DOI: 10.1515/tmmp-2016-0030
Tatra Mt. Math. Publ. 67 (2016), 55–68

SPEED OPTIMIZATIONS
IN BITCOIN KEY RECOVERY ATTACKS
Nicolas Courtois — Guangyan Song — Ryan Castellucci

ABSTRACT. In this paper, we study and give the first detailed benchmarks on
existing implementations of the secp256k1 elliptic curve used by at least hundreds
of thousands of users in Bitcoin and other cryptocurrencies. Our implementation
improves the state of the art by a factor of 2.5 with a focus on the cases, where
side channel attacks are not a concern and a large quantity of RAM is available.
As a result, we are able to scan the Bitcoin blockchain for weak keys faster than
any previous implementation. We also give some examples of passwords which we
have cracked, showing that brain wallets are not secure in practice even for quite
complex passwords.

1. Introduction

Bitcoin is a cryptocurrency, an electronic payment system based on cryptog-

raphy. It was created by S a t o s h i N a k o m o t o 1 in 2008 [12]. In 2009, Bitcoin
was launched as open-source software. Bitcoin is designed to be a fully decen-
tralised peer-to-peer network—self-governing without support from trusted enti-
ties such as banks or governments. Bitcoin transactions are like checks but signed
cryptographically instead of using ink. Transactions are broadcast to the peer-
to-peer network and verified by each node. A public ledger called a “blockchain”
records transactions pseudonymously.
Ownership of bitcoins implies that a user can spend bitcoins associated with
a specific address (equivalent to a bank account). In order to spend the coins,
a payer must digitally sign the transaction using their private key. The signed
transaction is then broadcast to the peer-to-peer network. Everyone on the net-
work can verify the signature that has been sent out. Anyone can spend all the
bitcoin in a bitcoin address as long as they hold the corresponding private key.

c 2016 Mathematical Institute, Slovak Academy of Sciences.

2010 M a t h e m a t i c s S u b j e c t C l a s s i f i c a t i o n: 62K05.
K e y w o r d s: Bitcoin, Elliptic Curve Cryptography, Crypto Currency, Brain Wallet.
1
It is not known whether Satoshi Nakomoto is a real or pseudonym name or if it represents
one person or a group

55
 NICOLAS COURTOIS — GUANGYAN SONG — RYAN CASTELLUCCI

Once the private is lost, the bitcoin network will not recognize any other evidence
of ownership.
Bitcoin uses digital signature to protect the ownership of coins and private
keys are the only way of owning bitcoins. Thus it is very important to look at
the technical details of the digital signature scheme used in bitcoin.
1.1. Structure of the paper
In this paper we study and give the first detailed benchmarks on existing
secp256k1 elliptic curve implementations used in Bitcoin. Section 2 introduces
background knowledge about elliptic curve cryptography and brain wallets. Sec-
tion 3 reviews previous research work in this area. Section 4 gives detailed bench-
mark for existing method and our own implementation. Our implementation
improves the state of the art by a factor of 2.5. Section 5 is the conclusion of
this paper.

2. Background

2.1. Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) was independently proposed by N e a l
K o b l i t z [10] and V i c t o r M i l l e r [11] in 1985. It is a public-key cryp-
tography protocol where each of the participants has a pair of keys. There is
one private key which is kept as a secret by the owner and one public key
which can be shared with anyone. In the past 10+ years ECC has been increas-
ingly used in practise since its inclusion in standards by organisations such as
ISO, IEEE, NIST, NSA etc. Elliptic curves are more efficient and offer smaller
key sizes at the same security as other widely adopted public key cryptography
schemes such as RSA [13].
An Elliptic Curve over finite field Fp where p is a large prime, can be formed
by choosing the variables a and b within the field Fp . The elliptic curve primar-
ily includes all points (x, y) which satisfy the elliptic curve equation modulo p
(where x and y are numbers in Fp ). The equation is typically written in the short
Weierstrass form
y 2 = x3 + ax + b mod p,
where a, b ∈ Fp satisfy 4a3 + 27b2 mod p is not 0, which guarantees x3 + ax + b
contains no repeated factors and then the elliptic curve can be used to form a
group. The elliptic curve contains all points P = (x, y) for x, y ∈ Fp that satisfy
the elliptic curve equation with addition of a special point ∞ known as the point
at infinity2.
2In code implementation, ∞ is normally represented as point (0,0), but not always, as (0,0)
might be on the curve.

