
I am generating ECC private keys. However, I noticed that since an ECC private key is just a BigInteger, e.g. secp256k1 says the private key is anywhere between [0~2^256-1].

My question is, if everyone is using Random(32) to generate a 32-byte private key, there is an unlikely but still possible situation where 2 people could generate the same private key, and therefore also the same public key.

So if this happens on a blockchain like Bitcoin or Ethereum, does that mean those 2 people are in theory sharing the same account, or wallet address?

Maybe I am missing some details here. Please guide me.

Edit:

Thanks for everyone's answers here.

The reason why I was asking this is because, first, I wonder if there is any protection against collisions in the system. However, if there is, and you are told you had a collision, that basically means you figured out someone else's private key...

The second reason is, I was considering generating a long (64 bits) and then casting it into a BigInteger (32 bytes) to be the private key. However, that will have a much higher collision chance due to the fact that I will only have a private key space of 2^64.

linehrr
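As an added example (not code from the question or from any answer), the following Python shows how a secp256k1 private key is normally generated and what the questioner's "cast a 64-bit long into a 32-byte BigInteger" idea does to the key. The curve order `SECP256K1_N` is the published secp256k1 group order; a valid scalar is in [1, n-1], not the full [0, 2^256-1] range. `generate_private_key` draws 32 bytes from the OS CSPRNG and rejects out-of-range values, which keeps the result uniform; `private_key_from_64bit_seed` is a hypothetical helper that reproduces the 64-bit scheme only to make its entropy loss visible (the top 24 bytes of every such key are zero).

```python
import secrets

# Order n of the secp256k1 base point. A valid private key is an integer in
# [1, n-1]; 0 and values >= n are rejected by secp256k1 libraries, so the
# usable space is a hair smaller than the [0, 2^256-1] quoted in the question.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_valid_private_key(key: int, n: int = SECP256K1_N) -> bool:
    """True iff key is a usable scalar for a curve with group order n."""
    return 1 <= key < n


def generate_private_key(n: int = SECP256K1_N) -> int:
    """Uniformly random private key in [1, n-1] drawn from the OS CSPRNG.

    Rejection sampling: draw 32 random bytes, retry if the value is 0 or >= n.
    Because n is only slightly below 2^256 the retry almost never triggers, and
    the result stays uniform (reducing mod n instead would bias small keys).
    """
    while True:
        candidate = int.from_bytes(secrets.token_bytes(32), "big")
        if is_valid_private_key(candidate, n):
            return candidate


def private_key_from_64bit_seed(seed: int) -> int:
    """Hypothetical: the scheme the question's edit considers, a 64-bit value
    zero-extended to a 256-bit scalar. The key is the same integer, so only
    2^64 distinct keys are ever reachable, whatever the curve order is."""
    if not 0 <= seed < 2**64:
        raise ValueError("seed must be an unsigned 64-bit value")
    return seed


def key_to_bytes(key: int) -> bytes:
    """32-byte big-endian encoding, the form wallets import and export."""
    return key.to_bytes(32, "big")


def leading_zero_bytes(key_bytes: bytes) -> int:
    """Number of leading 0x00 bytes; many of them is a sign of a low-entropy key."""
    return len(key_bytes) - len(key_bytes.lstrip(b"\x00"))


if __name__ == "__main__":
    good = generate_private_key()
    weak = private_key_from_64bit_seed(secrets.randbits(64))
    print("CSPRNG key, leading zero bytes:", leading_zero_bytes(key_to_bytes(good)))
    print("64-bit-seed key, leading zero bytes:", leading_zero_bytes(key_to_bytes(weak)))
```

Run it a few times: the CSPRNG key almost never starts with a zero byte, while every 64-bit-seed key starts with at least 24 of them, which is exactly the 2^64 key space the edit worries about, encoded in plain sight.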

2 Answers


Assume that there are $2^{50}$ keys out there. Then the chance of calculating one of these keys by chance is ${2^{50} \over 2^{255}}$ for each calculation, or a chance of one in $2^{205}$. Now say that you generate $2^{64}$ keys; then you'd still only have a chance of one out of $2^{91}$ of hitting the right key.

Note that making sure that you hit a key would, however, require $2^{50}$ tests, and knowledge of $2^{50}$ operations by the public key, of course. To test a single key the situation is significantly worse: the chance of finding it after $2^{64}$ tries is only one out of $2^{191}$.

Chances of hitting the right key increase somewhat if you make sure that you don't generate the same key again. For instance, you could start at a specific value and then simply test each following value. But that won't increase your chances by much, and the calculation is too hairy to do here.

This is always what cryptography relies on: that you cannot just guess the private key. There is no cryptosystem to protect against that. And there doesn't need to be because the chance of generating a matching private key is negligible.

And think about it, I could guess the value of a coin as well. There is no protection against that either.


Note that a chance of one in $2^{91}$ is one in 2475880078570760549798248448 or one in 2 octillion 475 septillion 880 sextillion 78 quintillion 570 quadrillion 760 trillion 549 billion 798 million 248 thousand 448 (using the short scale).

Maarten Bodewes

It's worse than that. There can be a collision even using different private keys.

Each (standard) Bitcoin transaction to you is sent to a 160-bit hash of your public key (a.k.a. your address). Anyone who owns a public key that has the same hash will be able to spend your coins. So that's 80 bits of security, since only half of the keyspace has to be searched, on average, before a match is found [EDIT: a 50% probability of finding a match between two previously searched keys, not necessarily ones on the blockchain. See comments.]

The Bitcoin blockchain has ~30 million (25 bits of) public key hashes available to be spent right now. To find a match for any of them, this drops your search space by 25 bits, down to 135 bits, leaving 67.5 bits of security "overall".

If two different public keys produce the same hash, and both sign for the same UTXO at the same time, it would be up to the miner to choose which one makes it in.

Another bit or so of security is lost because the public keys are hashed twice to make the address, so it's possible for the first hash to be different yet produce a matching second hash.

dsharhon
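As an added worked example (not part of either answer), the following Python evaluates the probabilities both answers reason about, directly from the inputs they quote: Maarten Bodewes's $2^{50}$ existing keys and $2^{64}$ attempts in the 256-bit secp256k1 scalar space, and dsharhon's ~30 million ($2^{25}$) addresses in the 160-bit address space. It also covers the questioner's edit by treating keys derived from a 64-bit long as a 64-bit key space; the user counts used for that case ($2^{25}$ and $2^{32}$) are constructed. The two formulas are the exact "hit one of $N$ targets in $T$ tries", $1-(1-N/K)^T$, and the birthday bound for a collision among $N$ keys, $1-e^{-N(N-1)/2K}$; both are evaluated with `log1p`/`expm1` so that values around $2^{-200}$ do not underflow to zero, and results are returned as $\log_2$ of the probability.

```python
import math


def log2_prob_hit_any(targets: int, tries: int, keyspace_bits: int) -> float:
    """log2 of P(at least one of `tries` fresh uniform keys equals one of
    `targets` keys already in use) in a keyspace of size K = 2**keyspace_bits.

    Exact formula 1 - (1 - targets/K)**tries, evaluated via log1p/expm1 so
    that probabilities around 2**-200 stay representable as floats.
    """
    if targets <= 0 or tries <= 0:
        return -math.inf
    p_single = min(1.0, targets / 2**keyspace_bits)  # P(one try hits some target)
    if p_single >= 1.0:
        return 0.0                                   # every try is a hit
    log_miss_all = tries * math.log1p(-p_single)     # ln P(every try misses)
    return math.log2(-math.expm1(log_miss_all))      # log2 P(at least one hit)


def log2_prob_any_collision(n_keys: int, keyspace_bits: int) -> float:
    """log2 of P(some pair among n_keys independent uniform keys coincides):
    the birthday bound 1 - exp(-n(n-1) / 2K) with K = 2**keyspace_bits."""
    if n_keys < 2:
        return -math.inf
    exponent = -(n_keys * (n_keys - 1)) / (2 * 2**keyspace_bits)  # exact int ratio -> float
    return math.log2(-math.expm1(exponent))


def scenarios() -> dict:
    """Worked numbers for the situations discussed in the thread.
    Inputs are the ones quoted in the answers; the 64-bit-key user counts are constructed."""
    return {
        # Maarten Bodewes's setting: 2^50 keys in use, 2^64 random draws, 256-bit scalars
        "hit one of 2^50 keys, 2^64 tries, 256-bit space": log2_prob_hit_any(2**50, 2**64, 256),
        "hit one fixed key, 2^64 tries, 256-bit space": log2_prob_hit_any(1, 2**64, 256),
        # dsharhon's setting: ~2^25 spendable addresses in the 160-bit hash space
        "hit one of 2^25 addresses, single try, 160-bit space": log2_prob_hit_any(2**25, 1, 160),
        "hit one of 2^25 addresses, 2^64 tries, 160-bit space": log2_prob_hit_any(2**25, 2**64, 160),
        "birthday collision among 2^25 addresses, 160-bit space": log2_prob_any_collision(2**25, 160),
        # the question's edit: keys derived from a 64-bit long (constructed user counts)
        "birthday collision among 2^25 keys, 64-bit space": log2_prob_any_collision(2**25, 64),
        "birthday collision among 2^32 keys, 64-bit space": log2_prob_any_collision(2**32, 64),
    }


if __name__ == "__main__":
    for name, log2_p in scenarios().items():
        print(f"{name}: 2^{log2_p:.2f}")
```

Each value is $\log_2$ of a probability, so $-142$ means one chance in $2^{142}$. The single-try 160-bit figure reproduces the "search space drops by 25 bits to 135 bits" reasoning in the second answer. The 64-bit rows are the point of the questioner's edit: with $2^{25}$ users the chance that some two of them share a key is already about $2^{-15}$, and with $2^{32}$ users it is roughly 39%, whereas the same population in the 256-bit space sits far below $2^{-100}$.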