrys-guide-to-digital-sig... (your own choice if you want that open in a tab at work or not, but there's nothing NSFW in the usual sense in there), and then read the details of each scheme in the RFCs. Some of the RFCs even talk about security implications.
"djb" as he is known in the crypto world has a good paper at https://eprint.iacr.org/2024/1265 , it's 68 pages so "almost a book". He also has a lot of resources on his page https://cr.yp.to . Be aware that he is sometimes ... controversial (not racist or anything, just has strong opinions on FIPS and the NSA and has actually taken the US government to court in the past over this). He's the author of Curve25519.
andrewla 121 days ago [-]
Except that the Bitcoin only has value so long as the cryptography behind it is secure. If it is broken, then the value drops to zero and all your coins are worth nothing.
zikduruqe 121 days ago [-]
That, or it is a trap to catch time travelers. :)
marcosdumay 121 days ago [-]
Well, a time-traveling computer can solve problems of an entirely different (much larger and a strict superset) category than the ones a quantum computer can.
You don't even need to travel far. A second or so is enough to break all cryptography, even the post-quantum one.
EGreg 121 days ago [-]
If someone solves Puzzle #72 before #67 it would be quite impressive ;-)
Cthulhu_ 121 days ago [-]
Not necessarily, if there's e.g. a trillion keys to try, every tried key has a 1 in 1-trillion chance to be it, so it could be found by chance after just one try.
(disclaimer, I don't know statistics, cryptography, bitcoin or chances)
GTP 121 days ago [-]
Yes, but in your example the probability of finding it at the first try would be one in a trillion, which is already so small as to be negligible. And 2^66 is much bigger than that.
derangedHorse 121 days ago [-]
I think you're mixing up the concept of entropy. The entropy is the measure of randomness in the data and with more entropy, the harder cryptographic schemes are to break. Going back to your comment, the asserted 130 bits of entropy in the key would be harder to break than 65 bits.
I'm also unclear on where you got the 'multiple of 5' bit about. It seems the keys corresponding to numbers divisible by 5 were used in a spend transaction by the puzzle creator. Using those addresses in spend transactions reveals the public key and saves compute that would be wasted hashing. It also enables direct attacks using Pollard's rho (which someone already posted a link for above).
Is this a "puzzle"? Throwing compute at brute-forcing a random number doesn't seem like solving a puzzle to me, it's basically how bitcoin works.
aeturnum 122 days ago [-]
I think the puzzle idea is that, if you could figure out a weakness in the hash, you could claim it faster than the brute force approach. So each prize that's claimed "on schedule" supports the idea that there aren't any widely known shortcuts.
Obviously if you found a shortcut in the hash you might do other things first, but I think that's the idea.
IshKebab 122 days ago [-]
Hmm yeah if I cracked Bitcoin then last thing I'd do is claim a prize that gave away the fact that I'd cracked Bitcoin.
mr_mitm 122 days ago [-]
There is a difference between a weakness and complete breakage. You might have a small edge over brute force, but not enough to reverse any public key. This acts like a canary for weaknesses.
throwawaymaths 122 days ago [-]
What you would do is claim the prize slightly ahead of schedule and wait to be slightly ahead of schedule for the next one.
dylan604 122 days ago [-]
some people just want the cred though. their name will be immortal and live through history as being something, or some such nonsense that feeds an ego.
also, if you were the type that thinks bitcoin is lame, this could be a way of undermining the concept to the point that people no longer use it because it's not secure as it was touted
dheera 121 days ago [-]
What would you do?
I'd claim the prize, sell for USD, then watch BTC crash
rogerrogerr 121 days ago [-]
It would crash before you could sell it. Guarantee major market makers are watching these wallets specifically, and autonomously.
lucubratory 121 days ago [-]
So if someone figures out how to do it, they then effectively have a button that destroys a massive amount of wealth worldwide owned by a pretty specific group of people? That's fascinating, with billions of dollars at stake people would absolutely kill for that, not to mention the governments that use crypto on a macro scale for avoiding sanctions etc. Would probably make a really good thriller.
rogerrogerr 121 days ago [-]
My theory: The wealth would probably effectively transfer to holders of other currencies. You aren’t really destroying wealth by destroying currency; the supply of stuff is still available. Just now the demand for it from crypto-holders is gone, so it’d get cheaper for USD-holders.
qingcharles 121 days ago [-]
It'd be possible to guess it right first time, though, in theory, if you were really, really lucky.
jsheard 122 days ago [-]
PoW crypto is an exercise in finding new ways to spin boiling the oceans as actually being productive.
teekert 122 days ago [-]
Electricity net controllers here are pretty happy when I boil some ocean on a sunny day. In fact at times they give me money for it. And then I can donate sats to indie content creators using podcasting 2.0 features.
But I think you are one of those people that threw out that baby with the bath water long ago.
kelnos 121 days ago [-]
The kind of use you describe is almost certainly a small minority of the whole.
teekert 121 days ago [-]
It’s certainly growing. We have many issues here where solar panels are turned off at peak hours. People get less and less money for delivering power to the net, and indeed sometimes have to pay to do so. This will only increase.
In fact solar panel sales are dropping very fast.
yosito 121 days ago [-]
Where is here for you?
teekert 121 days ago [-]
Netherlands, on an ANWB, variable, energy contract [0]
A lot of puzzles (e.g. sudoku) are things you could solve with a SAT/SMT solver
aeternum 122 days ago [-]
Optimization and efficiency are sometimes underappreciated puzzles. We know that the air contains nitrogen for example but without the wild efficiency of the Haber process, most of us would likely be dead right now.
Custom silicon and all kinds of related optimizations were likely used to successfully brute-force this number.
ramon156 122 days ago [-]
I'd assume there's a hint, but I can't find anything
Sandworm5639 122 days ago [-]
Is it known who set it up and for what purpose?
red_admiral 122 days ago [-]
Curious to know because I've never looked into this stuff: doesn't the _public_ key have to be available anyway so you can send the coins to the address in the first place and have that recorded on the ledger?
tomtomtom777 122 days ago [-]
A wallet address (where money is sent to) is the public key hashed. This money can then be spent with a transaction containing both the signature and the public key.
This is one of the reasons it is advised never to reuse an address. After using it once, your private key may still be private but your public key is exposed, reducing security.
red_admiral 121 days ago [-]
Thanks. The "hashed" part is what I was missing.
aeonik 122 days ago [-]
Once you have the private key, you would submit a transaction with that private key and authorize a transaction to a public key that you control, and doesn't have part of the private key available.
You don't need the public key, and IIRC most algorithms allow you to derive the public key from the private key, though I'm not sure that's the case with Bitcoin. I have vague memories that there are algorithms where this is not that case, but it's been a while.
red_admiral 121 days ago [-]
It's some kind of EC/DSA scheme, isn't it? Then from the private key you can indeed get the public key.
mistrial9 121 days ago [-]
Is this true? from an ECDSA private key you could derive many possible public keys? asking for a friend
aeonik 121 days ago [-]
I looked it up.
1. SHA-256: Used twice (double SHA-256) for block hashing and once in address generation.
2. RIPEMD-160: Used once in address generation (after SHA-256).
3. ECDSA: Used once for transaction signing and verification.
4. Base58Check: Used once for address encoding (includes a checksum generated using SHA-256).
treyd 121 days ago [-]
For simple key derivation no, just the one pubkey. However most crypto wallets use a "hierarchical derivation" [1] scheme.
If you have a normal ECDSA private key, you get only one public key. However, there are ways to get a 1-to-many scheme, and similar ideas are used in U2F (yubikey or similar) systems.
The basic idea is you pick one private key that's a sequence of 256 bits or so, call this k. When you need a keypair, you compute H(k, tag) to get another bitstring, then turn that into an ECDSA private key (minding the bear traps here) and that then has a single public key.
For example in U2F, the key derivation is H(k, domain, ...) where k is the secret baked into the USB token, domain is the domain you're logging in to (this is the part that protects against phishing, among other things) and further protocol-specific information.
dheera 121 days ago [-]
It seems #125 is already solved? If so don't they have the power to solve #67, 68, 69?
wslh 122 days ago [-]
New to this puzzle! Do you have a more detailed resource to the puzzle? Is it basically brute forcing based on all public keys available on the Bitcoin blockchain? Could this be considered stealing?
The point of the puzzle is indeed to brute force some private keys (not public keys), but not all, as 2^256 is computationally impossible. The private keys that have been discovered so far have obviously many zeros in them, so in practice you are never going to accidentally steal from a legitimate address with actually 256 bits of entropy.
The creator of the puzzle is anonymous and never came forward (to my knowledge). The point of the puzzle is (1) to be a fun game, and (2) to be a publicly observable way of measuring current brute forcing capabilities.
wslh 122 days ago [-]
First, a question: is there something similar for other blockchains? And, a clarification, when I said public keys I referred to public keys that match an unknown private key but I understand now (am I correct?) that this puzzle is purely brute forcing private keys with a lot of zeroes and then matching with the addresses in the blockchain (which would be a function from the public key).
mrb 122 days ago [-]
I don't know if other blockchains have these puzzles. You are correct that this puzzle is brute forcing private keys with a bunch of zeroes, from which a public key can be calculated.
thisconnect 121 days ago [-]
Other bc's are centralized and don't need it as they can just revert or change their state.
Dylan16807 120 days ago [-]
Note: The size of the puzzle is the number of unknown bits plus one, because the top bit is always set. Puzzle #66 had 65 unknown bits.
HPsquared 121 days ago [-]
So exponential increase in difficulty, linear increase in reward. Unless the price goes exponential too! (Which was the case for a while)
fidelramos 121 days ago [-]
My take on this [0] is that Bitcoin price was growing exponentially with demand, or more exactly with the expected future demand. Cryptocurrencies have always had a lot of speculation behind them, not unlike any startup, and that is OK.
As shown by the graph [0], adoption slowed down after 2016 when BTC blocks got consistently full and transaction fees rose to $50 and more. I believe if BTC had scaled to support more transactions the price would be much higher today, as Bitcoin would likely be used as a means of payment across the Internet and in many physical stores as well.
Discussions regarding the decentralization of larger blocks aside, something that is not clear to many people is that scaling a blockchain to handle more transactions doesn't mean a linear increase in energy use. In the case of BTC its Proof-of-Work algorithm operates over the root of the last block's Merkle tree, which is a hash of all the transactions in the block. Being a fixed-size hash it doesn't matter if the block contains 1,000, 1 million or 1 billion transactions. Arguably a more popular Bitcoin would be more valuable and therefore would attract more miners, increasing its energy consumption, but that just reinforces my original point.
I think you're describing Bitcoin Cash, but AFAIK it's worth less than original BTC. What you're not considering is the brand value of BTC being the first and most famous crypto currency.
fidelramos 121 days ago [-]
I agree with part of what you say but not with the implication. Yes, Bitcoin Cash [0] is the Bitcoin that chose to scale on-chain. The split happened in 2017 and since then it has decreased in price both compared to BTC and USD.
What I strongly disagree with is that a Bitcoin with bigger blocks and hence larger transaction capacity is inherently less valuable. That is an unfair comparison because Bitcoin Cash, when the split happened in Aug 2017, could have been recognized as Bitcoin by the ecosystem, but it wasn't, and Bitcoin Core retained the BTC ticker. Because of that Bitcoin Cash had to start adoption from the beginning, losing Bitcoin's established network effects.
My original argument was that if Bitcoin had increased its blocksize before 2016 as Satoshi Nakamoto originally intended [1], then the Bitcoin Cash split wouldn't have happened, Bitcoin adoption would have continued growing (remember that back in the day big players like Microsoft, Dell, Steam and Newegg started accepting Bitcoin payments) and miners would progressively see more of their rewards coming from transaction fees and less from the block rewards.
This last point is one of the big problems with BTC right now: the network security will decrease in the face of dwindling block rewards unless transaction fees rise. I argue that Bitcoin was always supposed to scale in number of transactions, so the aggregate of transaction fees, even if individually inexpensive (roughly 1 cent), would become larger than the block reward. In other words: the block reward was just an economic incentive to kick-start the Bitcoin network, to attract miners that would secure it, but the transaction volume was meant to keep increasing to replace it.
I didn't say that having larger blocks makes a cryptocurrency inherently less valuable, my point was that it's not enough to obtain the widespread adoption and the consequent increase in value you were talking about. But I also see your point on having those improvements baked in BTC at the right moment vs having a new cryptocurrency. But afaik Ethereum is able to handle many more payments than BTC (not sure if transaction fees are reasonable though) and is one of the most popular cryptocurrencies. But still, my impression is that its adoption as actual currency to pay for goods is similar to BTC, despite these improvements.
In my opinion there are two main issues that prevent cryptocurrencies from being actually used as currency:
1. How many transactions per seconds can be handled
2. Their extremely high volatility compared to fiat currency
While blockchains can scale to fix point 1, point 2 is driven by forces outside the technology.
fidelramos 121 days ago [-]
Blockchain scalability while keeping decentralization is now a solved problem, you can research how sharding is implemented in cryptocurrencies such as XTZ or EGLD, or read this rationale [0] for terabyte blocks in Bitcoin Cash. Why do blockchains such as BTC or ETH refuse to scale on-chain then? That's a separate debate, but I believe there are vested interests in them not scaling.
Regarding volatility I agree that it's currently an issue, but not an insurmountable problem in my opinion:
1. Payment gateways can offer automatic asset conversion to minimize volatility risk for payment takers. This means I could pay in whichever cryptocurrency the payment gateway would take and the receiver would get whatever currency they have set up in their account. They might want to keep some currencies and convert others, so the payment gateway could offer an option to decide that, and in which amounts (e.g. "keep 10% of each BTC payment, convert the rest to USD").
2. Price volatility should reduce as a cryptocurrency is more widely used. In the alternate universe where BTC scaled to be larger than all credit card networks combined its price could be more stable than many fiat currencies.
Yes, but computer performance also goes up exponentially - especially when GPUs and ASICs were built and optimized for the maths needed for crypto - so in a sense they're keeping up. In theory.
gzer0 121 days ago [-]
Whoever solved it left a rather intriguing, albeit slightly mocking, message:
This is a signed transaction. So the one who stole the prize.
One of the really interesting things about the blockchain is that you can write a smart contract script that will permeate forever.
Using a hashed transaction instead of a signed transaction is a weird mistake to make, but not an uncommon one for people who are just learning to write blockchain code. I know we are talking about BTC here and opcode is rather limited, but this type of thing pervades on ETH.
Imagine writing a PWN script as a 14 year old and waking up when you are in your late 20's to millions of dollars in crypto.
csomar 121 days ago [-]
If the real puzzle solver didn't see this coming, he kinda does deserve it. Bitcoin blocks take 10-20 minutes to confirm. This leaves enough time for a bot/human to take over. I am pretty sure he could have contacted a miner/pool and arranged a deal with them.
fidelramos 121 days ago [-]
How could a bot/human steal the funds without knowing the private key?
Edit: typo
fidelramos 121 days ago [-]
Ok there is one good explanation for this case that I found in another comment here [0]: the person who found the private key made a transaction moving only part of the full reward, but in doing so exposed the full public key. A bot was monitoring the puzzle address for activity, picked up the public key, used it to crack the private key quickly and moved the rest of the funds.
Fascinating that the original cracker wouldn't know these details about Bitcoin transactions.
You can't derive a secp256k1 privkey from the associated pubkey. That's the whole point.
fidelramos 121 days ago [-]
You are right in the general case. But the public key is included in a transaction when it gets signed, and in this particular case the attackers already had part of the private key, that's what allowed a different attacker to combine both pieces and break the private key quickly.
csomar 121 days ago [-]
I am not sure about this one but for the other puzzles, the solution is usually hashed and the submitter has to provide the solution in the Bitcoin script to solve for the hash. This discloses the solution (and thus the private key). This is not the case for signed Bitcoin transactions but these have special script functions. So if you don't use those, you lose these protections.
ralfd 121 days ago [-]
Can you explain that? So the real puzzle solver could have theoretically triggered the transaction, but lurking bots are stealing the transaction from them?
I'll try to give a brief here about how Bitcoin script works but you'd better read up on the Bitcoin wiki.
Essentially, to make a transaction valid, your script needs to pass.
1. <PubKey> + <Signature> -> This is how most transactions are handled. You provide the transaction with a signature. This doesn't expose your private key and locks the receiver (as the receiver is signed).
2. <Hash> + <Hashed Content> -> To solve for Hash, you need to provide the Hash Content essentially solving the puzzle. Problem is, if you provide the Hashed Content publicly in the Script, anyone can also submit a competing transaction and set himself as the receiver.
throwawayffffas 121 days ago [-]
It's not particularly intriguing, he is trash talking the competition.
throwaway314155 121 days ago [-]
that it's relatively self aware, in particular about energy consumption concerns, is mildly intriguing i think
fsckboy 121 days ago [-]
the global warming consensus dominates the public discourse, the idea that somebody involved in crypto is not aware of energy consumption is a bit absurd
Quindecillion 121 days ago [-]
What's wrong with energy consumption?
I think you might be confusing it with greenhouse gas emissions.
GTP 121 days ago [-]
How's the electricity you're using produced? ;)
kragen 121 days ago [-]
are we talking about people doing bitcoin mining or hash cracking?
bitcoin mining is an extremely competitive business of finding the cheapest sources of energy and mining hardware; because the cheapest energy sources are all renewable, mining bitcoin with fossil-fuel-produced power is unprofitable. so the electricity we're using to mine bitcoin is mostly solar, wind, and hydroelectric
as for the cracking, i don't think we know anything about where it was done or how much energy was needed, but if the energy cost was significant, i'd expect the solver to have done it somewhere where energy was cheap
BobAliceInATree 121 days ago [-]
electricity is basically fungible (minus a distance factor). So if you're using up the cheap, renewable electricity for mining, guess what you're using for everyone else's day-to-day electricity? Yep, fossil fuels. (https://www.theguardian.com/technology/2022/feb/18/bitcoin-m...)
One major exception to this is geothermal electricity in places like iceland where there's abundant green electricity, but you can't transport it to any neighbors.
So just using renewable sources for electricity doesn't actually make mining renewable until we're in a society that's 100% renewable.
kragen 120 days ago [-]
the distance factor is a primary consideration when it comes to electricity; most electricity is consumed within hundreds of kilometers from where it's produced, because only in china is there uhvdc transmission, and even inside china there isn't nearly enough uhvdc and hvdc transmission capacity to meet demand
consequently, there are lots of places where there's abundant green electricity that can't be economically transported to any neighbors, which is why green electricity is cheaper than coal, nuclear, and gas energy. if it could be economically transported, it would be; instead, it is sold locally at much lower prices. only rarely is this seen by residential end-users, but in much of the world the 15-minute prices paid on the wholesale market by electric utilities are public information, so you can easily verify this
as a result of that, just using renewable sources for electricity does actually make mining renewable
as for the grauniad article, there are a lot of people doing unprofitable business things in lots of businesses, but they tend to be self-limiting, because those people run out of money before long
kragen 120 days ago [-]
correction, since 02017, there's also uhvdc transmission in brazil from the belo monte dam. 66% of electrical generation in brazil is hydroelectric
I'm not super familiar with the concept (and I'm too lazy to look into it TBH), but I think the would-be winner posted the private key before enough (any?) blocks were mined, and the thief posted a transaction with a bigger fee, and the thief's transaction was in the block that got mined.
mrb 121 days ago [-]
No private key was posted too early. What happened is the person who spent all the computing power to brute force the 66 bits broadcast, naively, a transaction to send the 6.6 BTC reward to his wallet. However, when doing so, the public key is by design revealed on the blockchain. Someone's bot whose sole purpose is to steal these puzzles' rewards was monitoring the blockchain and spotted the transaction before it got confirmed (on average confirmations occur every 10 minutes), then it processed the now known public key from which the private key can be recovered in 2^33 operations (2^(n/2)), then crafted another transaction to send the reward to his wallet, with a higher fee, so his transaction got confirmed, instead of the discoverer's lower-fee transaction.
This is a well-known attack. The discoverer was sophisticated enough to brute force, but not enough to know about this risk :)
Terr_ 121 days ago [-]
This is another useful example to have handy against the canard: "You're only skeptical of cryptocurrencies/blockchain because you haven't learned enough about how they work."
I believe the correlation is the other way around... at least once you get past some early local maxima near "people who don't understand how money can be in a computer."
P.S.: To digress (rant) a bit: The linchpin is whether your system needs to allow anybody to create and control any number of new participant-nodes at any time. That fundamental requirement is actually very rare, and it's also the root causing a cascading tree of workarounds, compromises, inefficiencies, and risks.
mandmandam 121 days ago [-]
This attack wouldn't have worked in a mining free, fee-less cryptocurrency with sub-second confirmation times (ie, block lattice).
The only reason we're still talking about BTC is bag-holders. It's vastly technologically inferior on every metric.
Talking about BTC's failures as if they exemplify cryptocurrency is just like attacking solar panels on the basis of whale oil's flaws.
killerstorm 121 days ago [-]
How is this "block lattice" secured?
mandmandam 121 days ago [-]
Quite well, thank you! Coming up on nine years without hacks, and apparently quantum-resistant.
The next release of Nano (the original and best imo*) manages spam to the point where fee-less sub-second transactions can be maintained even while under a directed spam attack.
If you want to learn more there's plenty of documentation:
* - I love how it was distributed, and the team are extremely focused on making it work at a "commercial grade" as opposed to working up hype.
yunohn 121 days ago [-]
I was wondering where your previous comment was heading - I assumed you were referring to Yet Another Niche Cryptocoin, and that was confirmed. Thanks!
mandmandam 121 days ago [-]
People said the same thing about renewable energy for decades ... "It's so niche! How could it ever replace fossil fuel?".
The point stands - BTC's limitations mean nothing to the potential of digital currency as a whole. Cryptocurrency has been proven not to need fees or mining, and yet people love to attack it on that basis. Anything to feel superior I guess.
yunohn 121 days ago [-]
It’s not about superiority, it’s about the pie in the sky claims made by crypto, none of which have demonstrably helped real world use cases at any scale.
Even taking your example coin, they’re making it production-grade, for what? How many people seriously use it? What is the real plan to adoption? Or is it just another fun tech project.
mandmandam 121 days ago [-]
Each transaction uses a tenth the energy of a credit card, confirmed in milliseconds. It's decentralized. It's secure. Isn't controlled by a shadowy entity working to hoard wealth and power backed up by military threat. Etc.
Why am I doing basic research for you?
These aren't "pie in the sky" "claims", they are statements of fact that can be verified by trying it out yourself. I already linked the docs if you want to know how it works, what the upcoming milestones are, what work has already been done, etc.
One example of a great use case is Nano-gpt(.com), where you can try the latest AI models straight away and pay by the question. The bottleneck here is your imagination.
yunohn 120 days ago [-]
My point about the features you claim have to do with adoption and scale. You don’t need crypto to make a more efficient payment network.
Regarding nano-gpt, that’s already a solved problem. Literally all API platforms support pay-as-you-go credits. I went to your link, and I loved the irony of them asking for a 0.10$ minimum deposit - note the complete lack of crypto rates. That is par for the course for crypto apps, nobody cares what the coin conversion is - it’s just a gimmick.
Terr_ 120 days ago [-]
> nobody cares what the coin conversion is
TBF, that particular data-point tends to have a "damned if you do, damned if you don't" extrapolation, ex:
1. "If sellers only care about what regular currency it can be turned into, that means it has failed as a currency because it's just an intermediate payment scheme."
2. "If sellers don't care about what regular currency it can become, that probably means it has failed as a currency because it's really just a speculative-bubble asset."
yunohn 120 days ago [-]
Sure, but it’s really easy to list both - even that almost never happens.
edm0nd 121 days ago [-]
imo nano had its time in the limelight to shine and has just slowly died out.
The Raiblocks and BitGrail hack sealed its death.
mandmandam 121 days ago [-]
Raiblocks was never hacked, an exchange was (though it could have been an inside job, and BitGrail was at the very least negligent). Very different, though yes, still damaging.
And this isn't about personal beliefs, market cap, market share, etc. The conversational point was that it's technically vastly superior to BTC, which it undeniably is. On market cap, adoption and hype, BTC wins hands down, for now, but there's no reason at all for that to always be the case.
People here love dunking on cryptocurrency for the slow times and the mining and the hacks (like this post) - yet none of that is a necessary characteristic of cryptocurrency.
Btw, Nano is very much alive. V27 is coming out soon making major improvements, regardless of like, your opinion man.
edm0nd 120 days ago [-]
I love crypto, not dunking on it.
The FranciscoTheBomber admin of BitGrail should have served prison time over the entire thing. He got off basically with zero consequences.
Nano will never be in the top 100 of crypto projects ever again. That's just a fact.
mandmandam 120 days ago [-]
> That's just a fact.
Do I need to paste the definitions of fact, vs prediction, prophecy, belief and opinion in here?
I remember hearing similar pronouncements presented as 'ironclad fact' after Mt. Gox, and after the DAO hack, and even during the Bitcoin Cash debate. The field is more full to the brim of people presenting opinions as fact than I would ever have believed. Even if you were someone I'd heard of and respected, a known expert; if you claimed your opinion in this space as fact I would yawn and put my respect for you down a notch.
And, the discussion wasn't about market cap, top 100, or anything like that - just verifiable technical characteristics.
The scam talked about in this thread wouldn't work in Nano, because Nano doesn't require mining or fees. Many other coins have the same characteristics, Nano was an example. I would bet that any other example would have been just as triggering to people.
motoxpro 121 days ago [-]
As much as this sucks, I absolutely love how the blockchain is a real-life version of a Dark Forest
Broadcasting the secret and it immediately getting annihilated by some anonymous, stronger third party. Very much so.
dgellow 121 days ago [-]
As long as it isn’t used for anything in the real world, I agree. It’s a fascinating ecosystem to watch from far away. If the crypto bros get their way and integrate blockchains with the real world, that becomes a horror show
Dibby053 121 days ago [-]
That must hurt. In case I crack the next puzzle... how should I go about collecting the prize without having to mine a block myself or trust a miner not to screw me over?
mrb 121 days ago [-]
To avoid this risk: either you solo mine your transaction, or you submit your transaction to a mining pool that will not broadcast it to the P2P network until it is mined. Some pools offer this as a service (eg. https://slipstream.mara.com/). This is kludgey but this is because the puzzle is inherently limited by its technical design.
Note that this issue doesn't exist with puzzle numbers that are multiple of 5, because these addresses have their public key already known. So everyone is on a level playing field. The multiple of 5 have been solved up to #125: https://privatekeys.pw/puzzles/bitcoin-puzzle-tx
drexlspivey 121 days ago [-]
There is also another puzzle for finding a sha256 collision, the address script just checks if the 2 inputs are different but have the same hash and if true it unlocks the coins.
That one is even easier to steal because it doesn't even require a digital signature and there are tons of bots out there inspecting live transactions and if they don't require a signature they just create a new transaction with an increased fee and their own address as recipient.
Dibby053 121 days ago [-]
I didn't know there was a formal service for it, that's very cool. Still, it relies on the miner keeping its word instead of cracking the private key. In practice it would definitely not bother risking its reputation like that, but I wonder if there's way around it, with smart contracts or something.
beeflet 121 days ago [-]
I am not a bitcoiner, but I think there is a way to have transactions on bitcoin that are the hash of the script you want. So maybe you could submit the script hash and then submit the script in the next block? IDK how that would work but I overheard some sort of hash-of-script functionality described by bitcoiners to save space. Hold on, let me see if I can find it.
Edit: nevermind, I got confused with P2SH: https://learnmeabitcoin.com/technical/script/p2sh/ pretty sure you can't unlock outputs with a hashed script unless the creator of those outputs did it ahead of time.
Stagnant 121 days ago [-]
That is correct. Basically you have to get lucky that after submitting the transaction a new block would be confirmed within 1-2 minutes, which I think is around the timeframe of what it will take for a top consumer GPU to bruteforce the private key.
I'd be curious to know if it is possible at all to "securely" send the funds of these puzzles or if there is some hard limit that requires the pubkey to be published with the transaction.
hanniabu 121 days ago [-]
> processed the now known public key from which the private key can be recovered in 2^33 operations (2^(n/2))
So anybody that has sent a transaction can have their private key cracked just from their public address? How is this considered secure? That's absurd...
wkat4242 121 days ago [-]
Well this isn't a normal key. It's a key with extremely reduced entropy for the sake of the puzzle. Most of the private key is already known and is in fact all zero.
So this would not be possible with a normal Bitcoin transaction with regular entropy.
dheera 121 days ago [-]
But I guess this means that all Bitcoin transactions have half the entropy we think they do?
marcosdumay 121 days ago [-]
Well, no, because "we" think it has half the entropy their length implies. This is widely known, and the length was selected with that information in mind.
drexlspivey 121 days ago [-]
All security assumptions on bitcoin rely on 128bit entropy (256 bits in a private key divided by 2)
dheera 121 days ago [-]
Is that true for all of the future? I suppose it's only a matter of time before Satoshi's and all the lost wallets will be broken?
Even if it's 70 years from now before we have the compute to do that, the wallets will be worth so much by then that whoever does that will end up with a level of money that is high enough to menace and threaten entire countries if they are malicious.
Why doesn't Bitcoin require keys to get longer over time? Require 256 bit now but require 65536 bit in 20 years to make any transaction?
drexlspivey 121 days ago [-]
I think you underestimate how big the number of 2^128 ECDSA operations is. It is 20 orders of magnitude bigger than the puzzle that was just solved (that took 2 years). There is no way we scale our compute that much in 70 years unless we start building Dyson spheres.
To answer your question, that change in bitcoin can happen at any point in time with a protocol update. It probably wouldn't even require a hard fork, a soft fork would suffice.
dheera 120 days ago [-]
> no way we scale our compute that much in 70 years
Huh? Ask someone in 1950 if we would ever achieve petaflops on a desktop-sized PC. Yet here we are with H100's. About 10 decimal orders of magnitude faster than the state of the art in 1950.
Quantum computing will also happen, and I think 70 years is more than a realistic time frame.
drexlspivey 120 days ago [-]
The bottleneck is energy: you can't scale human energy consumption by 20 orders of magnitude (not in 70 years anyway). There is just not enough of it.
wkat4242 121 days ago [-]
How would you enforce this for cold wallets? The owner would still have to prove their ownership with the old key.
wkat4242 121 days ago [-]
Effectively, yes.
hanniabu 121 days ago [-]
How is most of the key known if it's a puzzle? Why would people make their progress public?
wkat4242 121 days ago [-]
Because this is how the puzzle works. Most of the key bytes are zero. Only the last 66 had to be guessed. And their solution was made public by doing the payment.
Normal keys can't be cracked as they use 256-bit public keys providing 128-bit security, which is still secure.
fernandopj 121 days ago [-]
But how could he have avoided this attack? I'm only familiar with Bitcoin's blockchain on a beginner level. But I assume the only way would be to avoid revealing the answer key (public) when sending the transaction to get the reward?
Jerrrrrrry 121 days ago [-]
There is actually no way to avoid this, aside from setting the Fee nearly to the reward.
It's essentially MitM all the way down.
even the private mempool can attempt a double-spend with a larger fee, get one transaction ahead, then try to maintain an edge long enough to be the "longest branch" for consensus - the 51% attack only needs 33% in reality, much less when you're the private mempool that can take advantage of the birthday paradox to jump two blocks ahead.
you have to literally mine your own coin with the reward transaction included.
of course, zpk+ would solve this issue entirely.
Alice and Bob wouldn't ever doubt each other again.
sourraspberry 121 days ago [-]
Isn't this a bit insane? Does this not imply the entire Bitcoin protocol is fundamentally flawed?
loopdoend 121 days ago [-]
No because it is not normal to have such low entropy for private keys. It wasn't designed with these puzzles in mind, nor should it be.
fernandopj 121 days ago [-]
Your reply and Jerrrrrrry's closed this understanding for me.
The attack itself can't be mitigated because there's the incentive to try to force the blockchain with your own theft block because your fee is much higher for what appears to be the same transaction. But this attack, like you said, is only feasible for this niche domain of low entropy private keys.
Workaccount2 121 days ago [-]
The bitcoin protocol isn't fundamentally flawed, but it is fundamentally outdated. If it wasn't for public bitcoin/crypto FOMO, bitcoin would have been deprecated years ago.
kfrzcode 121 days ago [-]
Of course, you could avoid this entirely with Hedera HBAR and fair consensus on the hashgraph. But the puzzles are on BTC where the money is.
drexlspivey 121 days ago [-]
One way would be to not broadcast the transaction publicly but send it to a mining pool directly
hoerzu 121 days ago [-]
Private mempool transaction
nkrisc 121 days ago [-]
I’m a relatively smart person, probably above average, but glad bitcoin hasn’t taken over banking because I don’t understand any of this.
a_dabbler 121 days ago [-]
You don't need to. Most of us will never understand the complexity of banking either
zeagle 121 days ago [-]
You mean the one where someone else pays a higher ATM fee and scoops my cheque deposit? We can talk about reduced bits in the puzzle vs a regular transaction but when you need to consider how you are going to safely claim your money as if you are laundering you have to admit this is a little nuts.
pushedx 121 days ago [-]
The only reason that this opportunity exists to swoop in and forge a transaction is that the reward in question is a reward for fundamentally breaking a weak version of the cryptography underlying the BTC blockchain, the technique for which happens to have a second mathematical weakness.
No other transactions are subject to this weakness, and it's this puzzle which proves that.
stavros 121 days ago [-]
You're discounting how nuts it is that a third party has veto over whether you can spend your money and how.
zeagle 120 days ago [-]
I think it's part of living in a society with rules and law. It also protects me from rampant fraud and theft and also helps ensure taxes are paid for the benefits I use like roads, hospitals, and education.
chr15m 121 days ago [-]
idk $34 billion in annual global card fraud is also a little nuts.
gosub100 121 days ago [-]
I've never used any coins in my life, but I think what is unique here is that the reward IS the entire wallet itself, not just a transaction from the "contest holder". They revealed many of the bits of the private key already. Somehow, you cannot use the wallet without briefly revealing the rest of the private bits.
hoerzu 121 days ago [-]
You can run your own node and then mine the transaction into the block or use private pools.
Look up MEV
hammeiam 121 days ago [-]
Yes, no such thing as dark pools in traditional finance /s
GTP 121 days ago [-]
It shouldn't be so easy to derive a private key from the corresponding public key. Is the attack you're referring to working because most of the bits of the private key are already known or am I missing something else here?
shakiXBT 121 days ago [-]
That's precisely what happened, knowing the public key of an address is commonplace (as long as the address has done at least one tx) and doesn't compromise the security of its private key
Dylan16807 120 days ago [-]
> It shouldn't be so easy to derive a private key from the corresponding public key.
What specifically are you calling "so easy"?
If we're talking about "2^(n/2)", I don't see the problem. Why shouldn't it be that?
GTP 119 days ago [-]
The problem is that OP specifically said 2^33, which is quite darn easy. I didn't immediately realize that he was saying so just because, in this specific case, only 66 bits needed to be found, which indeed gives 2^33 by applying the usual formula.
the_clarence 121 days ago [-]
You need 2^65 operations so this is likely not what happened. What you're thinking about is the birthday attack that only works to find collisions and not to find a specific "pre-image"
rtkwe 121 days ago [-]
No knowing the public key reduces the number of keys you have to attempt to find the corresponding private key. If it required the same number of attempts they would have just found it first without having to wait for the broadcast to snipe it.
Wait Pollard rho runtime is based on the order of the group not the size of the private key. Maybe there's more to it? This strikes me as more of a hidden number problem. But to make it work you need to observe something using that small number. A transaction might have been enough.
rtkwe 121 days ago [-]
The exact details are beyond me but knowing the public key cuts the required private keys you need to test in half. Public keys are included in the transaction but normal keys have enough bits they're effectively protected even with their raw entropy cut in half. 128 bits are still more than you can effectively brute force but the 33 bits left for this challenge is far easier which let the attacker snipe the reward by exploiting the low fee offered on the original solve message sent to the transaction pool.
the_clarence 120 days ago [-]
Half of 2^66 is 2^65
rtkwe 119 days ago [-]
I meant the entropy in bits is cut by half.
nullc 120 days ago [-]
It's very easy to make sqrt(n) DLP solvers for known subranges.
Here is a trivial one:
In advance, make a table of all the pubkeys xG for secret key s = (0,2^33].
When you get a target key T, compute T - (2^33)xG for x = (0,2^33] and look up the result in the table.
When you get a hit, you've found the private key for T it's (2^33)x + s.
Of course, this is a trivialized example, many optimizations are possible and you can specialize any generic DL solver to work in a known range.
the_clarence 120 days ago [-]
But that's not the range in question, this one has 66 bits. You're describing a meet in the middle attack but the runtime would be too high
nullc 120 days ago [-]
My example is specifically for a 66-bit range. There are two loops in my post, one removes 2^33 multiples of 2^33, the other builds a table to check for values with a 33-bit range. My example will find a solution in a 66-bit range using only 2^34 point operations and 2^33 table lookups.
Work through it, I think it'll be more informative than me simply repeating myself further. If you're still confused, ask specific questions and I'll be glad to answer.
the_clarence 120 days ago [-]
Oh right nevermind. For about 300GB of data. I would assume this is what they did then
rkagerer 121 days ago [-]
How would said bot have recognized this transaction was one of these puzzles, and thus worth brute-forcing?
Given only a random public key, is it possible to quickly recognize when its corresponding private key has weak entropy?
fragmede 121 days ago [-]
The bot was written specifically to steal the winnings of the puzzle.
aaronmdjones 121 days ago [-]
> Given only a random public key, is it possible to quickly recognize when its corresponding private key has weak entropy?
No, but it is possible to quickly recognise that it matches a published puzzle address, which is derived from the public key. And the amount held by that address is public knowledge (it's on the blockchain).
jamalaramala 121 days ago [-]
Let me see if I understand it.
If someone knows that a given address has a huge sum of money, they can create a bot to monitor that particular address, overriding any transactions to his own address?
Would that be possible???
quentinadam 121 days ago [-]
No that’s not how it works.
When a transaction is submitted on the blockchain to withdraw funds from an address it needs to be signed by the private key and it exposes the full public key. A bot that would monitor such transactions would therefore see the public key. With just the public key you can’t create a valid signature, you still need the private key, however for this particular case, knowing the public key reduces the entropy of the puzzle by a factor of 2 (from 66 bits to 33 bits), so this puzzle was easier to solve for the bot knowing the public key published by the person who found the private key. This is very specific to this specific puzzle which had 66 bits of entropy. In general, bitcoin transactions have 256 bits of entropy.
KMnO4 121 days ago [-]
If you have the private key you can send money as you see fit.
The purpose of the puzzle is to find the private key given only 75% of it.
Let’s imagine that takes 1 year to brute force the last 25%. But if you have the public key as well, it only takes 1 minute.
As soon as the coins were sent, the private key was known since it inherently revealed the public key.
thrtythreeforty 121 days ago [-]
What is the less-naive way to claim this type of puzzle?
Aren't you effectively trusting that service not to front run you?
drexlspivey 121 days ago [-]
Yes, the only other way is to mine it yourself. They are a public company that run their own miners if it makes you feel any better.
thrtythreeforty 121 days ago [-]
If you were designing this puzzle, could you do better so that this wasn't necessary? Maybe a two step protocol:
- Send some money to an address, which would temporarily stop accepting money from anywhere else. The fee gives the sender the exclusive right to solve the puzzle for, say, 15 blocks.
- After that transaction is validated, a second transaction (which now cannot be forged by bots) can be sent through.
I am pretty sure you could do something like this on Ethereum but I don't know if the BTC protocol would allow this. I also know very little about the guts of the respective VMs in general.
lyu07282 121 days ago [-]
So there is an avenue to sue them / ruin their reputation
DoctorOetker 121 days ago [-]
No, the other way would be for the organizer to author proper scripts that prevent front-running.
DoctorOetker 120 days ago [-]
Please provide substantive feedback, I don't mind a downvote, but there is no learning opportunity without feedback content.
I wish HN eliminated downvotes without posting associated feedback
I stand by my point: pay peanuts, get monkeys.
If you don't take extra measures to ensure the safe reception of the reward, don't be surprised your security gauge turns out sticky.
ode 121 days ago [-]
How much would the solver have paid as a fee if he had used this service?
funnyfoobar 121 days ago [-]
noob here:
but are not the public keys anyway available on the block chain? that means literally everything can be brute forced?
rtkwe 121 days ago [-]
The puzzles have a set number of unknown bits smaller than the total key length making them more vulnerable to these attacks. For true unknown keys the reduction in your search space doesn't bring it down into the range where it's computationally possible to do.
dools 121 days ago [-]
So someone stole the prize and left some sort of calling card mocking everyone solving bitcoin puzzles?
That one is sending money to the address, not taking money from it.
pushedx 121 days ago [-]
Exactly, the person who swiped the 6.6 BTC reward, uses the same computing power to forge some public keys so he can send a message to the guesser, sending a tiny amount of BTC to the guesser in the process.
DoctorOetker 121 days ago [-]
from the peanut gallery it is impossible to differentiate organizer vs thief, the organizer did invest the money to host the prize, but not the critical thinking to organize a convincing prize?
GistNoesis 121 days ago [-]
>posted the private key before
When you post a transaction, the public key is in the transaction (inside the field "sigscript") .
With the public key known you only need 2^(66/2) checks (instead of 2^66), which can be done really fast.
So some bot watched the address, obtained the public key, computed the private key from it, and front-ran the original submitter probably with a deal from a mining pool to make sure his transaction is enforced.
ChrisClark 121 days ago [-]
Edit: I see it's because in this instance there was less entropy, I guess a normal transaction has a lot more bits to guess
Why doesn't this happen with every large transaction then? Someone tries to move 10 BTC, instantly stolen?
Basically you're saying that every single Bitcoin transaction can be stolen "really fast".
Am I missing a step here?
Stagnant 121 days ago [-]
It is based on the fact that the upper range limit of the private key used in the puzzle is known. A securely generated private key would not be vulnerable even if its public key is known.
The second post on this thread[0] has a helpful chart that makes it easier to understand.
> When you post a transaction, the public key is in the transaction (inside the field "sigscript")
Is that true for every single Bitcoin transaction?
> With the public key known you only need 2^(66/2) checks (instead of 2^66), which can be done really fast.
Then how come not all Bitcoin transactions are front-run like that and Bitcoin is not worth zero already? 2^33 is indeed nothing: 8 billion (so I understand this can be easily cracked).
GistNoesis 121 days ago [-]
>Is that true for every single Bitcoin transaction
I think so, for outgoing transaction (aka to remove from the address), it's kind of needed to verify the signature.
The 2^66 is only for this game where only 66 bits were left unknown.
In the general case obtaining the private key from the public key is much longer.
TacticalCoder 121 days ago [-]
Ah gotcha, that's what I missed. Thanks for your explanation. For a regular address, even with the public key, if there are 256 unknown bits it'd be 2^128, which is statistically unlikely to be solvable.
mannyv 121 days ago [-]
So how do you test your generated key? You can't just go and submit lots of transactions. That would presumably be expensive.
kneel 121 days ago [-]
That's not how bitcoin works
dartos 121 days ago [-]
That’s exactly how bitcoins works.
As a miner, if I see two conflicting transactions I will prioritize the one which pays more rather than the one I saw first.
dheera 121 days ago [-]
So can I avoid the attack by voluntarily paying a super high fee?
baobabKoodaa 121 days ago [-]
The attacker can see what fee you are offering, so they just offer higher
dartos 121 days ago [-]
Assuming it’s higher than the bot can post, yes.
therein 121 days ago [-]
Yeah unless the miner favors the other transaction for personal reasons.
ffsm8 121 days ago [-]
Feel free to click on the link.
cj 122 days ago [-]
Interesting: Reading the first page of the bitcointalk forum, the puzzle originated from this wallet, which has an incredible amount of volume going through it. 10,000+ transactions and over a million BTC sent/received.
We had fraudsters using modal.com compute to solve this challenge. It's not traditional mining software so it didn't initially get flagged, but we've updated our detection to catch it now[1].
Context: these users were not paying, were using stolen credit card numbers.
ficklepickle 120 days ago [-]
FYI something is wrong with your client side routing. From the blog post, clicking on your logo, the URL updates to the homepage but the content doesn't change til I do a full page reload.
ggrelet 121 days ago [-]
Just here to say I think modal is really cool. Keep up the good work!
mmsc 121 days ago [-]
Your blog 404s when an iPhone user uses lockdown mode. In fact your whole website fails to load.
gizmo385 122 days ago [-]
Is there something unique or special about the private keys that are guessed? This seems like an incredibly wasteful allocation of compute (which wouldn’t be surprising given that it’s bitcoin but still)
kobalsky 122 days ago [-]
controlled arms race to improve things on both sides and it doubles as a canary.
LegionMammal978 122 days ago [-]
If someone had totally broken the hash in secret, I doubt they'd burn it on such a low-stakes canary.
kobalsky 121 days ago [-]
the canary is there for a gas leak, not for an asteroid destroying the earth.
the canaries that are left are worth several million USD combined, if there's any incremental progress towards cracking them, that's a strong incentive not to leave the money on the table.
if someone comes up with a full crack spontaneously, then yeah the canaries won't protect you, or anything else for that matter.
p4bl0 122 days ago [-]
I had the same reaction. Isn't Bitcoin wasting enough energy as it is?
sammy2255 122 days ago [-]
What if it’s 100% green energy? Is it a waste?
qwertox 122 days ago [-]
Probably. The energy could have been available to any energy intensive industry, helping them if the resource is too scarce and eventually lowering production prices if it wasn't scarce. You notice it in Germany where energy has become very costly in the last couple of years, where it then makes more sense to limit production or even close all together.
ericd 121 days ago [-]
My impression is that transmission capacity is often the limiting factor, so you can’t really think of eg solar energy as being fully fungible. At least in the US, there are frequently multi-year delays on solar deployments because the transmission capacity to where it could be reasonably used isn’t there. The interconnection queue is extremely long in many places.
As something that’s eminently portable, I think crypto mining might actually have a use in derisking building out solar deployments, as a sort of buyer of last resort.
It might be nice to have other very portable energy sinks to eat up temporarily cheap locally available electricity. I think this might be part of the dream of the hydrogen proponents.
danw1979 121 days ago [-]
Yes.
You can do actual useful stuff with electricity no matter where it came from, like smelting aluminium, training AI models or desalinating water. Wasting it on mining bitcoin is literally the last thing we should be doing with spare energy.
If that spare energy doesn’t have a use yet, negative pricing will find one… but allowing that use to be “computing mathematical puzzles to support a deregulated financial instrument whose chief uses are illicit transactions and speculative investment” is just absurd and we should regulate this away.
throitallaway 121 days ago [-]
I'd argue that the jet fuel used to fly private planes around is also wasted energy. Let's tack on idling transport/personal vehicles while we're at it please.
Byxxi 122 days ago [-]
I would argue that it's still a waste, because that energy could be put to an otherwise better use. Now that energy has to be replaced by a non-green counterpart since it's been spent.
keyringlight 122 days ago [-]
And adding green energy to the grid would let you displace/turn off non-green generation if the load wasn't increasing (as much).
throwawaymaths 122 days ago [-]
What if you're using that energy in your hot tub, or to heat your house during the winter?
Byxxi 122 days ago [-]
Are you arguing staying alive through winter is something less beneficial than bitcoin mining?
thinkmassive 121 days ago [-]
If electricity is being used to generate heat (for a house, hot tub, etc), and that heat happens to be generated by a bitcoin miner, is it more or less wasteful than only using the electricity to generate heat?
BenjiWiebe 121 days ago [-]
That's fine, provided you weren't going to heat it with a heat pump before you decided to use a Bitcoin miner. I suppose there's also a slight environmental cost in producing a Bitcoin miner vs producing a heating coil but I'm going to assume that's negligible.
fecal_henge 121 days ago [-]
Depends if they are wintering inside or in the hot tub.
Mountain_Skies 122 days ago [-]
Since energy isn't easily transported, wouldn't that really depend on where the energy was produced?
qwertox 122 days ago [-]
I'd argue that no other thing, apart from information, is transported as easily as electricity, once the grid exists. Sure, there are capacity limits, but I doubt that shutting down crypto mining would cause problems to the grid.
I recently read that some are thinking about connecting the US with Europe via DC cabling.
Here's a related, old article: "Submarine power cable between Europe and North America: A techno-economic analysis" (2018)
• Developed a 2030 power dispatch model of Europe and North America (NA).
• Identified socio-economic benefits of European-NA electricity trading through a HVDC cable.
• A 4000 MW cable increases social welfare by 177 M€ on an annual basis.
• This benefit for society is sufficient to cover the investment costs.
I did not expect the energy would flow so heavily to North America (24.1:3.3 TWh ratio over a year).
nephanth 122 days ago [-]
Yes? If the energy could be used for something productive, but is instead used for something unproductive, then it is a waste
While that energy technically serves the purpose of letting a monetary system function, traditional monetary infrastructure requires vastly smaller amounts of energy, thus this is a wasteful use of it
Jach 121 days ago [-]
Last time I did some numbers, bank of america spent around $1bn per year in cybersecurity alone, and bitcoin mining energy cost about 10x that. For ensuring the security of a trustless worldwide monetary system, it's not that bad in comparison.
misnome 121 days ago [-]
… unless your trustless worldwide monetary system wants to process more than seven transactions per second.
I guess BoA probably handles a little more than that?
fidelramos 121 days ago [-]
The energy expense of Bitcoin is dominated by its Proof-of-Work algorithm, the cost of processing transactions is negligible compared to that. And the PoW operates over the root of the last block's Merkle tree, which is a hash of all the transactions in the block. Being a fixed-size hash it doesn't matter if the block contains 1,000, 1 million or 1 billion transactions.
Therefore Bitcoin could scale to handle millions of transactions per second with a sublinear increase in electricity spent. [0]
> CarbonCapture cited “intense competition from data centers” in the region for electricity as partially the reason why it is moving from Wyoming.
Wyoming is a very popular state for cryptocurrency mining due to substantial state support, cheap energy, cool climate, etc. Miners use a lot of clean energy that would have been used for more useful purposes, as shown by the article I linked.
monkeyfun 122 days ago [-]
There may not be a continuous fuel expenditure, but there is a maintenance cost for the grid infrastructure, keeping panels or turbines in good working condition, etc. -- not to mention the manufacturing costs and, since no organizations are currently engaged in microwave power transmission from solar-power satellites in space -- not insignificant associated monetary and opportunity costs to the land used.
Conclusion: yes, it's still a waste, unless that energy was surplus absolutely not going to be used for anything better or able to be stored, although even then the compute resources could have probably been used for more useful problems.
Only in very limited scenarios. Namely when there is excess production and it is used near production of that green energy. And the green energy is not dispatchable. So wind or solar in times of excess production.
Which as a whole is very limited scenario.
TZubiri 122 days ago [-]
Not unless everyone is using green energy.
California uses green energy, but in doing so increases the mining reward, which increases the mining from countries like china and russia, who do not use green energy.
jgalt212 122 days ago [-]
It's all one energy market however. It's a bit a of rough approximation, but green energy wasted on unnecessary purposes is green energy not used for necessary things.
rtkwe 121 days ago [-]
There's nowhere that is oversaturated with renewables 24/7 and these kind of workloads aren't scaling up and down to just use renewable excess so it's a moot question. Except in the very peak of solar generation when there's a grid excess every watt spent on BTC or any other PoW chain is wasted. They're all speculative toys.
danogentili 122 days ago [-]
It's even more of a waste.
tgv 121 days ago [-]
Until green energy can cover all the other power use, this will still have wasted non-renewable energy by precluding others from using it and thus contributed to climate change.
chx 122 days ago [-]
Of course. It's still energy produced which could be used for something that is not a scam; that is not just funding North Korea with extra steps.
LadyCailin 122 days ago [-]
Given that green energy is currently finite, and shortfalls are (generally) made up for by non-green energy, yes.
adastra22 122 days ago [-]
Yes, there are opportunity costs.
dodoisdodo 122 days ago [-]
You still have to pay infrastructure deprecation costs, financing costs and labor costs.
rboyd 122 days ago [-]
probably discussed in the bitcointalk thread, but how do we know it's not just the creator of the puzzle reclaiming his own bitcoin?
daedrdev 121 days ago [-]
It got stolen from the original solver by someone who noticed the transaction and posted a bigger fee
altairprime 122 days ago [-]
By what means might you prove or disprove this theory?
stonegray 121 days ago [-]
Having the the solver post all 2^66 -2 incorrect private keys would prove that they solved it fairly and had no prior knowledge of the key.
You'd just need to download the 6,505,548 TB list of keys and re-derive the public key for each to check that they're valid; unfortunately it would take in the ballpark of a kiloyear of compute time assuming you have 3x RTX 3090s.
What I don't understand, hopefully someone is still reading it here: The hint says this:
>> First output: take random number from 2^0 upto 2^1-1, use it as private key
>> Second output: take random number from 2^1 upto 2^2-1, use it as private key
>> Third output: take random number from 2^2 upto 2^3-1, use it as private key
To me it sounds like that wallet #10 has a range from 2^9 to 2^10 - 1 - so you don't actually need to check previous bits. But somehow it seems like everyone is crawling through the whole range of possible private key. Doesn't make sense, does it? Am I missing something?
Dylan16807 120 days ago [-]
What do you mean by previous bits? Where are you seeing how "everyone is crawling"?
With each puzzle, you know that the top bit is 1, and nothing else. Every bit below that is unknown, and you need to go through the whole range of n-1 bits. Puzzle #10 has 9 bits to guess, because it's between 10_0000_0000 and 11_1111_1111. Puzzle #66 has 65 bits to guess. If someone says 66 unknown bits they've misspoken.
y42 120 days ago [-]
Yeah, that's what I meant. Just to make clear "how" I am thinking of it: it's just iterating through integers from n to k and calculating secp256k1, SHA-256 and RIPEMD. So:
>> Puzzle #10 has 9 bits to guess, because it's between 10_0000_0000 and 11_1111_1111
means that I don't have to start at 0000 0000 0000 ... every time; I can actually start at 2^5 and look up to 2^6 - 1, for example for the 6th address.
Dylan16807 120 days ago [-]
But show me someone that's starting at zero? You said it "seems like everyone" is doing that. Where?
I thought cracking anything to steal bitcoin was impossible due to the keys sizes involved? Is this possible because a portion of the key is already available so there is less to crack?
Which key is known? The public or private? Another comment said the “now known public” but then also said the private key can now be recovered by cracking it? Two keys need to be cracked?
What kind computing power is needed to crack both keys and how long?
Thanks. Sorry, I’m an idiot when it comes to bitcoin.
CamperBob2 121 days ago [-]
As I understand it, they are basically private keys. The idea is to find the wallet address that they go with. Once that is done, the winner can create a transaction that sends the contents of the wallet to their own as a prize.
This would normally be computationally intractable but these keys are much smaller than normal, with most of their leading digits intentionally zeroed out to make it easier to 'steal' the funds from the corresponding wallet. If anyone knows who set this up, or why, they aren't talking.
In the process of creating the transaction to claim the prize, the winner must generate a corresponding public key based on some sort of hash of the private key and wallet address. I don't know how they can tell when they've succeeded; hopefully someone else can clarify/correct this point. But once they do succeed, the transaction is then posted in public to allow miners to add it to the blockchain.
Unfortunately, due to mathematical witchfuckery, knowledge of both the private key and a valid public key makes it possible to solve the puzzle as if the already-shortened private key had half the number of bits. In that case, finding the wallet address might take only a minute or two on a standard GPU rather than the months of time on a whole warehouse full of them that the original winner had to spend.
Knowing this, people who are bad and who should feel bad set up bots to watch for the prize-claiming transactions. The bots are designed to recompute the source wallet address independently and front-run the winner's transaction by resubmitting it for the benefit of the thief, using a higher reward to incentivize miners to prioritize their transaction over their original one. Bitcoin blocks are mined about every 20 minutes, so on average the thief has about 10 minutes to create an overriding transaction once the original transaction is posted. Sucks to be the winner who expended so much effort to claim the prize, as they are now out about $400K. Nothing left but a huge electric bill.
y42 121 days ago [-]
As of this thread, which is AFAIK the starting point, it's about Public Keys and the goal is to find the according Private Key:
Though, I don't understand the actual task. It's a couple of transactions and one has to "guess" (aka bruteforce) the private key to a known public key. There's an increasing level of complexity, which makes it harder the higher you get in this list.
Would appreciate any more details.
wodenokoto 121 days ago [-]
That’s not a trivial prize. Who finances these puzzles?
y42 121 days ago [-]
It's somewhere hidden in those million threads. The puzzle was created 10 years ago when Bitcoin was cheap.
shoshino 121 days ago [-]
> 2023-04-16: somebody (maybe the owner) increased the unsolved puzzles prizes again by x10. Now the puzzle #66 prize is 6.6 BTC, #67 is 6.7 BTC and so on... puzzle #160 prize is 16 BTC.
My assumption is the only way you will be able to stop any bot from a double spend attack is to multisig the puzzle address when it's solved, so any transaction thereafter would need your main wallet's signature, or that of any wallet that you set up to need its signature or signatures if using multiple, before any transactions are made. But you will need to be quick about it, maybe even setting up your own script or bot to do so. I find it wild that the solver didn't think that someone could swoop in and take the reward. I multisig all my addresses for that very reason, and yes, I know a lot about multisig; it's impossible to use a double spend attack with that set up.
ivanjermakov 122 days ago [-]
Who is paying to the puzzle solvers?
PcChip 122 days ago [-]
The btc has been in the wallet since the puzzle was created
horacemorace 122 days ago [-]
Everyone who trades fiat for crypto.
lm28469 121 days ago [-]
The person who created the wallets in 2015 when BTC wasn't worth much
doctorwhat 122 days ago [-]
Three-letter agencies? Could be a nice way to find out if a foreign entity has an enormous brute-force capability? But more likely I'd say they got their bitcoin back when a Core 2 Duo was enough to generate a few of them overnight...
cmcaleer 121 days ago [-]
Prize pool would have to be much more than $400k to justify a state actor flexing that kind of capability, NK makes far more than that exploiting DeFi protocols.
totallyunknown 122 days ago [-]
This is just sick.
whiterknight 122 days ago [-]
Why?
amelius 122 days ago [-]
Can't we come up with puzzles where at least something of value is created when the puzzle is solved (and a tremendous amount of resources is not wasted)?
erulabs 122 days ago [-]
The use of the word “we” is curious. You didn’t come up with the puzzle, you didn’t “waste” the resources. The purpose of the we is to appoint yourself judge and arbiter and to steal yourself into the in-group. Just post your judgement: you don’t like that someone else did something you don’t like with their resources.
amelius 122 days ago [-]
That sounds like an ad-hominem attack to avoid the question, tbh.
erulabs 122 days ago [-]
At the risk of sounding snarky: It wasn’t. It does however, answer the question. “We” do not need to change our allocation strategy whatsoever because “we” didn’t allocate any resources towards this and “we” aren’t the arbiter of what others can or cannot do with their resources.
amelius 122 days ago [-]
"We" as in "us humans".
recursive 121 days ago [-]
You have my permission. This is snark.
commodoreboxer 122 days ago [-]
We can and do, all the time. And all puzzles are a "waste of resources", really.
I'm not into crypto and I do think Bitcoin is stupid and wasteful, but I don't find it "sick" or at all upsetting that this kind of puzzle exists, though I think some smart contract-based Ethereum puzzles could be much more interesting, demanding solutions to more interesting problems that don't directly relate to the blockchain itself. Imagine a smart contract with a pot anybody can pay into that pays out to whoever could crack a particular previously unsolvable problem. Basically a public bounty. The only downside is that it has to be a problem that can be validated algorithmically.
kelnos 121 days ago [-]
This isn't really a puzzle, though. A puzzle requires intellectual curiosity and creativity to solve.
This was just a race to see who could burn the most CPU/GPU cycles the fastest.
Even when a real puzzle has a monetary reward for solving it, a big component of the reward is the solving itself. For this, the reward is just money.
commodoreboxer 119 days ago [-]
I agree with you. I think it's a bit wasteful and dumb, I just don't find it either sick or confusing.
wruza 122 days ago [-]
Puzzles are training and intellectual entertainment, something you cannot have a web server without, cause sad nerds are unproductive.
wruza 122 days ago [-]
Why should “we”? You can hear “we should/must” from all corners here, but then remember it’s a US start-upper’s forum with people who plan morning meetings for email regexps.
Bitcoin may be an inefficiency, but is it the? Most everyday things modern first-world people do are equivalent to burning oil and shredding trees for little to no reason. You just can’t see it as clearly as in PoW crypto.
CaptainOfCoit 122 days ago [-]
> puzzles where at least something of value is created when the puzzle is solved
What puzzles create something of value when they're solved today? A puzzle is typically a thing you do for fun and entertainment, not something you try to solve for the purpose of creating value.
I guess you're thinking more about logic/mathematical puzzles and alike? Would make sense in that case, but that's not the only type of puzzle.
timacles 122 days ago [-]
Pretty sure all puzzles are a tremendous waste of time and create no value.
fluoridation 122 days ago [-]
That wouldn't be a puzzle, then. It would be some kind of engineering challenge. A puzzle starts by knowing the answer and then putting some circuitous path between it and the player, that they have to figure out how to navigate. It's inherently wasteful to construct puzzles.
amelius 122 days ago [-]
Unless the people solving the puzzles learn something valuable on the way.
Anyway, I don't agree that puzzles by definition have known answers, unless you want to nitpick and I just change my "puzzle" into "challenge".
samatman 122 days ago [-]
The sibling comments are all correct that you're special-pleading the criterion that a puzzle create something of value.
But, as it happens, this one does: it offers economic incentive to develop more efficient attacks on elliptic curves. The curve Bitcoin uses isn't widely used outside of it, but that doesn't mean that an efficient attack on Secp256k1 wouldn't apply elsewhere.
Is this modest as positive externalities go? Probably yes. Could someone with a better attack on the curve just empty wallets? Not necessarily, and probably not: the point of the puzzle is that the entropy has been deliberately reduced to make it crackable with brute force, so, say someone worked out a factor of four improvement: that isn't going to get you into the Genesis Wallet, but it substantially lowers the price of claiming some of the puzzles.
Also, being a cryptographer and being a thief are unrelated professions. Some people might be inclined to both, but I would guess that most are not.
notfed 121 days ago [-]
As in "sick, bruh!" Or "disturbing"? (There needs to be a "Poe's law" for the word sick.)
a lot of people created co2 to take part in a btc lottery and the winner was now randomly found.
I hate crypto :|
amjnsx 121 days ago [-]
It’s easy to put those two pieces of information together and arrive at crypto bad.
I think it’s worth noting that bitcoin uses a fraction of the energy required to mine gold for example.
It’s also a driving force in renewables, by stabilising energy grids (mining can use the spare capacity during quiet periods and switch off during peak hours).
So I don’t think it’s as black and white as “bitcoin uses energy = bad”
Meganet 121 days ago [-]
Bitcoin doesn't stabilize the power grid. It's stupid greenwashing. There is no motivation for a Bitcoin miner to leverage 'overenergy'; the only motivation is to get cheap energy as much as possible.
In NYC they bought a gas power plant only for bitcoin. In Texas they had to pay millions to bitcoin miners for them to shut down. In China they stole power from normal people left and right.
It also allows selling local limited energy globally and pushes energy into the trading/gambling area. Instead of giving local people cheap energy, some bitcoin miner will try to get as much of that cheap energy as possible. It also incentivizes using bitcoin miners to use flare gas instead of doing something to actually capture and use it, as it is a limited resource.
Nonetheless PoW is stupid. It's the worst scenario we can come up with in a society with scarce resources and a very limited CO2 budget by now (have you watched the TED talk?). And at the end Bitcoin's PoW system still stands on our existing PoW system. Someone stole your bitcoins? You go to the police... Without our existing PoS system, you would need to keep your bitcoin wallet and address always anonymous, otherwise you would trust our law and order (part of our PoS system), and you could literally only send bitcoins around and nothing else. (Smart contracts are also not a scalable and not a stable solution to this issue.)
Btw. yes, gold needs energy to be mined, but it's a one-time cost YOU HAVE TO DO to use this material. Bitcoin wastes resources all the time to use. And gold has real value in science, manufacturing and in styling/model/art. Nonetheless we need to get the CO2 production of gold down, and Bitcoin we just don't need. The best solution is to get rid of bitcoin and keep reducing CO2 production for gold.
And yes, I do have a lot more arguments on why bitcoin is useless.
Dwedit 122 days ago [-]
Do they have a buyer for that $400k? If not, it's not worth $400K.
FileSorter 122 days ago [-]
One of the most profoundly dumb comments I have read here.
It takes 3 seconds to look up the 24h volume for BTC and it is $9.6 Billion
latchkey 122 days ago [-]
No matter how dumb it is, in general, it is always better to just respond with the answer and not comment on the comment itself.
"Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes."
TrackerFF 122 days ago [-]
Might sound dumb, but there are still places in the world where having $400k worth of BTC != $400k in the bank.
Plenty of banks will freeze your bank account instantly.
And good luck convincing them that you stumbled upon $400k by solving a puzzle - only takes one suspicious fraud/risk manager to conclude that there’s a higher chance of fraud than legitimacy.
(But you are right, no problem to find someone to pay you the market price. That’s a done deal in seconds)
kolinko 122 days ago [-]
Examples of such places? I did KYC/AML with multiple European banks when withdrawing crypto, and while they checked thoroughly, there were never any issues.
TrackerFF 121 days ago [-]
From personal experience, a bunch of Norwegian banks. I’ve had transactions that are equivalent to $5k trigger such events. And you get grilled.
xboxnolifes 121 days ago [-]
You don't need to sell it all at once.
jakobov 122 days ago [-]
Dont be mean
outofpaper 122 days ago [-]
The current market easily eats up 6.6 BTC without much movement. Are you looking at a smaller pool like Canada exclusively? Look at the Euro or USD markets. They are much, much deeper.
Powdering7082 122 days ago [-]
24h Volume: $9,800,480,342
Liquidity of less than a million worth of BTC hasn't been a problem for a long time
thfuran 122 days ago [-]
Bitcoin is more than liquid enough to offload a half dozen without issue.
somebodythere 122 days ago [-]
The market is liquid enough to absorb a sale for $400K.
londons_explore 122 days ago [-]
400k I think is no problem. I heard of someone with 10,000 BTC having some serious trouble finding a buyer though.
cmcaleer 121 days ago [-]
I can't imagine that getting that filled OTC reasonably close to the mark would be serious trouble. Germany managed to sell 50,000 BTC without much trouble a few months ago.
Then again, it may be serious trouble if you have serious issues explaining the source.
sandos 121 days ago [-]
MtGox also sold 60,000 BTC.
adastra22 122 days ago [-]
That’s 5% of the daily trade volume. Shouldn’t be an issue.
londons_explore 122 days ago [-]
Except trade in bitcoin is fee-free and mostly regulation-free, so there is a lot of wash trading.
umanwizard 122 days ago [-]
1. Create Coinbase account
2. Deposit bitcoin
3. Market order sell all
4. Withdraw USD
CaptainOfCoit 122 days ago [-]
Step 2.5 Argue with Coinbase about if you're a legitimate owner or not
Step 2.6 Coinbase blocks your account citing "Suspicious activity"
Step 2.7 Sign up to three other exchanges, split the loot across them
Step 5 Argue with the bank about the source of funds
Step 6 Argue with tax agency that you'll fill out your taxes correctly
kolinko 121 days ago [-]
Kraken would cause no problems for 2.5-2.7
Taxing this is super simple, you just mark as "other" - akin to finding money on the ground.
Arguing with bank - which specific bank would cause problems here?
umanwizard 122 days ago [-]
Even if this is true (and I suspect it's exaggerated), I'd be happy to go through this trivial amount of hassle for $400K.
red_admiral 122 days ago [-]
For something like $10k-20k I bet you could get someone (good lawyer?) to solve those problems for you, leaving you with $399-398k. Worth the deal, I think.
Biganon 121 days ago [-]
The math doesn't check out
CamperBob2 121 days ago [-]
Hence the need for a really good lawyer
sowbug 121 days ago [-]
Still better than depositing $400K of cash in a US bank.
cmcaleer 121 days ago [-]
If you have all of your ducks in a row this is actually much easier than it sounds.
The next Bitcoin puzzle, #67, has 67 unknown bits, and contains 6.7 BTC up for grabs: https://www.blockchain.com/explorer/addresses/btc/1BY8GQbnue...
Note for cryptographers/mathematicians: I know that "reversing" isn't the correct term here, so you could accuse me of the same sin I'm calling out in my previous comment. But it makes the explanation shorter while still conveying the correct meaning in the end.
My new public key search system is almost ready. I had to reinvent my binary database system because, although the database was lightweight https://bitcointalk.org/index.php?topic=5475626, I had efficiency issues with binary search. This is now a thing of the past. I have designed a system that stores 100 million public keys in an 80 KB file, yes, what you read 80KB!(in the future it will be smaller) that meets maximum efficiency. We would only be limited by the current speed of Secp256k1 when generating the 100 million or more public keys while creating the database. I am finishing designing the search script after months of being stuck due to personal issues, I am finally back on track.
I love these kind of mad inventor rabbit hole corners of the Internet. Kind of brings back the 90s for me when everything was exciting.
That’s 0.0064 bits per public key - so either there are lots of duplicates, or something is amiss here?
Edit: they don’t actually store the keys, so the quote is misleading.
Assuming there are no duplicates, which is a sensible assumption, you’d need a minimum of 100,000,000 bits to store 100,000,000 unique entries larger than 1 bit with even a perfect hash function.
The easiest one to think about is storing the deltas between each number. Let's say 80% of your deltas are 5. If you use arithmetic encoding, then storing a 5 only takes about 1/3 of a bit. It's not hard to come up with probability distributions where the average amount of bits per entry is less than 1.
Also, back in the realm of perfect hashes, once you're more than half full it becomes more efficient to store the missing numbers. If your perfect hash has 100,003,000 possible outputs, then your worst case is around 50k unique entries. By the time you encounter 100k unique entries you only need to keep track of the 3000 you haven't seen yet.
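Both tricks in the comment above, shown concretely as an added example (mine, not code from the thread or from the bitcointalk database project): an exact arithmetic coder over rational intervals that stores a run of deltas at well under one bit each when one delta value dominates, and a "store the missing members instead" representation for sets that are more than half full. The delta sample, the probability model and the universe sizes are constructed for the demonstration; the 80 KB figure from the thread is not reproduced or verified here.

```python
import math
from fractions import Fraction

# Constructed sample (not from the thread): a sorted set of integers stored as
# the gaps (deltas) between consecutive members.  27 of 30 gaps are 5 and the
# rest are 1 or 9, the "most deltas are 5" situation the comment describes.
DELTAS = [5] * 27 + [1, 9, 1]
# Static probability model for the delta symbols, assumed known to both
# encoder and decoder (in a real file it would be stored in a small header).
MODEL = {5: Fraction(8, 10), 1: Fraction(1, 10), 9: Fraction(1, 10)}


def cumulative(model):
    """Map each symbol to (probability mass below it, its own probability)."""
    table, acc = {}, Fraction(0)
    for sym in sorted(model):
        table[sym] = (acc, model[sym])
        acc += model[sym]
    assert acc == 1, "probabilities must sum to 1"
    return table


def ac_encode(symbols, model):
    """Exact arithmetic coder over rationals; returns (code, nbits).

    The interval [low, low + width) is narrowed by each symbol's probability;
    the output is the shortest binary fraction code / 2**nbits inside the
    final interval, so a highly probable symbol costs well under one bit."""
    table = cumulative(model)
    low, width = Fraction(0), Fraction(1)
    for s in symbols:
        cum, p = table[s]
        low += width * cum
        width *= p
    # Smallest nbits with 2**-nbits <= width: a half-open interval at least
    # that long always contains a multiple of 2**-nbits (exact, no floats).
    nbits = 0
    while Fraction(1, 2 ** nbits) > width:
        nbits += 1
    code = math.ceil(low * 2 ** nbits)
    assert Fraction(code, 2 ** nbits) < low + width
    return code, nbits


def ac_decode(code, nbits, count, model):
    """Inverse of ac_encode: replay the interval narrowing, picking at each
    step the symbol whose sub-interval contains the coded value."""
    table = cumulative(model)
    value = Fraction(code, 2 ** nbits)
    low, width = Fraction(0), Fraction(1)
    out = []
    for _ in range(count):
        target = (value - low) / width          # always in [0, 1)
        for sym, (cum, p) in table.items():
            if cum <= target < cum + p:
                out.append(sym)
                low += width * cum
                width *= p
                break
    return out


def bits_per_entry(symbols, model):
    """Average cost of one set member under the model, as an exact fraction."""
    _, nbits = ac_encode(symbols, model)
    return Fraction(nbits, len(symbols))


def compact_members(universe_size, present):
    """Second trick from the comment: once a set is more than half full, list
    the missing values instead of the present ones.  Returns (kind, values)."""
    present = set(present)
    if 2 * len(present) <= universe_size:
        return "present", sorted(present)
    return "missing", sorted(set(range(universe_size)) - present)


def expand_members(universe_size, kind, values):
    """Inverse of compact_members."""
    if kind == "present":
        return sorted(values)
    return sorted(set(range(universe_size)) - set(values))


if __name__ == "__main__":
    code, nbits = ac_encode(DELTAS, MODEL)
    print(f"{len(DELTAS)} deltas -> {nbits} bits "
          f"({bits_per_entry(DELTAS, MODEL)} bits per entry)")
    print("round trip ok:", ac_decode(code, nbits, len(DELTAS), MODEL) == DELTAS)
    print(compact_members(10, [0, 1, 2, 4, 5, 6, 8, 9]))
```

With this model the 30 deltas cost 19 bits in total, about 0.63 bits per member, while a naive 32-bit integer per member would cost 960 bits. The coder uses Python's exact rationals so it is easy to read and verify; a production coder works with fixed-width integer ranges and renormalisation instead, but the bits-per-symbol accounting is the same. Note that the claim only holds while the deltas really are that skewed: a uniformly distributed delta costs its full width, so the "80 KB for 100 million keys" figure from the thread depends entirely on the structure of the stored set, which the thread does not describe.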
Also they already did follow the link. That's why they said "they don’t actually store the keys, so the quote is misleading", which you responded to with a laugh and nothing else. And that happened many hours before you made this new comment.
I'm not sure that guy really understood what was going on. If he'd followed the links he would've found the code. Or at least a technical description. So why need to play dumb and ask here, while trying to control the discussion?
I don't like that kind of thing. If you're okay with it, alright. But that's not me.
"Here's $400,000 sitting on the table, hope nobody takes it" which triggers an alarm telling us to replace all our old prequantum cryptography.
The $400,000 is an inducement for any participant in that engineering effort to break the conspiracy and take the bag. It's effective during the period between the time that a quantum Shor's solver has been achieved for a given algorithm in theory for 256 bits (and in practice for 66 bits), and the time that a practical solution at 256 bits has been implemented.
I don't know how plausible that timeline is either in spacing or accuracy.
Sometime in early 2029, a bunch of people suddenly find that they're eligible for a $400,000 cash prize if they manage to secretly steal a bit of time on a working quantum computer. In 2030, that group of people doubles, and incorporates a new agency with its own security weaknesses. By 2031 we're talking about four separate countries with their own engineers that have managed to achieve the capability to claim that cash prize. Private corporations are somewhere on the horizon. Very soon this becomes an urgent imperative to anyone inclined, because the prize, like cash, disappears the moment that somebody else seizes it.
It's hard to keep conspiracies, particularly with a verifiable open offer of large amounts of highly portable money on the table to the first person to reveal secrets, and a gradually widening circle of access. The gradually expanding circle of access is what ensures we get some kind of alarm LONG before 2038. Keeping that secret to even 2033 requires hundreds of people and four agencies with diverse motivation and values to consistently turn down cash money for years on end in the interest of keeping their quantum capabilities hidden from the world.
I just think maybe public key crypto is not broken so far because there is no motivation for enough people to work on that. What would one get, without endangering himself, if he breaks integer factorization?
Or getting hacked. This is super common among people who are known to have high value wallets. Between physical attacks and zero days in everyday software, there's no chance to stay safe when you put that kind of target on your back.
Vitalik Buterin seems to be a counterexample here; his net worth peaked around $1.46 billion. He has some interesting writing on how he stays secure. At one point the SHIBA token sent a huge amount of funds to his cold wallet and he details what he did to securely access those funds:
https://decrypt.co/91000/ethereum-founder-vitalik-buterin-du...
> The funds, he said, were initially in a cold wallet in the form of two numbers written on separate pieces of paper. Buterin said he had to combine the two numbers to get the private key. "One of those numbers was with me; the other number was with my family in Canada," he said. "So I had to call up my family in Canada and tell them to read their number to me."
> Buterin said that he entered the numbers into the computer he purchased from Target after putting the two numbers together. "I sent my ETH out by generating a transaction and then on a computer that I bought from Tarjay [Target] for about $300 bucks for just this purpose."
> Before disconnecting the laptop from the internet entirely, Buterin said he downloaded a program to generate QR codes. After generating the Ethereum transaction, he scanned the QR code with his phone, copied it to the laptop, and then put it into etherscan.io/push Tx. Finally, Buterin said he began sending out the tokens.
Maybe not the best example of cryptographic security.
Vitalik (and all DAO ETH hodlers) luckboxed in that the ETHs locked in the DAO, although "stolen", couldn't be withdrawn by the attacker before a few weeks.
There has been zero pause and zero rollback. Most people don't understand that: by chance the stolen funds were inaccessible to the attacker for a few weeks.
What Vitalik did is he forked (soft fork) the ETH blockchain to modify the rules. That soft fork happened before the cooldown period expired, so the attacker never got to access his funds.
Some members of the community said "adding new rules is against the spirit of decentralization, so we keep using the old chain". The old chain was named "Ethereum classic" while the forked chain kept the name "Ethereum".
But there's been no rollback.
The proof of this is that some people didn't agree with undoing that transaction. They stayed on the old chain, which is now worthless.
This is such a boring and widely known story now, but it has to come up literally any time someone wants to play crypto tribalisim.
The reason why people got confused with your comment is because ex. you purport it was fine, it can never happen again, and everyone who didn't agree went to 0.
Lot of tensions between those things.
We also understand how one person could have those views and even steelman it into something intellectually consistent. But then the post seems really off because it's sort of a rushed, poor, justification for why you believe something, coupled to bemoaning some sort of unrelated group none of us are privy to.
The DAO hack happened, immutably; no one disputes it. The hashes and blocks and transactions are well-known. So there was a "schism", which explicitly validates the fact that without this large-scale cooperation, without the redefinition of what Ethereum is, it would still be what is on that other branch. These both provide evidence for the immutability and decentralization.
The fact that there are far fewer users of Ethereum Classic (and the market cap is significantly lower) is a testament to how much people care about the community which chose to follow a different history of the Ethereum network.
But in one chain the whole community decided to disown the attacker by injecting hard coded transactions that would send the Ethers back to their original owners.
How exactly was Vitalik "indirectly pwned"?
Then he didn't have to worry about the Shiba related transactions affecting his ETH?
The basic problem was that they transferred into his "cold wallet" https://www.nerdwallet.com/article/investing/hot-wallet-vs-c...
He didn't want to have the signal be that he was happy holding SHIBA and was uncomfortable with that much power & control over SHIBA. So he wanted to be able to transfer his SHIBA out to a hot wallet and then burn most of it and donate the rest, given the amount of money involved he took extra steps like buying a new computer to generate the new keys, airgapping it from the internet while it held the cold wallet keys etc
This problem is harder if you want to pass on your crypto after you can't use them anymore.
If you want to enable recovery, you should give ownership of things to smart contracts, which enable things like succession rules and a heartbeat check-in etc.
Public/private keys are not designed to solve that kind of governance problem.
I think pretty much all stores still accept cash, but most people here just never withdraw any. It's pretty much just old people and people buying illegal stuff.
So this is why cash IS a good thing. Sex workers want to do their thing and Johns want to not be instantly called out for using sex workers. The people who long ago realized magic mushrooms work to cure depression want to be able to get it without being jailed. Now, here in Canada, sex work is protected and magic mushrooms will not get you thrown in jail.
So even though you may deem things illegal, I ask you to think of a greater good that cash allows, as everything being digital reveals a lot of information that not all people are comfortable with their government knowing. Be it homosexuals, depressed people trying illicit treatments, or extremely lonely discarded individuals reaching out to sex workers versus suicide.
Lastly according to a quick google search and a few spots I looked at, most only showing 2022 as latest information, most point of sale transactions in Europe are made with cash not card [1]. [1] https://www.statista.com/statistics/786680/share-of-cash-tra...
And in northern Europe, pretty much nobody uses cash. In the rest of Europe, at least the places I've been, pretty much every store accepts card and often other digital payment methods.
I don't doubt your statistics, just stating my experience. I just think it's strange that people prefer cash for legitimate purchases. I definitely want cash to stay around, but these days we can use crypto for illegal stuff anyway, so it's not really a big deal.
If someone had a quantum-supreme solution they would go after the satoshi wallets. Some addresses have like $1B+ and combined represent ~$200B.
Granted, moving a satoshi-era wallet to a Coinbase wallet would raise red flags, but those sized deals are done OTC.
I would not be shocked if trying to sell $200B in bitcoin gets you far less than half.
The reason that we use elliptic curves these days, or if we must then something like 8k bit keys to get 128 bits of security over finite fields, is that for the old Z^*_q/Z_p setup, such a faster algorithm exists (index calculus).
Someone could in theory find a better calculus that works only for groups with some specific characteristics of Curve25519, for example. No quantum computers needed.
EDIT: we know that no _generic_ faster algorithm exists, that is one independent of the representation of the group involved, for the traditional computing model. But that doesn't exclude algorithms, as I said above, that work for very particular cases.
You can get a brief introduction at https://soatok.blog/2020/04/26/a-furrys-guide-to-digital-sig... (your own choice if you want that open in a tab at work or not, but there's nothing NSFW in the usual sense in there), and then read the details of each scheme in the RFCs. Some of the RFCs even talk about security implications.
"djb" as he is known in the crypto world has a good paper at https://eprint.iacr.org/2024/1265 , it's 68 pages so "almost a book". He also has a lot of resources on his page https://cr.yp.to . Be aware that he is sometimes ... controversial (not racist or anything, just has strong opinions on FIPS and the NSA and has actually taken the US government to court in the past over this). He's the author of Curve25519.
You don't even need to travel far. A second or so is enough to break all cryptography, even the post-quantum one.
(disclaimer, I don't know statistics, cryptography, bitcoin or chances)
I'm also unclear on where you got the 'multiple of 5' bit from. It seems the keys corresponding to numbers divisible by 5 were used in a spend transaction by the puzzle creator. Using those addresses in spend transactions reveals the public key and saves compute that would be wasted hashing. It also enables direct attacks using Pollard's rho (which someone already posted a link for above).
Src: https://bitcointalk.org/index.php?topic=1306983.msg51466379#... https://en.wikipedia.org/wiki/Pollard%27s_rho_algorithm_for_...
Another interesting discussion on bitcointalk about using Pollard's kangaroo: https://bitcointalk.org/index.php?topic=5244940.0
Obviously if you found a shortcut in the hash you might do other things first, but I think that's the idea.
also, if you were the type that thinks bitcoin is lame, this could be a way of undermining the concept to the point that people no longer use it because it's not secure as it was touted
I'd claim the prize, sell for USD, then watch BTC crash
But I think you are one of those people that threw out that baby with the bath water long ago.
In fact solar panel sales are dropping very fast.
[0] https://www.anwb.nl/energie (Dutch)
Custom silicon and all kinds of related optimizations were likely used to successfully brute-force this number.
This is one of the reasons it is advised never to reuse an address. After using it once, your private key may still be private but your public key is exposed, reducing security.
You don't need the public key, and IIRC most algorithms allow you to derive the public key from the private key, though I'm not sure that's the case with Bitcoin. I have vague memories that there are algorithms where this is not that case, but it's been a while.
1. SHA-256: Used twice (double SHA-256) for block hashing and once in address generation.
2. RIPEMD-160: Used once in address generation (after SHA-256).
3. ECDSA: Used once for transaction signing and verification.
4. Base58Check: Used once for address encoding (includes a checksum generated using SHA-256).
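Item 4 in the list above is the one step a reader can run end to end without a curve library. The following is an added example (not code from this thread or from Bitcoin Core) of Base58Check: version byte plus payload, a 4-byte checksum taken from double SHA-256, then base-58 digits with one leading '1' per leading zero byte. The payload bytes are constructed sample data, not a real RIPEMD-160 key hash; the point is that the checksum lets a wallet reject a mistyped address before any coins move.

```python
import hashlib

# Added example: Base58Check encoding with its SHA-256-based checksum.
# Payload for a P2PKH address would be version(0x00) || hash160(pubkey);
# here the payload is constructed sample bytes, not a real key hash.
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    # Every leading 0x00 byte is preserved as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (b"1" * pad + bytes(reversed(digits))).decode("ascii")


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode("ascii"):
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 character: %r" % chr(ch))
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    return b58encode(data + double_sha256(data)[:4])


def base58check_decode(address: str) -> tuple[int, bytes]:
    """Return (version, payload); raise ValueError if the checksum fails."""
    raw = b58decode(address)
    if len(raw) < 5:
        raise ValueError("too short to carry a checksum")
    data, checksum = raw[:-4], raw[-4:]
    if double_sha256(data)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return data[0], data[1:]


def is_valid_address(address: str) -> bool:
    try:
        base58check_decode(address)
        return True
    except ValueError:
        return False


# Constructed 20-byte sample payload (not a real hash160).
SAMPLE_HASH160 = hashlib.sha256(b"constructed sample").digest()[:20]

if __name__ == "__main__":
    addr = base58check_encode(0, SAMPLE_HASH160)
    print(addr, is_valid_address(addr))
    # A single mistyped character is caught by the checksum.
    corrupted = addr[:-1] + ("2" if addr[-1] != "2" else "3")
    print(corrupted, is_valid_address(corrupted))
```

The checksum is only an integrity check against typos; it gives no secrecy and does not slow an attacker, which is why the security of an address rests entirely on the hash and on ECDSA, not on this layer.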
[1] https://www.ledger.com/academy/crypto/what-are-hierarchical-...
The basic idea is you pick one private key that's a sequence of 256 bits or so, call this k. When you need a keypair, you compute H(k, tag) to get another bitstring, then turn that into an ECDSA private key (minding the bear traps here) and that then has a single public key.
For example in U2F, the key derivation is H(k, domain, ...) where k is the secret baked into the USB token, domain is the domain you're logging in to (this is the part that protects against phishing, among other things) and further protocol-specific information.
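The H(k, tag) scheme above, as an added example (this is illustration code, not the U2F specification or any token's firmware): HMAC-SHA512 as H, a length-prefixed tag so that domain and protocol data cannot be confused, and the "bear trap" handled by rejection sampling into [1, N-1] rather than a bare reduction mod N. N is the public group order of secp256k1; the master secret is a constructed value.

```python
import hashlib
import hmac

# Order of the secp256k1 group (public curve parameter). A private scalar
# must be an integer in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def derive_scalar(master_secret: bytes, tag: bytes) -> int:
    """Derive a private scalar from (k, tag) with H = HMAC-SHA512.

    The hash output is a bit string, not a scalar. Reducing it mod N would
    introduce a (tiny) bias and could in principle produce 0, which is not a
    valid key. Instead take 256 bits and retry with a counter until the value
    lands in [1, N-1] (rejection sampling); with N close to 2^256 the first
    draw almost always succeeds.
    """
    counter = 0
    while True:
        mac = hmac.new(master_secret, tag + counter.to_bytes(4, "big"),
                       hashlib.sha512).digest()
        candidate = int.from_bytes(mac[:32], "big")
        if 1 <= candidate < N:
            return candidate
        counter += 1


def derive_u2f_style(master_secret: bytes, rp_id: str, app_info: bytes) -> int:
    """H(k, domain, ...) as in the U2F example above.

    Each field is length-prefixed so that ("a.com", b"b") and ("a.comb", b"")
    yield different tags; a different domain always yields a different key,
    which is the property that defeats phishing sites.
    """
    tag = (len(rp_id).to_bytes(2, "big") + rp_id.encode("ascii")
           + len(app_info).to_bytes(2, "big") + app_info)
    return derive_scalar(master_secret, tag)


# Constructed master secret for the demo; a real token keeps k in hardware.
MASTER = hashlib.sha256(b"constructed master secret").digest()

if __name__ == "__main__":
    for domain in ("example.com", "examp1e.com"):
        print(domain, hex(derive_u2f_style(MASTER, domain, b"app")))
```

Because the derivation is deterministic, the token needs no per-site storage; because it is one-way, a key leaked for one domain reveals nothing about k or about any other domain's key.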
The main discussion thread on the bitcoin forum is this but it has a low signal-to-noise ratio: https://bitcointalk.org/index.php?topic=1306983.0
There is a secondary thread here: https://bitcointalk.org/index.php?topic=5218972.0
The point of the puzzle is indeed to brute force some private keys (not public keys), but not all, as 2^256 is computationally impossible. The private keys that have been discovered so far have obviously many zeros in them, so in practice you are never going to accidentally steal from a legitimate address with actually 256 bits of entropy.
The creator of the puzzle is anonymous and never came forward (to my knowledge). The point of the puzzle is (1) to be a fun game, and (2) to be a publicly observable way of measuring current brute forcing capabilities.
As shown by the graph [0], adoption slowed down after 2016 when BTC blocks got consistently full and transaction fees rose to $50 and more. I believe if BTC had scaled to support more transactions the price would be much higher today, as Bitcoin would likely be used as a means of payment across the Internet and in many physical stores as well.
Discussions regarding the decentralization of larger blocks aside, something that is not clear to many people is that scaling a blockchain to handle more transactions doesn't mean a linear increase in energy use. In the case of BTC its Proof-of-Work algorithm operates over the root of the last block's Merkle tree, which is a hash of all the transactions in the block. Being a fixed-size hash it doesn't matter if the block contains 1,000, 1 million or 1 billion transactions. Arguably a more popular Bitcoin would be more valuable and therefore would attract more miners, increasing its energy consumption, but that just reinforces my original point.
[0] https://x.com/ampajaro/status/1782850107529973990
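The claim above that proof-of-work cost does not grow with the number of transactions can be checked directly. As an added example (not the commenter's code, and a simplification of Bitcoin Core), this builds the Merkle root the way Bitcoin does, with the odd-count duplication rule, and packs the 80-byte header that miners actually hash; the transaction ids are constructed sample hashes.

```python
import hashlib
import struct


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list[bytes]) -> bytes:
    """Bitcoin-style Merkle root: pair adjacent hashes, double-SHA-256 each
    pair, and duplicate the last hash when a level has an odd count."""
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]


def block_header(version: int, prev_hash: bytes, root: bytes,
                 timestamp: int, bits: int, nonce: int) -> bytes:
    """The 80-byte header that proof-of-work hashes; the transaction list
    itself is not part of it, only the 32-byte Merkle root is."""
    return (struct.pack("<I", version) + prev_hash + root
            + struct.pack("<III", timestamp, bits, nonce))


def bytes_hashed_per_nonce(n_tx: int) -> int:
    """Size of the proof-of-work hash input for a block carrying n_tx txs."""
    txids = [hashlib.sha256(b"constructed tx %d" % i).digest()
             for i in range(n_tx)]
    root = merkle_root(txids)
    return len(block_header(1, bytes(32), root, 0, 0x1D00FFFF, 0))


if __name__ == "__main__":
    for n in (1, 10, 1000):
        print(n, "transactions ->", bytes_hashed_per_nonce(n), "bytes hashed per nonce")
```

Building the Merkle tree is linear in the transaction count, but it is done once per block template, whereas the header is hashed once per nonce attempt; so the energy-dominant part of mining sees a fixed 80-byte input regardless of how many transactions the block carries.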
What I strongly disagree with is that a Bitcoin with bigger blocks and hence larger transaction capacity is inherently less valuable. That is an unfair comparison because Bitcoin Cash, when the split happened in Aug 2017, could have been recognized as Bitcoin by the ecosystem, but it wasn't, and Bitcoin Core retained the BTC ticker. Because of that Bitcoin Cash had to start adoption from the beginning, losing Bitcoin's established network effects.
My original argument was that if Bitcoin had increased its blocksize before 2016 as Satoshi Nakamoto originally intended [1], then the Bitcoin Cash split wouldn't have happened, Bitcoin adoption would have continued growing (remember that back in the day big players like Microsoft, Dell, Steam and Newegg started accepting Bitcoin payments) and miners would progressively see more of their rewards coming from transaction fees and less from the block rewards.
This last point is one of the big problems with BTC right now: the network security will decrease in the face of dwindling block rewards unless transaction fees rise. I argue that Bitcoin was always supposed to scale in number of transactions, so the aggregate of transaction fees, even if individually inexpensive (roughly 1 cent), would become larger than the block reward. In other words: the block reward was just an economic incentive to kick-start the Bitcoin network, to attract miners that would secure it, but the transaction volume was meant to keep increasing to replace it.
[0] https://bitcoincash.org/
[1] https://bitcointalk.org/index.php?topic=1347.msg15366#msg153...
In my opinion there are two main issues that prevent cryptocurrencies from being actually used as currency:
1. How many transactions per second can be handled
2. Their extremely high volatility compared to fiat currency
While blockchains can scale to fix point 1, point 2 is driven by forces outside the technology.
Regarding volatility I agree that it's currently an issue, but not an insurmountable problem in my opinion:
1. Payment gateways can offer automatic asset conversion to minimize volatility risk for payment takers. This means I could pay in whichever cryptocurrency the payment gateway would take and the receiver would get whatever currency they have set up in their account. They might want to keep some currencies and convert others, so the payment gateway could offer an option to decide that, and in which amounts (e.g. "keep 10% of each BTC payment, convert the rest to USD").
2. Price volatility should reduce as a cryptocurrency is more widely used. In the alternate universe where BTC scaled to be larger than all credit card networks combined its price could be more stable than many fiat currencies.
[0] https://blog.vermorel.com/journal/2017/12/17/terabyte-blocks...
One of the really interesting things about the blockchain is that you can write a smart contract script that will permeate forever.
Using a hashed transaction instead of a signed transaction is a weird mistake to make, but not an uncommon one for people who are just learning to write blockchain code. I know we are talking about BTC here and opcode is rather limited, but this type of thing pervades on ETH.
Imagine writing a PWN script as a 14 year old and waking up when you are in your late 20's to millions of dollars in crypto.
Edit: typo
Fascinating that the original cracker wouldn't know these details about Bitcoin transactions.
[0] https://news.ycombinator.com/user?id=mrb
I'll try to give a brief here about how Bitcoin script works but you'd better read up on the Bitcoin wiki.
Essentially, to make a transaction valid, your script needs to pass.
1. <PubKey> + <Signature> -> This is how most transactions are handled. You provide the transaction with a signature. This doesn't expose your private key and locks the receiver (as the receiver is signed).
2. <Hash> + <Hashed Content> -> To solve for Hash, you need to provide the Hash Content essentially solving the puzzle. Problem is, if you provide the Hashed Content publicly in the Script, anyone can also submit a competing transaction and set himself as the receiver.
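The difference between the two script shapes above is exactly what a front-running bot exploits, and it is easy to see in code. The following is an added example, not Bitcoin's script engine and not the commenter's code: a minimal stack machine with OP_SHA256, OP_EQUAL and OP_CHECKSIG, where OP_CHECKSIG verifies a toy Schnorr signature over a tiny group (Z_p^* with p = 2^31 - 1, generator 7; far too small for real use, chosen only so the example runs without a curve library). The private key, recipients and preimage are constructed values.

```python
import hashlib
import secrets

# Toy cyclic group for OP_CHECKSIG: Z_p^* with p = 2^31 - 1 (prime) and
# primitive root g = 7, so exponents live mod p - 1. Demo-sized only.
P = 2**31 - 1
G = 7
ORDER = P - 1


def _challenge(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(4, "big") + msg).digest(), "big") % ORDER


def sign(x: int, msg: bytes) -> tuple[int, int]:
    """Toy Schnorr signature: commits to msg, the transaction digest."""
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    s = (k + _challenge(r, msg) * x) % ORDER
    return r, s


def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    r, s = sig
    return pow(G, s, P) == (r * pow(y, _challenge(r, msg), P)) % P


def run_script(unlock: list, lock: list, tx_digest: bytes) -> bool:
    """Push the unlocking items, then run the locking script; valid if the
    stack ends holding exactly one True."""
    stack = []
    for item in unlock + lock:
        if item == "OP_SHA256":
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif item == "OP_EQUAL":
            stack.append(stack.pop() == stack.pop())
        elif item == "OP_CHECKSIG":
            pubkey = stack.pop()
            signature = stack.pop()
            stack.append(verify(pubkey, tx_digest, signature))
        else:
            stack.append(item)  # data push
    return len(stack) == 1 and stack[0] is True


def tx_digest(recipient: bytes) -> bytes:
    # Stand-in for the transaction hash a real signature commits to.
    return hashlib.sha256(b"constructed tx paying " + recipient).digest()


def demo() -> tuple[bool, bool, bool, bool]:
    x = 1000003                      # constructed demo private key
    y = pow(G, x, P)
    honest, redirected = tx_digest(b"winner"), tx_digest(b"front-runner")

    # 1. <PubKey> + <Signature>: the signature covers the recipient, so the
    #    same unlocking data is worthless in a transaction paying someone else.
    sig = sign(x, honest)
    sig_lock = [y, "OP_CHECKSIG"]
    sig_ok = run_script([sig], sig_lock, honest)
    sig_redirected = run_script([sig], sig_lock, redirected)

    # 2. <Hash> + <Hashed Content>: the preimage says nothing about who is
    #    paid, so once it is public anyone can attach it to their own tx.
    preimage = b"puzzle solution (constructed)"
    hash_lock = ["OP_SHA256", hashlib.sha256(preimage).digest(), "OP_EQUAL"]
    hash_ok = run_script([preimage], hash_lock, honest)
    hash_redirected = run_script([preimage], hash_lock, redirected)
    return sig_ok, sig_redirected, hash_ok, hash_redirected


if __name__ == "__main__":
    print(demo())  # signature: valid / invalid when redirected; hash lock: valid / valid
```

The lesson for anyone designing a bounty or puzzle output: a hash-lock proves knowledge of a secret but binds it to nothing, so publishing the unlocking data is equivalent to publishing the funds. A signature-locked output only needs the private key to stay secret until the block confirms, which is the gap this thread's puzzle still leaves open.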
I think you might be confusing it with greenhouse gas emissions.
bitcoin mining is an extremely competitive business of finding the cheapest sources of energy and mining hardware; because the cheapest energy sources are all renewable, mining bitcoin with fossil-fuel-produced power is unprofitable. so the electricity we're using to mine bitcoin is mostly solar, wind, and hydroelectric
as for the cracking, i don't think we know anything about where it was done or how much energy was needed, but if the energy cost was significant, i'd expect the solver to have done it somewhere where energy was cheap
One major exception to this is geothermal electricity in places like iceland where there's abundant green electricity, but you can't transport it to any neighbors.
So just using renewable sources for electricity doesn't actually make mining renewable until we're in a society that's 100% renewable.
consequently, there are lots of places where there's abundant green electricity that can't be economically transported to any neighbors, which is why green electricity is cheaper than coal, nuclear, and gas energy. if it could be economically transported, it would be; instead, it is sold locally at much lower prices. only rarely is this seen by residential end-users, but in much of the world the 15-minute prices paid on the wholesale market by electric utilities are public information, so you can easily verify this
as a result of that, just using renewable sources for electricity does actually make mining renewable
as for the grauniad article, there are a lot of people doing unprofitable business things in lots of businesses, but they tend to be self-limiting, because those people run out of money before long
https://en.wikipedia.org/wiki/Xingu-Estreito_HVDC_transmissi...
https://en.wikipedia.org/wiki/Xingu-Rio_HVDC_transmission_li...
> https://bitcointalk.org/index.php?topic=1306983.msg64535839#...
I'm not super familiar with the concept (and I'm too lazy to look into it TBH), but I think the would-be winner posted the private key before enough (any?) blocks were mined, and the thief posted a transaction with a bigger fee, and the thief's transaction was in the block that got mined.
This is a well-known attack. The discoverer was sophisticated enough to brute force, but not enough to know about this risk :)
I believe the correlation is the other way around... at least once you get past some early local maxima near "people who don't understand how money can be in a computer."
P.S.: To digress (rant) a bit: The linchpin is whether your system needs to allow anybody to create and control any number of new participant-nodes at any time. That fundamental requirement is actually very rare, and it's also the root causing a cascading tree of workarounds, compromises, inefficiencies, and risks.
The only reason we're still talking about BTC is bag-holders. It's vastly technologically inferior on every metric.
Talking about BTC's failures as if they exemplify cryptocurrency is just like attacking solar panels on the basis of whale oil's flaws.
The next release of Nano (the original and best imo*) manages spam to the point where fee-less sub-second transactions can be maintained even while under a directed spam attack.
If you want to learn more there's plenty of documentation:
Overview: https://docs.nano.org/what-is-nano/overview/
More technical docs: https://docs.nano.org/#
* - I love how it was distributed, and the team are extremely focused on making it work at a "commercial grade" as opposed to working up hype.
The point stands - BTC's limitations mean nothing to the potential of digital currency as a whole. Cryptocurrency has been proven not to need fees or mining, and yet people love to attack it on that basis. Anything to feel superior I guess.
Even taking your example coin, they’re making it production-grade, for what? How many people seriously use it? What is the real plan to adoption? Or is it just another fun tech project.
Why am I doing basic research for you?
These aren't "pie in the sky" "claims", they are statements of fact that can be verified by trying it out yourself. I already linked the docs if you want to know how it works, what the upcoming milestones are, what work has already been done, etc.
One example of a great use case is Nano-gpt(.com), where you can try the latest AI models straight away and pay by the question. The bottleneck here is your imagination.
Regarding nano-gpt, that’s already a solved problem. Literally all API platforms support pay-as-you-go credits. I went to your link, and I loved the irony of them asking for a 0.10$ minimum deposit - note the complete lack of crypto rates. That is par for the course for crypto apps, nobody cares what the coin conversion is - it’s just a gimmick.
TBF, that particular data-point tends to have a "damned if you do, damned if you don't" extrapolation, ex:
1. "If sellers only care about what regular currency it can be turned into, that means it has failed as a currency because it's just an intermediate payment scheme."
2. "If sellers don't care about what regular currency it can become, that probably means it has failed as a currency because it's really just a speculative-bubble asset."
The Raiblocks and BitGrail hack sealed its death.
And this isn't about personal beliefs, market cap, market share, etc. The conversational point was that it's technically vastly superior to BTC, which it undeniably is. On market cap, adoption and hype, BTC wins hands down, for now, but there's no reason at all for that to always be the case.
People here love dunking on cryptocurrency for the slow times and the mining and the hacks (like this post) - yet none of that is a necessary characteristic of cryptocurrency.
Btw, Nano is very much alive. V27 is coming out soon making major improvements, regardless of like, your opinion man.
The FranciscoTheBomber admin of BitGrail should have served prison time over the entire thing. He got off basically with zero consequences.
Nano will never be in the top 100 of crypto projects ever again. That's just a fact.
Do I need to paste the definitions of fact, vs prediction, prophecy, belief and opinion in here?
I remember hearing similar pronouncements presented as 'ironclad fact' after Mt. Gox, and after the DAO hack, and even during the Bitcoin Cash debate. The field is more full to the brim of people presenting opinions as fact than I would ever have believed. Even if you were someone I'd heard of and respected, a known expert; if you claimed your opinion in this space as fact I would yawn and put my respect for you down a notch.
And, the discussion wasn't about market cap, top 100, or anything like that - just verifiable technical characteristics.
The scam talked about in this thread wouldn't work in Nano, because Nano doesn't require mining or fees. Many other coins have the same characteristics, Nano was an example. I would bet that any other example would have been just as triggering to people.
Note that this issue doesn't exist with puzzle numbers that are multiples of 5, because these addresses have their public key already known. So everyone is on a level playing field. The multiples of 5 have been solved up to #125: https://privatekeys.pw/puzzles/bitcoin-puzzle-tx
That one is even easier to steal because it doesn't even require a digital signature and there are tons of bots out there inspecting live transactions and if they don't require a signature they just create a new transaction with an increased fee and their own address as recipient.
Edit: nevermind, I got confused with P2SH: https://learnmeabitcoin.com/technical/script/p2sh/ pretty sure you can't unlock outputs with a hashed script unless the creator of those outputs did it ahead of time.
I'd be curious to know if it is possible at all to "securely" send the funds of these puzzles or if there is some hard limit that requires the pubkey to be published with the transaction.
So anybody that has sent a transaction can have their private key cracked just from their public address? How is this considered secure? That's absurd...
So this would not be possible with a normal Bitcoin transaction with regular entropy.
Even if it's 70 years from now before we have the compute to do that, the wallets will be worth so much by then that whoever does that will end up with a level of money that is high enough to menace and threaten entire countries if they are malicious.
Why doesn't Bitcoin require keys to get longer over time? Require 256 bit now but require 65536 bit in 20 years to make any transaction?
To answer your question, that change in Bitcoin can happen at any point in time with a protocol update. It probably wouldn't even require a hard fork; a soft fork would suffice.
Huh? Ask someone in 1950 if we would ever achieve petaflops on a desktop-sized PC. Yet here we are with H100s. About 10 decimal orders of magnitude faster than the state of the art in 1950.
Quantum computing will also happen, and I think 70 years is more than a realistic time frame.
mrb describes it better: https://news.ycombinator.com/item?id=41547443
It's essentially MitM all the way down.
even the private mempool can attempt a double-spend with a larger fee, get one transaction ahead, then try to maintain an edge long enough to be the "longest branch" for consensus - the 51% attack only needs 33% in reality, much less when you're the private mempool that can take advantage of the birthday paradox to jump two blocks ahead.
you have to literally mine your own coin with the reward transaction included.
of course, zpk+ would solve this issue entirely.
Alice and Bob wouldn't ever doubt each other again.
The attack itself can't be mitigated because there's the incentive to try to force the blockchain with your own theft block because your fee is much higher for what appears to be the same transaction. But this attack, like you said, is only feasible for this niche domain of low entropy private keys.
No other transactions are subject to this weakness, and it's this puzzle which proves that.
Look up MEV
What specifically are you calling "so easy"?
If we're talking about "2^(n/2)", I don't see the problem. Why shouldn't it be that?
https://en.wikipedia.org/wiki/Pollard%27s_rho_algorithm_for_...
Here is a trivial one:
In advance, make a table of all the pubkeys xG for secret key s = (0,2^33].
When you get a target key T, compute T - (2^33)xG for x = (0,2^33] and look up the result in the table.
When you get a hit, you've found the private key for T: it's (2^33)x + s.
Of course, this is a trivialized example, many optimizations are possible and you can specialize any generic DL solver to work in a known range.
Work through it, I think it'll be more informative than me simply repeating myself further. If you're still confused, ask specific questions and I'll be glad to answer.
Given only a random public key, is it possible to quickly recognize when its corresponding private key has weak entropy?
No, but it is possible to quickly recognise that it matches a published puzzle address, which is derived from the public key. And the amount held by that address is public knowledge (it's on the blockchain).
If someone knows that a given address has a huge sum of money, they can create a bot to monitor that particular address, overriding any transactions to his own address?
Would that be possible???
The purpose of the puzzle is to find the private key given only 75% of it.
Let’s imagine that takes 1 year to brute force the last 25%. But if you have the public key as well, it only takes 1 minute.
As soon as the coins were sent, the private key was known since it inherently revealed the public key.
- Send some money to an address, which would temporarily stop accepting money from anywhere else. The fee gives the sender the exclusive right to solve the puzzle for, say, 15 blocks.
- After that transaction is validated, a second transaction (which now cannot be forged by bots) can be sent through.
I am pretty sure you could do something like this on Ethereum but I don't know if the BTC protocol would allow this. I also know very little about the guts of the respective VMs in general.
I wish HN eliminated downvotes without posting associated feedback
I stand by my point: pay peanuts, get monkeys.
If you don't take extra measures to ensure the safe reception of the reward, don't be surprised your security gauge turns out sticky.
But aren't the public keys available on the blockchain anyway? That means literally everything can be brute forced?
1Jvv4yWkE9MhbuwGU66666666669sugEF 0.00000001
1YouAreSoDumbLoL666666666667K5aR4 0.00000002
1WhatWereUThinking6666666662wkqq1 0.00000003
1YouDeserveNothing6666666665sbbBC 0.00000004
1YouEpicFaiLure66666666666688GSDA 0.00000005
1BitchAssLoser66666666666669dBUVg 0.00000006
1AndEveryoneELse666666666669Vnc8C 0.00000007
1ThisisALosingGame6666666667HAZdf 0.00000008
1JustGetAReaLJob666666666665vGKVD 0.00000009
1YoureWastingTimeAndMoney664CVExC 0.00000010
1AndCausingCLimateChange6666HK8Qc 0.00000011
13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so 0.00000012
1Jvv4yWkE9MhbuwGUoqFYzDjRVQHaLWuJd 0.00000013
1FK5PjPNARQmg94n2cNHTo9417kWfXUDBQ 0.00002125
When you post a transaction, the public key is in the transaction (inside the field "sigscript"). With the public key known you only need 2^(66/2) checks (instead of 2^66), which can be done really fast.
So some bot watched the address, obtained the public key, computed the private key from it, and front-ran the original submitter probably with a deal from a mining pool to make sure his transaction is enforced.
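The 2^(66/2) figure here and the "trivial one" sketched earlier in the thread (a table of sG for small s, then walking T - (2^33)xG) are the same baby-step/giant-step idea. As an added example (not anyone's code from this thread, and not a secp256k1 implementation) here it is over a toy group, Z_p^* with p = 2^31 - 1 and generator 7, where the scalar in a 24-bit range is recovered with about 2 * 2^12 group operations instead of 2^24. The secret is a constructed value; the method is the textbook algorithm, and the point is to see why a known public key plus a known range collapses the work to the square root.

```python
# Toy group: Z_p^* with p = 2^31 - 1 (a Mersenne prime) and g = 7, which is
# a primitive root mod p. "Public key" = g^s mod p, "private key" = s.
P = 2**31 - 1
G = 7


def solve_in_range(target: int, m: int) -> tuple[int, int]:
    """Recover s in (0, 2^(2m)] with target = g^s using ~2 * 2^m group ops.

    Baby steps: table[g^s] = s for s in (0, 2^m].
    Giant steps: walk target * g^(-2^m * x) for x = 0, 1, ... and look each
    value up; a hit at (x, s) means target = g^(2^m * x + s).
    Returns (secret, group operations used) so the cost can be compared
    with the 2^(2m) of plain enumeration.
    """
    half = 1 << m
    table = {}
    acc = 1
    ops = 0
    for s in range(1, half + 1):
        acc = acc * G % P          # acc = g^s
        ops += 1
        table[acc] = s
    step = pow(G, -half, P)        # g^(-2^m), modular inverse (Python 3.8+)
    cur = target                   # cur = target * g^(-2^m * x)
    for x in range(half):
        if cur in table:
            return half * x + table[cur], ops
        cur = cur * step % P
        ops += 1
    raise ValueError("secret not in (0, 2^(2m)]")


def demo(bits: int = 24) -> tuple[int, int, int]:
    """Constructed scenario: a secret with `bits` unknown bits whose public
    value is known. Returns (secret, recovered, ops)."""
    secret = 0xABCDEF                  # constructed; must be < 2^bits
    target = pow(G, secret, P)         # the "published public key"
    recovered, ops = solve_in_range(target, bits // 2)
    return secret, recovered, ops


if __name__ == "__main__":
    secret, recovered, ops = demo()
    print(f"secret={secret:#x} recovered={recovered:#x} ops={ops} "
          f"(vs 2^24 = {1 << 24} for enumeration)")
```

The defensive reading: a 256-bit scalar with full entropy still costs about 2^128 steps this way, which is why ordinary transactions are safe even though they reveal the public key. What changes the picture is a key that is known to lie in a small range, as in the puzzle, or, in real-world incidents, a key generated from a weak RNG, which is a range attack in disguise.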
Why doesn't this happen with every large transaction then? Someone tries to move 10 BTC, instantly stolen?
Basically you're saying that every single Bitcoin transaction can be stolen "really fast".
Am I missing a step here?
The second post on this thread[0] has a helpful chart that makes it easier to understand.
0: https://bitcointalk.org/index.php?topic=5218972.0
Is that true for every single Bitcoin transaction?
> With the public key known you only need 2^(66/2) checks (instead of 2^66), which can be done really fast.
Then how come not all Bitcoin transactions are front-run like that and Bitcoin is not worth zero already? 2^33 is indeed nothing: 8 billion (so I understand this can be easily cracked).
I think so, for outgoing transactions (aka to remove from the address), it's kind of needed to verify the signature.
The 2^66 is only for this game where only 66 bits were left unknown. In the general case obtaining the private key from the public key is much longer.
As a miner, if I see two conflicting transactions I will prioritize the one which pays more rather than the one I saw first.
https://www.blockchain.com/explorer/addresses/btc/173ujrhEVG...
1. https://modal.com/blog/catching-cryptominers
the canaries that are left are worth several million USD combined, if there's any incremental progress towards cracking them, that's a strong incentive not to leave the money on the table.
if someone comes up with a full crack spontaneously, then yeah the canaries won't protect you, or anything else for that matter.
As something that’s eminently portable, I think crypto mining might actually have a use in derisking building out solar deployments, as a sort of buyer of last resort.
It might be nice to have other very portable energy sinks to eat up temporarily cheap locally available electricity. I think this might be part of the dream of the hydrogen proponents.
You can do actual useful stuff with electricity no matter where it came from, like smelting aluminium, training AI models or desalinating water. Wasting it on mining bitcoin is literally the last thing we should be doing with spare energy.
If that spare energy doesn’t have a use yet, negative pricing will find one… but allowing that use to be “computing mathematical puzzles to support a deregulated financial instrument whose chief uses are illicit transactions and speculative investment” is just absurd and we should regulate this away.
I recently read that some are thinking about connecting the US with Europe via DC cabling.
Here's a related, old article: "Submarine power cable between Europe and North America: A techno-economic analysis" (2018)
• Developed a 2030 power dispatch model of Europe and North America (NA).
• Identified socio-economic benefits of European-NA electricity trading through a HVDC cable.
• A 4000 MW cable increases social welfare by 177 M€ on an annual basis.
• This benefit for society is sufficient to cover the investment costs.
https://www.sciencedirect.com/science/article/pii/S095965261...
While that energy technically serves the purpose of letting a monetary system function, traditional monetary infrastructure requires vastly smaller amounts of energy, thus this is a wasteful use of it.
I guess BoA probably handles a little more than that?
Therefore Bitcoin could scale to handle millions of transactions per second with a sublinear increase in electricity spent. [0]
[0] http://blog.vermorel.com/journal/2017/12/17/terabyte-blocks-...
https://cowboystatedaily.com/2024/09/03/giant-wyoming-carbon...
> CarbonCapture cited “intense competition from data centers” in the region for electricity as partially the reason why it is moving from Wyoming.
Wyoming is a very popular state for cryptocurrency mining due to substantial state support, cheap energy, cool climate, etc. Miners use a lot of clean energy that would have been used for more useful purposes, as shown by the article I linked.
Conclusion: yes, it's still a waste, unless that energy was surplus absolutely not going to be used for anything better or able to be stored, although even then the compute resources could have probably been used for more useful problems.
It is very much not: https://www.theguardian.com/technology/2022/feb/18/bitcoin-m...
Which as a whole is a very limited scenario.
California uses green energy, but in doing so increases the mining reward, which increases the mining from countries like china and russia, who do not use green energy.
You'd just need to download the 6,505,548 TB list of keys and re-derive the public key for each to check that they're valid; unfortunately it would take in the ballpark of a kiloyear of compute time assuming you have 3x RTX 3090s.
>> First output: take random number from 2^0 up to 2^1-1, use it as private key
>> Second output: take random number from 2^1 up to 2^2-1, use it as private key
>> Third output: take random number from 2^2 up to 2^3-1, use it as private key
To me it sounds like that wallet #10 has a range from 2^9 to 2^10 - 1 - so you don't actually need to check previous bits. But somehow it seems like everyone is crawling through the whole range of possible private key. Doesn't make sense, does it? Am I missing something?
With each puzzle, you know that the top bit is 1, and nothing else. Every bit below that is unknown, and you need to go through the whole range of n-1 bits. Puzzle #10 has 9 bits to guess, because it's between 10_0000_0000 and 11_1111_1111. Puzzle #66 has 65 bits to guess. If someone says 66 unknown bits they've misspoken.
>> Puzzle #10 has 9 bits to guess, because it's between 10_0000_0000 and 11_1111_1111
means that I don't have to start at 0000 0000 0000 ... every time, I can actually start at 2^5 and look up to 2^6 - 1, for example for the 6th address.
I thought cracking anything to steal bitcoin was impossible due to the keys sizes involved? Is this possible because a portion of the key is already available so there is less to crack?
Which key is known? The public or private? Another comment said the “now known public” but then also said the private key can now be recovered by cracking it? Two keys need to be cracked?
What kind of computing power is needed to crack both keys and how long?
Thanks. Sorry, I’m an idiot when it comes to bitcoin.
This would normally be computationally intractable but these keys are much smaller than normal, with most of their leading digits intentionally zeroed out to make it easier to 'steal' the funds from the corresponding wallet. If anyone knows who set this up, or why, they aren't talking.
In the process of creating the transaction to claim the prize, the winner must generate a corresponding public key based on some sort of hash of the private key and wallet address. I don't know how they can tell when they've succeeded; hopefully someone else can clarify/correct this point. But once they do succeed, the transaction is then posted in public to allow miners to add it to the blockchain.
Unfortunately, due to mathematical witchfuckery, knowledge of both the private key and a valid public key makes it possible to solve the puzzle as if the already-shortened private key had half the number of bits. In that case, finding the wallet address might take only a minute or two on a standard GPU rather than the months of time on a whole warehouse full of them that the original winner had to spend.
Knowing this, people who are bad and who should feel bad set up bots to watch for the prize-claiming transactions. The bots are designed to recompute the source wallet address independently and front-run the winner's transaction by resubmitting it for the benefit of the thief, using a higher reward to incentivize miners to prioritize their transaction over their original one. Bitcoin blocks are mined about every 20 minutes, so on average the thief has about 10 minutes to create an overriding transaction once the original transaction is posted. Sucks to be the winner who expended so much effort to claim the prize, as they are now out about $400K. Nothing left but a huge electric bill.
https://bitcointalk.org/index.php?topic=1305887.0
Someone, back in 2015, created this puzzle when BTC was cheap. He/she posted a couple of public keys (Wallet Addresses):
https://bitcointalk.org/index.php?topic=5218972.0
Though, I don't understand the actual task. It's a couple of transactions and one has to "guess" (aka bruteforce) the private key to a known public key. There's an increasing level of complexity, which makes it harder, the higher you get in this list.
Would appreciate any more details.
https://www.blockchain.com/explorer/transactions/btc/12f34b5...
Bitcoin was not cheap in 2023, this is someone with $50m to spare!
IANAL, etc.
I'm not into crypto and I do think Bitcoin is stupid and wasteful, but I don't find it "sick" or all that upsetting that this kind of puzzle exists, though I think some smart contract-based Ethereum puzzles could be much more interesting, demanding solutions to more interesting problems that don't directly relate to the blockchain itself. Imagine a smart contract with a pot anybody can pay into that pays out to whoever could crack a particular previously unsolvable problem. Basically a public bounty. The only downside is that it has to be a problem that can be validated algorithmically.
This was just a race to see who could burn the most CPU/GPU cycles the fastest.
Even when a real puzzle has a monetary reward for solving it, a big component of the reward is the solving itself. For this, the reward is just money.
Bitcoin may be an inefficiency, but is it the? Most everyday things modern first-world people do are equivalent to burning oil and shredding trees for little to no reason. You just can’t see it as clearly as in PoW crypto.
What puzzles create something of value when they're solved today? A puzzle is typically a thing you do for fun and entertainment, not something you try to solve for the purpose of creating value.
I guess you're thinking more about logic/mathematical puzzles and alike? Would make sense in that case, but that's not the only type of puzzle.
Anyway, I don't agree that puzzles by definition have known answers, unless you want to nitpick and I just change my "puzzle" into "challenge".
But, as it happens, this one does: it offers economic incentive to develop more efficient attacks on elliptic curves. The curve Bitcoin uses isn't widely used outside of it, but that doesn't mean that an efficient attack on Secp256k1 wouldn't apply elsewhere.
Is this modest as positive externalities go? Probably yes. Could someone with a better attack on the curve just empty wallets? Not necessarily, and probably not: the point of the puzzle is that the entropy has been deliberately reduced to make it crackable with brute force, so, say someone worked out a factor of four improvement: that isn't going to get you into the Genesis Wallet, but it substantially lowers the price of claiming some of the puzzles.
Also, being a cryptographer and being a thief are unrelated professions. Some people might be inclined to both, but I would guess that most are not.
A lot of people created CO2 to take part in a BTC lottery and the winner was now randomly found.
I hate crypto :|
I think it’s worth noting that bitcoin uses a fraction of the energy required to mine gold for example.
It’s also a driving force in renewables, by stabilising energy grids (mining can use the spare capacity during quiet periods and switch off during peak hours).
So I don’t think it’s as black and white as “bitcoin uses energy = bad”
In NYC they bought a Gas power plant only for bitcoin. In Texas they had to pay millions to bitcoin miners for them to shut down. In china they stole power from normal people left and right.
It also allows selling limited local energy globally and pushes energy into the trading/gambling area. Instead of giving local people cheap energy, some bitcoin miner will try to get as much of that cheap energy as possible. It also incentivizes using bitcoin miners to use flare gas instead of doing something to actually capture and use it, as it is a limited resource.
Nonetheless, PoW is stupid. It's the worst scenario we can come up with in a society with scarce resources and a very limited CO2 budget by now (have you watched the TED talk?). And in the end Bitcoin's PoW system still stands on our existing PoW system. Someone stole your bitcoins? You go to the police... Without our existing PoS system, you would need to keep your bitcoin wallet and address always anonymous, otherwise you would trust our law and order (part of our PoS system), and you could literally only send bitcoins around and nothing else. (Smart contracts are also not a scalable and stable solution to this issue.)
Btw. yes, gold needs energy to be mined, but it's a one-time cost YOU HAVE TO DO to use this material. Bitcoin is a waste of resources all the time you use it. And gold has real value in science, manufacturing and in styling/model/art. Nonetheless we need to get the CO2 production of gold down, and bitcoin we just don't need. The best solution is to get rid of bitcoin and keep reducing CO2 production for gold.
And yes, I do have a lot more arguments on why bitcoin is useless.
It takes 3 seconds to look up the 24h volume for BTC and it is $9.6 Billion
https://news.ycombinator.com/newsguidelines.html
"Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes."
Plenty of banks will freeze your bank account instantly.
And good luck convincing them that you stumbled upon $400k by solving a puzzle - only takes one suspicious fraud/risk manager to conclude that there’s a higher chance of fraud than legitimacy.
(But you are right, no problem to find someone to pay you the market price. That’s a done deal in seconds)
Liquidity of less than a million worth of BTC hasn't been a problem for a long time
Then again, it may be serious trouble if you have serious issues explaining the source.
2. Deposit bitcoin
3. Market order sell all
4. Withdraw USD
Step 2.6 Coinbase blocks your account citing "Suspicious activity"
Step 2.7 Sign up to three other exchanges, split the loot across them
Step 5 Argue with the bank about the source of funds
Step 6 Argue with tax agency that you'll fill out your taxes correctly
Taxing this is super simple, you just mark as "other" - akin to finding money on the ground.
Arguing with bank - which specific bank would cause problems here?