56
 SPEED OPTIMIZATIONS IN BITCOIN KEY RECOVERY ATTACKS

The elliptic curve used in Bitcoin is called secp256k1. Secp256k1 curve is

proposed in C e r t i c o m [7] in addition to NIST curve for 256 bits prime. It is
defined over prime field Fp , where
p = 2256 − 232 − 29 − 28 − 27 − 26 − 24 − 1.
The curve equation E is y 2 = x3 + ax + b, where a = 0 and b = 7.

2.1.1. Key Pair Generation

An elliptic curve key pair is associated with a particular set of valid domain
parameters [9]. Let E be an elliptic curve defined over a finite field Fp . Let P
be a point in E(Fp ), and suppose that P has prime order n. Then the cyclic
subgroup of E(Fp ) generated by P is
P  = {∞, P, 2P, 3P, . . . , (n − 1)P }.
The prime p, the equation of the elliptic curve E, the point P and its order n
are the public domain parameters. A private key is an integer d that is selected
uniformly at random from the interval [1, n − 1], and the corresponding public
key Q = dP .

Algorithm 1 Key pair generation [9]

Input: Domain parameters D = (p, E, P, n).
Output: Public key Q, private key d.
1: Select d ∈R [1, n − 1].
2: Compute Q = dP .
3: Return (Q, d).

Note that the process of computing a private key d given public key Q is
exactly the elliptic curve discrete logarithm problem (ECDLP). Hence it is very
important to choose a set of domain parameters so that the ECDLP is hard
to solve. In addition the number d should be random in the sense that it
should have large entropy AND there should be no way to distinguish a source
which produces these values from a source which generates them uniformly at
random. In particular the min-entropy should also be high and there should be
no efficient guessing strategy of any sort.

2.2. Brain Wallet

A Bitcoin wallet is a collection of Bitcoin addresses and stores the correspond-
ing keys for those addresses. Bitcoin wallets come in different forms, including
desktop software, mobile apps, online services, hardware, smart card and paper.

57
 NICOLAS COURTOIS — GUANGYAN SONG — RYAN CASTELLUCCI

As we discussed earlier in Section 2.1.1, the private key is a number which

we presume to be totally random. Normally the private key will be a long hex
string which is very hard for a person to remember and store safely. No matter
what form of wallet you are using, there always exists a chance that you might
lose your wallet in a cybersecurity breach.
Brain wallets are another solution, which do not need the users to keep any-
thing in safe and still be able to recover their private key. Instead of storing the
private key and protecting it, one can store it in a human mind. A brain wal-
let creates private key from a (typically) human chosen password or a passphrase,
using the SHA-256 hash algorithm and converts it into a 256-bit number.
As SHA-256 is deterministic method, users can always use the same password
to recreate their private key. Note that since brain wallets use the hash directly
as the private key, the security of storing private keys now depends only on how
unpredictable the passwords are.

Figure 1. Brain wallet generated by password “password”.

3. Related Work

We are not the first to try to crack Bitcoin brain wallets, some hackers have
been there before. Many victims have found their money stolen and posted it in
forums. The first ethical/research brain wallet cracker was announced publicly in
a recent hacking conference DEF CON 23 (Aug 2015). R y a n C a s t e l l u c c i , a
whitehat hacker presented his research on cracking brain wallets, and also pub-
lished his software [6]. Ryan’s attack was done on an Intel i7 PC with 4 physical
cores and 8 logical cores due to Hyper-Threading. The attack speed can reach
approximately 16,250 password per second on each thread and he had cracked
more than 18,000 brain wallet addresses.
The software R y a n has published uses an existing open source secp256k1
bitcoin elliptic curve implementation mainly written by P i e t e r W u i l l e ,

58
 SPEED OPTIMIZATIONS IN BITCOIN KEY RECOVERY ATTACKS

one of Bitcoin core developers. This implementation is widely used in Bitcoin

clients and is considered the current best in terms of code level optimisation
(detailed benchmarks are given in Table 2).
Later V a s e k, B o n n e a u, K e i t h, C a s t e l l u c c i and M o o r e published
their cybercrime analysis results on brain wallets addresses cracked using Ryan’s
software implementation in FC 2016 [15]. Their work was more focused on brain
wallets usage measurements and did not try to improve the speed of the attack.

