Topic: Is reusing addresses safer? (Read 1260 times)

No, why would it be? Why is it something that you think about, if you think that you are in that much danger, then you do not have to use crypto, there is still a huge world of people out there using FIAT and they are doing just fine. Fear is the thin that makes you guys do stupid things and that is how the markets get so up and down, but it makes the rest of us rich, so either way, go for it. But for you, if you are that scared, just do something else.

Danny explained the technical pretty good and clear
and you actually has answered some part of your own question too


and I think the main reason behind using new address for every new transaction
is not about its security but more about anonymity, one of Satoshi Nakamoto intentions when he created bitcoin
you're losing bit by bit your anonymity when re-using the same address for different transactions
by using new address you can stay anonymous and also improve your security
because your bitcoin balance will keep moving to new address
and key-breaker would have no time to catch up with your moving balance
thus I agree with what btctousd81 said here
note: I myself reuse a few addresses too 

Thank you for great explanation! I always thought that my knowledge is enough to explain this things to average Joe.But sometimes this kind of tough questions make me to think deeply

It is MUCH safer.  You can leak one (or more) private keys, and your bitcoins will still be safe.  You can split private keys up among multiple people, so that a single person can't access the bitcoins by them selves.  There are many ways that multisig is safer than single signature addresses.


Spending P2PK outputs (using referring to them in an input) does not require you to provide a pubKey at all.  In a P2PK output, the pubKey is ALREADY SUPPLIED IN THE OUTPUT that is being spent.  The only thing that is supplied in the input when spending it is a signature.  That signature MUST be verifiable with the pubKey that was presented in the output when the output was created.

The hash of the pubKey is not used and carries no meaning in a P2PK transaction. Some block explorer websites might hash that pubKey when they show it to you because the average user doesn't understand how bitcoin works, and expects to see an address, but there is no address or pubKey hash in the actual transaction at all.

Because public key is not known if there were no transactions before, only a hash of the public key is known if it was never used.
Quantum computers use something called Shor's algorithm to quickly find a private key of the certain public key, but there are no quantum computers big enough for it yet and it may never be possible to build such a big quantum computer anyway. However, this is still unimaginably more likely then getting a collision of the two public keys to get a same hash.


I agree. I didn't say it was something to worry about, I simply made a comment that it is a lot more likely then the op's worries.


It really doesn't make any sense to waste real resources for non-real issues. Whether it is 4 times easier or not, it makes absolutely no difference, since it is still not going to happen and we have everything else more to worry about than this.

That is really disappointing. I thought that multiSig is much safer than normal addresses. But it seems it is just the same level of security.  


Thank you for having the patience to explain it.
I have studied bitcoin quite a lot, but never really read about how the input/output scripts validate the spent coins.  Now I understand better, and also realize, that I should read more about the topic.
Really interesting, that spending P2PK inputs only accept the pubkey given previously.
 

MultiSig typically uses P2SH.  In that case it is not necessary to find a private key at all.  All you need to do is find a script that resolves successfully and that hashes to the value in the transaction output. Just choose ANY private key, create a script that includes a nonce and a signature using the private key that you chose.  All you need to do is find the right nonce.  With the typical P2SH, that means each nonce value has a 1 in 2¹⁶⁰ chance of allowing you access.


The difficulty in calculating 4 keys isn't what makes multi-sig "safe". It is assumed that it is not possible to calculate any of the keys, just like it is assumed that it is not possible to create an arbitrary valid script that hashes to a given value.  What increases the security of multi-sig is the fact that you are still secure even if you accidentally (or intentionally) reveal one of your keys.


No.  The coins NEVER "go to a normal hashed bitcoin address".  Regardless of whether you are using P2PK, P2PKH, or P2SH, there are no "coins", and there are no "addresses".  Those are concepts that we humans use to make it easier to talk about the transfer of control over value.  In the actual transaction and blockchain there are only inputs (with input scripts) and outputs (with output scripts). Outputs are assigned a value, and inputs reference outputs that haven't been referenced by any other inputs yet.

• A P2PK script requires you to provide a signature that can be validated with a specific public key.  That's why it is called "pay to public key". Since the output script specifies the public key, and there is only 1 private key for each public key, only that specific private key will work.
• A P2PKH script requires you to provide a public key that results in a specific hash, and then provide a signature that can be validated with the public key you provided. That's why it is called "pay to public key hash". Since there are 2²⁵⁶ possible public keys, and only 2¹⁶⁰ possible hash values, each hash value has on average 2²⁵⁶ / 2¹⁶⁰ = 2⁹⁶ private keys that will work. Only one of those private keys will be known.
• A P2SH script requires you to provide a script that hashes to a specific value and which resolves successfully. That's why it is called "pay to script hash". Since there are 2¹⁶⁰ possible hash values, and 2⁸⁰⁰⁰⁰ potential scripts₍₁₎, each hash value has on average 2⁸⁰⁰⁰⁰ / 2¹⁶⁰ = 2500 possible scripts that will work. Depending on the structure of the script, only a few of those potential scripts will ever be known.

