Bitcoin Forum

How many Kilojoule will it take to calculate the private key from the public key?
Is must be possible only with a lot of efford?

Simple version:  it can't be done.  Not with a computer, not with a bunch of really fast "next gen" processors, not with a dyson sphere and a planetary sized super computer which operates at the thermodynamic limit until our star burns out.

I think this sums it up the best.

http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html

start guessing  ;D

LOL
a threadkiller answer

Does having the public key even give you any information at all other than "nope, that's not the correct answer"?

Edit: also, to answer your question OP, never.

In classical computing knowing the public key removes the need to perform the address computation still given the amount of time/energy needed it is a negligible improvement (i.e. "only" need the energy output of 19 supernovas not 20 :) ).


Having the public key is important in some quantum computing attacks so either Satoshi was really lucky (on a lot of things) or he is a time traveler from the future.  Not re-using an address after you spend from it, means the public key is never publicly known.  That provides a level of quantum resistance for cold storage addresses.

in-fact the amount of energy required is quite a calculable problem.  The problem lies in the answer, where the energy is greater than all the energy in the universe.

At least four. Probably more.

I've been around IT long enough to know that predictions are the funnies for the next generation!

Going on the history of cryptography, an algorithm has a lifespan of about 40 years before brute force is practical, so I would say that if you lose your private key, you are in for a good new year in 2050 or so! ;)

The history of technology-assisted cryptography is really short. I wouldn't bet on the 40 year cycle becoming any kind of rule of thumb.

Lets at least keep the terminology correct.  A brute force on a 256 bit key is impossible by the thermodynamic limit.  It is impossible today, it will be impossible in fourty years, and in all likelihood baring some as of yet completely undiscovered energy breakthrough will still be impossible in 40,000 years. It isn't that we haven't yet built fast enough computers it is that even a perfect computer would take more energy than is available in our solar system.  If someone sent a 256 bit private key on a spaceship to the nearest star system it would take less energy to simply go retrieve it, then it would to try an brute force it.

Now it is possible that ECDSA has a cryptographic flaw, and in the coming years/decades this flaw will be discovered which will allow attacks FASTER THAN brute force attacks which render ECDSA vulnerable.  However even if that happens a brute force attack on 256 bit keys will still be impossible.  It is also possible no viable attack on ECDSA will be discovered in our lifetime.

Fermat's Last Theorem took a while to be proven, about 358 years. Start cracking a private key now, and let me know your progress in 3 centuries. Don't forget to save often.

My employees always complain about the occasional power failure that causes them to lose a day's work. I've since gotten UPS devices, but those things also fail after a couple of years and need replacements.

All right smart people. Now how about if we consider the block chain. So we are not crunching for a specific address but we are crunching for ANY address in the block chain. What is the probability for that to happen?

Still safe enough for you?

Yeah, for me anyway. The likelihood of finding a key at random is as likely as being struck by lightning while taking a crap every year for 17 years in a row (https://bitcointalk.org/index.php?topic=104461.msg1315279#msg1315279).

Also relevant:
https://i.imgur.com/drn3j.jpg

1.21 Jiggawatts!

depends on whether you've got a quantum computer or not ;D

also depends on how you're attacking the discrete logarithm problem. brute forcing the private key would take an enormous amount of energy.

i have heard of tricks to attack RSA keys but the trick doesn't apply to ECDSA.

The point I was trying to make is that technology moves the goalposts.  In 40 years time, cracking a 256 will be possible due to some other technological breakthrough such as a 256 hash rainbow table having been invented or because paralleled processing would have reached silly proportions. This will mean that you won't have to break the laws of physics to get your answer. 

The major downside of many of these predictions is that they always deal with the problem head on, and you don't tend to solve problems head on!

More importantly, the core element of bitcoin is not reliant on the crypto algorithm it uses - that can be changed  - and as such, future coins will still be safe as these new ways of cracking codes are discovered.

I don't think that's entirely correct. Because the private key is also hashed with RIPEMD160, the security of finding a private key that matches a public key is actually only 160 bits, not 256 bits. So, for someone trying a brute force attack against a private key, they have a much lower target because there are 2^96 private keys that correspond to each public key. However, given the assumptions in the linked article, the amount of energy is still ridiculous, something like all the energy that the earth gets from the sun continuously for an entire year just to go through those values. My calculations may be a little bit off though.

Instead of 10,000,000,000 years, it goes down an order of magnitude to 1,000,000,000 years. Still not worth it. Those star sized computers are most likely parallel 10,000,000 cores, each running at 10,000 gigahertz and they still can't store 256 hash rainbow tables.

It's a lot easier to threaten a living person with physical violence (or torture) to get them to give up their private key. It's even easier to just bug their house or computer to get their entire wallet.

I just saw in the wiki it says:"If you were to intentionally try to make a collision, it would currently take 2^107 times longer to generate a colliding Bitcoin address than to generate a block"
So if it would take +- 30 megajoule to generate a block than one could say it will take 4,867778305×10³³ megajoule to create a collision.