4. Special designed point multiplication method for attack

The process of cracking Bitcoin brain wallets is to repeatedly generate pub-

lic keys using guessed passwords. Key generation method as we described in
Section 2.1.1, is to compute Q = dP. Here d is a SHA256 hash of the gen-
erated password, P is a fixed point which is the base point G for secp256k1.
We first benchmark the current best implementation, libsecp256k1. All bench-
mark results are running on an Intel i7-3520m 2.9 GHz laptop (win8 x 64).
The time cost for computing one public key given a random private key
takes: 47.2 µs.

4.1. Fixed point multiplication methods

The most basic and naive method for point multiplication Q = kP with
an unknown point P is double-and-add method [9]. The idea is to use binary
representation for k:
k = k0 + 2k1 + 22 k2 + · · · + 2m km ,
where [k0 . . . km ] ∈ {0, 1} and m is the length of k, in bitcoin elliptic curve,
m = 256.

Algorithm 2 double-and-add method for point multiplication for input points

P not known in advance. [9]
INPUT: k = (km , . . . , k1 , k0 )2 , P ∈ E(Fq ).
OUTPUT: kP .
1: Q := infinity
2: for i from 0 to m do
3: if ki = 1 then Q := Q + P (using point addition)
4: P := 2P (using point doubling)
5: end for
6: return Q

59
 NICOLAS COURTOIS — GUANGYAN SONG — RYAN CASTELLUCCI

The expected number of ones in the binary representation of k is approxi-

mately m m
2 , so double-and-add method will need 2 + mD computations in total.
However, if the point P is fixed and some storage is available, then the point
multiplication operation Q = kP can be accelerated by pre-computing some
data that depends only on P . For example if the points 2P, 22 P, . . . , 2m−1 P
are pre-computed, then the double-and-add method (algorithm 2) has expected
running time ( m 2 )A, and all doublings are eliminated.
In [3] the authors introduced a new method for fixed point multiplication.
The pre-computing step stores every multiple 2i P . Let (Kd−1 , . . . ,
K1 , K0 )2w be
the base-2w representation of k, where d = [m/w], and let Qj = i:Ki =j 2wi P
for each j, 1 ≤ j ≤ 2w − 1, Then
w w
d1
 2 −1  2 −1
wi wi
kP = Ki (2 P ) = (j 2 P) = jQj
i=0 j=1 i:Ki =j j=1
= Q2w −1 + (Q2w −1 + Q2w −2 ) + · · ·
+ (Q2w −1 + Q2w −2 + · · · + Q1 ).
By reviewing the literature and checking some other existing methods in [9]
we noticed they are all memory friendly implementations which do not take a
lot of memory space for precomputation. However, we are working on a different
task and aim to repeatedly run point multiplication method for great many
times. We have implemented an extreme version of window method which will
take much more precomputation space than methods introduced in [9].
In our implementation, the precomputation step will compute Pj = jP, where
1 ≤ j ≤ 2w − 1, then for each Pj we compute Pi,j = 2wi Pj , which will cost 2w − 1
times more memory space than [3], [9], but expected running time for each point
multiplication is reduced down to approximately (d − 1)A.

Algorithm 3 Our windowed method with larger precomputation table

Input: Window width w, d = [m/w], k = (Kd−1 , . . . , K1 , K0 )2w .
Output: kP .
1: Precompute Pi,j = 2wi jP, 0 ≤ i ≤ d − 1 and 1 ≤ j ≤ 2w − 1
2: A ← infinity
3: for i from 0 to d − 1 do
4: A ← A + Pi,j where j = Ki
5: end for
6: return A

We have implemented a code that can take any window width w. Results
and corresponding memory usages based on different window size are shown
in Table 1.

