How long until bots can profitably guess private keys?

[Lauda]

I'm unsure who made this image but I always like it to help illustrate the security of a 256 bit private key.

Aaaaand Topic closed!
Thanks for sharing that info!

As soon as I've read the title and topic, I've waited for someone to link this image.
What more do you people need? Whoever made this was certainly a small fellow.
In other words, no matter what advancement is made in technology in the next 100 years, there is no way for anyone to brute force 256bit keys.

[Soros Shorts]

I heard somewhere that brainwallets were actually easier to crack than long strings of letters, numbers, and symbols because the computer just tests every word in the dictionary against each other in sentences.   Obviously cracking either would take a long time, but this makes logical sense.

That's assuming that the hashing function used to convert the passphrase to the private key is well known. You could always iimplement your own function, or if using some public brainwallet site you could pre-hash your passphrase using some simple but obscure hashing function.

[smooth]

If I understand it correctly it would literally take years to get even one private key. Even so it is wise to move your coins from time to time. A moving target is much harder to hit.

If the threat is brute forcing a private key this is not correct. A "moving target" is exactly as easy to hit as a stationary one. You likely increase your exposure to other threats such as malware by moving the coins around. Keeping them untouched in cold storage is safer.

[nutildah]

As soon as I've read the title and topic, I've waited for someone to link this image.
What more do you people need? Whoever made this was certainly a small fellow.
In other words, no matter what advancement is made in technology in the next 100 years, there is no way for anyone to brute force 256bit keys.

There also was no way to harness electricity, until there was.

[nutildah]

If I understand it correctly it would literally take years to get even one private key. Even so it is wise to move your coins from time to time. A moving target is much harder to hit.

If the threat is brute forcing a private key this is not correct. A "moving target" is exactly as easy to hit as a stationary one.

Wouldn't they go after well-funded bitcoin addresses first? I would be hammering away at Satoshi's original address first, and then go after the XCP Burn address second.

If you move the bitcoin around then the list changes and the botmaster might be working off of outdated lists.

[bluemountain]

Here is a good site to play with password and time to brute force it.
https://www.grc.com/haystack.htm

28.23 trillion trillion trillion centuries (Assuming one hundred trillion guesses per second)

We are fine 

LOL

I don't think it is really possible to reasonably calculate a private key based on the public key.

[smooth]

If I understand it correctly it would literally take years to get even one private key. Even so it is wise to move your coins from time to time. A moving target is much harder to hit.

If the threat is brute forcing a private key this is not correct. A "moving target" is exactly as easy to hit as a stationary one.

Wouldn't they go after well-funded bitcoin addresses first? I would be hammering away at Satoshi's original address first, and then go after the XCP Burn address second.

If you move the bitcoin around then the list changes and the botmaster might be working off of outdated lists.

If you assume the ability to actually exhaust the key space (as in cosmological time scales), then sure, you (very) slightly improve your situation by creating a new key.

But if you are talking about someone taking shots in the dark at your key and hoping to get lucky (which is all that can be done in practice if the keys are drawn from the entire key space), moving it doesn't help you. It is just a likely that you move right into the path of the bullet than move out of the path.

[fbueller]

The biggest number factored
so far was "143", so elliptic curve cryptography
used in Bitcoin is secure.

Factoring is RSA, not elliptic curves.

[jonald_fyookball]

The biggest number factored
so far was "143", so elliptic curve cryptography
used in Bitcoin is secure.

Factoring is RSA, not elliptic curves.

Yes, didn't mean to imply that.
Point is still valid:   there's no
quantum speed up for public key cryptography, right?

[jonald_fyookball]

I heard somewhere that brainwallets were actually easier to crack than long strings of letters, numbers, and symbols because the computer just tests every word in the dictionary against each other in sentences.   Obviously cracking either would take a long time, but this makes logical sense.

Doesn't exactly work that way.  It depends on how many words vs. how many letters.
If you choose 10 words from a 1000 word dictionary, thats 1000^10 combinations.
If you choose 10 letters from a 62 character alphanumberic set, that's 62^10,
which is a smaller number.

