Bitcoin Forum
Topic: "New address for each payment" is a logic bomb (Read 9136 times)
Come-from-Beyond (OP) - November 15, 2013, 06:57:00 AM - #1

As you know, each time you make a payment Satoshi's client generates a new address to send change to. He (or someone else) also advised creating a new address each time someone needs to receive a payment (for anonymity reasons). The entropy of an address is 160 bits (due to the RIPEMD-160 "compression"). Applying the Birthday Paradox we get that when 2^80 addresses are created we will, likely, get a collision. This is not critical, because the "older" address will probably be empty. But this can be used in black PR against Bitcoin. An adversary (who is generating addresses non-stop) will be able to show 2 different public keys with the same address. Media will be happy to publish articles with a "Bitcoin completely broken" title...

SgtSpike - November 15, 2013, 06:59:01 AM - #2

I think the math works out that there's more Bitcoin addresses than there are atoms in the universe.  Basically, it's been talked about many times, and it's nothing to worry about.

Come-from-Beyond (OP) - November 15, 2013, 07:00:10 AM - #3

Quote from: SgtSpike
I think the math works out that there's more Bitcoin addresses than there are atoms in the universe. Basically, it's been talked about many times, and it's nothing to worry about.

You are talking about a case when you need to create a collision for one special address. Read http://en.wikipedia.org/wiki/Birthday_problem please.

SgtSpike - November 15, 2013, 07:02:00 AM - #4

Quote from: SgtSpike
I think the math works out that there's more Bitcoin addresses than there are atoms in the universe. Basically, it's been talked about many times, and it's nothing to worry about.
Quote from: Come-from-Beyond
You are talking about a case when you need to create a collision for one special address. Read http://en.wikipedia.org/wiki/Birthday_problem please.

But still, even if someone is generating billions of addresses a second for millions of years, the statistical odds are extremely low that they would find a collision even under those circumstances. I'm not a math whiz or I'd show you the proof, but I know the calculations have been done many times before, and always check out.

marcotheminer - November 15, 2013, 07:03:33 AM - #5

Quote from: SgtSpike
I think the math works out that there's more Bitcoin addresses than there are atoms in the universe. Basically, it's been talked about many times, and it's nothing to worry about.

True, BUT there is still the possibility of a collision!

Come-from-Beyond (OP) - November 15, 2013, 07:04:32 AM - #6

Quote from: SgtSpike
But still, even if someone is generating billions of addresses a second for millions of years, the statistical odds are extremely low that they would find a collision even under those circumstances. I'm not a math whiz or I'd show you the proof, but I know the calculations have been done many times before, and always check out.

You can generate addresses much faster because you don't need to know the private key. Pick any set of bytes and say it's a public key. 2^80 is not a big number.

Edit:
2^80 == (2^10)^8 ~ 1000^8 == 10^24.
And now look at the hash rate of the Bitcoin network.

JoelKatz - November 15, 2013, 07:09:49 AM - #7

Quote from: Come-from-Beyond
You can generate addresses much faster because you don't need to know the private key. Pick any set of bytes and say it's a public key. 2^80 is not a big number.

If you don't know the private key, then there's no attack. But even so ..

Quote from: Come-from-Beyond
Edit:
2^80 == (2^10)^8 ~ 1000^8 == 10^24.
And now look at the hash rate of the Bitcoin network.

Okay, it's 7 years with the full hashing power of all Bitcoin mining. And all such an attacker would have is an account that he himself had compromised. He'd be a long way from compromising anyone else's account.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN

Come-from-Beyond (OP) - November 15, 2013, 07:11:24 AM - #8

It's a PR attack. An attacker can even invest millions of freshly printed dollars.

JoelKatz - November 15, 2013, 07:12:55 AM - #9

Quote from: Come-from-Beyond
It's a PR attack.

You can launch a 51% attack just by expending more effort than all miners expend. Worrying about a PR attack that requires you to expend hundreds of times that effort is senseless.


Come-from-Beyond (OP) - November 15, 2013, 07:15:09 AM - #10

Quote from: JoelKatz
You can launch a 51% attack just by expending more effort than all miners expend. Worrying about a PR attack that requires you to expend hundreds of times that effort is senseless.

Maybe. As time passes the probability of a 51% attack goes to zero, while the probability of a collision attack goes to 100%.

JoelKatz - November 15, 2013, 07:18:10 AM - #11

Quote from: Come-from-Beyond
Maybe. As time passes the probability of a 51% attack goes to zero, while the probability of a collision attack goes to 100%.

We all know that Bitcoin will have to evolve or face technical obsolescence. We have no way to know *today* what changes will be correct in the future, though. Bitcoin still uses a near-optimum set of tradeoffs for today's technology because those decisions were made just a few years ago.

Bring this up again in about eight years.


darkmule - November 15, 2013, 06:11:00 PM - #12

Quote from: Come-from-Beyond
Media will be happy to publish articles with a "Bitcoin completely broken" title...

That wouldn't be the first completely moronic, uninformed media attention Bitcoin has survived.

I'm not sure we should make technical decisions based on the moronic, uninformed opinions of, well, morons. Seems the current system is inevitably going to lead to some measurable problems, while the alternative leads to a nearly unmeasurable chance of a problem. Also, if that completely breaks Bitcoin, then the mere existence of brain wallets using bad passphrases is much more of a worry.

Kouye - November 15, 2013, 07:40:45 PM - #13

I agree that the public address should be a 256-bit hash, too.
Why do we care about the size of the public base58 address, anyway?

It's either copied/pasted or QR-code-scanned; I'm pretty sure nobody has ever typed in an address char by char using a keyboard.
So why take the risk of restraining the 256-bit key pairs to fit in a collision-more-likely 160-bit public address?

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.

Come-from-Beyond (OP) - November 15, 2013, 07:43:22 PM - #14

Quote from: Kouye
So why take the risk of restraining the 256-bit key pairs to fit in a collision-more-likely 160-bit public address?

For security reasons. If the NSA knows how to reverse SHA-256, it may not know how to do the same with RIPEMD-160.

Kouye - November 15, 2013, 07:56:13 PM - #15

Quote from: Kouye
So why take the risk of restraining the 256-bit key pairs to fit in a collision-more-likely 160-bit public address?
Quote from: Come-from-Beyond
For security reasons. If the NSA knows how to reverse SHA-256, it may not know how to do the same with RIPEMD-160.

I can understand and agree with that, but there are other hash functions, it seems...
I'm not an expert at all, but after a quick search BLAKE2s came up, for example?


Come-from-Beyond (OP) - November 15, 2013, 08:01:57 PM - #16

Quote from: Kouye
I'm not an expert at all, but after a quick search BLAKE2s came up, for example?

Did BLAKE2 exist when Satoshi was coding Bitcoin? Also, RIPEMD-160 wasn't "sponsored" by the US govt, was it?

Kouye - November 15, 2013, 08:09:04 PM - #17

Quote from: Come-from-Beyond
Did BLAKE2 exist when Satoshi was coding Bitcoin? Also, RIPEMD-160 wasn't "sponsored" by the US govt, was it?

Maybe not, but the base58 RIPEMD-160 hash was mainly used to reduce the public address size, as far as I'm aware, which looks like a bad choice to me.
From what I read, progressively replacing the RIPE hash with a stronger non-sponsored one while maintaining backward compatibility would not be impossible.
So why not change now?


DeathAndTaxes - November 15, 2013, 08:10:52 PM - #18

Quote from: Kouye
I agree that the public address should be a 256-bit hash, too.

Why?

256-bit ECDSA only provides 128-bit security.

A 160-bit pubkey hash provides 160-bit security.

What would making the pubkeyhash larger accomplish other than bloating the blockchain?

Come-from-Beyond (OP) - November 15, 2013, 08:14:21 PM - #19

Quote from: DeathAndTaxes
A 160-bit pubkey hash provides 160-bit security.

Are you sure? I was thinking that a 160-bit hash provides 80-bit security.

cscape - November 15, 2013, 08:16:09 PM - #20

Quote from: Come-from-Beyond
You can generate addresses much faster because you don't need to know the private key. Pick any set of bytes and say it's a public key. 2^80 is not a big number.

Edit:
2^80 == (2^10)^8 ~ 1000^8 == 10^24.
And now look at the hash rate of the Bitcoin network.

Of course, when a normal miner checks a hash, it starts by checking that the top 32 bits are zero, which is a trivial operation. Checking for a collision against a growing database of up to 2^80 previous hashes is a lot more effort.

Happy with your c-scape product ? Consider a tip: 16X2FWVRz6UzPWsu4WjKBMJatR7UvyKzcy
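The thread keeps comparing two different attacks without naming them: a collision (any two inputs with the same 160-bit address hash, expected cost about 2^80 trials by the birthday bound; this is what the OP and post #19 mean by "80-bit security") and a second preimage (an input matching one specific existing address, expected cost about 2^160; this is what post #18 means by "160-bit security" and what "more addresses than atoms" refers to). The script below is an added worked example, not code from the posters or from Bitcoin Core. It computes the thread's numbers (birthday probability after 2^80 addresses, samples for even odds, JoelKatz's "7 years" at an assumed 5 PH/s, roughly the network rate in November 2013), then runs both searches on a hash truncated to a few bits so that the cost gap is visible in seconds. Assumptions: truncated SHA-256 stands in for hash160 in the toy search because some OpenSSL 3 builds ship without RIPEMD-160; the random 33-byte inputs stand in for public keys and are not valid secp256k1 points.

```python
"""Birthday-bound collision search versus a targeted (second) preimage search.

Added illustration for the thread above; not code from the forum posters or
from Bitcoin Core. A Bitcoin address commits to
hash160(pubkey) = RIPEMD-160(SHA-256(pubkey)), 160 bits.

  collision:       ANY two inputs with the same hash  -> ~2^(n/2) = 2^80 trials
  second preimage: an input matching ONE given hash   -> ~2^n     = 2^160 trials

The toy search truncates SHA-256 (stand-in: 'ripemd160' is missing from some
OpenSSL 3 builds) so both costs are observable. Inputs are random 33-byte
strings standing in for public keys; they are not valid secp256k1 points.
"""
import hashlib
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hash160(pubkey: bytes) -> bytes:
    """Bitcoin's address hash. Requires an OpenSSL build with RIPEMD-160 enabled."""
    return hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()


def collision_probability(samples: int, bits: int) -> float:
    """Birthday bound: P(some pair collides) ~= 1 - exp(-k^2 / 2^(n+1))."""
    return 1.0 - math.exp(-float(samples) ** 2 / 2.0 ** (bits + 1))


def samples_for_probability(p: float, bits: int) -> float:
    """Inverse of the above; p = 0.5 gives about 1.18 * 2^(n/2) samples."""
    return math.sqrt(2.0 ** (bits + 1) * math.log(1.0 / (1.0 - p)))


def years_at_hashrate(trials: float, hashes_per_second: float) -> float:
    """Wall-clock time to perform `trials` hashes at an aggregate rate."""
    return trials / hashes_per_second / SECONDS_PER_YEAR


def toy_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data) as an integer (truncated stand-in)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int):
    """Birthday search: hash fresh random inputs, remember every result, stop at
    the first repeat. Expected ~2^(bits/2) hashes, and here a table of the same
    size (the memory cost cscape raises; see the note below the code)."""
    seen = {}
    tries = 0
    while True:
        x = os.urandom(33)  # stand-in "public key": random bytes, not a curve point
        tries += 1
        h = toy_hash(x, bits)
        if h in seen and seen[h] != x:
            return seen[h], x, tries
        seen[h] = x


def find_second_preimage(target: bytes, bits: int, budget: int):
    """Targeted search for a different input with the same truncated hash as
    `target`. Expected ~2^bits hashes; returns None once `budget` is exhausted."""
    want = toy_hash(target, bits)
    for tries in range(1, budget + 1):
        x = os.urandom(33)
        if x != target and toy_hash(x, bits) == want:
            return x, tries
    return None


if __name__ == "__main__":
    # The thread's numbers: 160-bit hash, 2^80 samples, assumed ~5 PH/s (Nov 2013).
    print("P(collision) after 2^80 addresses: %.3f" % collision_probability(2 ** 80, 160))
    print("samples for 50%% collision odds: 2^%.2f"
          % math.log2(samples_for_probability(0.5, 160)))
    print("2^80 hashes at 5 PH/s: %.1f years" % years_at_hashrate(2 ** 80, 5e15))

    # Same budget of roughly 2^16 hashes: a 32-bit collision is routine,
    # a 32-bit second preimage almost never succeeds; 16 bits is what it buys.
    a, b, n = find_collision(32)
    print("32-bit collision after %d tries: %s / %s" % (n, a.hex()[:8], b.hex()[:8]))
    target = os.urandom(33)
    print("32-bit second preimage within 2^16 tries:",
          find_second_preimage(target, 32, 2 ** 16))
    print("16-bit second preimage:", find_second_preimage(target, 16, 2 ** 20))
```

Two caveats a practitioner would add to the thread. First, the hash table in find_collision is a simplification: parallel collision search with distinguished points (van Oorschot and Wiener) finds a collision with the same ~2^(n/2) work and negligible memory, so storage does not rescue the 80-bit figure. Second, a collision only pairs two keys the attacker generated himself, which is exactly JoelKatz's point; taking over somebody else's address is the second-preimage case at ~2^160, far beyond any hash rate discussed here.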