
Topic: re-use of addresses - page 5. (Read 5530 times)

legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 04, 2014, 09:56:32 PM
#30
Thanks for the lesson.

(I was also unaware that there was a separate PubKeyHash.)

Follow-up question:

Quote
Now if 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8 spends some but not all of these outputs then in the input side of the tx, to "prove" the outputs correspond to his keypair the user will provide the PubKey.  The PubKey becomes known when it is spent because it is provided in the input side of the spending transaction.   Until that happens the PubKey is unknown.

What if they spent all?  Wouldn't we still need to provide the PubKey as an input?  
donator
Activity: 1218
Merit: 1079
Gerald Davis
May 04, 2014, 09:39:35 PM
#29
What I would like to know now is
on a technical level, WHY
you can safely re-use a receiving address
but not a sending address?

we are using cryptography to sign
the transaction and verify the
transaction... so why does
the address become known only
on the sending side and not
the receiving side?

The first thing you need to do is remove incorrect concepts like receiving and spending addresses. There is no such thing. There are only addresses. The protocol doesn't even use addresses; it converts addresses to the raw PubKeyHash (which is a hash of the Public Key).

When you send funds to a given address you are actually sending them to the PubKeyHash. The transaction becomes a public record, thus the PubKeyHash (and the address, which can be computed from it) is known; however, the Public Key (PubKey) is NOT known. Look at the output of any transaction: the funds are sent to a PubKeyHash (160 bits).

For example here is a recent tx (pulled at random).   
http://blockchain.info/tx/4c555be716ccf923252ae118f2e9719a7ce6d4fdbf52a8cc03489b330debbd01

Funds were sent to 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8

Technically the output is this
Code:
OP_DUP OP_HASH160 a3988fd05be9c9b642503e61ec6bb6ed553ab8a2 OP_EQUALVERIFY OP_CHECKSIG 

a3988fd05be9c9b642503e61ec6bb6ed553ab8a2 is the PubKeyHash which corresponds to address 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8.

So the PubKeyHash is known, and if you search the blockchain by address you will see this address received funds multiple times. However, the PubKey is unknown. What is the PubKey for a3988fd05be9c9b642503e61ec6bb6ed553ab8a2? There is no feasible method of finding out (unless you already know because you have seen the PubKey).

Now if 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8 spends some but not all of these outputs then in the input side of the tx, to "prove" the outputs correspond to his keypair the user will provide the PubKey.  The PubKey becomes known when it is spent because it is provided in the input side of the spending transaction.   Until that happens the PubKey is unknown.

If tomorrow there was an exploit which required knowledge of the PubKey this user would not be immediately at risk.

Quote
Is this a feature of all the altcoins
as well?

If they were based on Bitcoin or a derivative of Bitcoin then yes.  If they were completely new then it is possible this doesn't apply although I don't know of any.
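The mechanics described in the post above, as an added worked example (this is not code from the thread or from any wallet): it builds the same OP_DUP OP_HASH160 ... OP_EQUALVERIFY OP_CHECKSIG output, shows that the address is only a Base58Check encoding of the 20-byte PubKeyHash, and models the hash check that a spend passes by revealing the public key. It uses the Python standard library only and assumes an OpenSSL build that exposes RIPEMD-160 to hashlib; the sample public key is constructed and is not a real curve point.

```python
# Added example, not code from the thread: what a P2PKH output commits to
# (HASH160 of the public key), how the Base58Check address is just another
# encoding of that hash, and what a spending input reveals. Standard library
# only; assumes an OpenSSL build that exposes RIPEMD-160 to hashlib.
import hashlib

B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC
MAINNET_P2PKH_VERSION = 0x00  # the leading 0x00 byte is why these addresses start with '1'


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)): the 20-byte PubKeyHash the output commits to."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, payload: bytes) -> str:
    """version || payload || first 4 bytes of SHA256d(version || payload), in base 58."""
    raw = bytes([version]) + payload
    raw += sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58[rem])
    leading = len(raw) - len(raw.lstrip(b"\x00"))  # each leading 0x00 becomes a '1'
    return (B58[:1] * leading + digits[::-1]).decode()


def b58check_decode(addr: str):
    """Inverse of b58check_encode: returns (version, payload); raises on a bad checksum."""
    n = 0
    for ch in addr.encode():
        n = n * 58 + B58.index(ch)  # ValueError for a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) < 5 or sha256d(raw[:-4])[:4] != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[0], raw[1:-4]


def p2pkh_script(pubkey_hash: bytes) -> bytes:
    """scriptPubKey: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG."""
    if len(pubkey_hash) != 20:
        raise ValueError("PubKeyHash must be 20 bytes")
    return bytes([OP_DUP, OP_HASH160, 20]) + pubkey_hash + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def pubkey_hash_from_script(script: bytes) -> bytes:
    """Pull the committed hash back out of a standard P2PKH scriptPubKey."""
    if (len(script) != 25 or script[:3] != bytes([OP_DUP, OP_HASH160, 20])
            or script[23:] != bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        raise ValueError("not a P2PKH scriptPubKey")
    return script[3:23]


def address_from_script(script: bytes) -> str:
    return b58check_encode(MAINNET_P2PKH_VERSION, pubkey_hash_from_script(script))


def spend_reveals_key(script: bytes, revealed_pubkey: bytes) -> bool:
    """The OP_DUP OP_HASH160 <hash> OP_EQUALVERIFY part of script evaluation: the
    pubkey the spender pushes in scriptSig must hash to the committed value.
    From that moment the pubkey is public. OP_CHECKSIG itself is not modelled."""
    return hash160(revealed_pubkey) == pubkey_hash_from_script(script)


# Constructed sample: shaped like a compressed public key; hashing does not
# care whether it is a valid curve point.
SAMPLE_PUBKEY = bytes.fromhex("02" + "11" * 32)

if __name__ == "__main__":
    # The thread's output: the chain shows only the hash, never its preimage.
    h = bytes.fromhex("a3988fd05be9c9b642503e61ec6bb6ed553ab8a2")
    script = p2pkh_script(h)
    print("scriptPubKey:", script.hex())
    print("address     :", address_from_script(script))
    # A spend from the sample key exposes the preimage, which then passes the check.
    sample_script = p2pkh_script(hash160(SAMPLE_PUBKEY))
    print("sample addr :", address_from_script(sample_script))
    print("pubkey accepted by script:", spend_reveals_key(sample_script, SAMPLE_PUBKEY))
```

Because HASH160 is preimage resistant, an address that has only ever received funds exposes nothing but the 20-byte hash; the first spend puts the public key into a scriptSig, and from then on only the hardness of the discrete logarithm on secp256k1 stands between the funds and anyone who finds a weakness in it.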
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 04, 2014, 09:38:10 PM
#28

If tomorrow Sean signed a tx using a flawed wallet which used a repeated k value then a hacker would probably detect that and exploit it within seconds, emptying the wallet.

Wow.  I didn't know that scenario existed. 

I guess there are MANY things that could go wrong
with a flawed wallet, including weak cryptography,
coins being burned, or something as dumb as
it accidentally deleting your private keys.

donator
Activity: 1218
Merit: 1079
Gerald Davis
May 04, 2014, 09:27:00 PM
#27
so everyone should be screaming at 'seans outpost' that he can lose all donations in his address tomorrow?? not next year or 10 years time when quantum computers are around.. but tomorrow.

This has been asked and answered three times. Reusing addresses reduces security. Period. The risks can't be quantified as an exact % of losing funds tomorrow, or next year, or next decade, but the risk is increased, the margin of safety is decreased.

If tomorrow Sean signed a tx using a flawed wallet which used a repeated k value then a hacker would probably detect that and exploit it within seconds, emptying the wallet. If addresses were not reused then there would be no risk even if the same k value was used. Likewise we simply do not know if/when cryptanalysis will yield usable exploits against ECDSA. It could be tomorrow or it might never happen before you die. It isn't something that can be definitively quantified. Hashing the public key is a secondary safety. You can remove that safety and if the primary safety (the security of ECDSA and the secp256k1 curve) remains intact you are fine. In other words you are safe until you aren't.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 04, 2014, 09:24:58 PM
#26
ok time to not be subtle

after all whats the point in telling everyone that bitcoin is so great due to funds being secured by 256bit and elliptic curved private keys at the back end of a transaction which never appear on the blockchain, if someone can steal funds from the front end that are only 128bit secured using publicly available data

so my next question:

so everyone should be screaming at 'seans outpost' that he can lose all donations in his address tomorrow?? not next year or 10 years time when quantum computers are around.. but tomorrow.

or is this just a hypothetical future-proofing of a possible risk relating to quantum computers maybe in the future cracking 128bit


1. we just established that it's OK to re-use a receive-only address and you stay at 160-bit security.

2. even if an address is re-used for sending and you're down to 128 bits of security, it's still a
hypothetical weakness.  Quantum computers today cannot compute/factor more than a few bits, and
there is no known weakness to the elliptic curves used in Bitcoin.

legendary
Activity: 4410
Merit: 4766
May 04, 2014, 09:18:00 PM
#25
ok time to not be subtle

after all whats the point in telling everyone that bitcoin is so great due to funds being secured by 256bit and elliptic curved private keys at the back end of a transaction which never appear on the blockchain, if someone can steal funds from the front end that are only 128bit secured using publicly available data

so my next question:

so everyone should be screaming at 'seans outpost' that he can lose all donations in his address tomorrow?? not next year or 10 years time when quantum computers are around.. but tomorrow.

or is this just a hypothetical future-proofing of a possible risk relating to quantum computers maybe in the future cracking 128bit

i only ask this in common human understanding so that the laymen of the world who are already gossiping and starting to FUD spread that bitcoin is already broke due to a re-use address vulnerability
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 04, 2014, 09:07:38 PM
#24
What I would like to know now is
on a technical level, WHY
you can safely re-use a receiving address
but not a sending address?

we are using cryptography to sign
the transaction and verify the
transaction... so why does
the address become known only
on the sending side and not
the receiving side?

Is this a feature of all the altcoins
as well?
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 04, 2014, 08:58:55 PM
#23
Any Localbitcoin Sellers on here?

Reading this thread made me a bit worried about the auto-generated blockchain wallet attached to our accounts.

Apparently we can change them (+still have access to previous?) but thought it's pretty damn secure at any rate. What do you guys reckon?

Blockchain.info ?  That's an online wallet.  The main risks there are
some hacker steals your password (please set up 2FA!) or
the site itself is hacked or internally compromised. 

Those things are probably more likely to happen than
you losing your coins because of address re-use.

Cheers J

Assumed it was autogenerated from the blockchain.info with multisig because when you click on the address in "wallet", links to site.

But see what you mean.  So do they move our BTC funds when we deposit into:

cold storage wallet


I have no idea about the internals of blockchain or how
they are handling their cold wallets.


legendary
Activity: 1232
Merit: 1002
May 04, 2014, 08:51:52 PM
#22

There is no way to quantify the risk of the first two factors; however, if it happens and you have funds stored in a known pubkey it will be too late.   The third scenario has already happened multiple times (Android OS and bitcoinjs).



I think I can quantify this!

No you can't.

Quote
with the current hash power for BTC if everyone would mine in a pool to brute force your address  then first the sun will explode and after they will break into your address

Which has nothing to do with the points you "quantified".

legendary
Activity: 1232
Merit: 1002
May 04, 2014, 08:49:42 PM
#21

There is no way to quantify the risk of the first two factors; however, if it happens and you have funds stored in a known pubkey it will be too late.   The third scenario has already happened multiple times (Android OS and bitcoinjs).



I think I can quantify this!

with the current hash power for BTC, if everyone would mine in a pool to brute force your address then first the sun will explode and after that they will break into your address ... which will be pointless because we won't have any sun.

He said cryptanalysis and quantum computing, not ordinary brute-forcing, but you're right.

On a side note, will the sun really "explode"  or just burn out?


Nope, Not our SUN! He is too small!

If you are interested you might want to check this article http://www.universetoday.com/107791/will-the-sun-explode/

Enjoy.
donator
Activity: 1218
Merit: 1079
Gerald Davis
May 04, 2014, 08:49:31 PM
#20

There is no way to quantify the risk of the first two factors; however, if it happens and you have funds stored in a known pubkey it will be too late.   The third scenario has already happened multiple times (Android OS and bitcoinjs).



I think I can quantify this!

No you can't.

Quote
with the current hash power for BTC if everyone would mine in a pool to brute force your address  then first the sun will explode and after they will break into your address

Which has nothing to do with the points you "quantified".
full member
Activity: 224
Merit: 100
May 04, 2014, 08:46:55 PM
#19
Any Localbitcoin Sellers on here?

Reading this thread made me a bit worried about the auto-generated blockchain wallet attached to our accounts.

Apparently we can change them (+still have access to previous?) but thought it's pretty damn secure at any rate. What do you guys reckon?

Blockchain.info ?  That's an online wallet.  The main risks there are
some hacker steals your password (please set up 2FA!) or
the site itself is hacked or internally compromised. 

Those things are probably more likely to happen than
you losing your coins because of address re-use.

Cheers J

Assumed it was autogenerated from the blockchain.info with multisig because when you click on the address in "wallet", links to site.

But see what you mean.  So do they move our BTC funds when we deposit into:

cold storage wallet

legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 04, 2014, 08:41:52 PM
#18

There is no way to quantify the risk of the first two factors; however, if it happens and you have funds stored in a known pubkey it will be too late.   The third scenario has already happened multiple times (Android OS and bitcoinjs).



I think I can quantify this!

with the current hash power for BTC, if everyone would mine in a pool to brute force your address then first the sun will explode and after that they will break into your address ... which will be pointless because we won't have any sun.

He said cryptanalysis and quantum computing, not ordinary brute-forcing, but you're right.

On a side note, will the sun really "explode"  or just burn out?
legendary
Activity: 1232
Merit: 1002
May 04, 2014, 08:38:44 PM
#17

There is no way to quantify the risk of the first two factors; however, if it happens and you have funds stored in a known pubkey it will be too late.   The third scenario has already happened multiple times (Android OS and bitcoinjs).



I think I can quantify this!

with the current hash power for BTC, if everyone would mine in a pool to brute force your address then first the sun will explode and after that they will break into your address ... which will be pointless because we won't have any sun.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 04, 2014, 08:30:24 PM
#16
Any Localbitcoin Sellers on here?

Reading this thread made me a bit worried about the auto-generated blockchain wallet attached to our accounts.

Apparently we can change them (+still have access to previous?) but thought it's pretty damn secure at any rate. What do you guys reckon?

Blockchain.info ?  That's an online wallet.  The main risks there are
some hacker steals your password (please set up 2FA!) or
the site itself is hacked or internally compromised.  (Goxxed).

Although I trust Blockchain (Andreas Antonopoulos is their chief of security)
infinitely more than Mark Karpeles and Gox, its still an online wallet
and it could happen.

Those things are probably more likely to happen than
you losing your coins because of address re-use.
member
Activity: 81
Merit: 10
May 04, 2014, 08:22:32 PM
#15
I don't re-use addresses but I might as well because I use a wallet (armory) program that can send from any of my addresses.  kind of annoying
full member
Activity: 224
Merit: 100
May 04, 2014, 08:19:43 PM
#14
Any Localbitcoin Sellers on here?

Reading this thread made me a bit worried about the auto-generated blockchain wallet attached to our accounts.

Apparently we can change them (+still have access to previous?) but thought it's pretty damn secure at any rate. What do you guys reckon?
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 04, 2014, 08:17:51 PM
#13
It seems my electrum wallet is pretty good about automatically creating new addresses for most transactions.

I was just reviewing my cold storage coins and seems that the main addresses are only used once despite a few transactions in the wallet.
donator
Activity: 1218
Merit: 1079
Gerald Davis
May 04, 2014, 08:04:30 PM
#12
all I'm reading is about privacy so people can't track you and that a public key will become............ public..

so to quote myself as i think the main point people are truly concerned with is losing their coins, so:

try to explain it to a legit charity that does not care about privacy at all.
example: donation address to seans outpost

he does not care about privacy AT ALL, in fact he wants the world to know and use that address for donations, and he 'spends' the inputs many times a month. explain the risk and/or chance all their donations can be lost by using the same address.

(without meandering into a privacy concern)


the layman wishes to know SECURITY risk not privacy risk

I think you misunderstand. If your public key is known then the security of your address is reduced. Today, assuming the wallet implementation is proper, it is reduced from 160-bit to 128-bit security. It is the public knowledge of the PubKey which reduces the security of the funds. So public knowledge of the PubKey IS a security issue, not just a privacy issue.

Can a known PubKey lead to a loss of funds?  In most cases it may not, but
* if Quantum Computing ever advances to a point where it is economical to break a 256 bit PubKey your funds could be stolen.
* if cryptanalysis advances to a point where it becomes possible to brute force a 256 bit PubKey your funds could be stolen.
* if your wallet implementation (or underlying library and/or OS) through deliberate intent or negligence reuses the same k value for the same PubKey your funds could be stolen.

There is no way to quantify the risk of the first two factors; however, if it happens and you have funds stored in a known pubkey it will be too late.   The third scenario has already happened multiple times (Android OS and bitcoinjs).

The hash of the pubkey is a secondary line of defense.  It is like asking why can't I clean a firearm while it is loaded and the safety off.  In theory if you do everything right you could accomplish that without incident but taking that risk serves no purpose and if it doesn't end badly for you, if enough people try it, it will end badly for someone.
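The third bullet above, and the "repeated k value" scenario in post #27, as an added worked example (not code from the thread or from any wallet): a pure-Python secp256k1 with textbook ECDSA, two signatures made with the same k under one key, and the arithmetic an attacker runs to recover the private key from them. The keys, nonces and "transactions" are constructed for the demonstration; the curve code is neither constant-time nor fast and is not for real use.

```python
# Added example, not code from the thread: ECDSA nonce reuse on secp256k1.
# Two signatures made with the same k under one key leak the private key,
# which is the "repeated k value" failure the posts above describe. Pure
# Python, slow and un-hardened; keys and messages are constructed.
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, point=G):
    """Double-and-add scalar multiplication (not constant time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def pubkey_bytes(point) -> bytes:
    """SEC1 compressed encoding: the form that lands in scriptSig when spending."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def z_of(msg: bytes) -> int:
    """Digest as an integer; Bitcoin signs SHA256d of the transaction."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(msg).digest()).digest(), "big")


def sign(d: int, msg: bytes, k: int):
    """Textbook ECDSA. k is a parameter only to demonstrate the reuse bug; a real
    signer derives a fresh secret k per signature (RFC 6979 or a CSPRNG)."""
    r = mul(k)[0] % N
    s = (z_of(msg) + r * d) * pow(k, -1, N) % N
    return r, s


def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    z = z_of(msg)
    pt = _add(mul(z * w % N), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(pub, msg1, sig1, msg2, sig2) -> int:
    """Equal r in two signatures means equal k. Then, mod N:
         s1 - s2 = k^-1 (z1 - z2)  =>  k = (z1 - z2) / (s1 - s2)
         s1 * k  = z1 + r * d      =>  d = (s1 * k - z1) / r
    A wallet may have low-s normalised one signature (s -> N - s), so both
    sign choices for s2 are tried and each candidate d is checked against pub."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r values: the nonce was not reused")
    z1, z2 = z_of(msg1), z_of(msg2)
    for s2c in (s2, N - s2):
        if (s1 - s2c) % N == 0:
            continue
        k = (z1 - z2) * pow(s1 - s2c, -1, N) % N
        d = (s1 * k - z1) * pow(r1, -1, N) % N
        if mul(d) == pub:
            return d
    raise ValueError("signatures do not share a nonce")


def demo_nonce_reuse() -> bool:
    """Random key, one k used for two spends (the bug); the attacker recovers d."""
    d = secrets.randbelow(N - 1) + 1
    pub = mul(d)
    k = secrets.randbelow(N - 1) + 1
    tx1, tx2 = b"constructed tx 1 from this key", b"constructed tx 2 from this key"
    sig1, sig2 = sign(d, tx1, k), sign(d, tx2, k)
    assert verify(pub, tx1, sig1) and verify(pub, tx2, sig2)
    return recover_private_key(pub, tx1, sig1, tx2, sig2) == d


if __name__ == "__main__":
    print("private key recovered from two same-k signatures:", demo_nonce_reuse())
```

With one signature per key the two equations in `recover_private_key` have two unknowns (k and d) and nothing leaks; the attack needs a second signature from the same key, which only exists when the same address has received and spent more than once. That is why a wallet that never reuses addresses limits the damage of a broken nonce generator, while a reused donation address turns the same bug into an emptied wallet. The attacker needs nothing secret: both signatures and the public key are in the spending transactions on the chain.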

legendary
Activity: 4410
Merit: 4766
May 04, 2014, 07:36:15 PM
#11
all I'm reading is about privacy so people can't track you and that a public key will become............ public..

so to quote myself as i think the main point people are truly concerned with is losing their coins, so:

try to explain it to a legit charity that does not care about privacy at all.
example: donation address to seans outpost

he does not care about privacy AT ALL, in fact he wants the world to know and use that address for donations, and he 'spends' the inputs many times a month. explain the risk and/or chance all their donations can be lost by using the same address.

(without meandering into a privacy concern)


the layman wishes to know SECURITY risk not privacy risk