Brute-forcing Bitcoin private keys

[o_e_l_e_o]

Yeah, not only that but they're really not worth changing over to since they still pin their entire security on a hash function which is no different than bitcoin right now.

The hash function is not the function which is at risk from quantum computers - it is the ECDLP.

They say you only use a private key/public key pair in Lamport once but we all know how that turned out in bitcoin. people reuse their addresses they do it all the time.

Lamport signatures are different, in that you must reveal part of your private key as your signature of any message. They should only ever be used once in their native form, as every additional time you use them makes it easier and easier for an attacker to forge a signature.

Shouldn't we come into an agreement now instead in a stressful period when everybody will scream for the sake of their money?

Such a scenario is still decades away, and so most people won't commit any significant amount of time or brain power to it yet when there are other far more pressing issues. Also, good luck finding consensus; every time it's been brought up in the past there has always been a deep divide between opposing sides.

[mynonce]

From user side, they need to move their coin to "secure address". But from technical side, there are few dilemma such as,
1. Should we freeze UTXO with vulnerable cryptography or let it stolen?
2. Should node/miner reject transaction where the output contain "old address" after "secure address" is available?

Shouldn't we come into an agreement now instead in a stressful period when everybody will scream for the sake of their money? I mean, do we have to wait until it becomes feasible enough to break the secp256k1 or rather gather as nice, calm Smurfs and vote for our decisions?

It would be intersting to create a second Bitcoin testnet and implement these ''secure addresses'' just to test it. So we would have experience and were able to switch faster if needed.

[Epictetus]

In my opinion we have around 150+ millions crypto addresses. And the market cap is 2 trillions USD.
Plus miners are ready to run their machines for any job be it mining or hacking. With Amazon AWS / Google Cloud machines ready to be used by anyone. Personally, I think it is just a question of time. I was thinking about of this issue a long while. The person / groups who will crack an address, they will most likely not announcing it.   

[davidjjones]

Is it possible (theoretically) to Brute-force multi-sig addresses?
As far as I know the only threat to our multi-sig wallets is the risk of being hacked.

[mynonce]

Is it possible (theoretically) to Brute-force multi-sig addresses?
As far as I know the only threat to our multi-sig wallets is the risk of being hacked.

I expect a breakthrough in private key calculation for P2PK addresses in the near future. (Pollard-RHO-method + newer combinations)

In my opinion we have around 150+ millions crypto addresses. And the market cap is 2 trillions USD.
Plus miners are ready to run their machines for any job be it mining or hacking. With Amazon AWS / Google Cloud machines ready to be used by anyone. Personally, I think it is just a question of time. I was thinking about of this issue a long while. The person / groups who will crack an address, they will most likely not announcing it.   

If a person/group can calculate the private key of an address, then it would be best for them to calculate the keys of Patoshi. https://whale-alert.medium.com/the-satoshi-fortune-e49cf73f9a9b These coins (1.1 million BTC) were mined in 2009-2010 and are believed to be mined by Satoshi and are tracked by many. So if they move some of these coins, we will have a worldwide mega alert. But only Satoshi can respond eg. move the other coins to newer addresses. In that case it would be better to transfer Satoshi's coins back. But if there were no reaction of Satoshi, one could transfer more and more. (it depends on how fast Satoshi's keys can be calculated by this person/group)

[o_e_l_e_o]

Plus miners are ready to run their machines for any job be it mining or hacking.

ASICs are built to do a single job. They cannot be repurposed to try to hack bitcoin addresses.

Is it possible (theoretically) to Brute-force multi-sig addresses?
As far as I know the only threat to our multi-sig wallets is the risk of being hacked.

Sure it is.

Legacy addresses are P2PKH, or pay to public key hash, with the public key hash essentially being the address we are all familiar with. When we talk about address collisions or hacks, we mean someone finding another private key which leads to the same public key hash, which would allow them to spend the coins. It doesn't necessarily have to be the exact same private key. There are far many more possible private keys than there are addresses, and so there are multiple private keys which will unlock any specific address.

The same is true of P2SH addresses. There are a much smaller number of script hashes than there are of possible scripts. Any script which hashes to the same value as your multi-sig set up will be able to unlock the coins contained on that address. So technically speaking multi-sig addresses are just as vulnerable as non-multi-sig addresses to an address collision, but since an address collision will not happen before the extinction of the human race, I wouldn't worry too much about it.

[larry_vw_1955]

The same is true of P2SH addresses. There are a much smaller number of script hashes than there are of possible scripts. Any script which hashes to the same value as your multi-sig set up will be able to unlock the coins contained on that address. So technically speaking multi-sig addresses are just as vulnerable as non-multi-sig addresses to an address collision, but since an address collision will not happen before the extinction of the human race, I wouldn't worry too much about it.

I'd say the # of people trying to hack p2sh scripts by finding collissions is a far smaller subset of folks than those trying to hack bitcoin private keys. There probably arern't any at all. It all has to do with the risk:reward ratio.

