By 2140 or later, what will the chance of a collision be?

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: calkob on November 04, 2016, 04:47:49 PM

Quote from: DannyHamilton on September 28, 2016, 09:51:26 PM

You clearly weren't paying attention when achow101 said:

Quote from: achow101 on September 28, 2016, 09:04:51 PM

2^160 is an unimaginably huge number.

Lets somehow imagine that every man, woman, and child in the world is running equipment that continuously generates 1 exa-address per second. That includes infants, destitute and homeless poor people, and those laying in their deathbed in the hospitals. EVERY man, woman, and child.

That's 1 X 10¹⁷ addresses per second per person times 7.4 X 10⁹ people = 7.4 X 10²⁶ addresses generated worldwide per second.
...

This is the best post i have ever read, thanks Danny Grin

Yeah - it's similar to these child frightening stories or pictures of the sun and some physics yadda.

Of course I can imagine that for someone who doesn't know that Exa means 10¹⁸ instead 10¹⁷ (hey - it's only one order of magnitude, e.g. 10 years instead of 100 years but who am I to judge), a number like 10⁴⁸ (roughly 2¹⁶⁰) must look pretty unimaginable.

For me, 10⁴⁸ is pretty imaginable. Intuitively I'd say it's the number of atoms of 1% of the Earth. So what?

Rico

calkob

hero member

Activity: 1106

Merit: 521

Quote from: DannyHamilton on September 28, 2016, 09:51:26 PM

Quote from: Decoded on September 28, 2016, 09:27:47 PM

So what if we moved the equivalent of 1 exahash into address generating?

You clearly weren't paying attention when achow101 said:

Quote from: achow101 on September 28, 2016, 09:04:51 PM

2^160 is an unimaginably huge number.

The current world population is about 7.4 X 10⁹

Lets somehow imagine that every man, woman, and child in the world is running equipment that continuously generates 1 exa-address per second. That includes infants, destitute and homeless poor people, and those laying in their deathbed in the hospitals. EVERY man, woman, and child.

That's 1 X 10¹⁷ addresses per second per person times 7.4 X 10⁹ people = 7.4 X 10²⁶ addresses generated worldwide per second.

There are a bit less than 3.16 X 10⁷ seconds in a year.

Lets imagine that these 7.4 X 10⁹ run their equipment continuously 24 hours a day 7 days a week without any interruptions for maintenance for a century (100 years). That's 3.16 X 10⁹ total seconds.

After all that, a total of a bit less than 2.34 X 10³⁶ addresses will have been generated.

That's completely unrealistic imaginary situation is still less than 0.00000000017 % of all the possible addresses.

Additionally, if you split up all the possible bitcoins that could ever exist into only 1 satoshi per address, you would have an absolute maximum of no more than 2.1 X 10¹⁵ addresses that have any value in them at all. Therefore, even if you somehow beat those astronomical odds and found an address collision, you would be more than 1,000,000,000,000,000,000,000 timed more likely to have collided with an empty address than an address that has any bitcoins in it, and if you did collide with an address with any bitcoins, and if you also somehow beat those astronomical odds it would be extremely likely to have only 1 satoshi in it.

I'm doing this math for you and writing these numbers for you, but I'm concerned that you aren't going to understand just how unlikely this is. With odds this small, there isn't any real difference from "impossible". Yes, there are numbers there, but those numbers in the real world are effectively the same as saying it can't happen.

This is the best post i have ever read, thanks Danny Grin

pepethefrog

member

Activity: 120

Merit: 13

Pepe is NOT a hate symbol

Quote from: Decoded on October 20, 2016, 11:33:16 PM

It's not about the chance. If there is a possibility, and if we continue at our current rate, there will be a collision. It's just about when.

