Pages:
Author

Topic: Address reuse is simpler than alternatives and not always bad - discussion (Read 431 times)

legendary
Activity: 2268
Merit: 18492
That is the same as saying "do you confirm that the blockchain is valid as it should have been?". Software does that, not humans.
Software written by humans, and humans make mistakes. There have been critical bugs in bitcoin, such as the time we printed 92 billion out of thin air, despite the code being review by multiple competent individuals. A fork was needed to fix that particular bug. You will be unable to fork the network to recover your coins should they be stolen from you via a reused k value.

You do choose which wallet software you install, and it's plain dumb to use bad software if you know it's bad.
Obviously, but my point is that often you don't know software is flawed/bugged/vulnerable/whatever until after the incident in question. Assuming that ever piece of software you are using is completely immune to bugs or vulnerabilities is a recipe for disaster.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
And for every single transaction you make, do you confirm that the k value was generated using RFC 6979 as it should have been?
That is the same as saying "do you confirm that the blockchain is valid as it should have been?". Software does that, not humans. Humans solve the problem, and use computers to implement the solution. If humans have solved the problem with RFC 6979, you don't have to manually check if the k value is the same. The computer does it. (Of course, assuming the software has been reviewed by multiple individuals)

It is not realistic to say "Just don't use such a wallet", just as it is not realistic to say "Just don't get malware" or "Just don't be hacked".
No, it's not the same. You don't get to choose if you get a malware; you get it without consent if you're not cautious. You do choose which wallet software you install, and it's plain dumb to use bad software if you know it's bad.

Not reusing addresses protects you against such eventualities.
If we're about to take this route, usage of software that forces reuse of addresses does protect you from the eventuality of potential vulnerability exploit in more complicated software with master public keys and so on. Is it worth it? Does this discussion have any point at all?
legendary
Activity: 2268
Merit: 18492
If a software reuses k values (which is trivial to verify it does) then you shouldn't be using that software at all.
And for every single transaction you make, do you confirm that the k value was generated using RFC 6979 as it should have been? You confirm that there isn't some unknown bug or vulnerabilities in your wallet which has result in a reused k value or a piece of malware being able to feed a k value to your wallet? I very much doubt it, and even if you personally do, it's safe to say that 99.9999% of bitcoin users don't.

It is not realistic to say "Just don't use such a wallet", just as it is not realistic to say "Just don't get malware" or "Just don't be hacked".

Once such a bug or vulnerability has been discovered, then absolutely move to new software. But it is impossible to know that you shouldn't be using such software before the first time the vulnerability is exploited. Not reusing addresses protects you against such eventualities.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
More importantly, though, there have been plenty of cases in the past of buggy or vulnerable wallet software reusing k values and leading to coins being stolen.
I don't believe that's a valid argument. If a software reuses k values (which is trivial to verify it does) then you shouldn't be using that software at all. First of all, such vulnerability should make you question the development. I don't trust a developer who doesn't know that reusing a k value is prone to failure. So, you last concern should be reusing addresses, in that case. Secondly, signing the same message (which is also possible to happen), with the same k value (as you assume it reuses k) allows anyone with the signature and the message work out the private keys that were used during signing.

There is also the scenario of if you only ever use a single address, then you have a single point of failure for your entire bitcoin holdings
True, but the same applies for the seed phrase. Again, the only disadvantage, which I agree is major, is privacy related.
legendary
Activity: 2268
Merit: 18492
That's the only downside. There is no other disadvantage in re-using an address, only small advantages.
Not entirely true. Address reuse more easily allows you to be censored, although I suppose you could argue this is simply an extension of poor privacy. More importantly, though, there have been plenty of cases in the past of buggy or vulnerable wallet software reusing k values and leading to coins being stolen. Although all good wallet software will protect against this, it is unwise to consider it an impossible scenario. There is also the scenario of if you only ever use a single address, then you have a single point of failure for your entire bitcoin holdings. Better to spread it around a bit. Smiley
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
@blackhatcoiner you are correct that reuse of addresses sometimes is the best option but for most transactions we can generate addresses quickly and without any effort.
Correct.

The HUGE downside to using addresses is the huge privacy
That's the only downside. There is no other disadvantage in re-using an address, only small advantages.

