Topic: How long to hack an address that is used to send BTC multiple times? (Read 579 times)

it is almost impossible for you to do it, unless you have a computing power more than the total half of all the computing power participating on a particular blockchain.

So I have a miner pointed at nh, and I was planning on using the same adress for my new machine also, because otherwise they don't pay out often enough, and I don't trust sending it to thier online wallet. I'm getting it straight to btc core wallet. Minimum payout is .1 for external wallets. Then I move it to a cold wallet. Are you saying this is not a good way to go? Also, I know it's a little OT, but if I have the core wallet running, open to connections, usually 8 active.... am I running a node? Or do I have to do something else? I couldn't find the answer, I did look. Thanks.

Which is why I am so adamant about it when I get caught up in a conversation with someone that says something like:


The newbies need to understand just how important it is to use a new address for every transaction.  If I don't refute such statements, then many MORE newbies are going to be wishing later that someone had explained the importance of avoiding address re-use, and wishing they hadn't listened to the person that stated that an address should remain fixed.

Additionally, by voting with my dollars (refusing to do business with ANYONE that asks me to re-use an address to send to them), I make a difference in the marketplace helping (forcing) more merchants to learn the importance about protecting their customer's privacy.  Those that behave appropriately gain more business from me (and others like me) and are therefore more successful.  Those that don't behave appropriately suffer a lack of business from me (and others like me) and are therefore less successful until they learn.

What? Why would you pay your phone bill from your cold wallet?

But alright. I get your point. 

Perhaps we could leave it at that: a user could re-use addresses for situations where traceability is explicitly desired - but generally it should not be done.

I really wish someone like you would have told me all that shit when I was a newbie :-)

You are mistaken.

It can equally be true to say that "in the real world, having a fixed invoice number is an advantage from a usability perspective".

Sure its true that the customer doesn't need to keep track of which invoice number ot use when they pay you (since they always use the same one), but it doesn't fit it's purpose (identifying a payment) and is therefore a DISADVANTAGE.


A webpage can easily generate a new address everytime the page refreshes.

Earning money through signatures on a forum is a cancer. it is a perfect example of why you shouldn't be allowed to re-use an address, and why you should refuse to ever engage in any transaction with anyone that ever re-uses an address.


Every well run exchange that I've ever used generates a brand new address for every deposit.


They are utterly useless and stupid.  I never use them.  I expect them to slowly fade away into the pages of history.


I don't think that word means what you seem to think it means.


It's a bad idea regardless.  It reduces privacy, and it is a bad practice.


It's just a bad idea.  It's also bad for privacy, but it shouldn't be done regardless.


Privacy is always important. Even if you are paying your phone bill.  I shouldn't need to announce to the world the total value of bitcoins I have just because you want to pay your phone bill.


Correct.  New address for every transaction.


There's no such thing as "perfect privacy".  They offer arguably "better" privacy, but not perfect.


If you are mailing a payment, you are welcome to re-use a mailing address.

If you are transfering USD (or other local currency) then you are welcome to re-use an account number.

Bitcoin addresses are not mailing addresses, and they are not account numbers. They are a way to identify who sent a payment, when they sent it, and wy they sent it.  In other words, they are an invoice number.


Businesses do NOT call invoice numbers "billing accounts" and invoice numbers DO change.  You may have MANY invoices all associated with the same account, just like a business may have MANY bitcoin addresses all associated with your account.  They account identifier (account number) won't change, but the bitcoin address should (if they are doing it right).


Call it what you want.  That doesn't change the fact that they shouldn't do it, and they are at fault if they do.


That is currently true.  It is possible for users to do a LOT of things that they shouldn't do.  They can publish their private keys if they want.  They can re-use addresses if they want. They can send their bitcoins to random addresses if they want.

The fact that a user CAN do these things, or that they have the "right" to do these things doesn't make ANY of them a good idea.  They should be discouraged from all of these bad concepts.


I'd be pretty happy if Bitcoin ever hard-forked to refuse to accept address re-use.  It's never going to happen, but I can dream.


Idiots can go do whatever they like.  I'm here to help educate people that want to learn and that want to understand.

One thing, though.

It is really bad for privacy. In fact Nullius has a point about the long term thinking. I did re-use addresses in the past and regretted that later.

Every client should pop up a warning about it, to make it clear that this should be avoided unless you really need it for XYZ purpose.

