Bitcoin puzzle transaction ~32 BTC prize to who solves it

[brainless]

Someone have web servers, and can give me ftp access for upload addresses list, for all fellows to download and try to find 135 puzzle pk

[stwenhao]

YMMV, I'm genuinely interested how others see it. Please, try to explain if your opinion differs. I might be wrong with my own opinion and if so, I'd like to learn why!

I think it is technically possible to prove, that you are the real solver. Which means, that everyone would know, if coins were stolen or not. Solvers just don't use such proofs, but it can be done.

First, any solver can deposit any coins into its own, strong key, and a proof of being the one, who solved the puzzle. The output Script is:

Code:

<strongPubkey> OP_CHECKSIGVERIFY OP_RIPEMD160 <puzzleHash> OP_EQUAL

Then, the solver can wrap it behind P2WSH, and wait for getting enough confirmations. After a while, a solver can move the coins from this Script, to the desired destination of the puzzle. It can even be done in the same transaction, which would sweep the puzzle, if desired.

And then, it won't prevent coins from being stolen, but it would prove to the outside world, if they were stolen or not.

Another thing is proving knowledge of some public key with ZK-proofs, DLEQ proofs, or something similar. It can be done, and it could be battle-tested on puzzles, before introducing any "quantum-resistant" things globally.

[Frequence]

Instead of discussing how to find the key, the talk is about how to steal it. Those claiming it is ethical have no sense of manners, and those saying the RC test is part of the game should note that the creator deliberately leaked the public key to test how fast it could be cracked. but he never said to steal from someone else after finding it.

[ExernalVN]

It's unethical and very common.

It's ethical.... whatever those bots are doing to low entropy puzzles is what RC is doing to puzzles over 115 bits with his RCKangaroo.

From outgoing transaction -> extract public key -> from public key find private key -> create and sign another transaction with the private key.

It does not matter who created the first outgoing transaction in the first place.

what algorithm should be used to calculate the private key if the public key and the hash range from the private key are known?

[kTimesG]

Instead of discussing how to find the key, the talk is about how to steal it. Those claiming it is ethical have no sense of manners, and those saying the RC test is part of the game should note that the creator deliberately leaked the public key to test how fast it could be cracked. but he never said to steal from someone else after finding it.

I've said it times and again: using the term "stealing" assumes initial ownership. So, who are we stealing from? Someone who purposely brute-forced his way into cracking a wallet, and later let 8 billion people instantly know the private key, and asking for ethics on everyone, except himself? This is ridiculous: "The pot calling the kettle black". Maybe you're better off with trusting your bank fiat account more than crypto.

It's sad that most people using Bitcoin have zero clue on how Bitcoin works, and asking for things that are exactly the opposite of the problems that it aims to solve.

[BlackAKAAngel]

"That's not ethical. Hmmm. What is ethical today? A white cat? They are working for the government and doing the same hacking like accessing a private desktop, mobile device, or account today, that’s a reality. I can write a code similar to ChatGPT to attack whatever i want.every day, 10-15 times, someone tries to hack my desktop to change my email password today that's considered normal, and it's getting worse

[LOCKACO]

Hello, I'm new to this platform, and I came across this thread, It seem interesting and want to join in active participation 

[SimonNeedsBitcoin]

To solve puzzle 135, is RCKangaroo better than keyhunt's bsgs?

[analyticnomad]

Hello, I'm new to this platform, and I came across this thread, It seem interesting and want to join in active participation  

Welcome. You don't have to announce that you want to join in participation, you can just participate.

Right now they're all talking about ethics in bot use for the 10,000,000th GD time. Coming up next; someone will bring up how these puzzles are "illegal", a "scam" or "impossible", and stay tuned next week for the prefix vs. deterministic iterations debate!

[Menowa*]

Hello, I'm new to this platform, and I came across this thread, It seem interesting and want to join in active participation  

Welcome. You don't have to announce that you want to join in participation, you can just participate.

Right now they're all talking about ethics in bot use for the 10,000,000th GD time. Coming up next; someone will bring up how these puzzles are "illegal", a "scam" or "impossible", and stay tuned next week for the prefix vs. deterministic iterations debate!

Or maybe about broadcasting to mempool while Mara is a scam

[Wanderingaran]

these puzzles are "illegal", a "scam" or "impossible"

Yo, even if you crack the code, who’s to say you’ll even get the bag? That’s mad sus. How’s that a fair race? Straight-up scam vibes. 💯

[analyticnomad]

these puzzles are "illegal", a "scam" or "impossible"

Yo, even if you crack the code, who’s to say you’ll even get the bag? That’s mad sus. How’s that a fair race? Straight-up scam vibes. 💯

Oh look! here's one now! jk

[teguh54321]

Found funny address
1PWo3JeB9jpRt9dKR4PpzCAZYHWMm2rxf3

At 63xxx

CAZY
Mean we all crazy ? 🤪

[Kelvin555]

Instead of discussing how to find the key, the talk is about how to steal it. Those claiming it is ethical have no sense of manners, and those saying the RC test is part of the game should note that the creator deliberately leaked the public key to test how fast it could be cracked. but he never said to steal from someone else after finding it.

lol.... The supposed creator made only a bitcointalk forum post about the challenge, he never said anything about rules on how to compete in the challenge or how to get the coins to your wallet, he also never mentioned anything about leaking puzzles with multiples of 5's public keys so to test how fast it can be cracked.

