Cold storage questions

[Bernard Lerring]

Hi there. First post/topic.

I'm about to put coins away in cold storage on a long term, to be forgotten about, basis and have some newbie questions:

1. I understand I can use the bitaddress.org HTML document, copied on a clean USB stick to a live USB version of Linux (Tails) which has never been connected to the web to generate a public address and private key. How do I know that the pair that's generated is unique and hasn't already been generated? What are the mathematical odds of someone coincidentally having the same private key?

2. Is there a "scene" for people using powerful computing technology (high-end GPU's etc.) to generate and test thousands of private keys in the hope that they'll stumble upon some coins?

In short, am I OK to store a couple of coins in a paper document and forget about them for a year or two?

Thanks muchly. I find this site very interesting, even though some of the more mathematical explanations can go over my head.

[1715572827]

1715572827

[jonald_fyookball]

I personally would not use bitaddress.org -- how do you know
they arent logging everything themselves?  Or that your
Computer isn't infected with a virus?

(Unless you are using their opensource javascript code
and running it on an offline computer...in which case it is ok.)

As far as brute-forcing private keys, it has been discussed
many times.  The lowerbound is 2^128, which, if you
could try a trillion trillion private keys a second (which
not even the top supercomputer could), it would take
8.9 million years.

[Bernard Lerring]

I just copied the HTML file over to a non-persistent Tails desktop and opened it in the secure browser (Iceweasel, I think). At no time I was connected to any network and I used the "shred -n" command to get rid of anything I had saved, even though this is redundant since Tails claims to not save any data on shutdown.

i thought the HTML (containing the Javascript generator) was open source and presume it has been audited and inspected by those more knowledgeable than me in Javascript/HTML.

Since I ran and shutdown Tails on a laptop that was at no point connected to a network the bitaddress.org page could not have reported any generated data back to anywhere. However, if there's a purer way of generating a key (which includes user generated random content) in the terminal that would be good to know.

As for the second part of your post, jonald_fyookball, thanks. That puts my mind at rest that my private key has a ridiculously minute chance of being spoofed.

[jonald_fyookball]

You should be fine.  The only danger I can see would be if some virus was running , got your key...and broadcast it again when that computer came online.  Seems quite unlikely if you're using tails.

Also btw, the 128 bit security increases to 160 bits if you're using an unspent address.

[Bernard Lerring]

Yeah, running Tails in non-persistent mode from USB runs an identical live environment every time you boot. It won't save any of your previous session; just boots into a fresh OS every time and does a quick memory wipe on shutdown.

I don't use it for regular browsing, just for doing stuff like this so the chance of any malware getting onto the live USB is extremely unlikely. Possibly an even more secure way would be to burn Tails onto a live CD so that it's write protected and boot from that. I think I'll do it that way in future.

Good to know about the extra security bits on a brand new, unused address too. Thanks.

[jonald_fyookball]

Best practice is not to reuse addresses. 
Security can actually drop to 0 bits if
you reuse an address on a flawed wallet
(A wallet that mistakenly doesn't generate
new random numbers in its elliptic curve
calculations)

This is all stuff I leaned myself on the forum
in the past few months.  So happy to
pass it on. 

[maxrann]

Have you considered using an Electrum seed passphrase instead? It would prevent you from having to re-use the same address and it would allow you to create a "watch-only" wallet with Electrum or with https://coldmonitor.com

[Bernard Lerring]

I already have an electrum wallet for send/receive transactions and wanted to keep the bulk of my coins offline, as it were.

So I've went down the pen and paper route, sending most of my coins to a paper address and keeping copies in different houses (family members with no idea about Bitcoin). I feel that having a couple of private keys stashed that have never been exposed to the internet is a decent strategy and won't touch them for a long time. When that time comes I'll probably import the funds into a wallet.

[jonald_fyookball]

You sound like you're bright enough to handle bitcoin security, which unfortunately at this still early phase of bitcoin, can be a challenge to the average person.  Welcome to the forum!

