If you draw randomly (with replacement) from N numbers, you'll need to draw approximately sqrt(N) times until the probability of a collision (drawing the same number again) rises to 1/2.
For example, if you generate random keys with 128 bits, then after generating 2^64 keys you have a good (50%) chance that you've reused a key.
We are, of course, more interested in much smaller probabilities of collision, and that's why I wrote about this some time ago, giving the derivation, and the actual formula for those who just want the answer.
It's been submitted and discussed before, with some interesting comments.
Sadly, I am still getting pushback from others at my company who are either not convinced by the math or for whom any such analysis doesn't matter. "Yes, but there is still a chance of getting a duplicate, so I don't think this can be safe."
It feels a bit insane - how do you choose your secret private Bitcoin wallet key? Easy, just pick one randomly! Oh no, but someone else could pick the same key. Sure, but the probably is so vanishingly small, we really really really don't have to worry about it...
It is a bit hard to wrap your head around it, but the maths is solid (assuming, of course, that you have a good source of randomness).
Also shameless plug: https://blog.rinatussenov.com/collision-probability-and-birt...