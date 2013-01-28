(Although, "let the coins vanish" is as valid a plan as any.)
I think there's also a lesson about idiot-proofing APIs. With the benefit of this in hindsight, I might instead return an invalid, non-HTTP response that blows up every major HTTP client internally, so that it's impossible for the API consumer code to happily truck along interpreting a non-200 response body as if it's valid random data.
They're not cracking addresses generated by normal wallets.
I highly doubt they found a collision with a probability of 2^-136, unless they exploited some kind of bad RNG bug (in which case the probability is much higher, of course).
I'm not currently a Bitcoin user, and ambivalent about Bitcoin's virtue, but still hope that this kind of attack turns out to be fruitless and impractical.
Edit: The details are in the URL posted by alphydan; it looks like address reuse does not matter with their method.
edit: Though unrelated to this article, here is a case where address reuse (and software bugs) led to vulnerable wallets: http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-p...
Those are the addresses which are being attacked here.
The bitcoin network does over 3 quintillion (>3,000,000 trillion) hashes a second. So even if they were doing a significantly harder to compute hash -- they're still only a very small part of the computational power the bitcoin network is using.
So it's probably already more effective to attack wallets than join a mining pool.
Assuming that their hashrate was over 3 months (article says nearly a year, but they're also scaling), they had about 300 million hashes per second. Bitcoin had 3 million trillion hashes per second over the same period. So you're talking 1 to 10 billion in raw hashrate, and even with a generous challenge factor, bitcoin is using millions of times more compute power.
There were about 150 thousand bitcoins mined over that period, so 1 in 10 billion of that is 0.000015BTC.
Since they hit 3 in use accounts with the same compute effort, they almost certainly made more BTC attacking wallets with collisions.
If you figure the average active wallet has between 1 and 5 BTC (very high variance), and the wallet hash takes about 100x as long (over estimate), they made 3-15BTC vs 0.015BTC by attacking the network versus mining, or about 200-1000x as much.
Since colliders are themselves unlikely to collide (and thus competition doesn't starve out colliders), the system will only stabilize if 99%+ of miners drop out of the pool or the difficulty in finding a collision raises 1000x.
Given the sunk costs in dedicated mining rigs and that new hashes would be breaking, it seems like parasitic hashing will continue to be an issue.
On the plus side, only a one-in-a-million chance it wipes one of your accounts.
(Of course, a fluke collision with a high value account might create other problems.)
That's not how you make the calculations. The reason the idea was called stupid is because the math doesn't add up. My guess is that these 3 private keys had weaknesses in them. Even the probability that they were found by "luck" is way far off.
Given merge mining is possible, I'd assume with some tweaking side-colliding + mining is possible. So if it was profitable miners would already be doing it.
Google found a SHA-1 collision (160 bit hash, same size but different method) in 9 quintillion hashes (plus some crypto work). The article claims they found a collision against 3 of millions of targets in 3 quadrillion hashes (likely plus some crypto work). Given the birthday paradox, it's not a priori impossible.
Could you explain why you don't believe their attack is mere hash collisions?
OP_1 [compressed pubkey] [0x02, 29 random bytes, 3 byte counter] OP_2 OP_CHECKMULTISIG
A new compressed pubkey must be generated every 2^24 iterations.
You compute a sha256 midstate from the first 64 bytes, then restore and compute over the rest of the script for each subsequent iteration, then ripemd160 the output. Very easy to GPU accelerate.
The slowest part of address generation is the elliptic curve math, and this avoids it entirely for most iterations, only needing to to refresh the public key when the counter rolls over.
The deflation issue is what is really addressed here, where no new coins will be introduced at a given point. Whether new coin arrives or not, is really not an issue. An analogy would be the use of pennies if all the paper money went missing.
This would basically make Bitcoin Keynesian, since coin stored in wallets would now decay with a given probability. So you would have to invest it at least a little to beat the decay (shrinkage) rate.
Then you conflated losing some percentage of your cash assets due to inflation, which can happen even if the money supply does not change, to losing all of your cash assets with some probability. The former encourages investment, while the latter encourages not holding cash at all.
But when you have the private keys, your Bitcoin doesn't "decay". On the contrary, it becomes more scarce, and therefore more valuable.
Once the primary way of gaining bitcoins is hacking wallets, the longer a bitcoin is behind the same private key, the longer that given wallet is a target.