60
 SPEED OPTIMIZATIONS IN BITCOIN KEY RECOVERY ATTACKS

Table 1. Time cost for different window width w, point addition method
secp256k1 library [14] secp256k1 gej add ge.

w=4 w=8 w=12 w=16 w=20

d 64 32 22 16 13
# of additions 63 31 21 15 12
memory 81.92 KB 655.36 KB 7.21 MB 83.89 MB 1.09 GB
time cost 46.36 µs 22.76 µs 15.35 µs 11.23 µs 9.23 µs

Table 2. Benchmarking openssl and MPIR library for field multiplication,

square and modular inverse in affine coordinate.

multiplication mod p square mod p mod inverse

MPIR 0.07 µs 0.15 µs 0.13 µs 0.15 µs 1.8 µs
openssl 0.08 µs 0.43 µs 0.06 µs 0.43 µs 18.0 µs
secp256k1 0.049 µs 0.039 µs 1.1 µs

4.2. Point representation

Representing a point as an affine coordinate P (x, y) on an elliptic curve
over Fp , the field operations required for one EC point addition are: two multi-
plications, one square and one modular inverse (for short, 2M+1S+1I). Modu-
lar inverse is more expensive operation compared to multiplication and square.
We list our benchmarks using different packages in C to demonstrate the differ-
ence for modular inverse computation compared to multiplication and square.
The packages we have benchmarked are: openssl-1.0.2a (released in March 2015)
and mpir-2.5.2 (released in October 2012), and Pieter Wuille’s implementation
on Github [14] 3 .
The results are shown in Table 2. The benchmarking shows modular inverse
is much more expensive than multiplication and squaring. It is also important
to notice, for MPIR big number library, the square operation is more expen-
sive than multiplication, and for openssl library, 1 square = 0.75 multiplication.
As modular inverse is more expensive than multiplication, it may be advanta-
geous to represent points using other coordinates.

3with the following configuration:

USE NUM GMP USE FIELD 10x26 USE FIELD INV NUM USE SCALAR 8x32
USE SCALAR INV BUILTIN

61
 NICOLAS COURTOIS — GUANGYAN SONG — RYAN CASTELLUCCI

4.2.1. Projective coordinates

For elliptic curve over Fp , where the curve equation is y 2 = x3 + ax + b. The
standard projective coordinates represent elliptic curve points as (X : Y : Z),
Z = 0, correspond to the affine point ( X Y
Z , Z ). The projective equation of the
elliptic curve is
Y 2 Z = X 3 + aXZ 2 + bZ 3.
The point at infinity ∞ corresponds to (0 : 1 : 0), where the negative of
(X : Y : Z) is (X : −Y : Z).

4.2.2. Jacobian coordinates

Elliptic curve points in Jacobian coordinates are represented in the following
format (X : Y : Z), Z = 0, which corresponds to the affine point ( ZX2 , ZX3 ).
The projective equation of the elliptic curve is
Y 2 = X 3 + aXZ 4 + bZ 6.
The point at infinity ∞ corresponds to (1 : 1 : 0), while the negative of
(X : Y : Z) is (X : −Y : Z).
The field operations needed for point addition and doubling are shown in
Table 3. We see that Jacobian coordinates yield the fastest point doubling, while
mixed Jacobian-affine coordinates yield the fastest point addition.
Table 3. Operation counts for point addition and doubling. A = affine,
P = standard projective, J = Jacobian [5, 9].

Doubling General addition Mixed coordinates*

2A → A 1I,2M,2S A+A → A 1I,2M,1S J+A → J 8M,3S
2P → P 7M,3S P+P → P 12M,2S
2J → J 4M,4S J+J → J 12M,4S
* Here mixed coordinates means Jacobian-Affine mixed coordinates

We refer the reader to [9], [5] for other detailed equations in different coordi-
nates. Here we only interested in point addition functions using mixed coordi-
nates.

4.2.3. Secp256k1 point addition formulas

In the latest version, secp256k1 point addition formulas are based on [4] which in-
troduced strongly unified addition formulas for standard projective coordinates.
Bitcoin developers implemented a mixed coordinate formula (Jacobian-Affine)
version based on [4].

62
 SPEED OPTIMIZATIONS IN BITCOIN KEY RECOVERY ATTACKS

Let P = (X1 : Y1 : Z1 ) be a Jacobian projective point on elliptic curve

y = x3 + ax + b, and Q = (X2 : Y2 : 1) be another point on the curve, suppose
2

that P = ±Q, P + Q = (X3 : Y3 : Z3 ) is computed by the following equations:

X3 = 4(K 2 − H),
Y3 = 4 R(3H − 2K 2 ) − G2 ,
  (1)
Z3 = 2F Z1 ,
where
A = Z12 , B = Z1 · A, C = X2 · A, D = Y2 · B,
E = X1 + C, F = Y1 + D, G = F 2, H = E · G,
I = E 2, J = X1 · C, K = I − J.

