Bitcoin Forum
Author Topic: Brute-forcing Bitcoin private keys  (Read 1084 times)
MrSolo (OP), Newbie (Activity: 20, Merit: 0)
March 01, 2021, 07:35:07 PM #1

Hey, I just want to ask if someone here has tried brute-forcing random Bitcoin wallets. I understand that some of you will give me big numbers about how impossible that is, but hear me out: there are more than 30.4 million Bitcoin wallets with a balance (source: Cointelegraph), so by dividing 2^256 by that number you still get a high number, but by studying the algorithms that create those wallets and the patterns that may exist, I think that number will be much lower. Add to that, if somehow you found thousands of people who are willing to brute force using a good algorithm for a couple of years straight, then what are the chances that you maybe find a wallet with a large balance?

And for people who may say this theory is crazy and not possible, I refer you to the guy who actually did just that for a couple of years and found the private keys of 3 small wallets.
This is like digging for gold, and with technology going up I believe one day it will be possible to brute force about 20-100 wallets each year using some crazy ASIC machine, and a whole industry will be built around just this idea.

This is just a theory of mine which made me curious; I would love to hear what you think other than "no, it's impossible".
dunfida, Legendary (Activity: 3080, Merit: 1131)
March 01, 2021, 07:59:40 PM #2

Brute-forcing or finding some collision is imaginable, but even your entire life won't be enough. So don't think about it or stress yourself trying.

hatshepsut93, Legendary (Activity: 2968, Merit: 2145)
March 01, 2021, 08:12:48 PM #3

> Hey, i just wanna ask if someone here has tried bruteforcing random bitcoin wallets, i understand that some of you will give me big numbers of how impossible that is, but hear me, there are more than 30.4 million bitcoin wallets with a balance (source:cointelegraph), so by dividing that 2^256 by that number you still get a high number

2^256 is of order 10^77, 30 million divided by it is of order 10^70. It's basically the same complexity for bruteforcing with modern equipment.

> but by studying the algos that create those wallets and patterns that may exist i think that number will be much lower, add to that if somehow you found thousands of people who are willing to brute force using a good algo for couple of years straight, then what are the chances that you maybe find a wallet with a large balance,

There are no patterns. Private keys are created with cryptographically secure random number generators, if they were weak, all our communications would be compromised.

> and for people who may say this theory is crazy and not possible i refere you to the guy who actually done just that for couple of years and found private keys of 3 small wallets.
> This is like digging for gold and by technology going up i believe oneday it will be possible to brute force about 20-100 wallets each year using some crazy asic machine and a whole industry will be built around just this idea.

Some people used some small numbers as their private keys, like 42 or 1337, perhaps as brain wallets, so if you try all keys from the start, you will find them. Big deal.

ReiMomo, Sr. Member (Activity: 2366, Merit: 305)
March 01, 2021, 09:30:13 PM #4

Lol, brute force is not an easy job; it will put too much workload on your computer to find a possible combination of the password.
Even brute-forcing your second password on blockchain.com, where you have an email address and your private key, will take a long time for you to recover your wallet.

It's purely a waste of your time. I have heard of many people trying to buy Bitcoin wallet files to brute force, but nothing happens.

TheBeardedBaby, Legendary (Activity: 2184, Merit: 3134)
March 01, 2021, 09:58:04 PM #5

> Hey, i just wanna ask if someone here has tried bruteforcing random bitcoin wallets, i understand that some of you will give me big numbers of how impossible that is, but hear me, there are more than 30.4 million bitcoin wallets with a balance (source:cointelegraph), so by dividing that 2^256 by that number you still get a high number, but by studying the algos that create those wallets and patterns that may exist i think that number will be much lower, add to that if somehow you found thousands of people who are willing to brute force using a good algo for couple of years straight, then what are the chances that you maybe find a wallet with a large balance,
>
> and for people who may say this theory is crazy and not possible i refere you to the guy who actually done just that for couple of years and found private keys of 3 small wallets.
> This is like digging for gold and by technology going up i believe oneday it will be possible to brute force about 20-100 wallets each year using some crazy asic machine and a whole industry will be built around just this idea.
>
> this is just a theory of mine which made me curious, would love to hear what you think other than no it's impossible.

Please post any links about the guy you refer to, because I have never heard of anyone brute-forcing any wallet except for brainwallets. So you say that in the future people will just brute force random wallets with alien technology; then anyone who has a Bitcoin wallet is in danger. If that's ever to happen, people will come up with a solution to that problem and make things more complicated so no one can brute force them. I won't be alive to see that, though.

bigvito19, Full Member (Activity: 706, Merit: 111)
March 01, 2021, 10:55:40 PM #6

You don't brute force them; it will take too long to do. No, you can't use an ASIC machine either.
shinohai, Full Member (Activity: 267, Merit: 109)
March 01, 2021, 11:03:52 PM #7

> would love to hear what you think other than no it's impossible

Translation: Because math is too hard, tell me some lies to make me feel better about being stupid.

Since 2^256 is likely a number larger than the number of atoms in the known universe, better get to crackin' with that abacus, or wait for the advent of quantum computers if/when machines capable of doing this come to exist in our lifetimes.

pooya87, Legendary (Activity: 3444, Merit: 10550)
March 02, 2021, 03:26:26 AM #8

> This is like digging for gold

No it is not. When you find gold in the earth, that gold doesn't belong to anyone. But if you find a funded private key, those coins belong to someone and it is considered robbery to take them.

> i believe oneday it will be possible to brute force about 20-100 wallets each year using some crazy asic machine and a whole industry will be built around just this idea.

Every cryptography algorithm has an expiration date when it becomes weak and is no longer used. But long before it reaches that date, it is always replaced by a stronger one; we have been doing this replacement for 2 centuries. Keep in mind that a lot of what you do on the internet depends on ECC and similar algorithms, it is not just Bitcoin.

ranochigo, Legendary (Activity: 2954, Merit: 4166)
March 02, 2021, 03:40:19 AM #9

> by studying the algos that create those wallets and patterns that may exist i think that number will be much lower, add to that if somehow you found thousands of people who are willing to brute force using a good algo for couple of years straight, then what are the chances that you maybe find a wallet with a large balance,

The complexity of those would still be fairly high, unless a weak RNG is used, which could possibly lower the keyspace due to its non-random generation. That's what some of the brute-forcing projects are attempting to do by getting these weak keys.

> and for people who may say this theory is crazy and not possible i refere you to the guy who actually done just that for couple of years and found private keys of 3 small wallets.

Possibly weak keys.

> This is like digging for gold and by technology going up i believe oneday it will be possible to brute force about 20-100 wallets each year using some crazy asic machine and a whole industry will be built around just this idea.
>
> this is just a theory of mine which made me curious, would love to hear what you think other than no it's impossible.

Current ASICs cannot be used to generate addresses, but it should be fairly simple to do so as well. Other than the speed (which we have established would have to generate addresses extremely quickly), you'll have to compare the addresses generated to those addresses that currently have any bitcoins, which could present itself as a slight bottleneck depending on the way it gets designed.

NotATether, Legendary (Activity: 1596, Merit: 6728)
March 02, 2021, 03:48:22 AM #10

Brute forcing works by hashing a bunch of generated public keys into RIPEMD160 and as such the difficulty of brute forcing P2PKH/P2WPKH is only 160 bits since this is now reduced to comparing RIPEMD160 hashes against that of the target address.

The old-school P2PK addresses are much harder to brute force since those are actually 256 bits long and aren't hashed.

odolvlobo, Legendary (Activity: 4298, Merit: 3214)
March 02, 2021, 05:01:04 AM #11

> The old-school P2PK addresses are much harder to brute force since those are actually 256 bits long and aren't hashed.

That's an odd thing to say because you don't need the hashing steps when brute forcing public keys, which means it is faster.

BlackHatCoiner, Legendary (Activity: 1512, Merit: 7355)
March 02, 2021, 07:32:28 AM #12

> Since 2^256 is likely a number larger than the number an atoms in the known universe, better get to crackin' with that abacus or wait for the advent of quantum computers if/when machines capable of doing this come to exist in our lifetimes.

2^256 is not the number of the addresses. Even if you brute force private keys, that are around 2^256, you want to find a collision, not necessarily someone's private key. A RIPEMD-160 hash (which is the address decoded) is 160 bits long, which means 2^160. So you're brute forcing this number:

1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

Since private keys are ~2^256 and all possible combinations of addresses 2^160, then you're trying to find one of the ~2^96 private keys that collide with the same address. So next time you create an address, keep in mind that besides your private key, there are around 79,228,162,514,264,337,593,543,950,335 more.

casperBGD, Legendary (Activity: 2156, Merit: 1151)
March 02, 2021, 07:47:43 AM #13

> 2^256 is not the number of the addresses. Even if you brute force private keys, that are around 2^256, you want to find a collision, not necessarily someone's private key. A RIPEMD-160 hash (which is the address decoded) is 160 bits long, which means 2^160. So you're brute forcing this number:
>
> 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976
>
> Since private keys are ~2^256 and all possible combinations of addresses 2^160, then you're trying to find one of the ~2^96 private keys that collide with the same address. So next time you create an address, keep in mind that besides your private key, there are around 79,228,162,514,264,337,593,543,950,335 more.

I did not understand this well. Do you want to say that besides the private key I am holding for my address there is around this number of private keys that will resolve into my address, or something else? If that is a fact, I really did not know that, but that does not seem like a good thing, does it?
NotATether, Legendary (Activity: 1596, Merit: 6728)
March 02, 2021, 07:48:39 AM #14

> > The old-school P2PK addresses are much harder to brute force since those are actually 256 bits long and aren't hashed.
>
> That's an odd thing to say because you don't need the hashing steps when brute forcing public keys, which means it is faster.

You are right about each individual key being searched faster, but look at it this way:

When you are trying to find the private key of an address, each private key you randomly generate has to be turned into a public key, and then hashed, to check if it matches the address. There are only 2^160 possible RIPEMD160 values, and multiple public keys having the same hash is a non-issue because of the enormous size of 2^160.

Whereas if I only have a public key and I want to find the private key of that, there are two ways I could do it:

- Don't compute any hashes; turn all the private keys generated into public keys and compare those directly. This forces me to search the entire 256-bit space because without hashing I can't tell which public keys have the same hash160 and therefore the same base58 address.
- Or I could compute the hash of the target public key and also of all the pubkeys I generate, which makes the problem no different from finding a public key from an address.

So I may be searching each pubkey faster, but I'm also needlessly searching pubkeys that have the same address.

BlackHatCoiner, Legendary (Activity: 1512, Merit: 7355)
March 02, 2021, 07:57:45 AM #15

> do you want to say that beside private key that I am holding for my address there is around this number private keys that will resolve into my address or something else?

Yes.

> if that is a fact, I really did not know that, but that does not seems as a good thing, is it?

It depends on what you mean by "a good thing". Brute forcing 2^160 is an insanely huge number. Even if 2^256 is of course 2^96 times 2^160, which is even bigger, it is crazy to think that you can find one of those 2^96. So saying that 2^160 is less secure than 2^256 is like saying that it's safer to keep your money on Pluto rather than Jupiter. Both are far away; there is no point in calculating distances.

lidibibi, Newbie (Activity: 2, Merit: 0)
March 02, 2021, 09:36:21 AM #16

It requires a lot of resources. I doubt it can be successful. Maybe lucky...
MrSolo (OP), Newbie (Activity: 20, Merit: 0)
March 02, 2021, 11:06:26 AM #17

Well, as I can see, many of the replies are about how hard it is; I do understand that. Let me give you an example of bitaddress.org, which was used by many people back in the day to buy Bitcoin. What are the chances that someone made a wallet, transferred some bitcoins to it and forgot about it? I can refer you to this: https://www.reddit.com/r/Bitcoin/comments/1rli5i/if_someone_cracks_bitaddressorgs_number_generator/

But again, maybe the fact that there are 30+ million wallets without hearing about one wallet collision is proof of how impossible it is. And my point with this topic is that people who say 2^256 are discounting the number of wallets that are out there with a balance, so you're not targeting one wallet but 40+ million and a growing number of wallets; maybe one day it will be billions of wallets. So with technology going up, the chances of brute force get higher with every year, not lower.
ranochigo, Legendary (Activity: 2954, Merit: 4166)
March 02, 2021, 12:20:50 PM #18

> Well as i can see that many of the replies are about how hard it is, i do understand that, let me give you an example of bitaddress.org which was used by many people back in the day to buy bitcoin, what are the chances that someone made a wallet and transfered some bitcoins to it and forgot about it, i can refere you to this https://www.reddit.com/r/Bitcoin/comments/1rli5i/if_someone_cracks_bitaddressorgs_number_generator/

Then you are exploiting a potentially flawed PRNG, which has been done and is completely feasible. Bitaddress uses randomness from different sources, which would make it harder as you'll have to replicate both the tracked mouse movement as well as the randomness that was generated when the user entered the page.

These attacks can only work if they are using predictable variables as an entropy source. If and only if you can find a pattern in that generation, then you can reduce the search space significantly. Under no circumstances should any wallet be generated using a flawed PRNG. Brainwallet stealing works similarly to the above, as humans are generally terrible at producing anything with sufficient entropy.

shinohai, Full Member (Activity: 267, Merit: 109)
March 02, 2021, 02:00:19 PM #19

> > Since 2^256 is likely a number larger than the number an atoms in the known universe, better get to crackin' with that abacus or wait for the advent of quantum computers if/when machines capable of doing this come to exist in our lifetimes.
>
> 2^256 is not the number of the addresses. Even if you brute force private keys, that are around 2^256, you want to find a collision, not necessarily someone's private key. A RIPEMD-160 hash (which is the address decoded) is 160 bits long, which means 2^160. So you're brute forcing this number:
>
> 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976
>
> Since private keys are ~2^256 and all possible combinations of addresses 2^160, then you're trying to find one of the ~2^96 private keys that collide with the same address. So next time you create an address, keep in mind that besides your private key, there are around 79,228,162,514,264,337,593,543,950,335 more.

I never said this was the number of addresses. Plenty of tools exist to find collisions, though OP strikes me as the type that would be more interested in playing the lottery and bashing up something to search https://allprivatekeys.com/ or something.

o_e_l_e_o (In memoriam), Legendary (Activity: 2268, Merit: 18510)
March 02, 2021, 02:29:44 PM #20 (Merited by ABCbits (1), BlackHatCoiner (1))

> and my point with this topic is that people who say 2^256 and discounting the amount of wallets that are out there with a balance so you're not targeting one wallet but +40mill and growing amount of wallets. maybe oneday it will be billions of wallets.

It still doesn't matter. You are failing to comprehend the sheer size of the numbers we are talking about here.

2^160 is the collision space for finding a private key which matches a specific address. This is the equivalent of trying to pick one single specific atom out of all the atoms in the entire world.

Now let's consider your "billions of wallets" situation. Let's use water as an example, and instead of "billions", let's ramp it up to 8 billion billion - enough for every person in the world to have a billion addresses. 8 billion billion molecules of water, divided by Avogadro's constant, multiplied by the molar mass of water, gives 0.0002 milliliters of water. That's about 0.5% of the volume of a single drop of water. Let's spread all the molecules in that 1/200th of a single drop of water around and inside the entire planet. How likely is it going to be to find one?

You can ramp this example up by many more orders of magnitude before you approach something that is even remotely within the realm of possibility.
MrSolo (OP), Newbie (Activity: 20, Merit: 0)
March 02, 2021, 02:34:53 PM #21

> I never said this was number of addresses. Plenty of tools exist to find collisions, though OP strikes me as the type that would be more interesting in playing the lottery and bashing up something to search https://allprivatekeys.com/ or something.

I had never heard of this website, but it's proof of exactly what I said, which is that they found 19321 private keys in 50771 Bitcoin addresses with transactions, just for Bitcoin addresses. So to people who say it's not possible, here is good proof that it is possible and can be done with a large enough group with good machines and some luck.
shinohai, Full Member (Activity: 267, Merit: 109)
March 02, 2021, 02:42:36 PM #22

> never heard of this website, but it's proof of exactly what i said which is they found 19321 private keys in 50771 Bitcoin addresses with transactions. just for bitcoin addresses so to people who say it's not possible here is a good proof that it is possible and can be done with a large enough of group with good machines with some luck

The addresses on that site *could* be - as has already been mentioned in this thread - collisions, and NOT keys that were simply cracked by brute force, ya know.

o_e_l_e_o (In memoriam), Legendary (Activity: 2268, Merit: 18510)
March 02, 2021, 02:43:41 PM #23

> never heard of this website, but it's proof of exactly what i said which is they found 19321 private keys in 50771 Bitcoin addresses with transactions.

They did not brute force a single private key, though. What they did was brute force brain wallets, which is something completely different.

Brain wallets take a human entered string - such as a word, phrase, or random characters - and use it as an input to a hash function. The output of the hash function is used as a private key. If you guess the input, then you can work out the private key. Since humans are terrible at being random, terrible at coming up with passwords, and terrible for reusing these passwords, many people reused passwords they used elsewhere as brain wallets, or used a line from a book, a lyric from a song, a movie quote, and so on. All of these are easily guessed.

There are multiple databases of thousands of hacked brain wallets, and there are bots constantly monitoring millions of brain wallet addresses ready to steal any coins which are sent to them. None of this is the same as brute forcing a private key.
shinohai, Full Member (Activity: 267, Merit: 109)
March 03, 2021, 04:28:32 PM #24

> > never heard of this website, but it's proof of exactly what i said which is they found 19321 private keys in 50771 Bitcoin addresses with transactions. just for bitcoin addresses so to people who say it's not possible here is a good proof that it is possible and can be done with a large enough of group with good machines with some luck
>
> It's proof that brainwallets and private keys chosen by a human/generated with a weak RNG are vulnerable to brute-force attacks and a few other attacks (such as dictionary attacks for brainwallets).

Precisely this. OP may find http://www.loper-os.org/bad-at-entropy/manmach.html interesting if he wishes to see just how bad humans are at entropy.

NotATether
Legendary
March 03, 2021, 05:21:34 PM
 #25

Bitaddress uses randomness from different sources which would make it harder as you'll have to replicate both the tracked mouse movement as well as the randomness that was generated when the user enters the page.

These attacks can only work if they are using predictable variables as an entropy source. If and only if you can find a pattern in that generation, then you can reduce the search space significantly.

I'd argue that people should not be using PRNGs seeded with cryptographically secure entropy to make private keys, especially on browsers (which is the only method they have, they have no CSRNGs), because you're relying on the webpage to supply good-enough entropy. Mouse and keyboard input that's made during (not before) entropy gathering can also be tracked within the browser and webpage itself, so all it takes is a malicious addon that tracks such movement and they can re-derive the entropy. When a PRNG is used this also allows them to make the private key too.

ranochigo
Legendary
March 04, 2021, 03:01:58 AM
 #26

I'd argue that people should not be using PRNGs seeded with cryptographically secure entropy to make private keys, especially on browsers (which is the only method they have, they have no CSRNGs), because you're relying on the webpage to supply good-enough entropy. Mouse and keyboard input that's made during (not before) entropy gathering can also be tracked within the browser and webpage itself, so all it takes is a malicious addon that tracks such movement and they can re-derive the entropy. When a PRNG is used this also allows them to make the private key too.
The script itself is secure enough and provides sufficient randomness against any brute-forcing attack, and that is the main point of the topic. I think we have to eliminate any malicious party that could intentionally modify the entropy sources to make it less random... Running a phishing site with a pre-defined seed is sufficient for this. Malicious add-ons and stuff like that shouldn't matter because the webpage isn't designed to run on a compromised computer.

As for the randomness, I've done a quick pass over their entropy collection[1]. I think the way the entropy is generated is sufficiently random, barring any possible interference externally.

[1] https://github.com/pointbiz/bitaddress.org/blob/72aefc03e0d150c52780294927d95262b711f602/src/securerandom.js
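Added example, not from this thread and not from bitaddress.org: a small Python script that shows why the posts above treat brain wallets and weakly seeded generators, rather than the hash or the curve, as the weak point. A brain wallet key is just SHA-256 of the passphrase, a seeded PRNG can only ever produce as many distinct keys as it has possible seeds, and only a key drawn from the OS CSPRNG actually uses the full 256-bit range. The HMAC-SHA256 counter generator, the sample phrase and the 32-bit timestamp seed are my own constructions and have nothing to do with bitaddress.org's securerandom.js.

```python
import hashlib
import hmac
import math
import secrets

# secp256k1 group order: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def in_key_range(k: int) -> bool:
    """True if k is a valid secp256k1 private key."""
    return 1 <= k < SECP256K1_N


def brainwallet_key(passphrase: str) -> int:
    """Classic brain wallet: the private key is SHA-256 of the passphrase,
    so anyone who can guess the passphrase can recompute the key."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def prng_key_from_seed(seed: bytes) -> int:
    """Constructed stand-in for any seeded PRNG (HMAC-SHA256 in counter mode).
    The output depends only on the seed, so the number of reachable keys is
    bounded by the number of possible seeds, however good the generator is."""
    counter = 0
    while True:
        block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        k = int.from_bytes(block, "big")
        if in_key_range(k):
            return k
        counter += 1


def secure_key() -> int:
    """Private key from the OS CSPRNG, rejection-sampled into the valid range."""
    while True:
        k = secrets.randbits(256)
        if in_key_range(k):
            return k


def effective_keyspace_bits(seed_bits: int) -> int:
    """Upper bound on the search an attacker faces: the smaller of the seed
    entropy and the 256-bit key size. A 32-bit timestamp seed leaves ~2^32 keys."""
    return min(seed_bits, 256)


def passphrase_entropy_bits(passphrase: str, alphabet_size: int) -> float:
    """Optimistic estimate that treats every character as uniformly random over
    an alphabet of the given size; real human phrases score far lower."""
    return len(passphrase) * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = "correct horse battery staple"  # constructed sample passphrase
    print("brain wallet key:     ", hex(brainwallet_key(phrase)))
    print("best-case phrase bits: %.1f" % passphrase_entropy_bits(phrase, 95))
    ts_seed = (1614631507).to_bytes(4, "big")  # constructed 32-bit timestamp seed
    print("timestamp-seeded key: ", hex(prng_key_from_seed(ts_seed)))
    print("search space for it:   2^%d" % effective_keyspace_bits(32))
    print("CSPRNG key:           ", hex(secure_key()))
```

Run it twice: the brain wallet key and the timestamp-seeded key come out identical both times, while the CSPRNG key changes; that determinism is exactly what a guesser exploits.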

manuelgranjacarbo
Newbie
November 18, 2021, 07:02:18 PM
 #27

Hi. Having read that:

1 - Theoretically any wallet can be found with brute force.
2 - With today's hardware technology it is impossible to find a private key.

That's the reason I sold all my bitcoins. I believe in crypto technology, but sooner or later a Bitcoin private key will be stolen by brute force and the market will lose its value.

Kind Regards

garlonicon
Hero Member
November 18, 2021, 07:15:59 PM
Merited by o_e_l_e_o (4), ABCbits (1)
 #28

Quote
That's the reason I sold all my bitcoins. I believe in crypto technology, but sooner or later a Bitcoin private key will be stolen by brute force and the market will lose its value.
And you sold them for some government-issued money that is probably less protected than Bitcoin, right? Maybe you don't know, but algorithms like RSA and ECDSA are also used outside Bitcoin. Also note that in general the whole of cryptography you have today is based on big numbers, no matter whether it is Bitcoin, some bank account with an HTTPS website or your credit card with an RFID chip (where you also have public key cryptography). The only solution we have today is based on very similar algorithms, and the only solution after many years is just "use bigger numbers". You can clearly see that by looking at hash function sizes, elliptic curve point sizes, and so on.
mynonce
Full Member
November 18, 2021, 07:36:17 PM
 #29

...
2 - With today's hardware technology it is impossible to find a private key. ... I believe in crypto technology, but sooner or later a Bitcoin private key will be stolen by brute force and the market will lose its value.

If that happens, we will switch to a stronger ECC, for example from 256-bit to 512-bit.
BlackHatCoiner
Legendary
November 18, 2021, 08:02:07 PM
Merited by ABCbits (1)
 #30

1 - Theoretically any wallet can be found with brute force.
Theoretically, it is entirely possible to earn billions of dollars from continuous winnings in the lottery. Practically, if you ever try that, besides losing lots of money, you'll realize that you're wasting your time.

2 - With today's hardware technology it is impossible to find a private key.
You can find a private key by generating a random number. Finding a private key for a specific address is what is currently considered infeasible.

That's the reason I sold all my bitcoins. I believe in crypto technology, but sooner or later a Bitcoin private key will be stolen by brute force and the market will lose its value.
Despite the forces of the universe, we humans use consensus to solve this kind of problem.

ABCbits
Legendary
November 19, 2021, 11:04:51 AM
Merited by pooya87 (2)
 #31

That's the reason I sold all my bitcoins. I believe in crypto technology, but sooner or later a Bitcoin private key will be stolen by brute force and the market will lose its value.

Your statement also applies to any cryptography, which is only deemed secure for some time. For example, NIST disallowed SHA-1 usage in 2013, which is 18 years after SHA-1 was published.

...
2 - With today's hardware technology it is impossible to find a private key. ... I believe in crypto technology, but sooner or later a Bitcoin private key will be stolen by brute force and the market will lose its value.

If that happens, we will switch to a stronger ECC, for example from 256-bit to 512-bit.

It's more likely we will switch to different cryptography though, which is likely to be quantum resistant while remaining compact in size.

pooya87
Legendary
November 19, 2021, 12:19:27 PM
 #32

If that happens, we will switch to a stronger ECC, for example from 256-bit to 512-bit.
It's more likely we will switch to different cryptography though, which is likely to be quantum resistant while remaining compact in size.
Exactly. Anything that could break ECC, for example a solution for the ECDLP that takes reasonable time, won't be solved by increasing the size. It would only postpone the issue by a very short amount of time. In other words, if a 256-bit ECC curve were to be considered weak, it would only be a matter of time before 512-bit ones are considered weak.

Take your SHA-1 example. It is not weak because of its size (160-bit), although that plays a small role. It is weak because of its weak algorithm, which means even if we extended the version one Secure Hash Algorithm to 256 bits it would still be weak. Instead we use an entirely different algorithm (i.e. version 2).

mynonce
Full Member
November 19, 2021, 08:16:50 PM
 #33

It's more likely we will switch to different cryptography though, which is likely to be quantum resistant while remaining compact in size.

Instead we use an entirely different algorithm (i.e. version 2).

Do we also have a plan for how we will switch the old addresses to the secure addresses? Transfer the coins?

Let's assume these guys (Pollard's kangaroo ECDLP solver) have a very, very fast computer and can calculate ECC private keys in the 2^256 range and demonstrate it and reassure us. How would we proceed?

pooya87
Legendary
November 20, 2021, 04:23:04 AM
 #34

Do we also have a plan for how we will switch the old addresses to the secure addresses? Transfer the coins?

Let's assume these guys (Pollard's kangaroo ECDLP solver) have a very, very fast computer and can calculate ECC private keys in the 2^256 range and demonstrate it and reassure us. How would we proceed?
I assume we proceed the same way any other soon-to-be-obsolete cryptography algorithm is usually replaced.

- It starts with hardware starting to catch up and algorithms becoming faster, while both are still some years away from actually breaking anything.
- The next step is finding a replacement algorithm and implementing it.
- Then I suppose it depends on the new algorithm. For example, if we still use the same secp256k1 curve then it could possibly be done using a soft fork where we only replace ECDSA, while nobody would have to move their coins. But if the curve is also changed then we need a transition period with a hard fork, when people have to move their coins to outputs created using the new algorithm.

larry_vw_1955
Sr. Member
November 20, 2021, 04:32:56 AM
 #35


I assume we proceed the same way any other soon-to-be-obsolete cryptography algorithm is usually replaced.

- It starts with hardware starting to catch up and algorithms becoming faster, while both are still some years away from actually breaking anything.
- The next step is finding a replacement algorithm and implementing it.
And what algorithm is that exactly? They always talk like one exists but I haven't seen it yet.

Quote
- Then I suppose it depends on the new algorithm. For example, if we still use the same secp256k1 curve then it could possibly be done using a soft fork where we only replace ECDSA, while nobody would have to move their coins.

What algorithm is quantum resistant that works with secp256k1, and exactly how it works, is kind of a mystery, don't you think?

Quote
But if the curve is also changed then we need a transition period with a hard fork, when people have to move their coins to outputs created using the new algorithm.

Maybe the network could automatically move everyone's coins; that way "no one gets left behind", otherwise Satoshi might find out one day he's broke.



pooya87
Legendary
November 20, 2021, 08:00:54 AM
 #36

And what algorithm is that exactly? They always talk like one exists but I haven't seen it yet.

What algorithm is quantum resistant that works with secp256k1, and exactly how it works, is kind of a mystery, don't you think?
It is not such a mystery; you can find a bunch of quantum resistant algorithms if you do a quick Google search, and I know there have been some small discussions among Bitcoin developers in the past too. I can't give you algorithm names because I haven't done any research in that space, but others more informed than I can respond here.

Quote
Maybe the network could automatically move everyone's coins; that way "no one gets left behind", otherwise Satoshi might find out one day he's broke.
Only if Bitcoin were centralized, which it isn't!

o_e_l_e_o
In memoriam
Legendary
November 20, 2021, 08:10:24 AM
Merited by pooya87 (2)
 #37

That's the reason I sold all my bitcoins. I believe in crypto technology, but sooner or later a Bitcoin private key will be stolen by brute force and the market will lose its value.
That's the reason I sold all my fiat. I believe in monetary technology, but sooner or later a credit card number will be replicated by brute force and the market will lose its value. Incidentally, a 16 digit credit card number has only 10^16 combinations, whereas a bitcoin private key has over 10^77 combinations. So for every possible credit card number in existence, there are 10 trillion trillion trillion trillion trillion possible private keys.

If you are worried about the security of your bitcoin private key, then you must be utterly terrified about the security of your fiat!

And what algorithm is that exactly? They always talk like one exists but I haven't seen it yet.
I'm also not an expert on the subject; however, the one most commonly talked about at the moment is Lamport signatures, but probably only because they are the most developed. They have a couple of disadvantages, however, most notably their size, which effectively precludes them being used in their current form. There is plenty of research going on in this area though, so I suspect the algorithm we eventually fork to is one which is still very early on in its development.
ABCbits
Legendary
November 20, 2021, 09:49:40 AM
Merited by o_e_l_e_o (4), pooya87 (2)
 #38

Do we also have a plan for how we will switch the old addresses to the secure addresses? Transfer the coins?

Let's assume these guys (Pollard's kangaroo ECDLP solver) have a very, very fast computer and can calculate ECC private keys in the 2^256 range and demonstrate it and reassure us. How would we proceed?

From the user side, they need to move their coins to a "secure address". But from the technical side, there are a few dilemmas, such as:
1. Should we freeze UTXOs with vulnerable cryptography or let them be stolen?
2. Should nodes/miners reject transactions where the output contains an "old address" after "secure addresses" are available?

And what algorithm is that exactly? They always talk like one exists but I haven't seen it yet.
I'm also not an expert on the subject; however, the one most commonly talked about at the moment is Lamport signatures, but probably only because they are the most developed. They have a couple of disadvantages, however, most notably their size, which effectively precludes them being used in their current form. There is plenty of research going on in this area though, so I suspect the algorithm we eventually fork to is one which is still very early on in its development.

Lattice-based and multivariate-based cryptography are also frequently mentioned.

larry_vw_1955
Sr. Member
November 20, 2021, 12:53:45 PM
 #39


And what algorithm is that exactly? They always talk like one exists but I haven't seen it yet.
I'm also not an expert on the subject; however, the one most commonly talked about at the moment is Lamport signatures, but probably only because they are the most developed. They have a couple of disadvantages, however, most notably their size, which effectively precludes them being used in their current form.

Yeah, not only that, but they're really not worth changing over to since they still pin their entire security on a hash function, which is no different than Bitcoin right now. They say you only use a private key/public key pair in Lamport once, but we all know how that turned out in Bitcoin. People reuse their addresses; they do it all the time.

Quote
Lattice-based and multivariate-based cryptography are also frequently mentioned.

I would think one of these two, although after glancing at them I do have my reservations. But I guess it's better than what we have right now with regards to quantum computers.
BlackHatCoiner
Legendary
November 20, 2021, 02:17:25 PM
 #40

From the user side, they need to move their coins to a "secure address". But from the technical side, there are a few dilemmas, such as:
1. Should we freeze UTXOs with vulnerable cryptography or let them be stolen?
2. Should nodes/miners reject transactions where the output contains an "old address" after "secure addresses" are available?
Shouldn't we come to an agreement now instead of in a stressful period when everybody will scream for the sake of their money? I mean, do we have to wait until it becomes feasible enough to break secp256k1, or rather gather as nice, calm Smurfs and vote on our decisions?

Yeah, not only that, but they're really not worth changing over to since they still pin their entire security on a hash function, which is no different than Bitcoin right now. They say you only use a private key/public key pair in Lamport once, but we all know how that turned out in Bitcoin. People reuse their addresses; they do it all the time.
And what does the reuse have to do with the security of a hash function?

o_e_l_e_o
In memoriam
Legendary
November 20, 2021, 02:52:30 PM
 #41

Yeah, not only that, but they're really not worth changing over to since they still pin their entire security on a hash function, which is no different than Bitcoin right now.
The hash function is not the function which is at risk from quantum computers; it is the ECDLP.

They say you only use a private key/public key pair in Lamport once, but we all know how that turned out in Bitcoin. People reuse their addresses; they do it all the time.
Lamport signatures are different, in that you must reveal part of your private key as your signature of any message. They should only ever be used once in their native form, as every additional time you use them makes it easier and easier for an attacker to forge a signature.

Shouldn't we come to an agreement now instead of in a stressful period when everybody will scream for the sake of their money?
Such a scenario is still decades away, and so most people won't commit any significant amount of time or brain power to it yet when there are other far more pressing issues. Also, good luck finding consensus; every time it's been brought up in the past there has always been a deep divide between opposing sides.
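Added example, not from this thread: a minimal Lamport one-time signature in Python that shows the point made in the post above. Each signature publishes exactly one secret from each of the 256 secret pairs, so a single signature is safe, but every further signature on a different message hands an observer both halves of more pairs, and a pair that is fully public can be "signed" either way without the key. Key and message sizes follow the textbook 256-bit construction; the two counting functions at the end and the sample messages are my own additions for illustration, and a real wallet would have to enforce the one-signature-per-key rule rather than count leaks after the fact.

```python
import hashlib
import secrets
from typing import List, Tuple

BITS = 256  # we sign the SHA-256 digest of the message, one secret per digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen() -> Tuple[List[Tuple[bytes, bytes]], List[Tuple[bytes, bytes]]]:
    """Private key: 256 pairs of random 32-byte secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes) -> List[int]:
    """Bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign(sk: List[Tuple[bytes, bytes]], msg: bytes) -> List[bytes]:
    """For digest bit i, reveal secret sk[i][bit]; the other half stays hidden."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk: List[Tuple[bytes, bytes]], msg: bytes, sig: List[bytes]) -> bool:
    """Each revealed secret must hash to the public value selected by that bit."""
    if len(sig) != BITS:
        return False
    bits = message_bits(msg)
    return all(H(s) == pk[i][bits[i]] for i, s in enumerate(sig))


def revealed_secrets(signatures: List[List[bytes]]) -> int:
    """How many of the 512 private secrets an observer has seen so far."""
    seen = set()
    for sig in signatures:
        seen.update(sig)
    return len(seen)


def fully_revealed_pairs(sk: List[Tuple[bytes, bytes]],
                         signatures: List[List[bytes]]) -> int:
    """Pairs whose two secrets are both public. For those bit positions the
    observer no longer needs the key, which is why reuse must be prevented."""
    seen = set()
    for sig in signatures:
        seen.update(sig)
    return sum(1 for a, b in sk if a in seen and b in seen)


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = b"constructed message 1", b"constructed message 2"
    s1 = sign(sk, m1)
    print("valid signature verifies:", verify(pk, m1, s1))
    print("after 1 signature: %d/%d secrets public, %d pairs fully exposed"
          % (revealed_secrets([s1]), 2 * BITS, fully_revealed_pairs(sk, [s1])))
    s2 = sign(sk, m2)  # the mistake: reusing the key for a second message
    print("after 2 signatures: %d/%d secrets public, %d pairs fully exposed"
          % (revealed_secrets([s1, s2]), 2 * BITS, fully_revealed_pairs(sk, [s1, s2])))
```

The size complaint from the thread is visible in the numbers too: the public key is 512 hashes (16 KiB) and every signature is 256 secrets (8 KiB), against 33 bytes and about 72 bytes for an ECDSA key and signature.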
mynonce
Full Member
November 20, 2021, 06:57:11 PM
Merited by o_e_l_e_o (4)
 #42

From the user side, they need to move their coins to a "secure address". But from the technical side, there are a few dilemmas, such as:
1. Should we freeze UTXOs with vulnerable cryptography or let them be stolen?
2. Should nodes/miners reject transactions where the output contains an "old address" after "secure addresses" are available?
Shouldn't we come to an agreement now instead of in a stressful period when everybody will scream for the sake of their money? I mean, do we have to wait until it becomes feasible enough to break secp256k1, or rather gather as nice, calm Smurfs and vote on our decisions?
It would be interesting to create a second Bitcoin testnet and implement these "secure addresses" just to test it. So we would have experience and would be able to switch faster if needed.
Epictetus
Newbie
November 20, 2021, 07:32:29 PM
 #43

In my opinion we have around 150+ million crypto addresses, and the market cap is 2 trillion USD.
Plus miners are ready to run their machines for any job, be it mining or hacking, with Amazon AWS / Google Cloud machines ready to be used by anyone. Personally, I think it is just a question of time. I have been thinking about this issue for a long while. The person or group who cracks an address will most likely not announce it.
davidjjones
Newbie
November 20, 2021, 08:05:51 PM
 #44

Is it possible (theoretically) to Brute-force multi-sig addresses?
As far as I know the only threat to our multi-sig wallets is the risk of being hacked.
mynonce
Full Member
November 20, 2021, 08:23:37 PM
 #45

Is it possible (theoretically) to brute-force multi-sig addresses?
As far as I know the only threat to our multi-sig wallets is the risk of being hacked.
I expect a breakthrough in private key calculation for P2PK addresses in the near future. (Pollard's rho method + newer combinations)

In my opinion we have around 150+ million crypto addresses, and the market cap is 2 trillion USD.
Plus miners are ready to run their machines for any job, be it mining or hacking, with Amazon AWS / Google Cloud machines ready to be used by anyone. Personally, I think it is just a question of time. I have been thinking about this issue for a long while. The person or group who cracks an address will most likely not announce it.
If a person/group can calculate the private key of an address, then it would be best for them to calculate the keys of Patoshi. https://whale-alert.medium.com/the-satoshi-fortune-e49cf73f9a9b These coins (1.1 million BTC) were mined in 2009-2010, are believed to have been mined by Satoshi and are tracked by many. So if they move some of these coins, we will have a worldwide mega alert. But only Satoshi can respond, e.g. move the other coins to newer addresses. In that case it would be better to transfer Satoshi's coins back. But if there were no reaction from Satoshi, one could transfer more and more. (It depends on how fast Satoshi's keys can be calculated by this person/group.)
o_e_l_e_o
In memoriam
Legendary
November 20, 2021, 08:46:02 PM
 #46

Plus miners are ready to run their machines for any job be it mining or hacking.
ASICs are built to do a single job. They cannot be repurposed to try to hack bitcoin addresses.

Is it possible (theoretically) to Brute-force multi-sig addresses?
As far as I know the only threat to our multi-sig wallets is the risk of being hacked.
Sure it is.

Legacy addresses are P2PKH, or pay to public key hash, with the public key hash essentially being the address we are all familiar with. When we talk about address collisions or hacks, we mean someone finding another private key which leads to the same public key hash, which would allow them to spend the coins. It doesn't necessarily have to be the exact same private key. There are far more possible private keys than there are addresses, and so there are multiple private keys which will unlock any specific address.

The same is true of P2SH addresses. There are a much smaller number of script hashes than there are of possible scripts. Any script which hashes to the same value as your multi-sig set up will be able to unlock the coins contained on that address. So technically speaking multi-sig addresses are just as vulnerable as non-multi-sig addresses to an address collision, but since an address collision will not happen before the extinction of the human race, I wouldn't worry too much about it.
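Added example, not from this thread: a self-contained Python derivation of a P2PKH address from a private key (textbook secp256k1 double-and-add, hash160 and base58check, written here rather than taken from any Bitcoin library), together with the key-space arithmetic behind the collision point in the post above. Roughly 2^256 valid keys, each with two public key encodings, are squeezed into 2^160 hash values, so on average about 2^97 keys sit behind every address; a P2SH address is the same 160-bit hash, just of a redeem script instead of a public key. The demo uses private key 1, the smallest valid key and a well-known test vector, not a real wallet; hash160 needs an OpenSSL build that still provides RIPEMD-160, which the script checks for.

```python
import hashlib

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def pubkey_point(k: int):
    """k*G by double-and-add; the public key is a point, the private key a scalar."""
    if not 1 <= k < N:
        raise ValueError("private key out of range")
    result, addend = None, G
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def pubkey_bytes(k: int, compressed: bool = True) -> bytes:
    """SEC1 encoding: 33 bytes compressed (02/03 + x) or 65 bytes uncompressed."""
    x, y = pubkey_point(k)
    if compressed:
        return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def ripemd160_available() -> bool:
    """Some OpenSSL 3.0 builds moved RIPEMD-160 into the legacy provider."""
    try:
        hashlib.new("ripemd160")
        return True
    except ValueError:
        return False


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)): the 160-bit value that becomes the address."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(payload: bytes) -> str:
    """payload || first 4 bytes of SHA256d(payload), in base58; leading zero bytes become '1'."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = _B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def p2pkh_address(k: int, compressed: bool = True) -> str:
    return base58check(b"\x00" + hash160(pubkey_bytes(k, compressed)))


def p2sh_address(redeem_script: bytes) -> str:
    """Same 160-bit funnel, applied to a script (e.g. a multisig) instead of a key."""
    return base58check(b"\x05" + hash160(redeem_script))


def keys_per_address_bits() -> int:
    """log2 of the average number of (key, encoding) pairs behind one address:
    about 2^256 keys times 2 encodings, into 2^160 possible hash values."""
    return 256 + 1 - 160


if __name__ == "__main__":
    k = 1  # smallest valid key; a well-known test vector, not a real wallet
    print("compressed pubkey:", pubkey_bytes(k).hex())
    if ripemd160_available():
        print("P2PKH (compressed):  ", p2pkh_address(k, True))
        print("P2PKH (uncompressed):", p2pkh_address(k, False))
    print("keys per address: about 2^%d" % keys_per_address_bits())
```

Note that the two encodings of the same key already give two different addresses, which is the everyday reminder that the address is a hash of the encoded key and not of the key itself; a collision search would have to hit one of those 160-bit values, and 2^97 keys per address does not make that any easier because there is no way to enumerate them other than trying keys.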
larry_vw_1955
Sr. Member
November 21, 2021, 03:37:48 AM
 #47



The same is true of P2SH addresses. There are a much smaller number of script hashes than there are of possible scripts. Any script which hashes to the same value as your multi-sig set up will be able to unlock the coins contained on that address. So technically speaking multi-sig addresses are just as vulnerable as non-multi-sig addresses to an address collision, but since an address collision will not happen before the extinction of the human race, I wouldn't worry too much about it.

I'd say the number of people trying to hack P2SH scripts by finding collisions is a far smaller subset of folks than those trying to hack Bitcoin private keys. There probably aren't any at all. It all has to do with the risk:reward ratio. Grin
pooya87
Legendary
November 21, 2021, 03:59:20 AM
Merited by o_e_l_e_o (4)
 #48

If a person/group can calculate the private key of an address, then it would be best for them to calculate the keys of Patoshi. https://whale-alert.medium.com/the-satoshi-fortune-e49cf73f9a9b These coins (1.1 million BTC) were mined in 2009-2010, are believed to have been mined by Satoshi and are tracked by many. So if they move some of these coins, we will have a worldwide mega alert.
That's nonsense. First of all, there is no such thing as "Patoshi" or "Satoshi's coins". There are coins that were mined early on, and they belong to many different early adopters of Bitcoin. There are also lots of keys involved, not just one key (at least 22000 for 1.1 million BTC).

Secondly it is not possible to break even a single key let alone lots of them. Not now and not in near future.

And finally a lot of those early block rewards have already been spent and nobody even cared apart from some short lived FUD on social media.
https://blockchair.com/bitcoin/outputs?s=block_id(asc)&q=is_from_coinbase(true),is_spent(true)#f=is_spent,block_id,time,is_from_coinbase

o_e_l_e_o
In memoriam
Legendary
November 21, 2021, 08:32:54 AM
 #49

I'd say the number of people trying to hack P2SH scripts by finding collisions is a far smaller subset of folks than those trying to hack Bitcoin private keys.
You don't need to "hack" a script to find a P2SH address collision. All you need is a locking script which hashes to the same final address. The locking script could be as simple as a signature from a single private key (i.e. just the same as a standard legacy address). Currently more people are probably trying to find collisions with legacy addresses, since as a set legacy addresses still contain the most value when you consider all the early untouched coins, along with insecure brain wallets generating legacy addresses. Who knows if this will change in the future as segwit addresses become the most common.

It all has to do with the risk:reward ratio.
There is no reward. You will never find an address collision unless the address has been generated in an insecure manner.
ABCbits
Legendary
November 21, 2021, 08:52:47 AM
Merited by BlackHatCoiner (1)
 #50

From the user side, they need to move their coins to a "secure address". But from the technical side, there are a few dilemmas, such as:
1. Should we freeze UTXOs with vulnerable cryptography or let them be stolen?
2. Should nodes/miners reject transactions where the output contains an "old address" after "secure addresses" are available?
Shouldn't we come to an agreement now instead of in a stressful period when everybody will scream for the sake of their money? I mean, do we have to wait until it becomes feasible enough to break secp256k1, or rather gather as nice, calm Smurfs and vote on our decisions?

Past discussion (at least on this forum) shows it's difficult to reach agreement; a few examples:
https://bitcointalk.org/index.php?topic=5191219.0
https://bitcointalk.org/index.php?topic=5322061.0
https://bitcointalk.org/index.php?topic=5355246.0

Shouldn't we come to an agreement now instead of in a stressful period when everybody will scream for the sake of their money? I mean, do we have to wait until it becomes feasible enough to break secp256k1, or rather gather as nice, calm Smurfs and vote on our decisions?
It would be interesting to create a second Bitcoin testnet and implement these "secure addresses" just to test it. So we would have experience and would be able to switch faster if needed.

But I doubt it'll happen anytime soon since quantum computing isn't a big concern for now.


larry_vw_1955 (Sr. Member; Activity: 1050; Merit: 358)
November 21, 2021, 08:58:01 AM, #51

Quote
Yeah, not only that, but they're really not worth changing over to, since they still pin their entire security on a hash function, which is no different from bitcoin right now. They say you only use a private key/public key pair in Lamport once, but we all know how that turned out in bitcoin. People reuse their addresses; they do it all the time.
And what does the reuse have to do with the security of a hash function?

The weakness isn't in the hash function per se. Hopefully NIST will come out with something way more substantial than slapping some hash function on top of some half-assed algorithm for their quantum crypto standard. They sure are taking their TIME!

Quote
You don't need to "hack" a script to find a P2SH address collision. All you need is a locking script which hashes to the same final address.
I agree with everything you said! That's kind of what I was trying to say.

Quote
There is no reward. You will never find an address collision unless the address has been generated in an insecure manner.
I know, but if someone is going to be trying to brute force bitcoin private keys using whatever method, it's like you said: they'll want to be focusing on the address types that are most in use, obviously, to "increase their chances". Thus not P2SH address types. Thus legacy addresses.

Quote
But I doubt it'll happen anytime soon, since quantum computing isn't a big concern for now.
Let's revisit that statement every year for the next 3 years!


BlackHatCoiner (Legendary, "Farewell, Leo"; Activity: 1512; Merit: 7355)
November 21, 2021, 09:22:53 AM, #52

Quote
It all has to do with the risk:reward ratio.
In my experience with life, everything has an effort:reward ratio. In the case of successfully finding an address collision (either P2PKH or P2SH), the effort required isn't a bargain. There are far more chances to solve 8 blocks and get yourself 50 BTC honestly.

At the moment, there's a difficulty target of:
Code:
0000000000000000000c69ea0000000000000000000000000000000000000000

Which means there's approximately a 0.00000000000000000010268% chance to solve a block each time you hash.

That's 1 hash out of 974,658,869,395,711,500,974. To find an address collision, it's 1 in 2^160 = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976.

If a person/group can calculate the private key of an address, then it would be best for them to calculate the keys of Patoshi.
Binance's address contains 288,126 BTC and their public key is 02a720e54e39b28434a4c55462718b4584db973331a834141b8cad7e52c317f695. So, if you want to upset the market, here's your chance.

Quote
The weakness isn't in the hash function per se. Hopefully NIST will come out with something way more substantial than slapping some hash function on top of some half-assed algorithm for their quantum crypto standard. They sure are taking their TIME!
I really have some trouble understanding you.


o_e_l_e_o (In memoriam, Legendary; Activity: 2268; Merit: 18510)
November 21, 2021, 10:04:44 AM, #53
Merited by ABCbits (1)

Quote
I know, but if someone is going to be trying to brute force bitcoin private keys using whatever method, it's like you said: they'll want to be focusing on the address types that are most in use, obviously, to "increase their chances". Thus not P2SH address types. Thus legacy addresses.
Actually, legacy addresses are the least "in use" at the moment, with around 24% (and declining) of outputs being legacy outputs. P2SH accounts for around 39% of outputs, and P2WPKH/P2WSH accounts for 37%. You can see this here: https://transactionfee.info/charts/output-type-distribution-count/. P2SH has remained fairly static around 40% for around 2 years, but with segwit taking an ever larger share away from legacy addresses.

However, as I said above, I suspect most people trying to brute force random keys are focusing on legacy addresses, since legacy addresses still hold the most value once you account for the several million early mined and unmoved coins.

larry_vw_1955 (Sr. Member; Activity: 1050; Merit: 358)
November 22, 2021, 01:50:19 AM, #54

Quote
I really have some trouble understanding you.

I went off on a slight tangent. But you do have to agree that modern cryptography is kind of messed up, in the sense that its mathematical underpinnings put it on a bit of weak footing. Example: ECDSA, which is why bitcoin is in trouble with quantum computers. So they invent some new shiny algorithm because they **think** it's quantum resistant. But they can't prove it. We're in the same boat again.

MrSolo (OP) (Newbie; Activity: 20; Merit: 0)
November 27, 2021, 07:01:12 AM, #55

Quote
That's the reason I sold all my bitcoins. I believe in crypto technology, but sooner or later a Bitcoin private key will be stolen by brute force and the market will lose its value.
That's the reason I sold all my fiat. I believe in monetary technology, but sooner or later a credit card number will be replicated by brute force and the market will lose its value. Incidentally, a 16-digit credit card number has only 10^16 combinations, whereas a bitcoin private key has over 10^77 combinations. So for every possible credit card number in existence, there are 10 trillion trillion trillion trillion trillion possible private keys.

If you are worried about the security of your bitcoin private key, then you must be utterly terrified about the security of your fiat!

And what algorithm is that exactly? They always talk like one exists, but I haven't seen it yet.
I'm also not an expert on the subject; however, the one most commonly talked about at the moment is Lamport signatures, but probably only because they are the most developed. They have a couple of disadvantages, however, most notably their size, which effectively precludes them being used in their current form. There is plenty of research going on in this area though, so I suspect the algorithm we eventually fork to is one which is still very early on in its development.

The biggest difference between credit cards and Bitcoin is that you can brute force Bitcoin offline, which you can't do with credit cards, which need to go through CC processing companies that will block you immediately.

MrSolo (OP) (Newbie; Activity: 20; Merit: 0)
November 27, 2021, 07:08:32 AM, #56

Quote
Plus, miners are ready to run their machines for any job, be it mining or hacking.
ASICs are built to do a single job. They cannot be repurposed to try to hack bitcoin addresses.
Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware whose only purpose is to brute-force wallets randomly?

larry_vw_1955 (Sr. Member; Activity: 1050; Merit: 358)
November 27, 2021, 07:28:08 AM, #57

Quote
Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware whose only purpose is to brute-force wallets randomly?

The simple answer to that is: if there was a market for such hardware, it would already be in existence. Actually, there is a market for that. In fact, I have one myself. It's called an electrical heater. I turn it on and it warms up the room. It does cost money to run though, maybe like 500 watts. It doesn't have any other benefit, though, other than warming the room.


PrimeNumber7 (Copper Member, Legendary, "Amazon Prime Member #7"; Activity: 1624; Merit: 1899)
November 27, 2021, 07:35:07 AM, #58
Merited by o_e_l_e_o (4), ABCbits (2), BlackHatCoiner (2), soliton (1)

Quote
Plus, miners are ready to run their machines for any job, be it mining or hacking.
ASICs are built to do a single job. They cannot be repurposed to try to hack bitcoin addresses.
Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware whose only purpose is to brute-force wallets randomly?
There are multiple mathematical functions necessary to go from a private key to a "bitcoin address", so no, it would probably not be possible. It may *theoretically* be possible to create an ASIC to go from private key to public key, although there would not be a market for this type of ASIC, because, for all intents and purposes, the chances of one of these (non-existent) devices ever finding a previously used private/public key pair are zero.

Brute forcing is very easy to code; however, it is very computationally expensive. If you want any real chance of finding an already used private key, you will need to create an algorithm that is more efficient than brute force. However, if you can do this, you will have broken secp256k1.

o_e_l_e_o (In memoriam, Legendary; Activity: 2268; Merit: 18510)
November 27, 2021, 09:55:35 AM, #59

Quote
The biggest difference between credit cards and Bitcoin is that you can brute force Bitcoin offline, which you can't do with credit cards, which need to go through CC processing companies that will block you immediately.
Sure, so change the analogy to any of the other things which could be brute forced endlessly without being blocked or limited, such as picking the lock to your house, breaking into a safe, finding the correct code for the keyless ignition on your car, etc. The point remains that bitcoin security is exponentially higher than the security of most other things that you don't think twice about.

Quote
Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware whose only purpose is to brute-force wallets randomly?
No. Even if you assume there are 1 billion funded addresses to collide with, and you ran 1 billion hypothetical devices each capable of searching 1 trillion addresses per second with no overlapping work, it would still take longer than the age of the universe to find a single collision.
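As an added worked example (not code from the thread or any of its posters), here is the arithmetic behind two estimates in this thread: BlackHatCoiner's per-hash block probability derived from the quoted difficulty target, and o_e_l_e_o's fleet-of-devices collision time using the thread's own figures (1 billion funded addresses, 1 billion devices, 1 trillion keys per second each). The (target + 1) / 2^256 formula, the uniform-random-HASH160 assumption, and the age-of-universe constant are my assumptions.

```python
"""Quantify the brute-force odds discussed in the thread with exact integer math."""
from fractions import Fraction

# Block-header target quoted in the thread (64 hex digits = 256 bits).
TARGET_HEX = "0000000000000000000c69ea0000000000000000000000000000000000000000"

HASH_BITS = 256                 # SHA-256 output space for block hashes
ADDRESS_BITS = 160              # HASH160 output space (RIPEMD160(SHA256(pubkey)))
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9  # assumed approximation


def block_solve_probability(target_hex: str = TARGET_HEX) -> Fraction:
    """Chance that a single hash is <= target: (target + 1) / 2^256."""
    target = int(target_hex, 16)
    return Fraction(target + 1, 2 ** HASH_BITS)


def expected_hashes_per_block(target_hex: str = TARGET_HEX) -> int:
    """Expected number of hashes per block at this target (1 / probability)."""
    return round(1 / block_solve_probability(target_hex))


def address_collision_probability(funded_addresses: int) -> Fraction:
    """Chance that one random key lands on any of the funded HASH160 values.

    Assumes every funded address is a distinct, uniformly random 160-bit hash,
    i.e. it was generated securely (insecure brain wallets are a separate problem).
    """
    return Fraction(funded_addresses, 2 ** ADDRESS_BITS)


def expected_years_to_collision(funded_addresses: int, devices: int,
                                keys_per_second_per_device: int) -> float:
    """Expected wall-clock years for the whole fleet to hit any funded address."""
    keys_per_second = devices * keys_per_second_per_device
    expected_keys = 1 / address_collision_probability(funded_addresses)
    return float(expected_keys / keys_per_second) / SECONDS_PER_YEAR


def universe_lifetimes_to_collision(funded_addresses: int, devices: int,
                                    keys_per_second_per_device: int) -> float:
    """Same figure expressed as multiples of the (assumed) age of the universe."""
    years = expected_years_to_collision(funded_addresses, devices,
                                        keys_per_second_per_device)
    return years / AGE_OF_UNIVERSE_YEARS


if __name__ == "__main__":
    print(f"expected hashes per block: {expected_hashes_per_block():.3e}")
    print(f"fleet collision time: "
          f"{universe_lifetimes_to_collision(10**9, 10**9, 10**12):.2f} universe ages")
```

With the thread's figures the fleet needs roughly 4.6e10 years, a bit over three times the assumed age of the universe, and that is with a generous 1 billion targets and no wasted work.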

Pmalek (Legendary; Activity: 2758; Merit: 7135)
November 28, 2021, 08:01:56 PM, #60

Quote
Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware whose only purpose is to brute-force wallets randomly?
Let's say that becomes a possibility in the distant future; why would people participate in that? For the money? What do you think would happen to Bitcoin in that case? You would see a bear market and a drop in value that we haven't experienced before. Unless a fast fix was found, it would be the end of Bitcoin as we know it. I don't see why Bitcoin enthusiasts would coordinate their efforts in destroying something in such a way.
