Birthday Paradox
How many addresses until a collision?
Spoiler: More than you can generate in a lifetime.
What is the Birthday Paradox?
In a room of just 23 people, there's a 50% chance two share a birthday. This counterintuitive probability applies to cryptographic collisions too.
For hash functions, a collision means two different inputs producing the same output. The birthday attack exploits this to find collisions faster than brute force.
Applied to Crypto Addresses
Ethereum addresses are 160 bits (40 hex chars). To have a 50% chance of collision:
sqrt(2^160) = 2^80 addresses
= 1,208,925,819,614,629,174,706,176
At 1 billion addresses/second, this takes 38 million years.
Collision Resistance Comparison
| Hash/Address Type | Bits | Possible Values | 50% Collision At | Time @ 1B/sec |
|---|---|---|---|---|
| 8-bit (demo) | 8 | 256 | ~16 | 16 nanoseconds |
| 16-bit (demo) | 16 | 65,536 | ~256 | 256 nanoseconds |
| 32-bit (demo) | 32 | 4.3 billion | ~65,536 | 65 microseconds |
| MD5 | 128 | 3.4 x 10^38 | 2^64 | 584 years |
| Ethereum Address | 160 | 1.46 x 10^48 | 2^80 | 38 million years |
| SHA-256 | 256 | 1.16 x 10^77 | 2^128 | 10^22 years |
| Bitcoin Private Key | 256 | ~2^256 | 2^128 | 10^22 years |
Key Takeaways
Birthday Math
For an n-bit hash, expect a collision after ~2^(n/2) attempts. This is why a 128-bit hash takes 2^64 operations to attack, not 2^128.
160-bit is Safe
Ethereum's 160-bit addresses require 2^80 operations for a birthday attack. Current technology can't achieve this - you're safe.
MD5 is Broken
MD5 collisions were found in 2004. Never use MD5 for security. Real collisions have been weaponized (Flame malware).
The Birthday Formula
P(collision) ≈ 1 - e^(-n²/2H)
n = number of items (hashes generated)
H = total possible values (2^bits)
P ≈ 50% when n ≈ 1.177 × √H
Why Cryptocurrency Addresses Resist Collisions
The birthday paradox is the single most important counterintuitive result in cryptographic hash analysis. Naively, a 160-bit hash like the one used to create an Ethereum address feels overwhelmingly large: 2^160 is roughly 1.46 × 10^48 possible values. But the math of repeated random sampling tells us that the first collision - any two distinct inputs producing the same output - is expected after only about 2^80 attempts. That square-root reduction is the price every cryptographic hash function pays for being deterministic and pseudorandom. It is why modern hash functions are sized so that 2^(n/2) is still computationally infeasible.
For Ethereum, 2^80 work corresponds to roughly 1.21 × 10^24 hash operations. Running 100 modern GPUs that each compute 1 billion hashes per second, you would still need 38 million years to find a single random collision. That is the gap between "theoretically possible" and "practically impossible." The 256-bit hashes used inside Bitcoin transactions push this gap further: their collision threshold is 2^128, a number that requires energy on the order of an entire star to even approach. This is the reason you can rely on a wallet address generated today still being unique tomorrow, next year, and centuries from now.
Collision vs. Preimage: A Common Confusion
People often conflate two different attacks. A collision is any pair of inputs hashing to the same output - the attacker does not get to choose which two. A preimage is finding any input that hashes to a specific given output, and a second preimage is finding a different input that matches a specific known input's output. Brute-forcing a particular Bitcoin private key is a second-preimage problem with cost 2^160 (for the address hash) or 2^256 (for the private key itself). Collisions, in contrast, only need 2^(n/2) work. That is why cryptographers talk about hash sizes in birthday terms: a "128-bit security level" means you need at least a 256-bit hash so that 2^128 is the collision-finding cost.
For day-to-day cryptocurrency users, the practical implication is clear. Two strangers generating wallets independently will never accidentally land on the same address. The probability of even a single collision across the entire global usage of Bitcoin and Ethereum to date is so close to zero that no statistical model can distinguish it from impossible.
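The two costs contrasted above, and the birthday formula from earlier on the page, measured on a deliberately tiny hash. This is an added example, not part of the original page; `truncated_hash` (the top bits of SHA-256) and the constructed input strings are assumptions chosen so the search finishes in seconds.

```python
import hashlib
import itertools
import math
import statistics

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256: an assumed stand-in for a small n-bit hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def collision_probability(n: int, space: int) -> float:
    """The page's formula: P(collision) ≈ 1 - e^(-n²/2H), with H = space."""
    return -math.expm1(-(n * n) / (2 * space))

def draws_until_collision(bits: int, trial: int) -> int:
    """Hash distinct inputs until ANY two outputs match (birthday search)."""
    seen = set()
    for count in itertools.count(1):
        h = truncated_hash(f"c{trial}:{count}".encode(), bits)  # constructed input
        if h in seen:
            return count
        seen.add(h)

def draws_until_second_preimage(bits: int, trial: int) -> int:
    """Hash distinct inputs until one matches a FIXED, pre-chosen output."""
    target = truncated_hash(f"victim{trial}".encode(), bits)  # constructed input
    for count in itertools.count(1):
        if truncated_hash(f"p{trial}:{count}".encode(), bits) == target:
            return count

def compare(bits: int, trials: int = 200) -> dict:
    """Measured cost of each search next to the predicted cost."""
    space = 2 ** bits
    coll = [draws_until_collision(bits, t) for t in range(trials)]
    pre = [draws_until_second_preimage(bits, t) for t in range(trials)]
    return {
        "median_collision": statistics.median(coll),
        "predicted_median": 1.177 * math.sqrt(space),   # P ≈ 50% point
        "mean_second_preimage": statistics.mean(pre),
        "predicted_mean": space,                         # 2^n
    }

if __name__ == "__main__":
    for bits in (8, 10, 12):
        print(bits, compare(bits))
```

Each extra bit doubles the second-preimage cost but multiplies the collision cost by only √2, which is why the gap between the two columns widens as `bits` grows.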
Birthday Paradox & Collision FAQ
What is the birthday paradox in cryptography?
The birthday paradox is the surprising probability result that in a group of 23 people, two share a birthday with about 50% probability - far fewer than you might expect. Applied to hashes, it means a collision (two inputs producing the same output) is found after roughly 2^(n/2) attempts on an n-bit hash, not 2^n.
Can two people generate the same Bitcoin or Ethereum address?
In theory yes, in practice no. Ethereum addresses are 160 bits, so the birthday-paradox collision threshold is 2^80 ≈ 10^24 addresses. Generating that many is beyond any current or foreseeable technology. Bitcoin addresses share the same 160-bit hash truncation and the same threshold.
Is Ethereum at risk of an address collision attack?
Not against random attackers. A 160-bit collision requires roughly 2^80 hash operations - about 1.2 × 10^24. Even at one trillion hashes per second, finding a collision would take 38 million years. Targeted second-preimage attacks (finding a key for a specific address) are even harder, requiring 2^160 work.
What is the difference between a collision and a preimage attack?
A collision finds any two inputs hashing to the same value (work: 2^(n/2)). A second-preimage attack finds a different input that matches a specific given output (work: 2^n). Brute-forcing a specific Bitcoin private key is a preimage problem, which is far harder than the birthday problem.
Has any cryptocurrency address collision ever been observed?
No publicly recorded random collisions exist. There have been concerns about specific weak vanity-address generators (notably Profanity) where intentional collision-style attacks recovered keys, but those were due to weak entropy, not the hashing being broken.