Pepe agrees that an infinite number of collisions exist, because the size of the digest of the hash (32 byte) is smaller than all the "infinite" amounts of datasets that can act as input to the hash.
Pepe sees a much bigger problem in keeping track of all the hashes you already tried to actually be able to detect that a collision has been found.
So, next to extremely fast and vast computers you would also need extremely large data storage that can quickly be searched and correlated with the key you are currently generating.

amaclin

legendary

Activity: 1260

Merit: 1019

FYI:
https://bitcointalksearch.org/topic/reward-offered-for-hash-collisions-for-sha1-sha256-ripemd160-and-other-293382

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: TransaDox on October 26, 2016, 04:06:59 AM

I think you mean:

Code:

adr1 = ripemd160(sha256(pubkey(rand(2^256-2^160)+2^160)))
  for (a = 0 to 2^160) {
   adr2 = ripemd160(sha256(pubkey(a)))
   if (adr1 == adr2) {
   print "We got ourselves a collision!\n";
   }
  }

Yep. That's what I mean.

Rico

TransaDox

full member

Activity: 219

Merit: 102

Quote from: rico666 on October 26, 2016, 01:13:04 AM

a collision is when

Code:

while(1) {
  for (a = 0 to 2^160) {
   adr1 = ripemd160(sha256(pubkey(a)))
   adr2 = ripemd160(sha256(pubkey(rand(2^256-2^160)+2^160)))
   if (adr1 == adr2) {
   print "We got ourselves a collision!\n";
   }
}
}

I think you mean:

Code:

adr1 = ripemd160(sha256(pubkey(rand(2^256-2^160)+2^160)))
  for (a = 0 to 2^160) {
   adr2 = ripemd160(sha256(pubkey(a)))
   if (adr1 == adr2) {
   print "We got ourselves a collision!\n";
   }
}

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

What I think is important to state:

A collision is not the event when

Code:

while(1) {
  if (rand(2^256) == rand(2^256) {
   print "We got ourselves a re-used private key!\n";
  }
}

a collision is when

Code:

while(1) {
  for (a = 0 to 2^160) {
   adr1 = ripemd160(sha256(pubkey(a)))
   adr2 = ripemd160(sha256(pubkey(rand(2^256-2^160)+2^160)))
   if (adr1 == adr2) {
   print "We got ourselves a collision!\n";
   }
}
}

both is pseudo-code of course, one should not make any conclusions about probabilities of events because "one (the second one) seems to take longer".

Personally, I do not see how faith in bitcoin could be shattered if a collision is found, as - hopefully - everyone knows already that because of the 256->160 bit reduction in address generation there inherently are collisions, namely 2^96 private keys per address.

Even if two private keys do map to one address, the public key will still be different and I do not believe that even if cryptographers should have several examples of collisions they would be able to form a reverse-map attack against bitcoin.

Also the problem with "2 randomly generated private keys (using a working rndgen) ending up as one and the same" can never by proven to have happened, while the collision can.

Rico

DannyHamilton

legendary

Activity: 3528

Merit: 4945

Quote from: Dabs on October 25, 2016, 04:48:46 PM

I'll join the bet. Or, if you like, I can escrow the bet. I'll hold between 1 BTC to 10 BTC (each side contributes 5 BTC each)....

See, herein lies the problem...

Quote from: rico666 on October 25, 2016, 03:51:16 PM

Betting on the destruction of mankind is quite pointless if even one of the betting parties is human.

And betting on the destruction of bitcoin is quite pointless if the parties are using bitcoin as the prize.

If rico666 is correct and he wins the bet (there is a RIPEMD160 collision such that two private keys are shown to result in the same bitcoin address), then faith in bitcoin will be shattered and the amount he will win will be worthless at the time he collects it.

I suspect this is why is stated that the bet would be between $500 and $5000 (instead of stating that the bet would be between 0.7692 BTC and 7.6923 BTC).

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

I'll join the bet. Or, if you like, I can escrow the bet. I'll hold between 1 BTC to 10 BTC (each side contributes 5 BTC each).... And just so this is all fun, let's make it a multi-sig address. 3 of 6. Each one holds 2 keys, and of those 1 key held by an heir (in case you die in 25 years).

