“Banker usury lie people fight hope union citizen lead triumph horizon yellow.” That’s the end result of some hard fine work by Pboy, the artist, and Antoine Ferron, a receiver of 0.28 BTC, worth circa $1,150, in reward for solving a bitcoin puzzle hidden in an art fresco.
The fuller version of the above image has gone somewhat viral, at least in the media, which has reproduced it in many articles as a symbolic representation of the yellow vests movement.
The solver of the puzzle has given a full account in French. It is published under a Commons License, so we reproduce a rough translation of it under the same license for this article. Ferron now takes over:
“First of all, Marina and I would like to thank Pascal Boyart for the achievement of this challenge, Alistair Milne for the financial support, as well as all the people who contributed to this project. Beyond the artistic work, it’s a great collective project that has helped popularize bitcoin.
I was not alone in this search. Marina, the woman who shares my life, encouraged, motivated, supported… during this week, and it was a precious help for the discovery of this puzzle.
We went on Monday evening to see this fresco, which is already an artistic success. As a bitcoin expert and enthusiast, I could not miss this work, since we are lucky to live a few kilometers away.
Marina thought about patterns in the colored lines of the background, but I was skeptical about the coding. One of the first things, the most visible thing hidden in black on black, was the text: SEED 12 WORDS. It was thus necessary to find 12 words and probably to enter them in a BIP39-44 wallet to have the keys and to recover the bitcoins. So we start from a 128-bit entropy to find. You have to find twelve words and that equals exactly 128 bits (if the checksum is used).
I then saw with the reflection of a lamppost a text written to the right of Marianne’s head. We then found all the texts around Marianne’s head. With the torch of smartphones, we could see the texts. We thought it might be a fluorescent ink.
With various image processing we could read the texts. We understood that the 2nd was in base64 and the third in French alphabet (26 letters).
Quickly, I decoded the words on the left, which are just encoded in base64: drive, triumph. The base32 tests on the words above did not help.
From there, we were certain that the words all came from the French BIP39 list, and not from English as usual. Moreover, the words seemed to have a direct link with the elements painted in the fresco. We looked for candidates like history, yellow, guide, social… but all that made for far too many possibilities. It still indicates that the words are in this list of 2048 words, and that the words are between 5 and 8 letters long. It should be noted that even knowing the 12 words but without their order, it is still 500 million possible combinations. So if, in addition, words are missing, it is thousands of billions.
When we contacted the email address of the artist listed on the bottom right, he provided a number, a key, and seeing that the data was really random, it looked like a modern cypher. The key given, 03012009, is the launch date of Bitcoin and the Genesis block. We thought about what block data could fit in this puzzle. I also tried various AES encryption web services. I was lucky enough to come across aesencryption.net, which gave two new words: horizon, yellow. I contacted the developer of this site to understand how to reproduce it locally on my side. This service is done in PHP, and the data sources do not exactly match what is put in the server. After his answer with the details, I was able to reproduce the AES decryption with openssl. The initialization vector in ASCII, “12345678b0z2345n”, is not standard, and one had to have the chance to find this web site to be able to decode this part. The Linux script that decodes this message is online here.
The top looked like substitutions of letters. It was therefore probably a Caesar or Vigenère code, the two “historical” and classic codes. Caesar is also a Vigenère with a single letter as key. The search for Caesar did not yield anything because one only tested the first three letters, “ATQ”, and it turns out that it was actually “ATO”.
As I am developing a program to manage cold wallets, which calculates keys from a mnemonic, at this stage I developed for this puzzle a command line that calculates dozens of possible addresses for a given mnemonic. Because even if BIP39 + 44 are clear on what to do to calculate an address, depending on the wallet used there may be differences. This program calculates eight possible addresses for bitaddress (sha2), Bitcoin Core (m/0'/0'/0 and hardened), blockchain info (m/44'/0'/0'/0), Multibit (m/0'/0/0), BIP39 + 44 compliant (m/44'/0'/0'/0/0), … We did not know what kind of wallet had been used by the artist, but we should not miss a solution.
I returned to the fresco on the evening of January 9th with a blue LED torch, thinking that other inscriptions were hidden in the same way. I did not find anything like it. But sorts of blocks, barcodes, aligned features caught my attention in the heart of the work. I took lots of photos to analyze in the warm on a PC.
Six areas were quickly identified, indicating that the remaining six words were encoded with these aligned color bars. Counting 12, 16 bars, it was quickly understood that the coding consisted of two bars for each letter.
In parallel, after having tried many things, we could decipher the two words with the Caesar code above the head of Marianne; with the keys “g” and “h” we get: union and citizen.
For the color code, there were four bright and crisp areas and two less crisp areas, probably with a modified, “pastelized” color palette. We proceeded as with crosswords: a possible word for one block corresponds to some letters for the other words. With regex hits in the list of 2048 French words, I came across four words that were 100% compatible with each other, a letter equals a unique color code: banker, usury, lie and hope.
There remained only two words. And we were pretty sure they only had six letters each. That’s 499 words left, so 250,000 combinations. This is if we know the order of words, otherwise there are many more possible combinations.
I then made brute force scan scripts, initially calculating 6 mnemonics per second with 8 derived addresses each. I modified the program and its library to rely on coincurve for the computation of the public keys (multiplication of the generator point on the elliptic curve), which is a wrapper for the C library libsecp256k1. Thus the scan programs were able to search twelve times faster, to reach 75 mnemonics per second for a CPU core. This is more than 500 calculated addresses per second. I parallelized across 2 or 3 cores and we had scan routines that looked for more than 1000 addresses per second. It was therefore easy to test 200,000 mnemonic combinations, corresponding to 1.5 million addresses every hour.
I put aside the checksum check. It is only 4 bits for 12 words, 1 out of 16 combinations is valid. And since the author chose the words, there was nothing to indicate that he used the BIP39 checksum in the seed calculation.
The main difficulty with these programs was to design them very quickly, to have the calculations take the least possible time so the scans could rake wide, and to be relatively sure of the accuracy of their calculations, because mistakes had to be avoided so as not to miss the solution. A kind of concentrated set of expectations for a computer program: designed quickly, running quickly and efficiently, without bugs or errors.
As we went along, we made a shortened list of 50 words of six letters or more, either related to the topic of the fresco, or sticking with letter positions which were safer than others, and also a list of possible combinations of word order. The order was not totally random, with the groups found, two by two, per block per zone, ten possible orders were selected. This makes a total of 500,000 possible combinations. A matter of hours if our assumptions were the right ones.
The result is the mnemonic of twelve words, valid in checksum: “banker usury lie people fight hope union citizen lead triumph yellow horizon” with a completely standard BIP32 derivation path with BIP44 = m/44'/0'/0'/0/0.
We had a lot of fun during this research, and we were able to discover new areas. These challenges always require a mixture of theory, imagination and practice to find solutions. Marina even discovered a new passion, the LOL command line.”
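The account above notes that twelve BIP39 words carry 128 bits of entropy plus a 4-bit checksum, so only 1 in 16 candidate mnemonics is checksum-valid. The following is an added example, not Ferron's program or code from the original article. It works on 11-bit word indices rather than words, because the French wordlist is not embedded, and the all-zero entropy is a constructed sample. It shows the check that can discard 15 of every 16 candidates before any key derivation.

```python
import hashlib
from math import factorial

WORD_BITS = 11  # each BIP39 word is an index into a 2048-word list

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Encode entropy as BIP39 word indices (entropy + ENT/32 checksum bits)."""
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (len(entropy) * 8 + cs_bits) // WORD_BITS
    return [(value >> (WORD_BITS * (n_words - 1 - i))) & 0x7FF
            for i in range(n_words)]

def checksum_ok(indices: list[int]) -> bool:
    """True if the trailing bits match SHA-256 of the leading entropy bits."""
    total_bits = len(indices) * WORD_BITS
    cs_bits = total_bits // 33          # 4 bits for 12 words, 8 for 24
    value = 0
    for idx in indices:
        value = (value << WORD_BITS) | idx
    entropy = (value >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (value & ((1 << cs_bits) - 1)) == expected

def valid_last_words(first_eleven: list[int]) -> list[int]:
    """Indices of every 12th word that completes a checksum-valid mnemonic."""
    return [w for w in range(2048) if checksum_ok(first_eleven + [w])]

def candidates_after_filter(candidates: int) -> int:
    """Expected survivors of the 4-bit checksum filter for 12 words (1 in 16)."""
    return candidates // 16

if __name__ == "__main__":
    sample = entropy_to_indices(bytes(16))      # constructed all-zero entropy
    print(sample, checksum_ok(sample))
    print(len(valid_last_words(sample[:11])), "of 2048 last words are valid")
    print(factorial(12), "orderings of 12 known words")
    print(candidates_after_filter(factorial(12)), "left after the checksum filter")
```

The filter only helps when the mnemonic was generated with the BIP39 checksum. A phrase built from hand-picked words need not satisfy it, which is the reason given above for setting the check aside.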