Bitcoin Forum
Topic: Isn't the output of SHA256 *slightly* too big to use for a private key?
deepceleron
October 16, 2013, 05:41:32 PM
Last edit: November 10, 2013, 09:25:37 PM by deepceleron
 #21

if the private key must not be 0, how come the address Armory generates from an all-0 private key has a balance? Bug in Armory?
https://blockchain.info/address/16QaFeudRUt8NYy2yzjm3BMvG4xBbAsBFM
The reason that particular Bitcoin address has a balance is that someone sent it bitcoins. You can send money to any Bitcoin address provided it numerically has a hash160 and valid checksum. You can even send if the address was just made up and there is no private key that can spend the money.

The reason that particular Bitcoin address still has a balance is that it was created with an invalid private key; it cannot be spent with the private key 0x000̅0. If client software uses the raw output of a 256 bit hash or allows any user-input key without checking validity, it is basically allowing people to lose their money. Even if the chance is extremely low, not checking the RNG or brainwallet hash for valid range is irresponsible.
blub
October 16, 2013, 08:31:46 PM
 #22

So basically there are ripemd hashes with no corresponding private key?
So the probability of an address collision is greater than the often cited 1/2^160?
Is there any information about how many hashes have no corresponding private keys?

BurtW
October 16, 2013, 08:36:17 PM
Last edit: October 16, 2013, 10:04:49 PM by BurtW
 #23

On average every Bitcoin address has about 2^(256-160) = 2^96 possible key pairs.

It would be very interesting to prove or disprove the following:

Every possible valid Bitcoin address has at least one corresponding valid key pair.




Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
maaku
October 16, 2013, 08:44:34 PM
 #24

So basically there are ripemd hashes with no corresponding private key?
So the probability of an address collision is greater than the often cited 1/2^160?
Is there any information about how many hashes have no corresponding private keys?

If ripemd160 works the way we think it does, every possible address has many, many private keys. The fortunate snag is that it would take longer than the lifetime of the universe to find one, if you started looking with today's technology (no quantum computer, no computronium the size of galaxies, no violations of the laws of thermodynamics, etc.). So what you're really asking is, how many (used?) addresses are there where the private (or public) key is not known? That's merely a reflection of our state of knowledge, and therefore a much less interesting question.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Meni Rosenfeld
October 16, 2013, 09:36:24 PM
Last edit: October 16, 2013, 09:46:45 PM by Meni Rosenfeld
 #25

Within the context of Pub = Priv * G, what is Pub if Priv is zero?  It looks to be undefined to me.
Elliptic curves form a group under point addition. As such they have an additive identity, which is the point at infinity. 0 * G is the identity of this group.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
BurtW
October 16, 2013, 10:12:14 PM
 #26

Within the context of Pub = Priv * G, what is Pub if Priv is zero?  It looks to be undefined to me.
Elliptic curves form a group under point addition. As such they have an additive identity, which is the point at infinity. 0 * G is the identity of this group.
Thanks!  ([re]learn something new every day)

So I corrected my post above and have a new question/comment regarding these posts:  

if the private key must not be 0, how come the address Armory generates from an all-0 private key has a balance? Bug in Armory?
https://blockchain.info/de/address/16QaFeudRUt8NYy2yzjm3BMvG4xBbAsBFM
So if the private key 0 gives us the Zero point on the curve, Zero = 0 * G, then 16QaFeudRUt8NYy2yzjm3BMvG4xBbAsBFM is just the Bitcoin address calculated from the Zero point.

BUT, there are many other valid points that will hash to the same address, therefore:

So basically there are ripemd hashes with no corresponding private key?
So the probability of an address collision is greater than the often cited 1/2^160?
Is there any information about how many hashes have no corresponding private keys?

is not true.  Besides the private key 0 there are many other valid private keys that will produce the address 16QaFeudRUt8NYy2yzjm3BMvG4xBbAsBFM, right?  

maaku
October 16, 2013, 10:39:59 PM
 #27

Yes, we think. Any such proof would depend on the properties of ripemd160(sha256), which are not themselves proven. But that's a mostly academic point.

Meni Rosenfeld
October 16, 2013, 10:44:49 PM
 #28

Within the context of Pub = Priv * G, what is Pub if Priv is zero?  It looks to be undefined to me.
Elliptic curves form a group under point addition. As such they have an additive identity, which is the point at infinity. 0 * G is the identity of this group.
Thanks!  ([re]learn something new every day)

So I corrected my post above and have a new question/comment regarding these posts:  

if the private key must not be 0, how come the address Armory generates from an all-0 private key has a balance? Bug in Armory?
https://blockchain.info/de/address/16QaFeudRUt8NYy2yzjm3BMvG4xBbAsBFM
So if the private key 0 gives us the Zero point on the curve, Zero = 0 * G, then 16QaFeudRUt8NYy2yzjm3BMvG4xBbAsBFM is just the Bitcoin address calculated from the Zero point.
I'll point out that I understand EC on real numbers better than on a finite field. I'm not sure exactly how the point at infinity would be represented and how it applies to our situation.

chriswilmer (OP)
October 16, 2013, 11:18:03 PM
 #29

Within the context of Pub = Priv * G, what is Pub if Priv is zero?  It looks to be undefined to me.
Elliptic curves form a group under point addition. As such they have an additive identity, which is the point at infinity. 0 * G is the identity of this group.
Thanks!  ([re]learn something new every day)

So I corrected my post above and have a new question/comment regarding these posts:  

if the private key must not be 0, how come the address Armory generates from an all-0 private key has a balance? Bug in Armory?
https://blockchain.info/de/address/16QaFeudRUt8NYy2yzjm3BMvG4xBbAsBFM
So if the private key 0 gives us the Zero point on the curve, Zero = 0 * G, then 16QaFeudRUt8NYy2yzjm3BMvG4xBbAsBFM is just the Bitcoin address calculated from the Zero point.
I'll point out that I understand EC on real numbers better than on a finite field. I'm not sure exactly how the point at infinity would be represented and how it applies to our situation.

It's just treated as a special case. There is no representation other than "it is the zero point".

It's like if you had an object that could be a number between 1 and 10 or a car. Your programming logic would be:

if a == "a car" { print "there is a car" }
else {
    if a < 5 { something }
    if a < 10 { something else }
}
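
The special case described in #29, together with the range check asked for in #21, as an added example that is not part of any post in this thread. It implements secp256k1 point arithmetic in Python with None standing in for the point at infinity; the function names and the passphrase helper are hypothetical, and the curve constants are the published secp256k1 parameters.

```python
import hashlib

# secp256k1 domain parameters (published SEC 2 constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INFINITY = None  # the identity has no (x, y); it is handled as a special case


def point_add(a, b):
    """Group law on y^2 = x^3 + 7 over GF(P)."""
    if a is INFINITY:
        return b
    if b is INFINITY:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY  # Q + (-Q) is the identity
    if a == b:
        slope = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent line
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P) % P   # chord line
    x3 = (slope * slope - x1 - x2) % P
    return (x3, (slope * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add. Not constant time; for illustration only."""
    result = INFINITY
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def is_valid_private_key(k):
    """A usable key is an integer in [1, N-1]; 0 and values >= N are rejected."""
    return 1 <= k < N


def key_from_passphrase(passphrase):
    """Hypothetical brainwallet-style derivation that refuses out-of-range output."""
    k = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    if not is_valid_private_key(k):
        raise ValueError("hash output outside [1, N-1]; choose another input")
    return k
```

Here scalar_mult(0) and scalar_mult(N) both return the sentinel rather than a coordinate pair, and scalar_mult(N + 1) returns G again, so a 256-bit value at or above N either has no public key or aliases a smaller key.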