Brute-forcing Bitcoin private keys

[MrSolo]

Since 2^256 is likely a number larger than the number an atoms in the known universe, better get to crackin' with that abacus or wait for the advent of quantum computers if/when machines capable of doing this come to exist in our lifetimes.

2²⁵⁶ is not the number of the addresses. Even if you brute force private keys, that are around 2²⁵⁶, you want to find a collision, not necessarily someone's private key. A RIPEMD-160 hash (which is the address decoded) is 160-bits long, which means 2¹⁶⁰. So you're brute forcing this number:

1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

Since private keys are ~2²⁵⁶ and all possible combinations of addresses 2¹⁶⁰, then you're trying to find one of the ~2⁹⁶ private keys that collide with the same address. So next time you create an address, keep in mind that besides your private key, there are around 79,228,162,514,264,337,593,543,950,335 more.

I never said this was number of addresses. Plenty of tools exist to find collisions, though OP strikes me as the type that would be more interesting in playing the lottery and bashing up something to search https://allprivatekeys.com/ or something.

never heard of this website, but it's proof of exactly what i said which is they found 19321 private keys in 50771 Bitcoin addresses with transactions. just for bitcoin addresses so to people who say it's not possible here is a good proof that it is possible and can be done with a large enough of group with good machines with some luck

[1714105849]

1714105849

[1714105849]

1714105849

[1714105849]

1714105849

[shinohai]

Since 2^256 is likely a number larger than the number an atoms in the known universe, better get to crackin' with that abacus or wait for the advent of quantum computers if/when machines capable of doing this come to exist in our lifetimes.

2²⁵⁶ is not the number of the addresses. Even if you brute force private keys, that are around 2²⁵⁶, you want to find a collision, not necessarily someone's private key. A RIPEMD-160 hash (which is the address decoded) is 160-bits long, which means 2¹⁶⁰. So you're brute forcing this number:

1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

Since private keys are ~2²⁵⁶ and all possible combinations of addresses 2¹⁶⁰, then you're trying to find one of the ~2⁹⁶ private keys that collide with the same address. So next time you create an address, keep in mind that besides your private key, there are around 79,228,162,514,264,337,593,543,950,335 more.

I never said this was number of addresses. Plenty of tools exist to find collisions, though OP strikes me as the type that would be more interesting in playing the lottery and bashing up something to search https://allprivatekeys.com/ or something.

never heard of this website, but it's proof of exactly what i said which is they found 19321 private keys in 50771 Bitcoin addresses with transactions. just for bitcoin addresses so to people who say it's not possible here is a good proof that it is possible and can be done with a large enough of group with good machines with some luck

The addresses on that site *could* be - as has already been mentioned in this thread - collisions and NOT keys that were simply cracked by brute force ya know. 

[o_e_l_e_o]

never heard of this website, but it's proof of exactly what i said which is they found 19321 private keys in 50771 Bitcoin addresses with transactions.

They did not brute force a single private key, though. What they did was brute force brain wallets, which is something completely different.

Brain wallets take a human entered string - such as a word, phrase, or random characters - and use it as an input to a hash function. The output of the hash function is used as a private key. If you guess the input, then you can work out the private key. Since humans are terrible at being random, terrible at coming up with passwords, and terrible for reusing these passwords, many people reused passwords they used elsewhere as brain wallets, or used a line from a book, a lyric from a song, a movie quote, and so on. All of these are easily guessed.

There are multiple databases of thousands of hacked brain wallets, and there are bots constantly monitoring millions of brain wallet addresses ready to steal any coins which are sent to them. None of this is the same as brute forcing a private key.

[shinohai]

never heard of this website, but it's proof of exactly what i said which is they found 19321 private keys in 50771 Bitcoin addresses with transactions. just for bitcoin addresses so to people who say it's not possible here is a good proof that it is possible and can be done with a large enough of group with good machines with some luck

It's proof that brainwallet and private key chosen by human/generated with weak RNG are vulnerable towards brute-force attack and few other attack (such as dictionary attack for brainwallet).