4.2.4. Bernstein-Lange point addition formulas

In [2], B e r n s t e i n introduced the following method which takes 7M+4S using

Jacobian-Affine coordinate, the explicit formulas are given as follows [1]
X3 = r2 − J − 2V,
Y3 = r · (V − X3 ) − 2Y1 · J, (2)

Z3 = (Z1 + H)2 − Z12 − H 2 ,

where
U 2 = X2 · Z12 , S2 = Y2 · Z13 , H = U 2 − X1 ,
I = 4H 2, J = H · I, r = 2(S2 − Y1 ), V = X1 · I.

4.3. Detailed field operation benchmarks

From the results of table 2 we saw that Wuille’s secp256k1 library [14] has
much faster field multiplication and square speed than openssl and mpir library.
Wuille’s field implementation is optimised based on the special prime used in
secp256k1 curve. Libsecp256k1 has 5x52 and 10x26 field implementations for 64
bits and 32 bits integers 4. Here we use the 10x26 representation and each 256 bit
value is represented as a 32 bit integer array with size of 10. We refer readers to
file field 10x26 impl.h in libsecp256k1 for more details. Libsecp256k1 already im-
plemented the equation from [1], [9] in method secp256k1 gej add ge var, which
uses 8 multiplications, 3 squares, 1 multiply integer, 6 additions and 5 negations.
Equation 1 is implemented in another method called secp256k1 gej add ge, which
uses 7 multiplications, 5 squares and 5 multiply integer, 7 additions, 3 negations
and 6 fe cmov operations. We have implemented equation 2 which takes 7 mul-
tiplications, 4 squares, 4 multiply integer, 9 additions and 8 negations.

4Depends on whether compiler and target support 64 bit integers.

63
 NICOLAS COURTOIS — GUANGYAN SONG — RYAN CASTELLUCCI

It is important to notice the squaring and multiplication differences we dis-

cussed in Table 2. In [1] B e r n s t e i n listed the best operation counts based
on different assumptions: S = 0 M, S = 0.2 M, S= 0.67 M, S=0.8 M and S=1 M.
In [8], the author showed that the ratio S/M is almost independent of the field of
definition and of the implementation, and can be reasonably taken equal to 0.8.
Our benchmark results is very similar to S = 0.8 M. In [1], other field operations
are considered as 0 M, in Table 4 our benchmark results shows field addition and
other operations have approximately 0.1 M cost.

Table 4. Field operation counts and benchmark results.

#Mul #Square #add/neg/*int #fe cmov Total cost

1M ≈ 0.8 M ≈ 0.1 M ≈ 0.2 M
secp256k1 gej
add ge 7 5 15 6 ≈ 0.681 µs
secp256k1 gej
add ge var 8 3 12 0 ≈ 0.562 µs
7M + 4S code 7 4 21 0 ≈ 0.594 µs

The secp256k1 gej add ge method which is also the default method for key
generation, uses 6 secp256k1 fe cmov operations which has a cost approximately
0.2 M. The rationale for writing code in this way is stated by W u i l l e in the
following comment:
“This formula has the benefit of being the same for both addition of distinct
points and doubling” [14]
The purpose of making addition and doubling using the same function is
to prevent side channel attacks, as point doubling is otherwise much cheaper
than point addition. Our experiments are done based on the benchmark results
of S/M ratio with specified machine setting (earlier in Section 4) and specific
library configuration (footnote in Section 4.2). Different operating systems or
library configurations lead to different results. One should choose between our
code and secp256k1 gej add ge method. Detailed benchmark results are given
in Table 5.
The code published as part of DEF CON attack on github in August 2015 [6]
uses a faster version of secp256k1 library5, and the results are marked as “ * ”
in Table 5. Our best result using 1.09 GB precomputation memory gives
≈ 2.5 times speed up for key generation process than the current known
best attack.
5
Also written by P i e t e r W u i l l e one year ago, this version is performance focused and
using 8M+3S.

