[HN Gopher] Bitcoin puzzle #66 was solved: 6.6 BTC (~$400k) with...
___________________________________________________________________
Bitcoin puzzle #66 was solved: 6.6 BTC (~$400k) withdrawn
Author : mrb
Score : 172 points
Date : 2024-09-15 13:30 UTC (9 hours ago)
(HTM) web link (www.blockchain.com)
| mrb wrote:
| Discussion thread here:
| https://bitcointalk.org/index.php?topic=1306983.msg64526037#...
|
| Bitcoin puzzles are private keys with just a few unknown bits so
| that anyone can bruteforce them to collect a reward. Puzzle 66
| contained 66 unknown bits and had 6.6 BTC deposited into it by
| the initial puzzle creator. The private key was
| 0x000000000000000000000000000000000000000000000002832ed74f2b5e35ee
| or 256 bits with mostly zeroes but 66 random ones.
|
| The next Bitcoin puzzle, #67, has 67 unknown bits, and contains
| 6.7 BTC up for grabs:
| https://www.blockchain.com/explorer/addresses/btc/1BY8GQbnue...
|
| The previous puzzle by order of difficulty was #64 (not #65,
| because see below) and was solved on 9/9/2022, so about 2 years
| ago. In other words, it took about 2 years of compute time to run
| the 2^66 bruteforcing task.
|
| Puzzles that are multiples of 5 (#65 or #70) are special: they
| have twice more entropy. So that private key #65 doesn't have
| 65-bit of entropy but 130-bit of entropy. And the creator of the
| puzzle intentionally published their public key on the
| blockchain. When you know the public key, bruteforcing the n-bit
| private key only requires 2^(n/2) work. So puzzle #65 with a
| 130-bit key actually requires bruteforcing up to only 2^65 keys.
| wslh wrote:
| New to this puzzle! Do you have a more detailed resource to the
| puzzle? Is it basically brute forcing based on all public keys
| available on the Bitcoin blockchain? Could this be considered
| stealing?
| mrb wrote:
| Sure, here is a nice little presentation on the puzzle:
| https://rya.nc/forensic-bitcoin-cracking.html
|
| The main discussion thread on the bitcoin forum is this but
| it has a low signal-to-noise ratio:
| https://bitcointalk.org/index.php?topic=1306983.0
|
| There is a secondary thread here:
| https://bitcointalk.org/index.php?topic=5218972.0
|
| The point of the puzzle is indeed to brute force some private
| keys (not public keys), but not all, as 2^256 is
| computationally impossible. The private keys that have been
| discovered so far have obviously many zeros in them, so in
| practice you are never going to accidentally steal from a
| legitimate address with actually 256 bits of entropy.
|
| The creator of the puzzle is anonymous and never came forward
| (to my knowledge). The point of the puzzle is (1) to be a fun
| game, and (2) to be a publicly observable way of measuring
| current brute forcing capabilities.
| wslh wrote:
| First, a question: is there something similar for other
| blockchains? And, a clarification, when I said public keys
| I referred to public keys that match an unknown private key
| but I understand now (am I correct?) that this puzzle is
| purely brute forcing private keys with a lot of zeroes and
| then matching with the addresses in the blockchain (which
| would be a function from the public key).
| mrb wrote:
| I don't know if other blockchains have these puzzles. You
| are correct that this puzzle is brute forcing private
| keys with a bunch of zeroes, from which a public key can
| be calculated.
| ForHackernews wrote:
| Is this a "puzzle"? Throwing compute at brute-forcing a random
| number doesn't seem like solving a puzzle to me, it's basically
| how bitcoin works.
| aeturnum wrote:
| I think the puzzle idea is that, if you could figure out a
| weakness in the hash, you could claim it faster than the
| brute force approach. So each prize that's claimed "on
| schedule" supports the idea that there aren't any widely
| known shortcuts.
|
| Obviously if you found a shortcut in the hash you might do
| other things first, but I think that's the idea.
| IshKebab wrote:
| Hmm yeah if I cracked Bitcoin then the _last_ thing I'd do is
| claim a prize that gave away the fact that I'd cracked
| Bitcoin.
| mr_mitm wrote:
| There is a difference between a weakness and complete
| breakage. You might have a small edge over brute force,
| but not enough to reverse any public key. This acts like
| a canary for weaknesses.
| dylan604 wrote:
| some people just want the cred though. their name will be
| immortal and live through history as being something, or
| some such nonsense that feeds an ego.
|
| also, if you were the type that thinks bitcoin is lame,
| this could be a way of undermining the concept to the
| point that people no longer use it because it's not
| secure as it was touted
| throwawaymaths wrote:
| What you would do is claim the prize slightly ahead of
| schedule and wait to be slightly ahead of schedule for
| the next one.
| ramon156 wrote:
| I'd assume there's a hint, but I can't find anything
| jsheard wrote:
| PoW crypto is an exercise in finding new ways to spin boiling
| the oceans as actually being productive.
