Yakamoto
July 24, 2014, 06:26:56 PM
Here is the database of all bitcoin addresses and private keys http://directory.io Good luck finding an address with funds

This is brilliant. I haven't actually tested one to see if they work, but you should add a "search" function to this!

I'm more-so against this. This would make it too easy to steal back coins, and it would pretty much just wreck the Bitcoin ecosystem altogether. I think that this could create HUGE disruptions already, and I start to worry more and more as people begin to use this. Isn't this just a giant database that you can use to steal coins with?

DeathAndTaxes
Gerald Davis
July 24, 2014, 06:30:34 PM Last edit: July 24, 2014, 07:55:09 PM by DeathAndTaxes
I can even type in directory.io/904625697166532776746648320380374280100293470930272690489102837043110636675 and it will give me new keys, just like every other page.
Each page has ~60 private keys. 904625697166532776746648320380374280100293470930272690489102837043110636675 * 60 = 2^256 = all possible keypairs. The website is just a calculator. It appears to have all private keys. Your calculator can display large numbers when requested; it doesn't mean it needs to store every number that exists. Private keys are just large numbers. It is just starting at a specific number (60 * page number) and generating the next 60 keys in sequence.

Let's say for a second they did compute and store all those keys; it would require ~7 x 10^78 bytes of storage space. The NSA recently built an exabyte-scale datacenter for $1.5 billion. An exabyte is one million 1TB drives. It would take 8x10^60 datacenters like the NSA facility to store all those records. Do you think they might just be playing a joke on you?
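
Added example, not part of any post in this thread and not the site's code: a sketch of the "calculator" described above, which derives the private keys for any page number on demand and stores nothing. The page size of 128 keys, page 1 starting at key 1, and the uncompressed WIF output are assumptions; with that page size the last page of the secp256k1 key range is exactly the page number quoted in the thread.

```python
import hashlib

# Order of the secp256k1 group: valid Bitcoin private keys are 1 .. N-1.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
PER_PAGE = 128  # assumption: keys shown per page
# Page number quoted in the thread.
QUOTED_PAGE = 904625697166532776746648320380374280100293470930272690489102837043110636675
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def wif(key: int) -> str:
    """Encode a private key in uncompressed Wallet Import Format (Base58Check)."""
    raw = b"\x80" + key.to_bytes(32, "big")
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out


def page_range(page: int, per_page: int = PER_PAGE):
    """First and last private key on a page, computed from the page number alone."""
    first = (page - 1) * per_page + 1
    if page < 1 or first >= N:
        raise ValueError("page outside the key space")
    return first, min(page * per_page, N - 1)


def page_keys(page: int, per_page: int = PER_PAGE):
    """Generate the page's keys when asked; no database is involved."""
    first, last = page_range(page, per_page)
    return [wif(k) for k in range(first, last + 1)]


def page_of(key: int, per_page: int = PER_PAGE) -> int:
    """Page on which a given private key would appear."""
    if not 1 <= key < N:
        raise ValueError("not a valid secp256k1 private key")
    return (key - 1) // per_page + 1


if __name__ == "__main__":
    print("last page matches quoted page:", page_of(N - 1) == QUOTED_PAGE)
    print("first key on page 1:", page_keys(1)[0])
    print("keys on last page:", len(page_keys(QUOTED_PAGE)))
```

Every key "appears" on some page, but finding the page for a funded address still requires knowing its private key, which is the same brute-force problem as before.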

hhanh00
July 24, 2014, 06:44:40 PM
And yet, they got ~1.8 BTC in donations.

Yakamoto
July 24, 2014, 06:48:17 PM
I can even type in directory.io/904625697166532776746648320380374280100293470930272690489102837043110636675 and it will give me new keys, just like every other page.
Each page has ~60 private keys. So 904625697166532776746648320380374280100293470930272690489102837043110636675 is ~= 2^256. It is just a calculator (for those bad at math) to appear like they have all private keys. Your calculator can display large numbers. Does that mean it stores every single possible number inside the calculator or does it perform large numbers. Private keys are just large numbers. Let's say for a second they did compute all those keys. That would be ~7 x 10^78 bytes to store all possible keys. The NSA recently built an exabyte-scale datacenter for $1.5 billion. An exabyte is one million 1TB drives. It would take 8x10^60 datacenters to store that many records and it would use more matter than our entire planet and consume more power than what is used by the entire human race. Do you think they might just be playing a joke on you?

Ugh, I am such a fool... Thanks for showing me how much of an idiot I was being, probably didn't get enough sleep last night... Yeah I'm a moron, I get it. Didn't think anything through and fell right for it...

DeathAndTaxes
July 24, 2014, 06:56:01 PM
Didn't think anything through and fell right for it...
Don't feel bad; you aren't the first and you won't be the last. For your penance you can explain it to the next 10 people who get alarmed by the threat of this website.

There is a similar website which is down now: http://ismyprivatekeystolen.com/ It asks the user for their private key so they can search to see if it has been stolen. Luckily it is just a PSA which then warns the user about providing private keys to untrusted websites. They used this site for inspiration: http://ismycreditcardstolen.com/

BADecker
July 24, 2014, 06:59:50 PM
Anything is possible. If the bots can guess one private key, they won't be able to guess a second one for untold ages. If technology somehow increases to make it possible for bots to start guessing keys on a regular basis, the same technology will be applied to the encryption, making it harder than ever for the bots to guess a key.

jonald_fyookball
July 24, 2014, 07:17:55 PM
What is unclear to me now, though, is why is this different from just receiving a single transaction with multiple inputs (for example dust gathered from a wallet and sent out).
In both cases you have multiple inputs, so why is it a problem if they were sent in separate transactions vs together?
I may misunderstand the question, but all that matters is multiple unique messages (sub txns) being signed with the same key and same k. If that happens the k value can be recovered and from the k value the private key. It doesn't matter if this occurs in a single txn (spending multiple outputs) or multiple txns (each spending one output). If either k is unique or the key is unique then it is infeasible to recover k. Obviously k "should" be unique and if it is there is no risk of reusing an address (at least not due to k exploit). If however you were unlucky and used a wallet with the flawed Android PRNG you would still be safe if each key only had a single input to spend.

You did misunderstand the question, but that's only because my thinking was so confused to begin with. I got the answer I was looking for. Somehow I thought that getting 2 inputs to the same address would be the same exact thing, whether or not they were from different transactions. I see they are not... 2 inputs can be separate and each signed for when they are inputs, but when combined into a single output, it now is just 1 input again for the next address to sign for.

e4xit
July 24, 2014, 07:21:22 PM
snip
There is a similar website which is down now: http://ismyprivatekeystolen.com/ It asks the user for their private key so they can search to see if it has been stolen. Luckily it is just a PSA which then warns the user about providing private keys to untrusted websites. They used this site for inspiration: http://ismycreditcardstolen.com/
snip

Holy shit that is a good one! Not seen that one before.

nutildah (OP)
July 24, 2014, 08:08:11 PM
If technology somehow increases to make it possible for bots to start guessing keys on a regular basis, the same technology will be applied to the encryption, making it harder than ever for the bots to guess a key.
Yep, in the back of my mind I was thinking this but was more or less just playing devil's advocate the whole time. It will also be interesting to see if quantum computers can be used to speed up the mining process, but I'm not holding my breath.

nutildah (OP)
July 24, 2014, 08:39:28 PM
Just for fun, this is an address of a brainwallet hacker: 1brain7kAZxPagLt2HRLxqyc3VgGSa1GR https://bitcointalk.org/index.php?topic=347828.0
He's pretty good at it.

Lauda
July 24, 2014, 09:07:27 PM
This drawing is misleading because it applies to brute forcing a key. If you have a safe with 6 digits, a thief would not try to try every combination. He will use your birthday, your wife's birth day, etc first. If that doesn't work, he would drill a hole and peek through the lock tumblers. Basically, no one questions the breadth of the key space - but there might be backdoors to ECC or bugs in its implementation.
That's like brute forcing with a few parameters. You try something relevant from my life, when all that fails you start trying random numbers. How exactly is someone going to guess my private key if they know my birthday?

bitllionaire
July 25, 2014, 12:47:20 AM
I think that will be difficult in the near future

R2D221
July 25, 2014, 02:05:30 AM
If computers can break private keys consistently, then Bitcoin would not be the only thing affected. With such power, one could hack anything, get all the encrypted information of any kind (not just money is encrypted, you know), and basically rule the world if they like.

hhanh00
July 25, 2014, 04:09:07 AM
This drawing is misleading because it applies to brute forcing a key. If you have a safe with 6 digits, a thief would not try to try every combination. He will use your birthday, your wife's birth day, etc first. If that doesn't work, he would drill a hole and peek through the lock tumblers. Basically, no one questions the breadth of the key space - but there might be backdoors to ECC or bugs in its implementation.
That's like brute forcing with a few parameters. You try something relevant from my life, when all that fails you start trying random numbers. How exactly is someone going to guess my private key if they know my birthday?

Some people use brainwallets that are derived from their birthday or other data that they find easy to remember.

nutildah (OP)
July 25, 2014, 07:33:39 AM
This drawing is misleading because it applies to brute forcing a key. If you have a safe with 6 digits, a thief would not try to try every combination. He will use your birthday, your wife's birth day, etc first. If that doesn't work, he would drill a hole and peek through the lock tumblers. Basically, no one questions the breadth of the key space - but there might be backdoors to ECC or bugs in its implementation.
That's like brute forcing with a few parameters. You try something relevant from my life, when all that fails you start trying random numbers. How exactly is someone going to guess my private key if they know my birthday?

Some people use brainwallets that are derived from their birthday or other data that they find easy to remember.

Earlier today I tried the experiment of seeing how long it would take a bot to hack a simple brainwallet (too simple) pass phrase. The word I used was "fart" and the deposit was swooped up literally IMMEDIATELY. As in, the same second! The bot paid a fee of 0.00001 BTC and has been pretty successful. You can see it hacked "password" on 7/11, "aaaaa" on 7/16 and again on 7/22. I know there's a relationship between the length of a pass phrase and the time it takes to crack it but I still thought <1 sec hacktime was pretty remarkable.

Sheldor333
July 25, 2014, 08:52:52 AM
Well, when quantum computers come along we will be in trouble, but that will not happen all at once, and not everyone will be able to buy a quantum computer. Bitcoin will have to be updated to compensate for that, and after that it should be safe, but things like brain wallets won't unless you have used something that doesn't exist online; even then there might be a possibility you are not safe. It will still depend on how smart the attacker is.

The00Dustin
July 25, 2014, 10:05:26 AM
Earlier today I tried the experiment of seeing how long it would take a bot to hack a simple brainwallet (too simple) pass phrase. The word I used was "fart" and the deposit was swooped up literally IMMEDIATELY. As in, the same second!
The bot paid a fee of 0.00001 BTC and has been pretty successful. You can see it hacked "password" on 7/11, "aaaaa" on 7/16 and again on 7/22.
I know there's a relationship between the length of a pass phrase and the time it takes to crack it but I still thought <1 sec hacktime was pretty remarkable.

I'm not sure why I'm explaining this since your previous post in this very same thread was a link to a thread that probably explains the same, but the brain wallets you refer to were probably "hacked" before the deposits were ever made and then monitored. A bot is used to monitor those addresses and immediately redirect funds, but it isn't really "hacking" addresses that have funds, it is generating addresses based on parameters and then monitoring them for deposits. This is no different than setting up a regular wallet with a bot to redirect all deposits except that the regular wallet derived without parameters is unlikely to have collisions while the wallet derived from simple dictionary passwords is very likely to have exact matches.
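
Added example, not part of any post in this thread: a passphrase audit that models the mechanism described above, where the work is done before any deposit exists and a later deposit only costs one table lookup. It assumes the classic brainwallet derivation (private key = SHA-256 of the passphrase), compares private keys directly instead of deriving addresses, and uses a small constructed wordlist that includes the phrases named in the thread.

```python
import hashlib
import secrets

# Order of the secp256k1 group; a private key must lie in 1 .. N-1.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "aaaaa", "fart", "123456", "letmein", "bitcoin"]


def brainwallet_key(passphrase: str) -> int:
    """Classic brainwallet derivation: private key = SHA-256(passphrase)."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def precompute(words):
    """Built once, before any deposit: derived key -> phrase."""
    return {brainwallet_key(w): w for w in words}


def audit(passphrase: str, table) -> bool:
    """True if the phrase's key is already in a precomputed table."""
    return brainwallet_key(passphrase) in table


def exposed_deposits(deposits, table):
    """deposits: (label, private_key) pairs. Each check is one dict lookup,
    which is why a monitoring bot reacts within the same second."""
    return [label for label, key in deposits if key in table]


def random_key() -> int:
    """What a regular wallet does: 256 bits from the OS CSPRNG, in range."""
    while True:
        k = secrets.randbits(256)
        if 1 <= k < N:
            return k


if __name__ == "__main__":
    table = precompute(WORDLIST)
    deposits = [("brainwallet 'fart'", brainwallet_key("fart")),
                ("random wallet", random_key())]
    print(exposed_deposits(deposits, table))
```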

Baitty
July 25, 2014, 11:05:26 AM
It's so unlikely that we might as well not even talk about it. People could have a shot at the dark by changing some numbers/letters, but there is no foolproof system of guessing private keys and never will be.

amaclin
July 25, 2014, 11:34:09 AM
Earlier today I tried the experiment of seeing how long it would take a bot to hack a simple brainwallet (too simple) pass phrase. The word I used was "fart" and the deposit was swooped up literally IMMEDIATELY. As in, the same second!
The bot paid a fee of 0.00001 BTC and has been pretty successful. You can see it hacked "password" on 7/11, "aaaaa" on 7/16 and again on 7/22.
I know there's a relationship between the length of a pass phrase and the time it takes to crack it but I still thought <1 sec hacktime was pretty remarkable.
Thank you.

nutildah (OP)
July 25, 2014, 06:38:54 PM
I'm not sure why I'm explaining this since your previous post in this very same thread was a link to a thread that probably explains the same,
I'm not sure why I have to explain to you it doesn't.

but the brain wallets you refer to were probably "hacked" before the deposits were ever made and then monitored. A bot is used to monitor those addresses and immediately redirect funds, but it isn't really "hacking" addresses that have funds, it is generating addresses based on parameters and then monitoring them for deposits. This is no different than setting up a regular wallet with a bot to redirect all deposits except that the regular wallet derived without parameters is unlikely to have collisions while the wallet derived from simple dictionary passwords is very likely to have exact matches.

OK thanks for the clarification. It is good to know the difference. But the end result is the same: a user thinks they are generating their own, private address and they're not and their funds get stolen.