Or is it still a bad idea, even then? I am willing to learn, you know...

No matter what you and Nullius say, the fact remains that in the real world, having a fixed address is an advantage from a usability perspective.

Examples: donation addresses, used by the thousands on webpages and signatures. Or exchanges, which use address locking as a security measure. Or address books in each and every client, which would be utterly useless and stupid if you were right.

I do not condone address re-use, but I believe a good crypto should be designed so that security is not compromised when doing it. This related to the technical issue OP is talking about.

Of course for privacy, address re-use is bad. But sometimes you do not need privacy (e.g. paying your phone bill). If you better privacy, use HD wallets which create new addresses automatically. If you want perfect privacy use Monero, Byteball or Spectrecoin - they offer private and public addresses.

But the people I know, real people in the real world, would prefer to send their recurring payments (phone, rent etc.) to the same address. Businesses call such numbers "billing accounts" and they don't change.

I simply oppose the idea of calling address re-use a user fault.

I believe every person has a right to re-use an address or not, it is not up to developers to decide that for them!

Flame me all you want, but don't you whine when idiots flock to (ewwww....) XRP or some other crap. 

No.

But, it appears you may be.


You are quite mistaken about that.

A bitcoin address is intended to be used only once and as a method to identify a payment.  That sounds like an invoice number to me.


I suppose it would be convenient to provide "counterparties" with a fixed invoice number for further use as well, but it doesn't make sense and is really quite silly.


You mean, like an invoice number?  Right.  Exactly.


Most people don't think of invoice numbers as being a nuisance.


Or, you just wait to receive the full amount.


Correct.  Each new address comes with its own new private key.


Perhaps, but it's better than alternative forms of electronic representation of value (such as bank accounts).


Any company that doesn't understand that every address has a separate private key doesn't have good blockchain knowledge and shouldn't be managing their own cryptocurrency decisions.


Not possible.  Each private key has only one address.


It's too much overhead for a company (or individual) to keep track of what addresses they give out for which payments?  Then they probably can't manage money at all.  They probably need to get someone else to manage their money for them.


You can think whatever you like.  It doesn't make it a good idea.

Nonsense.  What DannyHamilton described is not only a well-known “best practice”, but also the actual and longstanding current practice of numerous Bitcoin businesses, both large and small.  Assigning one address per transaction is also the only practical, reliable means of tracking payments and matching payments to transactions; thus, a Bitcoin address works out perfectly as a quasi invoice number—or even an actual invoice number.

I emphasize that this is the common and customary usage.  Forget about discussing your qualifications as a developer:  If you have not seen this as a customer, such reveals that you have rarely if ever used Bitcoin at all.


Years of the real-world experience of actual businesses flatly contradict your supposition.

What happens if a partial payment is received?  Whatever happens according to the payee’s usual handling of partly-paid invoices—that’s what.  Using one address per transaction makes it easier to track and account for partial payments.


With your reference to “(HD)”, you are confusing the BIP 32 seed with a Bitcoin private key.  From a single seed, a BIP 32 HD wallet can generate up to 2,147,483,648 hardened or non-hardened private-key/address pairs per derivation path.  That’s over two billion addresses.

At the current rate of transactions per day, it would take about 25–35 years for the entire Bitcoin network to process 2,147,483,648 transactions.  If you had somehow anachronistically created an HD wallet when Bitcoin was first released in January 2009, and every Bitcoin transaction ever made had been spent to you with a new address for each one, then you would have still only used a fraction of your addresses.

Still worried about running out of addresses in your HD wallet?


So, if Bitcoin does not provide a privacy suit of armour without special measures, you recommend walking around naked?  (Moreover, given some effort and skill, Bitcoin can be plenty private.)


For a lightweight solution, Electrum provides easy merchant features which even the dullest developer should be able to get working and integrate with a shopcart and accounting backend.  It automatically provides a new address for each payment request, and serves up fancy auto-generated payment request pages with QR codes.  For security, it works fine with a cold wallet (no webserver access to funds).  If you can set up a webserver and a basic shopcart package, then you are capable of doing this, too.

Making this work with Core is not exactly rocket science, either.

I don't want to diss you but are you from another planet?

The invoice number? A Bitcoin address is more like a customer ID, which remains fixed!

It would be much more convenient for businesses or individuals, to provide their counterparties with fixed addresses for further use.
 