| teekert wrote:
| Electricity net controllers here are pretty happy when I
| boil some ocean on a sunny day. In fact at times they give
| me money for it. And then I can donate sats to indie
| content creators using podcasting 2.0 features.
|
| But I think you are one of those people that threw out that
| baby with the bath water long ago.
| kelnos wrote:
| The kind of use you describe is almost certainly a small
| minority of the whole.
| yosito wrote:
| Where is here for you?
| PaulHoule wrote:
| A lot of puzzles (e.g. sudoku) are things you could solve
| with a SAT/SMT solver
| aeternum wrote:
| Optimization and efficiency are sometimes underappreciated
| puzzles. We know that the air contains nitrogen for example
| but without the wild efficiency of the Haber process, most of
| us would likely be dead right now.
|
| Custom silicon and all kinds of related optimizations were
| likely used to successfully brute-force this number.
| Sandworm5639 wrote:
| Is it known who set it up and for what purpose?
| n2d4 wrote:
| For those curious, the reason why a public key lets you find a
| private key more efficiently is Pollard's rho algorithm:
| https://en.wikipedia.org/wiki/Pollard%27s_rho_algorithm_for_...
| CamperBob2 wrote:
| These keys are based on elliptic curves rather than products
| of primes, aren't they?
| matthewdgreen wrote:
| There is one rho algorithm for discrete logarithms and one
| for factoring. Published three years apart.
| mrb wrote:
| Yes, specifically secp256k1
| mapt wrote:
| Am I correct in assuming that beyond a certain point, this is
| basically an existence proof for somebody having a quantum-
| supreme solution to Shor's Algorithm?
|
| "Here's $400,000 sitting on the table, hope nobody takes it"
| which triggers an alarm telling us to replace all our old
| prequantum cryptography.
| n2d4 wrote:
| Or someone "just" finding a fault in the cryptographic
| algorithms used in Bitcoin. Or whoever created the puzzles
| leaking their information.
| sigmoid10 wrote:
| >Or whoever created the puzzles leaking their information.
|
| Or getting hacked. This is super common among people who
| are known to have high value wallets. Between physical
| attacks and zero days in everyday software, there's no
| chance to stay safe when you put that kind of target on
| your back.
| owl57 wrote:
| Is it likely that these particular private keys were
| wiped ~immediately after creation?
| Powdering7082 wrote:
| > there's no chance to stay safe when you put that kind
| of target on your back.
|
| Vitalik Buterin seems to be a counter example here, his
| net worth peaked around $1.46 billion. He has some
| interesting writing on how he stays secure. At one point
| the SHIBA token sent a huge amount of funds to his cold
| wallet and he details what he did to securely access
| those funds:
|
| https://decrypt.co/91000/ethereum-founder-vitalik-buterin-du...
|
| > The funds, he said, were initially in a cold wallet in
| the form of two numbers written on separate pieces of
| paper. Buterin said he had to combine the two numbers to
| get the private key. "One of those numbers was with me;
| the other number was with my family in Canada," he said.
| "So I had to call up my family in Canada and tell them to
| read their number to me."
|
| > Buterin said that he entered the numbers into the
| computer he purchased from Target after putting the two
| numbers together. "I sent my ETH out by generating a
| transaction and then on a computer that I bought from
| Tarjay [Target] for about $300 bucks for just this
| purpose."
|
| > Before disconnecting the laptop from the internet
| entirely, Buterin said he downloaded a program to
| generate QR codes. After generating the Ethereum
| transaction, he scanned the QR code with his phone,
| copied it to the laptop, and then put it into
| etherscan.io/pushTx. Finally, Buterin said he began
| sending out the tokens.
| LikesPwsh wrote:
| Vitalik got indirectly pwned by the infamous DAO smart
| contract hack, but had the social clout to pause/rollback
| the supposedly decentralised/immutable Blockchain.
|
| Maybe not the best example of cryptographic security.
| pas wrote:
| how would anything ever be immutable if people can
| reassign the symbol/pointer/name?
|
| the DAO hack happened, immutably, no one disputes it. the
| hashes and blocks and transactions are well-known. so
| there was a "schism", that explicitly validates the fact
| that without this large-scale cooperation, without the
| redefinition of what Ethereum is, it would still be
| what is on that other branch. these both provide evidence
| for the immutability and decentralization.
| vessenes wrote:
| This is not an accurate summary of what happened with
| TheDAO. Source: I publicized the attack vector for TheDAO
| here on HN.
| TacticalCoder wrote:
| > ... but had the social clout to pause/rollback the
| supposedly decentralised/immutable Blockchain
|
| Vitalik (and all DAO ETH hodlers) _luckboxed_ in that the
| ETHs locked in the DAO, although "stolen", couldn't be
| withdrawn by the attacker before a few weeks.