[pooya87]

If a person/group can calculate the private key of an address, then it would be best for them to calculate the keys of Patoshi. https://whale-alert.medium.com/the-satoshi-fortune-e49cf73f9a9b These coins (1.1 million BTC) were mined in 2009-2010 and are believed to be mined by Satoshi and are tracked by many. So if they move some of these coins, we will have a worldwide mega alert.

That's nonsense. First of all there is no such thing as "Patoshi" or "Satoshi's coins". There are coins that were mined early on and they belong to many different early adopter of bitcoin. There is also lots of keys involved not just one key (at least 22000 for 1.1 million BTC).

Secondly it is not possible to break even a single key let alone lots of them. Not now and not in near future.

And finally a lot of those early block rewards have already been spent and nobody even cared apart from some short lived FUD on social media.
https://blockchair.com/bitcoin/outputs?s=block_id(asc)&q=is_from_coinbase(true),is_spent(true)#f=is_spent,block_id,time,is_from_coinbase

[o_e_l_e_o]

I'd say the # of people trying to hack p2sh scripts by finding collissions is a far smaller subset of folks than those trying to hack bitcoin private keys.

You don't need to "hack" a script to find a P2SH address collision. All you need is a locking script which hashes to the same final address. The locking script could be as simple as a signature from a single private key (i.e. just the same as a standard legacy address). Currently more people are probably trying to find collisions with legacy addresses since as a set legacy address still contain the most amount of value when you consider all the early untouched coins, along with insecure brain wallets generating legacy addresses. Who knows if this will change in the future as segwit addresses become the most common.

It all has to do with the risk:reward ratio.

There is no reward. You will never find an address collision unless the address has been generated in an insecure manner.

[ABCbits]

From user side, they need to move their coin to "secure address". But from technical side, there are few dilemma such as,
1. Should we freeze UTXO with vulnerable cryptography or let it stolen?
2. Should node/miner reject transaction where the output contain "old address" after "secure address" is available?

Shouldn't we come into an agreement now instead in a stressful period when everybody will scream for the sake of their money? I mean, do we have to wait until it becomes feasible enough to break the secp256k1 or rather gather as nice, calm Smurfs and vote for our decisions?

Past discussion (at least on this forum) shows it's difficult to reach agreement, few example
https://bitcointalk.org/index.php?topic=5191219.0
https://bitcointalk.org/index.php?topic=5322061.0
https://bitcointalk.org/index.php?topic=5355246.0

Shouldn't we come into an agreement now instead in a stressful period when everybody will scream for the sake of their money? I mean, do we have to wait until it becomes feasible enough to break the secp256k1 or rather gather as nice, calm Smurfs and vote for our decisions?

It would be intersting to create a second Bitcoin testnet and implement these ''secure addresses'' just to test it. So we would have experience and were able to switch faster if needed.

But i doubt it'll happen anytime soon since quantum computing isn't big concern for now.

[larry_vw_1955]

Yeah, not only that but they're really not worth changing over to since they still pin their entire security on a hash function which is no different than bitcoin right now. They say you only use a private key/public key pair in Lamport once but we all know how that turned out in bitcoin. people reuse their addresses they do it all the time.

And what does the reuse have to do with the security of a hash function?

the weakness isn't in the hash function per se, hopefully NIST will come out with something way more substantial than slapping some hash function on top of some half-assed algorithm for their quantum crypto standard. they sure are taking their TIME!

You don't need to "hack" a script to find a P2SH address collision. All you need is a locking script which hashes to the same final address.

I agree with everything you said! that's kind of what I was trying to say

There is no reward. You will never find an address collision unless the address has been generated in an insecure manner.

I know but if someone is going to be trying to brute force bitcoin private keys using whatever method, it's like you said, they'll want to be focusing on address types that are most in use obviously to "increase their chances". Thus not p2sh address types. Thus legacy addresses.

But i doubt it'll happen anytime soon since quantum computing isn't big concern for now.

Let's revisit that statement every year for the next 3 years!

[BlackHatCoiner]

It all has to do with the risk:reward ratio.

In my experience with life, everything has an effort:reward ratio. In the case of successfully finding an address collision (either P2PKH or P2SH) the effort required isn't a bargain. There are far more chances to solve 8 blocks and get yourself 50 BTC honestly.

At the moment, there's a difficult target of:

Code:

0000000000000000000c69ea0000000000000000000000000000000000000000

Which means there's approximately a 0.00000000000000000010268% chance to solve a block each time you hash.

That's 1 hash out of 974,658,869,395,711,500,974. To find an address collision, it's 1 in 2¹⁶⁰ = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976.

If a person/group can calculate the private key of an address, then it would be best for them to calculate the keys of Patoshi.

Binance's address contains 288,126 BTC and their public key is - 02a720e54e39b28434a4c55462718b4584db973331a834141b8cad7e52c317f695. So, if you want to upset the market, here's your chance.

the weakness isn't in the hash function per se, hopefully NIST will come out with something way more substantial than slapping some hash function on top of some half-assed algorithm for their quantum crypto standard. they sure are taking their TIME!

I really have some trouble understanding you.

