What's the probability of vanity pools causing RIPEMD-160 (public key hash) collisions?

Bitcoin addresses are 160-bit numbers. Hence, randomly finding a private key corresponding to an address takes on average 2^160 attempts.

If 4 billion computers work on cracking a key doing 1 billion calculations per second for 15 billion years, they will find a total of 1.8*10^36 keys, so their chance to hit a right one is

(1.8*10^36)/(2^160) = 1.23 * 10^(-12)

which is one in a trillion. And this is only if they intentionally try to crack keys. If they just run normal vanity calculations, it doesn't matter how many keys they go over, as they'll eventually report just one key.

In the future (when the above figures may be slightly less ridicuolous), we might move on to longer key hashes.

So no, there's no risk.

Meni Rosenfeld

Posted 2012-12-12T06:18:20.317

Reputation: 18 542

I meant to describe the risk to a Public Key Hash, which is different than the public key itself. I updated the question. – goodguys_activate – 2012-12-12T14:43:31.990

If I understand it correctly, these calculations are assuming you're trying to get one particular private key, but actually there are LOTS that would be desirable. Of course, the process of actually determining whether a particular key is of value or not may mean twice as much (or more) processing time. – Highly Irregular – 2012-12-12T21:32:21.157

@makerofthings7: The numbers are for finding a collision of the public key hash. – Meni Rosenfeld – 2012-12-13T10:37:50.613

@HighlyIrregular: I think you could make an ASIC that generates addresses and matches them against a hashtable of valuable addresses. Then instead of the chance to find a collision, you'd speak about the expected value obtained from cracked addresses, which is at most 21 million BTC times the probability mentioned above. – Meni Rosenfeld – 2012-12-13T10:39:49.570

I think a small correction to your math may be needed... Bitcoin addresses are based on the 20 byte RIPE-MD part... where the Bitcoin address is based on Base58Check... (The rest is a checksum and a leading network ID) – goodguys_activate – 2012-12-25T08:02:48.863

@makerofthings7: Not sure what your point is. The RipeMD hash is a 20 byte number, meaning 160 bits. The address is a Base58Check encoding of this number (which includes a version byte and a checksum). There are 2^160 valid Bitcoin addresses. Each private key leads to one of them (for all intents and purposes, a random one). – Meni Rosenfeld – 2012-12-25T09:15:28.323

Completely agree, I don't normally think in bits and made a mistake in my own math! Thanks for the education and Merry Christmas / Happy Holidays! – goodguys_activate – 2012-12-25T15:34:21.593

Public key or private key? – Meni Rosenfeld – 2012-12-12T06:37:31.140

Now it is possible to create a vanity address that looks very similar to someone else's vanity address. But that still results in two completely separate private keys. – Stephen Gornick – 2012-12-12T07:30:23.977

@StephenGornick - I intended to say Public Key Hash collision, which is the point of vanity pools. I clarified the question. – goodguys_activate – 2012-12-12T14:42:41.350

@makerofthings7: Another's person public key hash is public, there's no need to derive it, it's already in the open. The problem is with deriving a private key which maps to this public key hash. This has essentially 0 chance of happening unintentionally. As for it happening intentionally, the chance is still negligible as detailed in my answer. – Meni Rosenfeld – 2012-12-13T10:37:04.420

What's the probability of vanity pools causing RIPEMD-160 (public key hash) collisions?

Answers