|
| There has been _zero_ pause and _zero_ rollback. Most
| people don't understand that: by chance the stolen funds
| were inaccessible to the attacker for a few weeks.
|
| What Vitalik did is he _forked_ (soft fork) the ETH
| blockchain to modify the rules. That soft fork happened
| _before_ the cooldown period expired, so the attacker
| never got to access his funds.
|
| Some members of the community said "adding new rules is
| against the spirit of decentralization, so we keep using
| the old chain". The old chain was named "Ethereum
| classic" while the forked chain kept the name "Ethereum".
|
| But there's been _no_ rollback.
| mistrial9 wrote:
| Target stores were early adopters of every-shopper
| profiling. Target has cameras on the purchase area, and
| have been known to refuse cash.
| Scoundreller wrote:
| Is this basically saying he sent all the ETH out of his
| "account" (presumably to another one that was pre-
| generated & pre-shared half the private key with his
| family), so that it just had the Shiba tokens left in it?
|
| Then he didn't have to worry about the Shiba related
| transactions affecting his ETH?
| Maken wrote:
| If anyone developed a solution to integer factorization, I'm
| sure they would be after larger prizes than mere 400k in
| crypto. A practical application of this puzzle could be to
| have an estimation of how long it takes to break a public key
| by conventional means. The moment one of these prizes can be
| claimed in mere months you know it's time to double the size
| of the Bitcoin public keys.
| mapt wrote:
| If you want to prove that somebody has the ability to pick
| locks in order to protect your valuables, you leave the
| prize sitting on the kitchen table (at 66 bits of entropy)
| behind your relatively easy front door lock, not in a
| secure vault with triple redundant mechanisms. Somebody
| with the solution is going to be able to claim the money in
| far, far less computing time than they could claim a larger
| prize by breaking industry standard prequantum key sizes.
|
| The $400,000 is an inducement for any participant in that
| engineering effort to break the conspiracy and take the
| bag. It's effective during the period between the time that
| a quantum Shor's solver has been achieved for a given
| algorithm in theory for 256 bits (and in practice for 66
| bits), and the time that a practical solution at 256 bits
| has been implemented.
| oniony wrote:
| Except your analogy doesn't work because every single
| bitcoin address has the same brand of lock.
| beepbooptheory wrote:
| Each key is a brand in the analogy.
| anothernewdude wrote:
| Except they don't need to take it now, just before anyone
| else does.
| red_admiral wrote:
| Or some other number-theoretic advance that is significantly
| below exponential time on the particular type of field or
| curve being used.
|
| The reason that we use elliptic curves these days, or if we
| must then something like 8k bit keys to get 128 bits of
| security over finite fields, is that for the old Z^*_q/Z_p
| setup, such a faster algorithm exists (index calculus).
|
| Someone could in theory find a better calculus that works
| only for groups with some specific characteristics of
| Curve25519, for example. No quantum computers needed.
|
| EDIT: we know that no _generic_ faster algorithm exists, that
| is one independent of the representation of the group
| involved, for the traditional computing model. But that
| doesn't exclude algorithms, as I said above, that work for
| very particular cases.
| red_admiral wrote:
| Curious to know because I've never looked into this stuff:
| doesn't the _public_ key have to be available anyway so you can
| send the coins to the address in the first place and have that
| recorded on the ledger?
| tomtomtom777 wrote:
| A wallet address (where money is sent to) is the public key
| _hashed_. This money can then be spent with a transaction
| containing both the signature and the public key.
|
| This is one of the reasons it is advised never to reuse an
| address. After using it once, your private key may still be
| private but your public key is exposed, reducing security.
| red_admiral wrote:
| Thanks. The "hashed" part is what I was missing.
| aeonik wrote:
| Once you have the private key, you would submit a transaction
| with that private key and authorize a transaction to a public
| key that you control, and doesn't have part of the private
| key available.
|
| You don't need the public key, and IIRC most algorithms allow
| you to derive the public key from the private key, though I'm
| not sure that's the case with Bitcoin. I have vague memories
| that there are algorithms where this is not the case, but
| it's been a while.
| red_admiral wrote:
| It's some kind of EC/DSA scheme, isn't it? Then from the
| private key you can indeed get the public key.
| mistrial9 wrote:
| Is this true? from an ECDSA private key you could derive
| many possible public keys? asking for a friend
| aeonik wrote:
| I looked it up.
|
| 1. SHA-256: Used twice (double SHA-256) for block hashing
| and once in address generation.
|
| 2. RIPEMD-160: Used once in address generation (after
| SHA-256).
|
| 3. ECDSA: Used once for transaction signing and
| verification.
|
| 4. Base58Check: Used once for address encoding (includes
| a checksum generated using SHA-256).
| rboyd wrote:
| probably discussed in the bitcointalk thread, but how do we know
| it's not just the creator of the puzzle reclaiming his own
| bitcoin?