[ViewSonic]

I'm about to put my coins away in cold storage on a long term too. You questions and answers to them really helped me

[TierNolan]

This is exactly what Armory was designed to do.  Why re-invent the wheel?

Remember if you make a mistake, you can easily lose everything.

[jonald_fyookball]

Another good idea is to laminate those paper wallets. 

[Bernard Lerring]

I was just thinking about a possible flaw in my system of creating a paper wallet, as detailed above.

Would it be a good idea once I've generated an address (and matching private key) to use my internet PC to search for the address on blockchain.info before depositing my coins into it?

If blockchain.info comes up with a blank for that address does that mean it hasn't been used and I can go ahead and make my deposit?

If it has been used then someone holds a private key for that address and I can go back to my disconnected Tails live OS and simply generate a different address and key pair.

Is my working correct and is it necessary to check the blockchain before depositing?

[Relnarien]

I was just thinking about a possible flaw in my system of creating a paper wallet, as detailed above.

Would it be a good idea once I've generated an address (and matching private key) to use my internet PC to search for the address on blockchain.info before depositing my coins into it?

If blockchain.info comes up with a blank for that address does that mean it hasn't been used and I can go ahead and make my deposit?

If it has been used then someone holds a private key for that address and I can go back to my disconnected Tails live OS and simply generate a different address and key pair.

Is my working correct and is it necessary to check the blockchain before depositing?

It is not necessary to confirm if your Bitcoin address currently has an owner. The chances of a collision of addresses occurring, though continually growing, is still very minute. However, you can always do as you suggested if it will ease your mind. Nothing is wrong with being doubly sure when it comes to security.

Let me tell you why I personally think that checking if a randomly generated address is redundant though, just to give you an added perspective. Theoretically, if collisions on Bitcoin addresses are already occurring at this very moment, then it will be much more frequent as time goes on, and checking the address once would be meaningless since it could just as easily be randomly assigned to another person after you had already transferred your funds into it.

Also, an address with no transactions linked to it could theoretically still be owned by someone who has simply not used it yet. For example, Electrum generates at least 5 addresses when you open it for the first time. A casual Bitcoin user can use just a couple of those but still retain access to the unused addresses.

[Bernard Lerring]

Thanks, I was thinking along the same lines of minute chance too.

In theory though, especially if bitcoin becomes mainstream, is there a way to modify the way bitcoin operates to ensure no collisions: both past and future collisions? Someone out there could be auto-generating hundreds of keys a minute for various reasons. As we all know, there is an abundance of dishonesty on the internet where money is concerned.

I realise from previous posts that even if someone were generating pairs in their hundreds or thousands there would still be a very small collision chance, but it's a chance none the less. I would be pretty gutted even if I lost just one BTC due to a collision. That could be a lot of money in the future, or could be next to nothing. I don't want to get into speculation 

[Relnarien]

Thanks, I was thinking along the same lines of minute chance too.

In theory though, especially if bitcoin becomes mainstream, is there a way to modify the way bitcoin operates to ensure no collisions: both past and future collisions? Someone out there could be auto-generating hundreds of keys a minute for various reasons. As we all know, there is an abundance of dishonesty on the internet where money is concerned.

I realise from previous posts that even if someone were generating pairs in their hundreds or thousands there would still be a very small collision chance, but it's a chance none the less. I would be pretty gutted even if I lost just one BTC due to a collision. That could be a lot of money in the future, or could be next to nothing. I don't want to get into speculation 

The Bitcoin protocol is open source technology that was created with the rationale that any potential problems would be dealt with as hardware and software continue to evolve. The collision dilemma is one that has been discussed by people in the community many times before -- and still -- but the prevailing argument is that it will be relatively far in the future before collisions start becoming a major problem, and that it will have been solved before we come remotely close to that point in time. While that point may be debatable depending on one's personal perspective, the truth is that anyone saying differently yet also committed to making Bitcoin work can simply find a solution on his/her own, rendering the prophecy self-fulfilling.

As for "preventing collisions," that is impossible without completely rewriting the Bitcoin protocol. There are a lot of existing Bitcoin wallets, all open source and all easily modifiable. Meanwhile, the number of Bitcoin addresses is finite and their generation is a deterministic process. It's just one of those things when dealing with open source -- the best we could is to work around it, not against it.

