The 66-Bit Puzzle has Been Solved!
12.5k sats \ 15 comments \ @nullcount 13 Sep bitcoin
Many years ago, back when BTC was worth every little, an anonymous user created 160 "puzzles" on the Bitcoin timechain. Each puzzle is simply an amount of BTC which is locked by an address that was generated with a purposefully low-entropy private key.
The anon user published the list of 160 bitcoin addresses along with the amount of entropy used in the private key for each address. Address #1 only used 1 bit of entropy so the private key for Address #1 was literally either 2^0 or 2^1 (000..001 or 000...002). Needless to say, the first dozen puzzles were solved almost instantly. However, each puzzle is twice as difficult to "crack" as the previous one.
Over the years, the remaining puzzle addresses have received additional deposits from people looking to "sweeten the reward".
Yesterday, this transaction entered the mempool: https://mempool.space/tx/8c8ec6b3511c62500ea9b3a1c30ca937e15d251b55d30290a2a6da2f1124f3fb
It spends from the 66-bit puzzle address: 13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so
This tx (accidentally) revealed the script pubkey of the address to everyone watching the mempool. This was a big mistake.
Since these addresses are known to be generated with low entropy, it only takes a few seconds/mins to brute force the private key if you already know the public key.
This caused the tx to be RBF'd by "bots" who were monitoring the mempool for spends of these puzzle addresses.
This tool was likely used by the bots: https://github.com/JeanLucPons/Kangaroo
The bots managed to recreate the exact same private key from this accidentally revealed public key in just a few mins, meanwhile it took years and many Megawatts of compute to find the private key from just the address.
It appears most of the 6.6 BTC reward locked by the 66-bit key (we can't really call it a private key anymore) was redeemed by these bots.
It also possible that something nefarious happened (like a puzzle pool operator tried to make it look like bots stole the TX, when, really it was all a coverup to steal the reward from the pool participants).
This "theft" of the 66-bit puzzle reward highlights another use-case for "private" tx-inclusion services offered by large mining pools. If the finder of the 66-bit key had sent their TX direct to a miner, then maybe it could have been fully redeemed (assuming the miner didn't try to steal it also).
Anyways, its a good lesson in the importance of using strong entropy. The completion of these puzzles is also a reminder that compute is getting faster and cheaper every year, and Bitcoin relies on compute being expensive to enforce its property rights.
Warning: If you're thinking of joining one of the pools "cracking" these puzzles, consider your risks! Most of these pools are fully trusted and not auditable. You're spending real resources (GPUs and electricity) for a chance to be granted a reward by a trusted pool operator. There's also a ton of technical risk, even if your pool manages to crack the next puzzle, there are many factors that can lead to no payout for you!
Source: https://btcpuzzle.info
write
preview
related posts
31 sats \ 1 reply \ @ChrisS 13 Sep
Great post. What would be the correct way to spend this bitcoin so as not to reveal the scriptpubkey in the mempool.
reply
1 sat \ 0 replies \ @nullcount OP 13 Sep
As I understand it, its a limitation of the old address format which needs to reveal the scriptpubkey in order to spend. Normally, this isn't a huge concern because most keys use strong entropy so its not so easy to recreate private key from scriptpubkey.
So the preferred way to redeem the reward is to have it secretly mined by a mining pool without even going thru the mempools.
reply
10 sats \ 0 replies \ @DarthCoin 13 Sep
reply
10 sats \ 1 reply \ @hasherstacker 13 Sep
However, each puzzle is twice as difficult to "crack" as the previous one.
reply
0 sats \ 0 replies \ @nullcount OP 13 Sep
The bots managed to recreate the exact same private key...
reply
10 sats \ 2 replies \ @go 13 Sep
This gamified decryption could be an excellent example used to illustrate how 256 bit encryption is so secure
reply
131 sats \ 1 reply \ @nullcount OP 13 Sep
Fun fact: bitcoin doesn't use any encryption!
reply
0 sats \ 0 replies \ @go 13 Sep
🤩
reply
0 sats \ 0 replies \ @Satoshi__Nakamoto 14 Sep
Impressive
reply
0 sats \ 2 replies \ @Satosora 13 Sep
I was just looking at this puzzle the other day. I thought it would be years before it was solved. 67 has almost the same difficulty, right?
reply
20 sats \ 1 reply \ @nullcount OP 14 Sep
66bit puzzle was a key between 2^65 and 2^66. The actual key was (in decimal notation) 46,346,217,550,346,335,726
The 67bit puzzle is a key between 2^66 and 2^67. So puzzle 67 has twice the number of keys to search as 66. Puzzle 67 has 6.7BTC currently. It might be "easier" than 66bit depending on how quickly GPUs advance in the coming years
Disclaimer, this whole thing could be a scam. But the rabbit hole goes deep!
reply
0 sats \ 0 replies \ @Satosora 14 Sep
Yeah, I heard someone poached it or something because of releasing the key? Some amateur mistake? I dont know all the details yet, I am sure the rabbit hole is deep.
reply
0 sats \ 1 reply \ @nullcount OP 13 Sep
someone sent a message to the 66-bit address using vanity addresses: https://mempool.space/tx/75212bc4690e100438398b3bf30a2066e4861b36dc961c485925641e8de762d4
reply
0 sats \ 0 replies \ @random_ 13 Sep
Cryptic
reply
0 sats \ 0 replies \ @OT 13 Sep
deleted by author
reply