| altairprime wrote:
| By what means might you prove or disprove this theory?
| stonegray wrote:
| Having the solver post all 2^66 -2 incorrect private keys
| would prove that they solved it fairly and had no prior
| knowledge of the key.
|
| You'd just need to download the 6,505,548 TB list of keys and
| re-derive the public key for each to check that they're
| valid; unfortunately it would take in the ballpark of a
| kiloyear of compute time assuming you have 3x RTX 3090s.
| totallyunknown wrote:
| This is just sick.
| whiterknight wrote:
| Why?
| amelius wrote:
| Can't we come up with puzzles where at least something of
| value is created when the puzzle is solved (and a tremendous
| amount of resources is not wasted)?
| CaptainOfCoit wrote:
| > puzzles where at least something of value is created when
| the puzzle is solved
|
| What puzzles create something of value when they're solved
| today? A puzzle is typically a thing you do for fun and
| entertainment, not something you try to solve for the
| purpose of creating value.
|
| I guess you're thinking more about logic/mathematical
| puzzles and alike? Would make sense in that case, but
| that's not the only type of puzzle.
| commodoreboxer wrote:
| We can and do, all the time. And all puzzles are a "waste
| of resources", really.
|
| I'm not into crypto and I do think Bitcoin is stupid and
| wasteful, but I don't find it "sick" or all that upsetting
| that this kind of puzzle exists, though I think some smart
| contract-based Ethereum puzzles could be much more
| interesting, demanding solutions to more interesting
| problems that don't directly relate to the blockchain
| itself. Imagine a smart contract with a pot anybody can pay
| into that pays out to whoever could crack a particular
| previously unsolvable problem. Basically a public bounty.
| The only downside is that it has to be a problem that can
| be validated algorithmically.
| wruza wrote:
| Puzzles are training and intellectual entertainment,
| something you cannot have a web server without, cause sad
| nerds are unproductive.
| kelnos wrote:
| This isn't really a puzzle, though. A puzzle requires
| intellectual curiosity and creativity to solve.
|
| This was just a race to see who could burn the most
| CPU/GPU cycles the fastest.
|
| Even when a real puzzle has a monetary reward for solving
| it, a big component of the reward is the solving itself.
| For this, the reward is just money.
| erulabs wrote:
| The use of the word "we" is curious. You didn't come up
| with the puzzle, you didn't "waste" the resources. The
| purpose of the we is to appoint yourself judge and arbiter
| and to steal yourself into the in-group. Just post your
| judgement: you don't like that _someone else_ did something
| you don't like with _their resources_.
| amelius wrote:
| That sounds like an ad-hominem attack to avoid the
| question, tbh.
| erulabs wrote:
| At the risk of sounding snarky: It wasn't. It does
| however, answer the question. "We" do not need to change
| our allocation strategy whatsoever because "we" didn't
| allocate any resources towards this and "we" aren't the
| arbiter of what others can or cannot do with _their_
| resources.
| amelius wrote:
| "We" as in "us humans".
| timacles wrote:
| Pretty sure all puzzles are a tremendous waste of time and
| create no value.
| fluoridation wrote:
| That wouldn't be a puzzle, then. It would be some kind of
| engineering challenge. A puzzle starts by knowing the
| answer and then putting some circuitous path between it and
| the player, that they have to figure out how to navigate.
| It's inherently wasteful to construct puzzles.
| amelius wrote:
| Unless the people solving the puzzles learn something
| valuable on the way.
|
| Anyway, I don't agree that puzzles by definition have
| known answers, unless you want to nitpick and I just
| change my "puzzle" into "challenge".
| samatman wrote:
| The sibling comments are all correct that you're special-
| pleading the criterion that a puzzle create something of
| value.
|
| But, as it happens, this one does: it offers economic
| incentive to develop more efficient attacks on elliptic
| curves. The curve Bitcoin uses isn't widely used outside of
| it, but that doesn't mean that an efficient attack on
| Secp256k1 wouldn't apply elsewhere.
|
| Is this modest as positive externalities go? Probably yes.
| Could someone with a better attack on the curve just empty
| wallets? Not necessarily, and probably not: the point of
| the puzzle is that the entropy has been deliberately
| reduced to make it crackable with brute force, so, say
| someone worked out a factor of four improvement: that isn't
| going to get you into the Genesis Wallet, but it
| substantially lowers the price of claiming some of the
| puzzles.
|
| Also, being a cryptographer and being a thief are unrelated
| professions. Some people might be inclined to both, but I
| would guess that most are not.
| wruza wrote:
| Why should "we"? You can hear "we should/must" from all
| corners here but then remember it's a US start-up'ers
| forum with people who plan morning meetings for email
| regexps.
|
| Bitcoin may be an inefficiency, but is it the? Most
| everyday things modern first-world people do are equivalent
| to burning oil and shredding trees for little to no reason.
| You just can't see it as clearly as in PoW crypto.
