Topic: By 2140 or later, what will the chance of a collision be? (Read 3442 times)

Yeah - it's similar to these child frightening stories or pictures of the sun and some physics yadda.

Of course I can imagine that for someone who doesn't know that Exa means 10¹⁸ instead 10¹⁷ (hey - it's only one order of magnitude, e.g. 10 years instead of 100 years but who am I to judge), a number like 10⁴⁸ (roughly 2¹⁶⁰) must look pretty unimaginable.

For me, 10⁴⁸ is pretty imaginable. Intuitively I'd say it's the number of atoms of 1% of the Earth. So what?



Rico

This is the best post i have ever read, thanks Danny 

Pepe agrees that an infinite number of collisions exist, because the size of the digest of the hash (32 byte) is smaller than all the "infinite" amounts of datasets that can act as input to the hash.
Pepe sees a much bigger problem in keeping track of all the hashes you already tried to actually be able to detect that a collision has been found.
So, next to extremely fast and vast computers you would also need extremely large data storage that can quickly be searched and correlated with the key you are currently generating.

FYI:
https://bitcointalksearch.org/topic/reward-offered-for-hash-collisions-for-sha1-sha256-ripemd160-and-other-293382

Yep. That's what I mean.


Rico

I think you mean:

What I think is important to state:

A collision is not the event when


a collision is when


both is pseudo-code of course, one should not make any conclusions about probabilities of events because "one (the second one) seems to take longer".

Personally, I do not see how faith in bitcoin could be shattered if a collision is found, as - hopefully - everyone knows already that because of the 256->160 bit reduction in address generation there inherently are collisions, namely 2^96 private keys per address.

Even if two private keys do map to one address, the public key will still be different and I do not believe that even if cryptographers should have several examples of collisions they would be able to form a reverse-map attack against bitcoin.

Also the problem with "2 randomly generated private keys (using a working rndgen) ending up as one and the same" can never by proven to have happened, while the collision can.

Rico

See, herein lies the problem...


And betting on the destruction of bitcoin is quite pointless if the parties are using bitcoin as the prize.

If rico666 is correct and he wins the bet (there is a RIPEMD160 collision such that two private keys are shown to result in the same bitcoin address), then faith in bitcoin will be shattered and the amount he will win will be worthless at the time he collects it.

I suspect this is why is stated that the bet would be between $500 and $5000 (instead of stating that the bet would be between 0.7692 BTC and 7.6923 BTC).

I'll join the bet. Or, if you like, I can escrow the bet. I'll hold between 1 BTC to 10 BTC (each side contributes 5 BTC each).... And just so this is all fun, let's make it a multi-sig address. 3 of 6. Each one holds 2 keys, and of those 1 key held by an heir (in case you die in 25 years).

The problem lies when both of you or me get hit by the proverbial bus before 25 years is up. I propose an exact time in the future to the minute. Something like October 25, 2041, 12:01 AM or one minute after midnight of that day.

Or think of something along those lines.

If y'all don't know how to multi-sig, I propose a "simple" escrow where I hold the private key. If I die before 25 years, please come to my funeral, the private key will be on my person (engraved on tungsten, worn around my neck, ... or something.)

In case it wasn't clear, I mean a collision of randomly-generated keys. Poorly generated keys like brain wallets are prone to collision.

Well - I am not concerned about anything.  

I thought about 25y timeframe, because compared with the "There will never be a collision." statement which provoked my reaction, this is very very soon. As for the sum to put on it, let me do some research 1st like what is usual in these "scientific" bets
https://en.wikipedia.org/wiki/David_Levy_(chess_player)#Computer_chess_bet
or rewards for solutions to "problems"
https://en.wikipedia.org/wiki/Paul_Erd%C5%91s#Erd.C5.91s.27_problems

so between $500 and $5000 of todays $?


BTW: Betting on the destruction of mankind is quite pointless if even one of the betting parties is human.


Rico

Ah!  So we aren't concerned about 2 people generating the same private key?

Ok then, I'll happily take that bet.  How much do you want to put on it, and what timeframe?  You'd have a better chance of winning if you bet that all human life on the earth will be destroyed by an asteroid in the next 25 years.

That's not the definition of a collision.

The definition of a collision is: 2 different private keys will compute into one hash160.

I'm not the youngest anymore, but I'm quite confident we will see such a collision within the next 25 years.


Rico

edit: Huh Danny? You teleported away?

I'll take on that bet. However there must be a finite time; or deadline.. The odds are against me, so I'm not willing to wait a hundred years.

How about a bet?


Rico

That "when" is after the sun swallows the earth, at which point no one will be alive to see the collision. There will never be a collision.

As achow101 has pointed out, in the situation being discussed here, there is no difference between a compressed or uncompressed key.  A compressed key that hashes to the same address as an uncompressed key will work perfectly fine to spend the bitcoins associated with that address (and vice versa).

