## How long would it take a large computer to crack a private key?

43

13

I am doing a presentation on Bitcoins and I was looking for some calculations to make people feel safe about the private key encryption. Please first answer, how long in bytes the private key is, then how many combinations of numbers it will contain, and then what is the fastest computer or network of supercomputers and how long it would take to crack a private key using that computer. I think the result would be very educational based on my own calculations. Thank you.

Please explain this then. http://directory.io/ These people claim that they have all the private keys ... I guess the're not telling the truth

– None – 2013-12-01T19:30:40.947

They are telling the truth. The same way anyone who can generate the digits of Pi has all the works of literature that will ever be written. – David Schwartz – 2013-12-02T08:20:22.250

http://www.coindesk.com/bitcoin-protocol-hack-joke/ – mikeschuld – 2013-12-30T21:31:09.270

2

This answer on Security Stack Exchange is relevant: http://security.stackexchange.com/a/25392/4647

– Gary Rowe – 2012-12-18T09:29:52.740

29

how long in bytes the private key is

32 bytes, or 256 bits

then how many combinations of numbers it will contain

There are 2^256 different private keys. That's a little larger than a 1 followed by 77 zeroes.

what is the fastest computer or network of supercomputers

At its peak around August 2011, the Bitcoin network was checking 15 trillion sha256 hashes per second. (See http://bitcoin.sipa.be/)

how long it would take to crack a private key using that computer

If we assume it takes the same time to run an ECDSA operation as it takes to check an sha256 hash (it takes much longer), and we use an optimisation that allows us to only need 2^128 ECDSA operations, then the time needed can be calculated:

>>> pow(2,128) / (15 * pow(2,40)) / 3600 / 24 / 365.25 / 1e9 / 1e9
0.6537992112229596


It's 0.65 billion billion years.

That's a very conservative estimate for the time taken to break one single Bitcoin address.

Edit: it was pointed out that computers tend to get exponentially faster over time, according to Moore's Law. Assuming computing speed doubles every year (Moore's law says 2 years, but we'll err on the side of caution), then in 59 years it'll only take 1.13 years. So your coins are safe for the next 60 years without a change to the algorithms used to protect the blockchain. However, I would expect the algorithms to be changed long before it's feasible to break the protection they provide.

5Moore's Law (or similar) would probably bring that number down a bit, but not enough to matter. As long as the answer is some form of "longer than it would take to mine the coins stored at that address" we should be safe :) – David Perry – 2012-02-05T00:00:03.507

6It matters, because people deserve to know how secure their money is. – shoeless joe – 2012-02-07T21:51:58.923

2That's assuming Moore's law can continue for another 6 decades. On the other hand maybe QC is mainstream by then. – Bent Rasmussen – 2012-11-11T09:40:15.750

Great answer. Worth noting that Bitcoin's network cumulative power is now almost 10 fold the value since this answer was written. So it's "only" ~653 million years worth of computation. – nullable – 2018-01-13T09:59:42.903

16

A Bitcoin private key is a random 256-bit number. However, the public key reveals some information about the private key. The best known algorithms for breaking ECDSA require O(sqrt(n)) operations. That means 2^128 operations would be needed to break a Bitcoin account.

The largest ECDSA key broken to date of the type that Bitcoin uses was 112 bits long. A Bitcoin account is more than 4,000 billion billion times harder to break.

The only realistic risk would be quantum computing.

The O(sqrt(n)) attack is the birthday attack, which is possible in every cipher scheme. What "information about the private key" that the public key reveals are you referring to? – dionyziz – 2013-11-14T18:19:11.100

1

@dionyziz I'm not talking about the birthday attack, I'm talking about reversing an ECDSA public key to get the corresponding private key. The "information about the private key" that the public key reveals is the point corresponding to that private key multiplied by the generator. This enables the use of discrete logarithm algorithms like big step, little step.

– David Schwartz – 2013-11-14T19:28:57.637

It should also be noted that even quantum computing is only expected to reduce the time from pow(2,N) to pow(2,N/2) which although significant is not cracking it wide open. See http://en.wikipedia.org/wiki/Key_size

– Gary Rowe – 2012-02-10T09:12:28.543

3@GaryRowe You're wrong. The halving of key length applies to symmetric keys. Most asymmetric ciphers(including ECDSA which is used for bitcoint) can be broken in polynomial time with a quantum computer thanks to Shor's algorithm. To quote that wikipedia article "The general consensus is that these public key algorithms are insecure at any key size if sufficiently large quantum computers capable of running Shor's algorithm become available.". While there are quantum proof signature schemes, they'd probably bloat the blockchain a lot. – CodesInChaos – 2012-02-25T14:14:49.180

1@CodeInChaos Good points all - sorry to have introduced confusion. – Gary Rowe – 2012-02-26T20:34:05.557

well, to be more precise, sqrt(n) * ECDSA operations. And as many addresses are just hashes of the public key, you might need to do sqrt(n) * ECDSA * hashes operations. And the hashes operations are a mix of several hashes functions chained. This linearly increases the complexity in term of integer operations or CPU cycle but by a non-negligible factor (let's say 2^16) – David 天宇 Wong – 2015-11-25T15:21:22.737

3

A Bitcoin private key (ECC key) is an integer between one and about 10^77. This may not seem like much of a selection, but for practical purposes it's essentially infinite. If you could process one trillion private keys per second, it would take more than one million times the age of the universe to count them all. Even worse, just enumerating these keys would consume more than the total energy output of the sun for 32 years. This vast keyspace plays a fundamental role in securing the Bitcoin network.

