Topic: Revealing public key (address re-use) (Read 2357 times)

full member
Activity: 121
Merit: 103
March 28, 2013, 12:33:58 PM
#5
Not re-using addresses makes sense, both from a security and potential privacy point of view.

I see #3 on the Bitcoin 400 Rich List has revealed their public key to the world. I take comfort in knowing that this owner would likely become a target first before any of my modest holdings, in the event of an ECDSA crisis. The blockchain could potentially be salvaged under such a scenario, but some coins could be moved without the owner's consent. I understand that not re-using addresses protects coins further by benefiting from the cryptographic hash functions, limiting any potential attacks.

...

tldr. Paranoid.

Didn't quite get the 2nd part of your post, so I don't think I can make a coherent response to it :)

It does make sense to limit the amount of coins stored at a given address, since if one were able to generate your private key they could steal the coins. Having less than the equivalent of USD 50K at an address is probably sufficient to be "safe" in the event that ECDSA weaknesses are exploited.
hero member
Activity: 900
Merit: 1014
advocate of a cryptographic attack on the globe
March 27, 2013, 10:48:28 PM
#4
The people who've assigned very large amounts of coins to single addresses, or even single outputs— I think these people are insane.  They are a loose cosmic ray away from all that coin being gone forever when they form a transaction and send all that change at once. Or some crazy glitch causes them to reuse a K value in a signing... private key is revealed... all that gone goes bye bye. etc.

What would you recommend as the best way to keep multiple wallets secure (from cosmic rays and thieves) which have multiple inputs and outputs? And what is the best way to conduct frequent audits to make sure that one still controls the coins?
staff
Activity: 4284
Merit: 8808
March 27, 2013, 09:58:25 PM
#3
However, at times I also have this silly illogical action-outcome monkey brain which tells me I would feel better if I see my keys signing a tx first before I send larger holdings to it.
I've also felt that way— and when I feel that way I use signmessage/verifymessage exactly as you've suggested. (I'd say— use a raw transaction, but you can't really do that until you have coin assigned to that address). Doing so shows that there was no crazy cosmic ray induced insanity with the key generation.

The people who've assigned very large amounts of coins to single addresses, or even single outputs— I think these people are insane.  They are a loose cosmic ray away from all that coin being gone forever when they form a transaction and send all that change at once. Or some crazy glitch causes them to reuse a K value in a signing... private key is revealed... all that gone goes bye bye. etc.

The reference client has unit tests that should catch systemic failure, compiler bugs, etc— but if some crazy faulty hardware or radioactive whatsit makes you send change to an address you can't sign for... you're SOL.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
March 27, 2013, 06:51:03 PM
#2
Don't worry, I think your pubic key is pretty safe with bitcoin
member
Activity: 75
Merit: 10
March 27, 2013, 08:40:54 AM
#1
Not re-using addresses makes sense, both from a security and potential privacy point of view.

I see #3 on the Bitcoin 400 Rich List has revealed their public key to the world. I take comfort in knowing that this owner would likely become a target first before any of my modest holdings, in the event of an ECDSA crisis. The blockchain could potentially be salvaged under such a scenario, but some coins could be moved without the owner's consent. I understand that not re-using addresses protects coins further by benefiting from the cryptographic hash functions, limiting any potential attacks.

Whilst I don't understand all of the cryptographic axioms and low-level fundamentals of pubic key and hash functions, I do understand their principles and appreciate the mathematics. Mathematics and its proofs are the only thing that my logical brain can completely put its faith and trust in.

However, at times I also have this silly illogical action-outcome monkey brain which tells me I would feel better if I see my keys signing a tx first before I send larger holdings to it. In fact, early on before I understood "change" (and did not consider coin control), I was rather ignorant to the fact that change was being spent to new addresses. Ignorance truly is bliss.

I now like to know the locations of my coins. However, I also don't completely trust myself manipulating the protocol specification (especially not raw txs) and still like to see some burden of proof. I also like using the reference client. I find myself exporting signed txs first before I broadcast, so I know where my change will be spent to! ;)

For these silly paranoid moments, can signing a message and then verifying the message suffice as "proof" that the reference client and network will "accept" future transactions? Whilst I understand the signature functions are practically the same, I am theorising if some unknown bug in the larger majority install base could reject a spend from some weird malformed address. I recall an early version of bitaddress.org had some sort of malformed key issue. Wouldn't want to be in a position where the network would accept a spend to a hashed public key, but prevented its spend.

tldr. Paranoid.