Pages:
Author

Topic: Why/Is reusing BTC address (both for receiving and sending) harmful (Read 2562 times)

legendary
Activity: 882
Merit: 1000
So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.

Unless what you send exactly equals to what you received before, otherwise there's a change and the change needs to be sent to a change address in the same transaction. So if you see a transaction S -> A and S -> S2, you know it's highly likely S and S2 belongs to the same wallet. As a result, your address S is associated with the change address S2, but not so closely because you can still claim (arguably weakly) that you are sending to two different people simultaneously and happens to used up all the unspent amount of S.

Then let's say you have change address A, and change Address B, they all have 0.5 BTC and you want to send to user U 1 BTC, then this time you will see A -> U 0.5 and B -> U 0.5. This makes a strong association between A and B and every one knows A and B belongs to the same wallet.

Therefore, it is easy to associate the addresses in the same wallet by analysing the block chain.

If you don't reuse the address S. It will never have an unspent output after this transaction again. If you use every address only once. S will receive exactly 1 Transaction and never again a second one. Therefore there will never be more than one change address for ever address. And it's impossible to tell which address is the change address and which one is the reviving address.

Changing Wallets here makes absolutely 0 difference. That was the point.

What you are missing here is that a wallet may contain many unspent txouts from receiving many payments from different sources before there is any need to purchase something with the wallet.

Lets say I sell alpaca socks out of a truck down by the river. I would be receiving many 0.10 BTC payments from different individuals to different addresses, suppose for a total of 20 .1 BTC payments in my wallet.

Now, I donate 0.95 BTC to a known-address donation site and say to everybody "hey, I just donated!". There will be a 0.05 change back to my wallet, that is now considered "tainted" - based on my declaration of donation, or the site owner saying "thanks for donating, deepceleron", it has become simple to figure out my donation AND determine which is the change back to me that is still in my wallet.

So I've got 1.00 BTC of sock-selling money that 10 sock buyers know the address of, and 0.05 that anybody interested can know about.

I then send the entire contents of my wallet to a man-boy snowden tibet love honey pot that is supposed to be anonymous, but is monitored or busted by a government. Even with this site using one-time addresses, the previous use of a reused address has compromised my identity and made my payment have little plausible deniability, due to my control of the change. The "change" could have been a multi-send to a third party, and the third party may have made the illicit payment, but LE will not care to investigate so much when they need doors to kick in.

The disclosure is because you publicly donated to a know address and later send money to another well known address (at least known to the authority), and it of course make your address public and makes all your efforts in never reusing addresses void.

I believe if someone wants to do some problematic donation, he has to create a new wallet and use some mix service anyway.
legendary
Activity: 3472
Merit: 4801
Someone can't trace your transactions on blockchain?Huh? Huh

Yes.
member
Activity: 113
Merit: 10
Someone can't trace your transactions on blockchain?Huh? Huh
legendary
Activity: 1512
Merit: 1036
So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.

Unless what you send exactly equals to what you received before, otherwise there's a change and the change needs to be sent to a change address in the same transaction. So if you see a transaction S -> A and S -> S2, you know it's highly likely S and S2 belongs to the same wallet. As a result, your address S is associated with the change address S2, but not so closely because you can still claim (arguably weakly) that you are sending to two different people simultaneously and happens to used up all the unspent amount of S.

Then let's say you have change address A, and change Address B, they all have 0.5 BTC and you want to send to user U 1 BTC, then this time you will see A -> U 0.5 and B -> U 0.5. This makes a strong association between A and B and every one knows A and B belongs to the same wallet.

Therefore, it is easy to associate the addresses in the same wallet by analysing the block chain.

If you don't reuse the address S. It will never have an unspent output after this transaction again. If you use every address only once. S will receive exactly 1 Transaction and never again a second one. Therefore there will never be more than one change address for ever address. And it's impossible to tell which address is the change address and which one is the reviving address.

Changing Wallets here makes absolutely 0 difference. That was the point.

What you are missing here is that a wallet may contain many unspent txouts from receiving many payments from different sources before there is any need to purchase something with the wallet.

Lets say I sell alpaca socks out of a truck down by the river. I would be receiving many 0.10 BTC payments from different individuals to different addresses, suppose for a total of 20 .1 BTC payments in my wallet.