Precisely this. OP may find http://www.loper-os.org/bad-at-entropy/manmach.html interesting if he wishes to see just how bad humans are at entropy.

[NotATether]

Bitaddress uses randomness from different sources which would make it harder as you'll have to replicate both the tracked mouse movement as well as the randomness that was generated when the user enters the page.

These attacks can only work if they are using predictable variables as an entropy source. If and only if you can find a pattern in that generation, then you can reduce the search space significantly.

I'd argue that people should not be using PRNGs seeded with cryptographically secure entropy to make private keys especially on browsers in particular (which is the only method they have, they got no CSRNGs) because you're relying on the webpage to supply a good-enough entropy. Mouse and keyboard input that's made during (not before) entropy gathering can also be tracked within the browser and webpage itself so all it takes is a malicious addon that tracks such movement and they can re-derive the entropy. When a PRNG is used this also allows them to make the private key too.

[ranochigo]

I'd argue that people should not be using PRNGs seeded with cryptographically secure entropy to make private keys especially on browsers in particular (which is the only method they have, they got no CSRNGs) because you're relying on the webpage to supply a good-enough entropy. Mouse and keyboard input that's made during (not before) entropy gathering can also be tracked within the browser and webpage itself so all it takes is a malicious addon that tracks such movement and they can re-derive the entropy. When a PRNG is used this also allows them to make the private key too.

The script itself is secure enough and provides sufficient randomness from any bruteforcing attack and that is the main point of the topic. I think we have to eliminate any malicious party that could intentionally modify the entropy sources to make it less random... Running a phishing site with a pre-defined seed is sufficient for this. Malicious add-ons and stuff like that shouldn't matter because the webpage isn't designed to run on a compromised computer.

As for the randomness, I've done a quick pass over their entropy collection[1]. I think the way the entropy is generated is sufficiently random, barring any possible interference externally.

[1] https://github.com/pointbiz/bitaddress.org/blob/72aefc03e0d150c52780294927d95262b711f602/src/securerandom.js

[manuelgranjacarbo]

Hi. Having reading that.

1 - Theorically any wallet can be found with brute force.
2- With todays hardware technology is imposible to find a private key.

Thats the reason i sold all my bitcoins. I beleive in cypto tecnology, but sooner or later a Bitcoin Private Key will be stolen by bruteforce and the market will lost its value.

Kind Regards

[garlonicon]

Thats the reason i sold all my bitcoins. I beleive in cypto tecnology, but sooner or later a Bitcoin Private Key will be stolen by bruteforce and the market will lost its value.

And you sold them for some government-issued money that are probably less protected than Bitcoins, right? Maybe you don't know, but algorithms like RSA and ECDSA are also used outside Bitcoin. Also note that in general the whole cryptography you have today is based on big numbers, no matter is it Bitcoin, some bank account with HTTPS website or your credit card with some RFID chip (where you also have public key cryptography). The only solution we have today is based on very similar algorithms and the only solution after many years is just "use bigger numbers". You can clearly see that by looking at hash function sizes, elliptic curve point sizes, and so on.

[mynonce]

...
2- With todays hardware technology is imposible to find a private key. ... I beleive in cypto tecnology, but sooner or later a Bitcoin Private Key will be stolen by bruteforce and the market will lost its value.

If that happens, we will switch to a stronger ECC. For example from 256 bit to 512 bit.

[BlackHatCoiner]

1 - Theorically any wallet can be found with brute force.

Theoretically, it is entirely possible to earn billions of dollars from continuous winnings in the lottery. Practically, if you ever try that, besides loss of lots of money, you'll realize that you're losing your time.

2- With todays hardware technology is imposible to find a private key.

You can find a private key by generating a random number. To find a private key for a specific address is what is currently considered infeasible.

Thats the reason i sold all my bitcoins. I beleive in cypto tecnology, but sooner or later a Bitcoin Private Key will be stolen by bruteforce and the market will lost its value.

