By 2140 or later, what will the chance of a collision be?

[Decoded]

So currently there's ~500,000 new unique addresses being used in the blockchain each day. If there are 2^160 possible addresses, what will be the chance of a collision in 2140?

Let's factor in major adoption, so maybe bring the average unique addresses a day to 1mil?

[1713540549]

1713540549

[achow101]

2^160 is an unimaginably huge number. By 2140, we would have only searched through 3.028392091358222830033411687324789451682831716184306... × 10^-36% of all possible addresses. The odds for a collision are still basically 0.

[Decoded]

2^160 is an unimaginably huge number. By 2140, we would have only searched through 3.028392091358222830033411687324789451682831716184306... × 10^-36% of all possible addresses. The odds for a collision are still basically 0.

Ah, okay. If I'm not mistaken, generating addresses is just like hashing - randomly generating addresses until you find one that fits you (or in a regular user's case, the first address generated). That's how vanitygen works, right?

So what if we moved the equivalent of 1 exahash into address generating? This would surely create thousands to hundreds of thousands of addresses per second, greatly increasing the chance of a collision later on?

[achow101]

Ah, okay. If I'm not mistaken, generating addresses is just like hashing - randomly generating addresses until you find one that fits you (or in a regular user's case, the first address generated). That's how vanitygen works, right?

All that matters really is the hash160. So yes, it is hashing, but it is also generating the private key, getting the public key, and then hashing it with SHA256 and the result with RIPEMD160.

So what if we moved the equivalent of 1 exahash into address generating? This would surely create thousands to hundreds of thousands of addresses per second, greatly increasing the chance of a collision later on?

Still would be ridiculously small. You have to do something on the order of 10^40 addresses per day to even get out of the ridiculously huge number of decimal places area.

[DannyHamilton]

So what if we moved the equivalent of 1 exahash into address generating?

You clearly weren't paying attention when achow101 said:

2^160 is an unimaginably huge number.

The current world population is about 7.4 X 10⁹

Lets somehow imagine that every man, woman, and child in the world is running equipment that continuously generates 1 exa-address per second.  That includes infants, destitute and homeless poor people, and those laying in their deathbed in the hospitals.  EVERY man, woman, and child.

That's 1 X 10¹⁸ addresses per second per person times 7.4 X 10⁹ people = 7.4 X 10²⁷ addresses generated worldwide per second.

There are a bit less than 3.16 X 10⁷ seconds in a year.

Lets imagine that these 7.4 X 10⁹ run their equipment continuously 24 hours a day 7 days a week without any interruptions for maintenance for a century (100 years).  That's 3.16 X 10⁹ total seconds.

After all that, a total of a bit less than 2.34 X 10³⁷ addresses will have been generated.

That's completely unrealistic imaginary situation is still less than 0.0000000017 % of all the possible addresses.

Additionally, if you split up all the possible bitcoins that could ever exist into only 1 satoshi per address, you would have an absolute maximum of no more than 2.1 X 10¹⁵ addresses that have any value in them at all.  Therefore, even if you somehow beat those astronomical odds and found an address collision, you would be more than 1,000,000,000,000,000,000,000 timed more likely to have collided with an empty address than an address that has any bitcoins in it, and if you did collide with an address with any bitcoins, and if you also somehow beat those astronomical odds it would be extremely likely to have only 1 satoshi in it.

I'm doing this math for you and writing these numbers for you, but I'm concerned that you aren't going to understand just how unlikely this is.  With odds this small, there isn't any real difference from "impossible".  Yes, there are numbers there, but those numbers in the real world are effectively the same as saying it can't happen.

[Decoded]

Some say that quantum computers will be good at some things, and will be bad at others. What will a quantum computer's performance be on cryptographic hashing, and how do you know?

You clearly weren't paying attention when achow101 said:

2^160 is an unimaginably huge number.

Yes, but so is 1000000000*60*60*24*365.25*100.