64
 SPEED OPTIMIZATIONS IN BITCOIN KEY RECOVERY ATTACKS

Table 5. Time cost for different window width w for EC key generation.

w=4 w=8 w=12 w=16 w=20

d 64 32 22 16 13
# of additions 63 31 21 15 12
precomputation
81.92 KB 655.36 KB 7.21 MB 83.89 MB 1.09 GB
memory
secp256k1 gej
45.85 µs 22.16 µs 15.35 µs 11.23 µs 9.23 µs
add ge
secp256k1 gej
37.37 µs* 17.86 µs 12.21 µs 8.89 µs 7.16 µs
add ge var
7M + 4S code 39.01 µs 18.79 µs 12.77 µs 9.23 µs 7.48 µs
Jacobian to Affine ≈ 10 µs
Benchmark on ≈ 42 K guesses/sec (single thread)
my laptop on i7-3520m 2.9 GHz CPU
≈ 130 K guesses/sec
DEF CON Attack**
on i7-2600 3.2 GHz CPU
Our improved
≈ 315 K guesses/sec
DEF CON Attack
* The main results reported DEF CON attack [6] are equivalent to these 37.37 µs.
** These are reported by Ryan Castellucci running his DEF CON code,which are then
compared to our improved code on 8 threads with linux gcc compiler.

In theory the best point addition method is 7M+4S introduced in [2]. However
in practice, when field multiplication and square are well optimised, other field
operations (such as addition, negation) become more significant than theoretical
value, see Table 4. Our results show that for our laptop specification, 8M+3S
method is overall better than 7M+4S.
In order to compare the results with DEF CON attack, we also benchmark our
implementation against the DEF CON software release on Amazon server. Ex-
periments are done on an m4.4xlarge Amazon EC2 instance6. Results are shown
in Table 6. The results confirm a 2.5 times improvement. Note that when run-
ning on Amazon EC2 (Intel Haswell CPU), the theoretical best method (7M+4S)
performs a little bit better than 8M+3S.
Based on the current price for Amazon EC2 service, we observe the following
cost for implementing such brain wallet attack: 17.9 billion passwords check per
US dollar; 55.86 dollars to check a trillion passwords. We have found more than
6
https://aws.amazon.com/ec2/instance-types/

65
 NICOLAS COURTOIS — GUANGYAN SONG — RYAN CASTELLUCCI

Table 6. Benchmark with DEF CON results on Amazon EC2 instance.

passwords
processes
per second
brainflayer
16 219,460
(DEF CON)
win size 20
16 533,196
8M+3S
win size 24
16 556,294
8M+3S
win size 24
16 558,449
7M+4S

18,000 passwords using this tool. Some sample passwords, including some quite
difficult ones are listed in Appendix A.

5. Conclusion

In this paper we have analysed and improved the state of the art on the im-
plementation of the secp256k1 elliptic curve and similar curves. We provide the
first benchmarks on existing implementations and provide a faster implementa-
tion for specific applications where private keys are not manipulated or there
exist other protections against side channel attacks (e.g., physical and electro-
magnetic isolation) and when larger amounts of RAM are available. For example
we are able to examine passwords in brain wallets 2.5 times faster than the state
of the art implementation presented at DEF CON few months earlier. We have
released our source code.
As an example application of this research, we have been able to crack thou-
sands of passwords including some quite difficult ones. Our research demon-
strates again that brain wallets are not secure and no one should use them.

REFERENCES

[1] BERNSTEIN, D. J.—LANGE, T.: Explicit-formulas database, 2007,

https://hyperelliptic.org/EFD/
[2] BERNSTEIN, D. J.—LANGE, T.: Faster addition and doubling on elliptic curves,
in: Advances in cryptology–ASIACRYPT ’07, Lecture Notes in Comput. Sci., Vol. 4833,
Springer-Verlag, Berlin, 2007, pp. 29–50.
[3] BRICKELL, E. F.—GORDON, D. M.—MCCURLEY, K. S.—WILSON, D. B.: Fast expo-
nentiation with precomputation, in: Advances in Cryptology-EUROCRYPT ’92, Springer-
-Verlag, Berlin, 1993, pp. 200–207.