Now, I donate 0.95 BTC to a known-address donation site and say to everybody "hey, I just donated!". There will be a 0.05 change back to my wallet, that is now considered "tainted" - based on my declaration of donation, or the site owner saying "thanks for donating, deepceleron", it has become simple to figure out my donation AND determine which is the change back to me that is still in my wallet.

So I've got 1.00 BTC of sock-selling money that 10 sock buyers know the address of, and 0.05 that anybody interested can know about.

I then send the entire contents of my wallet to a man-boy snowden tibet love honey pot that is supposed to be anonymous, but is monitored or busted by a government. Even with this site using one-time addresses, the previous use of a reused address has compromised my identity and made my payment have little plausible deniability, due to my control of the change. The "change" could have been a multi-send to a third party, and the third party may have made the illicit payment, but LE will not care to investigate so much when they need doors to kick in.
legendary
Activity: 882
Merit: 1000
Ok. That's interesting. Thanks for sharing.

Then I am more convinced that if a careful person always use address only once, no need to worry about the other part has a well known address. It's very difficult to link the address he uses this time with all other addresses he owns.
legendary
Activity: 1232
Merit: 1001
How about the combining case?
If we see B -> E
             C ->

Then B, C are associated right?

Still a new Wallet makes no sense, unless you abandon all BTC in the old Wallet.

And yes, 2 outputs combinated are likely to be from one person, but there is still no guarantee.

See: https://bitcointalksearch.org/topic/i-taint-rich-raw-txn-fun-and-disrupting-taint-analysis-51kbtc-linked-139581

Edit: Typo
legendary
Activity: 882
Merit: 1000
Even if it is risky, I'm to lazy to make new addresses
If you are using clients other than MultiBit, (e.g. the Qt version and Amony), most likely the client is creating a new change address whenever you send out BTC.
legendary
Activity: 882
Merit: 1000
How do you tell which of the two outputs was the change and which the payment?

With each transaction you have a 50% chance to follow the wrong path.

Good point, but sometimes by looking at the amount you can know better than 50% chance.
full member
Activity: 182
Merit: 100
Even if it is risky, I'm to lazy to make new addresses
legendary
Activity: 882
Merit: 1000
How about the combining case?
If we see B -> E
             C ->

Then B, C are associated right?
legendary
Activity: 1232
Merit: 1001
So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.

Unless what you send exactly equals to what you received before, otherwise there's a change and the change needs to be sent to a change address in the same transaction. So if you see a transaction S -> A and S -> S2, you know it's highly likely S and S2 belongs to the same wallet. As a result, your address S is associated with the change address S2, but not so closely because you can still claim (arguably weakly) that you are sending to two different people simultaneously and happens to used up all the unspent amount of S.

Then let's say you have change address A, and change Address B, they all have 0.5 BTC and you want to send to user U 1 BTC, then this time you will see A -> U 0.5 and B -> U 0.5. This makes a strong association between A and B and every one knows A and B belongs to the same wallet.

Therefore, it is easy to associate the addresses in the same wallet by analysing the block chain.

If you don't reuse the address S. It will never have an unspent output after this transaction again. If you use every address only once. S will receive exactly 1 Transaction and never again a second one. Therefore there will never be more than one change address for ever address. And it's impossible to tell which address is the change address and which one is the reviving address.

Changing Wallets here makes absolutely 0 difference. That was the point.
full member
Activity: 168
Merit: 100
How do you tell which of the two outputs was the change and which the payment?

With each transaction you have a 50% chance to follow the wrong path.
legendary
Activity: 882
Merit: 1000
So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.

Unless what you send exactly equals to what you received before, otherwise there's a change and the change needs to be sent to a change address in the same transaction. So if you see a transaction S -> A and S -> S2, you know it's highly likely S and S2 belongs to the same wallet. As a result, your address S is associated with the change address S2, but not so closely because you can still claim (arguably weakly) that you are sending to two different people simultaneously and happens to used up all the unspent amount of S.

Then let's say you have change address A, and change Address B, they all have 0.5 BTC and you want to send to user U 1 BTC, then this time you will see A -> U 0.5 and B -> U 0.5. This makes a strong association between A and B and every one knows A and B belongs to the same wallet.

Therefore, it is easy to associate the addresses in the same wallet by analysing the block chain.
full member
Activity: 168
Merit: 100
There is also a security reason why you should not send twice from the same address.

Once you create a transaction, the public key for the sending address is revealed (before there is only the hash). This gives an adversary more information for an attack.