| gizmo385 wrote:
| Is there something unique or special about the private keys that
| are guessed? This seems like an incredibly wasteful allocation of
| compute (which wouldn't be surprising given that it's bitcoin but
| still)
| p4bl0 wrote:
| I had the same reaction. Isn't Bitcoin wasting enough energy as
| it is?
| sammy2255 wrote:
| What if it's 100% green energy? Is it a waste?
| LadyCailin wrote:
| Given that green energy is currently finite, and shortfalls
| are (generally) made up for by non-green energy, yes.
| adastra22 wrote:
| Yes, there are opportunity costs.
| chx wrote:
| Of course. It's still energy produced which could be used
| for something that is not a scam; that is not just funding
| North Korea with extra steps.
| danogentili wrote:
| It's even more of a waste.
| Byxxi wrote:
| I would argue that it's still a waste, because that energy
| could be put to an otherwise better use. Now that energy
| has to be replaced by a non-green counterpart since it's
| been spent.
| throwawaymaths wrote:
| What if you're using that energy in your hot tub, or to
| heat your house during the winter?
| Byxxi wrote:
| Are you arguing staying alive through winter as something
| less beneficial to bitcoin mining?
| fecal_henge wrote:
| Depends if they are wintering inside or in the hot tub.
| thinkmassive wrote:
| If electricity is being used to generate heat (for a
| house, hot tub, etc), and that heat happens to be
| generated by a bitcoin miner, is it more or less wasteful
| than only using the electricity to generate heat?
| BenjiWiebe wrote:
| That's fine, provided you weren't going to heat it with a
| heat pump before you decided to use a Bitcoin miner. I
| suppose there's also a slight environmental cost in
| producing a Bitcoin miner vs producing a heating coil but
| I'm going to assume that's negligible.
| Mountain_Skies wrote:
| Since energy isn't easily transported, wouldn't that
| really depend on where the energy was produced?
| qwertox wrote:
| I'd argue that no other thing, apart from information, is
| transported as easily as electricity, once the grid
| exists. Sure, there are capacity limits, but I doubt that
| shutting down crypto mining would cause problems to the
| grid.
|
| I recently read that some are thinking about connecting
| the US with Europe via DC cabling.
|
| Here's a related, old article: "Submarine power cable
| between Europe and North America: A techno-economic
| analysis" (2018)
|
| * Developed a 2030 power dispatch model of Europe and
| North America (NA).
|
| * Identified socio-economic benefits of European-NA
| electricity trading through a HVDC cable.
|
| * A 4000 MW cable increases social welfare by 177 MEUR on
| an annual basis.
|
| * This benefit for society is sufficient to cover the
| investment costs.
|
| https://www.sciencedirect.com/science/article/pii/S095965261...
| grues-dinner wrote:
| I did not expect the energy would flow so heavily
| _to_ North America (24.1:3.3 TWh ratio over a year).
| keyringlight wrote:
| And adding green energy to the grid would let you
| displace/turn off non-green generation if the load wasn't
| increasing (as much).
| jgalt212 wrote:
| It's all one energy market however. It's a bit of a rough
| approximation, but green energy wasted on unnecessary
| purposes is green energy not used for necessary things.
| dodoisdodo wrote:
| You still have to pay infrastructure depreciation costs,
| financing costs and labor costs.
| monkeyfun wrote:
| There may not be a continuous fuel expenditure, but there
| is a maintenance cost for the grid infrastructure, keeping
| panels or turbines in good working condition, etc. -- not
| to mention the manufacturing costs and, since no
| organizations are currently engaged in microwave power
| transmission from solar-power satellites in space -- not
| insignificant associated monetary and opportunity costs to
| the land used.
|
| Conclusion: yes, it's still a waste, unless that energy was
| surplus absolutely not going to be used for anything better
| or able to be stored, although even then the compute
| resources could have probably been used for more useful
| problems.
| TZubiri wrote:
| Not unless everyone is using green energy.
|
| California uses green energy, but in doing so increases the
| mining reward, which increases the mining from countries
| like china and russia, who do not use green energy.
| qwertox wrote:
| Probably. The energy could have been available to any
| energy intensive industry, helping them if the resource is
| too scarce and eventually lowering production prices if it
| wasn't scarce. You notice it in Germany where energy has
| become very costly in the last couple of years, where it
| then makes more sense to limit production or even close
| altogether.
| ericd wrote:
| My impression is that transmission capacity is often the
| limiting factor, so you can't really think of eg solar
| energy as being fully fungible. At least in the US, there
| are frequently multi-year delays on solar deployments
| because the transmission capacity to where it could be
| reasonably used isn't there. The interconnection queue is
| extremely long in many places.
|
| As something that's eminently portable, I think crypto
| mining might actually have a use in derisking building
| out solar deployments, as a sort of buyer of last resort.
