Bitcoin Forum

Bitcoin => Electrum => Topic started by: ssmc2 on December 22, 2014, 12:25:16 AM



Title: Reused R values
Post by: ssmc2 on December 22, 2014, 12:25:16 AM
Just curious if Electrum is subject to the whole reused R value issue that b.info had? Is it ok to re-use Electrum addresses?


Title: Re: Reused R values
Post by: dabura667 on December 22, 2014, 03:05:29 PM
Just curious if Electrum is subject to the whole reused R value issue that b.info had? Is it ok to re-use Electrum addresses?

Electrum uses python-ecdsa for signing, and python-ecdsa uses RFC 6979 deterministic k signatures.

This means that for any given message (transaction) and private key, the r value will always be the same. However, inversely, if the message is different, or the private key is different, it is guaranteed (as long as SHA256 is not broken) to be different.

Since the exploit of the r values requires 2 different transactions signed by the same private key with the same r values, it is impossible for 2 different transactions to have the same r value using RFC 6979. (in theory)

However, you should not reuse addresses, as it lowers privacy for yourself AND the privacy of those you send money to. (which is not nice, now is it.)
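The RFC 6979 nonce derivation dabura667 refers to, as an added example (not Electrum or python-ecdsa code): a pure-Python implementation of section 3.2 of the RFC for SHA-256 and a 256-bit group order, showing that the same key and message always yield the same k (and hence the same r), while a different message under the same key yields a different k. The private key in the demo is a constructed value, not a real wallet key.

```python
# RFC 6979 deterministic nonce (k) generation, following section 3.2 of the
# RFC, specialised to SHA-256 and a 256-bit curve order (qlen == hlen == 256).
import hashlib
import hmac

# Group orders (q in RFC 6979 notation) of the two curves used below.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_k(q, x, msg):
    """Return the RFC 6979 nonce k for private key x and message bytes msg.

    With qlen == 256 and SHA-256, bits2int needs no right shift and
    int2octets is a plain 32-byte big-endian encoding.
    """
    h1 = hashlib.sha256(msg).digest()
    x_octets = x.to_bytes(32, "big")                               # int2octets(x)
    h_octets = (int.from_bytes(h1, "big") % q).to_bytes(32, "big")  # bits2octets(h1)
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = _hmac(K, V + b"\x00" + x_octets + h_octets)
    V = _hmac(K, V)
    K = _hmac(K, V + b"\x01" + x_octets + h_octets)
    V = _hmac(K, V)
    while True:
        V = _hmac(K, V)                  # T = V; one block already gives qlen bits
        k = int.from_bytes(V, "big")     # bits2int(T)
        if 1 <= k <= q - 1:
            return k
        # Out of range (probability about 2^-128 here): retry as the RFC specifies.
        K = _hmac(K, V + b"\x00")
        V = _hmac(K, V)


def nonces_collide(q, x, msg_a, msg_b):
    """True only if two messages under the same key share a nonce (and so an r)."""
    return rfc6979_k(q, x, msg_a) == rfc6979_k(q, x, msg_b)


if __name__ == "__main__":
    # Constructed private key for the demo (not a real wallet key).
    priv = 0x1F2E3D4C5B6A79880F1E2D3C4B5A69788796A5B4C3D2E1F00112233445566778
    print(hex(rfc6979_k(SECP256K1_N, priv, b"tx-a")))
    print(hex(rfc6979_k(SECP256K1_N, priv, b"tx-a")))           # identical nonce
    print(nonces_collide(SECP256K1_N, priv, b"tx-a", b"tx-b"))  # False
```

The P-256 known-answer vector from RFC 6979 appendix A.2.5 (key C9AFA9D8…, message "sample") can be used to check the implementation against the RFC.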


Title: Re: Reused R values
Post by: Natanael on December 23, 2014, 05:17:18 PM
If the private key is recoverable through reused R values, then all keys and addresses in that account are vulnerable.


Title: Re: Reused R values
Post by: johoe on December 23, 2014, 10:21:52 PM
Electrum uses python-ecdsa for signing, and python-ecdsa uses RFC 6979 deterministic k signatures.

This means that for any given message (transaction) and private key, the r value will always be the same. However, inversely, if the message is different, or the private key is different, it is guaranteed (as long as SHA256 is not broken) to be different.

SHA256 doesn't make these guarantees.  There is a tiny chance that the value is reused.  However, it is more likely that you create a new address that is already in use.  The chance for this to happen is so small that it will with a high probability never occur in the next billion years. Of course, this assumes there are no implementation errors.

If the private key is recoverable through reused R values, then all keys and addresses in that account are vulnerable.

This is only true if the master public key was leaked. Since keeping it secret is important to maintain privacy (using the master public key, one can see all transactions from and to your account), it is unlikely that a random attacker has this. It is stored unencrypted in your wallet, though. Does anyone know if Electrum sends the master public key to the server, or does it only send the first n public keys?


Title: Re: Reused R values
Post by: dabura667 on December 24, 2014, 04:20:59 PM
Does anyone know if Electrum sends the master public key to the server, or does it only send the first n public keys?

Only sends a list of addresses it wants to query. Never sends the MPK to the server.