Bitcoin Forum
Author Topic: How long until bots can profitably guess private keys?  (Read 7799 times)
Triffin (July 23, 2014, 05:41:45 PM) #41

Quote
the simplest best answer is cold storage.
authorization is irrelevant if a hacker got into your machine.

=====

If your 'bolded' assertion is true then crypto will remain a side show
and never attain mass adoption ..

For "SMS one time pass" to be defeated the 'hacker' would have
had to either break into my home and/or steal my cell phone and
my computer .. I'll accept that 'risk' for the minor hassle of
having to take a phone call and enter a one time password prior
to withdrawing my coins .. Better that than discovering that
"Ooops someone hacked my wallet and my coins are gone"

Triff .. 

franckuestein (July 23, 2014, 05:44:16 PM) #42

Quote
I'm unsure who made this image but I always like it to help illustrate the security of a 256 bit private key.

Aaaaand Topic closed!
Thanks for sharing that info!

Quokka (July 23, 2014, 05:46:08 PM) #43

Quote from: Triffin
the simplest best answer is cold storage.
authorization is irrelevant if a hacker got into your machine.

=====

If your 'bolded' assertion is true then crypto will remain a side show
and never attain mass adoption ..

For "SMS one time pass" to be defeated the 'hacker' would have
had to either break into my home and/or steal my cell phone and
my computer .. I'll accept that 'risk' for the minor hassle of
having to take a phone call and enter a one time password prior
to withdrawing my coins .. Better that than discovering that
"Ooops someone hacked my wallet and my coins are gone"

Triff ..

Even if, say, Bitcoin QT started requiring SMS verification before it submitted a transaction, it wouldn't stop an attacker who had your key from creating a transaction without SMS verification. I don't see how the entire decentralized Bitcoin network would implement SMS verification. So even if, hypothetically, transactions were to require some value that could only be generated by specific cell phones (And I have no clue how that'd work aside from maybe storing a second private key on the phone) it'd basically just be a 2 of 2 transaction with the second key being this SMS key.
Triffin (July 23, 2014, 06:01:35 PM) #44

I'll try again ..

First, I don't pretend to understand the 'technical' aspects of crypto at all ..

I do know that all the wallet security features are exclusively
focused on foiling access to one's wallet ..

Judging by the number of threads on this board that deal with "theft of coins" ..
foiling access is clearly not enough ..
People are fallible, they're going to use weak passwords and employ sloppy procedures ..
I think you'd have to assume that wallets will be hacked/compromised at some point ..
Therefore, there must be some additional security feature/procedure etc etc
in order to authorize a withdrawal ..


That's all ..

The average user has got to feel that the wallet ( hot or cold ) is secure and utilitarian ..
It's got to be as intuitive as online banking and online trading ..

Just sayin ..

Triff ..


Quokka (July 23, 2014, 06:03:55 PM) #45

Quote from: Triffin
I'll try again ..

First, I don't pretend to understand the 'technical' aspects of crypto at all ..

I do know that all the wallet security features are exclusively
focused on foiling access to one's wallet ..

Judging by the number of threads on this board that deal with "theft
of coins" .. foiling access is clearly not enough .. There must be some
additional security feature/procedure etc etc in order to authorize a withdrawal ..

That's all ..

The average user has got to feel that the wallet ( hot or cold ) is secure and utilitarian ..
It's got to be as intuitive as online banking and online trading ..

Just sayin ..

Triff ..

That's a perfectly valid concern. It's just that Bitcoin is such a vastly different system than the likes of PayPal or similar electronic payment methods that the same security features can't be applied.
jonald_fyookball (July 23, 2014, 06:06:33 PM) #46

Quote from: Triffin
There must be some
additional security feature/procedure etc etc in order to authorize a withdrawal ..

There is.  It's called encryption.  You can set a strong password on your wallet file itself.

Triffin (July 23, 2014, 06:13:55 PM) #47

Quote from: jonald_fyookball
There must be some
additional security feature/procedure etc etc in order to authorize a withdrawal ..

There is.  It's called encryption.  You can set a strong password on your wallet file itself.

Ok .. So my main risk would be a 'keylogger' ?? or not ??

Triff ..

nutildah (OP) (July 23, 2014, 06:13:59 PM) #48

So in general it seems people are pretty smug about the security of the private key, but if quantum computing technology is ever successfully applied to solving this problem, you might be singing a different tune in 20 years or so.

Granted that's my minimum time estimation, but all of these mathematically-derived estimations rely on a classic-modeled rate of technological advancement. If something came along that was to throw this paradigm out the window you may have to change your estimation a few orders of magnitude lower.

DeathAndTaxes (July 23, 2014, 06:21:31 PM) #49

Quote from: nutildah
So in general it seems people are pretty smug about the security of the private key, but if quantum computing technology is ever successfully applied to solving this problem, you might be singing a different tune in 20 years or so.

Satoshi is from the future and he already considered that.   Seriously though the pubkey is not known until funds are spent.  If you are not reusing addresses an attacker, even one with a Quantum Computer, would have no PubKey to implement Shor's algorithm against.  There is no known quantum algorithm which can be used against hashing functions other than Grover's algorithm and that only reduces the complexity from 2^160 to 2^80.  By the time that becomes a risk the hash digest can be increased.  Using 512 bit hashes for example would be more secure against Quantum Computers than 160 bit ones are against classical computing today.

Quote
all of these mathematically-derived estimations rely on a classic-modeled rate of technological advancement.
You are right they do assume classical computing but not based on technological advancement.  Instead they are the limits of what is possible with classical computing.   It is very likely the human race will never achieve that level of efficiency.  It isn't probable but it is used as an upper bound.  On any more realistic scenario the numbers would be even larger.  Simply put if a perfect classical computer using all the energy of a star can't in the next 5 billion years count to 2^256 then any lesser classical computer can't do it either.
Triffin (July 23, 2014, 06:28:17 PM) #50

Perhaps I'm approaching this security issue from  the wrong angle

Let's assume that the typical crypto adopter has a wallet on either

1) his cell phone
2) his personal computer/tablet
3) has a brain wallet

Forget the various 'attack vectors' that a hacker has at his disposal ..
What ( if any ) procedure/feature/technique could be employed to
defeat an unauthorized withdrawal/theft ?? Is there a solution
applicable to all wallet types or would each wallet type require its own
unique security procedure/feature/technique ??

Triff ..


jonald_fyookball (July 23, 2014, 06:46:52 PM) #51

Quote from: Triffin
Perhaps I'm approaching this security issue from  the wrong angle

Let's assume that the typical crypto adopter has a wallet on either

1) his cell phone
2) his personal computer/tablet
3) has a brain wallet

Forget the various 'attack vectors' that a hacker has at his disposal ..
What ( if any ) procedure/feature/technique could be employed to
defeat an unauthorized withdrawal/theft ?? Is there a solution
applicable to all wallet types or would each wallet type require its own
unique security procedure/feature/technique ??

Triff ..



You seem to be slightly confused about the whole security thing.

The primary security mechanism in Bitcoin are cryptographic keys.
(Private keys).  Without knowing the private key, a hacker cannot
steal your funds.  So that's one layer.

The next layer, is:  how secure is your private key?  If the hacker
can get it (with a keylogger, etc), then he just penetrated the
primary layer.  So that's why you need to make sure the hacker
doesn't get the private key.

Wallet encryption adds another layer by wrapping the whole
wallet behind a password protected wall.  And yes,
one of your main concerns at that point is keyloggers.

Usually there is a trade off between security and convenience.
You keep some spending money on your online machine
with good anti-virus and encrypted wallet... or in reputable
online service (Coinbase,etc) with 2FA.... and the rest of
your savings you store offline so a hacker cannot get at
your keys.

Hope that makes sense.


nwfella (July 23, 2014, 07:35:32 PM) #52

My guess would be never.

beetcoin (July 23, 2014, 07:51:32 PM) #53

all this campaigning and information about cold storage, and yet still so many people are unaware of it and its advantages. i don't get it, if you're dealing with a lot of money, don't you want to be diligent in protecting your assets?
marcotheminer (July 23, 2014, 08:17:22 PM) #54

Here is a good site to play with password and time to brute force it.
https://www.grc.com/haystack.htm

28.23 trillion trillion trillion centuries (Assuming one hundred trillion guesses per second)

We are fine

Even with the most powerful computer the size of the sun and using its energy it would take millions of years I think according to this infographic. I can't find it though, but it's impossible or close to at least. You're safe!
Skinnkavaj (July 23, 2014, 09:49:36 PM) #55

Quote
256 bit random keys where the PubKey is not known to the attacker?  Oh that would be shortly after never.

You should add billions, or at least millions of years.
Always you guys reassuring me of the security of bitcoin in every thread like this.
I love reading posts from both of you.

AliceWonder (July 23, 2014, 10:10:47 PM) #56

Quote
1. Because quantum computers don't exist yet beyond very crude prototypes.

I would update that to "general purpose quantum computers" before some noob comes flying in with a DWAVE headline.

Yes, my company Butternut Labs has just developed Application Specific Quantum Computers that should crack several bitcoin addresses a day.

Want one? Send us lots of money now and about a month after our competition has delivered enough of their product to make ours obsolete, we'll ship.

charlieSeen (July 23, 2014, 10:13:33 PM) #57

Quote from: nwfella
My guess would be never.

This is probably one of the more accurate answers here.

It is not difficult to "guess" a private key as long as you are not trying to find a private key to a specific public address, as this is how a bitcoin address is created.

When you are trying to determine the private keys associated with a specific address, the chances of that happening ever are essentially zero.
AliceWonder (July 23, 2014, 10:21:14 PM) #58

Quote from: Triffin
Guys ..

I must have read 100 threads in the last year that say the same thing ..

"Ooops someone hacked/cracked my wallet and stole my BTC"

Followed by lengthy discussions about 'brute force' attacks and
mathematical probabilities etc etc ..
Bottom line .. once someone has access to your wallet .. the deed is done ..
Your 'coins' are gone ..

There MUST be a security step from WITHIN the wallet to 'authorize' a withdrawal before it occurs
Why not "SMS one time pass" or something similar ??
I'm not a programmer or tech person myself so have no idea how difficult this is to do ..
But it must be done ..

Triff ..

Quote
the simplest best answer is cold storage.  authorization is irrelevant if a hacker got into your machine.

Cold storage does not defend against a brain wallet guess though.

hhanh00 (July 23, 2014, 10:34:56 PM) #59

All jokes set aside, these calculations assume that the only viable algorithm is brute force. One of the primary advantages of elliptic curve cryptography is the relatively short key size. A 256 bit EC key is roughly equivalent to a 3000 bit RSA key because there aren't very good algorithms for solving the discrete log problem whereas prime factorization has much better algorithms.

However, bitcoin addresses are protected by a few cryptos. If one never reuses an address, the only occurrences of it in the block chain will be when it receives coins and when it is drained. Once it's drained, there is nothing to steal. Before it is used, the block chain only has the address and not the public key. The address is a hash of the public key. So to steal the coins, one has to reverse the RIPEMD-160 hash function to get the SHA-256 of the public key. Then reverse the SHA-256 to get the public key and then crack the ECC to get the private key.

If the address is reused, the public key will appear in the block chain because when coins are spent from an address, the transaction shows the public key and a signature. It eliminates the need to reverse RIPEMD and SHA. The 'only' problem remains the ECDSA.

ECDSA has a weakness if it is poorly implemented. To sign a message, a random number should be chosen and it should not be reused, otherwise it is very easy to get the private key. Sony's PS3 was hacked because the developers used a constant, and a few earlier bitcoin clients had bugs and were also reusing that number. It led to the theft of a lot of bitcoins.

Finally, there is the risk of using a not really random key. If the key is the SHA of "I love cheesecake" it will probably be found quickly by bots that try simple sentences.

keithers (July 23, 2014, 11:28:49 PM) #60

I heard somewhere that brainwallets were actually easier to crack than long strings of letters, numbers, and symbols because the computer just tests every word in the dictionary against each other in sentences.   Obviously cracking either would take a long time, but this makes logical sense.
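The two failure modes hhanh00 describes in #59 (a reused ECDSA nonce, and a private key that is just the SHA-256 of a sentence) and the dictionary attack keithers mentions in #60, worked through in Python as an added example that is not part of the thread or of any wallet's code. secp256k1 arithmetic is written out in plain Python so the block runs with no dependencies; the two signed messages, the phrase list, and the "funded" target set are constructed for the demo. One simplification is labelled in the code: the address derivation stops at the SHA-256 of the public key rather than going on to RIPEMD-160 (assumption: hashlib on some Python builds lacks RIPEMD-160), which changes nothing about how the bot matches guesses against targets.

```python
import hashlib
import secrets

# secp256k1 domain parameters, the curve Bitcoin uses
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def compressed_pubkey(priv):
    """33-byte SEC1 compressed encoding: 02/03 prefix by parity of y, then x."""
    x, y = ec_mul(priv, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def sign(priv, z, k):
    """Textbook ECDSA: z is the message hash as an integer, k the nonce."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    assert r and s
    return (r, s)

def recover_from_nonce_reuse(z1, sig1, z2, sig2):
    """Two signatures made with the same k share r. Subtracting
    s_i = k^-1 (z_i + r d) mod N for i = 1, 2 isolates k, then d."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs, so the nonce was not reused")
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r1, -1, N) % N

def brainwallet_priv(phrase):
    """The classic brain-wallet construction: priv = SHA-256(passphrase)."""
    return int.from_bytes(hashlib.sha256(phrase.encode()).digest(), "big")

def fingerprint(priv):
    """SHA-256 of the compressed public key. A Bitcoin address is the
    RIPEMD-160 of this; that step is left out (assumption: hashlib may
    lack RIPEMD-160 on some builds) and it changes nothing about the attack."""
    return hashlib.sha256(compressed_pubkey(priv)).digest()

def crack_brainwallets(targets, phrases):
    """What a guessing bot does: derive a key per candidate phrase and look
    its fingerprint up in the set of funded targets. Returns the hits."""
    hits = {}
    for phrase in phrases:
        fp = fingerprint(brainwallet_priv(phrase))
        if fp in targets:
            hits[phrase] = fp
    return hits

def demo_nonce_reuse():
    """Sign two different messages with one k and recover the signing key."""
    d = secrets.randbelow(N - 1) + 1
    k = secrets.randbelow(N - 1) + 1  # the bug: the same k for both signatures
    z1 = int.from_bytes(hashlib.sha256(b"pay alice 1 BTC").digest(), "big")
    z2 = int.from_bytes(hashlib.sha256(b"pay bob 2 BTC").digest(), "big")
    sig1, sig2 = sign(d, z1, k), sign(d, z2, k)
    return recover_from_nonce_reuse(z1, sig1, z2, sig2) == d

if __name__ == "__main__":
    print("key recovered from reused nonce:", demo_nonce_reuse())
    # constructed target set: one weak brain wallet beside a properly random key
    targets = {fingerprint(brainwallet_priv("I love cheesecake")),
               fingerprint(secrets.randbelow(N - 1) + 1)}
    print(crack_brainwallets(targets, ["password", "I love cheesecake"]))
```

Two practical notes. ECDSA's s is malleable (s and N - s both verify), so a real recovery tool tries both signs of each s before giving up; and the standard fix for the nonce problem is to derive k deterministically from the private key and the message (RFC 6979) rather than from a random source that can fail. The brain-wallet half shows why "I love cheesecake" offers no protection: the cost of the guess is one SHA-256 and one point multiplication, and the target set can be every funded address on the chain.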