Otherwise a new one would have to be created everytime someone sends you a payment. What a nuisance! And imagine this is done automatically, and a partial payment is received: CHAOS, CONFUSION and MAYHEM!

For privacy you would need a new private key (HD) every time anyways. But if you want privacy, BTC is not the right crypto.

I guess a company with good blockchain knowledge could try and create 1 private key per customer, then issuing a different address on that key for each invoice. But for the average company/individual that is way too much overhead.

So yes I do think address re-use should be fully supported.

The security of exposed Bitcoin public keys is just fine for general usage.  They cannot be hacked.  Answer to the thread’s subject line:  “A million billion trillion zillion years.”  But there is a different, unrelated reason to avoid address reuse:  Privacy.  Avoiding address reuse gives you a modicum of privacy.  That at least makes Chainalysis work for their pay.  Re-using addresses makes transaction linkage trivial, child’s play.

A public key is called a “public key”, because it is secure when exposed in public.  I publish my PGP public keys (and if I didn’t, PGP would be useless).  I am not worried about that.  Each and every time you connect to an https website secured by TLS, the server’s public key is exposed to you—and your symmetric session key is derived from a key-agreement process based on the hardness of the same DLP as is the fundamental basis of most widely-used public-key cryptography other than RSA.  I am not worried about that, either!  Likewise, I am not worried about the security of my Bitcoin public keys.

---

Those concerned about bad randomness causing leaked secret key bits need to read RFC 6979:


I argue that even mentioning public-key security in the context of address reuse is a terrible disservice to Bitcoin.  To anybody who do not understand the nuanced technical discussion, it FUDs Bitcoin security for no good reason.  In ordinary circumstances, there is one, and only one excellent reason to avoid address reuse:  Making transaction linking less easy.

I call myself “paranoid”; and there is only one use case in which I would be concerned about exposing the public key:  Long-term storage of funds for decades.  Yes, in that case, I want the extra security of reducing my attack surface to the Hash160.  That will guard against unforeseen cryptanalytic breakthroughs, hypothetical quantum computers, ECDSA-cracking unicorns, the arrival of superintelligent space aliens on Earth, etc.  So if I make a cold-storage address for my grandkids’ inheritance, I will keep the public key secret, and sleep 3.1337% more quietly at night.  I am just that paranoid.

N.b. that using a new address for every transaction does not by itself provide good privacy.  Blockchain analysis heuristics can link transactions with high reliability, even if addresses are not reused.  It is only the most basic privacy measure, as well as being the prerequisite for all better privacy measures.  For this reason alone, avoiding address reuse is very important.

---

This must be emphasized at every opportunity.  When you use a Segwit address, you are helping the network by using less of a globally shared resource for your transactions; in BIP 141 terms, your transactions have less “weight”.  Fees are calculated by weight.  Therefore, when you use a Segwit address, you get a huge discount on fees.

---

The aptly-named “bitfools” appears to be trolling with voluminous spew of patent nonsense.  Newbies, don’t believe anything he says.  Just ignore.  It is all 100% incorrect.  Sheer idiocy.

Let me run this question as an answer. Say you gen a private key and public address pair, then you keep generating addresses for a long time with that public-key.

What happens is that each address is just a I*PubKey ( where I is the i'th address you generated from that mother public-key )  that is hashed, so the more you use that same pubkey to generate addresses you increase probability that I will hit your address with my pub-key guess box, everytime you use the same public-key to gen an address its a dart on the wall, an the more darts on the wall the higher probability that I will hit that dart.

It's easy to guess private-keys, and its easy to make a public-key from them, and then its super easy to generate 10k addresses from that public-key and test them all in a second,


... Its not easy to take a public-key and make a private-address, but the more addresses you generate the easier it is for me to guess your private key.

For me I have all the addresses known on BTC on my wall, thus I'm not likely in all history of universe to hit your address, unless you have lots of them for me to 'sticky' on my wall.

The problem here is majority are using these 3rd party wallet packages on the internet that place the fee's,

I use the Bitcoin-CLI (cmd line) to do my transaction, I set my feed schedule to zero, and I rarely see fee's, thus I know it can be done,


IMHO its just the day-traders that are generating 1,000's of 0.0001 BTC trades a day complaining about 0.002 BTC fee's, the problem is people just don't take the time  to learn the software, its all there testnet, to learn, and minimal fees that are selectable by the user, but people choose to use these fancy GUI platforms that set the fee's and most likely give the user a hair-cut to boot.