Despite the forces of the universe, we, humans, use consensus to solve this kind of problems.

[ABCbits]

Thats the reason i sold all my bitcoins. I beleive in cypto tecnology, but sooner or later a Bitcoin Private Key will be stolen by bruteforce and the market will lost its value.

Your statement also apply to any cryptography which only deemed secure for some time. For example, NIST disallow SHA-1 usage in 2013 which is 18 years after SHA-1 is published.

...
2- With todays hardware technology is imposible to find a private key. ... I beleive in cypto tecnology, but sooner or later a Bitcoin Private Key will be stolen by bruteforce and the market will lost its value.

If that happens, we will switch to a stronger ECC. For example from 256 bit to 512 bit.

It's more likely we will switch to different cryptography though, which likely to be quantum resistant while remain compact in size.

[pooya87]

If that happens, we will switch to a stronger ECC. For example from 256 bit to 512 bit.

It's more likely we will switch to different cryptography though, which likely to be quantum resistant while remain compact in size.

Exactly. Anything that could break ECC, for example a solution for ECDLP that takes reasonable time, won't be solved by increasing the size. It would only postpone the issues by a very short amount of time. In other words if 256-bit curve using ECC were to be considered weak it will only be a matter of time before 512-bit ones are considered weak.

Take your SHA1 example. It is not weak because of its size (160-bit) although that plays a small role. But it is weak because of its weak algorithm which means even if we extended the version one Secure Hash Algorithm to be 256-bit it still would be weak. Instead we use an entirely different algorithm (ie. version 2).

[mynonce]

It's more likely we will switch to different cryptography though, which likely to be quantum resistant while remain compact in size.

Instead we use an entirely different algorithm (ie. version 2).

Do we also have a plan how we will switch the old addresses to the secure addresses? Transfer the coins?

Let's assume these guys Pollard's kangaroo ECDLP solver have a very very fast computer and can calculate ECC private keys in the 2^256 range and demonstrate it and reassure us. How would we proceed?

[pooya87]

Do we also have a plan how we will switch the old addresses to the secure addresses? Transfer the coins?

Let's assume these guys Pollard's kangaroo ECDLP solver have a very very fast computer and can calculate ECC private keys in the 2^256 range and demonstrate it and reassure us. How would we proceed?

I assume we proceed the same way any other soon-to-be-obsolete cryptography algorithm is usually replaced.

- It starts with hardware starting to catch up and algorithms becoming faster while both still be a some years away from actually breaking anything.
- The next step is finding a replacement algorithm and implementing it.
- Then I suppose it depends on the new algorithm. For example if we still use the same secp256k1 curve then it could possibly be done using a soft fork where we only replace ECDSA while nobody would have to move their coins. But if the curve is also changed then we need a transition period with a hard fork when people have to move their coins to outputs created using the new algorithm.

[larry_vw_1955]

I assume we proceed the same way any other soon-to-be-obsolete cryptography algorithm is usually replaced.

- It starts with hardware starting to catch up and algorithms becoming faster while both still be a some years away from actually breaking anything.
- The next step is finding a replacement algorithm and implementing it.

And what algorithm is that exactly? They always talk  like one exists but I havent seen it yet.

- Then I suppose it depends on the new algorithm. For example if we still use the same secp256k1 curve then it could possibly be done using a soft fork where we only replace ECDSA while nobody would have to move their coins.

What algorithm is quantum resistant that works with secp256k1 and exactly how it works that is kind of a mystery, dont you think?

But if the curve is also changed then we need a transition period with a hard fork when people have to move their coins to outputs created using the new algorithm.

maybe the network could automatically move everyone's coins that way "no one gets left behind" otherwise satoshi might find out one day he's broke.

[pooya87]

And what algorithm is that exactly? They always talk  like one exists but I havent seen it yet.

What algorithm is quantum resistant that works with secp256k1 and exactly how it works that is kind of a mystery, dont you think?