[o_e_l_e_o]

I know but if someone is going to be trying to brute force bitcoin private keys using whatever method, it's like you said, they'll want to be focusing on address types that are most in use obviously to "increase their chances". Thus not p2sh address types. Thus legacy addresses.

Actually, legacy addresses are the least "in use" at the moment, with around 24% (and declining) of outputs being legacy outputs. P2SH accounts for around 39% of outputs, and P2WPKH/P2WSH accounts for 37%. You can see this here: https://transactionfee.info/charts/output-type-distribution-count/. P2SH has remained fairly static around 40% for around 2 years, but with segwit taking an ever larger share away from legacy addresses.

However, as I said above, I suspect most people trying to brute force random keys are focusing on legacy addresses, since legacy addresses still hold the most value once you account for the several million early mined and unmoved coins.

[larry_vw_1955]

I really have some trouble understanding you.

i went off on a slight tangent. but you do have to agree that modern cryptography is kind of messed up in the sense that its mathematical underpinnings put it on a bit of weak footing. example: ecdsa which is why bitcoin is in trouble with quantum computers. so they invent some new shiny algorithm because they **think** it's quantum resistant. but they can't prove it. we're in the same boat again.

[MrSolo]

Thats the reason i sold all my bitcoins. I beleive in cypto tecnology, but sooner or later a Bitcoin Private Key will be stolen by bruteforce and the market will lost its value.

That's the reason I sold all my fiat. I believe in monetary technology, but sooner or later a credit card number will be replicated by bruteforce and the market will lose its value. Incidentally, a 16 digit credit card number has only 10¹⁶ combinations, whereas a bitcoin private key has over 10⁷⁷ combinations. So for every possible credit card number in existence, there are 10 trillion trillion trillion trillion trillion possible private keys.

If you are worried about the security of your bitcoin private key, then you must be utterly terrified about the security of your fiat!

And what algorithm is that exactly? They always talk  like one exists but I havent seen it yet.

I'm also not an expert on the subject, however the one most commonly talked about at the moment is Lamport signatures, but probably only because they are the most developed. They have a couple of disadvantages, however, most notably their size, which effectively precludes them being used in their current form. There is plenty of researching going on in this area though, so I suspect the algorithm we eventually fork to is one which is still very early on in its development.

The biggest difference between Credit cards and Bitcoin is that you can bruteforce Bitcoin offline, which you can't do with credit cards that need to go through cc processing companies that will block you immidiatly

[MrSolo]

Plus miners are ready to run their machines for any job be it mining or hacking.

ASICs are built to do a single job. They cannot be repurposed to try to hack bitcoin addresses.

Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware that their only purpose is to brute-force wallets randomly

[larry_vw_1955]

Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware that their only purpose is to brute-force wallets randomly

the simple answer to that is, if there was a market for such hardware it would already be in existence. actually there is a market for that. in fact I have one myself. it's called an electrical heater. I turn it on and it warms up the room. it does cost money to run though. maybe like 500 watts. it doesnt have any other beneift though other than warming the room.

[PrimeNumber7]

Plus miners are ready to run their machines for any job be it mining or hacking.

ASICs are built to do a single job. They cannot be repurposed to try to hack bitcoin addresses.

Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware that their only purpose is to brute-force wallets randomly

There are multiple mathematical functions necessary to go from private key to "bitcoin address", so no, it would probably not be possible. It may *theoretically* be possible to create an ASIC to go from private key to public key, although there would not be a market for this type of ASIC because for all intents and purposes, the chances of one of these (non-existant) devices of ever finding a previously used private/public key paid is for all intents and purposes zero.

Brute forcing is very easy to code, however it is very computationally expensive. If you want any real chance of finding an already used private key, you will need to create an algorithm that is more efficient than brute force. However if you can do this, you will have broken secp256k1.

[o_e_l_e_o]

The biggest difference between Credit cards and Bitcoin is that you can bruteforce Bitcoin offline, which you can't do with credit cards that need to go through cc processing companies that will block you immidiatly

Sure, so change the analogy to any of the other things which could be brute forced endlessly without being blocked or limited, such as picking the lock to your house, breaking in to a safe, finding the correct code for the keyless ignition on your car, etc. The point remains that bitcoin security is exponentially higher than the security of most other things that you don't thing twice about.

Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware that their only purpose is to brute-force wallets randomly

No. Even if you assume there are 1 billion funded addresses to collide with, and you ran 1 billion hypothetical devices each capable of searching 1 trillion addresses per second with no overlapping work, it would still take longer than the age of the universe to find a single collision.

[Pmalek]

Couldn't that mean that if they make ASIC machines that are built to hack wallets, and what if it becomes a trend to hack bitcoin wallets and millions of people start doing it, and companies start creating very optimized hardware that their only purpose is to brute-force wallets randomly

Let's say that becomes a possibility in the distant future, why would people participate in that? For the money? What do you think would happen to Bitcoin in that case? You would see a bear market and drop in value that we haven't experienced before. Unless a fast fix was found, it would be the end of Bitcoin as we know it. I don't see why Bitcoin enthusiasts would coordinate their efforts in destroying something in such a way.