Did we just pass the P2PK brute force price point, or are we getting prepared? \ stacker news ~bitcoin

Did we just pass the P2PK brute force price point, or are we getting prepared?

2668 sats \ 26 comments \ @antic 5 Mar bitcoin

Someone just moved ‎999.998 BTC from very old block reward payout addresses that were given as unhashed public keys:

https://mempool.space/tx/9f69e4b5f7d9330135178f2c6c1c9fbf18dd0803bad346dbe20cd7f451ed4355

These would be the prime target of using Shor's algorithm to attack bitcoin private keys--an unhashed address is exposed to factoring attacks.

I wrote a big detailed rant/rebuttal on Quantum now proving "The end of crypto": https://antic.substack.com/p/response-to-the-end-of-cryptocurrency

None of this changes.

But the question is now out there: was this the legitimate owner of these coins moving them to a more secure multisig (kudos to you), or was this an attacker getting ahead of the curve?

view all related items

30 sats \ 3 replies \ @ch0k1 5 Mar

Amazing article 👏

Can you recommend me a well written literature on the topic of the deep Bitcoin technicalities?

21 sats \ 1 reply \ @ZezzebbulTheMysterious 5 Mar

These are both good resources especially anything written by sipa.

https://bitcoin.stackexchange.com/ https://en.bitcoin.it/wiki/Main_Page

0 sats \ 0 replies \ @ch0k1 5 Mar

Thank you 🙏

0 sats \ 0 replies \ @Fabs 6 Mar

deleted by author

39 sats \ 10 replies \ @037447d9ca 5 Mar

afaik keys are only exposed once used. so they were safe... until now. address reuse is discouraged for this reason (amongst others)

56 sats \ 9 replies \ @antic OP 5 Mar

The thing that gets exposed when you spend from a P2PKH (pay to public key hash) is the unhashed PK (public key). Factoring large primes requires knowing one of the two large numbers. The private key is one number, the public key is the other number. By using P2PK, the original block rewards were paid out directly to the public key number itself without any secret being made of it. Hashing the public key prevents anyone from deriving the actual number that is the public key, which prevents using a number factoring attack (as long as you keep both the private key and the public key secret).

You could reduce this to make visualization easier by imagining a keyspace of only 10 numbers. By using P2PK, they were saying to the world, "my secret key maps to the public key for the number 6" and then someone can simply find the private key that matches the number 6. Hashing the public key prevents anyone from knowing which of the 10 numbers your private key pairs with, so they would have to brute force and test each one, which is very doable for a keyspace of 10, but relatively impossible for a keyspace of 2^128

40 sats \ 6 replies \ @ZezzebbulTheMysterious 5 Mar

Close but Bitcoin uses ECDSA and Schnorr Sigs, which don’t rely on hardness factoring primes like in RSA. They rely on the hardness of the Discrete Log Problem.

Otherwise yes, by double hashing the pub key, we make it much harder to find the actually used pubkey to try to attack the DLP with.

21 sats \ 5 replies \ @antic OP 5 Mar

ECDSA using Secp256k1 can still be brute forced (albeit inefficiently) using a discrete log solving method like rho:

from sympy import isprime, nextprime

def pollards_rho(G, Q, curve_order):
    x = G
    y = G
    factor = 1
    while factor == 1:
        x = curve_add(x, G, curve_order)
        y = curve_add(y, G, curve_order)
        y = curve_add(y, G, curve_order)
        factor = gcd(abs(x[0]-y[0]), curve_order)
    return factor

def curve_add(p1, p2, curve_order):
    # Simplified elliptic curve addition
    return (p1[0] + p2[0], p1[1] + p2[1]) % curve_order

def gcd(a, b):
    while b:
        a, b = b, a % b
    return a

# Example parameters (not for secp256k1)
G = (3, 7)  # Generator point
Q = (13, 17)  # Public key
curve_order = 19  # Elliptic curve order

d = pollards_rho(G, Q, curve_order)
print(f"Private key (d): {d}")

This would take a gazillion lifetimes of the universe to compute. It could be ported to Shor's on a quantum cluster if the cluster gets stupid large and actually corrects for errors.

Schnorr signatures are also reliant on the difficulty of solving the discrete log problem.