The problem lies when both of you or me get hit by the proverbial bus before 25 years is up. I propose an exact time in the future to the minute. Something like October 25, 2041, 12:01 AM or one minute after midnight of that day.

Or think of something along those lines.

If y'all don't know how to multi-sig, I propose a "simple" escrow where I hold the private key. If I die before 25 years, please come to my funeral, the private key will be on my person (engraved on tungsten, worn around my neck, ... or something.)

Syke

legendary

Activity: 3878

Merit: 1193

Quote from: rico666 on October 25, 2016, 01:37:09 PM

Quote from: Syke on October 21, 2016, 09:28:05 AM

There will never be a collision.

How about a bet?

In case it wasn't clear, I mean a collision of randomly-generated keys. Poorly generated keys like brain wallets are prone to collision.

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: DannyHamilton on October 25, 2016, 03:25:11 PM

Ah! So we aren't concerned about 2 people generating the same private key?

Ok then, I'll happily take that bet. How much do you want to put on it, and what timeframe? You'd have a better chance of winning if you bet that all human life on the earth will be destroyed by an asteroid in the next 25 years.

Well - I am not concerned about anything.

I thought about 25y timeframe, because compared with the "There will never be a collision." statement which provoked my reaction, this is very very soon. As for the sum to put on it, let me do some research 1st like what is usual in these "scientific" bets
https://en.wikipedia.org/wiki/David_Levy_(chess_player)#Computer_chess_bet
or rewards for solutions to "problems"
https://en.wikipedia.org/wiki/Paul_Erd%C5%91s#Erd.C5.91s.27_problems

so between $500 and $5000 of todays $?

BTW: Betting on the destruction of mankind is quite pointless if even one of the betting parties is human.

Rico

DannyHamilton

legendary

Activity: 3528

Merit: 4945

Quote from: rico666 on October 25, 2016, 03:17:32 PM

Quote from: ?? on ??

Collisions will occur (and have occurred) when people use random number generators with poor entropy, brain-wallets, or when they use poorly created wallet software.

That's not the definition of a collision.

The definition of a collision is: 2 different private keys will compute into one hash160.

I'm not the youngest anymore, but I'm quite confident we will see such a collision within the next 25 years.

Rico

Ah! So we aren't concerned about 2 people generating the same private key?

Ok then, I'll happily take that bet. How much do you want to put on it, and what timeframe? You'd have a better chance of winning if you bet that all human life on the earth will be destroyed by an asteroid in the next 25 years.

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: ?? on ??

Collisions will occur (and have occurred) when people use random number generators with poor entropy, brain-wallets, or when they use poorly created wallet software.

That's not the definition of a collision.

The definition of a collision is: 2 different private keys will compute into one hash160.

I'm not the youngest anymore, but I'm quite confident we will see such a collision within the next 25 years.

Rico

edit: Huh Danny? You teleported away?

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

Quote from: rico666 on October 25, 2016, 01:37:09 PM

Quote from: Syke on October 21, 2016, 09:28:05 AM

There will never be a collision.

How about a bet?

Rico

I'll take on that bet. However there must be a finite time; or deadline.. The odds are against me, so I'm not willing to wait a hundred years.

rico666

legendary

Activity: 1120

Merit: 1037

฿ → ∞

Quote from: Syke on October 21, 2016, 09:28:05 AM

There will never be a collision.

How about a bet?

Rico

Syke

legendary

Activity: 3878

Merit: 1193

Quote from: Decoded on October 20, 2016, 11:33:16 PM

The thing is that anything can happen. I can call a coin in the air a million times in a row if i'm lucky.

It's not about the chance. If there is a possibility, and if we continue at our current rate, there will be a collision. It's just about when.

That "when" is after the sun swallows the earth, at which point no one will be alive to see the collision. There will never be a collision.