Step into reality for a moment and you will realize that your feelings or anyone else's feelings does not matter about ethics in this competition, since no rules were stated for the challenge anything is acceptable.

[ytrezq]

A completely new class of method for computing discrete logarithms

This paper seems to be about a specific case http://web.archive.org/web/20250725043122/https://cr.yp.to/dlog/cuberoot-20120919.pdf but in reality, the method is generic. They talk about small discrete logarithms in the same vein that pollard rho has a complexity too high to handle large discrete logarithms…

Victor Shoup theorized that no generic discrete logarithm solving method could perform better than x^½. This is indeed the complexity of Pollard Kangaroo and Pollard rho. But he also theorized than an algorithm with precomputation can yield at best a complexity of x^⅓ which means the lower bound to break full sized secp256k1 is far less than the 2¹²⁸ estimated security.

This paper is indeed diving in that class of faster speed at the expense of memory storage.

anyone to turn it’s mathematical description into implementation ?

[kTimesG]

A completely new class of method for computing discrete logarithms

This paper seems to be about a specific case http://web.archive.org/web/20250725043122/https://cr.yp.to/dlog/cuberoot-20120919.pdf but in reality, the method is generic. They talk about small discrete logarithms in the same vein that pollard rho has a complexity too high to handle large discrete logarithms…

Victor Shoup theorized that no generic discrete logarithm solving method could perform better than x^½. This is indeed the complexity of Pollard Kangaroo and Pollard rho. But he also theorized than an algorithm with precomputation can yield at best a complexity of x^⅓ which means the lower bound to break full sized secp256k1 is far less than the 2¹²⁸ estimated security.

This paper is indeed diving in that class of faster speed at the expense of memory storage.

anyone to turn it’s mathematical description into implementation ?

Yes. That paper is the very basis of everything I was talking about numerous times, when saying that the DLP can be solved much faster.

You can also see it in practice whenever you hear anyone talking about precomputed data.

Note that reaching the 1/3 exponent complexity also requires doing the 2/3 exponent pre-work, so for secp256k1, if you want to reach that lower bound, you first have to do 2**170 group operations (and also storing a very large amount of data, depending on the desired DP frequency; in any case, much much more than the number of bits in all the storage drives in existence, raised to the power of 2).

And another thing is that that 1/3 + 2/3 refers to an optimal tradeoff between precomputed effort and solving effort, because there's nothing (except memory and time limits) stopping anyone from computing the full log, storing it, and solving any key in a single O(1) lookup step. And nothing stopping anyone from computing, let's say, half of the full log domain, and solving any key in 2 steps. And so on and so forth.

[ytrezq]

A completely new class of method for computing discrete logarithms

This paper seems to be about a specific case http://web.archive.org/web/20250725043122/https://cr.yp.to/dlog/cuberoot-20120919.pdf but in reality, the method is generic. They talk about small discrete logarithms in the same vein that pollard rho has a complexity too high to handle large discrete logarithms…

Victor Shoup theorized that no generic discrete logarithm solving method could perform better than x^½. This is indeed the complexity of Pollard Kangaroo and Pollard rho. But he also theorized than an algorithm with precomputation can yield at best a complexity of x^⅓ which means the lower bound to break full sized secp256k1 is far less than the 2¹²⁸ estimated security.

This paper is indeed diving in that class of faster speed at the expense of memory storage.

anyone to turn it’s mathematical description into implementation ?

Yes. That paper is the very basis of everything I was talking about numerous times, when saying that the DLP can be solved much faster.

You can also see it in practice whenever you hear anyone talking about precomputed data.

Note that reaching the 1/3 exponent complexity also requires doing the 2/3 exponent pre-work, so for secp256k1, if you want to reach that lower bound, you first have to do 2**170 group operations (and also storing a very large amount of data, depending on the desired DP frequency; in any case, much much more than the number of bits in all the storage drives in existence, raised to the power of 2).

And another thing is that that 1/3 + 2/3 refers to an optimal tradeoff between precomputed effort and solving effort, because there's nothing (except memory and time limits) stopping anyone from computing the full log, storing it, and solving any key in a single O(1) lookup step. And nothing stopping anyone from computing, let's say, half of the full log domain, and solving any key in 2 steps. And so on and so forth.