1Chuck Norris told Satoshi Nakomoto what to do. – Sentinel – 2019-05-13T10:38:20.557

7Chuck Norris has counted to infinity, twice. – shoeless joe – 2016-10-09T00:13:46.313

0

2^256 = 1.1x10^77 = number of key combinations

2^128 = 3.4x10^38 = the average number of guesses needed

According to this website: http://en.wikipedia.org/wiki/TOP500, the fastest supercomputer is the K computer which has 10.51 petaflops.

A petaflop is 10^15 FLOPS, floating point instructions per second.

So far so good, but I need to know how many FLOPS are needed per guess?

[I will venture a guess:]

Between 1,000 and 10,000 FLOPS (or integer equivalents) per guess.

10.51x10^15 ops/second / 1000 to 10000 ops/guess) = 10.51x10^12 to 10.51x10^11 guess/second.

3.4x10^38 guesses/crack / 10.51x10^12 guess/second = 3.2x10^25 seconds.

3.2x10^25 seconds / 60 seconds/minute / 60 minutes/hour / 24 hours/day / 365.25 days/year = 1.01x10^18 years

1.01x10^18 years / 1x10^9 / 1x10^9 = 1.014 to 10.014 billion billion years.

So the computers on the Bitcoin network are twice as fast as the single largest laboratory computer.

number of key combinations = 2^256; average number of guesses needed = 2^256 / 2 = 2^256 * 2^-1 = 2^255, nobody noticed ? Well, it does not change the billion (of billion) years needed.. – xtof pernod – 2013-11-03T16:34:08.753

5There are exactly 0 FLOPs required to try a combination, as a FLOP is a floating-point operation, and EC math only requires integer operations. – Pieter Wuille – 2012-02-07T23:21:26.533

There has never been a computer that I have worked on that couldn't do integer math. So I would assume that the South Korean K computer can do it also. – shoeless joe – 2012-02-17T18:52:02.153

3Yes, but the proportion between speed of integer and floating point operations differs significantly between hardware. Given a certain distribution of hardware types that constitute Bitcoin's mining power, you can give an estimate, but the answer to the question "how many FLOPS are needed per guess", the answer is certainly 0. – Pieter Wuille – 2012-02-18T00:28:15.300

0

There is a vanitygen utility (check out exploitagency's version which is improved fork of samr7's version) which can give you the estimates how long it takes to find the private key for the given pattern (see: vg_output_timing_console()). Some special cases (like repeated characters) are more difficult than the other.

The difficult of finding a vanity address depends on its exact structure (leading letters and numbers) and how likely such an output is given the algorithms involved, which can consist of several pivots where the difficulty suddenly changes. bitcoin wiki

Here is the table which can be found at bitcoin wiki page which provides estimate times for cracking private keys for the given address patterns:

The example table below shows how an increasingly complex vanity affects the difficulty and average time required to find a match only for that vanity, let alone the full address, for a machine capable of looking through 1 million keys per second.

Using vanitygen you might think that you would be able to find the private key for a given address. In practice, this is considered impossible.

### Practical example

Let's create the following unspendable bitcoin address:

$unspendable.py 23456789A123456789A12345678 mainnet: 123456789A123456789A12345678Yr8Dxi  Then using vanitygen I can calculate the performance on my machine (>240 Kkey/s): $ vanitygen -q -k -o/dev/null 1
[241.29 Kkey/s][total 2880199][Found 11618]


Note: Above was tested on MacBook Pro (2.3GHz Intel Core i7, 16GB 1600MHz DDR3).

Furthermore, it can calculate the estimated time when looking for specific patterns, e.g.