[Light]

I realise from previous posts that even if someone were generating pairs in their hundreds or thousands there would still be a very small collision chance, but it's a chance none the less. I would be pretty gutted even if I lost just one BTC due to a collision. That could be a lot of money in the future, or could be next to nothing. I don't want to get into speculation 

I wouldn't worry too much about collisions. It sounds scary but you should be more scared you'll die tomorrow and never be able to spend those coins or give them to the people you love. That is far more likely statistically than getting a collision.

Statistically speaking, unless the protocol changes to accommodate more decimal places, only 2.1e14 addresses could contain at least one Satoshi, and that's only if everyone only had one Satoshi. If anyone has more (and pretty much everyone who has any has more than one Satoshi), then there are fewer occupied wallets.

Within the set of 2256 private keys, they only map to 2160 unique wallet addresses. So the question is how does 2160 compare to 2.1e14? One in a million? One in a trillion?
The answer is one in 6.9595 decillion. Since "decillion" isn't a commonly used word, I'll save you the bother of having to look it up: it's a one with 33 zeroes after it.

To put that 6.9595 decillion figure into perspective: The Earth has a diameter of 12,742 kilometers, giving it a surface area just shy of 50 million square kilometers. A square kilometer is 1 million square meters, and a square meter is one million square millimeters, meaning the surface area of the Earth, in millimeters, is just shy of 50 quintillion mm2.

So here's the game we'll play. I've got 140 trillion earth-sized spheres. On one of them, I have randomly selected a single square millimeter as the prize winning spot. Find it, and you'll get to spin the prize wheel to see how much you've won. The prize wheel currently has about 22 million spaces. 21 million of them contain less than a dollar. But you only get to spin the wheel if you can find the secret spot on the secret sphere.

Wanna play?

[Bernard Lerring]

Wow, Light! Mind blown, and satisfied, at the same time. Guess I'll stop worrying about collisions and leave it to those that have a greater understanding of how the system works.

[jonald_fyookball]

Wow, Light! Mind blown, and satisfied, at the same time. Guess I'll stop worrying about collisions and leave it to those that have a greater understanding of how the system works.

Here's another fun way to look at it:

The total number of bitcoin addresses is 2^160.

If the world population was 1 trillion people
(instead of 7 billion), and each person had
1 trillion computers in their basement, and each of those computers
was generating 1 trillion unique bitcoin addresses every
second, it would still take 46,343 years to go through
all the addresses.

 

[Bernard Lerring]

Yeah, but what about Moore's Law? 

Seriously though, jonald_fyookball, that's a good quote if I ever have to explain to a friend how unlikely a collision can be.

[jonald_fyookball]

Moore's law has been more of a general observation (a trend) rather than any kind of
fundamental property.

It can't continue forever.  In fact, it is already running into its inherent limitations.

[DeathAndTaxes]

Wow, Light! Mind blown, and satisfied, at the same time. Guess I'll stop worrying about collisions and leave it to those that have a greater understanding of how the system works.

The idea that security rests of an unlikely event is often a hard concept to accept.  This is because outside of cryptography we often (incorrectly) accept highly unlikely events as "impossible".  That sets mentally sets up a false "it should be in impossible to be secure" requirement.  Even in the material world there is no such thing as an impossible event.  You could right now stand up and walk right through the nearest wall on your first attempt due to Quantum tunneling.  The odds are so remote we just say it is impossible, to avoid explaining that while it is possible it is so improbable that it might as well be impossible.  Still for the sake of the argument, Just because it is "possible" to pass through a wall due to quantum tunneling, would you buy a safe to put inside another larger safe just to protect your gold from the possibility that the burglar will get "lucky" and be able to reach through the outer safe wall by quantum tunneling?  Of course not.  Even the idea seems silly but we somehow with math it seems more of a risk because the exact probability can be computed and we can show that collisions are possible with smaller numbers.

