Topic: Is it possible to generate the same adress twice? (Read 5719 times)

Both very good ones. I wonder if there's a market for a calender with daily "generating the same Bitcoin address twice is as likely as ______" ...

OK but wouldn't it be fairly simple to have an automatic check within all the clients and a simple prompt ..
 'this key pair already exits please try again'

It's been done. People just get tired of quoting the same stuff a few thousand times.  Yes, this same question gets asked again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, and again, etc.

Here:


Or if you prefer:

I would be funny if someone was taking the time to pair the possibility of a collision with facts like "winning a lottery 100 times in a row".
Not just saying something flashy but actually calculating the possibilities of both events.

Ok, new data, will recalc everything:

• probability of getting struck by lightning in any given year: 1/280000.
• probability of taking a shit at any given point in time: 1/(60*24) = 1/1440 (assuming you take a crap every day and the actual process takes 1 minute)
• probability of getting struck by lightning while taking a crap in any given year: 1/(280000*1440) = 1/1.47E11 = 2.48E-9
• probability of taking a crap while being in a situation where being struck by lightning can actually occur = 1/1440 = 0.25 = 1.74E-4
• probability of finding a collision: 1E-65
• getting hit by lightning while taking a crap for how many years in a row is equally probable as finding a collision: log(1E-65) / log(1.74E-4) = 17.3

is my math roughly correct now?

If so, I can say: "Finding a collision is about as likely as being struck by lightning while taking a crap every year for 17 years in a row".

One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzman constant. (Stick with me; the physics lesson is almost over.)

Given that k = 1.38×10^-16 erg/°Kelvin, and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume 4.4×10^-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

Now, the annual energy output of our sun is about 1.21×10⁴¹ ergs. This is enough to power about 2.7×10⁵⁶ single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2¹⁹². Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

But that's just one star, and a measly one at that. A typical supernova releases something like 10⁵¹ ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

Danny I'm always learning from you.

Yeah I screwed up my conversion. Perhaps too much caffeine today.

In fact, that number would be close to 4^41. So 42 digits.

Bitcoin Addresses are 256 digits

No just no

Then you get Deja-vu again.
Then you know something has been changed.. in the Matrix.

"Due to the incredibly small chance of this happening naturally, this event probably represents a fundamental flaw in the way Bitcoin addresses are generated. Sell all your coins and warn your close friends, then notify Gavin Andresen."

Well significantly longer.

A perfect computer, that is one that operates at the thermodynamic limit in absolute zero, using all the available energy of our sun can't count to 2^256 in the next 4 billion years before our sun burns out.  Yes we are talking far future science fiction, like using all the matter in our solar system to construct a star system sized super computer and the dyson sphere around the sun to power it.

This is just counting 0, 1, 2, 3, .... 2^256.  It isn't based on any current or future (Moore's law) computing power but the thermodynamic limit which is the efficiency limit of any cryptographic system.  Per linked article below you would need to capture the entire output of a supernova to has sufficient energy to count to 2^216 so given a sufficient number of perfect computers and the ability to capture without any loss the energy output of a super nova if you found and used roughly 1 trillion super novas one could count through all possible values o to 2^256.

I think Bruce Schneier says it best


http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html

DISCLAIMER (as people have taken this out of context before):
ECDSA like all public key cryptographic systems rely on certain mathematical properties to remain secure.  ECDSA relies on the fact that finding a discrete logarithm of an elliptic curve element with respect to a publicly known base point is computationally infeasible.  This is known as the discrete logarithm problem.   A common misnomer is that ECDSA relies on factoring large numbers but that applies to other systems like RSA which are not used in Bitcoin.  This principal has so far remained true and as such no faster than brute force attack exists at the current time.  Likewise a brute force attack while possible is infeasible due to the energy requirements of a 256 bit keyspace.  However like all public key cryptography, it is possible that ECDSA will eventually be compromised due to a flaw in its design or underlying principal allowing faster than brute force attacks.  Depending on the severity of the compromise it *may* be possible in the future to find a private key from a public key in a reasonable amount of time/energy.    The above cite is only based on brute force attack against a 256 bit private key like what would occur by computers randomly generating keys that happen to be one which is already in use.  Of course if ECDSA becomes degraded the Bitcoin protocol could be extended to use new more secure address types and smart users would migrate their funds to more secure addresses.  In the event of such a compromise (or quantum computing attack) Bitcoin provides a secondary layer of security by making the address a hash of the public key.  The public key is not known until funds are spent.  If one does not reuse addresses there is no known public key to attack against.

It would be better if it said "Bingo!  You've found someone else's address -- transferring all their funds now"

Everyone it seems in agreement. Yes its possible but no, it's so unlikely there is no need to worry about it.

OK but wouldn't it be fairly simple to have an automatic check within all the clients and a simple prompt ..
 'this key pair already exits please try again'

Getting Deja-vu on this topic but its nice to rehash once in a while. 

You can email the salt to yourself (and others) in plaintext.   The point of the salt is to prevent an attacker for just doing an attack against all possible keys using a dictionary.  If an attacker learns your salt then he can employ a dictionary or brute force attack against your private key however at that point you are no weaker than if you used no salt.

Possible but improbable.  That can be kind of disconcerting to people but understand this same "issue" existing in all public key cryptography.  For example I could just happen to create a private key that would allow me to impersonate your bank's SSL cert.  I could just happen to create a PGP private key which unlocks someone else encrypted messages.

It is possible but so improbable as to be considered essentially zero.

This calculation is based on Boltzmann's constant which is classical physics.  Not sure if quantum effects quantum computing can theoretically do better.