Topic: is my private key compromised with reusing of adresses? (Read 1186 times)

You are right.. had 2^12 in my mind instead of 2^11 

But it may be worth to add that a 12 word seed with 128 bits of entropy is still safe enough because bitcoins 256 bit ECDSA keys have 128 bits of keystrength.
So anything above 128 bit isn't necessary. It mostly just has a psychological aspect.
This, at least, applies to most of the curves. A few seem to offer a lower level of security.

Slight correction... The BIP39 wordlist has 2048 words... And the seeds used by Trezor (and Ledger) are 24 words... Providing 256bits of Entropy.

The general theory however is correct... The search space is MASSIVE... And effectively not able to be brute forced in anything resembling a "reasonable amount of time" (assuming that the process of seed creation was properly random etc)

Here is some math for you:
The size of the dictionary trezor uses is 4096 words.
Since you are using a 12 word seed there are 4096^12 possible combinations, thats roughly 10^43.
Now if you take antpool (as the biggest btc mining pool) with about 1000 PH/s, thats rougly 10^18 combinations per second they could check.
This means antpool would need ~10^25 seconds to crack your seed.. thats roughly 1.000.000.000.000.000.000 years.
This ofcours presumes you are using a randomly generated seed. A brainwallet with more possible combinations is still a lot(!) weaker because human brains are 0 random.



Wallet.dat files are way less secure than a hardware wallet, initialized with a random seed. It doesn't always have to be an attacker.
But bits can flip on your hard drive. And files can get corrupted during almost everything (in windows). Its not always about bruteforcing and cracking.

I don't know what the mathematical details are when it comes to trying to bruteforce a seed that's generated by the algorithm that Trezor uses, but in general, I don't really like the idea of seeds, let alone brainwallets.

Im going to stick with the wallet.dat approach pretty much forever. Achow said that the new HD format for wallet.dat is not at the risk of being bruteforced to generate it or something like that. I guess I can trust him on this so I will move to the new HD wallet when the new Bitcoin Core that updates your old wallet format into HD format is released.

Also be sure to move your coins if you leave a Trezor somewhere and there's a firmware update and you can't no longer access that Trezor. To be frank I don't even trust the idea of leaving your keys in other places that you don't control. Sure, there's a risk that your house burns, but there's also a risk that your keys get stolen... you never know.

If you have a second residence, you could leave it there, but if someone lives there, I wouldn't trust that.

I have read that reddit thread, not sure if I understood the conversation correctly.
When using Trezor with Electrum it no longer is "phoning home"?


thank you 

I like to approach bitcoin and crypto technology with a mindset of absolutes, I'm propably just slightly above average when it comes to technical understanding of things in crypto compared to the mainstream population,
Someone that is a software engineer propably can achieve much deeper understanding of bitcoin and blockchain and feel much more comfortable with their decision makings.

Speaking of paranoia and always being sceptical, I stored a Trezor device at a relatives home just incase my own home burns down, this trezor has the same seed as my cold storage, this was pre 1.5.2 firmware.
So now it pains me to know there is a small % chance my seed & pin is compromised.
Her husband seems like a good persons however I know they like to argue about money... I can see a dystopian future would be that while I was storing the pre 1.5.2 firmware trezor at their place he would have opened it and recovered the seed and then recovered the seed and pin into a new trezor device, since then I have recovered the Trezor but there was a good 3 month period where my pre 1.5.2 trezor was compromised.
when this article surfaced it reminded me of having had stored a pre 1.5.2 trezor at a relatives home....
https://www.wired.com/video/2017/10/hacking-the-trezor-bitcoin-vault/

Ultimately Ive spent too much time memorizing the SEED, and realisticaly speaking I doubt there is a farm of GPU's bruteforcing my Passphrase.....

Ok, understood. I thought you are still running some older version. achow101 is guru and we can trust what he says. Then it's ok.

lol, just realized we went a bit off topic didn't we?  ... from reusing the address up to here    ( but IMO good conversation, learned some new things)

What do you mean outdated software? There's nothing wrong with the old wallet.dat format, you just need to keep making backups as you said. I did read achow101 saying that the new HD format has no negative points. I guess I will just wait, apparently 0.16 will allow you to use HD in an old wallet, im not sure how, I think it will use the HD method for newly generated addresses while keeping the old keys the same, this way you don't need to move your coins to an emtpy wallet to use HD which is annoying and one of the reason im using the old format, I was not looking forward to lose money in fees doing this.

Im using the latest Bitcoin Core, you can use the old wallet.dat from years ago in new versions in case you meant that I was using an old Bitcoin Core version.

Hmm, this is interesting. I was not aware of that ( I'm ledger user ). Thanks for link. Going to read it.
on a side note I do not consider using outdated software safe. But it's your choice.

EDIT: The link above is stuffed with terms above my knowledge but conclusion i took from: it's not security flaw, just some privacy issues solvable by using Trezor together with electrum. 

Im still using the non HD format from the old wallet. In any case, I can't trust hardware that was designed to host bitcoin private keys. Trezor has been caught "phoning home" before:

https://www.reddit.com/r/TREZOR/comments/6yti7p/trezor_bridge_trezordexe_calling_home/

Why would I need any device when I can get an airgapped computer with libreboot on it to deal with private keys?

You know modern versions of Bitcoin Core use a seed as well right?

They just don't provide "access" to it by using a "mnemonic phrase" like most wallets do... although, theoretically, if you extract the seed (which is really just a very large number) from your wallet file, you could probably convert it to a "mnemonic phrase"

So you're sticking with the "non-HD" wallet format and multiple file backups then?


It's actually ludicrously simple... File -> New\Restore -> "standard wallet" -> "Use a hardware device"

You connect your Trezor (unlock it) and Electrum will read the xpub directly from it and recreate a "watching-only" version of your wallet (it even supports the randomised PIN entry system and passphrases for "hidden" wallets)... From this point, you basically use Electrum as you normally would... and when you want to send a transaction out, you need to have the Trezor connected to sign the transaction.

Pretty much the same goes if you want to use a Ledger Nano S...

Electrum with a HW wallet is actually pretty awesome... dynamic or manual fees, coin control, "freeze" addresses, PayToMany etc... backed with the security of a HW wallet.

Two reasons I no more using core:
1) It was not deterministic and i was bored making backups continuously  ... I know now it is but I'm kinda get used to HW wallet and not going to return back to core
2) blockchain size

EDIT: after reviewing my point 1 ... do you realize core is using the same BIP as Trezor (BIP32)?

And HCP is right, Leger together with electrum is pretty powerful tool.

Yes, I obviously mean that you should use the 20 different transactions into 20 different addresses, which is why im looking for an exchange that will let you generate new deposit addresses each time, because for example in poloniex I have had the same deposit address for ages which sucks, and I don't know how to generate one, and im not looking forward to create 20 different accounts with 20 different emails and usernames.

I don't know how you would use Trezor with Electrum, but to answer the other guy, you can use Bitcoin Core as your node with watch-only addresses, and then use Armory in an offline computer to make the transactions. Im still researching how to do this, and I would like to use Bitcoin Core as cold storage wallet too better than Armory because im paranoid to use anything that isn't Bitcoin Core to be honest. I want to stay with the classic wallet.dat format. I don't trust the idea of "seeds" at all.

HW wallet provider/manufacturer has no clue what is your seed ... it's always generated brand new when you start/restart the device. (well, there might be some secret hidden code within the device, but I don't believe it  ... I'm pretty sure it would be already discovered and reported by smart guys here)
But true, nothing is 100%. Not going to lie you. Some major (yet unknown) flaw could exist ... but we can say the very same about BTC protocol.

Must say I'm starting to like your approach ... always sceptical ... good for you.

I think paper wallets became obsolete once HW wallets appeared.

You can simply use your Trezor (or Nano S) with Electrum if you need coin control...


Your idea of sending 20 different transactions is arguably only slightly better privacy-wise than sending 1 transaction... UNLESS you send each of those 20 transactions to a different address. Otherwise, you are effectively linking all 20 transactions anyway by sending to 1 address. Granted, it makes it more difficult to prove that all 20 are actually controlled by one person (ie. You) but the link is still there.

Another option is to send your 20 transactions to a mixer and then combine them all into one outgoing transaction from there.... Or use Monero

Unfortunately Trezor does not have coin control, it has a feature where you can have Account 0, Account 1, Account 2, these accounts have their on public adresses.

Bitcoin Core wallet sounds interesting, but for me propably not good as if my PC gets virus or keylogger I can loose all my bitcoins?
With Trezor or Airgapped bitkey paperwallet is safer I feel like.


pretty much confirmation that it's not possible to reverse engineer the seed or privatekey from my blockchain transaction is relaxing for me to know.

I would think most big bitcoin holders have their coins on paperwallet? My understanding is that Trezor, Ledger, Keepkey are all points of weakness, what happens if the creator of the HW wallet steals youre funds? What happens if there are rogue employees at the HW wallet factory that steal youre BTC.
What happens if there is a weakness found in Trezor that makes the BTC vulnerable (similar to the pre 1.5.2 firmware but online instead of physical hack)

Yes, anybody can see those public addresses and balances but thats all what he can do.
and Yes, those inputs are connected by seed
BUT
You need to understand two things: 1) there is no way to "reverse engineer" the seed from address  2) how much seeds can exist (somewhere I read it's 10⁴³)
Once you realized those things I'm pretty sure you won't be worry anymore.

I would release DannyHamilton on you to explain what are chances somebody gets your seed (he's great in similar explanations). Will try to find some to get you into picture.

No proof of funds held by trezor. Just pure speculation based on how popular trezor is. I'm sure anybody with higher balance has HW wallet and there are 3 popular HW wallets ( keepkey, ledger, trezor). 

I never used Trezor or anything that creates a wallet throught a seed. Does it have something called "Coin Control"?

One of the main reasons Bitcoin Core is the best wallet out there is that it has maximun control over inputs and outputs. So If you recieved for example 20 transactions of 0.05 each for a total of 1 BTC, and each of these were received in 20 different addresses, and you wanted to send that 1 BTC at once, like you said, someone could see that you own all of these 20 addresses. This is of course bad for privacy, so with Coin Control feature you could select the inputs and send them separately. Of course, this sucks because you must send 20 times 0.05, paying a fee each time, but there's nothing else you could do that I know of. This is the known problem of Bitcoin's lack of fungibility, which hopefully gets fixed somehow some day.

but If I send a large BTC transaction then everyone can see ALL my public adresses right?
so my SEED has 1btc, these are on 20 public adresses, I send 1btc to someone, BOOM now anyone can see on blockchain and know the 20 inputs all belong to one person.

because the inputs are my public adresses.

Edit---> What I'm saying it doesn't matter even if not reusing adresses, bcs the inputs are all connected to same seed

do you have proof that 20-30% of all bitcoins are in Trezor devices, sounds high to me.

Wow, that's pretty long talk about nothing. I would say you lack the basic principles how this works.
Seems to me you are pretty paranoic but OK. I just say don't worry.

There is nothing wrong about using address repeatedly (only privacy issues .... if you publish 1st address and then send tx together with funds from other address anybody can assume you are the owner of both addresses ... but that's all).

If anybody founds a way how to break/bruteforce the BIP-0032 (trezor seed generation) I guess a major part (maybe 20-30%) of all existing BTCs going to be compromised and will be dumped asap. Completely ruining the BTC price and making your issue minor.

If you have done all of the transactions you mentioned in your post using your TREZOR you have nothing to worry about.  The Trezor never reveals any private keys to any computer/device its connected to.  Let me however clarify.  Security - my definition is that no person can take your coins because they have no access to ANY private keys if the transactions were done through your Trezor.  Privacy - my definition - is another story.  If you have coins sent by numerous folks to the same address then it might be possible to find out WHO you are.  People not skilled in networking don't usually do a good job of covering their tracks.  For a vast majority of folks they could care less if someone knows who is behind the BTC address.  What ALL are concerned about is that nobody can move your coins but YOU.  The Trezor has you covered unless you did something really careless not discussed in your post above.  Hope this makes sense.  If you still have questions please come back and ask.

I have a Trezor hardware wallet that I unfortunately have reused same legacy adresses multiple times.

What I mean is I have recieved BTC multiple times to same legacy adresses, infact I have atleast 2-3 adresses if not more that have recieved btc more than once, also I have sent BTC and I think infact couple of these reused adresses where in the same TX hash, so they shared input in a bitcoin transaction.

Example 1: public legacy adress 1ABCDEFGH has recieved 3 times 0.10 btc, 1ABCDEFGH now has 0.30 btc

public legacy adress 1JKLMNOPQ has recieved 5 times 0.20 btc, 1JKLMNOPQ now has 1.0 btc

Making a 0.50 BTC payment, both 1ABCDEFGH & 1JKLMNOPQ are in the inputs of the TX hash, outputs have the 0.50 BTC that I sent and 0.70 BTC that trezor has sent to a new legacy public adress connected to my Trezor / privatekey

Now I learned that this might compromise the privat key as it might be possible to "decipher / hack" the private key, they have now also been signed multiple times?

in this case the private key is same as 24 word seed to recover bitcoins incase of trezor failure?

Example 2: Legacy adress 1ABCDEFGH has recieved 20 inputs between 0.01btc and 0.03btc, it also has recieved 3 larger inputs of 1 BTC each, now it has 3.4 BTC total, 0.4btc from 20 small transactions, and 3.0 BTC from 3 large transactions.

for simplicity lets say Legacy adress 1JKLMNOPQ has similar transactions, so 3.4 BTC from 20small transactions and 3 large transactions.

lets say there also is a third Legacy adress similar to above, so these 3 Legacy adresses have a total of around 70 transactions and around 10 BTC, now I send 9 BTC so all 3 legacy adresses are shown in the blockchain as inputs and a attacker now knows these have same private key, is some malicious hacker going to be able to figure out my private key and steal the remaining 1 BTC and any other BTC/LTC that is connected to the SEED or private key assuming there are more BTC or LTC on other Legacy adresses connected to the private key / SEED   

Edit ---> would adding a simple passphrase to the trezor and then move all this coins to the new passphrase protected trezor be secure, or would this simple passphrase easily be bruteforced by a malicious attacker? So I need to create new 24 word seed / private key?