[doubleredrolex]

We will have to rethink a lot of online security after quantum computers come out. Everything is going to need to use 2FA at the very least

[AGD]

Why not simply take a 200$ gun and force somebody to reveal their private key. Even if you do this with a random person you are more likely to hit the Jackpot than with any other possible brute force attack.

[hhanh00]

I'm unsure who made this image but I always like it to help illustrate the security of a 256 bit private key.

Aaaaand Topic closed!
Thanks for sharing that info!

As soon as I've read the title and topic, I've waited for someone to link this image.
What more do you people need? Whoever made this was certainly a small fellow.
In other words, no matter what advancement is made in technology in the next 100 years, there is no way for anyone to brute force 256bit keys.

This drawing is misleading because it applies to brute forcing a key. If you have a safe with 6 digits, a thief would not try to try every combination. He will use your birthday, your wife's birth day, etc first. If that doesn't work, he would drill a hole and peek through the lock tumblers. Basically, no one questions the breadth of the key space - but there might be backdoors to ECC or bugs in its implementation.

[hhanh00]

The biggest number factored
so far was "143", so elliptic curve cryptography
used in Bitcoin is secure.

Factoring is RSA, not elliptic curves.

Shor's algorithm has two parts. The quantum part finds the period and would run much faster than on a regular computer.

http://en.wikipedia.org/wiki/Shor%27s_algorithm#Discrete_logarithms

Edit: Adding reference to wikipedia.

[SomeBoy]

OK, newbie here but please bear with me because I'm sure many people reading this thread would like to ask this same question but are afraid to look noob. You keep saying not to reuse addresses and keep balances on new addresses. Now as I understand it, in order to send coins to any address the network needs to be made aware of it by means of a transaction which will be forever recorded on the blockchain with the public keys of the addresses. So what's the point in tranferring the coins to a new address if its public key is going to be made public by the transaction anyway, even if the address owner only made that single transaction using that address?

[hhanh00]

Actually the transaction only shows the public key of the address you are sending the coins from. That's why some coins are likely lost forever because they were sent to an address which is unlikely to be associated with a public/private key pair.
They are named something like "1DontSendBitCoinsHere"...

[sandykho47]

I think bot can guess private keys, but in very long time (you will dead before the bot success guess private keys)

Maybe you can guess private keys, if you have a lot of Quantum computer
Some news about quantum computer :
http://www.extremetech.com/computing/173898-the-nsa-is-building-a-quantum-computer-to-crack-encryption
http://www.pcworld.com/article/2094380/ibm-questions-the-performance-of-dwaves-quantum-computer.html

[hhanh00]

We are so far away from a working quantum computer. The best that was done was with 4 qubits. You'll need thousands to break ECC 256. But the research is ongoing so maybe one day it will be feasible.
The computer from dwave is highly suspicious. It hasn't demonstrated anything that can't be done on a classical computer with the same speed. It doesn't show state superposition which is the fundamental part of any quantum algorithm.
It may solve some problems faster than classical computers but we don't know which ones.
Unfortunately, there is a lot of fubar associated with quantum computers because they sound very cool...

In any case, there are drop-in crypto methods that are quantum computer resistant. The worst case is that a hard fork will happen and bitcoin will continue with a new algo.

[barbarousrelic]

Until the sun rises in the west and sets in the east. Until the rivers run dry, and the mountains blow in the wind like leaves. Then bots will profitably guess private keys.

[DeathAndTaxes]

OK, newbie here but please bear with me because I'm sure many people reading this thread would like to ask this same question but are afraid to look noob. You keep saying not to reuse addresses and keep balances on new addresses. Now as I understand it, in order to send coins to any address the network needs to be made aware of it by means of a transaction which will be forever recorded on the blockchain with the public keys of the addresses. So what's the point in tranferring the coins to a new address if its public key is going to be made public by the transaction anyway, even if the address owner only made that single transaction using that address?

Addresses aren't public keys.  Addresses are public key hashes (or script hashes).   Hashing functions are one way.   Knowing the hash doesn't allow anyone to know the key.  When you spend the coins you reveal the key and other nodes verify it hashes to the pubkeyhash in the output you are spending.