[achow101]

Some say that quantum computers will be good at some things, and will be bad at others. What will a quantum computer's performance be on cryptographic hashing, and how do you know?

Quantum Computers are not faster at hashing. There are specific algorithms that are known to be able to take advantage of QCs. These algorithms are specifically attacks. None such exist for SHA256 or RIPEMD160. They are not any faster at hashing than classic computers.

[DannyHamilton]

You clearly weren't paying attention when achow101 said:

2^160 is an unimaginably huge number.

Yes, but so is 1000000000*60*60*24*365.25*100.

No.  It really isn't.  Perhaps this is why you are having difficulty seeing how much bigger one is that the other.
You think they are both "big"numbers so they must both be close in amount.

Here's an analogy that might help you understand the scale.

If you had 1000000000*60*60*24*365.25*100 carbon atoms packed together in a diamond, it would be a 0.000314 carat diamond.  Take a 0.5 carat diamond and smash it into almost 2000 dust particles, and one of those dust particles is 1000000000*60*60*24*365.25*100 carbon atoms.

Now, if you had 2¹⁶⁰ carbon atoms packed together in a diamond, it would have as much mass as the entire Earth.

One of those two numbers is VERY big.  The other one is quite tiny in comparison.

[piotr_n]

Here's an analogy that might help you understand the scale.

If you had 1000000000*60*60*24*365.25*100 carbon atoms packed together in a diamond, it would be a 0.000314 carat diamond.  Take a 0.5 carat diamond and smash it into almost 2000 dust particles, and one of those dust particles is 1000000000*60*60*24*365.25*100 carbon atoms.

Now, if you had 2¹⁶⁰ carbon atoms packed together in a diamond, it would have as much mass as the entire Earth.

brilliant analogy

[Dabs]

Danny, you amuse me. The poor guy clearly can not comprehend the vastness of these unimaginable numbers. To me, anything with more than 20 or 30 decimal digits is more than big enough, for me, to ignore any "possibility" of anything, anyone else is attempting to do. (Unless it's cracking my password, so I use at least 32 characters.)

OP, wait till you get to the topic of 256 bits. I think someone mentioned that as the "size of the sun". Actually larger. Bruce Schneier said something like that. My favorite quote from him: "brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."

Someone else also mentioned this as "totally out of reach of Mankind."

Even if you use all the dollars in the World (including the dollars which do not exist, such as accumulated debts) and fry the whole planet in the process, you can barely do 1/1000th of an exhaustive key search on 128-bit keys.

xkcd cartoon comic strip comes to mind. The cheapest and most effective "brute-force" method, to be able to get the "collision" you are looking for, costs less than $5000 USD to $10,000 USD. You hire a mob to stick up the guy who controls the private key you are looking for. This is also known as "rubber-hose cryptanalysis".

There's also the issue of heat dissipation, laws of thermodynamics, planck time units, the speed of light, and other stuff.

So ... it's "impossible", but "there's a chance."

[dreamer81]

This thread is hillarious. Thanks for the great analogies.

[philipma1957]

From wiki https://en.wikipedia.org/wiki/Drop_(unit)


one drop equals 1/96 teaspoon

So 96 = a teaspoon

6 teaspoons =  1 oz

128 oz = 1 gallon.

so 96 x 6 x 128 = 73,728 drops from an eyedropper is a gallon


3,000,000,000,000,000 gallons (11.4-quadrillion liters).  gallons in lake Superior or better yet

352,670,000,000,000,000,000 Gallons in Pacific Ocean (from google)


so 352,670,000,000,000,000 x 73,728 =   2.600165376 E22

or 26,001,653,760,000,000,000,000  drops in the pacific ocean   that is a lot.


now compare  3155760000000000000 to  2 to the 160 or  1.16920130986472E49  and

you get 3.7049753779271E30 to 1 chance

vs 2.600165376E22 to 1  Pacific Ocean  to a drop from an eyedropper

so it is about 140,000,000  harder to do it then to find 1 eyedrop in the Pacific Ocean


To Give an example  in my Life  the craziest long shot I was ever involved with is as follows.