A specific example where this was exploited is the Android RNG issue. Signing with the same private key multiple times allowed attackers to calculate the private key.
legendary
Activity: 1232
Merit: 1001
So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.
legendary
Activity: 882
Merit: 1000
Quote
How can they know that transaction belongs to B?
Whatever made {B} interesting to them in the first place. Perhaps he was involved in an unusually high value transaction.  Perhaps {B} paid to a "Free tibet" honeypot or well known (reused) donation address and the attacker is the chinese government and now they want to identify B to send him to a reeducation camp.

Quote
and never worry about their identity is disclosed
People never worry about a lot of things, including some things they really should and some things they'll later greatly regret not worrying about.
But B never reuses address, so whatever interests others is not the same address used to transact with A. B use address 1 to donate to 'Free Tibet' or whatever, and B use address 2 to send to 'well known' A. Why do you know address 1 and address 2 both belong to B?


Address 1 may have separate fund sources in the same wallet as Address 2.

If payments from B are to known reused addresses, the change is easily identifiable.

When B-1-Change is combined with B-2-Change in a third transaction, those payments are associated.



So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?
legendary
Activity: 1512
Merit: 1036
Quote
How can they know that transaction belongs to B?
Whatever made {B} interesting to them in the first place. Perhaps he was involved in an unusually high value transaction.  Perhaps {B} paid to a "Free tibet" honeypot or well known (reused) donation address and the attacker is the chinese government and now they want to identify B to send him to a reeducation camp.

Quote
and never worry about their identity is disclosed
People never worry about a lot of things, including some things they really should and some things they'll later greatly regret not worrying about.
But B never reuses address, so whatever interests others is not the same address used to transact with A. B use address 1 to donate to 'Free Tibet' or whatever, and B use address 2 to send to 'well known' A. Why do you know address 1 and address 2 both belong to B?


Address 1 may have separate fund sources in the same wallet as Address 2.

If payments from B are to known reused addresses, the change is easily identifiable as still under the control of the wallet owner.

When B-1-Change is combined with B-2-Change in a third transaction, those payments are associated and the transaction also identifiable as made by the wallet owner.

legendary
Activity: 882
Merit: 1000
Quote
How can they know that transaction belongs to B?
Whatever made {B} interesting to them in the first place. Perhaps he was involved in an unusually high value transaction.  Perhaps {B} paid to a "Free tibet" honeypot or well known (reused) donation address and the attacker is the chinese government and now they want to identify B to send him to a reeducation camp.

Quote
and never worry about their identity is disclosed
People never worry about a lot of things, including some things they really should and some things they'll later greatly regret not worrying about.
But B never reuses address, so whatever interests others is not the same address used to transact with A. B use address 1 to donate to 'Free Tibet' or whatever, and B use address 2 to send to 'well known' A. Why do you know address 1 and address 2 both belong to B?
staff
Activity: 4284
Merit: 8808
Quote
How can they know that transaction belongs to B?
Whatever made {B} interesting to them in the first place. Perhaps he was involved in an unusually high value transaction.  Perhaps {B} paid to a "Free tibet" honeypot or well known (reused) donation address and the attacker is the chinese government and now they want to identify B to send him to a reeducation camp.

Quote
and never worry about their identity is disclosed
People never worry about a lot of things, including some things they really should and some things they'll later greatly regret not worrying about.
legendary
Activity: 882
Merit: 1000
Could you provide a concrete example to explain why reusing addresses by A will affect B if B always carefully choosing address. and how both A and B never reusing addresses prevent it? I'm still not so clear about it.

Since the drawbacks are very apparent, IMHO you need a very clear explanation about the benefit and why the benefit is far more important than the drawbacks.

http://blockexplorer.com/address/1Lukejrwhew7sj4TvWCKksaVo7aLpedHDt

Follow the coins back ~12 hops to where they were generated, then follow forward where they were sent to "A". Easy to identify the recipient and owner. Backwards, not so much.

Now if B's next payment with the change from that transaction is to "free Tibet", buy "recreational substances", or pay a hitman to whack a business partner, association with the transaction A may reveal identity. When A is shared and reused, as in "this is the donation address for Eligius", any separate-channel information about someone making a donation to Eligius can be used with this known address to reveal a path to their money.
How do you know it's a change rather than another transaction to others? Why sending BTC to a donation address will disclose my identity and address? People all around the world send to well known address of 'just-dice' and never worry about their identity is disclosed.
Pages:
Jump to: