Topic: How to hide public key of Bitcoin Address? (Read 585 times)

That example can be used to refute your post.
Such high computation power to break strong cryptography (at the time) is not easy to come by and is not available to everyone. It is always owned (in secret) by governments and is used for much important matters like state secrets and espionage not to steal bitcoins from a single address after a year of computation! They can press a button to print more money without spending anything.

By the time such capability becomes known, all systems will start migrating to newer and stronger algorithms and by the time the hardware catches up the old algorithms are a thing of the past. Like today that you can break the WWII era encryption on your PC, nobody uses such algorithms.

That's not to mention for the time being the computing power, known or unknown, is not close to be able to sold ECDLP within reasonable timeframe.

In a well-designed cryptographic system like Bitcoin, knowing the public key should not expose any significant vulnerability. In fact, public keys are meant to be just that—public. However, there are some subtle aspects to consider weakness of a known pubkey in regard to quantum computing. Brute-forcing the private key of a known public key with current classical computers is practically impossible due to the sheer amount of computational power required. While classical computers are currently incapable of breaking public-key cryptography like the elliptic curve algorithm used in Bitcoin within a reasonable time frame, future quantum computers might be able to do so. Also, if there's a yet-unknown mathematical vulnerability in the elliptic curve algorithm, having the public key could conceivably make it easier to exploit.

However, if quantum computers that can break elliptic curve cryptography become available, then having your public key exposed would be a significant risk. Note that if quantum computers reach this stage, the entire cryptographic basis for Bitcoin (and many other systems) would need to be reconsidered. But here comes the important part and certainly is most interesting for you:

If the private key was initially generated using a flawed or predictable random number generator, then an attacker who could guess this could more feasibly derive the private key. However, this is more about the vulnerability in key generation than in the public key being known. For your understanding:

knowing the public key of a 64bit private key allows you to brute-force the correct key in within some minutes (=reasonable time)
knowing the public key of a 234bit private key nowadays is secure because with available technology it's not possible to brute-force and find the correct key in a reasonable time.

That being said --> always use a 256 bit key unless there is a good reason to do so

You can hide any scripts which allow an output to be spent, but you cannot hide the public key. As I've said in an earlier post in this thread, a taproot address is simply the tweaked public key in a different encoding.

The whitepaper says keys should be used once only for privacy reasons, not for security reasons.

A quantum computer which takes a year to solve an ECDLP will then be able to take the coins from a single address after one year, not from every vulnerable address.

There are hundreds of reasons your public keys will be exposed. Transactions, signing messages, BIP32, sharing xpubs, light wallets, address reuse, multi-sig or other scripts, the list goes on. No wallet or piece of software handles your public keys as if they are secret information. They are meant to be public, and the security of your coins does not rely on them not being so.

What is the main reason to dont reuse addresses, the exposition of public key?

Interesting subject here, so I decided to post.

I have been studying Bitcoin Taproot addresses and it seems or not because I have read YES and NO that is not possible to hide public key until first transaction because all Taproot addresses expose it naturally (if someone can explain/clarify it, I would appreciate).

I read some comments, about that is not important and pubkeys should be public, bla bla bla...

Satoshi Nakamoto use to say to use the address only one time for max security and there is a reason for that for sure.

Many ppl is speaking that with a quantic attack many bitcoin would be taken and bitcoin would go to zero if someone have enough powerful quantic computer.

I disagree with that, imagine there is a quantic computer that can brake it in 1 year, all addresses already transacted at least 1 year would be exposed, but all the other would be safe and if someone someday have access to a quantic with power to brake bitcoin for sure he will not start to stole every bitcoins he can and make market go down, of course they would be subtil and just make surgical stoles, the type of attacks the owner will complaint and everybody will think he just was hacked by some APP or he is dumb, nobody will believe that it was a quantic attack (same as when in 2nd WW allies made with german Enigma machine, they didn't refute all german steps to don't put on check the important advantage they already have.)

In a time that many ppl is talking about possibility of future quantic attacks for bitcoin, Satoshi already have made the 1st step against quantic attack hiding the public key until first and possible only move if we just move the exchange to a new address.

So, if Taproot addresses always expose the public key, I don't know about you, but I would not use them to save my bitcoins in a cold wallet, maybe for another applications could be good enough, but not for cold wallets.

What you think about it?

OP you may want to ignore this post as it may be a little off topic but it got me thinking,

Supposedly its possible, however I haven't found a great solution. If I do, I'll let you know.
Ive messed with all the mergers/calculators like https://github.com/ThePiachu tools
One of the problems with vanity addresses is that there are 6 derivatives from 1 key.
Finding the others first is a common problem.
I used to wonder though, if each derivative is in fact a new master key to a new set of 6 derivatives
and some type of formula is found to solve for all 6 derived keys from a master key wouldn't this potentially compromise some security?
for example, find an accurate child derivative sum it up somehow for the master sum then the master sum gives access to all the child derivatives?
I've often wondered if this were made possible and each derivative is also a master key with a set of derivatives if crawling this structure would have overlapped another
set of keys in use. (a collision approach?)

If Infinity= 0
Infinity x Infinity= 0
Infinity/6^6= 0

Even if, everything's still all good however collision possibilities still increase. (I think?  )

edit, just to be clear as far as I know or anyone does, It's not possible to determine the master private key from a derived private key or address. The relationship between the master private key and the derived private keys is one-way. This is a speculation of what if.

  
 I found this a while back while researching BTC pay servers.

https://finbuzzactu.files.wordpress.com/2017/06/blockchain-programming-in-csharp.pdf

The phrase "public key" as it's called vividly express that it's something that necessarily need not be hidden, else it should not have been called public key but something away far from it. If we're been charged for every new address produced for transaction order than transaction fee then I'll have understood your reasons for wanting to re-using same address.  Perhaps you should focus energy on keeping your private keys safe cause your assets depends on it than public keys.

Maybe you haven't revealed your real intention to what you seek and why.

We don't hide it. It's simply that you can lock coins behind some script types without revealing it, but it is revealed after you unlock those script type. Concealing it brings no additional privacy since the only thing an attacker with your public key can work out is your address, which is public knowledge already.

The privacy gain here comes from not being able to tell if the address is multi-sig or single-sig, not from obfuscating the individual public keys. And indeed, taproot addresses are simply an encoding of the (tweaked) public key, so any time you receive to a taproot address your public key is already exposed.

In my understanding, this is not possible, in my few years in cryptocurrency I have never seen a pubic key hidden in every transaction done by enthusiasts here in the crypto space.

    And I also don't understand why you want your public key hidden? The only thing I know that is really hidden and cannot be shown is the seed phrase words and password, that's all but not the public key.

Bitcoins are not sent FROM addresses.  This is a fundamental misunderstanding of how bitcoin works. Continuing down this path while trying to understand Bitcoin at a technical level is only going to cause you more confusion.


Do not re-use addresses.  If you want to re-use an address, then either make sure that you use software that will allow you to simultaneously spend ALL unspent outputs that were created from that address in a single transaction, OR accept that you will be giving up a bit of privacy because you chose to re-use an address.

Addresses are NOT account numbers.  Bitcoin is not a bank account.  Think of an address like an invoice number.  It's something that you give to someone else so that you can keep track of the payment that they make to you.  You wouldn't typically re-use an invoice number, so don't re-use an address.

maybe OP is concerned about public key because he did read about cracking tools that rely on pubkey (like kangaroo or BSGS) ?

Using multi-sig in one machine makes little sense. Multi-sig provides extra security, provided that transactions are signed in multiple devices. 

Important to mention that an attacker needs the two other public keys as well, in contrast with single-sig, wherein just having the private key is enough to move the money.

Now i am not having a hard time understanding how secure bitcoin is But it wouldn't hurt to know more about cryptography in general. Does it? and it's a technical sub forum.
Also like you ask there's no harm if public key in known. So why to hide it? I know this BUT it wouldn't hurt to conceal it for privacy reasons does it?
See if the bitcoin devs didn't care about it they wouldn't introduce Taproot which essentially enables multi-sig wallet to conceal their pub keys and aggregate them into 1 key and no one can find out the real pub keys which is great IMO and helps in privacy. Even no one can find out if it's the multi-sig tx or single sig

Right the public keys will be revealed in each transaction as said above and there is no fear in it at all so I don't see anything to hide in it.They are derived from one way hash function under which you can generate public key from private keys but the reverse is not at all possible.

So @OP you don't need to worry about public key hiding and the only thing you should focus on is keeping your seed phrases secret if you are using non custodial wallets so be safe in that case.

As said by @LoyceV also you should burner address that once you have utilised it for the task or submitted it somewhere use different address from it which will help you more.

The chance of you messing up the multisig, and losing access to your funds, is much larger than the chance of someone finding your cold wallet's private key. The latter is just not going to happen (unless you make a mistake), the former can easily happen.

From your topics, you seem to have a hard time understanding how secure Bitcoin is. Maybe you should spend some time trying to brute-force the private key to a funded address, to convince yourself it's not going to happen.

With using a multi-signature wallet, you may increase your security, but I recommend you use it if it's really required.
Multi-signature addresses are usually used when a transaction should be signed by multiple parties.
If you generate a single-signature wallet on an air-gapped device and keep your keys safe, it's secure enough.


Whether you use a single-signature address or a multi-signature address, that's impossible.


It depends.
If the address is a 3 of 3 multi-signature address, all the three private keys would be required.
If the address is a 1 of 3 multi-signature address, a single private key would be enough.


Yes. Each of private keys used for generating the multi-signature address can be used for generating a single-signature address individually.

Got it. Thanks for the explanation
So basically using multi-Sig cold wallet on airgapped machine provides the ultimate security?
I was thinking what if someone generate the same private key as my address in case of single address (which is very very unlikely) but using multi-sig makes this impossible,yes?
If an address is multi sig of say 3 address then attacker has to find 3 private keys correct?
Also bitcoin send to individual address which generate multi-Sig can also be spent individually right?

