Armory security on address reuse

[ThePurplePlanet]

Hi all,

Is armory safe to REUSE the same offline bitcoin address with regards to recent SSL library linux issues and transaction malleability?

Thanks

[justusranvier]

Whether it's apparently safe or not, address reuse is always a bad idea.

Just Say No to address reuse.

[ThePurplePlanet]

Whether it's apparently safe or not, address reuse is always a bad idea.

Just Say No to address reuse.

Still my first question holds.

If armory users are not to reuse the address, do they need to create a new wallet? Offline you create an address, how do you know the future address? Reusing the initial address is very convenient. Also ELI5 why is a bad idea to reuse the address apart from privacy maybe?

Thanks

[CircusPeanut]

If armory users are not to reuse the address, do they need to create a new wallet? Offline you create an address, how do you know the future address?

Armory is a Type-2 Deterministic wallet. Read about it here https://en.bitcoin.it/wiki/Deterministic_wallet

Also ELI5 why is a bad idea to reuse the address apart from privacy maybe?

The only other reason that I know of is to help maintain your records. That could also be a reason to use the same address multiple times with the same party that you transact with frequently.

It seems like you are wondering if there is some technical reason not to reuse address, and there isn't one that I know of.

Here is one of several other threads where address reuse is discussed https://bitcointalk.org/index.php?topic=139381.0
I found this by googling "bitcoin address reuse"

[Brangdon]

Is armory safe to REUSE the same offline bitcoin address with regards to recent SSL library linux issues and transaction malleability?

Address reuse is not affected by transaction malleability.

The SSL issue is a valid reason to avoid reusing addresses. (Specifically, to minimise the number of times you spend from an address - you can pay into it as many times as you want.) However, it's arguably less of a danger than key loggers. Either way, if the transaction signing is done by an offline Armory wallet, it will be difficult for an attacker to get their malware onto the same machine, and then difficult to get the leaked key information off so they can use it. Basically, this attack is another reason to use Armory offline wallets.

I don't think Armory does anything to encourage address reuse anyway. It has a checkbox for "Use an existing address for change", but it's unchecked by default.

If armory users are not to reuse the address, do they need to create a new wallet?

No. Each wallet manages multiple addresses.

Offline you create an address, how do you know the future address?

The wallet will create new addresses in a deterministic way, so paying-in addresses for an offline wallet will be the same as those generated by its watch-only online version. So avoiding reuse is usually as convenient as allowing it.

Reusing the initial address is very convenient.

It can be, if you need a stable address to publish. Vanity addresses also get reused a lot. In those cases you don't much care about privacy anyway. If you need to reuse an address, feel free to do so.

Note that you can pay into an address as many times as you like without issue. It's only when you spend from it that the SSL attack comes into play, and even then it needs a lot of spends.

Also ELI5 why is a bad idea to reuse the address apart from privacy maybe?

Privacy and security.

The privacy can be over-rated. In practice, all the inputs and one of the outputs for a given transaction probably come from the same wallet. Knowing this, an attacker can link addresses together even if they are "new". To get reliable privacy requires more knowledge and effort than is usually worthwhile. On the other hand, why make it easy for anyone?

The usual security reason given is that paying into an address only releases a hash of its public key, and paying out reveals the public key itself. Revealing the public key gives an attacker a theoretical advantage. In practice not enough to matter, but again, why make it easier?

[picobit]

The SSL issue is a valid reason to avoid reusing addresses

Can someone please point me to some information about this weakness?  What is the problem with SSL in relation to bitcoin, and how does address reuse affect it.

[justusranvier]

Revealing the public key gives an attacker a theoretical advantage. In practice not enough to matter, but again, why make it easier?

You couldn't be more wrong.

Remember the Android RNG flaw that caused wallets to generate insecure private keys? The bug only affected people whose wallets reused addresses.

In theory, assuming no implementation errors anywhere in the software and hardware stack, the advantage of keeping the public key secret is negligible. In practice, using public keys only once means that large numbers of unknown vulnerabilities are off the table.

[Brangdon]

Can someone please point me to some information about this weakness?  What is the problem with SSL in relation to bitcoin, and how does address reuse affect it.

See for example, Ars Technica.

As I understand it, the approach is to install malware onto the PC that is doing the signing. This malware flushes the CPU's L3 cache, and waits, and then tries to access some code. If the code loads quickly, it means something else already used it. From this they deduce what code is running in the crypto-library, and from that they claim they can deduce the private key.

They mention needing "as few" as 200 attempts, as if each attempt extracted one bit. So if you only spend from a given address once, this attack doesn't get them very far.

I suspect it's not very practical in the real world regardless. Hopefully the libraries will be updated to negate it. We've been calling it the "SSL issue" because SSL is also vulnerable, and that's used far more widely than Bitcoin.

[Brangdon]

In theory, assuming no implementation errors anywhere in the software and hardware stack, the advantage of keeping the public key secret is negligible. In practice, using public keys only once means that large numbers of unknown vulnerabilities are off the table.

Fair point. I was indeed supposing that Armory was getting the basic cryptography right.

[berliston]

I need good tutorial about armory security on address!