No, because as far I understand, in the case of http://web.archive.org/web/20250725043122/https://cr.yp.to/dlog/cuberoot-20120919.pdf the complexity is decreased by the square of the size of the table. And anyway, the challenge here indeed involve computing several discrete logarithms so reusing precomputation would be worthwhile compared to sticking to pollard kangaroo isn’t it ?

[kTimesG]

No, as far I understand, in the case of http://web.archive.org/web/20250725043122/https://cr.yp.to/dlog/cuberoot-20120919.pdf the complexity is decreased by the square of the size of the table. And anyway, the challenge indeed involve computing several discrete logarithms so reusing precomputation would be worthwhile isn’t it ?

In theory, yes. In practice, the algorithm you use may or may not allow you to reuse the precomputed data, because you have to factor in the fact that the DLPs are in a higher and higher range, and the data you precomputed might have only been optimal up to a limiting upper bound (otherwise, it would have been inefficient in solving the very first DLP).

To sum it up: this is only useful if one wants to solve a large amount of DLPs, up to some upper bound. For example, all the puzzles up to 120 bits, in absence of having any pubKeys already, can use a precomputed data that allows ANY 120 or lower bits key to be found. For example, it can solve Puzzle 1, 2, 3, 4, .... 70, 71, 72, .... 115, 116... up to 120 bits. But it will have a 50% chance of failing to find a 121-bits key, a 75% chance of failing to find a 122 bits key, etc. because the new keys may be outside the precomputed domain and finding them may or may not be possible.

It is useless to do it for puzzles that are unsolved and have the pubKey exposed, because in THAT case, the most efficient algorithm is to simply merge the precomputing with the solving, to obtain the minimum effort (e.g. 1/2 + 1/2 exponents, times whatever constant factor + any overheads).

[krems_hive]

Wanted to ask, given the latest puzzle and last couple of solved puzzles are unprofitable to crack by renting from, say vast.ai or clore.ai, what do you guys think these people who cracked last couple of puzzles rented those 1000s of GPUs?

Current prices say they should spend around 1.5 million usd to crack 6.9 btc puzzle which is not at all profitable. So, how are they doing it? Stolen/hacked GPU compute?

[Cricktor]

I think it is technically possible to prove, that you are the real solver. Which means, that everyone would know, if coins were stolen or not. Solvers just don't use such proofs, but it can be done.

I'm trying to understand what you try to impose for a "real solver". Did the puzzle creator specify what "real solving" means? I don't think so. The puzzle creator offered puzzles to be solved by any means, AFAIR.

The stated analogy by someone here of some thief waiting at the bank's door for someone who just collected some cash in the bank is plain stupid. In my jurisdiction a theft is defined as taking away physical things that you don't own which would be difficult for digital coins anyway, but that's not the point. Taking someone else's cash in such a situation, usually by necessary force, is theft, no need to argue over that.
A grinding solver broadcasting a vulnerable transaction in the public doesn't own the coins until the transaction is actually confirmed. Am I wrong with this? I'd love to hear why, seriously!

Normal Bitcoin transactions are safe because there's not enough energy and time on this planet to find the same private key(s) that allows to sign a transaction to move coins secured by high entropy random private key(s). This is the simple safety of very very large random numbers.
Mathematically is totally possible that you find the same private key(s) that I use to secure my coins. It's not impossible, it's just so utterly unlikely and improbable that I've no worries about my coins. Even if you try a billion times per second for whatnot many years, it's still not likely you will ever find a funded private key by random chance.

Exposing a vulnerable public key in public mempools opens the opportunity to use faster methods than brute-force grinding of the private key. If a real grinding solver ignores this, whoes fault is this, seriously?

Bots don't steal the private key, they find it with faster methods because it is possible to use those faster methods from publicly available data that is open to everyone! This is the consequence of publicly known weak and vulnerable low entropy private keys. Do not ignore this simple fact.

What exactly is wrong or unethical or whatnot to use publicly available data to find a private key faster that allows you to sign a transaction to move coins that are "controlled" by such a vulnerable low entropy private key? The root problem is the vulnerable low entropy private key where you risk exposure of it with public transactions. You should not publish transactions in the open public for such vulnerable low entropy private keys because public exposure of their matching public keys is not safe.

It's maybe drifting away from the topic of this mega-thread. How do we define "ownership" of coins? The owner has a "normal" private key to move those coins. Owner's duty is to keep this private key secret, at all cost. If it's a strong entropy private key, it's totally improbable that someone else could gain possession of the same private key by random chance and/or grinding. Stealing those coins would be only possible by taking away the sole possession of a safe private key from the "owner" of that private key.

Hm, it's getting difficult. I don't neglect moral aspects, even when it seems so. I'm happy if someone points out moral flaws.