Conversation here is about 'loss' in BTC, most loss occurs at the exchange or wallet, from malicious or sloppy software, and the fee's is just another example, they just don't care, but if you did care you would learn to set the fee schedule yourself.

If you keep our private-keys off the exchanges or away from wallet-software, if you keep your keeps on a closed system, running your own node, I don't see how you could lose money, unless you did it on purpose, the bitcoind&bitcoin-cli software seem pretty solid, but I gather from the comments on these forums that 99% of the users are just putting their private-keys into the hands of third  party's.

That's not really true, its easy to harvest all used addresses in history, easy-peasy

Then you create bloom filter and mark all seen addresses, and then decide how you want to attack btc, either by was of generating deterimistic keys, or brute-intelligent force forward by big-step/baby-step, ...

When you have all the addresses its just like having the public keys, for all the private-key guesses no matter your ALGO, you simple generate a pubkey and then generate say 8192 addresses for every pubkey and check the bloom-table if one of those addresses are  hot

U can also hash all the X values from ecdsa into a hash-table and use that to correspond to known addresses,

Then you can watch R values on the block chain, and look for patterns to make a guess to the private-key

It really blows me away how the majority here always say "that can't be done", oh but they have a caveat that a real smart math guy will solve the discrete-log problem tomorrow and sweep all the coin, thus they know it can be done

People who have studied SECP256k1(ECDSA) long enough see the patterns,

But getting back to your question, the public-key isn't required, its easy use a DISCRETE-LOG algo to run through private-keys generated and then super easy to test the priv-key with a function that uses a bloom-table on all known addresses with balance, right now there are +3 million of  the puppys

IMHO the founders are scared to death, but the majority are just bots who repeat the mantra u know "BITCOIN is Safe", nothing is safe in life, not walking across the street.

I can say this targeting a PRISTINE address is not easy, but I think that throwing lots of shit on the wall using intelligent ideas from the discrete-log papers, and then testing your X's that come back with public-key hash tests which are super easy, is all doable

WRT to that mathematician who solves the discrete-log problem, IMHO most mathematicians are too pure to stoop to the low level of 'hacking' to resolve this problem, so it probably will not be solved by your math guy, it will be solved by a teenager in Burma, using a low tech chrome-book running crouton

Nothing is SAFE, never its always been this way,

But the above said, BTC is amazing in its general safety, I think the majority will always be safe,

Lastly, studying this stuff, actually improves your knowledge and ability to protect your own coins,

IMHO the NSA created BITCOIN, They're just watching and waiting to see who & how breaks this stuff first, like DES, or SHA, or anything that comes out of NSA, they always have a backdoor, never seen otherwise, thus in a way BTC is real nice way to have everybody on earth hitting their code and then they can keep one step ahead of the best hackers on earth, ...

Unfortunately, Shor's is stronger than just quadratic speedup: in the case of secp256k1 it transforms the roughly 2²⁵⁶ into roughly 256³. This writeup: https://arxiv.org/abs/quant-ph/0012084 while a bit technical, details what's going on under the hood, and how breaking RSA (integer factorization) and ECDSA (discrete logarithm) are just special cases of a more general principle.

Of course, the quantum computer to implement this will not be built for at least another decade, so we can relax for the time being…

Yes, thank you. Both provide quadratic speedup so I forget which is which. QC is not my field, I just see a lot of obvious misinfo and FUD on this forum and feel the urge to try to set the record straight as best I can.

I think you're mixing up Shor's with Grover's.

https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks

My reply was to what ranochigo wrote:


I imported my private key to Electrum.  When I spend BTC, any remaining BTC gets sent back to my original address.  In effect, Electrum is reusing my BTC address as its default behavior for an imported private key.  To move my remaining BTC to a new address would require a second transaction, which would incur a transaction fee (about $25 USD to $30 USD based on today's rate?).

I don't understand what you are saying here.

Why would using a new address for the change from your transaction have any effect at all on the transaction fees or the transaction time?

To reduce fees, you may want to consider moving your bitcoins to a SegWit address.

Shor's algorithm only provides quadratic speedup. That means that the approx. 256 bits of security of secp256k1 becomes approx 128 bits of security in a world of readily-available, at-scale quantum computing. I wouldn't call 2¹²⁸ brute-forceable "in a reasonable amount of time."