Reusing bitcoin addresses?

[phoenox]

I have heard that you are not supposed to reuse your bitcoin addresses.  I have been looking around to but have been unable to find any good information about this.  I am interested in finding both the technical reasons for this and the practical implications.

At this point my understanding of the issue is that it is ok to reuse a recieving address(public key hash), but after you have spent any of the bitcoins then you need to generate new addresses. 

Does this mean that if someone is making regular payments to me over a long period of time, I will have to send them a new address for each payment?

I am using the Bitcoin-Qt client, if I am going to send or recieve money multiple times do I need to take special steps to ensure security, or is this all handled by the client.  I have noticed that the recieving addresses used before I spent money are still available for use, is this ok?

I am really confused about this issue, hope someone can make tis clear.

Thanks

[1714055450]

1714055450

[ThickAsThieves]

While there are reasons a person might want to "burn" addresses, it is not necessary.

[Gabi]

Only reason is anonimity. Except that, there is no problem.

[Akka]

There is no technical reason to not reuse addresses. Also you don't give one person each time you revive a payment a new address.

The only reason you might not want to reuse addresses is to maximise anonymity.

For example there even are services like BTCT.co that don't allow you to change you receive address once you have set one.

[Otoh]

It's only relevant if you are aiming for 100% anonymity, otherwise it doesn't matter at all & you can keep using the same addresses for receiving & also sending TX np.

edit: as above

[timando]

The main reason to use a new address is to hide the fact that it's you. The reason that the client gives a new address each time is to help you to stay anonymous. The reason you need to stay anonymous is because the entire transaction history is available to everyone. This means that people can see exactly what's going on. If you reuse addresses, it makes it a lot easier for someone to see what's going on with your bitcoins. Reusing an address has no disadvantages if you don't care about everyone seeing exactly what you do with your money (If you're the type of person who tweets about their breakfast and posts on Facebook about their every action, you have nothing to worry about)

[dbasql]

It seems you may want to have several addresses if you are getting coins from multiple sources. At least then you know who and what has come in.

[scrumbly]

Yeah, this feels like paranoia for the normal use case. If you're just fiddling around with bitcoins (and not, I dunno, laundering drug money) is it really worth all the effort and maintenance to have a new address for every transaction?

[edd]

Providing a new address for each transaction is a very efficient way for merchants to track payments.

[CIYAM]

It is much more secure (not just more anonymous) to never re-use an address (and yes - am aware of my sig and you'll notice there a no unspent outputs on that address).

The reason being that once you have signed a tx for any unspent output that was sent to that address (i.e. once you "spend from it" and with the standard client you can't easily control how it chooses which unspent outputs to "spend from") then you have "released" your "public key" (prior to that only the Base58 encoded RIPEMD hash of it was publicly known - also known as the "address").

Now if the ECDSA that Bitcoin uses ever becomes found to be "crackable" then the "private key" to your "address" could be feasibly be cracked and any "remaining" unspent outputs to that address could now be spent by the cracker.

[phoenox]

Looks like there is a lot of misinformation about this.

So if you don't reuse your addresses then you will have two layers of encryption, but if you do you will only have one?  But this only applies if you reuse the address after you have spent money from it.

If i am understanding right, this is also related to why when you spend coins, the entire balance in that account is spent, but whatever change you need is sent back to you in a new address.

If I spend money twice or three times, will the client or the network automatically change the account that is being spent from every time?

[CIYAM]

So if you don't reuse your addresses then you will have two layers of encryption, but if you do you will only have one?  But this only applies if you reuse the address after you have spent money from it.

Pretty much correct - to spend an "unspent output" (i.e. a part of your total BTC "balance") you must include the public key for the address and a script signature (so it can be verified). At that point any other "unspent outputs" to that same address are *more vulnerable* as your public key is now known (before only a RIPEMD hash was known).

If i am understanding right, this is also related to why when you spend coins, the entire balance in that account is spent, but whatever change you need is sent back to you in a new address.

A transaction is actually a "script" that can have multiple inputs and outputs with the "inputs" being either "coinbase" (from mining) or "unspent outputs" (from transactions that were sending funds to yourself).

Each "input" must be completely spent (fees are actually the total amount of the inputs minus the total outputs so you effectively don't spend a small amount of your inputs in order to "pay a fee").

Typically your input(s) are not going to exactly match the amount you want to send and so a "change" address is added as another output to solve this.

If I spend money twice or three times, will the client or the network automatically change the account that is being spent from every time?

The network has nothing to do with it - your client will "somewhat" randomly choose which "unspent outputs" to use (with some checks to avoid you needing to pay too much in fees).