121 sats \ 4 replies \ @ZezzebbulTheMysterious 5 Mar

Yes correct, Nothing to do with prime factoring as your previous message indicated. Did ChatGPT write that code block?

0 sats \ 3 replies \ @antic OP 5 Mar

hah, my brain is still wired in GPG/PGP thinking. Correct, I have a tendency to blurt "large primes! It's all primes!" in my sleep. And yes, that's some unoptimized quick hackery from chatgpt in python. Not usable but readable enough to make the point.

111 sats \ 2 replies \ @ZezzebbulTheMysterious 5 Mar

AI gen code sucks, you will notice it’s importing but not using the isprime, nextprime. We generally called that “Pollards Rho”, not “Rho”.

It’s hallucinating fragments contextually related from a cryptography library.

I would recommend not using chatgpt for code.

0 sats \ 1 reply \ @antic OP 5 Mar

it is absolute garbage at writing code. I didn't even notice that excess import. It did at least correctly name the function pollards_rho :)

view replies

21 sats \ 1 reply \ @ch0k1 5 Mar

I would need a simpler explanation of this concept. Can you please rephrase it or at least provide a reading material where you got this information?

21 sats \ 0 replies \ @ZezzebbulTheMysterious 5 Mar

Sipa explained this in 2018: https://bitcoin.stackexchange.com/questions/72184/why-is-p2pkh-used-instead-of-the-simpler-p2pk

I don’t think it’s a problem today.

270 sats \ 1 reply \ @supertestnet 5 Mar

was this an attacker getting ahead of the curve?

I doubt an attacker would target bitcoin first. Much more to be gained by compromising TLS secured internet traffic, e.g. bank accounts and such.

21 sats \ 0 replies \ @antic OP 5 Mar

absolutely. And, like I said in the linked article, wouldn't it have been so much fun and profitable to sign a bunch of messages using those keys pretending to be Satoshi and sending markets into chaos? The owner of those 2010 block rewards had huge power to pretend to be Satoshi... could have made up a lot of interesting stories. Glad they didn't, but it was in their power.

132 sats \ 0 replies \ @fredosha 5 Mar

We are just getting prepared

0 sats \ 6 replies \ @ZezzebbulTheMysterious 5 Mar

It’s someone moving to sell. Maybe someone moving to a P2TR output.

Nobody has broken ECDSA :-)

31 sats \ 5 replies \ @antic OP 5 Mar

It looks like it went to an exchange. The multisig payout address then shot it all out (9 minutes later) to a collection of segwit addresses as 11.23080108 BTC each and to some multisigs... and the segwit addresses shot them out to more places that appear to be distribution gatway addresses (like https://mempool.space/address/bc1qpn5jcmqjfx3j00j6ktzgrn2gdlf534cjcgtwdq) maybe this is a big odd washing system...

111 sats \ 4 replies \ @ZezzebbulTheMysterious 5 Mar

They will be sitting in Coinbase custody or Gemini custody wallets earmarked as ETF AUM within 24h. :-)

Frankly I’m surprised they sold now! All coins go to Blackrock, except the coins you refuse to sell!

10 sats \ 3 replies \ @antic OP 6 Mar

This person probably has many thousands of bitcoin offline anyway still. Selling this batch of 1,000 might have just been a way to get $68M for spending money for the rest of their lives/retirement.

111 sats \ 2 replies \ @ZezzebbulTheMysterious 6 Mar

Maybe. There ain't many folks with this kind of coin to throw around that are not MS. I suspect most of the early players have been identified or are public at this point.

1,000 coins was always quite a large slice to either mine OR buy IMHO.

10 sats \ 1 reply \ @antic OP 6 Mar

Totally, which is why this particular batch is so interesting. Why stop at moving precisely 1,000 of mined bitcoin unless it’s just a round chunk of a bigger set of holdings.

10 sats \ 0 replies \ @antic OP 6 Mar

Jokes on everyone, Elon Musk has been mining bitcoin since 2010 and he moved it to an exchange so he could ape it into Dogecoin to drive it to $1 before dumping Doge back for 7,000 bitcoin.

Carnage.

0 sats \ 0 replies \ @SaToSHiWoMaN 6 Mar outlawed

stackers have outlawed this. turn on wild west mode in your /settings to see outlawed content.