(1) I think I recall that there is a limit on script size of 10,000 bytes.  If I'm incorrect about that, then the P2SH calculation will be incorrect.

I do not think reusing addresses is a big risk. The elliptic curve crypto that bitcoin uses is still considered safe. And as  it is a public key crypto, the public key can be safely published.

The 3rd, 5th and 6th richest Bitcoin addresses are nice and brave enough to risk all their coins by reusing their addresses and publishing their public keys.

16rCmCmbuWDhPjWTrpQGaU3EPdZF7MTdUk	91,203 BTC ($400,535,695 USD)
18rnfoQgGo1HqvVQaAN4QnxjYE7Sez9eca	70,000 BTC ($307,418,600 USD)
1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx	69,370 BTC ($304,652,297 USD)

There is $1000.000.000 betting that ECDSA will not be broken anytime soon.

Whenever ECDSA will be broken some of these addresses will probably be emptied. Interesting to see when it will happen.

Anyway. If you have less than 1000BTC in your address I think you do not need to worry. You would not be an interesting target...
 

That is interesting. It would be easy to get more security by doing the extra check.

If I understand correctly that also means that multiSig addresses are not as safe than advertised. If you have a 4/5 multiSig address, the attacker could treat it as a normal segWit address and ignore your 4 required keys. He would "only" need to find one private key, that would hash to the same address as your multiSig address.
And then he can spend your coins. (Yep, I know it is still almost impossible, but a lot easier than finding your 4 keys) 

Do you mean P2SH ?
P2PK Pays to public key, but the coins go to a normal hashed bitcoin address.

Dont worry about the address as their is no limit in creating address and even if you want you can use the same address. Electrum is a good desktop wallet and you wont get any problem.

I've recently started using electrum and I have got everything up and running but I have one concern. When I go to the receiving tab I see a bunch of receiving addresses but those are limited. So if you advise pro always using a diffrent address I will eventually run out of address to use. How will I be able to fix this when I have used each address at least once?

i am using Bitcoin Core  in command line., but never used it to send funds.,
i use my js script to send tx.

does the old behaviour of  Bitcoin Core changed ? so no more need to backup wallet after each tx ?

thanks

You reduce your own privacy AND the privacy of everyone that you transact with when you re-use addresses.  Have a little respect for others and stop re-using addresses.



Use Hierarchical Deterministic (HD) wallet such as Electrum or Bitcoin Core.
Create a backup of your seed words once.
Use a new address for every transaction.

You will no longer need to "back up private key/wallet of new change address after each tx".

i dont get this, why it is security risk ?

if private key is unknown then it does not matter , if address has 1 tx or 1000 tx.

and i read quantum computers does not works like that. so they wont help to calculate/break private key of specific address.

any references  ?

to op.

people say to use new address, is to make it difficult to track the owner of bitcoins.
that is why default bitcoin cliets sends change to new address, instead of the sender addres.,

but imho, if you dont have anything to hide, then using same addresses is fine.
i manage 2 addresss and they have multiple tx on them, its much easier to manage/handle 2 private keys instead of backing up private key/wallet of new change address after each tx.

if i am wrong, please enlighten me, i am still learnning.

There is a lot bigger security risk to reuse your address then for someone to find a key with the same address, since quantum computers should be able to find a private key for any public key very quickly while they are not good at trying out hashes. There is no quantum computers that are close to being big enough for this job yet, and making bigger quantum chips gets exponentially harder so it might be impossible, but it is still more likely then to find a collision.

So don't reuse addresses, since it is insecure anyway and then you won't have this issue either, since this issue is negligible compared to the quantum one, that is also extremely small on it's own.

Yes.


The blockchain doesn't check anything.  The blockchain is just data that has been stored.

Full Nodes check transactions and blocks.  Full Nodes do not check to see what keys have been used in the past.


No.  The payment scripts only require a valid signature. As long as the signature is valid and the public key hashes to the correct value, it doesn't matter which public key is used.


Not by enough to matter.


It isn't going to happen.


Correct.

There are 2²⁵⁶ private keys, so you have a 1 in 2²⁵⁶ chance of finding a specific private key.

However, since there are 2¹⁶⁰ possible addresses, you have a 1 in 2¹⁶⁰ chance of finding a usable private key.


If you want to make sure that a specific private key is needed, then you cant use P2PKH addresses.  You can use a P2PK address instead, but I'm not aware of any wallets that have a user interface that is designed for that.  You'll probably need to write your own software to do that.

For each bitcoin address, there exists about 2^96=79228162514264337593543950336 private keys, that generate the same address.

And any of those private keys can be used to send coins from that address.

My question is: If one key has already been used to send from an address, can the other private keys still be used to send from the same address?

Or does the blockchain check what private key has already been used, and accept only the payments signed with that private key?

Accepting only the key that has already been used, would increase security. Since it is much more difficult to find 1 key than any of 2^96 keys.
(both cases are of course extremely unlikely, but the second case is still 2^96 times more likely)

If only one private key is valid, then an address, that has a send action is safer than an address that does not have a send action. And reusing an address is the safest choice. (at-least before quantum computers)

How is it? The wiki is not clear about this.