Bitcoin puzzle #66 was solved: 6.6 BTC (~$400k) withdrawn

Overview of Bitcoin Puzzle #66

  • Bitcoin “puzzles” are specially constructed private keys with reduced entropy (many leading zero bits) funded with BTC as prizes.
  • Puzzle #66 had 66 “unknown bits” (actually 65, since the top bit is fixed) and a 6.6 BTC reward. It was finally brute‑forced after ~2 years, roughly matching the expected 2^66 search.
  • Puzzle #67 (and onwards) are similar, with n unknown bits and n.x BTC rewards; every 5th puzzle has double entropy but a published public key to allow Pollard‑rho style attacks.

How the Puzzle and Attack Work

  • Normal keys are 256‑bit ECC keys (secp256k1). Here, most bits are zero and only a small range needs to be searched.
  • With only an address (hash of a public key), you must brute‑force private keys directly.
  • When a transaction spending from the address is broadcast, the public key is revealed. Knowing the public key allows discrete‑log algorithms (e.g., Pollard’s rho) that reduce work from 2^n to about 2^(n/2).
  • For the puzzle, once the solver broadcast a transaction, a watcher bot used the now‑known public key plus the low‑entropy structure to recover the private key quickly and submit a higher‑fee, conflicting transaction, effectively stealing the 6.6 BTC.
  • This type of front‑running is specific to reduced‑entropy puzzles; normal 256‑bit keys remain computationally infeasible to brute‑force.
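
The square-root reduction described above, as an added example that is not taken from the discussion: baby-step giant-step (a deterministic relative of Pollard's methods with the same 2^(n/2) cost) run against a constructed 20-bit key on secp256k1. It shows why a key drawn from a small range has to be treated as exposed once its public key appears on the network. Function names and the sample key are illustrative.

```python
# Added example: square-root search for a low-entropy secp256k1 key
# once its public key is known. Toy range only (20 bits, constructed key).
P = 2**256 - 2**32 - 977                     # secp256k1 field prime
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                          # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def bsgs(pub, bits):
    """Find k in [0, 2^bits) with k*G == pub. Returns (k, point_additions)."""
    m = 1 << ((bits + 1) // 2)               # about sqrt of the range size
    table, pt, ops = {}, None, 0
    for j in range(m):                       # baby steps: store j*G
        table[pt] = j
        pt = add(pt, G); ops += 1
    mg = mul(m, G)
    step = (mg[0], (-mg[1]) % P)             # -m*G
    cur = pub
    for i in range(m):                       # giant steps: pub - i*m*G
        if cur in table:
            return i * m + table[cur], ops
        cur = add(cur, step); ops += 1
    return None, ops

SECRET = 0xC0FFE                             # constructed 20-bit sample key
if __name__ == "__main__":
    k, ops = bsgs(mul(SECRET, G), 20)
    print(f"recovered {k:#x} in {ops} additions; address-only search ~{2**19} trials")
```

The table of about 2^(n/2) stored points is what makes this variant memory-bound at larger n; Pollard's rho and kangaroo methods reach the same time cost with little memory.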

Security and Cryptography Discussion

  • Commenters clarify discrete logarithm problems, elliptic curves, and Pollard’s rho; note that “discrete log” is a family of problems that depends on the specific group.
  • Several see the puzzles as canaries or benchmarks for brute‑force capabilities and potential sub‑exponential or quantum attacks, though others argue real attackers would not reveal such capabilities via a public puzzle.
  • There is debate over whether this constitutes a “puzzle” versus a pure compute race.

Energy Use, Ethics, and Value

  • Strong disagreement over whether this is an interesting cryptographic challenge or a “sick” waste of electricity.
  • Some argue all puzzles are intrinsically “wasteful”; others say this one at least yields information about attack feasibility.
  • Long subthread on whether using “green” energy for mining or cracking is still wasteful, given opportunity costs and grid constraints.

Practicalities: Claiming, Tax, Liquidity

  • Suggestions to avoid front‑running include private mempool submissions or direct deals with mining pools; mining a block yourself is the only fully trustless option.
  • Liquidity for 6.6 BTC is considered trivial on current markets, but off‑ramping can trigger bank and exchange KYC/AML scrutiny.
  • In the US, some suggest puzzle proceeds would likely be reported as “other income” for tax purposes.