
Stealing Bitcoins the Hard(est) Way

It seems to come up every month or two on bitcointalk, IRC or any other place where newbie Bitcoiners congregate. Someone finds out that there are a finite number of Bitcoin addresses that can exist, that the addresses are chosen randomly and that there are no safeguards in place to stop someone from randomly generating the same address as someone else and stealing all of the coins at that address. All of the above is true, of course, and it is technically possible to steal someone’s address and run away with their coins, but only in the same sense that it’s possible for one person to get hit by lightning 7 times and survive. Actually, no – it’s even rarer, since that has actually happened and this variety of Bitcoin theft never has.

There is a classic misunderstanding at the heart of this repeated question – more accurately a failure in the way human brains comprehend large numbers. I could write many a blog post on this topic alone, but thankfully Penn & Teller have already done a bang-up job of explaining it in just under two and a half minutes. (warning, NSFW language)

The gist is: our “little monkey brains,” as Penn puts it, aren’t very good at understanding really huge numbers. Beyond a certain level we start abstracting into terms like “several” or “a bunch” and never really grasp the number itself. Beyond a somewhat higher limit, when we get into the billions and trillions – or worse yet, numbers so big they have to be expressed in scientific notation – they just become words. So when I tell you that there are 2^160 possible Bitcoin addresses, unless you’ve got a very specific educational background to overcome these limitations, you probably don’t have any concept of how big that is.

If we express 2^160 in proper scientific notation it’s about 1.46e+48. That’s still way too big for most people to comprehend, even folks who understand the scientific notation. It’s estimated, for example, that there are 10^21 grains of sand on the entire planet, which is about the biggest “everyday” comparison number I could come up with, but you’d need 1.46e+27 Earths’ worth of sand to have a number of sand grains equal to the number of Bitcoin addresses. In other words, if every grain of sand were actually its own entire planet just like Earth with its own 10^21 grains of sand, you’d still come up short. 1.46e+27 is a really big number!

But computers are better at dealing with big numbers than us, we know this. I think there’s another breakdown in understanding here that leads to the perpetuation of this idea: people know computers can handle bigger numbers than they can, but they mostly have no clue what the upper limit is on what a computer can handle and especially have no fundamental knowledge of how a Bitcoin address works.

For the geeks in the house, a Bitcoin address is the RIPEMD160 hash of the SHA256 hash of the public key of a 256-bit ECDSA keypair. For everyone else, just know that there are 2^160 of them and it takes a lot of math for a computer to generate one. But computers are good at math, too, certainly better and faster than we are, so they can do that math really fast, right? Absolutely, but not fast enough. Imagine that a specially-built chip can compute 10^12 addresses per second (1 terahash) – keeping in mind that this theoretical chip is more than 30,000 times more powerful than anything currently in use for similar projects – how long would it take you to look through every single wallet?

The answer to this one is pretty easy – 1.46e+36 seconds or about 4.63e+28 years. Given that the sun will become a red giant and engulf the earth in 7.6e+9 years, that’s not a problem.

Okay, but to be fair you don’t have to search the entire address space, you just have to occasionally get lucky and find one address that matches every once in a while. So how often does that happen? Well as of September 2011 there were about 600,000 addresses carrying a balance. I don’t have more current data offhand but let’s be super optimistic and say that’s increased 100-fold to 60,000,000 addresses. That means that one in every 2.43e+40 addresses has coins in it, so that’s how many, on average, we’ll have to search between “hits.” Now we’re down to 2.43e+28 seconds between hits or 7.71e+20 years between hits – still several orders of magnitude longer than our blue space-marble has to live. If our current 10,057,000 BTC in existence are spread evenly across all 600,000 wallets (they’re not, but work with me) that makes each compromised address worth about 0.17BTC or about $2 at current exchange rates.

Now sure, we could get lucky and hit something within the first year, hell you could hit something with the very first hash you generate, but I think it’s important to understand how unlikely that is. You’ll generate about 1.3e+23 hashes that first year and on average you need 2.43e+40 to find coins.

To put all these big numbers another way: Bitcoin uses the same sorts of encryption and intractable math problems for its security as most encryption elsewhere in the world. The key space and manner of generation are also similar to many other common encryption-based systems. If Bitcoin were easily compromised because this addressing scheme were a “flaw” or “bug” then so would every single encryption technology you use today. That would mean that your bank account, personal computer, credentials for every web site, cellular communications – basically every device that you assume is hard to eavesdrop on would in fact be dead simple to snoop. A cryptological failure large enough to take down Bitcoin would take down the rest of the world economy and communications infrastructure with it, so personally I wouldn’t be worried about Bitcoin at that point.

That means your odds are about 1 in 5.32e+15. Comparatively speaking, your odds of being struck by lightning are about 1 in 280,000, so you’re about 500,000,000,000,000,000,000 times more likely to be struck by lightning than to find an address within the first year. Since that’s also a big number, the odds are equivalent to being struck by lightning about 4.6 times in your lifetime. Now I hear some of you saying “hey that guy up there got struck 7 times” – yeah, and that’s happened once to one person ever. Not to mention, we’re talking about the relative probability of finding a single address in a year’s worth of full-time mining. A single address worth, on average, $2. So there you go, if you’re the luckiest person who has ever lived, you can theoretically earn a maximum of $2 per year stealing wallets – I’m guessing the electricity to run the equipment will cost more.

Far more likely, folks losing their coins are either a) sending coins to bad people or b) getting their wallet.dat file and password stolen via the same mechanisms the unscrupulous have always used to run away with your digital property. To that end, such a “bug” is unlikely to be “fixed” since nothing is really broken. Far better, it would seem, for the developers to spend their time finding ways to prevent the more likely mechanisms of theft.
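The search-time estimates can be recomputed from the article's stated inputs (2^160 addresses, a chip generating 10^12 addresses per second, 60,000,000 funded addresses). The Python below is an added example, not the author's code, and its function names are illustrative. It also computes the chance of at least one hit in a year of attempts with `expm1`/`log1p`, because the naive floating-point expression rounds to exactly zero at these magnitudes.

```python
import math

ADDRESS_SPACE = 2 ** 160               # size of a RIPEMD160 output, per the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year

def years_to_enumerate(rate_per_s, space=ADDRESS_SPACE):
    """Years needed to generate every possible address once."""
    return space / rate_per_s / SECONDS_PER_YEAR

def attempts_between_hits(funded, space=ADDRESS_SPACE):
    """Mean number of random addresses generated per funded address found."""
    return space / funded

def years_between_hits(funded, rate_per_s, space=ADDRESS_SPACE):
    """Mean waiting time, in years, between hits at a given generation rate."""
    return attempts_between_hits(funded, space) / rate_per_s / SECONDS_PER_YEAR

def naive_hit_probability(attempts, funded, space=ADDRESS_SPACE):
    """1 - (1 - p)**n in plain floats: (1 - p) rounds to 1.0, so this is 0.0."""
    return 1.0 - (1.0 - funded / space) ** attempts

def hit_probability(attempts, funded, space=ADDRESS_SPACE):
    """P(at least one hit in `attempts` tries), stable for tiny p."""
    p = funded / space
    return -math.expm1(attempts * math.log1p(-p))

if __name__ == "__main__":
    rate = 10 ** 12        # the article's hypothetical 1-terahash chip
    funded = 60_000_000    # the article's optimistic count of funded addresses
    one_year = int(rate * SECONDS_PER_YEAR)  # attempts made in one year
    print(f"address space:          {ADDRESS_SPACE:.2e}")
    print(f"years to enumerate all: {years_to_enumerate(rate):.2e}")
    print(f"attempts between hits:  {attempts_between_hits(funded):.2e}")
    print(f"years between hits:     {years_between_hits(funded, rate):.2e}")
    print(f"naive P(hit in 1 year): {naive_hit_probability(one_year, funded)}")
    print(f"P(hit in 1 year):       {hit_probability(one_year, funded):.2e}")
```

Changing `rate` or `funded` by several orders of magnitude shows how little the conclusion depends on the exact inputs.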


Comments

    • says

      Yeah, but brain wallets are a whoooole other can of worms. I'm talking about addresses generated at random, the way most standard Bitcoin clients do it, not addresses generated as the hash of a passphrase, which is only as strong as the chosen passphrase.

      • unicornpoo says

        > brain wallets are a whoooole other can of worms.

        Sorry for derailing the discussion. Maybe an essay on attack vectors in cryptography would be a good future topic?


  1. runeks says

    Good article. But your accuracy decreases towards the end.

    "That means your odds are about 1 in 5.32e+15. Comparatively speaking, your odds of being struck by lightning are about 1 in 280,000, so you're about 500,000,000,000,000,000,000 times more likely to be struck by lightning than to find an address within the first year."

    If the odds of finding an address are 1 in 5e+15 and the odds of being struck by lightning are 1 in 280,000, you are about 18000000000 times more likely to be struck by lightning. You've written a 5 and 20 zeros, which is even more than just 5e+15.

    "Since that's also a big number, the odds are equivalent to being struck by lightning at the moment of your birth and then being continually struck 208 billion times per second until you died at an average age of 80 – ignoring the laws of physics that would seem to prevent lightning striking anything 208 billion times per second of course."

    Watch your probability math here. The chance of getting struck by lightning three times is not 1 in (280,000*3) it's 1 in 280,000^3. So the chance of finding the right address is about the same as getting struck by lightning three times.

    • says

      Fair point, I think I need to rewrite that section when I don't have quite so much cough syrup in me. Sick as a dog today but I saw this crop up yet AGAIN in IRC and figured it needed to be addressed.

      To all who actually read the comments, my math in this section is wrong, disregard it but know that my conclusion that you aren't getting your address brute-forced still stands (just not as strongly – it might happen before the sun dies out, but definitely not before you do). I will fix as soon as I trust myself to do math again :(

  2. eric says

    An observation I like to make is that 21000000/(TOTAL NUMBER OF POSSIBLE ADDRESSES) is always going to be really really small and that's the expected value of making an address in search of free satoshis.

    • says

      Good point, that’s probably a better metric with easier math than a lot of what I did up there. 21,000,000/2^160 is the ultimate idealistic number, since it assumes that no coins have ever been lost and all coins have been generated – neither of which are true, but both of which do present the best-case scenario for the attacker. In that case, each hash is worth about 1.4e-41 and requiring almost 7e+32 hashes per 0.00000001 BTC gained. OUCH.

      It’s probably also important to note that, aside from ASICs, the equipment that would be useful for brute-forcing addresses would also be quite good for mining, which by the above math will almost certainly be much more profitable. The system is explicitly designed to reward playing nicely.

  3. says

    Very interesting article and thank you for clearing it up

    It does leave the issue that there is a chance that some day, maybe someone might end up possibly generating a new address which has many hundreds or thousands of bitcoin stored in..

    I can't believe that there is really no safeguard to stop this happening

  4. Nick says

    Thank you for this excellent article. I'm not good in math, I even have problems to count the eggs in my fridge. But with your explanation you have clarified many questions about bitcoin safety for me. Thank you very much and keep on blogging!