It is not such a mystery, you can find a bunch of quantum resistant algorithms if you do a quick google search and I know there has been some small discussions among bitcoin developers in the past too. I can't give you algorithm names because I haven't done any research in that space but others more informed than I can respond here.

maybe the network could automatically move everyone's coins that way "no one gets left behind" otherwise satoshi might find out one day he's broke.

Only if bitcoin were centralized which it isn't!

[o_e_l_e_o]

Thats the reason i sold all my bitcoins. I beleive in cypto tecnology, but sooner or later a Bitcoin Private Key will be stolen by bruteforce and the market will lost its value.

That's the reason I sold all my fiat. I believe in monetary technology, but sooner or later a credit card number will be replicated by bruteforce and the market will lose its value. Incidentally, a 16 digit credit card number has only 10¹⁶ combinations, whereas a bitcoin private key has over 10⁷⁷ combinations. So for every possible credit card number in existence, there are 10 trillion trillion trillion trillion trillion possible private keys.

If you are worried about the security of your bitcoin private key, then you must be utterly terrified about the security of your fiat!

And what algorithm is that exactly? They always talk  like one exists but I havent seen it yet.

I'm also not an expert on the subject, however the one most commonly talked about at the moment is Lamport signatures, but probably only because they are the most developed. They have a couple of disadvantages, however, most notably their size, which effectively precludes them being used in their current form. There is plenty of researching going on in this area though, so I suspect the algorithm we eventually fork to is one which is still very early on in its development.

[ABCbits]

Do we also have a plan how we will switch the old addresses to the secure addresses? Transfer the coins?

Let's assume these guys Pollard's kangaroo ECDLP solver have a very very fast computer and can calculate ECC private keys in the 2^256 range and demonstrate it and reassure us. How would we proceed?

From user side, they need to move their coin to "secure address". But from technical side, there are few dilemma such as,
1. Should we freeze UTXO with vulnerable cryptography or let it stolen?
2. Should node/miner reject transaction where the output contain "old address" after "secure address" is available?

And what algorithm is that exactly? They always talk  like one exists but I havent seen it yet.

I'm also not an expert on the subject, however the one most commonly talked about at the moment is Lamport signatures, but probably only because they are the most developed. They have a couple of disadvantages, however, most notably their size, which effectively precludes them being used in their current form. There is plenty of researching going on in this area though, so I suspect the algorithm we eventually fork to is one which is still very early on in its development.

Lattice-based and Multivariate-based cryptography also frequently mentioned.

[larry_vw_1955]

And what algorithm is that exactly? They always talk  like one exists but I havent seen it yet.

I'm also not an expert on the subject, however the one most commonly talked about at the moment is Lamport signatures, but probably only because they are the most developed. They have a couple of disadvantages, however, most notably their size, which effectively precludes them being used in their current form.

Yeah, not only that but they're really not worth changing over to since they still pin their entire security on a hash function which is no different than bitcoin right now. They say you only use a private key/public key pair in Lamport once but we all know how that turned out in bitcoin. people reuse their addresses they do it all the time.

Lattice-based and Multivariate-based cryptography also frequently mentioned.

I would think one of these two. although after glancing at them i do have my reservations. but i guess it's better than what we have right now with regards to quantum computers.

[BlackHatCoiner]

From user side, they need to move their coin to "secure address". But from technical side, there are few dilemma such as,
1. Should we freeze UTXO with vulnerable cryptography or let it stolen?
2. Should node/miner reject transaction where the output contain "old address" after "secure address" is available?

Shouldn't we come into an agreement now instead in a stressful period when everybody will scream for the sake of their money? I mean, do we have to wait until it becomes feasible enough to break the secp256k1 or rather gather as nice, calm Smurfs and vote for our decisions?

Yeah, not only that but they're really not worth changing over to since they still pin their entire security on a hash function which is no different than bitcoin right now. They say you only use a private key/public key pair in Lamport once but we all know how that turned out in bitcoin. people reuse their addresses they do it all the time.

And what does the reuse have to do with the security of a hash function?