To get technical, even a collision isn't even sufficient to steal coins.  A collision involves any two random values from the set of possible values.  For Bitcoin, the overwhelming majority of the keyspace will never be used, so even in the (so unlikely as to be considered impossible) event that there is a collision, it is most likely to involve a pair of keys that have never been nor ever will be funded.  For your coins to be compromised would require a preimage attack which is even less likely.  Unless the divisibility is increased there can never be more than 2.1 quadrillion funded addresses (21M * 1E8).  2.1 quadrillion funded addresses gives the highest probability but it also means the smallest payoff, as under that scenario all addresses would contain only a single satoshi.

None of this is Bitcoin specific.  You could in theory bang on your keyboard and by random chance produce a private key which corresponds to the public key in use right now for google's SSL cert.  You could also arm and launch a nuclear warhead, or spoof a bank atm's authentication by the same near but not zero probability.   If you say "impossible" I have learned you get thirty responses saying it can be done so the word is "infeasible".  It is infeasible to brute force a random key using classical computing which has 128 bit security/strength.

[jonald_fyookball]

A hash collision is much more likely to happen than a monkey randomly typing the complete
text of Hamlet on a typewriter on the first try, which is a probability of 1 to 3.4 × 10^183,946 against.

http://en.wikipedia.org/wiki/Infinite_monkey_theorem

[Peter R]

Is there anything that is actually impossible (P=0)?

If you don't count abstract math and logic (e.g., 1+1 != 2) then I think everything is possible.  Physics would say that moving through time in a way that violates causality is impossible, but I think you could argue that that breaks abstract logic at the same time so it doesn't count.  Some physicists would say that it is impossible to get from Point A to Point B faster than the speed of light, but even this is debatable with convincing evidence of quantum non-locality.  

I think it would make sense for anything to be possible because I think it makes sense that the universe itself is universal (i.e., Turing complete).

[jonald_fyookball]

yep, everything is possible (unless its impossible). lol.

[cp1]

Is there anything that is actually impossible (P=0)?

If you don't count abstract math and logic (e.g., 1+1 != 2) then I think everything is possible.  Physics would say that moving through time in a way that violates causality is impossible, but I think you could argue that that breaks abstract logic at the same time so it doesn't count.  Some physicists would say that it is impossible to get from Point A to Point B faster than the speed of light, but even this is debatable with convincing evidence of quantum non-locality.  

I think it would make sense for anything to be possible because I think it makes sense that the universe itself is universal (i.e., Turing complete).

It's impossible to violate the laws of thermodynamics.

[Peter R]

Is there anything that is actually impossible (P=0)?

If you don't count abstract math and logic (e.g., 1+1 != 2) then I think everything is possible.  Physics would say that moving through time in a way that violates causality is impossible, but I think you could argue that that breaks abstract logic at the same time so it doesn't count.  Some physicists would say that it is impossible to get from Point A to Point B faster than the speed of light, but even this is debatable with convincing evidence of quantum non-locality.  

I think it would make sense for anything to be possible because I think it makes sense that the universe itself is universal (i.e., Turing complete).

It's impossible to violate the laws of thermodynamics.

It is definitely possible for events in nature to violate the the 2nd law of thermodynamics.  In fact, it's not even a law, it's just a bold statement about probability.  The vast majority of physicists would agree.  

The idea that entropy never decreases is just another way of saying that things that are infeasible don't actually happen.  If you video record someone playing pool and breaking the racked balls with the cue ball, and then if you play the video backwards and apply Newton's laws to each collision, you'll see that the physics was valid both moving forward in time and moving backwards in time.  The backwards event never happens (all the balls converging to a perfect triangle), however, because it is is statistically extremely unlikely.  

Everything that can happen moving forward in time can happen in reverse too (uncracking an egg for instance), but it never does because the probability of all the atoms moving in exactly the right way is like 10^-892709498239489023849028309482904820384920.

[DeathAndTaxes]

It's impossible to violate the laws of thermodynamics.

Unless the "law" is incorrect and our understanding of the universe is incomplete.   At one time we believed it was impossible to sail around the world because it was flat.