  In 1990  My wife and I purchased a kitchen wall clock.  It was battery  not plug in.  We had owned a plug in wall clock which was the older tech so 2 AA battery driven wall clocks were newer back then.
My wife asked me how long do you think before the batteries run out.  

We lived in an apartment in Astoria ,Queens we wanted to buy a house. So I said  when we get out first house and I hang it up on the wall in the kitchen of the new house it will stop. So  about 2.5 years later.  I pulled the clock out of the box we packed it in and hung it on the wall in the kitchen of our first home.  The clocked stopped.  That is amazing lucky guess that I did.  So a  break  down :
           60 seconds in a minute
       3,600 seconds in an hour
      86,400 seconds in  a day.
31,536,000 seconds in a year
78,840,000 seconds in the time from the predication to the result



So  you would need to find that 1 drop in the Entire Pacific Ocean  then make a prediction like I did the correct second in  a 2.5 year time span   then flip a coin and call it in the air.  So If I live to 2140  (really likely ) I think this op long shot will not happen.

[Decoded]

From wiki https://en.wikipedia.org/wiki/Drop_(unit)


one drop equals 1/96 teaspoon

So 96 = a teaspoon

6 teaspoons =  1 oz

128 oz = 1 gallon.

so 96 x 6 x 128 = 73,728 drops from an eyedropper is a gallon


3,000,000,000,000,000 gallons (11.4-quadrillion liters).  gallons in lake Superior or better yet

352,670,000,000,000,000,000 Gallons in Pacific Ocean (from google)


so 352,670,000,000,000,000 x 73,728 =   2.600165376 E22

or 26,001,653,760,000,000,000,000  drops in the pacific ocean   that is a lot.


now compare  3155760000000000000 to  2 to the 160 or  1.16920130986472E49  and

you get 3.7049753779271E30 to 1 chance

vs 2.600165376E22 to 1  Pacific Ocean  to a drop from an eyedropper

so it is about 140,000,000  harder to do it then to find 1 eyedrop in the Pacific Ocean


To Give an example  in my Life  the craziest long shot I was ever involved with is as follows.

  In 1990  My wife and I purchased a kitchen wall clock.  It was battery  not plug in.  We had owned a plug in wall clock which was the older tech so 2 AA battery driven wall clocks were newer back then.
My wife asked me how long do you think before the batteries run out.  

We lived in an apartment in Astoria ,Queens we wanted to buy a house. So I said  when we get out first house and I hang it up on the wall in the kitchen of the new house it will stop. So  about 2.5 years later.  I pulled the clock out of the box we packed it in and hung it on the wall in the kitchen of our first home.  The clocked stopped.  That is amazing lucky guess that I did.  So a  break  down :
           60 seconds in a minute
       3,600 seconds in an hour
      86,400 seconds in  a day.
31,536,000 seconds in a year
78,840,000 seconds in the time from the predication to the result



So  you would need to find that 1 drop in the Entire Pacific Ocean  then make a prediction like I did the correct second in  a 2.5 year time span   then flip a coin and call it in the air.  So If I live to 2140  (really likely ) I think this op long shot will not happen.

The thing is that anything can happen. I can call a coin in the air a million times in a row if i'm lucky.

It's not about the chance. If there is a possibility, and if we continue at our current rate, there will be a collision. It's just about when.

[TransaDox]

Whilst everyone is banging on about how big these numbers are and coming up with all sorts of eloquent calculations and analogies to demonstrate. No one seems to have factored in to those calculations that for a collision, the general probability is over Sqrt(keyspace) and the keyspace diminishes as keys are discovered.

Magnitude of the entire keyspace is a poor proof.