|
| It might be nice to have other very portable energy sinks
| to eat up temporarily cheap locally available
| electricity. I think this might be part of the dream of
| the hydrogen proponents.
| nephanth wrote:
| Yes? If the energy could be used for something productive,
| but is instead used for something unproductive, then it is
| a waste
|
| While that energy technically serves the purpose of letting
| a monetary system function, traditional monetary
| infrastructure requires vastly smaller amounts of energy,
| thus this is a wasteful use of it
| Jach wrote:
| Last time I did some numbers, bank of america spent
| around $1bn per year in cybersecurity alone, and bitcoin
| mining energy cost about 10x that. For ensuring the
| security of a trustless worldwide monetary system, it's
| not that bad in comparison.
| Ekaros wrote:
| Only in very limited scenarios. Namely when there is excess
| production and it is used near production of that green
| energy. And the green energy is not dispatchable. So wind
| or solar in times of excess production.
|
| Which as a whole is very limited scenario.
| jwr wrote:
| > What if it's 100% green energy?
|
| It is very much not:
| https://www.theguardian.com/technology/2022/feb/18/bitcoin-m...
| kobalsky wrote:
| controlled arms race to improve things on both sides and it
| doubles as a canary.
| LegionMammal978 wrote:
| If someone had totally broken the hash in secret, I doubt
| they'd burn it on such a low-stakes canary.
| gosub100 wrote:
| somewhat-related:
| https://en.wikipedia.org/wiki/RSA_Factoring_Challenge
| cj wrote:
| Interesting: Reading the first page of the bitcointalk forum, the
| puzzle originated from this wallet, which has an incredible
| amount of volume going through it. 10,000+ transactions and over
| a million BTC sent/received.
|
| https://www.blockchain.com/explorer/addresses/btc/173ujrhEVG...
| ivanjermakov wrote:
| Who is paying to the puzzle solvers?
| horacemorace wrote:
| Everyone who trades fiat for crypto.
| doctorwhat wrote:
| Three-letter agencies? Could be a nice way to find out if a
| foreign entity has an enormous brute-force capability? But more
| likely I'd say they got their bitcoin back when a core2duo was
| enough to generate a few of them overnight...
| cmcaleer wrote:
| Prize pool would have to be much more than $400k to justify a
| state actor flexing that kind of capability, NK makes far
| more than that exploiting crypto protocols.
| PcChip wrote:
| The btc has been in the wallet since the puzzle was created
| Dwedit wrote:
| Do they have a buyer for that $400k? If not, it's not worth
| $400K.
| Powdering7082 wrote:
| 24h Volume: $9,800,480,342
|
| Liquidity of less than a million worth of BTC hasn't been a
| problem for a long time
| somebodythere wrote:
| The market is liquid enough to absorb a sale for $400K.
| thfuran wrote:
| Bitcoin is more than liquid enough to offload a half dozen
| without issue.
| FileSorter wrote:
| One of the most profoundly dumb comments I have read here.
|
| It takes 3 seconds to look up the 24h volume for BTC and it is
| $9.6 Billion
| jakobov wrote:
| Don't be mean
| latchkey wrote:
| No matter how dumb it is, in general, it is always better to
| just respond with the answer and not comment on the comment
| itself.
|
| https://news.ycombinator.com/newsguidelines.html
|
| "Be kind. Don't be snarky. Converse curiously; don't cross-
| examine. Edit out swipes."
| TrackerFF wrote:
| Might sound dumb, but there are still places in the world
| where having $400k worth of BTC != $400k in the bank.
|
| Plenty of banks will freeze your bank account instantly.
|
| And good luck convincing them that you stumbled upon $400k by
| solving a puzzle - only takes one suspicious fraud/risk
| manager to conclude that there's a higher chance of fraud
| than legitimacy.
|
| (But you are right, no problem to find someone to pay you the
| market price. That's a done deal in seconds)
| kolinko wrote:
| Examples of such places? I did KYC/AML with multiple
| European banks when withdrawing crypto, and while they
| checked thoroughly, there were never any issues.
| TrackerFF wrote:
| From personal experience, a bunch of Norwegian banks.
| I've had transactions that are equivalent to $5k trigger
| such events. And you get grilled.
| xboxnolifes wrote:
| You don't need to sell it all at once.
| outofpaper wrote:
| The current market easily eats up 6.6 BTC without much
| movement. Are you looking at a smaller pool like Canada
| exclusively? Look at the Euro or USD markets. They are much
| much deeper.
| umanwizard wrote:
| 1. Create Coinbase account
|
| 2. Deposit bitcoin
|
| 3. Market order sell all
|
| 4. Withdraw USD
| CaptainOfCoit wrote:
| Step 2.5 Argue with Coinbase about if you're a legitimate
| owner or not
|
| Step 2.6 Coinbase blocks your account citing "Suspicious
| activity"
|
| Step 2.7 Sign up to three other exchanges, split the loot
| across them
|
| Step 5 Argue with the bank about the source of funds
|
| Step 6 Argue with tax agency that you'll fill out your taxes
| correctly
| umanwizard wrote:
| Even if this is true (and I suspect it's exaggerated), I'd
| be happy to go through this trivial amount of hassle for
| $400K.