[jonald_fyookball]

What's interesting about the infinite monkey theorum is the "almost surely" probability.

Given infinite time, a monkey will almost surely type out hamlet, but
there is no absolute guarantee of it ever happening.

Same thing with cracking an egg in reverse.

However the small the chances of it happening, it is almost surely
going to happen with enough eons of time, but there's nothing
compelling it to necessarily do so.

These concepts can become a brain-twister.

[cp1]

As long as the total entropy of the universe doesn't decrease, an egg can re-assemble itself all it wants and the 2nd law won't be violated.

[Peter R]

As long as the total entropy of the universe doesn't decrease, an egg can re-assemble itself all it wants and the 2nd law won't be violated.

Right, so the probability of the egg-uncracking event is non-zero.  So what is an event that you could describe and that we can imagine playing out in physical reality but that has identically zero probability of occurring?  

The answer can't something like "the sum of the force acting on a particle doesn't equal it's mass times acceleration" because all the laws of physics are abstract models that describes nature--they aren't nature itself.  Newton's second law is always true for the same reason that 1+1 = 2 is always true.  

[jonald_fyookball]

As long as the total entropy of the universe doesn't decrease, an egg can re-assemble itself all it wants and the 2nd law won't be violated.

Right, so the probability of the egg-uncracking event is non-zero.  So what is an event that you could describe and that we can imagine playing out in physical reality but that has identically zero probability of occurring?  

Perhaps time travel.

[cp1]

Me living to be one billion years old?

[jonald_fyookball]

Me living to be one billion years old?

No, I think my answer is more what Peter is looking for.

You could theoretically live to be a billion years old because
some cell generation technology (biological immortality)
could be invented without contradicting
the laws of physics and perhaps you won't have
any fatal accidents in the next billion years.  

However unlikely this may be, it
doesn't fit Peter's request of

actually impossible (P=0)?

But, we can imagine time travel, yet it may be
actually impossible outside of our imagination.

[Peter R]

Me living to be one billion years old?

No, I think my answer is more what Peter is looking for.

You could theoretically live to be a billion years old because
some cell generation technology (biological immortality)
could be invented without contradicting
the laws of physics and perhaps you won't have
any fatal accidents in the next billion years.  

However unlikely this may be, it
doesn't fit Peter's request of

actually impossible (P=0)?

But, we can imagine time travel, yet it may be
actually impossible outside of our imagination.

I think time travel is probably the best answer, but I still don't think it works.  The reason I don't think it works is because we can only imagine time travel if we abandon logic (we abandon causality, or sequence).  So I think my argument holds: If you don't count abstract math and logic (e.g., 1+1 != 2) then I think any event has non-zero probability.  

Will everything that has non-zero probability eventually happen?  I think it depends on how many bits of resolution time has.  We know time exists on scales as large as the age of the universe (~14 billion years = 4.4 x 10¹⁷ s) to as small as the the Planck time (5.4 × 10⁻⁴⁴ s).  So we know time has at least log₂(4.4 x 10¹⁷ / 5.4 × 10⁻⁴⁴) = 202 bits of resolution (less than a bitcoin private key).  For a monkey to type out Hamlet at P = 10^-183,946 means we need at least log₂(10^183,946) = 611000 bits.  Which means that for this to actuallly happen, we need to be enormously closer to the beginning of time than we are to the end.  I'm not sure that's reasonable.  


So time has perhaps 202 bits.  We can do the same calculation for space:

   log₂(radius_of_universe / Planck_length) = log₂(5.7x10^25 m / 1.6x10^-35 m) = 204 bits

Since we have 3 spatial dimensions, I think it would be reasonable to say that the universe has at least 202 + 3 x 204 ~= 800 bits of resolution.  

Therefore, I think any event that has a probability significantly less than 2^-800 = 10^-240 is most certainly impossible.  

In other words, even if every particle in the universe was a monkey and ever increment of time was a keyboard press, those monkeys never type out Hamlet!

[sgk]

Hi there. First post/topic.