There are many different scripts that can all be used with P2SH, but only 2¹⁶⁰ hashes possible as a result of hashing the script.  It isn't necessary to find "the script" that was used to generate the address in the first place.  It is only necessary to find "a script" that happens to hash to the same value.  If you can do that, then you can use your script to spend the bitcoins that are associated with the address without ever even knowing what the original script was.

Danny is correct, there are only 2^161 possible addresses. This is because there are only two version numbers for Bitcoin addresses. Version 0 are the normal addresses and are used for compressed and uncompressed public key hashes. Then there is Version 5 which is for the hashes of ALL possible redeemscripts for p2sh.

In "English", there is NO chance... If you are a mathematician or a statistician or an actuarial or a theoretical astrophysicist or whatever rocket scientist, yes there is a chance. After the Sun has eaten the Earth in 4 billion years. Heat death of the universe. Or after the grandchildren of your grandchildren are born. Whichever comes last.

Those insurance guys actually gamble against the odds of you not dying to make money on your premiums, that's what they do for a living.


I can count uncompressed addresses, compressed addresses, and those P2SH multi-signature addresses. I think P2SH has a bunch of different possible functions too, not just multi-sig; that just happens to be the most popular usage of addresses that begin with 3.

Collision itself isn't a problem.  Collision with an address that has bitcoins associated with it, or will at some time in the future have bitcoins associated with during a time while first generation of the key is still held, is a problem.  Without that, you'll never even know that a collision has occurred.

Since there won't be more than 2.1*10¹⁵ addresses that have bitcoins associated with them at any given point in time (and will probably always be significantly less than that), the probability of identifying a collision is much MUCH less than Sqrt(keyspace) would imply.

Note that those of us putting forth analogies don't really think that "every man, woman, and child in the world is running equipment that continuously generates 1 exa-address per second".  The point isn't that magnitude of the keyspace is huge, the point is that the amount of that keys that will be used by the year 2140 is extremely small in comparison to such a large number.

Note also that the OP asks about 2¹⁶⁰ addresses, but the total number of actual addresses currently possible is double that (2¹⁶¹) with the addition of P2SH addresses. In the future as additional address types are added, the total number of addresses possible will continue to grow.

Whilst everyone is banging on about how big these numbers are and coming up with all sorts of eloquent calculations and analogies to demonstrate. No one seems to have factored in to those calculations that for a collision, the general probability is over Sqrt(keyspace) and the keyspace diminishes as keys are discovered.

Magnitude of the entire keyspace is a poor proof.

The thing is that anything can happen. I can call a coin in the air a million times in a row if i'm lucky.

It's not about the chance. If there is a possibility, and if we continue at our current rate, there will be a collision. It's just about when.

From wiki https://en.wikipedia.org/wiki/Drop_(unit)


one drop equals 1/96 teaspoon

So 96 = a teaspoon

6 teaspoons =  1 oz

128 oz = 1 gallon.

so 96 x 6 x 128 = 73,728 drops from an eyedropper is a gallon


3,000,000,000,000,000 gallons (11.4-quadrillion liters).  gallons in lake Superior or better yet

352,670,000,000,000,000,000 Gallons in Pacific Ocean (from google)


so 352,670,000,000,000,000 x 73,728 =   2.600165376 E22

or 26,001,653,760,000,000,000,000  drops in the pacific ocean   that is a lot.


now compare  3155760000000000000 to  2 to the 160 or  1.16920130986472E49  and

you get 3.7049753779271E30 to 1 chance

vs 2.600165376E22 to 1  Pacific Ocean  to a drop from an eyedropper

so it is about 140,000,000  harder to do it then to find 1 eyedrop in the Pacific Ocean


To Give an example  in my Life  the craziest long shot I was ever involved with is as follows.

  In 1990  My wife and I purchased a kitchen wall clock.  It was battery  not plug in.  We had owned a plug in wall clock which was the older tech so 2 AA battery driven wall clocks were newer back then.
My wife asked me how long do you think before the batteries run out.  

We lived in an apartment in Astoria ,Queens we wanted to buy a house. So I said  when we get out first house and I hang it up on the wall in the kitchen of the new house it will stop. So  about 2.5 years later.  I pulled the clock out of the box we packed it in and hung it on the wall in the kitchen of our first home.  The clocked stopped.  That is amazing lucky guess that I did.  So a  break  down :
           60 seconds in a minute
       3,600 seconds in an hour
      86,400 seconds in  a day.
31,536,000 seconds in a year
78,840,000 seconds in the time from the predication to the result



So  you would need to find that 1 drop in the Entire Pacific Ocean  then make a prediction like I did the correct second in  a 2.5 year time span   then flip a coin and call it in the air.  So If I live to 2140  (really likely ) I think this op long shot will not happen.

This thread is hillarious. Thanks for the great analogies.

Danny, you amuse me. The poor guy clearly can not comprehend the vastness of these unimaginable numbers. To me, anything with more than 20 or 30 decimal digits is more than big enough, for me, to ignore any "possibility" of anything, anyone else is attempting to do. (Unless it's cracking my password, so I use at least 32 characters.)

