It seems to come up every month or two on bitcointalk, IRC or any other place where newbie Bitcoiners congregate. Someone finds out that there are a finite number of Bitcoin addresses that can exist, that the addresses are chosen randomly and that there are no safeguards in place to stop someone from randomly generating the same address as someone else and stealing all of the coins at that address. All of the above is true, of course, and it is technically possible to generate someone else’s address and run away with their coins, but only in the same sense that it’s possible for one person to get hit by lightning 7 times and survive. Actually, no – even rarer, since that has actually happened and this variety of Bitcoin theft never has.
There is a classic misunderstanding at the heart of this repeated question – more accurately a failure in the way human brains comprehend large numbers. I could write many a blog post on this topic alone, but thankfully Penn & Teller have already done a bang-up job of explaining it in just under two and a half minutes. (warning, NSFW language)
The gist is: our “little monkey brains”, as Penn puts it, aren’t very good at understanding really huge numbers. Beyond a certain level we start abstracting into terms like “several” or “a bunch” and never really grasp the number itself, and beyond a somewhat higher limit, when we get into the billions and trillions (or worse yet, numbers so big they have to be expressed in scientific notation), they just become words. So when I tell you that there are 2^160 possible Bitcoin addresses, unless you’ve got a very specific educational background to overcome these limitations, you probably don’t have any concept of how big that is.
If we express 2^160 in proper scientific notation it’s about 1.46e+48. That’s still way too big for most people to comprehend, even folks who understand the scientific notation. It’s estimated, for example, that there are 10^21 grains of sand on the entire planet, which is about the biggest “everyday” comparison number I could come up with, but you’d need 1.46e+27 Earths worth of sand to have a number of sand grains equal to the number of Bitcoin addresses. In other words, if every grain of sand were actually its own entire planet just like Earth with its own 10^21 grains of sand, you’d still come up short. 1.46e+27 is a really big number!
But computers are better at dealing with big numbers than we are; we know this. I think there’s another breakdown in understanding here that leads to the perpetuation of this idea: people know computers can handle bigger numbers than they can, but they mostly have no clue what the upper limit is on what a computer can handle, and especially have no fundamental knowledge of how a Bitcoin address works.
For the geeks in the house, a Bitcoin address is the RIPEMD160 hash of the SHA256 hash of the public key of a 256-bit ECDSA keypair. For everyone else, just know that there are 2^160 of them and it takes a lot of math for a computer to generate one. But computers are good at math, too, certainly better and faster than we are, so they can do that math really fast, right? Absolutely, but not fast enough. Imagine that a specially-built chip can compute 10^12 addresses per second (1 terahash), keeping in mind that this theoretical chip is more than 30,000 times more powerful than anything currently in use for similar projects. How long would it take you to look through every single address?
The answer to this one is pretty easy – 1.46e+36 seconds or about 4.63e+28 years. Given that the sun will become a red giant and engulf the earth in 7.6e+9 years, that’s not a problem.
Okay, but to be fair you don’t have to search the entire address space, you just have to occasionally get lucky and find one address that matches every once in a while. So how often does that happen? Well as of September 2011 there were about 600,000 addresses carrying a balance. I don’t have more current data offhand but let’s be super optimistic and say that’s increased 100-fold to 60,000,000 addresses. That means that one in every 2.43e+40 addresses has coins in it, so that’s how many, on average, we’ll have to search between “hits.” Now we’re down to 2.43e+28 seconds between hits or 7.71e+20 years between hits – still several orders of magnitude longer than our blue space-marble has to live. If our current 10,057,000 BTC in existence are spread evenly across all 600,000 wallets (they’re not, but work with me) that makes each compromised address worth about 0.17BTC or about $2 at current exchange rates.
Now sure, we could get lucky and hit something within the first year, hell you could hit something with the very first hash you generate, but I think it’s important to understand how unlikely that is. You’ll generate about 1.3e+23 hashes that first year and on average you need 2.43e+40 to find coins.
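The arithmetic of the last three paragraphs, as an added example (not the post's own code): the 1 terahash per second rate and the 60,000,000 funded addresses are the post's assumptions and are passed in as parameters, so the model can be rerun with other figures. The last function goes one step beyond the post by computing, from the same inputs, the probability of at least one hit within a given number of years.

```python
# Added example (not the post's own code): the post's back-of-the-envelope
# address-collision model as reusable functions. The generation rate and the
# number of funded addresses are the caller's assumptions, as in the post.
import math

ADDRESS_SPACE = 2 ** 160               # distinct hash160 outputs
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def exhaustive_search_years(rate_per_second: float) -> float:
    """Years needed to enumerate every address at the given generation rate."""
    return ADDRESS_SPACE / rate_per_second / SECONDS_PER_YEAR

def hashes_per_hit(funded_addresses: int) -> float:
    """Expected number of random addresses generated per collision with a
    funded one; only funded addresses are worth anything to a thief."""
    return ADDRESS_SPACE / funded_addresses

def years_per_hit(rate_per_second: float, funded_addresses: int) -> float:
    """Expected years between hits at the given rate."""
    return hashes_per_hit(funded_addresses) / rate_per_second / SECONDS_PER_YEAR

def at_least_one(p: float, n: float) -> float:
    """P(at least one success in n independent trials of probability p),
    i.e. 1 - (1 - p)^n, evaluated with log1p/expm1 so that a p around 1e-41
    is not rounded away to exactly 0 by the naive formula."""
    return -math.expm1(n * math.log1p(-p))

def probability_of_hit(rate_per_second: float, funded_addresses: int,
                       years: float) -> float:
    """Probability that `years` of continuous generation hits a funded address."""
    p = funded_addresses / ADDRESS_SPACE
    n = rate_per_second * years * SECONDS_PER_YEAR
    return at_least_one(p, n)

if __name__ == "__main__":
    # The post's assumptions: a 1 TH/s chip and 60,000,000 funded addresses.
    rate, funded = 1e12, 60_000_000
    print("exhaustive search: %.2e years" % exhaustive_search_years(rate))
    print("hashes per hit:    %.2e" % hashes_per_hit(funded))
    print("years per hit:     %.2e" % years_per_hit(rate, funded))
    print("P(hit in 1 year):  %.2e" % probability_of_hit(rate, funded, 1))
```

The first three functions reproduce the post's 4.63e+28, 2.43e+40 and 7.71e+20 figures from its inputs. The `log1p`/`expm1` detail in `at_least_one` matters in practice: at this scale the per-trial probability is so far below double-precision resolution around 1.0 that `1 - (1 - p) ** n` evaluates to exactly 0, which would make the chance look like "impossible" rather than "absurdly small", and the same pitfall bites any risk estimate that multiplies tiny per-event probabilities.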
To put all these big numbers another way: Bitcoin uses the same sorts of cryptography and intractable math problems for its security as most encryption elsewhere in the world. The key space and manner of generation are also similar to many other common encryption-based systems. If Bitcoin were easily compromised because this addressing scheme were a “flaw” or “bug” then so would be every single encryption technology you use today. That would mean that your bank account, personal computer, credentials for every web site, cellular communications – basically every device that you assume is hard to eavesdrop on – would in fact be dead simple to snoop. A cryptographic failure large enough to take down Bitcoin would take down the rest of the world economy and communications infrastructure with it, so personally I wouldn’t be worried about Bitcoin at that point. Back to the first-year numbers: that means your odds are about 1 in 5.32e+15. Comparatively speaking, your odds of being struck by lightning are about 1 in 280,000, so you’re about 500,000,000,000,000,000,000 times more likely to be struck by lightning than to find an address within the first year. Since that’s also a big number, the odds are equivalent to being struck by lightning about 4.6 times in your lifetime. Now I hear some of you saying “hey, that guy up there got struck 7 times” – yeah, and that’s happened once to one person ever. Not to mention, we’re talking about the relative probability of finding a single address in a year’s worth of full-time mining. A single address worth, on average, $2. So there you go: if you’re the luckiest person who has ever lived, you can theoretically earn a maximum of $2 per year stealing wallets. I’m guessing the electricity to run the equipment will cost more.
Far more likely, folks losing their coins are either a) sending coins to bad people or b) getting their wallet.dat file and password stolen via the same mechanisms the unscrupulous have always used to run away with your digital property. Given that, such a “bug” is unlikely to be “fixed”, since nothing is really broken. Far better, it would seem, for the developers to spend their time finding ways to prevent the more likely mechanisms of theft.