Bitcoin puzzles are private keys with just a few unknown bits so that anyone can bruteforce them to collect a reward. Puzzle 66 contained 66 unknown bits and had 6.6 BTC deposited into it by the initial puzzle creator. The private key was 0x000000000000000000000000000000000000000000000002832ed74f2b5e35ee or 256 bits with mostly zeroes but 66 random ones.
The previous puzzle by order of difficulty was #64 (not #65, because see below) and was solved on 9/9/2022, so about 2 years ago. In other words, it took about 2 years of compute time to run the 2^66 bruteforcing task.
Puzzles that are multiples of 5 (#65 or #70) are special: they have twice as much entropy. So private key #65 doesn't have 65 bits of entropy but 130 bits of entropy. And the creator of the puzzle intentionally published their public key on the blockchain. When you know the public key, bruteforcing the n-bit private key only requires 2^(n/2) work. So puzzle #65 with a 130-bit key actually requires bruteforcing up to only 2^65 keys.
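An added illustration of the 2^n versus 2^(n/2) point (this is example code written for this page, not code from the thread or from any poster): pure-Python secp256k1 arithmetic plus baby-step giant-step, a deterministic square-root method with the same cost as the Pollard's rho mentioned later in the thread, run on a constructed puzzle-style key whose only unknown bits are the low 20. The 20-bit range and the value 0x8F3A1 are assumptions for the demo; the curve constants are the public secp256k1 parameters.

```python
# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                  # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def bsgs(pubkey, bits):
    """Recover d in [0, 2^bits) with pubkey == d*G using about 2 * 2^(bits/2)
    group operations instead of 2^bits. Returns (d, operations_used).
    Without the public key (address only) this shortcut is unavailable,
    which is the security value of the hash in front of the key."""
    m = 1 << ((bits + 1) // 2)
    baby = {}
    pt, ops = INF, 0
    for j in range(m):                        # baby steps: table of j*G -> j
        baby[pt] = j
        pt = ec_add(pt, G)
        ops += 1
    giant_step = ec_neg(ec_mul(m, G))         # -m*G
    gamma = pubkey
    for i in range((1 << bits) // m + 1):     # giant steps: pubkey - i*m*G
        if gamma in baby:
            return i * m + baby[gamma], ops
        gamma = ec_add(gamma, giant_step)
        ops += 1
    return None, ops

def demo(bits=20, secret=0x8F3A1):
    """Constructed puzzle-style key: every bit zero except the low `bits`."""
    pubkey = ec_mul(secret, G)
    return bsgs(pubkey, bits)

if __name__ == "__main__":
    found, ops = demo()
    print(f"recovered d = {found:#x} with {ops} group ops (exhaustive: {2**20})")
```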
This seems orthogonal to the concept. More efficiently than what?
Having the public key is easier than having an address because an address is the hash of a public key. So in order to crack an address, you must first find a public key that produces that address, and then find a private key corresponding to the public key.
More efficient than brute forcing a private key, as you would have to do when you don't have the public key.
Sure, finding a private key whose public key's hash is given might be 2x slower, but Pollard's rho algorithm is 2^128 times faster.
Asymptotically, an additional hash at the end doesn't matter when you brute force. But it prevents you from using Pollard's rho algorithm, which does make a difference asymptotically.
Technically, while the two problems share the same name, the one on elliptic curves is mathematically different from the one over finite fields modulo a prime number.
I politely don’t understand this. It’s taught in cryptography 101 that breaking ecc is just solving the discrete logarithm problem and there’s a ton of online articles about how to break ecc if you’ve solved the discrete logarithm problem (not that anyone has).
There's a family of discrete logarithm problems, one for each representation of a group. (Where I mean "representation" in the usual sense, not the precise mathematical one. It's an important distinction because the secp256k1 group, for instance, is isomorphic to all cyclic groups of the same order, but the discrete logarithm problem on secp256k1 is harder than the additive group on Z/<order of secp256k1>Z, because the isomorphism is computationally intractable.) So there isn't simply one monolithic discrete logarithm problem.
It's indeed called the discrete logarithm problem both in the case of finite fields modulo some number and elliptic curves modulo a number. In the first case, you are reversing an exponentiation, so you're indeed computing a logarithm. But in the case of elliptic curves you're not dealing with exponentiation, you're instead reversing the multiplication of a curve element (i. e. a point) by a scalar. The two problems (and the way you solve them) look similar in the end, and I think this is why we ended up using the same name. But, if we nitpick, those are different operations and so the two problems are different, despite the similarities.
Note for cryptographers/mathematicians: I know that "reversing" isn't the correct term here, so you could accuse me of the same sin I'm calling out in my previous comment. But it makes the explanation shorter while still conveying the correct meaning in the end.
Wow, that thread is nuts. Scrolled up just a bit and saw this.
My new public key search system is almost ready. I had to reinvent my binary database system because, although the database was lightweight https://bitcointalk.org/index.php?topic=5475626, I had efficiency issues with binary search. This is now a thing of the past. I have designed a system that stores 100 million public keys in an 80 KB file, yes, you read that right, 80 KB! (in the future it will be smaller) that meets maximum efficiency. We would only be limited by the current speed of Secp256k1 when generating the 100 million or more public keys while creating the database. I am finishing designing the search script after months of being stuck due to personal issues, I am finally back on track.
I love these kind of mad inventor rabbit hole corners of the Internet. Kind of brings back the 90s for me when everything was exciting.
How could this work with less than 1 bit of data per key?
Assuming there are no duplicates, which is a sensible assumption, you’d need a minimum of 100,000,000 bits to store 100,000,000 unique entries larger than 1 bit with even a perfect hash function.
In general, when you're storing a list of numbers, there are many situations where you can go below 1 bit per number.
The easiest one to think about is storing the deltas between each number. Let's say 80% of your deltas are 5. If you use arithmetic encoding, then storing a 5 only takes about 1/3 of a bit. It's not hard to come up with probability distributions where the average amount of bits per entry is less than 1.
Also, back in the realm of perfect hashes, once you're more than half full it becomes more efficient to store the missing numbers. If your perfect hash has 100,003,000 possible outputs, then your worst case is around 50k unique entries. By the time you encounter 100k unique entries you only need to keep track of the 3000 you haven't seen yet.
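An added worked calculation for the two comments above (written for this page, not code from the thread): the lossless lower bound log2(C(universe, count)) for storing a set of distinct keys, the per-symbol cost that the arithmetic-coding remark rests on, and the "store the absentees" case. The 100,003,000 universe and the 80% figure are the thread's; the delta distribution {5: 0.8, 7: 0.1, 11: 0.1} is a constructed example.

```python
import math

LN2 = math.log(2)

def log2_binomial(n: int, k: int) -> float:
    """log2 of C(n, k): bits needed to identify one particular k-element
    subset of an n-element universe, i.e. the lossless lower bound."""
    if k < 0 or k > n:
        return float("-inf")
    k = min(k, n - k)
    if k == 0:
        return 0.0
    if n > 2**60:
        # n exceeds float precision; with k^2 << n, C(n, k) ~= n^k / k!
        return k * math.log2(n) - math.lgamma(k + 1) / LN2
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)) / LN2

def min_bits_per_entry(universe: int, count: int) -> float:
    return log2_binomial(universe, count) / count

def symbol_cost_bits(probability: float) -> float:
    """Cost of one symbol under an ideal arithmetic coder: -log2(p)."""
    return -math.log2(probability)

def entropy_bits(distribution: dict) -> float:
    """Average bits per entry when deltas follow `distribution`
    (Shannon entropy; an arithmetic coder approaches this)."""
    return sum(p * symbol_cost_bits(p) for p in distribution.values() if p > 0)

def storage_scenarios() -> dict:
    """Total storage in bytes for 100 million keys under the three
    assumptions argued in the thread."""
    hundred_million = 100_000_000
    return {
        # uniformly random 256-bit keys: no dense structure to exploit
        "random_keys": log2_binomial(2**256, hundred_million) / 8,
        # keys known to lie in a 100,003,000-element range: only the
        # 3000 absentees carry information
        "dense_range": log2_binomial(100_003_000, hundred_million) / 8,
        # sequential keys whose deltas are 5 with probability 0.8
        # (constructed distribution)
        "delta_coded": entropy_bits({5: 0.8, 7: 0.1, 11: 0.1}) * hundred_million / 8,
    }

if __name__ == "__main__":
    for name, size in storage_scenarios().items():
        print(f"{name:12s} {size:16,.0f} bytes")
```

The first scenario comes out near 2.9 GB, so an 80 KB file cannot losslessly hold 100 million unstructured public keys; the second comes out near 6 KB, so the claim is only plausible if the keys are confined to a dense, known range.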
Assuming no duplicates, the only case that would make sense would be if all but a single byte was different (sequentially across all records). Even then you’d end up with more than the number of bytes we’re talking about, even excluding the size of the index (which would be non-trivial).
Why don’t you just read what the guy said by following the links in the forum? Surely, you can find more explanation there that will answer some of your questions? Hahaha! :)
His thing has collisions, so it answers none of the questions.
Also they already did follow the link. That's why they said "they don’t actually store the keys, so the quote is misleading", which you responded to with a laugh and nothing else. And that happened many hours before you made this new comment.
I'm not sure that guy really understood what was going on. If he'd followed the links he would've found the code. Or at least a technical description. So why need to play dumb and ask here, while trying to control the discussion?
I don't like that kind of thing. If you're okay with it, alright. But that's not me.
Am I correct in assuming that beyond a certain point, this is basically an existence proof for somebody having a quantum-supreme solution to Shor's Algorithm?
"Here's $400,000 sitting on the table, hope nobody takes it" which triggers an alarm telling us to replace all our old prequantum cryptography.
If anyone developed a solution to integer factorization, I'm sure they would be after larger prizes than a mere 400k in crypto. A practical application of this puzzle could be to have an estimation of how long it takes to break a public key by conventional means. The moment one of these prizes can be claimed in mere months you know it's time to double the size of the Bitcoin public keys.
If you want to prove that somebody has the ability to pick locks in order to protect your valuables, you leave the prize sitting on the kitchen table (at 66 bits of entropy) behind your relatively easy front door lock, not in a secure vault with triple redundant mechanisms. Somebody with the solution is going to be able to claim the money in far, far less computing time than they could claim a larger prize by breaking industry standard prequantum key sizes.
The $400,000 is an inducement for any participant in that engineering effort to break the conspiracy and take the bag. It's effective during the period between the time that a quantum Shor's solver has been achieved for a given algorithm in theory for 256 bits (and in practice for 66 bits), and the time that a practical solution at 256 bits has been implemented.
Let's say a given intelligence agency's quantum computing efforts have Shor working for 16 bit keys in 2025, for 64 bit keys in 2028, for 128 bit keys in 2033, and for 256 bit keys in 2038. Let's say competing intelligence agencies are 1-3 years behind. Let's say we make it to Puzzle 69 over the next four years. Nice.
I don't know how plausible that timeline is either in spacing or accuracy.
Sometime in early 2029, a bunch of people suddenly find that they're eligible for a $400,000 cash prize if they manage to secretly steal a bit of time on a working quantum computer. In 2030, that group of people doubles, and incorporates a new agency with its own security weaknesses. By 2031 we're talking about four separate countries with their own engineers that have managed to achieve the capability to claim that cash prize. Private corporations are somewhere on the horizon. Very soon this becomes an urgent imperative to anyone inclined, because the prize, like cash, disappears the moment that somebody else seizes it.
It's hard to keep conspiracies, particularly with a verifiable open offer of large amounts of highly portable money on the table to the first person to reveal secrets, and a gradually widening circle of access. The gradually expanding circle of access is what ensures we get some kind of alarm LONG before 2038. Keeping that secret to even 2033 requires hundreds of people and four agencies with diverse motivation and values to consistently turn down cash money for years on end in the interest of keeping their quantum capabilities hidden from the world.
Based on the other comments, is that true? The top comment here implied that the puzzle explicitly had a private key with all 0s except for 66 bits, so that lock was definitely weaker than a key with all bits unknown, right?
Why should the analogy consider each key as a different brand of lock? Each key needs to be cracked separately, but you can use the same method for all of them (assuming one finds a general method and not one based on some property that only a subset of the keys has). So it should be akin to locks of the same brand, using different keys to open them. But that, being of the same brand, can be picked in the same way.
Perhaps each key is not a different brand, but given that the puzzle had only 66 known bits, it seems equivalent to knowing what some of the cuts are on a physical key.
I just think maybe public key crypto is not broken so far because there is no motivation for enough people to work on that. What would one get, without endangering himself, if he breaks integer factorization?
> Or whoever created the puzzles leaking their information.
Or getting hacked. This is super common among people who are known to have high value wallets. Between physical attacks and zero days in everyday software, there's no chance to stay safe when you put that kind of target on your back.
> there's no chance to stay safe when you put that kind of target on your back.
Vitalik Buterin seems to be a counter example here; his net worth peaked around $1.46 billion. He has some interesting writing on how he stays secure. At one point the SHIBA token sent a huge amount of funds to his cold wallet and he details what he did to securely access those funds:
> The funds, he said, were initially in a cold wallet in the form of two numbers written on separate pieces of paper. Buterin said he had to combine the two numbers to get the private key. "One of those numbers was with me; the other number was with my family in Canada," he said. "So I had to call up my family in Canada and tell them to read their number to me."
> Buterin said that he entered the numbers into the computer he purchased from Target after putting the two numbers together. "I sent my ETH out by generating a transaction and then on a computer that I bought from Tarjay [Target] for about $300 bucks for just this purpose."
> Before disconnecting the laptop from the internet entirely, Buterin said he downloaded a program to generate QR codes. After generating the Ethereum transaction, he scanned the QR code with his phone, copied it to the laptop, and then put it into etherscan.io/push Tx. Finally, Buterin said he began sending out the tokens.
Vitalik got indirectly pwned by the infamous DAO smart contract hack, but had the social clout to pause/rollback the supposedly decentralised/immutable Blockchain.
Maybe not the best example of cryptographic security.
> ... but had the social clout to pause/rollback the supposedly decentralised/immutable Blockchain
Vitalik (and all DAO ETH hodlers) luckboxed in that the ETHs locked in the DAO, although "stolen", couldn't be withdrawn by the attacker for a few weeks.
There has been zero pause and zero rollback. Most people don't understand that: by chance the stolen funds were inaccessible to the attacker for a few weeks.
What Vitalik did is he forked (soft fork) the ETH blockchain to modify the rules. That soft fork happened before the cooldown period expired, so the attacker never got to access his funds.
Some members of the community said "adding new rules is against the spirit of decentralization, so we keep using the old chain". The old chain was named "Ethereum classic" while the forked chain kept the name "Ethereum".
Vitalik didn't rollback the chain. The entire community agreed that it was the correct thing to do and did it. That's how consensus mechanisms work. This was easier then because the community was tiny. It would be impossible now.
The proof of this is that some people didn't agree with undoing that transaction. They stayed on the old chain, which is now worthless.
This is such a boring and widely known story now, but it has to come up literally any time someone wants to play crypto tribalism.
I was going to write a more indirect response by way of analogy, but it got too unwieldy. TL;DR: I was predisposed to taking the position you are advocating for, but this argument is incredibly weak while demonstrating the problem, to the point it made me wonder about my own priors. Shape-shifts from "this was totally fine and normal" to "but totally couldn't do it today" to "and guess what the ppl who didn't want to rollback went to 0" to "boring story" to "crypto tribalism", whatever that has to do with anything in this context.
That's what it means to have two chains. One chain undid the transaction. One did not. Do I really need to explain this? Both things happened because there are 2 chains. Only one of them is worth something but they both exist.
I think you got too spun up by the evil They you usually hear talking about this: whatever you're saying here sounds obvious.
The reason why people got confused with your comment is because, e.g., you purport it was fine, it can never happen again, and everyone who didn't agree went to 0.
A lot of tension between those things.
We also understand how one person could have those views and even steelman it into something intellectually consistent. But then the post seems really off because it's sort of a rushed, poor, justification for why you believe something, coupled to bemoaning some sort of unrelated group none of us are privy to.
Yeah, it's strange, the first paragraph seems to just say he didn't roll it back alone, it was a consensus thing, and then the second says actually it wasn't even rolled back because other people kept using the old chain (and somehow this "proves" what was said in the 1st place).
How would anything ever be immutable if people can reassign the symbol/pointer/name?
The DAO hack happened, immutably, no one disputes it. The hashes and blocks and transactions are well-known. So there was a "schism", that explicitly validates the fact that without this large-scale cooperation, without the redefinition of what Ethereum is, it would still be what is on that other branch. These both provide evidence for the immutability and decentralization.
The version of Ethereum after the hack became known as Ethereum Classic. The Ethereum foundation decided to go with a fork of the chain prior to the hack, and pretty much all the devs and the community followed. The value of Ethereum is entirely derived from what people are willing to pay for it, and community is a big part of that. The version of Ethereum which underwent the attack didn't cease to exist, and people can still use it; it's just called "Ethereum classic" now, whereas people who want to use the version of the chain that didn't suffer from the hack can use that version (generally understood to be "Ethereum").
The fact that there are far fewer users of Ethereum Classic (and the market cap is significantly lower) is a testament to how much people care about the community which chose to follow a different history of the Ethereum network.
Small nitpick. In both chains the attack happened.
But in one chain the whole community decided to disown the attacker by injecting hard coded transactions that would send the Ethers back to their original owners.
It wasn't a rollback in much the same way that UPDATEing a row in an MVCC database doesn't actually overwrite that row, it just creates a new version of it that becomes the version that people tend to care about from that point on.
Is this basically saying he sent all the ETH out of his "account" (presumably to another one that was pre-generated & pre-shared half the private key with his family), so that it just had the Shiba tokens left in it?
Then he didn't have to worry about the Shiba related transactions affecting his ETH?
He didn't want to have the signal be that he was happy holding SHIBA and was uncomfortable with that much power & control over SHIBA. So he wanted to be able to transfer his SHIBA out to a hot wallet and then burn most of it and donate the rest. Given the amount of money involved he took extra steps like buying a new computer to generate the new keys, airgapping it from the internet while it held the cold wallet keys, etc.
If you want to enable recovery, you should give ownership of things to smart contracts, which enable things like succession rules and a heartbeat checkin etc.
Public/private keys are not designed to solve that kind of governance problem.
I saw a few places stop accepting cash during covid days but most have started accepting it again. The one place that I frequent that still doesn’t is the haircut store in my town. There are not a lot of options so it’s card or go somewhere that charges almost double.
What's weird to me is that you guys frame it as a bad thing. For me as a European it's the opposite, I'm in trouble if someone doesn't take card. Nobody carries cash any more.
I think pretty much all stores still accept cash, but most people here just never withdraw any. It's pretty much just old people and people buying illegal stuff.
What you deem illegal may not be the next day. Being able to do illegal things is actually healthy for a society. Otherwise we already have the technology to stop all crimes world wide. We could force every person to wear a body cam at all times and failure to do so results in life in prison. Done, crime solved. But that would not be good, no one wants that. But if we did stop every crime imagine how the world would be. Imagine 60 years ago we could stop all crime. Any homosexual would be found and persecuted. Anyone who became a whistleblower would be found and jailed. There are just so many reasons why being able to break the law is fundamental for a society to progress and thrive.
So this is why cash IS a good thing. Sex workers want to do their thing and Johns want to not be instantly called out for using sex workers. The people who long ago realized magic mushrooms work to cure depression want to be able to get it without being jailed. Now, here in Canada, sex work is protected and magic mushrooms will not get you thrown in jail.
So even though you may deem things illegal, I ask you to think of a greater good that cash allows, as everything being digital reveals a lot of information that not all people are comfortable with their government knowing. Be it homosexuals, depressed people trying illicit treatments, or extremely lonely discarded individuals reaching out to sex workers versus suicide.
Lastly according to a quick google search and a few spots I looked at, most only showing 2022 as latest information, most point of sale transactions in Europe are made with cash not card [1].
[1] https://www.statista.com/statistics/786680/share-of-cash-tra...
Just for the record I don't condemn victimless crimes. I'm fine with willing sex workers and I'm fine with drugs. As far as I'm concerned, alcohol is worse than most illegal drugs, and most of the harm from most illegal drugs comes from their illegal status not the drugs themselves. If it was up to me I'd legalize everything. You want to buy heroin just take a mandatory safety class explaining safe use, then go buy it at the pharmacy. People can get it either way, might as well get clean and taxed stuff. I realize that's probably not entirely realistic but that's my opinion anyway. Especially for lighter stuff, heroin and meth might be the exceptions but again, anyone can buy it whenever so honestly I don't see why they shouldn't be able to do it at a pharmacy.
And in northern Europe, pretty much nobody uses cash. In the rest of Europe, at least the places I've been, pretty much every store accepts card and often other digital payment methods.
I don't doubt your statistics, just stating my experience. I just think it's strange that people prefer cash for legitimate purchases. I definitely want cash to stay around, but these days we can use crypto for illegal stuff anyway so it's not really a big deal.
Cash is superior to crypto for anonymity and most people have it, know how to use it and accept it. Bitcoin and the majority of other coins will leave a permanent trail which can be easily associated to the person due to KYC policies and onchain analysis firms. Sure there are privacy coins like Monero but they aren't trivial to acquire without KYC and to find someone that accepts it. So I'm happy that people still use cash despite not doing anything illegal (or immoral) and mostly making payments with card and instant payments.
Was this refusal of a normal cash transaction, or something silly (unreasonably large transaction/transaction all in one cent coins/transaction which would raise money laundering alarms etc)? Like, if you try to pay 10,000 dollars in cash, or, say, buy a stack of prepaid debit cards with cash, most places are going to be sceptical of that.
A small shopping trip with ordinary items totaling less than thirty dollars, actually. Many places of various kinds in California are not accepting cash today; San Francisco passed a local law to require accepting cash as one result.
But touch that $1B+ wallet and suddenly nothing is worth anything... so if I had the capability to silently steal money from the bitcoin blockchain, I would go slow, and in discrete places.
All transactions are publicly visible, so everyone would know that it was now possible for someone to take bitcoins from people. Value depends on resale. Why would anyone ever buy a bitcoin or accept payment with them if they can just disappear at any time?
Ah, I read it too fast and missed the theft context regarding Satoshi's wallet. Thanks. Part of me hopes that in the not-too-distant future Satoshi will do a tiny transaction on his wallet just so all the speculation ramps up again and we get another wave of entertainment.
If that's the problem, you just say "this person had lax security" or "their computer was compromised." In the absence of real proof that will be the default expectation anyway.
I think the other factor to consider is that once you try to sell $200B worth of Bitcoin, the value of Bitcoin suddenly drops to near zero (due to supply/demand).
Which is also why all those company market caps you see quoted everywhere are totally ridiculous. A company is not worth the latest price of a small share transaction multiplied by all the outstanding shares.
There's enough depth in the stock market to make company market caps pretty real. If you had a big chunk of a company, you could sell it for close to the trading price. I'd be shocked if you couldn't get half, as a nice round example number.
I would not be shocked if trying to sell $200B in bitcoin gets you far less than half.
Or some other number-theoretic advance that is significantly below exponential time on the particular type of field or curve being used.
The reason that we use elliptic curves these days, or if we must then something like 8k bit keys to get 128 bits of security over finite fields, is that for the old Z^*_q/Z_p setup, such a faster algorithm exists (index calculus).
Someone could in theory find a better calculus that works only for groups with some specific characteristics of Curve25519, for example. No quantum computers needed.
EDIT: we know that no _generic_ faster algorithm exists, that is one independent of the representation of the group involved, for the traditional computing model. But that doesn't exclude algorithms, as I said above, that work for very particular cases.
Most of what I've learnt here was less from books and more from colleagues/seminars and reading research papers.
You can get a brief introduction at https://soatok.blog/2020/04/26/a-furrys-guide-to-digital-sig... (your own choice if you want that open in a tab at work or not, but there's nothing NSFW in the usual sense in there), and then read the details of each scheme in the RFCs. Some of the RFCs even talk about security implications.
"djb" as he is known in the crypto world has a good paper at https://eprint.iacr.org/2024/1265 , it's 68 pages so "almost a book". He also has a lot of resources on his page https://cr.yp.to . Be aware that he is sometimes ... controversial (not racist or anything, just has strong opinions on FIPS and the NSA and has actually taken the US government to court in the past over this). He's the author of Curve25519.
Except that the Bitcoin only has value so long as the cryptography behind it is secure. If it is broken, then the value drops to zero and all your coins are worth nothing.
Well, a time-traveling computer can solve problems of an entirely different (much larger and a strict superset) category than the ones a quantum computer can.
You don't even need to travel far. A second or so is enough to break all cryptography, even the post-quantum one.
Not necessarily, if there's e.g. a trillion keys to try, every tried key has a 1 in 1-trillion chance to be it, so it could be found by chance after just one try.
(disclaimer, I don't know statistics, cryptography, bitcoin or chances)
Yes, but in your example the probability of finding it at the first try would be one in a trillion, which is already so small as to be negligible. And 2^66 is much bigger than that.
I think you're mixing up the concept of entropy. The entropy is the measure of randomness in the data and with more entropy, the harder cryptographic schemes are to break. Going back to your comment, the asserted 130 bits of entropy in the key would be harder to break than 65 bits.
I'm also unclear on where you got the 'multiple of 5' bit from. It seems the keys corresponding to numbers divisible by 5 were used in a spend transaction by the puzzle creator. Using those addresses in spend transactions reveals the public key and saves compute that would be wasted hashing. It also enables direct attacks using Pollard's rho (which someone already posted a link for above).
I think the puzzle idea is that, if you could figure out a weakness in the hash, you could claim it faster than the brute force approach. So each prize that's claimed "on schedule" supports the idea that there aren't any widely known shortcuts.
Obviously if you found a shortcut in the hash you might do other things first, but I think that's the idea.
There is a difference between a weakness and complete breakage. You might have a small edge over brute force, but not enough to reverse any public key. This acts like a canary for weaknesses.
Some people just want the cred though. Their name will be immortal and live through history as being something, or some such nonsense that feeds an ego.
Also, if you were the type that thinks bitcoin is lame, this could be a way of undermining the concept to the point that people no longer use it because it's not as secure as it was touted.
So if someone figures out how to do it, they then effectively have a button that destroys a massive amount of wealth worldwide owned by a pretty specific group of people? That's fascinating, with billions of dollars at stake people would absolutely kill for that, not to mention the governments that use crypto on a macro scale for avoiding sanctions etc. Would probably make a really good thriller.
My theory: The wealth would probably effectively transfer to holders of other currencies. You aren’t really destroying wealth by destroying currency; the supply of stuff is still available. Just now the demand for it from crypto-holders is gone, so it’d get cheaper for USD-holders.
Electricity net controllers here are pretty happy when I boil some ocean on a sunny day. In fact at times they give me money for it. And then I can donate sats to indie content creators using podcasting 2.0 features.
But I think you are one of those people that threw out that baby with the bath water long ago.
It’s certainly growing. We have many issues here where solar panels are turned off at peak hours. People get less and less money for delivering power to the net, and indeed sometimes have to pay to do so. This will only increase.
Optimization and efficiency are sometimes underappreciated puzzles. We know that the air contains nitrogen for example but without the wild efficiency of the Haber process, most of us would likely be dead right now.
Custom silicon and all kinds of related optimizations were likely used to successfully brute-force this number.
Curious to know because I've never looked into this stuff: doesn't the _public_ key have to be available anyway so you can send the coins to the address in the first place and have that recorded on the ledger?
A wallet address (where money is sent to) is the public key hashed. This money can then be spent with a transaction containing both the signature and the public key.
This is one of the reasons it is advised never to reuse an address. After using it once, your private key may still be private but your public key is exposed, reducing security.
Once you have the private key, you would submit a transaction with that private key and authorize a transaction to a public key that you control, and doesn't have part of the private key available.
You don't need the public key, and IIRC most algorithms allow you to derive the public key from the private key, though I'm not sure that's the case with Bitcoin. I have vague memories that there are algorithms where this is not the case, but it's been a while.
If you have a normal ECDSA private key, you get only one public key. However, there are ways to get a 1-to-many scheme, and similar ideas are used in U2F (yubikey or similar) systems.
The basic idea is you pick one private key that's a sequence of 256 bits or so, call this k. When you need a keypair, you compute H(k, tag) to get another bitstring, then turn that into an ECDSA private key (minding the bear traps here) and that then has a single public key.
For example in U2F, the key derivation is H(k, domain, ...) where k is the secret baked into the USB token, domain is the domain you're logging in to (this is the part that protects against phishing, among other things) and further protocol-specific information.
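An added example of the H(k, tag) pattern described above and of the "bear traps" it alludes to (example code written for this page, not from the thread or from any U2F implementation): a hypothetical HMAC-SHA256 derivation that rejection-samples into [1, n-1] instead of reducing mod n, plus a helper that quantifies the bias a plain `% n` would introduce. The master secret, origin names and handle bytes are constructed; the group order is the public secp256k1 constant.

```python
import hashlib
import hmac

# secp256k1 group order (public constant)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def derive_scalar(master: bytes, *tags: bytes, order: int = N) -> int:
    """Hypothetical H(k, tag, ...) derivation: HMAC-SHA256 keyed with the
    master secret over length-prefixed tags plus a retry counter, rejection-
    sampled into [1, order-1]. The traps: 0 or a value >= order is not a
    valid private key, and a bare `% order` skews the distribution."""
    msg = b"".join(len(t).to_bytes(2, "big") + t for t in tags)
    for counter in range(256):
        digest = hmac.new(master, msg + bytes([counter]), hashlib.sha256).digest()
        candidate = int.from_bytes(digest, "big")
        if 1 <= candidate < order:
            return candidate
    # For secp256k1 a single rejection has probability about 2^-128.
    raise RuntimeError("rejection sampling failed after 256 attempts")

def reduction_bias(hash_bits: int, order: int):
    """What a naive `x % order` does to a uniform hash_bits-bit x: returns
    (fraction of residues that are over-represented, by what factor)."""
    q, r = divmod(1 << hash_bits, order)
    if r == 0:
        return 0.0, 1.0
    return r / order, (q + 1) / q

def u2f_style_key(master: bytes, origin: str, handle: bytes) -> int:
    """One master secret, many per-origin keys (the 1-to-many pattern).
    Binding the origin into the derivation means a site on a different
    origin gets a different key, which is the anti-phishing property."""
    return derive_scalar(master, origin.encode(), handle)

if __name__ == "__main__":
    master = bytes(range(32))  # constructed demo secret; never reuse it
    print(hex(u2f_style_key(master, "example.com", b"handle-1")))
    print(reduction_bias(8, 100))    # toy: (0.56, 1.5)
    print(reduction_bias(256, N))    # secp256k1: negligible fraction, factor 2
```

For secp256k1 the bias of a bare reduction is negligible because n is so close to 2^256; the helper makes that visible next to a toy order where it is not, which is the check to run before reusing this pattern on another curve.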
New to this puzzle! Do you have a more detailed resource to the puzzle? Is it basically brute forcing based on all public keys available on the Bitcoin blockchain? Could this be considered stealing?
The point of the puzzle is indeed to brute force some private keys (not public keys), but not all, as 2^256 is computationally impossible. The private keys that have been discovered so far have obviously many zeros in them, so in practice you are never going to accidentally steal from a legitimate address with actually 256 bits of entropy.
The creator of the puzzle is anonymous and never came forward (to my knowledge). The point of the puzzle is (1) to be a fun game, and (2) to be a publicly observable way of measuring current brute forcing capabilities.
First, a question: is there something similar for other blockchains? And, a clarification, when I said public keys I referred to public keys that match an unknown private key but I understand now (am I correct?) that this puzzle is purely brute forcing private keys with a lot of zeroes and then matching with the addresses in the blockchain (which would be a function from the public key).
I don't know if other blockchains have these puzzles. You are correct that this puzzle is brute forcing private keys with a bunch of zeroes, from which a public key can be calculated.
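As an added example (not code from this thread or from any commenter), the following pure-Python secp256k1 toy covers two things discussed above: the H(k, tag) one-to-many key derivation from the U2F comment, and the puzzle scan from the question and answer just above (scan an n-bit private-key range, hash each public key, compare with the target address). Assumptions, all mine: HMAC-SHA256 stands in for H, SHA-256 of the compressed public key stands in for a Bitcoin address (real P2PKH addresses use RIPEMD160(SHA256(pubkey)) plus Base58Check), the master secret and the 16-bit toy puzzle key are constructed, and the function names are hypothetical. The second solver illustrates, on the same toy key, why an earlier comment says that exposing the public key reduces security: baby-step giant-step recovers the key in roughly 2^(n/2) curve operations instead of 2^n.

```python
# Added example, not from the thread. Pure-Python secp256k1 toy: tagged key
# derivation, puzzle-style range scan by address, and BSGS once the public
# key is known. Curve constants are the real secp256k1 parameters.
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on secp256k1 (y^2 = x^3 + 7); None is infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:          # a == -b
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_neg(pt):
    return None if pt is None else (pt[0], (P - pt[1]) % P)


def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r


def compress(pt):
    """33-byte SEC compressed encoding of a public key."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def derive_privkey(master, tag):
    """H(master, tag) -> scalar in [1, N-1]. The 'bear traps': the hash output
    must be rejected (or reduced) when it is 0 or >= N. HMAC-SHA256 is an
    assumption; U2F tokens use vendor-specific constructions."""
    ctr = 0
    while True:
        d = int.from_bytes(hmac.new(master, tag + bytes([ctr]), hashlib.sha256).digest(), "big")
        if 1 <= d < N:
            return d
        ctr += 1


def address_of(pt):
    """Constructed stand-in for an address: SHA-256 of the compressed pubkey."""
    return hashlib.sha256(compress(pt)).hexdigest()


def solve_puzzle_by_address(target_addr, bits):
    """Puzzle scan over private keys in [2^(bits-1), 2^bits). Each step adds G
    once rather than redoing a full scalar multiplication, which is how range
    scanners work. Worst case: 2^(bits-1) additions plus one hash each."""
    k = 1 << (bits - 1)
    pt = ec_mul(k)
    while k < (1 << bits):
        if address_of(pt) == target_addr:
            return k
        pt = ec_add(pt, G)
        k += 1
    return None


def solve_puzzle_by_pubkey(pub, bits):
    """Baby-step giant-step on the same range once the public key is known:
    about 2 * sqrt(range) curve operations instead of range."""
    lo = size = 1 << (bits - 1)
    m = int(size ** 0.5) + 1
    baby, pt = {}, None
    for j in range(m):                  # baby steps: j*G, j in [0, m)
        baby[pt] = j
        pt = ec_add(pt, G)
    giant = ec_neg(ec_mul(m))           # -m*G
    cur = ec_add(pub, ec_neg(ec_mul(lo)))   # pub - lo*G = (k - lo)*G
    for i in range(m + 1):              # giant steps
        if cur in baby:
            return lo + i * m + baby[cur]
        cur = ec_add(cur, giant)
    return None


def demo(bits=16):
    master = b"constructed master secret, not a real key"
    d1 = derive_privkey(master, b"example.com")   # one secret, many keys
    d2 = derive_privkey(master, b"example.net")
    secret = 0xBEEF                               # constructed 16-bit toy puzzle key
    pub = ec_mul(secret)
    return (d1 != d2,
            solve_puzzle_by_address(address_of(pub), bits),
            solve_puzzle_by_pubkey(pub, bits))


if __name__ == "__main__":
    print(demo())
```

The by-address scan has to walk the whole range because the hash hides the public key, so it can only test one candidate per step; BSGS (or Pollard's rho, which needs no table) uses the group structure of the exposed public key and is why the square-root speedup only applies to reused or otherwise revealed keys.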
My take on this [0] is that Bitcoin price was growing exponentially with demand, or more exactly with the expected future demand. Cryptocurrencies have always had a lot of speculation behind them, not unlike any startup, and that is OK.
As shown by the graph [0], adoption slowed down after 2016 when BTC blocks got consistently full and transaction fees rose to $50 and more. I believe if BTC had scaled to support more transactions the price would be much higher today, as Bitcoin would likely be used as a means of payment across the Internet and in many physical stores as well.
Discussions regarding the decentralization of larger blocks aside, something that is not clear to many people is that scaling a blockchain to handle more transactions doesn't mean a linear increase in energy use. In the case of BTC its Proof-of-Work algorithm operates over the root of the last block's Merkle tree, which is a hash of all the transactions in the block. Being a fixed-size hash it doesn't matter if the block contains 1,000, 1 million or 1 billion transactions. Arguably a more popular Bitcoin would be more valuable and therefore would attract more miners, increasing its energy consumption, but that just reinforces my original point.
I think you're describing Bitcoin Cash, but AFAIK it's worth less than original BTC. What you're not considering is the brand value of BTC being the first and most famous crypto currency.
I agree with part of what you say but not with the implication. Yes, Bitcoin Cash [0] is the Bitcoin that chose to scale on-chain. The split happened in 2017 and since then it has decreased in price both compared to BTC and USD.
What I strongly disagree with is that a Bitcoin with bigger blocks and hence larger transaction capacity is inherently less valuable. That is an unfair comparison because Bitcoin Cash, when the split happened in Aug 2017, could have been recognized as Bitcoin by the ecosystem, but it wasn't, and Bitcoin Core retained the BTC ticker. Because of that Bitcoin Cash had to start adoption from the beginning, losing Bitcoin's established network effects.
My original argument was that if Bitcoin had increased its blocksize before 2016 as Satoshi Nakamoto originally intended [1], then the Bitcoin Cash split wouldn't have happened, Bitcoin adoption would have continued growing (remember that back in the day big players like Microsoft, Dell, Steam and Newegg started accepting Bitcoin payments) and miners would progressively see more of their rewards coming from transaction fees and less from the block rewards.
This last point is one of the big problems with BTC right now: the network security will decrease in the face of dwindling block rewards unless transaction fees rise. I argue that Bitcoin was always supposed to scale in number of transactions, so the aggregate of transaction fees, even if individually inexpensive (roughly 1 cent), would become larger than the block reward. In other words: the block reward was just an economic incentive to kick-start the Bitcoin network, to attract miners that would secure it, but the transaction volume was meant to keep increasing to replace it.
I didn't say that having larger blocks makes a cryptocurrency inherently less valuable, my point was that it's not enough to obtain the widespread adoption and the consequent increase in value you were talking about. But I also see your point on having those improvements baked in BTC at the right moment vs having a new cryptocurrency. But afaik Ethereum is able to handle many more payments than BTC (not sure if transaction fees are reasonable though) and is one of the most popular cryptocurrencies. But still, my impression is that its adoption as actual currency to pay for goods is similar to BTC, despite these improvements.
In my opinion there are two main issues that prevent cryptocurrencies from being actually used as currency:
1. How many transactions per second can be handled
2. Their extremely high volatility compared to fiat currency
While blockchains can scale to fix point 1, point 2 is driven by forces outside the technology.
Blockchain scalability while keeping decentralization is now a solved problem, you can research how sharding is implemented in cryptocurrencies such as XTZ or EGLD, or read this rationale [0] for terabyte blocks in Bitcoin Cash. Why do blockchains such as BTC or ETH refuse to scale on-chain then? That's a separate debate, but I believe there are vested interests in them not scaling.
Regarding volatility I agree that it's currently an issue, but not an insurmountable problem in my opinion:
1. Payment gateways can offer automatic asset conversion to minimize volatility risk for payment takers. This means I could pay in whichever cryptocurrency the payment gateway would take and the receiver would get whatever currency they have set up in their account. They might want to keep some currencies and convert others, so the payment gateway could offer an option to decide that, and in which amounts (e.g. "keep 10% of each BTC payment, convert the rest to USD").
2. Price volatility should reduce as a cryptocurrency is more widely used. In the alternate universe where BTC scaled to be larger than all credit card networks combined its price could be more stable than many fiat currencies.
Yes, but computer performance also goes up exponentially - especially when GPUs and ASICs were built and optimized for the maths needed for crypto - so in a sense they're keeping up. In theory.
The next Bitcoin puzzle, #67, has 67 unknown bits, and contains 6.7 BTC up for grabs: https://www.blockchain.com/explorer/addresses/btc/1BY8GQbnue...