OP, wait till you get to the topic of 256 bits. I think someone mentioned that as the "size of the sun". Actually larger. Bruce Schneier said something like that. My favorite quote from him: "brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."

Someone else also mentioned this as "totally out of reach of Mankind."

Even if you use all the dollars in the World (including the dollars which do not exist, such as accumulated debts) and fry the whole planet in the process, you can barely do 1/1000th of an exhaustive key search on 128-bit keys.

xkcd cartoon comic strip comes to mind. The cheapest and most effective "brute-force" method, to be able to get the "collision" you are looking for, costs less than $5000 USD to $10,000 USD. You hire a mob to stick up the guy who controls the private key you are looking for. This is also known as "rubber-hose cryptanalysis".

There's also the issue of heat dissipation, laws of thermodynamics, planck time units, the speed of light, and other stuff.

So ... it's "impossible", but "there's a chance."

brilliant analogy

No.  It really isn't.  Perhaps this is why you are having difficulty seeing how much bigger one is that the other.
You think they are both "big"numbers so they must both be close in amount.

Here's an analogy that might help you understand the scale.

If you had 1000000000*60*60*24*365.25*100 carbon atoms packed together in a diamond, it would be a 0.000314 carat diamond.  Take a 0.5 carat diamond and smash it into almost 2000 dust particles, and one of those dust particles is 1000000000*60*60*24*365.25*100 carbon atoms.

Now, if you had 2¹⁶⁰ carbon atoms packed together in a diamond, it would have as much mass as the entire Earth.

One of those two numbers is VERY big.  The other one is quite tiny in comparison.

Quantum Computers are not faster at hashing. There are specific algorithms that are known to be able to take advantage of QCs. These algorithms are specifically attacks. None such exist for SHA256 or RIPEMD160. They are not any faster at hashing than classic computers.

Some say that quantum computers will be good at some things, and will be bad at others. What will a quantum computer's performance be on cryptographic hashing, and how do you know?


Yes, but so is 1000000000*60*60*24*365.25*100.

You clearly weren't paying attention when achow101 said:


The current world population is about 7.4 X 10⁹

Lets somehow imagine that every man, woman, and child in the world is running equipment that continuously generates 1 exa-address per second.  That includes infants, destitute and homeless poor people, and those laying in their deathbed in the hospitals.  EVERY man, woman, and child.

That's 1 X 10¹⁸ addresses per second per person times 7.4 X 10⁹ people = 7.4 X 10²⁷ addresses generated worldwide per second.

There are a bit less than 3.16 X 10⁷ seconds in a year.

Lets imagine that these 7.4 X 10⁹ run their equipment continuously 24 hours a day 7 days a week without any interruptions for maintenance for a century (100 years).  That's 3.16 X 10⁹ total seconds.

After all that, a total of a bit less than 2.34 X 10³⁷ addresses will have been generated.

That's completely unrealistic imaginary situation is still less than 0.0000000017 % of all the possible addresses.

Additionally, if you split up all the possible bitcoins that could ever exist into only 1 satoshi per address, you would have an absolute maximum of no more than 2.1 X 10¹⁵ addresses that have any value in them at all.  Therefore, even if you somehow beat those astronomical odds and found an address collision, you would be more than 1,000,000,000,000,000,000,000 timed more likely to have collided with an empty address than an address that has any bitcoins in it, and if you did collide with an address with any bitcoins, and if you also somehow beat those astronomical odds it would be extremely likely to have only 1 satoshi in it.

I'm doing this math for you and writing these numbers for you, but I'm concerned that you aren't going to understand just how unlikely this is.  With odds this small, there isn't any real difference from "impossible".  Yes, there are numbers there, but those numbers in the real world are effectively the same as saying it can't happen.

All that matters really is the hash160. So yes, it is hashing, but it is also generating the private key, getting the public key, and then hashing it with SHA256 and the result with RIPEMD160.

Still would be ridiculously small. You have to do something on the order of 10^40 addresses per day to even get out of the ridiculously huge number of decimal places area.

Ah, okay. If I'm not mistaken, generating addresses is just like hashing - randomly generating addresses until you find one that fits you (or in a regular user's case, the first address generated). That's how vanitygen works, right?

So what if we moved the equivalent of 1 exahash into address generating? This would surely create thousands to hundreds of thousands of addresses per second, greatly increasing the chance of a collision later on?

2^160 is an unimaginably huge number. By 2140, we would have only searched through 3.028392091358222830033411687324789451682831716184306... × 10^-36% of all possible addresses. The odds for a collision are still basically 0.

So currently there's ~500,000 new unique addresses being used in the blockchain each day. If there are 2^160 possible addresses, what will be the chance of a collision in 2140?

Let's factor in major adoption, so maybe bring the average unique addresses a day to 1mil?