| red_admiral wrote:
| For something like $10k-20k I bet you could get someone
| (good lawyer?) to solve those problems for you, leaving you
| with $399-398k. Worth the deal, I think.
| Biganon wrote:
| The math doesn't check out
| kolinko wrote:
| Kraken would cause no problems for 2.5-2.7
|
| Taxing this is super simple, you just mark as "other" -
| akin to finding money on the ground.
|
| Arguing with bank - which specific bank would cause
| problems here?
| londons_explore wrote:
| 400k I think is no problem. I heard of someone with 10,000 BTC
| having some serious trouble finding a buyer though.
| adastra22 wrote:
| That's 5% of the daily trade volume. Shouldn't be an issue.
| londons_explore wrote:
| Except trade in bitcoin is fee-free and mostly regulation-
| free, so there is a lot of wash trading.
| odyssey7 wrote:
| What category of taxable income would this be in the US?
| bornfreddy wrote:
| Asking for a friend?
| greyface- wrote:
| 1040 Schedule 1 Line 8(z) "Other income"
|
| IANAL, etc.
| jncfhnb wrote:
| Losses due to theft
| arcanemachiner wrote:
| Looks like the coins were stolen by a bot:
|
| > https://bitcointalk.org/index.php?topic=1306983.msg64535839#...
|
| I'm not super familiar with the concept (and I'm too lazy to look
| into it TBH), but I think the would-be winner posted the private
| key before enough (any?) blocks were mined, and the thief posted
| a transaction with a bigger fee, and the thief's transaction was
| in the block that got mined.
| kneel wrote:
| That's not how bitcoin works
| ffsm8 wrote:
| Feel free to click on the link.
| dartos wrote:
| That's exactly how bitcoin works.
|
| As a miner, if I see two conflicting transactions I will
| prioritize the one which pays more rather than the one I saw
| first.
| dools wrote:
| So someone stole the prize and left some sort of calling card
| mocking everyone solving bitcoin puzzles?
|
| 1Jvv4yWkE9MhbuwGU66666666669sugEF 0.00000001
| 1YouAreSoDumbLoL666666666667K5aR4 0.00000002
| 1WhatWereUThinking6666666662wkqq1 0.00000003
| 1YouDeserveNothing6666666665sbbBC 0.00000004
| 1YouEpicFaiLure66666666666688GSDA 0.00000005
| 1BitchAssLoser66666666666669dBUVg 0.00000006
| 1AndEveryoneELse666666666669Vnc8C 0.00000007
| 1ThisisALosingGame6666666667HAZdf 0.00000008
| 1JustGetAReaLJob666666666665vGKVD 0.00000009
| 1YoureWastingTimeAndMoney664CVExC 0.00000010
| 1AndCausingCLimateChange6666HK8Qc 0.00000011
| 13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so 0.00000012
| 1Jvv4yWkE9MhbuwGUoqFYzDjRVQHaLWuJd 0.00000013
| 1FK5PjPNARQmg94n2cNHTo9417kWfXUDBQ 0.00002125
| lmz wrote:
| That one is sending money to the address, not taking money
| from it.
| GistNoesis wrote:
| >posted the private key before
|
| When you post a transaction, the public key is in the
| transaction (inside the field "sigscript"). With the public
| key known you only need 2^(66/2) checks (instead of 2^66),
| which can be done really fast.
|
| So some bot watched the address, obtained the public key,
| computed the private key from it, and front-ran the original
| submitter probably with a deal from a mining pool to make sure
| his transaction is enforced.
| TacticalCoder wrote:
| > When you post a transaction, the public key is in the
| transaction (inside the field "sigscript")
|
| Is that true for every single Bitcoin transaction?
|
| > With the public key known you only need 2^(66/2) checks
| (instead of 2^66), which can be done really fast.
|
| Then how come not _all_ Bitcoin transactions are front-run
| like that and Bitcoin is not worth zero already? 2^33 is
| indeed nothing: 8 billion (so I understand this can be easily
| cracked).
| GistNoesis wrote:
| >Is that true for every single Bitcoin transaction
|
| I think so, for outgoing transactions (aka to remove from
| the address), it's kind of needed to verify the signature.
|
| The 2^66 is only for this game where only 66 bits were left
| unknown. In the general case obtaining the private key from
| the public key is much longer.
| TacticalCoder wrote:
| Ah gotcha, that's what I missed. Thanks for your
| explanation. For a regular address, even with the public
| key, if there are 256 unknown bits it'd be 2^128, which
| is statistically unlikely to be solvable.
