Bitcoin Forum
Author Topic: What if bitcoin addresses can be hacked  (Read 5936 times)
pieppiep (OP)
Hero Member
Activity: 1596
Merit: 502
September 29, 2012, 06:21:56 PM #1

Calculations of how much faster the hardware needs to be, to prove I can't just crack a bitcoin address:

I've found at https://en.bitcoin.it/wiki/Technical_background_of_Bitcoin_addresses how an address is calculated.
To generate a specific address that already has bitcoins I need to calculate on average 2^160 keys.

At http://www.bitcointrading.com/forum/bitcoin-software/vanitygen-vanity-bitcoin-address-generator-%28v0-17%29/ I found how quickly addresses can be generated.
The fastest graphics card for this has a rate of 23.5 Mkeys/second.

So let's round the generating speed to the nearest 2^x speed; we get 2^24 keys/second.
On average we need 2^160 / 2^24 = 2^136 seconds, or in more understandable human language, more time than the universe has existed.

If I want to be able to crack an address in less than a day, for example a little over 18 hours (to get a nice 2^x seconds), I have 2^16 seconds to do it, so I need to be 2^136 / 2^16 = 2^120 times faster than with the current hardware.

If I take into account that at the moment hardware still gets 2 times faster every 1.5 years, I need to wait 180 years for hardware capable of breaking a bitcoin address within one day.
So technically it is not (yet) possible to do this kind of thing.

My actual question:
What if someone or something is able to do this kind of calculation, and thus can spend every coin mined today, or is just very very very lucky and finds someone else's keys without hacking into other computers?
Will it be legal to spend the coins?
Math Man
Full Member
Activity: 150
Merit: 100
September 29, 2012, 07:17:14 PM #2

Finding someone's private key to take their bitcoins is hacking with the intent of theft.
hamdi
Hero Member
Activity: 826
Merit: 500
September 29, 2012, 07:57:38 PM #3

Second this!
Jutarul
Donator
Legendary
Activity: 994
Merit: 1000
September 29, 2012, 08:12:13 PM #4

If I take into account that at the moment hardware still gets 2 times faster every 1.5 years, I need to wait 180 years for hardware capable of breaking a bitcoin address within one day.
There are physical limits to computational power. One, which we already experience a lot, is the lack of power scaling. We already hit the limits. Thus any doubling of transistors usually doubles the energy requirements. I don't think conventional computers will ever be able to crack bitcoin keys.
However, DNA based computers may. They are much more parallel and have a better power efficiency.

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
MoonShadow
Legendary
Activity: 1708
Merit: 1007
September 29, 2012, 08:30:42 PM #5

In addition to the present impracticality of brute forcing key collisions, Bitcoin's internal design is modular and is thus capable of swapping in an alternative crypto algo and later deprecating the existing one without a hiccup. In fact, the current method of block hashing (just as an example) requires the use of SHA256 (Secure Hashing Algorithm, 256 bit) twice to produce a validatable block hash. One of these two algos is likely to be replaced with another similar algo yet to be created, without removing the second use of SHA256. This results in strengthening of the blockchain's brute force security without the risk of accidentally exposing it temporarily during the transition to another algo. Very likely, the second instance of SHA256 will not be replaced until yet another, better, algo is developed or SHA256 is shown to have a flaw.

In a similar manner, wallet.dat keys are created using elliptic curve public/private cryptography; but once a better algo is developed in the future, both the present form of creating addresses and the new form of creating addresses could coexist for a time, permitting users to migrate over time. Eventually, once the present (older) algo is no longer considered safe enough for the common hardware available, the old transactions long unspent on the blockchain using the old algo would likely only be "lost" coins, and thus be salvageable by natural law. I.e., ten years after the new algo came online there are still hundreds of old transactions on the blockchain decades old; those who can brute force those private keys first get to move them to a new algo address of their own. In the long run, even bitcoins are never lost.

EDIT: This modularity was an original design consideration. Present bitcoin addresses all begin with a [ 1 ] for this reason (testnet coin addresses all begin with a letter, IIRC), and thus future address algos can identify the algo used to produce them by the leading character. Yes, this too was on purpose. Satoshi was a far-thinking genius.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
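The address construction the OP links to, and the version-byte point in MoonShadow's edit above, as an added example that is neither from this thread nor from Bitcoin Core: Base58Check encoding of a version byte plus a 20-byte hash160, with checksum verification on decode. The version bytes 0x00 (mainnet P2PKH) and 0x6f (testnet P2PKH) are the real ones; the hash160 input is constructed sample bytes, not derived from any key.

```python
import hashlib

# Bitcoin's Base58 alphabet: no 0, O, I or l, so addresses survive transcription.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Real address version bytes; the leading Base58 character follows from them.
VERSION_MAINNET_P2PKH = 0x00   # encodes to an address starting with '1'
VERSION_TESTNET_P2PKH = 0x6f   # encodes to an address starting with 'm' or 'n'


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58_encode(raw: bytes) -> str:
    """Big-endian base-58 encoding; each leading zero byte becomes a '1'."""
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    return "1" * pad + digits


def base58_decode(text: str) -> bytes:
    """Inverse of base58_encode; ALPHABET.index raises ValueError on foreign characters."""
    pad = len(text) - len(text.lstrip("1"))
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def encode_address(version: int, hash160: bytes) -> str:
    """Base58(version || hash160 || first 4 bytes of sha256d(version || hash160))."""
    if len(hash160) != 20:
        raise ValueError("hash160 must be 20 bytes (RIPEMD-160 of SHA-256 of the pubkey)")
    payload = bytes([version]) + hash160
    return base58_encode(payload + sha256d(payload)[:4])


def decode_address(addr: str) -> tuple:
    """Return (version, hash160); reject anything whose length or checksum is wrong."""
    raw = base58_decode(addr)
    if len(raw) != 25:
        raise ValueError("address must decode to 25 bytes")
    payload, checksum = raw[:21], raw[21:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: address was mistyped or tampered with")
    return payload[0], payload[1:]


def is_valid_address(addr: str) -> bool:
    """True only for a well-formed address with a correct checksum."""
    try:
        decode_address(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = bytes(range(1, 21))   # constructed sample hash160, not from a real key
    for version in (VERSION_MAINNET_P2PKH, VERSION_TESTNET_P2PKH):
        addr = encode_address(version, sample)
        print(hex(version), addr, decode_address(addr)[0] == version)
```

The leading '1' of a mainnet address is the zero version byte showing through Base58, and the four-byte checksum is why a single mistyped character is rejected rather than silently sending coins to a different hash160.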
pieppiep (OP)
Hero Member
Activity: 1596
Merit: 502
September 30, 2012, 02:04:12 PM #6

Finding someone's private key to take their bitcoins is hacking with the intent of theft.
I didn't think of this simple answer, thanks! :)

In addition to the present impracticality of brute forcing key collisions, Bitcoin's internal design is modular and is thus capable of swapping in an alternative crypto algo and later deprecating the existing one without a hiccup. In fact, the current method of block hashing (just as an example) requires the use of SHA256 (Secure Hashing Algorithm, 256 bit) twice to produce a validatable block hash. One of these two algos is likely to be replaced with another similar algo yet to be created, without removing the second use of SHA256. This results in strengthening of the blockchain's brute force security without the risk of accidentally exposing it temporarily during the transition to another algo. Very likely, the second instance of SHA256 will not be replaced until yet another, better, algo is developed or SHA256 is shown to have a flaw.

In a similar manner, wallet.dat keys are created using elliptic curve public/private cryptography; but once a better algo is developed in the future, both the present form of creating addresses and the new form of creating addresses could coexist for a time, permitting users to migrate over time. Eventually, once the present (older) algo is no longer considered safe enough for the common hardware available, the old transactions long unspent on the blockchain using the old algo would likely only be "lost" coins, and thus be salvageable by natural law. I.e., ten years after the new algo came online there are still hundreds of old transactions on the blockchain decades old; those who can brute force those private keys first get to move them to a new algo address of their own. In the long run, even bitcoins are never lost.

EDIT: This modularity was an original design consideration. Present bitcoin addresses all begin with a [ 1 ] for this reason (testnet coin addresses all begin with a letter, IIRC), and thus future address algos can identify the algo used to produce them by the leading character. Yes, this too was on purpose. Satoshi was a far-thinking genius.
If it would be legal to salvage old coins after a change in the key algorithm, when will it be legal?
If, for example, I save some coins in a wallet on an old USB stick for when I retire, why would it be legal for someone to salvage those keys?
So, legal after 10 years? Or 100 years?

Another thing I just thought about: how can you ever find out who got your keys, with the anonymity of bitcoin?
vokain
Legendary
Activity: 1834
Merit: 1019
September 30, 2012, 07:41:01 PM #7

...

EDIT: This modularity was an original design consideration. Present bitcoin addresses all begin with a [ 1 ] for this reason (testnet coin addresses all begin with a letter, IIRC), and thus future address algos can identify the algo used to produce them by the leading character. Yes, this too was on purpose. Satoshi was a far-thinking genius.

This is fascinating, I was looking through the Bitcoin Paper and was wondering where someone could find more information like you had.
MoonShadow
Legendary
Activity: 1708
Merit: 1007
September 30, 2012, 09:19:34 PM #8

Finding someone's private key to take their bitcoins is hacking with the intent of theft.
I didn't think of this simple answer, thanks! :)

In addition to the present impracticality of brute forcing key collisions, Bitcoin's internal design is modular and is thus capable of swapping in an alternative crypto algo and later deprecating the existing one without a hiccup. In fact, the current method of block hashing (just as an example) requires the use of SHA256 (Secure Hashing Algorithm, 256 bit) twice to produce a validatable block hash. One of these two algos is likely to be replaced with another similar algo yet to be created, without removing the second use of SHA256. This results in strengthening of the blockchain's brute force security without the risk of accidentally exposing it temporarily during the transition to another algo. Very likely, the second instance of SHA256 will not be replaced until yet another, better, algo is developed or SHA256 is shown to have a flaw.

In a similar manner, wallet.dat keys are created using elliptic curve public/private cryptography; but once a better algo is developed in the future, both the present form of creating addresses and the new form of creating addresses could coexist for a time, permitting users to migrate over time. Eventually, once the present (older) algo is no longer considered safe enough for the common hardware available, the old transactions long unspent on the blockchain using the old algo would likely only be "lost" coins, and thus be salvageable by natural law. I.e., ten years after the new algo came online there are still hundreds of old transactions on the blockchain decades old; those who can brute force those private keys first get to move them to a new algo address of their own. In the long run, even bitcoins are never lost.

EDIT: This modularity was an original design consideration. Present bitcoin addresses all begin with a [ 1 ] for this reason (testnet coin addresses all begin with a letter, IIRC), and thus future address algos can identify the algo used to produce them by the leading character. Yes, this too was on purpose. Satoshi was a far-thinking genius.
If it would be legal to salvage old coins after a change in the key algorithm, when will it be legal?
If, for example, I save some coins in a wallet on an old USB stick for when I retire, why would it be legal for someone to salvage those keys?
So, legal after 10 years? Or 100 years?

Another thing I just thought about: how can you ever find out who got your keys, with the anonymity of bitcoin?

Legality in the context of the Bitcoin system is different than legality in greater society. Whether or not it was legal, from the perspective of the bitcoin network design, if it's possible it will happen. But don't jump to the conclusion that this will ever be a risk within the lifetimes of our grandchildren. This is something for future generations to solve.

MoonShadow
Legendary
Activity: 1708
Merit: 1007
September 30, 2012, 09:42:29 PM #9

...

EDIT: This modularity was an original design consideration. Present bitcoin addresses all begin with a [ 1 ] for this reason (testnet coin addresses all begin with a letter, IIRC), and thus future address algos can identify the algo used to produce them by the leading character. Yes, this too was on purpose. Satoshi was a far-thinking genius.

This is fascinating, I was looking through the Bitcoin Paper and was wondering where someone could find more information like you had.

The bitcoin white paper is really just a technical primer, and does not cover some of the more subtle details of the network.  Most of this info I've gleaned from resources & forum members over the past couple years, many of whom are the actual developers.  I don't recall from whom I received this particular piece of data.

An additional little tidbit, with regard to the brute force defensive security of the blockchain, is "checkpointing". Basically, this is a hardcoded list of hash values for particular blocks that is included with the official (and likely the other) client, which is added to with each minor release. The list cannot be altered except at the source code, and when a fresh client is "bootstrapping" it will check this list as it encounters each of those blocks from the network, in addition to not considering itself up-to-date unless both the peers it's connected to AND the last of the checkpoints on its list have been encountered. What this does is it prohibits a malicious set of peers from colluding to feed a new client a completely false blockchain (for what gain to the attackers, I don't know) without the fresh client knowing something was wrong, for even if an attacker were capable of finding a single hash for a fake block (perhaps granting the attacker an arbitrary amount of bitcoins, in the view of the client being attacked, even if temporarily) the odds of being able to do such a thing for all of the blocks on the checkpoint list (and still not get made on the interconnecting weave of transaction connections and other security measures regarding actual transaction data integrity) go up exponentially. No attack vector has ever been demonstrated in this fashion, but the sheer level of difficulty that this checkpoint list adds to the issue all but promises that it never will. And authors of alternative clients can use completely different checkpoint lists, further complicating the issue as the complexity of the blockchain grows.
For that matter, a developer could completely randomize the checkpoint list for each minor release, so the attacker would 1) have to know both the exact checkpoint list included in that release and 2) be able to fake substitutable blocks on the fly while 3) preventing the client under attack from making even one connection to an honest node with a complete copy of the real blockchain.

odolvlobo
Legendary
Activity: 4298
Merit: 3192
October 01, 2012, 01:49:41 AM #10

As long as it is more profitable to mine BTC than it is to find private keys, then there is no incentive to find private keys.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
mrb
Legendary
Activity: 1512
Merit: 1027
October 02, 2012, 05:10:38 AM #11

Calculations of how much faster the hardware needs to be, to prove I can't just crack a bitcoin address:

I've found at https://en.bitcoin.it/wiki/Technical_background_of_Bitcoin_addresses how an address is calculated.
To generate a specific address that already has bitcoins I need to calculate on average 2^160 keys.

At http://www.bitcointrading.com/forum/bitcoin-software/vanitygen-vanity-bitcoin-address-generator-%28v0-17%29/ I found how quickly addresses can be generated.
The fastest graphics card for this has a rate of 23.5 Mkeys/second.

So let's round the generating speed to the nearest 2^x speed; we get 2^24 keys/second.
On average we need 2^160 / 2^24 = 2^136 seconds, or in more understandable human language, more time than the universe has existed.

If I want to be able to crack an address in less than a day, for example a little over 18 hours (to get a nice 2^x seconds), I have 2^16 seconds to do it, so I need to be 2^136 / 2^16 = 2^120 times faster than with the current hardware.

If I take into account that at the moment hardware still gets 2 times faster every 1.5 years, I need to wait 180 years for hardware capable of breaking a bitcoin address within one day.
So technically it is not (yet) possible to do this kind of thing.

My actual question:
What if someone or something is able to do this kind of calculation, and thus can spend every coin mined today, or is just very very very lucky and finds someone else's keys without hacking into other computers?
Will it be legal to spend the coins?

This topic comes up every once in a while.

If someone can calculate key collisions quickly, then he can also calculate SHA256() quickly (or cryptographically break it), as this hash function is used to calculate Bitcoin addresses. But if he can calculate SHA256() quickly, he can also mine quickly, as mining is based on SHA256().

Therefore, what do you think is more profitable: running a GPU for "more time than the universe exists" to perhaps collide with a single address, or running it to mine and earn Bitcoins every day?

Obviously, address collision is computationally a non-issue.