Yes, in a way it improves privacy. It also gives you the option to have different branches that could spend the output but only use and reveal one of them when spending it.
It is still not possible to know how many or which public keys were used to get the aggregated public key though, so it is irreversible.

That address is a multi-signature address and for generating that, you need all the three public keys.

In a m of n multi-signature address, there are n private keys and n public keys and you need m of the private keys to spend fund from that.
The address in question is 2 of 3 multi-signature. So, there are 3 public keys and 3 private keys and for spending fund from it, 2 of private keys are required.

Ok so these 3 public keys you mentioned actually belongs to these address
02707f8c41a9ce80bd85c335ce37617388fe8fd5c7b6079f730fc8b7159867cb3e      -     17eHCSk6dL8naLmCUwUbHHWjykAsJGadoP
02f61a255027b492203f04396474e032e759367ad32cdb1b317074e216718f9b53   -    1KAXSrx2mcYSmyeS2YU442UH66EASTBoSK
02ae11e6f80d33717c8dffcbd4e480b95f82f9fe7478cb166beebddd5b062c9f96       -    1ADCkNGrDGVBEadFvQ2gMkXSZnfdNST3PJ


What is the public key of actual address that i mentioned in OP which is the address 3BJKWL5ipkVe2bjkRSt6ZNbVWQaRrEFjMs ?

---

Specifically regarding this feature, i want to ask that so this bascially helps in privacy right?
Say we aggregate 3 pub keys into 1 then it can be reversed too? I mean you can reverse this to find individual 3 pub keys back?
https://river.com/learn/what-are-schnorr-signatures/

No. It's not really hard.
As mentioned by jackg, you should use the redeem script to get the public keys.

I didn't know how it can be done. I just made a search and found out it's really easy.
Click here to see one of the transactions made from the address you referred to in the OP.
See the input with the index number 135. The sigscript includes 3 hex data. The last one is the redeem script.

Redeem script:

For getting the public keys, all you need to do is to decode the redeem script using coinb.in tool.
The three public keys used for generating the address in question are as follows.

Bitcoin scripts are essentially smart contracts. Each time you create a transaction you are providing an "unlocking script" that provides required data and commands that can "unlock" the coins that are available on the blockchain. This script can be a simple signature + public key or a more complex one that contains conditions (branches), timelocks, hash operations alongside public keys and signatures, etc.

Lower tx weight hence lower fee.
Help increase block capacity (improve scaling).
Faster verification time for full nodes.
Avoid malleability problems.
Access to new features introduced in newer address types such as public key aggregation in Schnorr signatures.

Why do you want to hide the public key?
You're looking in the wrong direction for a solution, the real solution is to not reuse the same address.

For what it's worth: I'm reusing certain addresses too, because it's convenient.

So this redeem script is same as public key?
I mean for multi-sig wallet it's harder to find public key if there's output transactions?

---

If all 3 address's types reveals public key when you send bitcoins then what's the additional advantage of using newer btc address types say Taproot one's (except the lower fees benefit) ?

Correct but even if you didn't have to include the public key alongside the signature in your transactions, the public key could still be derived from the ECDSA signature that you had provided. In fact this is how signing messages work, you only provide the address + message + signature and in order to verify that message others could easily derive your public key and perform the verification.
That is how ECDSA and asymmetric cryptography work.

None of your examples hide the public key and there's no way of doing that without using a different coin.


It seems they make up the redeem script and can be unscramble that way..

From https://en.bitcoin.it/wiki/BIP_0067#Specification:

You get (after sorting)


Which is a redeem script

Yes, your public key is always revealed. Since nodes need your public key for verifying your transaction, you have to reveal it.


The address in question is a multi-signature address and has been generated using three different public keys.
I don't know how, but it should be possible to derive all the three public keys from data of a transaction made from that address.


I don't see any reason for hiding the public key and I said above, you have to reveal your public key whenever you make a transaction.

I know revealing public key is safe. I know that but still i have few questions.
So currently BTC has 3 Address formats as follows
1. Legacy Address (begins with 1... a.k.a P2PKH )
2. Non-Native Segwit Address (begins with 3... a.k.a P2SH )
3. Segwit Address (begins with bc1... a.k.a P2WPKH)

Questions
1.) I know 100% that when you send bitcoins from legacy Address (P2PKH) then your public key gets revealed in transaction signature So this is also true in case of other Address formats (P2SH and P2WPKH) ?

2.) I see Some Addresses do not reveal the public key even if they have spent their bitcoins like this address here - https://www.blockchain.com/btc/address/3BJKWL5ipkVe2bjkRSt6ZNbVWQaRrEFjMs     So How can this be possible?

3.) How can i hide my public key while still Re-using the same address for spending? I suppose it's possible because the address i mentioned in question 2 is able to achieve that.