[DannyHamilton]

No one seems to have factored in to those calculations that for a collision, the general probability is over Sqrt(keyspace) and the keyspace diminishes as keys are discovered.

Magnitude of the entire keyspace is a poor proof.

Collision itself isn't a problem.  Collision with an address that has bitcoins associated with it, or will at some time in the future have bitcoins associated with during a time while first generation of the key is still held, is a problem.  Without that, you'll never even know that a collision has occurred.

Since there won't be more than 2.1*10¹⁵ addresses that have bitcoins associated with them at any given point in time (and will probably always be significantly less than that), the probability of identifying a collision is much MUCH less than Sqrt(keyspace) would imply.

Note that those of us putting forth analogies don't really think that "every man, woman, and child in the world is running equipment that continuously generates 1 exa-address per second".  The point isn't that magnitude of the keyspace is huge, the point is that the amount of that keys that will be used by the year 2140 is extremely small in comparison to such a large number.

Note also that the OP asks about 2¹⁶⁰ addresses, but the total number of actual addresses currently possible is double that (2¹⁶¹) with the addition of P2SH addresses. In the future as additional address types are added, the total number of addresses possible will continue to grow.

[Dabs]

The thing is that anything can happen. I can call a coin in the air a million times in a row if i'm lucky.

It's not about the chance. If there is a possibility, and if we continue at our current rate, there will be a collision. It's just about when.

In "English", there is NO chance... If you are a mathematician or a statistician or an actuarial or a theoretical astrophysicist or whatever rocket scientist, yes there is a chance. After the Sun has eaten the Earth in 4 billion years. Heat death of the universe. Or after the grandchildren of your grandchildren are born. Whichever comes last.

Those insurance guys actually gamble against the odds of you not dying to make money on your premiums, that's what they do for a living.

Note also that the OP asks about 2¹⁶⁰ addresses, but the total number of actual addresses currently possible is double that (2¹⁶¹) with the addition of P2SH addresses. In the future as additional address types are added, the total number of addresses possible will continue to grow.

I can count uncompressed addresses, compressed addresses, and those P2SH multi-signature addresses. I think P2SH has a bunch of different possible functions too, not just multi-sig; that just happens to be the most popular usage of addresses that begin with 3.

[achow101]

I can count uncompressed addresses, compressed addresses, and those P2SH multi-signature addresses. I think P2SH has a bunch of different possible functions too, not just multi-sig; that just happens to be the most popular usage of addresses that begin with 3.

Danny is correct, there are only 2^161 possible addresses. This is because there are only two version numbers for Bitcoin addresses. Version 0 are the normal addresses and are used for compressed and uncompressed public key hashes. Then there is Version 5 which is for the hashes of ALL possible redeemscripts for p2sh.

[DannyHamilton]

I can count uncompressed addresses, compressed addresses, and those P2SH multi-signature addresses. I think P2SH has a bunch of different possible functions too, not just multi-sig; that just happens to be the most popular usage of addresses that begin with 3.

As achow101 has pointed out, in the situation being discussed here, there is no difference between a compressed or uncompressed key.  A compressed key that hashes to the same address as an uncompressed key will work perfectly fine to spend the bitcoins associated with that address (and vice versa).

There are many different scripts that can all be used with P2SH, but only 2¹⁶⁰ hashes possible as a result of hashing the script.  It isn't necessary to find "the script" that was used to generate the address in the first place.  It is only necessary to find "a script" that happens to hash to the same value.  If you can do that, then you can use your script to spend the bitcoins that are associated with the address without ever even knowing what the original script was.

[Syke]

The thing is that anything can happen. I can call a coin in the air a million times in a row if i'm lucky.

It's not about the chance. If there is a possibility, and if we continue at our current rate, there will be a collision. It's just about when.

That "when" is after the sun swallows the earth, at which point no one will be alive to see the collision. There will never be a collision.

[rico666]

There will never be a collision.

How about a bet?


Rico