66
 SPEED OPTIMIZATIONS IN BITCOIN KEY RECOVERY ATTACKS

[4] BRIER, E.—JOYE, M.: Weierstraß elliptic curves and side-channel attacks, in: In-
ternational Workshop on Public Key Cryptography—PKC ’02, Springer-Verlag, 2002,
pp. 335–345.
[5] BROWN, M.—HANKERSON, D.—LÓPEZ, J.—MENEZES, A.: Software implementa-
tion of the NIST elliptic curves over prime fields, in: Proceedings of the 2001 Confer-
ence on Topics in Cryptology: The Cryptographer’s Track at RSA, April 08–12, 2001,
CT-RSA ’01, London, UK; Lecture Notes in Comput. Sci., Vol. 2020, Springer-Verlag,
2001. pp.250–265.
[6] CASTELLUCCI, R.: Cracking cryptocurrency brainwallets,
https://www.defcon.org/html/defcon-23/dc-23-index.html
[7] CERTICOM RESEARCH: Sec 2: Recommended elliptic curve domain parameters,
in: Proceeding of Standards for Efficient Cryptography, Version 1, 2000.
www.secg.org/SEC2-Ver-1.0.pdf
[8] COHEN, H.—MIYAJI, A.—ONO, T.: Efficient elliptic curve exponentiation using mixed
coordinates, in: Advances in Cryptology, ASIACRYPT ’98 (Beijing), Lecture Notes in
Comput. Sci., Vol. 1514, Springer-Verlag, Berlin, 1998, pp. 51–65.
[9] HANKERSON, D. —MENEZES,A . J. —VANSTONE, S.: Guide to Elliptic Curve Cryp-
tography, Springer Science & Business Media, 2006.
[10] KOBLITZ, N.: Elliptic curve cryptosystems, Mathematics of computation, 48 (1987),
no.177, 203–209.
[11] MILLER, V. S.: Use of elliptic curves in cryptography, in: Proc. Advances in Cryptology–
–CRYPTO ’85 (Santa Barbara, Calif., 1985), Lecture Notes in Comput. Sci., Vol. 218,
Springer-Verlag, Berlin, 1986, 417–426.
[12] NAKAMOTO, S.: Bitcoin: A peer-to-peer electronic cash system,
https://bitcoin.org/bitcoin.pdf, 2008.
[13] RIVEST, R. L.—SHAMIR, A.—ADLEMAN, L.: A method for obtaining digital signatures
and public-key cryptosystems, Commun. ACM 21 (1978), no. 2, 120–126.
[14] WUILLE, P.: bitcoin secp256k1 library, version 2015/08/11,
https://github.com/bitcoin/secp256k1
[15] VASEK, M.—BONNEAU, J.—KEITH, C.—CASTELLUCCI, R.—MOORE, T.: The
Bitcoin brain drain: A short paper on the use and abuse of Bitcoin brain wallets,
Financial Cryptography and Data Security, Lecture Notes in Comput. Sci., Springer-
-Verlag, Berlin, 2016.

Appendix A. Cracked Password Samples

More than 100 new passwords never discovered before were found (using
our open source tool) by UCL M.Sc. Information Security students during our
“code breaking competition” run as a part of GA18 Cryptanalysis course in
March 2016. These students are I a s o n P a p a p a n a g i o t a k i s- B o u s y ,
I l y a s A z e e m , J e o n g h y u k P a r k , E l l e r y S m i t h, W e i x i u T a n and
W e i S h a o.

67
 NICOLAS COURTOIS — GUANGYAN SONG — RYAN CASTELLUCCI

(1) say hello to my little friend (9) {1summer2leo3phoebe

(2) to be or not to be (10) 0racle9i
(3) Walk Into This Room (11) andreas antonopoulos
(4) party like it’s 1999 (12) Arnold Schwarzenegger
(5) yohohoandabottleofrum (13) blablablablablablabla
(6) dudewheresmycar (14) for the longest time
(7) dajiahao (15) captain spaulding
(8) hankou

Received December 2, 2016 Department of Computer Science

University College London
Gower Street
London
WC1E 6BT
UNITED KINGDOM

Department of Optimization
Satalia (NPComplete Ltd)
97 Tottenham Court Rd
London
W1T 4TP
UNITED KINGDOM

Department of Computer Science

University College London
Gower Street
London
WC1E 6BT
UNITED KINGDOM

White Ops
11 8th Avenue
New York
NY 10011
USA
E-mail : [email protected]
[email protected]
[email protected]

68