[DannyHamilton]

Pretty much correct - to spend an "unspent output" (i.e. a part of your total BTC "balance") you must include the public key for the address and a script signature (so it can be verified). At that point any other "unspent outputs" to that same address are *more vulnerable* as your public key is now known (before only a RIPEMD hash was known).

Unless I'm mistaken, prior to spending any unspent outputs associated with an address, what was known was a RIPEMD hash of a SHA256 hash.

So, when you first receive an output to a previously unused address, the layers between your private key and what is publicly known are ECDSA->SHA256->RIPEMD resulting in a "bitcoin address".

Once you spend any single (or more) output that had been sent to the address, the only layer between your private key and what is publicly known is ECDSA.

This means that if a weakness is found in the future in any two of ECDSA, SHA, and RIPEMD, the bitcoins associated with addresses that are only used once are still safe from any brute force attempt.  However, once an address has been used once to spend a previous output, all current and future bitcoins associated with that address become immediately vulnerable if a weakness is discovered in ECDSA even if no weakness is discovered in SHA or RIPEMD.

[0dayatciyam.org]

102 BTC returned in this transaction: http://blockchain.info/tx-index/42579467/4a0fe8cb78b19778a49d171642649c9ee25453ed206894c88b049d0ee7939a0f

I'd highly recommend not creating raw transactions in the future unless absolutely necessary .  $1,500 is a pretty risky mistake if it didn't land on a known pool wallet/IP.

Very much appreciated - although I've been doing raw tx's without a problem for weeks I guess the exhaustion of working over 12 hours per day for the last week has clearly taken its toll.

I will certainly be "ultra-cautious" with all future raw tx's.

it wuld appear that security is not a thing you should talk.

[uminatsu]

Regardless of future possible discovery of weaknesses in ECDSA, even by today's standards I believe it is much less secure to re-use an address whose ECDSA public key is known.

When the ECDSA public key is not yet publicly known, the bitcoin address is at least as secure as RIPEMD is secure against preimage attack, because anyone able to spend from that address need to find a RIPEMD preimage. There's no known method better than brute-force search which takes ~ 2^160 time.

When the ECDSA public key is publicly known, the bitcoin address is no more harder to crack than solving the EC discrete logarithm problem on the secp256k1 curve, for which there's known methods (such as baby-step giant-step) in ~ 2^128 time.

Pretty much correct - to spend an "unspent output" (i.e. a part of your total BTC "balance") you must include the public key for the address and a script signature (so it can be verified). At that point any other "unspent outputs" to that same address are *more vulnerable* as your public key is now known (before only a RIPEMD hash was known).

Unless I'm mistaken, prior to spending any unspent outputs associated with an address, what was known was a RIPEMD hash of a SHA256 hash.

So, when you first receive an output to a previously unused address, the layers between your private key and what is publicly known are ECDSA->SHA256->RIPEMD resulting in a "bitcoin address".

Once you spend any single (or more) output that had been sent to the address, the only layer between your private key and what is publicly known is ECDSA.

This means that if a weakness is found in the future in any two of ECDSA, SHA, and RIPEMD, the bitcoins associated with addresses that are only used once are still safe from any brute force attempt.  However, once an address has been used once to spend a previous output, all current and future bitcoins associated with that address become immediately vulnerable if a weakness is discovered in ECDSA even if no weakness is discovered in SHA or RIPEMD.

[Rach3]

Very interesting read. So what does 2^128 'time' mean? Aren't we still talking about many many times the universe age? Even with speed increase of supercomputers considered?

[Coef]

Very interesting read. So what does 2^128 'time' mean? Aren't we still talking about many many times the universe age? Even with speed increase of supercomputers considered?

True, but it could be a different story if a weakness in ECDSA is found.

Another problem is anonymity.

[oriel2]

It seems you may want to have several addresses if you are getting coins from multiple sources. At least then you know who and what has come in.

On a non tech level this was true for me - I used the same address in multiple locations and got payments from someone - I hav  no way of knowing now which company / person sent the BTC to me!

[vnvizow]

Normally only large businesses do that, the security an offline wallet provide is enough for personal use.

[vnvizow]

comroll,

What is the purpose of this copy/paste from an earlier post in this same thread?

Regardless of future possible discovery of weaknesses in ECDSA, even by today's standards . . .

Regardless of future possible discovery of weaknesses in ECDSA, even by today's standards . . .

You did the same thing today in at least 3 other threads:
https://bitcointalk.org/index.php?topic=31145.msg5949599#msg5949599
https://bitcointalk.org/index.php?topic=420841.msg5949694#msg5949694
https://bitcointalk.org/index.php?topic=442845.msg5949825#msg5949825

Obviously he's spamming, aaaaand he's deleting his posts