Topic: MinAddress : Now remember your addresses easily (Read 6754 times)

full member
Activity: 180
Merit: 1003
September 16, 2014, 09:24:48 AM
I will dig up the thread and even the specific posts by Greg Maxwell and Death & Taxes that convinced me that this privacy/fungibility issue is as important as I say.

I don't value the opinions of those that don't understand the protocol or its implications.

I do value the opinions of those that have put in the time and effort to learn how and why this all works. This includes CIYAM even though I happen to disagree with him on this particular matter.

Greg Maxwell and Death&Taxes are two others whose opinions I value on such matters.

It would be interesting to put together a list of people who have a reputation for understanding these details and then list out which of them are against the concept of address re-use and which are in favor of it.

I think people who support address reuse are not thinking in terms of loss of fungibility and privacy but from the point of view of bitcoin adoption. At present bitcoin adoption is the major issue, and preventing address reuse is not user friendly at all, especially for new users. In fact, if address reuse is not supported as suggested, then using bitcoin in most real world scenarios will be almost infeasible. E.g., generic case: if a group of people want to send bitcoin to one person, as at an event or in a shop, then the person can display the QR code/MinAddress of his bitcoin address where people can easily send; without address reuse this scenario is very difficult with bitcoin. If address reuse is an issue, then removing address reuse completely is equally bad if bitcoin is to be used for anything other than ecommerce transactions. I think we need to come up with a better solution than simply banning address reuse.
full member
Activity: 180
Merit: 1003
Is there any chance (although it is really low) that there is a coincidence of two addresses with this method?

No. Two addresses cannot have the same MinAddress. [OK, there is a very, very, very small chance currently if two addresses have the same first block and the same characters with some in different case; however, I am going to update the algo so that a MinAddress is not generated for such addresses, preventing any collision ever.]
legendary
Activity: 1512
Merit: 1028
As long as we are pondering useless stuff..


Full address to Min-Address Conversion:
#Take the full address and find the block in which the first transaction to the address occurs. The block number is then converted to hex and forms the first part of the Min-Address.
#Get all the receiving addresses in the block and do a case-insensitive comparison to find the minimum number of initial characters which uniquely identify the address; this forms the second part of the Min-Address.
It occurs to me that this could be more compact.

Let's take a random recently-seen address:


This is your min-address format:
4f4d6-1pi9

Instead of block number + firstbits of a block, we can get all the information from the structure of transactions in the blockchain, and then encode it smartly.

We can find the first occurrence of a payment to an address, and then refer to it by block_number->transaction_number->txout_number

We can call this micro-address. It can be the base58 encode of a bitstream-type encoding of the above data:

Most-significant-bit placeholder
1st bit set to 1

block number:

bit 0 - len of block count:
0 - 23 bits
1 - 31 bits


bit 1-24 or bit 1-32:
23 bit length: (blocks 0-7fffff) (blocks 0-524287)
31 bit length: add 00800000 (0-7fffffff + 00800000) (blocks 524288-8912895)


transaction number in block:

bit 0-2: length: number of words + 2 - 3 bits

000: 5 bit length (0-31)
001: 9 bit length (0-511)
010: 13 bit length (0-8191)
...
111: 25 bit length (0-33554431)


vout number:
bit 0-1: length: number of words + 2 - 2 bits

00: 6 bit length (0-63)
01: 10 bit length (0-1023)
10: 14 bit length (0-16383)
11: 18 bit length (0-262143)



for my example address:

block 234822, 0x39546h : 000000000000000006880233f89f572f006fd5dad0d1729d6d81622e8921e15f
transaction #18, 0x11h : fe17ff4c6df314cc708b2bab011a6327b61ffce81b4f7948ca8c6e7d3ee46105
vout #3, 0x02h:  address 1Pi9uP6YMqbvbrQ1b7m6qzAS5ejN7mSwWR

encoding base58(bitstream):
MSB 1:        1
block# bits:  0 00000111001010101000110
trans# bits:  000 10001
vout# bits:   00 00000010

>>> hex(0b1000000111001010101000110000100010000000010)
'0x40e55184402L'

>>> bitcoin.changebase('1000000111001010101000110000100010000000010',2,58)
'329UugoB'


So I get an eight-character micro-address of 329UugoB.

The length here doesn't vary based on how many bitcoin address characters it takes to be unique within a block. It only gets longer after block 524287 or if there was a huge block and the transaction also had many outs. I'm sure even more optimized encoding could be thought up to minimize the average address lookup bits required.
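The two encodings discussed in this post, worked through in Python as an added example (this is not the poster's code and not MinAddress's own implementation). It implements the quoted MinAddress rule (hex block height plus the shortest case-insensitive prefix that is unique among the block's receiving addresses, refusing to produce one when two addresses differ only in case, as the author said the updated algorithm would) and the micro-address bitstream laid out above, with a decoder. Assumptions made here: the tx-index field widths after `010` keep growing in 4-bit steps (the post's `...` is read that way; its `111: 25 bit` entry does not fit that progression), the 23-bit block field covers heights 0 to 2^23-1 as the hex range `0-7fffff` says, and the vout field for prefix `00` is 6 bits as the table states. Note that the post's own bit string pads the vout field to 8 bits, so `bits_to_b58` on that literal string reproduces `329UugoB`, while the table-conformant encoding of the same (block, tx, vout) triple is two bits shorter and gives a different string. The other addresses placed in the sample block are constructed, not real.

```python
"""MinAddress and micro-address encoders/decoders (added example).

Not code from the original post. Field widths follow the post's table; the
tx-index widths beyond prefix 010 are ASSUMED to continue in 4-bit steps.
"""

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

BLOCK_SHORT_BITS = 23                    # prefix 0: heights 0 .. 2**23-1
BLOCK_LONG_BITS = 31                     # prefix 1: heights 2**23 .. 2**23 + 2**31 - 1
BLOCK_LONG_OFFSET = 1 << BLOCK_SHORT_BITS


def min_address(block_height, block_addresses, target):
    """MinAddress as quoted: hex height + shortest case-insensitive unique prefix.

    Returns None when another address in the block equals the target ignoring
    case (the collision case the author said the updated algo will refuse).
    """
    lowered = [a.lower() for a in block_addresses]
    t = target.lower()
    if lowered.count(t) > 1:
        return None
    others = [a for a in lowered if a != t]
    for n in range(1, len(t) + 1):
        if not any(o.startswith(t[:n]) for o in others):
            return f"{block_height:x}-{t[:n]}"
    return None


def _varfield(value, prefix_bits, base_width, step=4):
    """Smallest prefix k such that value fits in base_width + step*k bits."""
    for k in range(1 << prefix_bits):
        width = base_width + step * k
        if value < (1 << width):
            return format(k, f"0{prefix_bits}b") + format(value, f"0{width}b")
    raise ValueError(f"{value} does not fit any width of this field")


def _read_varfield(bits, pos, prefix_bits, base_width, step=4):
    k = int(bits[pos:pos + prefix_bits], 2)
    pos += prefix_bits
    width = base_width + step * k
    return int(bits[pos:pos + width], 2), pos + width


def micro_bits(block, tx_index, vout):
    """Bitstream: placeholder 1, block field, tx-index field, vout field."""
    if block < BLOCK_LONG_OFFSET:
        block_field = "0" + format(block, f"0{BLOCK_SHORT_BITS}b")
    elif block < BLOCK_LONG_OFFSET + (1 << BLOCK_LONG_BITS):
        block_field = "1" + format(block - BLOCK_LONG_OFFSET, f"0{BLOCK_LONG_BITS}b")
    else:
        raise ValueError("block height out of range")
    return "1" + block_field + _varfield(tx_index, 3, 5) + _varfield(vout, 2, 6)


def b58encode_int(n):
    digits = []
    while n:
        n, r = divmod(n, 58)
        digits.append(BASE58[r])
    return "".join(reversed(digits)) or BASE58[0]


def b58decode_int(s):
    n = 0
    for ch in s:
        n = n * 58 + BASE58.index(ch)
    return n


def bits_to_b58(bits):
    """Same as the post's changebase(bits, 2, 58): interpret the bit string as an integer."""
    return b58encode_int(int(bits, 2))


def encode_micro(block, tx_index, vout):
    return bits_to_b58(micro_bits(block, tx_index, vout))


def decode_micro(micro):
    """Inverse of encode_micro; the leading placeholder 1 means bin() loses no bits."""
    bits = bin(b58decode_int(micro))[2:]
    if bits[0] != "1":
        raise ValueError("missing placeholder bit")
    pos = 1
    if bits[pos] == "0":
        block = int(bits[pos + 1:pos + 1 + BLOCK_SHORT_BITS], 2)
        pos += 1 + BLOCK_SHORT_BITS
    else:
        block = BLOCK_LONG_OFFSET + int(bits[pos + 1:pos + 1 + BLOCK_LONG_BITS], 2)
        pos += 1 + BLOCK_LONG_BITS
    tx_index, pos = _read_varfield(bits, pos, 3, 5)
    vout, pos = _read_varfield(bits, pos, 2, 6)
    if pos != len(bits):
        raise ValueError("trailing bits: field widths do not match the table")
    return block, tx_index, vout
```

Because `decode_micro` insists that the field widths consume exactly the decoded bits, feeding it the post's `329UugoB` raises `ValueError`: the string carries two more bits than the table allows for a vout with prefix `00`. A self-describing format like this needs that strictness, otherwise two different strings could resolve to the same output and a reader pays the wrong party.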
legendary
Activity: 1792
Merit: 1087
... in order to adhere to an abstract principle that not everyone agrees with or thinks about.

Where the abstract principle you are talking about is address reuse.  I don't consider this an "abstract" issue.

Address reuse is the single largest internal threat to the long term viability of Bitcoin.  It is the single largest threat that we can do something about within the Bitcoin community.  Address reuse should be discouraged by any and all means possible.  Companies, individuals, charities, etc. who continue to reuse addresses should be boycotted until they change their ways.  Deterministic key pair generation should be used for all periodic payments, all donation addresses, all mining pool payouts, and all other times when multiple payments are made from one entity to another entity.

Ideally all addresses would be used only once and contain only two transactions:  a single funding transaction followed by an eventual single spending transaction.  All change should go to a fresh address every time.  

I wish the protocol enforced these rules.  If it were possible to make this change it is the only change to the protocol I personally would support at this time.

Do you know the implication of your wish? That means miners and full nodes have to keep ALL transaction record FOREVER because they have to make sure the addresses in a new block have never been used before.

A protocol CAN be created to enforce no re-use. It just requires some extra work by the sender and receiver. I haven’t thought it through but it would be based on creating a new public key from another one similar to the way that HD wallets (BIP32) allow the SAFE derivation of child public keys from parent public keys.

Let’s see:
1.   The sender looks up the address he wants to send to. If it is unspent, he sends to it.
2.   If it is spent (and remember we only spend ONCE. The full amount...)
        he can derive the public key from the spending transaction, call it Y.
3.   He creates a new shared secret (Diffie Hellman) between his key and Y.
4.   He uses the shared secret and Y to generate a new public key, Y’, for the recipient and calculates an address from it.
5.   He sends to that new address.

The recipient can check every transaction to see whether it is his:
1.   He knows the sender’s public key (it was a spending transaction for the sender).
2.   He calculates the shared secret. This allows him to recreate BOTH his new public key and his new private key.
3.   He can spend the coins at a later time.

In all of this, what’s important is that ONLY the sender and receiver know the shared secret. Also the shared secret is unique to each transaction by the assumption of only one spend, hence only one use of the transmitter’s public key.

This is all a lot of work and probably could be made more efficient.

Finally, if you don’t want people sending more than once to your address, publish a RECEIVING public key that remains constant long term. It is never sent-to but is used in generating all the shared secrets the senders will need.

I am not sure what you mean by "enforce". If you mean "transactions with address re-use are invalid", I have already explained why it won't work.

What you describe is essentially a "stealth address". It facilitates no re-use but does not enforce it.
ffe
sr. member
Activity: 308
Merit: 250
... in order to adhere to an abstract principle that not everyone agrees with or thinks about.

Where the abstract principle you are talking about is address reuse.  I don't consider this an "abstract" issue.

Address reuse is the single largest internal threat to the long term viability of Bitcoin.  It is the single largest threat that we can do something about within the Bitcoin community.  Address reuse should be discouraged by any and all means possible.  Companies, individuals, charities, etc. who continue to reuse addresses should be boycotted until they change their ways.  Deterministic key pair generation should be used for all periodic payments, all donation addresses, all mining pool payouts, and all other times when multiple payments are made from one entity to another entity.

Ideally all addresses would be used only once and contain only two transactions:  a single funding transaction followed by an eventual single spending transaction.  All change should go to a fresh address every time.  

I wish the protocol enforced these rules.  If it were possible to make this change it is the only change to the protocol I personally would support at this time.

Do you know the implication of your wish? That means miners and full nodes have to keep ALL transaction record FOREVER because they have to make sure the addresses in a new block have never been used before.

A protocol CAN be created to enforce no re-use. It just requires some extra work by the sender and receiver. I haven’t thought it through but it would be based on creating a new public key from another one similar to the way that HD wallets (BIP32) allow the SAFE derivation of child public keys from parent public keys.

Let’s see:
1.   The sender looks up the address he wants to send to. If it is unspent, he sends to it.
2.   If it is spent (and remember we only spend ONCE. The full amount...)
        he can derive the public key from the spending transaction, call it Y.
3.   He creates a new shared secret (Diffie Hellman) between his key and Y.
4.   He uses the shared secret and Y to generate a new public key, Y’, for the recipient and calculates an address from it.
5.   He sends to that new address.

The recipient can check every transaction to see whether it is his:
1.   He knows the sender’s public key (it was a spending transaction for the sender).
2.   He calculates the shared secret. This allows him to recreate BOTH his new public key and his new private key.
3.   He can spend the coins at a later time.

In all of this, what’s important is that ONLY the sender and receiver know the shared secret. Also the shared secret is unique to each transaction by the assumption of only one spend, hence only one use of the transmitter’s public key.

This is all a lot of work and probably could be made more efficient.

Finally, if you don’t want people sending more than once to your address, publish a RECEIVING public key that remains constant long term. It is never sent-to but is used in generating all the shared secrets the senders will need.
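The sender/recipient derivation sketched in this post, carried through on secp256k1 as an added example. This is pure Python written for this page, not the poster's code and not any wallet's implementation, and far too slow for real use. The concrete construction is an assumption about how step 4 is realised: with S the ECDH point a*Y = y*A, the sender pays to Y' = Y + H(S)*G and the recipient recovers the matching private key as y' = y + H(S) mod n. Address encoding is left out; the tweaked public key stands in for the address. Both parties' keys below are generated locally, and the fixed scalars in the test are constructed values.

```python
"""ECDH-derived one-time receive keys on secp256k1 (added example, not the post's code).

Tweak construction Y' = Y + H(S)*G, y' = y + H(S) mod n is ASSUMED here as the
realisation of "use the shared secret and Y to generate a new public key".
"""
import hashlib
import secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustrative only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _compressed(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def _tweak(shared_point):
    """H(S): hash the compressed ECDH point to a scalar mod n."""
    return int.from_bytes(hashlib.sha256(_compressed(shared_point)).digest(), "big") % N


def keygen():
    d = 1 + secrets.randbelow(N - 1)
    return d, _mul(d, G)


def sender_derive(sender_priv, recipient_pub):
    """Sender (steps 3-4): S = a*Y, then Y' = Y + H(S)*G is the key to pay to."""
    shared = _mul(sender_priv, recipient_pub)
    return _add(recipient_pub, _mul(_tweak(shared), G))


def recipient_recover(recipient_priv, sender_pub):
    """Recipient (steps 1-3): S = y*A, y' = y + H(S) mod n; returns (y', Y')."""
    shared = _mul(recipient_priv, sender_pub)
    priv = (recipient_priv + _tweak(shared)) % N
    return priv, _mul(priv, G)


def demo():
    """Full exchange: sender and recipient agree on Y', and y' really controls it."""
    a, A = keygen()   # sender's key; A is the public key exposed by the sender's spend
    y, Y = keygen()   # recipient's long-term receiving key, never paid to directly
    paid_to = sender_derive(a, Y)
    y_prime, recovered = recipient_recover(y, A)
    return paid_to == recovered and _mul(y_prime, G) == paid_to
```

Only the holder of y (or of a) can compute S, so an observer of the chain sees an unlinkable key Y' per payment, which is the property the post is after; the cost is that the recipient must try the derivation against every candidate transaction's sender key, which is the scanning work the post alludes to.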
legendary
Activity: 1456
Merit: 1078
I may write code in exchange for bitcoins.
Thanks so much for the informative discussion.  I now have a general understanding of the argument which connects address reuse to fungibility.   The steps are that (1) address reuse weakens privacy, (2) weakened privacy can lead to a fractured network because miners and users may decide not to interact with certain addresses.  I'm (still) not convinced, but I appreciate the discussion.  I'm going to check out the threads that BurtW linked us to.

Commenting here on the argument as I understand it, it seems there are some weaknesses on (1) and (2).  On (1), can't I reuse an address many many times in an anonymous fashion?  That is, it may be that address reuse might aid a private detective in figuring out the personal details of a particular user, but it also might be that it doesn't help at all or that the private detective fails to identify the user despite their address reuse.  Say a particular mining node connected through TOR keeps sending mined bitcoins to an address 1bitcoinanon...  What do we know about 1bitcoinanon....beyond the fact that presumably this is the same person reusing an address?  In fact, it could be a group of people sharing an address (maybe they sent the address and private key to each other via ssl email).  Can't you imagine all sorts of such scenarios?

On (2), I want to present the opposite sort of rebuttal than I did for (1).  That is, can't users start to whitelist/blacklist each other without knowing personal details?

To summarize, I understand the argument as this linear chain:

address reuse helps people discover each other's details-->people who know each other's details can dispute personally-->personal disputes can lead to a fractured/less fungible bitcoin network

But for me:

 + I question whether address reuse necessarily leads to discovery of details and
 + I suggest that people may dispute without knowing personal details.

Cheers!
legendary
Activity: 1792
Merit: 1087
... in order to adhere to an abstract principle that not everyone agrees with or thinks about.

Where the abstract principle you are talking about is address reuse.  I don't consider this an "abstract" issue.

Address reuse is the single largest internal threat to the long term viability of Bitcoin.  It is the single largest threat that we can do something about within the Bitcoin community.  Address reuse should be discouraged by any and all means possible.  Companies, individuals, charities, etc. who continue to reuse addresses should be boycotted until they change their ways.  Deterministic key pair generation should be used for all periodic payments, all donation addresses, all mining pool payouts, and all other times when multiple payments are made from one entity to another entity.

Ideally all addresses would be used only once and contain only two transactions:  a single funding transaction followed by an eventual single spending transaction.  All change should go to a fresh address every time.  

I wish the protocol enforced these rules.  If it were possible to make this change it is the only change to the protocol I personally would support at this time.

Do you know the implication of your wish? That means miners and full nodes have to keep ALL transaction record FOREVER because they have to make sure the addresses in a new block have never been used before.
legendary
Activity: 1890
Merit: 1072
Ian Knowles - CIYAM Lead Developer
BTW Peter is one of my favorite people in the whole world.  Not only for his work on stealth addresses but because of this post:

https://bitcointalksearch.org/topic/rfc-aethereum-a-turing-complete-coin-distributed-as-per-bitcoins-blockchain-563925

Agreed - I do like his idea a lot.
legendary
Activity: 2646
Merit: 1136
All paid signature campaigns should be banned.
This has become one of my favorite threads.  So nice and peaceful.  I am sorry that we have gone somewhat off the main topic of the MinAddress proposal and web site but on the bright side we are keeping this MinAddress thread active and well bumped.
legendary
Activity: 2646
Merit: 1136
All paid signature campaigns should be banned.
Again the "fungibility" issue doesn't really come into it unless we start talking about *choose your favourite colour* lists.

I hadn't noticed Luke's proposal before and maybe it isn't a bad idea - but you don't think something like "stealth" is actually a *better solution* all around?

Yes, I think that stealth addresses are a huge part of the solution and should fix the whole static address for charities, billboards, and even tipping addresses in your signature here on bitcointalk.org issues.  We need full and widespread adoption of stealth addresses as soon as is safely possible.

BTW Peter is one of my favorite people in the whole world.  Not only for his work on stealth addresses but because of this post:

https://bitcointalksearch.org/topic/rfc-aethereum-a-turing-complete-coin-distributed-as-per-bitcoins-blockchain-563925

where he (hopefully) single-handedly wiped out all past, current and future shit/crap/junk/scam/pump-and-dump alt coins that do not implement his (or a similar) method of initial alt coin distribution.  His proposal will hopefully clean up the cesspool of alt coins once and for all.  I am not holding my breath but I am cautiously optimistic.
legendary
Activity: 1890
Merit: 1072
Ian Knowles - CIYAM Lead Developer
Again the "fungibility" issue doesn't really come into it unless we start talking about *choose your favourite colour* lists.

I hadn't noticed Luke's proposal before and maybe it isn't a bad idea - but you don't think something like "stealth" is actually a *better solution* all around?
legendary
Activity: 2646
Merit: 1136
All paid signature campaigns should be banned.
Here is the thread:

https://bitcointalk.org/index.php?topic=334316.0;all

Luke made a modest proposal:  in order to gently move everyone away from address reuse lets make it a bit more costly (in time not BTC).  In other words you can reuse addresses but your transaction confirmations will take a bit longer.  As far as the opinions of the "general Bitcoin public" on this issue check out the poll in this thread.

My first response in this thread:

Knee Jerk Reaction.

One of my later responses shows my change of heart and will give you some good posts to read:

what's so bad about address reuse anyway?
It is not about address reuse.  The issue is fungibility.

There are many posts above that explain the issue.  Just read them.

Try this one:

https://bitcointalksearch.org/topic/m.3588908

Then this one:

https://bitcointalksearch.org/topic/m.3589252

and the one after it for starters.

This entire thread is a gold mine for the issue at hand with good posts on all sides of the issue.

And yes, this entire Luke Jr thread is a gold mine for seeing my change of heart, good posts on the issue, and good links to other threads on the same subject.

One final note on blockchain.info:  On the one hand they are by far the single worst source of address reuse in the Bitcoin system given that their wallet encourages address reuse and they have so many customers. On the other hand they were the first to implement the coinjoin protocol proposed by gmaxwell and offer this service very cheaply (0.0005 BTC per mixing round) to their customers.  I applaud their efforts to help rectify the privacy dilution they helped to create.

And an ad:  bitmixer.io is the best mixing service I have found so far.  They can handle mixing amounts up to 2K BTC.  I tried to invest but they are not taking investors at this time.
legendary
Activity: 1890
Merit: 1072
Ian Knowles - CIYAM Lead Developer
I'm in support of BurtW's opinion that this is the one of two forking changes to the protocol that I'd be most in support of.

Then it will be how it works.

Good luck with that but I somehow don't see it happening any time soon but in the meantime it is of course a good idea to educate people about "smarter and safer" ways to do Bitcoin transactions.

Also I think that ideas along the lines of "stealth addresses" might hold more promise for the dealing with the issues of traceability.
legendary
Activity: 3416
Merit: 4658
Imagine someone saying "but I want to re-use invoice numbers. It's so much easier not to have to remember to use a new invoice number every time I pay a new invoice".  And someone else saying, "the world isn't as black and white as you might want it to be.  People should be able to re-use invoice numbers for multiple payments on multiple purchases".

Now tell me which one sounds silly?
True - but that is not how Bitcoin works (and not how *everyone was taught it works*) so that argument doesn't really work for me sorry.

People have formed some bad habits and have taught those bad habits to others.

I'm in support of BurtW's opinion that this is the one of two forking changes to the protocol that I'd be most in support of.

Then it will be how it works.
legendary
Activity: 1890
Merit: 1072
Ian Knowles - CIYAM Lead Developer
Imagine someone saying "but I want to re-use invoice numbers. It's so much easier not to have to remember to use a new invoice number every time I pay a new invoice".  And someone else saying, "the world isn't as black and white as you might want it to be.  People should be able to re-use invoice numbers for multiple payments on multiple purchases".

Now tell me which one sounds silly?

True - but that is not how Bitcoin works (and not how *everyone was taught it works*) so that argument doesn't really work for me sorry.
legendary
Activity: 3416
Merit: 4658
If I recall correctly, when this first became a heated topic about a year ago or so, there was talk about blacklisting and whitelisting addresses.  If addresses are re-used, then it becomes possible to choose addresses and state that they are "blacklisted" (or whitelisted) for any reason that a group of people might want to blacklist them.

Oh - okay - yes I remember that horrible stuff.

In any case - in general I would always use new address for each tx but I have found that for some things (such as not at home and don't have my own computer but need to receive funds for a face to face trade for example) a firstbits can be handy (I really have used this in the past back when blockchain.info supported firstbits).

Certainly I would not want people to ever use stupid black/white/orange lists.

In terms of "scaring off newbies" I think that one should educate them "one step at a time" and not expect them to be able to do "best practice" from the get-go.

If the protocol were changed as BurtW has suggested so that address re-use is not possible, then newbies will stop making the mistake of thinking of an address as an "account number" or "wallet" or "personal identifier", and will start thinking of it more like an invoice number (as they should).

Imagine someone saying "but I want to re-use invoice numbers. It's so much easier not to have to remember to use a new invoice number every time I pay a new invoice".  And someone else saying, "the world isn't as black and white as you might want it to be.  People should be able to re-use invoice numbers for multiple payments on multiple purchases".

Now tell me which one sounds silly?
legendary
Activity: 1890
Merit: 1072
Ian Knowles - CIYAM Lead Developer
If I recall correctly, when this first became a heated topic about a year ago or so, there was talk about blacklisting and whitelisting addresses.  If addresses are re-used, then it becomes possible to choose addresses and state that they are "blacklisted" (or whitelisted) for any reason that a group of people might want to blacklist them.

Oh - okay - yes I remember that horrible stuff.

In any case - in general I would always use new address for each tx but I have found that for some things (such as not at home and don't have my own computer but need to receive funds for a face to face trade for example) a firstbits can be handy (I really have used this in the past back when blockchain.info supported firstbits).

Certainly I would not want people to ever use stupid black/white/orange lists.

In terms of "scaring off newbies" I think that one should educate them "one step at a time" and not expect them to be able to do "best practice" from the get-go.
legendary
Activity: 3416
Merit: 4658
I do value the opinions of those that have put in the time and effort to learn how and why this all works. This includes CIYAM even though I happen to disagree with him on this particular matter.

And I likewise do value your opinion but I just find the extreme position a bit "hard to swallow" (in particular when we are hoping for more adoption of Bitcoin).

Certainly I do understand the issues of privacy (and potentially security) but I don't quite see how "fungibility" gets into this. Just because an address has been used doesn't make the funds "less spendable" (unless you guys are wanting to make it so - in which case you are the ones destroying fungibility IMO).

If I recall correctly, when this first became a heated topic about a year ago or so, there was talk about blacklisting and whitelisting addresses.  If addresses are re-used, then it becomes possible to choose addresses and state that they are "blacklisted" (or whitelisted) for any reason that a group of people might want to blacklist them.

If addresses are not re-used, then it is impossible to know what addresses will exist in the future, and therefore impossible to create a blacklist (or whitelist).

The ability to create a blacklist (or whitelist) destroys fungibility since coins that are received at, stored at, and sent from a blacklisted (or whitelisted) address are seen as somehow different than those that are not associated with an address on the list.

From there, additional conversations popped up discussing various other concerns about address re-use, but that was the concept that first turned many people away from thinking that address re-use was a good thing.
legendary
Activity: 1890
Merit: 1072
Ian Knowles - CIYAM Lead Developer
I do value the opinions of those that have put in the time and effort to learn how and why this all works. This includes CIYAM even though I happen to disagree with him on this particular matter.

And I likewise do value your opinion but I just find the extreme position a bit "hard to swallow" (in particular when we are hoping for more adoption of Bitcoin).

Certainly I do understand the issues of privacy (and potentially security) but I don't quite see how "fungibility" gets into this. Just because an address has been used doesn't make the funds "less spendable" (unless you guys are wanting to make it so - in which case you are the ones destroying fungibility IMO).
legendary
Activity: 3416
Merit: 4658
I will dig up the thread and even the specific posts by Greg Maxwell and Death & Taxes that convinced me that this privacy/fungibility issue is as important as I say.

I don't value the opinions of those that don't understand the protocol or its implications.

I do value the opinions of those that have put in the time and effort to learn how and why this all works. This includes CIYAM even though I happen to disagree with him on this particular matter.

Greg Maxwell and Death&Taxes are two others whose opinions I value on such matters.

It would be interesting to put together a list of people who have a reputation for understanding these details and then list out which of them are against the concept of address re-use and which are in favor of it.