Maybe there is a way to increase privacy for reused address?
There is no point. Generating another address if desired is easy to do. It's just not worth it sometimes like when you need to setup a site, and have little time to make everything work, and you don't care about your privacy of course.
legendary
Activity: 3262
Merit: 16303
Thick-Skinned Gang Leader and Golden Feather 2021
wouldn't it be easy for me to notice another address when I copy paste it?
Of course Smiley But many people are too lazy to verify the address, and malware is still profitable when it's success rate is far under 100%.
See: How to lose your Bitcoins with CTRL-C CTRL-V.
legendary
Activity: 3262
Merit: 1220
Top Crypto Casino
About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?
 - snip -

Vanity addresses are Btc address with certain starting letters that spell out words predefined in advance , basically are personalized Btc addresses that you can create using a dedicated software a nice chunk of your computing power.

Check this thread for more info about Vanity Addresses : https://bitcointalksearch.org/topic/vanitygen-vanity-bitcoin-address-generatorminer-v022-25804
legendary
Activity: 1498
Merit: 4776
Maybe there is a way to increase privacy for reused address?
If you are reusing an address, it only means you have no privacy at all, but you can use a single address while you connect your wallet through Tor which can anonymize your transactions, but anonymity is not the same as privacy. There is much more ways to privacy, like not letting many of your addresses not to link together on blockchain and also in a way central servers will not be able to link your addresses and your IP addresses.
legendary
Activity: 1232
Merit: 1080
@blackhatcoiner you are correct that reuse of addresses sometimes is the best option but for most transactions we can generate addresses quickly and without any effort. The HUGE downside to using addresses is the huge privacy problem which I think should be avoided whenever possible but you are correct sometimes especially when you need to post a address and receive long term support through it (donations) then reusing the address is beneficial.

Maybe there is a way to increase privacy for reused address?
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
It talks exactly about address reuse and an alternative to the current address-per-payment method that's widely adopted.
How's this paper related to address reuse? It first describes what's the current "status quo" of standard for payment request, namely either the address or an invoice. Then, it proposes payment amounts to be identifiers (which I'm not sure how it makes sense), because it finds it more efficient as you say. Then, exchange rate becomes somewhat relevant, and then boom; conclusion.  Tongue
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
Address reuse is sometimes needed. For example, adding a donation address saves time, in comparison with setting up a server software that automatically generates a new one in each request. It's desired if privacy isn't a concern. Another example is signature campaigns. The campaign manager saves a lot of time if he's saved addresses in a spreadsheet and doesn't request a new one each week.

How can the attacker generate an address that looks just like my address?
If he owns a lot of computational power, he can work out every, say, 6 characters possible starting combination. Example:
Code:
1111111...
1111112...
1111113...
[...]
1zzzzzx...
1zzzzzy...
1zzzzzz...
legendary
Activity: 3388
Merit: 6072
Crypto Swap Exchange
The ONLY reason to reuse an address is for simple proof verification and for static publication.
i.e. Dave send money to X here is the always same address and here is the txid and here is something signed by Dave from the sending address.

There are reasons it's done. i.e. signature campaigns, which would just about impossible to do if the participants had to give the manager a new address every week. Mistakes would be made a lot of people would not do it anyway. i.e. just keep swapping between 2 or 3 addresses.

Beyond that every wallet generates a new address every time and that should just be the way it is.

Your security / privacy is up to you if you want to sacrifice some of that for convenience that is your choice.

-Dave
copper member
Activity: 1330
Merit: 899
🖤😏
About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?

The creator of the malware could just include list of Bitcoin address from their wallet to the malware.
Well I know that, but it's the matter of similarity between your address and the atacker's.
For example if I use this address 
Code:
111113DUwES2ZNWSJztA3oBuhzfcdmiaG
all the time, wouldn't it be easy for me to notice another address when I copy paste it? How can the attacker generate an address that looks just like my address? As I said above, it is possible for the hacker to generate look alike address if they have enough time, hence the disadvantage of re-used addresses.
copper member
Activity: 1330
Merit: 899
🖤😏
About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?

However if you are using one address over and over, and if your device is compromised, the attacker then has enough time to somehow generate an address to trick you. This alone could be a disadvantage.
legendary
Activity: 3262
Merit: 16303
Thick-Skinned Gang Leader and Golden Feather 2021
I feel like this is a no-brainer: sometimes address reuse is more convenient, and I use it. In other cases it's not needed, so I use a new address.