• to find first 5 characters out of 26-35 (few seconds):

$vanitygen -q -k -o/dev/null 12345 [698.17 Kkey/s][total 8192][Prob 0.2%][50% in 4.5s]  • 6 first characters out of 26-35 (few minutes): $ vanitygen -q -k -o/dev/null 123456
[701.39 Kkey/s][total 51712][Prob 0.0%][50% in 4.3min]

• 7 characters out of 26-35 (few hours):

$vanitygen -q -k -o/dev/null 1234567 [471.87 Kkey/s][total 8192][Prob 0.0%][50% in 6.3h]  • 8 characters out of 26-35 (few weeks): $ vanitygen -q -k -o/dev/null 12345678
[658.82 Kkey/s][total 2548480][Prob 0.0%][50% in 10.8d]

• 9 characters out of 26-35 (few years):

$vanitygen -q -k -o/dev/null 123456789 [572.50 Kkey/s][total 1631744][Prob 0.0%][50% in 2.0y]  • 10 characters out of 26-35 (a century): $ vanitygen -q -k -o/dev/null 123456789A
[630.48 Kkey/s][total 118528][Prob 0.0%][50% in 104.2y]

• 11 characters out of 26-35 (few millennia)

$vanitygen -q -k -o/dev/null 123456789A1 [579.78 Kkey/s][total 17348352][Prob 0.0%][50% in 6571.6y]  • 12 characters out of 26-35 (hundreds of millennia): vanitygen -q -k -o/dev/null 123456789A12 [751.61 Kkey/s][total 6720512][Prob 0.0%][50% in 294013.9y]  • 13 characters out of 26-35 (thousands of millennia, few million of years): $ vanitygen -q -k -o/dev/null 123456789A123
[666.93 Kkey/s][total 3886080][Prob 0.0%][50% in 1.921802e+07y]

• 14 characters out of 26-35 (billion of years):

$vanitygen -q -k -o/dev/null 123456789A1234 [817.44 Kkey/s][total 3994880][Prob 0.0%][50% in 9.094109e+08y]  • 15 characters out of 26-35 (50 billion of years): $ vanitygen -q -k -o/dev/null 123456789A12345
[784.31 Kkey/s][total 4633856][Prob 0.0%][50% in 5.497420e+10y]

• ... 28 characters (decillion of years if you're lucky)

\$ vanitygen -q -k -o/dev/null 123456789A123456789A12345678
[910.34 Kkey/s][total 2723072][Prob 0.0%][50% in 3.981113e+33y]


It's worth to note, that the above-generated address has 34 bytes, but the first character is just the network identifier (for bitcoin it's usually 1 or 3), and the last 4 bytes is just a checksum. For more details about the address, see this bitcoin wiki page.

### Keysearch Rates

For sure keysearch rate can be increased by using a better GPU or multiple of CPUs (see: -t), but still, the estimates can be huge.

For example, here is the table of keysearch rates at bitcoin wiki page:

And here are few reports from users for different GPUs:

• i7 8700K - ~3Mkey/c
• GTX 980TI (v1.42) - ~73Mh
• GTX 1050ti - ~23 Mkey/c
• GTX 1070 - ~50Mhkey/s
• GTX 1080ti - ~108 Mkey/c

Source: List of supported GPU's (GH-46).

-1

The only realistic risk would be quantum computing.

Or the discovery of a bug or flaw in the BTC software algorithms. Then cracking could be a matter of seconds, depending on the type of the flaw.

1Hello and welcome to the StackExchange. Are you sure you didn't want to make this a comment on some other answer, rather than a self-contained answer by itself? – ThePiachu – 2013-10-29T00:59:13.510

@ThePiachu, thanks. As you might know, new users can not post comments, just answers. The moderator is welcome to fix this. (I can comment my own answers only) – David Balažic – 2013-10-29T13:13:36.423

Oh, you are a moderator. I just noticed. :-) – David Balažic – 2013-10-31T15:22:00.713

-2

The fastest computer is 150 Petraflops FPC per sec not 10 ... Try and keep up with the times (NV Link and Volta HCP Cards on IBM power processors) ... you can read or watch more at team green's website or the 2015 Conference vids on U tube. Since the general answer seems to be based on 10 Petraflops as the worlds fastest computer ... You should be clearly able to see how quickly the FPC per sec can change , The Department of Energy is planning a 300P system already based on the same technology.

The point Is that your bitcoin folks telling you how secure it is based on 10P already have the basic math wrong by 15-30 times because they evidently don't know as much as they think. The improvements are not dependent on Moore's Law either , the recent advancements and present limitations have to do with an entirely different Law which is what NV Link solved as best it could and improved computing time so well , This is just today's example of how their theory of a billion billion years is already wrong by a factor of 15-30 and will continue to become wrong each year at a much higher rate than they assume. In 30 years or less bitcoin at it's present level will be easily cracked by anyone who has 40 to 50,000 dollars to spend (in todays money) or can use any number of University or Corporate Supercomputers.

Anyone who actually believes that 50 year old technology is going to keep something digitally secure 50 years later is frankly not the kind of person you should be paying ANY attention to at all ... Does that mean bitcoin is dangerous today ? Not really but if the same folks are in charge of it's security in 30 years, are the same clueless people that are on here right now it will be.

NVLink is a technology for enabling faster and more energy-efficient communication between nodes in a supercomputer. Neither of those are really a concern if you're building a distributed key-cracker. – Nick ODell – 2015-05-21T17:47:46.080