I'm about to put coins away in cold storage on a long term, to be forgotten about, basis and have some newbie questions:

1. I understand I can use the bitaddress.org HTML document, copied on a clean USB stick to a live USB version of Linux (Tails) which has never been connected to the web to generate a public address and private key. How do I know that the pair that's generated is unique and hasn't already been generated? What are the mathematical odds of someone coincidentally having the same private key?

2. Is there a "scene" for people using powerful computing technology (high-end GPU's etc.) to generate and test thousands of private keys in the hope that they'll stumble upon some coins?

In short, am I OK to store a couple of coins in a paper document and forget about them for a year or two?

Thanks muchly. I find this site very interesting, even though some of the more mathematical explanations can go over my head.

These are the mathematical odds:
https://bitcointalk.org/index.php?topic=587371.msg6434251#msg6434251

[jonald_fyookball]

Since we have 3 spatial dimensions, I think it would be reasonable to say that the universe has 202 + 3 x 204 ~= 800 bits of resolution.  

Therefore, I think any event that has a probability significantly less than 2^-800 = 10^-240 is most certainly impossible.  
 

i think the universe (or multiverse) has to be infinite in space and time.

[Peter R]

Since we have 3 spatial dimensions, I think it would be reasonable to say that the universe has 202 + 3 x 204 ~= 800 bits of resolution.  

Therefore, I think any event that has a probability significantly less than 2^-800 = 10^-240 is most certainly impossible.  

i think the universe (or multiverse) has to be infinite in space and time.

It is an open question in physics so either opinion is valid; perhaps one day we will know.  All we know now is that the concept of time makes sense from a scale as small as the Planck time to a scale as large as the estimated age of the universe (~200 bits of resolution). 

Personally, I think "infinity" is an abstraction and cannot exist in physical reality.  I think this would also mean that all the physical constants are actually rational numbers.

[jonald_fyookball]

Since we have 3 spatial dimensions, I think it would be reasonable to say that the universe has 202 + 3 x 204 ~= 800 bits of resolution.  

Therefore, I think any event that has a probability significantly less than 2^-800 = 10^-240 is most certainly impossible.  

i think the universe (or multiverse) has to be infinite in space and time.

It is an open question in physics so either opinion is valid; perhaps one day we will know.  All we know now is that the concept of time makes sense from a scale as small as the Planck time to a scale as large as the estimated age of the universe (~200 bits of resolution). 

Personally, I think "infinity" is an abstraction and cannot exist in physical reality.  I think this would also mean that all the physical constants are actually rational numbers.

Agree that either opinion is valid. 

For me, I just cannot imagine some arbitrary border of which there is nothing beyond, nor can I imagine time can "stop" one day, or that there was a starting point where nothing existed before and suddenly existence was born one day. 

[Peter R]

Since we have 3 spatial dimensions, I think it would be reasonable to say that the universe has 202 + 3 x 204 ~= 800 bits of resolution.  

Therefore, I think any event that has a probability significantly less than 2^-800 = 10^-240 is most certainly impossible.  

i think the universe (or multiverse) has to be infinite in space and time.

It is an open question in physics so either opinion is valid; perhaps one day we will know.  All we know now is that the concept of time makes sense from a scale as small as the Planck time to a scale as large as the estimated age of the universe (~200 bits of resolution). 

Personally, I think "infinity" is an abstraction and cannot exist in physical reality.  I think this would also mean that all the physical constants are actually rational numbers.

Agree that either opinion is valid. 

For me, I just cannot imagine some arbitrary border of which there is nothing beyond, nor can I imagine time can "stop" one day, or that there was a starting point where nothing existed before and suddenly existence was born one day. 

Neither can I.  I don't think it is possible from inside the system where our rules of logic apply (1+1=2, causality, sequence).  But if you truly have nothing then perhaps you don't have logic either.  And if you don't have logic then nothing can be something….and then my brain starts to hurt...


Anyways, this thread has diverged far away from its original scope!  I think we've confirmed once again that bitcoin addresses are definitely safe against brute force attacks LOL.   

[jonald_fyookball]

logic works great within the scientific "realm" but it has limitations too, and cannot really deal with the more non-linear aspects of existence.