Bitcoin Forum
Topic: If ECDSA is ever cracked/exploited/quantum computed? (Read 3682 times), page 2 of 2
tomtomtom7 (Jr. Member, Activity: 38, Merit: 18)
May 18, 2017, 02:26:10 PM, #21

> However, let's imagine for a moment that ECDSA is broken in such a way that the time to crack a private key from a public key is reduced to 6 months.
>
> If I always use a new address for every transaction, then all of my bitcoins are protected by SHA256 and RIPEMD160.
>
> If you have an address that you've re-used, then you might have bitcoins sitting out there on the blockchain with their public key exposed.  An attacker can spend the next 6 months working out your private key and then steal your bitcoins.
>
> If I send a transaction, the attacker has (on average) 10 minutes to figure out the private key, craft a replacement transaction that pays the bitcoins to him, and then convince a miner to mine his transaction instead of mine.
>
> Which is safer?  Your bitcoins sitting on the blockchain with an exposed public key allowing the attacker to continuously try to craft a transaction that takes your bitcoins until you get around to sending them to a new address?  Or my bitcoins that have a window of 10 minutes on average to try to both crack the key AND convince a miner to accept a double-spend transaction in place of the existing one?
>
> The increase in security from using a new address for every transaction is quite small, but it is still better than re-using addresses.
>
> Using a new address for every transaction can also increase your privacy a bit.

I am not arguing that it is not harder to steal or doesn't increase privacy, which is obviously true.

But the value of Bitcoin depends on being able to transact securely. If there is a 6 month attack with independent trials, and there are 6 miners attacking, then every month some transaction will get stolen.

What would the value of Bitcoin be? Would anybody still give a dime for a Bitcoin in such scenario? What would be the use of being the "more secure" owner of a worthless coin?
adaseb (OP) (Legendary, Activity: 3738, Merit: 1708)
May 23, 2017, 12:00:09 AM, #22

Basically I think if ECDSA gets cracked then most likely any active addresses won't be targeted to attract attention. If people's cold storage all of a sudden gets stolen, people would start complaining and eventually a conclusion might be drawn that ECDSA is broken due to re-used addresses using public keys.

Most likely someone would target those large 50-100 BTC addresses with unspent outputs since 2010 and assume that it's a lost key.

That might even be happening right now but we don't know it.

It would be stupid to hack every public key which is 50% of all the coins in existence and crash the price to $0 and get nothing.


dinofelis (Hero Member, Activity: 770, Merit: 629)
May 23, 2017, 03:40:30 AM, #23

> Basically I think if ECDSA gets cracked then most likely any active addresses won't be targeted to attract attention. If people's cold storage all of a sudden gets stolen, people would start complaining and eventually a conclusion might be drawn that ECDSA is broken due to re-used addresses using public keys.
>
> Most likely someone would target those large 50-100 BTC addresses with unspent outputs since 2010 and assume that it's a lost key.
>
> That might even be happening right now but we don't know it.

If ECDSA is cracked, there are more fun things to do than to steal 100 BTC !

^BuTcH^ (Full Member, Activity: 671, Merit: 103)
May 24, 2017, 09:59:23 PM (last edit: May 24, 2017, 10:14:15 PM by ^BuTcH^), #24

I can't understand whether my addresses are re-used. Example:

I create a wallet with Electrum and it generates by default some receiving addresses (A, B, C...);
then if I receive one incoming transaction in A and another in B, have I re-used my addresses, or are both safe?

fudge (Hero Member, Activity: 666, Merit: 500)
May 24, 2017, 11:24:47 PM, #25

Guys, what do you think:
how safe is it to keep some BTC in a cold wallet for 20 years with no attention to the crypto world?

BurtW (Legendary, Activity: 2646, Merit: 1130)
May 25, 2017, 12:00:47 PM, #26

> I can't understand whether my addresses are re-used. Example:
>
> I create a wallet with Electrum and it generates by default some receiving addresses (A, B, C...);
> then if I receive one incoming transaction in A and another in B, have I re-used my addresses, or are both safe?

As long as you use each of the default receiving addresses only once then you are not reusing the addresses.  I am not sure how that can be made more clear.  If you send, or have people send, Bitcoins to the same address more than once then you are reusing the address.

Also, if you spend the Bitcoins from an address, then send Bitcoins to that same address again, then spend them from that address again you are reusing the address.

Ideally there should only be one single transaction to send Bitcoins to the address and then one single transaction to spend the Bitcoins from the address and then the address should never be used again.

kallerosenbaum (Newbie, Activity: 6, Merit: 0)
May 30, 2017, 01:06:47 PM, #27

I've been trying to sort this out myself. I posted a question on reddit (https://www.reddit.com/r/Bitcoin/comments/677y1b/how_to_steal_coins_if_some_oneway_function_is/) that summarizes what I've figured out. I haven't seen any comments on it, so I'm not sure if there's anything incorrect in it.

Reposting here:

I'm trying to grasp the different implications if any one-way function of the address creation process is flawed. I've come up with two different types of potential flaws:

  • The output space for the function is smaller than anticipated, so brute force becomes viable
  • One can craft an input that produces a certain output.

Both of these imaginary flaws can be found in either the specification or in an implementation. I only focus on specification flaws here, but I do think the same analysis holds for implementation flaws as well. The tables list my understanding of what needs to be done in order to steal someone's coins, given that only the public key hash or script hash is known. Are these tables correct? Is there any important information to add?

*Version 0 addresses*

Function                | Small output space | Can craft input
------------------------|--------------------|----------------------------------------------------------------
Random number generator | Doomed!            | N/A
Public key derivation   | Doomed!            | Must pre-image attack RIPEMD(SHA())
SHA256                  | Doomed!            | Must pre-image attack RIPEMD AND brute force public key derivation
RIPEMD160               | Doomed!            | Must brute force SHA(pubkeyderivation())

*Pay-to-script-hash addresses*

Function  | Small output space | Can craft input
----------|--------------------|----------------------------------------------------------------------------------------------------------------------------------
SHA256    | Doomed!            | If I know the script [1], I can craft a second script with the same SHA256 value. If the script is not known, I need to pre-image attack RIPEMD160
RIPEMD160 | Doomed!            | Must pre-image attack SHA256

[1] is very likely. For example a party in a multisig address knows the script and can rip off the other parties.

We are doomed if any of the functions are brute-forceable. That means that the more fancy one-way functions we use, the more vulnerable we are.

Sources:

* https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses
* https://bitcointalk.org/index.php?topic=141848.0
* https://bitcoin.stackexchange.com/questions/9202/why-does-bitcoin-use-two-hash-functions-sha-256-and-ripemd-160-to-create-an-ad
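The chain of functions the tables above reason about, written out as an added worked example (this is editor-supplied code, not part of kallerosenbaum's post or of any wallet or Bitcoin Core code): private key, then secp256k1 public-key derivation, then SHA256, then RIPEMD160, then Base58Check for a version-0 address; and SHA256/RIPEMD160/Base58Check of a redeem script for a P2SH address. It also makes concrete the point in #21 that an unspent P2PKH output exposes only the 20-byte hash, never the public key. The elliptic-curve arithmetic is textbook double-and-add written for readability, not a constant-time library, and the 1-of-1 multisig redeem script is an assumed toy script used only to show the P2SH path. RIPEMD160 comes from hashlib, which gets it from OpenSSL; OpenSSL 3.0.0 to 3.0.6 builds may not provide it.

```python
import hashlib

# secp256k1 domain parameters: field prime, group order, generator point
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p, q):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def privkey_to_pubkey(d, compressed=True):
    """Table row 'Public key derivation': d*G by double-and-add, serialized in SEC1 form.

    Textbook, non-constant-time arithmetic: fine for a demo, never for real keys.
    """
    if not 0 < d < N:
        raise ValueError("private key out of range")
    acc, addend = None, G
    while d:
        if d & 1:
            acc = _point_add(acc, addend)
        addend = _point_add(addend, addend)
        d >>= 1
    x, y = acc
    if compressed:
        return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def hash160(data):
    """Table rows 'SHA256' and 'RIPEMD160': all an unspent P2PKH/P2SH output reveals."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(version, payload):
    """version byte || payload || first 4 bytes of SHA256(SHA256(...)), Base58 encoded."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out                  # each leading 0x00 byte becomes a '1'


def p2pkh_address(pubkey):
    """Version-0 ('1...') address: the public key stays hidden until the output is spent."""
    return base58check(0x00, hash160(pubkey))


def p2sh_address(redeem_script):
    """P2SH ('3...') address: only hash160 of the script is on chain until it is spent."""
    return base58check(0x05, hash160(redeem_script))


def multisig_redeem_script(m, pubkeys):
    """OP_m <pubkey>... OP_n OP_CHECKMULTISIG. Every signer knows this script (footnote [1])."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("bad m-of-n")
    script = bytes([0x50 + m])
    for pk in pubkeys:
        script += bytes([len(pk)]) + pk               # direct push of a 33/65-byte key
    return script + bytes([0x50 + n, 0xAE])


if __name__ == "__main__":
    pk = privkey_to_pubkey(1)
    print("pubkey (on chain only once spent):", pk.hex())
    print("what the P2PKH output shows      :", hash160(pk).hex())
    print("address                          :", p2pkh_address(pk))
    print("toy 1-of-1 P2SH address          :", p2sh_address(multisig_redeem_script(1, [pk])))
```

Reading the tables against this code: an attacker who sees only a version-0 address holds `hash160(pubkey)`; to spend he must first invert RIPEMD160, then invert SHA256 to get a public key, and only then attack ECDSA. Once the owner spends, the scriptSig publishes `pubkey`, and the two hash layers are gone.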
adaseb (OP) (Legendary, Activity: 3738, Merit: 1708)
June 07, 2017, 12:55:25 AM, #28

> > I can't understand whether my addresses are re-used. Example:
> >
> > I create a wallet with Electrum and it generates by default some receiving addresses (A, B, C...);
> > then if I receive one incoming transaction in A and another in B, have I re-used my addresses, or are both safe?
>
> As long as you use each of the default receiving addresses only once then you are not reusing the addresses.  I am not sure how that can be made more clear.  If you send, or have people send, Bitcoins to the same address more than once then you are reusing the address.
>
> Also, if you spend the Bitcoins from an address, then send Bitcoins to that same address again, then spend them from that address again you are reusing the address.
>
> Ideally there should only be one single transaction to send Bitcoins to the address and then one single transaction to spend the Bitcoins from the address and then the address should never be used again.

Why is it that most exchanges, pools, and most of the addresses on the BTC rich list all reuse the same address over and over again?

They sent multiple deposits to the address and then made multiple transactions from the address.

I like reusing addresses because I know that I will be able to retrieve the BTC, because I have proof that the transaction will go through, because it went through once in the past.

Imagine sending all your life savings to a BTC paper wallet and in 10 years trying to spend it and there is some "error".

Argon2 (Full Member, Activity: 140, Merit: 101)
June 07, 2017, 01:48:53 AM, #29

None of Satoshi's mined coin transactions used P2SH. Therefore all of his public keys for about 1 million coins are in plain view. They have not been cracked and generating a private key from its public key is theory.
BurtW (Legendary, Activity: 2646, Merit: 1130)
June 07, 2017, 02:41:06 PM, #30

> None of Satoshi's mined coin transactions used P2SH. Therefore all of his public keys for about 1 million coins are in plain view. They have not been cracked and generating a private key from its public key is theory.

Very true.  In fact all those millions of dollars can be seen as a "test" of the security of ECDSA since they are just sitting there waiting for someone to crack ECDSA and take them.

To answer the question about address reuse above:

Reusing addresses -> very secure but damaging to the privacy of the Bitcoin system and the fungible property of Bitcoins.

Using addresses once -> even more secure and enhances the privacy of the Bitcoin system and preserves the fungible property of Bitcoins.

Address reuse is a minimal security concern but security is not the only issue.

RobHag (Newbie, Activity: 5, Merit: 0)
June 07, 2017, 03:48:39 PM, #31

That would crack up the world... Dare not even think about it!
dinofelis (Hero Member, Activity: 770, Merit: 629)
June 08, 2017, 10:21:39 AM, #32

> Ideally there should only be one single transaction to send Bitcoins to the address and then one single transaction to spend the Bitcoins from the address and then the address should never be used again.

You are perfectly right, and I consider it a design error (one of many) in bitcoin not to have enforced this in the protocol.  In the same way that a UTXO can only be spent once, an address could be used only once.  This would have simplified VASTLY several aspects of the protocol (there would have been no need for a transaction hash: given that an address only occurs once in an output, the address itself is sufficient to indicate the transaction; this would have avoided transaction malleability, it would have divided the amount of data in a transaction by about half, ....).
dinofelis (Hero Member, Activity: 770, Merit: 629)
June 08, 2017, 10:22:46 AM, #33

> None of Satoshi's mined coin transactions used P2SH. Therefore all of his public keys for about 1 million coins are in plain view. They have not been cracked and generating a private key from its public key is theory.

This is not true.  Only the hashes of his public keys are in plain view, so there's nothing to attack.  Even if ECDSA were completely cracked, nobody could do anything with the hashes of these keys.
honestis.network (Member, Activity: 95, Merit: 10)
June 08, 2017, 10:50:13 AM, #34

> Basically I think if ECDSA gets cracked then most likely any active addresses won't be targeted to attract attention. If people's cold storage all of a sudden gets stolen, people would start complaining and eventually a conclusion might be drawn that ECDSA is broken due to re-used addresses using public keys.
>
> Most likely someone would target those large 50-100 BTC addresses with unspent outputs since 2010 and assume that it's a lost key.
>
> That might even be happening right now but we don't know it.
>
> It would be stupid to hack every public key which is 50% of all the coins in existence and crash the price to $0 and get nothing.

Maybe; also, the response from the network could be a hard fork ...
Making better cryptography should also consider people in the long run, not just making more space in blocks to accept more transactions.

BurtW (Legendary, Activity: 2646, Merit: 1130)
June 08, 2017, 11:02:24 AM, #35

> > None of Satoshi's mined coin transactions used P2SH. Therefore all of his public keys for about 1 million coins are in plain view. They have not been cracked and generating a private key from its public key is theory.
>
> This is not true.  Only the hashes of his public keys are in plain view, so there's nothing to attack.  Even if ECDSA were completely cracked, nobody could do anything with the hashes of these keys.

If I recall correctly some early transactions were sent directly to public keys instead of sent to the public key hash therefore the public key is available in the block chain for some early transactions.

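The check a practitioner would actually want after this exchange: given a wallet's transaction history, which unspent coins are protected only by ECDSA (public key already on chain) and which still sit behind the hash. This is an added example by the editor, not code from the thread or from any wallet; the ledger below is constructed inline and the classification rules are mine. It applies BurtW's definition of reuse from #26 (an address that receives more than once) together with the two ways a public key ends up on chain that #35 and #21 describe: a pay-to-pubkey output carries the key in the output script, and spending a P2PKH output publishes the key in the input. Script types, amounts and addresses are abstract labels, not real chain data.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data). Outputs are addressed by (txid, index).
# "p2pkh": only hash160(pubkey) is on chain until the output is spent.
# "p2pk":  the public key itself is in the output script (early coinbase style, #35).
# Inputs list the (txid, index) they spend; spending a P2PKH output reveals its pubkey.
TXS = [
    {"txid": "t1", "inputs": [], "outputs": [
        {"type": "p2pkh", "addr": "A", "value": 50},
        {"type": "p2pk", "addr": "K", "value": 50}]},
    {"txid": "t2", "inputs": [], "outputs": [
        {"type": "p2pkh", "addr": "B", "value": 10}]},
    {"txid": "t3", "inputs": [("t1", 0)], "outputs": [      # spends A, sends change back to A
        {"type": "p2pkh", "addr": "A", "value": 20},
        {"type": "p2pkh", "addr": "C", "value": 30}]},
    {"txid": "t4", "inputs": [], "outputs": [              # B receives a second time
        {"type": "p2pkh", "addr": "B", "value": 5}]},
]


def _received_counts(txs):
    counts = defaultdict(int)
    for tx in txs:
        for o in tx["outputs"]:
            counts[o["addr"]] += 1
    return counts


def reused_addresses(txs):
    """Addresses that received more than once: BurtW's definition of reuse (#26)."""
    return {a for a, n in _received_counts(txs).items() if n > 1}


def audit(txs):
    """Return {(txid, idx): info} for every unspent output with a pubkey_exposed verdict."""
    outputs = {(tx["txid"], i): o for tx in txs for i, o in enumerate(tx["outputs"])}
    spent = {ref for tx in txs for ref in tx["inputs"]}
    # Any address that has been spent from has its public key in that spend's scriptSig.
    spent_from = {outputs[ref]["addr"] for ref in spent if outputs[ref]["type"] == "p2pkh"}
    received = _received_counts(txs)

    report = {}
    for ref, o in outputs.items():
        if ref in spent:
            continue                                       # not a UTXO, nothing left to steal
        reasons = []
        if o["type"] == "p2pk":
            reasons.append("P2PK output carries the public key")
        if o["addr"] in spent_from:
            reasons.append("address already spent from; pubkey visible in an earlier input")
        report[ref] = {
            "addr": o["addr"], "value": o["value"], "type": o["type"],
            "reused": received[o["addr"]] > 1,
            "pubkey_exposed": bool(reasons),
            "reasons": reasons,
        }
    return report


def value_by_protection(txs):
    """Split unspent value into 'ecdsa_only' (key on chain) and 'hash_protected'."""
    totals = {"ecdsa_only": 0, "hash_protected": 0}
    for info in audit(txs).values():
        bucket = "ecdsa_only" if info["pubkey_exposed"] else "hash_protected"
        totals[bucket] += info["value"]
    return totals


if __name__ == "__main__":
    for ref, info in sorted(audit(TXS).items()):
        status = "EXPOSED" if info["pubkey_exposed"] else "hash-only"
        print(ref, info["addr"], info["value"], status, "; ".join(info["reasons"]))
    print("reused:", sorted(reused_addresses(TXS)))
    print(value_by_protection(TXS))
```

Two things the sample makes visible. Address B is reused in BurtW's sense yet still hash-protected, because it was never spent from; address A is the dangerous case, since the change sent back to A in t3 is guarded by a key that the same transaction published. The audit looks only at confirmed history; a spend that is still unconfirmed is in the window the quoted post in #21 describes, and its key is already public.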
fan_of_things_and_stuff (Newbie, Activity: 36, Merit: 0)
June 09, 2017, 06:21:56 AM, #36

I'll be honest if people are able to figure out how to crack today's asymmetric crypto (elliptic curve, discrete log, or otherwise), the least of your issues will be the price of BTC.  You'll probably be more concerned with your online traffic being captured and pretty much every login to online banking systems or other exploitable secret information being exposed.

You're right in pointing out that it probably would destroy BTC, but that wouldn't seem so bad compared to all the other issues
rngkll (Full Member, Activity: 154, Merit: 100)
June 10, 2017, 05:44:58 AM, #37

> I'll be honest if people are able to figure out how to crack today's asymmetric crypto (elliptic curve, discrete log, or otherwise), the least of your issues will be the price of BTC.  You'll probably be more concerned with your online traffic being captured and pretty much every login to online banking systems or other exploitable secret information being exposed.
>
> You're right in pointing out that it probably would destroy BTC, but that wouldn't seem so bad compared to all the other issues

Agree with this guy. It'll render everything we know regarding digital security useless.