Birthday Paradox
How many addresses until a collision?
Spoiler: More than you can generate in a lifetime.
What is the Birthday Paradox?
In a room of just 23 people, there's a 50% chance two share a birthday. This counterintuitive probability applies to cryptographic collisions too.
For hash functions, a collision means two different inputs producing the same output. The birthday attack exploits this to find collisions faster than brute force.
Applied to Crypto Addresses
Ethereum addresses are 160 bits (40 hex chars). To have a 50% chance of collision:
sqrt(2^160) = 2^80 addresses
= 1,208,925,819,614,629,174,706,176
At 1 billion addresses/second, this takes 38 million years.
Collision Resistance Comparison
| Hash/Address Type | Bits | Possible Values | 50% Collision At | Time @ 1B/sec |
|---|---|---|---|---|
| 8-bit (demo) | 8 | 256 | ~16 | 16 nanoseconds |
| 16-bit (demo) | 16 | 65,536 | ~256 | 256 nanoseconds |
| 32-bit (demo) | 32 | 4.3 billion | ~65,536 | 65 microseconds |
| MD5 | 128 | 3.4 x 10^38 | 2^64 | 584 years |
| Ethereum Address | 160 | 1.46 x 10^48 | 2^80 | 38 million years |
| SHA-256 | 256 | 1.16 x 10^77 | 2^128 | 10^22 years |
| Bitcoin Private Key | 256 | ~2^256 | 2^128 | 10^22 years |
Key Takeaways
Birthday Math
For an n-bit hash, expect a collision after ~2^(n/2) attempts. This is why 128-bit hashes need 2^64 operations to attack, not 2^128.
160-bit is Safe
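Ethereum's 160-bit addresses require 2^80 operations for a birthday attack. Current technology can't achieve this - you're safe. Note that a birthday collision matches some pair among the addresses generated; hitting one specific, chosen address is a full 2^160 search.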
MD5 is Broken
MD5 collisions were found in 2004. Never use MD5 for security. Real collisions have been weaponized (Flame malware).
The Birthday Formula
P(collision) ≈ 1 - e^(-n²/(2H))
n = number of items (hashes generated)
H = total possible values (2^bits)
P ≈ 50% when n ≈ 1.177 × √H
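
The formula above can be checked empirically on hash sizes small enough to actually collide. The following Python sketch is an added example, not code from the original page: it truncates SHA-256 as an assumed stand-in for a short hash, and every function name in it is illustrative.

```python
import hashlib
import math
import statistics


def collision_probability(n, space):
    """P(collision) ~ 1 - e^(-n^2 / (2H)) for n items over H = space values."""
    return -math.expm1(-(n * n) / (2.0 * space))


def items_for_probability(p, space):
    """Invert the formula: n = sqrt(2H * ln(1 / (1 - p)))."""
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))


def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256, an assumed stand-in for a short hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def draws_until_collision(bits, trial):
    """Hash distinct inputs until two of them share a truncated output."""
    seen = set()
    count = 0
    while True:
        value = truncated_hash(b"trial-%d-input-%d" % (trial, count), bits)
        count += 1
        if value in seen:
            return count
        seen.add(value)


def median_draws(bits, trials=400):
    """Median number of hashes needed across independent trials."""
    return statistics.median(draws_until_collision(bits, t) for t in range(trials))


if __name__ == "__main__":
    for bits in (8, 16, 24):  # sizes small enough to collide on a laptop
        predicted = items_for_probability(0.5, 2 ** bits)
        print(f"{bits:>2}-bit: formula {predicted:,.0f}, measured {median_draws(bits):,.0f}")
    n160 = items_for_probability(0.5, 2 ** 160)
    print(f"160-bit: 50% at about 2^{math.log2(n160):.2f} addresses")
    print(f"23 people, 365 days: P = {collision_probability(23, 365):.3f}")
```

The measured medians track 1.177 × √H, slightly above the rounded √H figures in the comparison table; the gap is the constant factor, not a different exponent.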