Topic: Address reuse is simpler than alternatives and not always bad - discussion (Read 432 times)

legendary
Activity: 2268
Merit: 18503
That is the same as saying "do you confirm that the blockchain is valid as it should have been?". Software does that, not humans.
Software written by humans, and humans make mistakes. There have been critical bugs in bitcoin, such as the time we printed 92 billion out of thin air, despite the code being reviewed by multiple competent individuals. A fork was needed to fix that particular bug. You will be unable to fork the network to recover your coins should they be stolen from you via a reused k value.

You do choose which wallet software you install, and it's plain dumb to use bad software if you know it's bad.
Obviously, but my point is that often you don't know software is flawed/bugged/vulnerable/whatever until after the incident in question. Assuming that every piece of software you are using is completely immune to bugs or vulnerabilities is a recipe for disaster.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
And for every single transaction you make, do you confirm that the k value was generated using RFC 6979 as it should have been?
That is the same as saying "do you confirm that the blockchain is valid as it should have been?". Software does that, not humans. Humans solve the problem, and use computers to implement the solution. If humans have solved the problem with RFC 6979, you don't have to manually check if the k value is the same. The computer does it. (Of course, assuming the software has been reviewed by multiple individuals)

It is not realistic to say "Just don't use such a wallet", just as it is not realistic to say "Just don't get malware" or "Just don't be hacked".
No, it's not the same. You don't get to choose if you get a malware; you get it without consent if you're not cautious. You do choose which wallet software you install, and it's plain dumb to use bad software if you know it's bad.

Not reusing addresses protects you against such eventualities.
If we're about to take this route, usage of software that forces reuse of addresses does protect you from the eventuality of potential vulnerability exploit in more complicated software with master public keys and so on. Is it worth it? Does this discussion have any point at all?
legendary
Activity: 2268
Merit: 18503
If a software reuses k values (which is trivial to verify it does) then you shouldn't be using that software at all.
And for every single transaction you make, do you confirm that the k value was generated using RFC 6979 as it should have been? You confirm that there isn't some unknown bug or vulnerability in your wallet which has resulted in a reused k value or a piece of malware being able to feed a k value to your wallet? I very much doubt it, and even if you personally do, it's safe to say that 99.9999% of bitcoin users don't.

It is not realistic to say "Just don't use such a wallet", just as it is not realistic to say "Just don't get malware" or "Just don't be hacked".

Once such a bug or vulnerability has been discovered, then absolutely move to new software. But it is impossible to know that you shouldn't be using such software before the first time the vulnerability is exploited. Not reusing addresses protects you against such eventualities.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
More importantly, though, there have been plenty of cases in the past of buggy or vulnerable wallet software reusing k values and leading to coins being stolen.
I don't believe that's a valid argument. If a software reuses k values (which is trivial to verify it does) then you shouldn't be using that software at all. First of all, such a vulnerability should make you question the development. I don't trust a developer who doesn't know that reusing a k value is prone to failure. So, your last concern should be reusing addresses, in that case. Secondly, signing the same message (which is also possible to happen), with the same k value (as you assume it reuses k) allows anyone with the signature and the message to work out the private keys that were used during signing.

There is also the scenario of if you only ever use a single address, then you have a single point of failure for your entire bitcoin holdings
True, but the same applies for the seed phrase. Again, the only disadvantage, which I agree is major, is privacy related.
legendary
Activity: 2268
Merit: 18503
That's the only downside. There is no other disadvantage in re-using an address, only small advantages.
Not entirely true. Address reuse more easily allows you to be censored, although I suppose you could argue this is simply an extension of poor privacy. More importantly, though, there have been plenty of cases in the past of buggy or vulnerable wallet software reusing k values and leading to coins being stolen. Although all good wallet software will protect against this, it is unwise to consider it an impossible scenario. There is also the scenario of if you only ever use a single address, then you have a single point of failure for your entire bitcoin holdings. Better to spread it around a bit. :)
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
@blackhatcoiner you are correct that reuse of addresses sometimes is the best option but for most transactions we can generate addresses quickly and without any effort.
Correct.

The HUGE downside to using addresses is the huge privacy
That's the only downside. There is no other disadvantage in re-using an address, only small advantages.

Maybe there is a way to increase privacy for reused address?
There is no point. Generating another address if desired is easy to do. It's just not worth it sometimes like when you need to setup a site, and have little time to make everything work, and you don't care about your privacy of course.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
wouldn't it be easy for me to notice another address when I copy paste it?
Of course :) But many people are too lazy to verify the address, and malware is still profitable when its success rate is far under 100%.
See: How to lose your Bitcoins with CTRL-C CTRL-V.
legendary
Activity: 3290
Merit: 1221
Top Crypto Casino
About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?
 - snip -

Vanity addresses are Btc addresses with certain starting letters that spell out words predefined in advance; basically, they are personalized Btc addresses that you can create using dedicated software and a nice chunk of your computing power.

Check this thread for more info about Vanity Addresses : https://bitcointalksearch.org/topic/vanitygen-vanity-bitcoin-address-generatorminer-v022-25804
legendary
Activity: 1512
Merit: 4795
Maybe there is a way to increase privacy for reused address?
If you are reusing an address, it only means you have no privacy at all, but you can use a single address while you connect your wallet through Tor, which can anonymize your transactions, but anonymity is not the same as privacy. There are many more ways to privacy, like not letting many of your addresses link together on the blockchain, and also in a way that central servers will not be able to link your addresses and your IP addresses.
legendary
Activity: 1232
Merit: 1080
@blackhatcoiner you are correct that reuse of addresses sometimes is the best option but for most transactions we can generate addresses quickly and without any effort. The HUGE downside to using addresses is the huge privacy problem which I think should be avoided whenever possible but you are correct sometimes especially when you need to post a address and receive long term support through it (donations) then reusing the address is beneficial.

Maybe there is a way to increase privacy for reused address?
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
It talks exactly about address reuse and an alternative to the current address-per-payment method that's widely adopted.
How's this paper related to address reuse? It first describes what's the current "status quo" of standard for payment request, namely either the address or an invoice. Then, it proposes payment amounts to be identifiers (which I'm not sure how it makes sense), because it finds it more efficient as you say. Then, exchange rate becomes somewhat relevant, and then boom; conclusion. :P
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
Address reuse is sometimes needed. For example, adding a donation address saves time, in comparison with setting up a server software that automatically generates a new one in each request. It's desired if privacy isn't a concern. Another example is signature campaigns. The campaign manager saves a lot of time if he's saved addresses in a spreadsheet and doesn't request a new one each week.

How can the attacker generate an address that looks just like my address?
If he owns a lot of computational power, he can work out every, say, 6 characters possible starting combination. Example:
Code:
1111111...
1111112...
1111113...
[...]
1zzzzzx...
1zzzzzy...
1zzzzzz...
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
The ONLY reason to reuse an address is for simple proof verification and for static publication.
i.e. Dave send money to X here is the always same address and here is the txid and here is something signed by Dave from the sending address.

There are reasons it's done, i.e. signature campaigns, which would be just about impossible to do if the participants had to give the manager a new address every week. Mistakes would be made, and a lot of people would not do it anyway, i.e. just keep swapping between 2 or 3 addresses.

Beyond that every wallet generates a new address every time and that should just be the way it is.

Your security / privacy is up to you; if you want to sacrifice some of that for convenience, that is your choice.

-Dave
copper member
Activity: 1330
Merit: 899
🖤😏
About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?

The creator of the malware could just include a list of Bitcoin addresses from their wallet in the malware.
Well I know that, but it's the matter of similarity between your address and the attacker's.
For example if I use this address
Code:
111113DUwES2ZNWSJztA3oBuhzfcdmiaG
all the time, wouldn't it be easy for me to notice another address when I copy paste it? How can the attacker generate an address that looks just like my address? As I said above, it is possible for the hacker to generate a lookalike address if they have enough time, hence the disadvantage of re-used addresses.
copper member
Activity: 1330
Merit: 899
🖤😏
About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?

However if you are using one address over and over, and if your device is compromised, the attacker then has enough time to somehow generate an address to trick you. This alone could be a disadvantage.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I feel like this is a no-brainer: sometimes address reuse is more convenient, and I use it. In other cases it's not needed, so I use a new address.

More steep learning curve for anyone that has ever worked with an invoice number.
I like this comparison. Even though I occasionally reuse addresses, I wouldn't ask someone to pay to an address that was used before. The simple reason is that every new address gets a new label, and when it's paid, I know exactly who it was.
hero member
Activity: 2254
Merit: 831
  • fewer keys to protect
It is untrue for deterministic wallets because with them, if you have a master key or seed, you can have many child or grandchild keys from it. So your main task for security is to secure your master key or seed. If you lose your master key or seed, you lose that wallet and all keys inside.

Mastering Bitcoin, Wallets
Quote
The second type of wallet is a deterministic wallet, where all the keys are derived from a single master key, known as the seed. All the keys in this type of wallet are related to each other and can be generated again if one has the original seed. There are a number of different key derivation methods used in deterministic wallets. The most commonly used derivation method uses a tree-like structure and is known as a hierarchical deterministic or HD wallet.
See explanatory graphics for HD wallets

When you open your account on a centralized exchange, they will assign one public receiving address for you that is derived from a likely grandchild private key. You don't own that key and your grandchild key belongs to a big wallet owned by that exchange.
legendary
Activity: 3500
Merit: 6205
Looking for campaign manager? Contact icopress!
  • no need to advertise new address each time to receive transfer,
[...]
  • fewer keys to protect

OP, did you, by chance, get (or make) this list from one or more old posts about bitcoin?
While you do have a point and in some cases publishing only one address does make sense and has its uses - actually even bitcoin.org has one donation address, hence they're reusing it - the point related to the number of keys, as already said, is outdated. Now people use HD wallets and only handle one seed; history has shown that having wallets with a lot of unrelated keys is a recipe for disaster.

There is the disadvantage that a list of transactions is not obscured (in comparison to using a new address for each transaction) - so-called "privacy" issue on the Bitcoin network.

By correctly using multiple addresses, different parties will not know how many bitcoins one has. This is important; there was already at least one case of a user complaining here on bitcointalk (some years ago) that somebody knew all his bitcoins and was now threatening him. So it's not something to be dismissed as easily as you do.

I will add that moving to new addresses at least now and then is beneficial also for security, at least in theory. If an address was used in the past with a wallet with bugs and - in a way or another some information was slipped online - using new addresses at least when going to new wallets can easily help one avoid bad surprises.
legendary
Activity: 2380
Merit: 5178
To be more precise: owners need to protect private keys and chain codes (and indices in some cases) which are kind of a synonym for "extended private keys" (as in BIP-32). Do these terms fit better?
As already mentioned, all you need to keep is your seed phrase.
To recover your wallet from your seed phrase, you also need to know what derivation path has been used for generating the addresses. Of course, since most wallets use the common derivation paths, you usually don't need to save the derivation path.
legendary
Activity: 2268
Merit: 18503
Reusing an address encourages a sender to go retrieve the address from a list of addresses somewhere that they are maintaining, significantly increasing the risk that they accidentally retrieve the wrong address. If they retrieve the wrong address from their list, it will be a valid address and the wallet software won't stop them from sending to it.
It also encourages sloppy behavior. If you are copying and pasting a brand new address you have never used before, you are far more likely to double check it properly than you are if you are copying an address you've used dozens of times before. "This address has always worked fine before, so I don't need to bother double checking it this time." And then clipboard malware means you send the coins to an attacker.

There are some coins I don't want to be mixed together at all, that is why I have labels for addresses and transactions to make categorization in my wallet, similar like I would do with old style cash wallets.
I prefer using separate wallets entirely to prevent the risk of accidental combination of UTXOs I want to keep separate. Easily done by just incrementing the account number in the derivation path or using multiple different passphrases, meaning you don't have to go through the process of generating and backing up a new seed phrase each time.

To be more precise: owners need to protect private keys and chain codes (and indices in some cases) which are kind of a synonym for "extended private keys" (as in BIP-32). Do these terms fit better?
The terms are more precise, yes, but the advice is still misleading I think. As I mentioned above, I don't think 99% of users should ever be handling raw private keys, as it is completely unnecessary for them to do so and it just opens them up to additional risk. Even fewer users should be handling their chain codes for any reason.

Just back up and protect your seed phrase and be done with it. Everything you ever need (private keys, chain codes, extended keys, etc.) can be derived from that seed phrase.
member
Activity: 115
Merit: 68
I think it is not true. See the example of the extended private key: xprv9wTYmMFdV23N2TdNG573QoEsfRrWKQgWeibmLntzniatZvR9BmLnvSxqu53Kw1UmYPxLgboyZQa XwTCg8MSY3H2EU4pWcQDnRnrVA1xe8fs Can't anybody determine what the next private key in the chain is?
You are confusing individual private keys with extended private keys. Individual private keys are used to generate addresses. Extended private keys are used to generate child private keys.
To be more precise: owners need to protect private keys and chain codes (and indices in some cases) which are kind of a synonym for "extended private keys" (as in BIP-32). Do these terms fit better?
hero member
Activity: 2254
Merit: 831
Change address is important to control your privacy levels.
Change
Address reuse

Blockchain explorers can identify your transactions as self-transfers, address reused or combine your inputs in same wallet.

https://blockstream.info/tx/13ae94ae542b118cc913ac0290c1b4ae82ed999fe7737b2c8043731a923b6d6a
https://blockchair.com/bitcoin/transaction/13ae94ae542b118cc913ac0290c1b4ae82ed999fe7737b2c8043731a923b6d6a

They can trace your transaction and give it a privacy score. You can pick some random transactions on blockchain explorers and use two block explorers (blockchair.com and Blockstream.info) to check its privacy.
hero member
Activity: 882
Merit: 5811
not your keys, not your coins!
  • no need to advertise new address each time to receive transfer,
I think this is the main one. Commonly used for recurring payments such as in signature or avatar campaigns on this very forum.

  • less risk of mistake on sender side,
  • less steep learning curve (e.g. for IBAN users),
Since they should verify before sending, I don't think this really applies. Same as when using IBANs, where you should double-check it before sending funds.

  • fewer keys to protect
This is not really true ever since HD wallets and seed phrases are a thing. Nobody really uses and backs up individual private keys anymore. When we say 'not your keys', we usually mean 'not your seed phrase' or 'not your seed phrases'.



I have reused addresses (campaign payments), however I'm aware of those UTXOs and take my own precautions to make sure I still keep my privacy. It's not nearly as newbie-friendly as just using new addresses every time (since you seem to suggest that it's newbie-friendly to reuse.. I'd actually beg to differ).
legendary
Activity: 2212
Merit: 7060
Cashback 15%
I don't see much advantage of reusing same address, unless this is your only public donation address, or you are using it to receive payments from same client/company.
Address management is very important for privacy and with modern bitcoin wallets you only need to have one seed phrase to keep safe, and that can generate as many public addresses as you want.
There are some coins I don't want to be mixed together at all, that is why I have labels for addresses and transactions to make categorization in my wallet, similar like I would do with old style cash wallets.
One-for-all address is big no go for me, but people can do whatever they want.
legendary
Activity: 3360
Merit: 4570
I think that there are some advantages of reusing an address:
  • no need to advertise new address each time to receive transfer,

This is a disadvantage, not an advantage.  By "advertising" a new address each time to receive a transfer, I can know exactly who sent me a payment, and why just by looking at the address it was sent to.  If I reuse an address, I can't distinguish one payment from another.

  • less risk of mistake on sender side,

I disagree.  An address has a checksum built into it. So, if a sender makes a mistake typing it, then the mistake will be immediately identified by any reasonable wallet software and they will be unable to send to the wrong address.  Reusing an address encourages a sender to go retrieve the address from a list of addresses somewhere that they are maintaining, significantly increasing the risk that they accidentally retrieve the wrong address. If they retrieve the wrong address from their list, it will be a valid address and the wallet software won't stop them from sending to it.

  • less steep learning curve (e.g. for IBAN users),

More steep learning curve for anyone that has ever worked with an invoice number.

  • fewer keys to protect

It's just as difficult to protect a single key as it is to protect a thousand keys. Furthermore, if you use a new address each time, then it doesn't matter if a key is somehow accidentally leaked once the funds that were received at that address have been spent. And, to top it all off, if you fail to protect a single key of a reused address, you'll lose ALL of your funds; if you fail to protect a single key of a non-reused address, you'll only lose that single payment, and still retain control of all your other funds.

Advertisement an address is simpler vs maintenance of a system that advertises many unique ones.

That depends a bit on your specific use case.  For most users, it isn't any simpler or more complicated.  You just run your wallet software, and tell your sender what address to send to.

Also, a reused ("catch-all") address gives an opportunity to mitigate some of phishing attacks because other sources (trusted ones, e.g. friends, self-made or external directory) could validate an address.

Actually, it increases the risk of a phishing attack.  If I re-use an address, then a phishing attack can create an address that looks similar to my "usual address".  Since my friends will be conditioned to expect that particular address, they are MUCH more likely not to notice the small difference. On the other hand, if I use a new address every time, my friends and I are far more likely to put verification processes in place.

Moreover, storing and keeping many addresses is more complex for a sender (imagine choosing the best/valid address among hundreds of them pertaining to a recipient).

Why would a sender need to store or keep addresses?  They are useless once they've been used. There is nothing for them to "choose". I'll send them a new one for the next payment.

Lastly, protection is simpler for one private key than many of them (even if they are generated in a deterministic way like BIP-32 or BIP-39).

I disagree.  The difficulty of protecting a single key is exactly the same as the difficulty of protecting multiple keys.
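The checksum point made in the post above, as an added Python example that is not part of the thread: a Base58Check decoder rejects a mistyped address, but accepts a different well-formed address that was picked from the wrong row of a list or swapped in on the clipboard. The addresses are built from made-up 20-byte hashes, and `make_address` and `classify` are hypothetical helper names.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def checksum(payload):
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version, hash160):
    raw = bytes([version]) + hash160
    raw += checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is written as a literal '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(addr):
    """Return (version, hash160) or raise ValueError describing the defect."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("character %r is not in the Base58 alphabet" % ch)
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        raise ValueError("decoded length is %d bytes, expected 25" % len(raw))
    if checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("checksum mismatch")
    return raw[0], raw[1:21]


def make_address(seed):
    """Constructed sample address: the 'hash160' is just a truncated SHA-256 of a label."""
    return b58check_encode(0x00, hashlib.sha256(seed).digest()[:20])


def classify(pasted, intended):
    """What a sender-side check can and cannot tell about a pasted address."""
    try:
        b58check_decode(pasted)
    except ValueError as exc:
        return "rejected: %s" % exc
    if pasted != intended:
        # The checksum is satisfied, so only a comparison against an
        # independently obtained copy of the address catches this case.
        return "valid address, but not the intended recipient"
    return "ok"


if __name__ == "__main__":
    recipient = make_address(b"constructed recipient A")
    other = make_address(b"constructed recipient B")
    swap = "z" if recipient[10] != "z" else "y"
    typo = recipient[:10] + swap + recipient[11:]
    for label, addr in (("typo", typo), ("wrong row", other), ("correct", recipient)):
        print(label, addr, "->", classify(addr, recipient))
```
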
legendary
Activity: 2268
Merit: 18503
Seed may make backup easier while it does not replace the need for protection of private keys. It is important distinction.
I have not backed up the vast majority of my private keys, only my seed phrases. I haven't even looked at the vast majority of my private keys. There is no need to, and indeed, exporting and handling raw private keys is an unnecessary risk for the vast majority of bitcoin users. If you are using a BIP39 or other HD wallet, then all you need to back up is your seed phrase.

I think it is not true. See the example of the extended private key: xprv9wTYmMFdV23N2TdNG573QoEsfRrWKQgWeibmLntzniatZvR9BmLnvSxqu53Kw1UmYPxLgboyZQa XwTCg8MSY3H2EU4pWcQDnRnrVA1xe8fs Can't anybody determine what the next private key in the chain is?
You are confusing individual private keys with extended private keys. Individual private keys are used to generate addresses. Extended private keys are used to generate child private keys.

If someone compromises an individual private key, then they compromise that address only.
If someone compromises an extended private key, then they compromise that address and all child addresses. They cannot compromise sibling or parent addresses without additional information.
member
Activity: 115
Merit: 68
If a private key is compromised then all its child keys (and even parent keys in some cases) are compromised too. It's not viable to revoke a private key without revoking all its child keys. Is it incorrect?

Incorrect.
Disagree if BIP-32 is considered. There is the specification of child private key derivation from a parent one (which doesn't have to be a master key): "(...) knowing an extended private key allows reconstruction of all descendant private keys (...)". QED.

An attacker needs both the child private key and the master public key (xpub) in order to re-calculate the master private key (xprv). Take note it doesn't apply to hardened keys.
That's correct for that particular case of master private key. It doesn't say anything about the need to protect child private keys.
member
Activity: 115
Merit: 68
If a private key is compromised then all its child keys (and even parent keys in some cases) are compromised too.
If a private key is compromised, it has nothing to do with other private keys.
If your seed phrase is compromised, all your private keys are compromised.
I think it is not true. See the example of the extended private key: xprv9wTYmMFdV23N2TdNG573QoEsfRrWKQgWeibmLntzniatZvR9BmLnvSxqu53Kw1UmYPxLgboyZQa XwTCg8MSY3H2EU4pWcQDnRnrVA1xe8fs Can't anybody determine what the next private key in the chain is? I look forward to responses. I expect that there will be the same answers.

It's not viable to revoke a private key without revoking all its child keys. Is it incorrect?
What do you mean by "revoking a private key"? I don't understand this.
I mean a decision not to use a private key anymore (as a result of it being compromised for example).
legendary
Activity: 2380
Merit: 5178
Disagree. It would be too simple to protect just seed phrase. In reality and by definition, all private keys (master + child ones) together with the seed phrase need protection. Seed may make backup easier while it does not replace the need for protection of private keys.
If your seed phrase is kept safely, then all your private keys are safe as well. You are not going to keep each of your private keys in a separate location. All you need to keep is your seed phrase.


If a private key is compromised then all its child keys (and even parent keys in some cases) are compromised too.
If a private key is compromised, it has nothing to do with other private keys.
If your seed phrase is compromised, all your private keys are compromised.


It's not viable to revoke a private key without revoking all its child keys. Is it incorrect?
What do you mean by "revoking a private key"? I don't understand this.
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
I think that there are some advantages of reusing an address:
  • no need to advertise new address each time to receive transfer,
just to name a few.
I realized it lately and decided to use only one address in public, which is one of the addresses I am using recently in review campaigns. It helps me to break connection with the private addresses I have, although I am a regular user of mixer. Nothing is going to my private wallet without touching a mixer and nothing is coming out from my private wallet without touching the mixer again.

Quote
less risk of mistake on sender side,
A sender will always be at risk of inputting a wrong address unless they are maintaining an address book or such things. They could be a victim of copy-paste clipboard malware and easily send the payments to a scammer.

Quote
less steep learning curve (e.g. for IBAN users)
You basically need more learning than just using a random address from your wallet. It requires coin management.

Quote
fewer keys to protect
An HD wallet can have as many addresses as you want. You only need to protect the seed phrase.


member
Activity: 115
Merit: 68
What you should backup and protect is your seed phrase.
Disagree. It would be too simple to protect just seed phrase. In reality and by definition, all private keys (master + child ones) together with the seed phrase need protection. Seed may make backup easier while it does not replace the need for protection of private keys. It is important distinction. If a private key is compromised then all its child keys (and even parent keys in some cases) are compromised too. It's not viable to revoke a private key without revoking all its child keys. Is it incorrect?
legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
  • no need to advertise new address each time to receive transfer,

This is a fair point, especially for a small organization/individual who accepts Bitcoin as a donation option.

  • less risk of mistake on sender side,

I get your point. But the sender could just re-check the latest Bitcoin address mentioned by the receiver.

  • fewer keys to protect


Lastly, protection is simpler for one private key than many of them (even if they are generated in a deterministic way like BIP-32 or BIP-39).

Mostly irrelevant due to HD wallets, where the user only needs to back up the recovery phrase/words or master private key (also called xprv). And in practice, they need to protect their device and wallet file instead.
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
Let's discuss various perspectives on reusing Bitcoin address, share experiences, opinions, find differences from alternatives, weigh pros and cons, define and exemplify situations in which reusing an address is the best option.

I think that there are some advantages of reusing an address:
  • no need to advertise new address each time to receive transfer,
  • less risk of mistake on sender side,
  • less steep learning curve (e.g. for IBAN users),
  • fewer keys to protect
just to name a few.

There is the disadvantage that a list of transactions is not obscured (in comparison to using a new address for each transaction) - so-called "privacy" issue on the Bitcoin network.

You definitely have a point: those advantages that you enumerated make address reuse a very attractive option, especially for those afraid of "steep learning curves." But for those who wish to learn how to use tools, other, more privacy-friendly, options exist, and they have got exactly the same advantages: static payment address, fewer keys to protect, and less risk on the sender and receiver side.

Just to name a few:

1) BTCPayServer
2) https://paynym.is/
3) Silent Payments
legendary
Activity: 1512
Merit: 4795
For privacy, do not reuse an address unless there is a need to reuse it, like using an address to receive payment of salary. If you give customers an address, some will still make a mistake if their device is infected with clipboard malware, so it is good to check and recheck the address you are sending coins to before you click on the send icon.

You do not have to protect keys as seed phrase can do that for you and generate all the keys, we are no more in the era of nondeterministic wallet, HD wallets are recommended because of the seed phrase that are easier as backup. What you should backup and protect is your seed phrase.

Never mind me. I see all you wrote to be unnecessary.
member
Activity: 115
Merit: 68
Let's discuss various perspectives on reusing Bitcoin address, share experiences, opinions, find differences from alternatives, weigh pros and cons, define and exemplify situations in which reusing an address is the best option.

I think that there are some advantages of reusing an address:
  • no need to advertise new address each time to receive transfer,
  • less risk of mistake on sender side,
  • less steep learning curve (e.g. for IBAN users),
  • fewer keys to protect
just to name a few.

Advertisement an address is simpler vs maintenance of a system that advertises many unique ones. Also, a reused ("catch-all") address gives an opportunity to mitigate some of phishing attacks because other sources (trusted ones, e.g. friends, self-made or external directory) could validate an address. Moreover, storing and keeping many addresses is more complex for a sender (imagine choosing the best/valid address among hundreds of them pertaining to a recipient). Lastly, protection is simpler for one private key than many of them (even if they are generated in a deterministic way like BIP-32 or BIP-39).

There is the disadvantage that a list of transactions is not obscured (in comparison to using a new address for each transaction) - so-called "privacy" issue on the Bitcoin network.