DannyHamilton

legendary

Activity: 3528

Merit: 4945

Quote from: Dabs on October 21, 2016, 08:42:03 AM

I can count uncompressed addresses, compressed addresses, and those P2SH multi-signature addresses. I think P2SH has a bunch of different possible functions too, not just multi-sig; that just happens to be the most popular usage of addresses that begin with 3.

As achow101 has pointed out, in the situation being discussed here, there is no difference between a compressed or uncompressed key. A compressed key that hashes to the same address as an uncompressed key will work perfectly fine to spend the bitcoins associated with that address (and vice versa).

There are many different scripts that can all be used with P2SH, but only 2¹⁶⁰ hashes possible as a result of hashing the script. It isn't necessary to find "the script" that was used to generate the address in the first place. It is only necessary to find "a script" that happens to hash to the same value. If you can do that, then you can use your script to spend the bitcoins that are associated with the address without ever even knowing what the original script was.

achow101

staff

Activity: 3458

Merit: 6793

Just writing some code

Quote from: Dabs on October 21, 2016, 08:42:03 AM

I can count uncompressed addresses, compressed addresses, and those P2SH multi-signature addresses. I think P2SH has a bunch of different possible functions too, not just multi-sig; that just happens to be the most popular usage of addresses that begin with 3.

Danny is correct, there are only 2^161 possible addresses. This is because there are only two version numbers for Bitcoin addresses. Version 0 are the normal addresses and are used for compressed and uncompressed public key hashes. Then there is Version 5 which is for the hashes of ALL possible redeemscripts for p2sh.

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

Quote from: Decoded on October 20, 2016, 11:33:16 PM

The thing is that anything can happen. I can call a coin in the air a million times in a row if i'm lucky.

It's not about the chance. If there is a possibility, and if we continue at our current rate, there will be a collision. It's just about when.

In "English", there is NO chance... If you are a mathematician or a statistician or an actuarial or a theoretical astrophysicist or whatever rocket scientist, yes there is a chance. After the Sun has eaten the Earth in 4 billion years. Heat death of the universe. Or after the grandchildren of your grandchildren are born. Whichever comes last.

Those insurance guys actually gamble against the odds of you not dying to make money on your premiums, that's what they do for a living.

Quote from: DannyHamilton on October 21, 2016, 06:56:12 AM

Note also that the OP asks about 2¹⁶⁰ addresses, but the total number of actual addresses currently possible is double that (2¹⁶¹) with the addition of P2SH addresses. In the future as additional address types are added, the total number of addresses possible will continue to grow.

I can count uncompressed addresses, compressed addresses, and those P2SH multi-signature addresses. I think P2SH has a bunch of different possible functions too, not just multi-sig; that just happens to be the most popular usage of addresses that begin with 3.

DannyHamilton

legendary

Activity: 3528

Merit: 4945

Quote from: TransaDox on October 21, 2016, 04:29:38 AM

No one seems to have factored in to those calculations that for a collision, the general probability is over Sqrt(keyspace) and the keyspace diminishes as keys are discovered.

Magnitude of the entire keyspace is a poor proof.

Collision itself isn't a problem. Collision with an address that has bitcoins associated with it, or will at some time in the future have bitcoins associated with during a time while first generation of the key is still held, is a problem. Without that, you'll never even know that a collision has occurred.

Since there won't be more than 2.1*10¹⁵ addresses that have bitcoins associated with them at any given point in time (and will probably always be significantly less than that), the probability of identifying a collision is much MUCH less than Sqrt(keyspace) would imply.

Note that those of us putting forth analogies don't really think that "every man, woman, and child in the world is running equipment that continuously generates 1 exa-address per second". The point isn't that magnitude of the keyspace is huge, the point is that the amount of that keys that will be used by the year 2140 is extremely small in comparison to such a large number.

Note also that the OP asks about 2¹⁶⁰ addresses, but the total number of actual addresses currently possible is double that (2¹⁶¹) with the addition of P2SH addresses. In the future as additional address types are added, the total number of addresses possible will continue to grow.

Topic: By 2140 or later, what will the chance of a collision be? (Read 3445 times)