| ChrisClark wrote:
| Edit: I see it's because in this instance there was less
| entropy, I guess a normal transaction has a lot more bits to
| guess
|
| Why doesn't this happen with every large transaction then?
| Someone tries to move 10 BTC, instantly stolen?
|
| Basically you're saying that every single Bitcoin transaction
| can be stolen "really fast".
|
| Am I missing a step here?
| Stagnant wrote:
| It is based on the fact that the upper range limit of the
| private key used in the puzzle is known. A securely
| generated private key would not be vulnerable even if its
| public key is known.
|
| The second post on this thread[0] has a helpful chart that
| makes it easier to understand.
|
| 0: https://bitcointalk.org/index.php?topic=5218972.0
| mrb wrote:
| No private key was posted too early. What happened is the
| person who spent all the computing power to brute force the 66
| bits broadcasted, naively, a transaction to send the 6.6 BTC
| reward to his wallet. However, when doing so, the public key is
| by design revealed on the blockchain. Someone's bot whose sole
| purpose is to steal these puzzles' rewards was monitoring the
| blockchain and spotted the transaction before it got confirmed
| (on average confirmations occur every 10 minutes), then it
| processed the now known public key from which the private key
| can be recovered in 2^33 operations (2^(n/2)), then crafted
| another transaction to send the reward to his wallet, with a
| higher fee, so his transaction got confirmed, instead of the
| discoverer's lower-fee transaction.
|
| This is a well-known attack. The discoverer was sophisticated
| enough to brute force, but not enough to know about this risk
| :)
| motoxpro wrote:
| As much as this sucks, I absolutely love how the blockchain
| is a real-life version of a Dark Forest
| Terr_ wrote:
| I feel like this is another useful example to have handy
| against the canard: "You're only skeptical of
| cryptocurrencies/blockchain because you haven't learned
| enough about how they work."
|
| I think the correlation is the other way around, at least
| once you get past some very early local maxima of "people who
| don't understand how money can be in a computer."
|
| P.S.: To digress (rant) a bit: The linchpin is whether your
| system needs to allow anybody to create any number of new
| participant nodes at any time. That core requirement is
| actually _very rare_, and it's the root for a cascading tree
| of workarounds and compromises and inefficiencies. (Mining,
| proof of work/stake, clearing times, transaction fees, etc.)
| fernandopj wrote:
| But how could he have avoided this attack? I'm only familiar
| with Bitcoin's blockchain on a beginner level. But I assume
| the only way would be to avoid revealing the answer key
| (public) when sending the transaction to get the reward?
| drexlspivey wrote:
| One way would be to not broadcast the transaction publicly
| but send it to a mining pool directly
| hoerzu wrote:
| Private mempool transaction
| Jerrrrrrry wrote:
| There is actually no way to avoid this, aside from setting
| the Fee nearly to the reward.
|
| It's essentially MitM all the way down.
|
| even the private mempool can attempt a double-spend with a
| larger fee, get one transaction ahead, then try to maintain
| an edge long enough to be the "longest branch" for
| consensus - the 51% attack only needs 33% in reality, much
| less when you're the private mempool that can take advantage
| of the birthday paradox to jump two blocks ahead.
|
| you have to literally mine your own coin with the reward
| transaction included.
|
| of course, zpk+ would solve this issue entirely.
|
| Alice and Bob wouldn't ever doubt each other again.
| thrtythreeforty wrote:
| What is the less-naive way to claim this type of puzzle?
| Stagnant wrote:
| That is correct. Basically you have to get lucky that after
| submitting the transaction a new block would be confirmed
| within 1-2 minutes which I think is around the timeframe that
| it will take for a top consumer GPU to bruteforce the private
| key.
|
| I'd be curious to know if it is possible at all to "securely"
| send the funds of these puzzles or if there is some hard
| limit that requires the pubkey to be published with the
| transaction.
| Dibby053 wrote:
| That must hurt. In case I crack the next puzzle... how should
| I go about collecting the prize without having to mine a
| block myself or trust a miner not to screw me over?
| thundergolfer wrote:
| We had fraudsters using modal.com compute to solve this
| challenge. It's not traditional mining software so it didn't
| initially get flagged, but we've updated our detection to catch
| it now[1].
|
| 1. https://modal.com/blog/catching-cryptominers
| ggrelet wrote:
| Just here to say I think modal is really cool. Keep up the good
| work!
| iJohnDoe wrote:
| Can someone ELI5?
|
| I thought cracking anything to steal bitcoin was impossible due
| to the keys sizes involved? Is this possible because a portion of
| the key is already available so there is less to crack?
|
| Which key is known? The public or private? Another comment said
| the "now known public" but then also said the private key can now
| be recovered by cracking it? Two keys need to be cracked?
|
| What kind of computing power is needed to crack both keys and how
| long?
|
| Thanks. Sorry, I'm an idiot when it comes to bitcoin.
___________________________________________________________________
(page generated 2024-09-15 23:00 UTC)