Topic: Bitcoin Address Collisions. (Read 3941 times)

You must laugh at yourself too then.

Queue more laughter. Learn how the power function works please.

2^160 is approximately 10^48 (1 with 48 zeroes). If 84 mill addresses are used (lets say 100 mill for ease of computation), that makes the probability of a new randomly generated address to collide with an existing address equal to 1 : 10^40.

Suppose in the distant future every person in the world (lets say there are 10 B people by then) uses 1000 addresses each, for a total of 10^13 addresses. If every person now has the computer power to generate and test 10^13 addresses per second (that is the size of the entire *huge* global supply of active addresses every second by every person), in one day the odds of finding a collision are approximately 1:10^7, which makes the expected time to find one collision 30000 year at this mindbogglingly high generation rate.

I think we're fairly safe.

Just FYI, 2¹⁶⁰ != 2*10¹⁶⁰.

Also, 'random' is a double-edged sword. What you gain by having keys fail to cluster near the far end, you lose by having to check each one.

Indeed. Probably similar to the odds that you'll be able to walk through a wall suddenly because of quantum fluctuations lining up perfectly.

We live in a probabilistic universe. It's not just bitcoin address generation.

Nobody said it it is all clumped one end however as pointed out even w/ 1 trillion ASIC address generation machines, each producing (and checking) 1 trillion addresses per second all running non stop for the next 1000 years AND all Bitcoins are evenly divided into the maximum possible addresses with 1 Satoshi each the odds that any machine will find any collision with  funded address in less than 1% in the next 1,000 years.

Sure all public key cryptography is based on "odds".  You could in theory generate a private key in ONE ATTEMPT that matches the one used by google and produce a fake gmail site which validates SSL properly.  However the odds are vanishingly small.  The same thing applies to Bitcoin address collisions.

The odds of anyone finding any collision via brute force in their lifetime is essentially 0%.

i laugh at people who think they are math experts.

there are 2 (followed by 160 zero) possible combinations.. some of you naively believe that if you start at 1 and count upwards it would take 2(followed by 160 zero's) to find a collision.

this would only be the case if the addresses were made in lets say Hex of all F's..

but in reality ITS RANDOM

the addresses can be ANYWHERE between 1 and 2 (followed by 160 zero's).

meaning its just as likely that a randomiser picked 10 as it would pick 100,000,000,000,000.

with an estimated 84mill addresses being used, there is a chance that one of these 'used' addresses is randomised in the low range.

put simply

its random. they are not all clumped up at the far end of the spectrum.

to add to that depending on the degree (amount of significant figures) were used before hashing and converting, can far reduce the potential 'luck'.

this is why i feel the bitcoin foundation are rightly so in adding the new feature for version 0.9 of bitcoin-QT to not require random addresses per transaction.

Depends on how unrealistic you think Bitcoin will "take off".  The entire planet uses ~$4 trillion USD worth of currency, if we included demand deposits (M1) that number is still only ~$19T.  If Bitcoin replaced all other forms of currency (and demand deposits) on the planet (likely requiring some many wars to force the last of the resistant to bend to the Bitcoin overlord government) 1 Bitcoin would be worth ~$904,000 USD (in 2012 dollars purchasing power) and 1 satoshi would be worth ~0.9 US cents (2012 dollars purchasing power).  I think as unrealistic as this is (and the every address holds only 1 satoshi) we can consider them the theoretical upper bound.

http://www.bullionbullscanada.com/guest-commentary/dollardaze/5640-growth-of-global-money-supply


Even the M3 is only ~$60T.  This is not an apples to apples comparison because it includes non-currency financial accounts but lets say Bitcoin replaces those as well (there is no good reason just giving you the benefit of the doubt).  Even then 1 S would be worth about 3 US cents (2012 dollars purchasing power).  All private wealth on the planet is ~$135T that isn't even remotely close to currency including everything from real estate, to equity in companies, to debt ownership, to tangible goods (cars, planes, fine art, etc).  Still even if for reasons that escape comprehension the Bitcoin money supply was greater than all wealth on the planet we are still talking about 1 Satoshi is ~ 7 US cents.  The idea that a satoshi would ever represent a significant amount of wealth is just silly. 

Or bad RNGs in crappy JS wallet generators or hardware wallets.

Bitcoin cannot represent an amount that small, the maximum number of non-zero outputs is 21e14, and at that point the UTXO size would be about 44 petabytes.

If you want to speculate about tinier amounts inside the Bitcoin system proper, you'd have to hypothesize some hardfork to increase precision. At the same time, even today, with no protocol change you could freely use a 512 bit address (well, assuming you could convince the sending party to write a custom scriptpubkey).

And again: your speed of generation doesn't change the number of valuable utxo that exist; so its still only a linear attack.

This.  Also even if we look at addresses with a trivial amount of funds there is an upper limit at the number of funded addresses @ 2.1x10^15 addresses.  That would be the rediculous scenario of all Bitcoins mined, all of them in a seperate address holding one satoshi each and the attacker owns none of them. 

Still for the sake of argument 2.1x10^15 addresses in use.  Compared to 2^160 (1.5x10^48) it is a negligible number.  Say 5th of november's trillion addresses per second ASIC did exist and say a trillion idiots bought one and they all ran their machines for the next thousand years.  There is still a less than 1% chance that a single collision worth 1 satoshi would occur.

If collissions do occur it won't be because someone brute forces the addresses it will be because of an as of yet undiscovered flaw in ECDSA or one of the hashing algorithms which allow attacks at many dozens of magnitudes faster than brute force.

Assuming Bitcoin takes off, and your salary is 0.000000000000000000000000000000000340 satoshis or an even lower amount, then even 0.50 won't be that bad.

This is just simple math, not "opinion"—  but finding an arbitrary collision isn't relevant, getting two of your own addresses twice accomplishes nothing. You'd need to collide with an address which has been assigned a non-trivial amount of funds... so your trillions per second only gives you a linear speedup.

I am pretty sure that with multisig txes and so on there won't be a problem, however I am sure people will create and optimize ASICs to generate trillions or more addresses per second.

And in my opinion, you don't need to count to ~2^256 to find a collision. Perhaps even less than half of that may be enough for a single one.

Average 100 addresses/day by every person on the planet are likely enough to cover those addresses created automatically by software applications (because average guy is not really going to use that many addresses a day). But that doesn't really matter, because we can't have bitcoins on more than 2.1*10¹⁵ addresses at a time.

Large amounts really should be in one of those addresses that takes multiple private keys to spend.
And don't keep the keys together until you are ready to spend.

have you taken into account how many addresses bots will create

Or, y'know, math.

And assuming we use reliable enthropy source for ECDSA keys generation. If e.g. everybody starts using brain wallets, collisions of type BW against BW are rather possible (actually, those collisions are likely to be not even collisions but just identical private keys, generated from the same passphrase).

Of course, that's assuming ECDSA, SHA256, and RIPEMD-160 aren't broken.

This.  The fact that it is ~0% not 0% is hard for some people to grasp until you realize the odds of many other things people consider safe are many orders of magnitude more likely.  The odds that an asteroid will wipe out civilization as we know it is trillions of times more likely than the odds of a collision.  The odds that you (the person reading this post right now) already has terminal cancer, just doesn't know it year, and thus the risk of losing funds is pretty much academic isn't just trillions of times more likely it is thousands of quintillions of times more likely.  While I can't quantify it I would be willing to say that I am more likely to eat some random red pill given to me by a stranger and wake up in a Matrix pod then see a random collision in my lifetime.

Bitcoin address collisions are the things that could happen, but the chances are extremely small that it's not going to happen in practice and if it does have a party.