More steep learning curve for anyone that has ever worked with an invoice number.
I like this comparison. Even though I occasionally reuse addresses, I wouldn't ask someone to pay to an address that was used before. The simple reason is that every new address gets a new label, and when it's paid, I know exactly who it was.
hero member
Activity: 2254
Merit: 831
  • fewer keys to protect
It is untrue for deterministic wallets because with them, if you have a master key or seed, you can have many child or grandchild keys from it. So your main task for security is secure your master key or seed. If you lose your master key or seed, you lose that wallet and all keys inside.

Mastering Bitcoin, Wallets
Quote
The second type of wallet is a deterministic wallet, where all the keys are derived from a single master key, known as the seed. All the keys in this type of wallet are related to each other and can be generated again if one has the original seed. There are a number of different key derivation methods used in deterministic wallets. The most commonly used derivation method uses a tree-like structure and is known as a hierarchical deterministic or HD wallet.
See explanatory graphics for HD wallets

When you open your account on a centralized exchange, they will assign one public receiving address for you that is derived from a likely grandchild private key. You don't own that key and your grandchild key belongs to a big wallet owned by that exchange.
legendary
Activity: 3500
Merit: 6205
Farewell LEO, you *will* be missed.
  • no need to advertise new address each time to receive transfer,
[...]
  • fewer keys to protect

OP, did you, by chance, got (or made) this list from one or more old posts about bitcoin?
While you do have a point and in some cases publishing only one address does make sense and has its uses - actually even bitcoin.org has one donation address, hence they're reusing it, the point related to the number of keys, as already said, it's outdated. Now people use HD wallets and only handle one seed; the history has shown that having wallets with a lot of unrelated keys is a recipe for disaster.

There is the disadvantage that a list of transactions is not obscured (in comparison to using a new address for each transaction) - so-called "privacy" issue on the Bitcoin network.

By using correctly multiple addresses, different parties will not know how many bitcoins one has. This is important, there was already at least one case with user complaining here on bitcointalk (some years ago) that somebody know all his bitcoins and now it's threatening him. So it's not something to be as easily dismissed as you do.

I will add that moving to new addresses at least now and then is beneficial also for security, at least in theory. If an address was used in the past with a wallet with bugs and - in a way or another some information was slipped online - using new addresses at least when going to new wallets can easily help one avoid bad surprises.
legendary
Activity: 2324
Merit: 5033
Non-custodial BTC Wallet
To be more precise: owners need to protect private keys and chain codes (and indices in some cases) which are kind of a synonym for "extended private keys" (as in BIP-32). Do these terms fit better?
As already mentioned, all you need to keep is your seed phrase.
To recover your wallet from your seed phrase, you also need to know what derivation path has been used for generating the addresses. Of course, since most wallets uses the common derivation paths, you usually don't need to save the derivation path.
legendary
Activity: 2268
Merit: 18492
Reusing an address encourages a sender to go retrieve the address from a list of addresses somewhere that they are maintaining, significantly increasing the risk that they accidentally retreive the wrong address. If they retrieve the wrong address from their list, it will be a valid address and the wallet software won't stop them from sending to it.
It also encourages sloppy behavior. If you are copying and pasting a brand new address you have never used before, you are far more likely to double check it properly than you are if you are copying an address you've used dozens of times before. "This address has always worked fine before, so I don't need to bother double checking it this time." And then clipboard malware means you send the coins to an attacker.

There are some coins I don't want to be mixed together at all, that is why I have labels for addresses and transactions to make categorization in my wallet, similar like I would do with old style cash wallets.
I prefer using separate wallets entirely to prevent the risk of accidental combination of UTXOs I want to keep separate. Easily done by just incrementing the account number in the derivation path or using multiple different passphrases, meaning you don't have to go through the process of generating and backing up a new seed phrase each time.

To be more precise: owners need to protect private keys and chain codes (and indices in some cases) which are kind of a synonym for "extended private keys" (as in BIP-32). Do these terms fit better?
The terms are more precise, yes, but the advice is still misleading I think. As I mentioned above, I don't think 99% of users should ever be handling raw private keys, as it is completely unnecessary for them to do so and it just opens them up to additional risk. Even fewer users should be handling their chain codes for any reason.

Just back up and protect your seed phrase and be done with it. Everything you ever need (private keys, chain codes, extended keys, etc.) can be derived from that seed phrase.
Pages:
Jump to: