Bitcoin Forum
Author Topic: Is reusing addresses safer?  (Read 1094 times)
aplistir (Full Member, Activity: 257, Merit: 108)
October 06, 2017, 10:53:02 AM  #1

For each bitcoin address, there exist about 2^96 = 79228162514264337593543950336 private keys that generate the same address.

And any of those private keys can be used to send coins from that address.

My question is: if one key has already been used to send from an address, can the other private keys still be used to send from the same address?

Or does the blockchain check which private key has already been used, and accept only the payments signed with that private key?

Accepting only the key that has already been used would increase security, since it is much more difficult to find 1 key than any of 2^96 keys.
(Both cases are of course extremely unlikely, but the second case is still 2^96 times more likely.)

If only one private key is valid, then an address that has a send action is safer than an address that does not have a send action, and reusing an address is the safest choice (at least before quantum computers).

How is it? The wiki is not clear about this.

My Address: 121f7zb2U4g9iM4MiJTDhEzqeZGHzq5wLh
DannyHamilton (Legendary, Activity: 2198, Merit: 1373)
October 06, 2017, 12:22:18 PM  #2

Quote from: aplistir
For each bitcoin address, there exist about 2^96 = 79228162514264337593543950336 private keys that generate the same address.

And any of those private keys can be used to send coins from that address.

My question is: if one key has already been used to send from an address, can the other private keys still be used to send from the same address?

Yes.

Quote from: aplistir
Or does the blockchain check which private key has already been used,

The blockchain doesn't check anything.  The blockchain is just data that has been stored.

Full Nodes check transactions and blocks.  Full Nodes do not check to see what keys have been used in the past.

Quote from: aplistir
and accept only the payments signed with that private key?

No.  The payment scripts only require a valid signature. As long as the signature is valid and the public key hashes to the correct value, it doesn't matter which public key is used.

Quote from: aplistir
Accepting only the key that has already been used would increase security.

Not by enough to matter.

Quote from: aplistir
Since it is much more difficult to find 1 key than any of 2^96 keys.

It isn't going to happen.

Quote from: aplistir
(Both cases are of course extremely unlikely, but the second case is still 2^96 times more likely.)

Correct.

There are 2^256 private keys, so you have a 1 in 2^256 chance of finding a specific private key.

However, since there are 2^160 possible addresses, you have a 1 in 2^160 chance of finding a usable private key.

Quote from: aplistir
If only one private key is valid, then an address that has a send action is safer than an address that does not have a send action, and reusing an address is the safest choice (at least before quantum computers).

How is it? The wiki is not clear about this.

If you want to make sure that a specific private key is needed, then you can't use P2PKH addresses.  You can use a P2PK address instead, but I'm not aware of any wallets that have a user interface that is designed for that.  You'll probably need to write your own software to do that.

aleksej996 (Sr. Member, Activity: 406, Merit: 301)
October 06, 2017, 02:01:52 PM  #3

There is a lot bigger security risk in reusing your address than in someone finding a key with the same address, since quantum computers should be able to find a private key for any public key very quickly while they are not good at trying out hashes. There are no quantum computers that are close to being big enough for this job yet, and making bigger quantum chips gets exponentially harder so it might be impossible, but it is still more likely than finding a collision.

So don't reuse addresses, since it is insecure anyway and then you won't have this issue either, since this issue is negligible compared to the quantum one, which is also extremely small on its own.


btctousd81 (Sr. Member, Activity: 392, Merit: 252)
October 06, 2017, 03:50:29 PM  #4

Quote from: aleksej996
There is a lot bigger security risk in reusing your address than in someone finding a key with the same address, since quantum computers should be able to find a private key for any public key very quickly while they are not good at trying out hashes. There are no quantum computers that are close to being big enough for this job yet, and making bigger quantum chips gets exponentially harder so it might be impossible, but it is still more likely than finding a collision.

So don't reuse addresses, since it is insecure anyway and then you won't have this issue either, since this issue is negligible compared to the quantum one, which is also extremely small on its own.

I don't get this, why is it a security risk?

If the private key is unknown then it does not matter if the address has 1 tx or 1000 tx.

And I read that quantum computers do not work like that, so they won't help to calculate/break the private key of a specific address.

Any references?

To OP:

People say to use a new address to make it difficult to track the owner of bitcoins.
That is why default bitcoin clients send change to a new address instead of the sender address.

But imho, if you don't have anything to hide, then using the same addresses is fine.
I manage 2 addresses and they have multiple tx on them; it's much easier to manage/handle 2 private keys instead of backing up the private key/wallet of the new change address after each tx.

If I am wrong, please enlighten me, I am still learning.

DannyHamilton (Legendary, Activity: 2198, Merit: 1373)
October 06, 2017, 04:01:24 PM  #5

Quote from: btctousd81
But imho, if you don't have anything to hide, then using the same addresses is fine.

You reduce your own privacy AND the privacy of everyone that you transact with when you re-use addresses.  Have a little respect for others and stop re-using addresses.

Quote from: btctousd81
It's much easier to manage/handle 2 private keys instead of backing up the private key/wallet of the new change address after each tx.

Use a Hierarchical Deterministic (HD) wallet such as Electrum or Bitcoin Core.
Create a backup of your seed words once.
Use a new address for every transaction.

You will no longer need to "back up private key/wallet of new change address after each tx".

btctousd81 (Sr. Member, Activity: 392, Merit: 252)
October 06, 2017, 04:33:45 PM  #6

Quote from: DannyHamilton
Quote from: btctousd81
But imho, if you don't have anything to hide, then using the same addresses is fine.

You reduce your own privacy AND the privacy of everyone that you transact with when you re-use addresses.  Have a little respect for others and stop re-using addresses.

Quote from: btctousd81
It's much easier to manage/handle 2 private keys instead of backing up the private key/wallet of the new change address after each tx.

Use a Hierarchical Deterministic (HD) wallet such as Electrum or Bitcoin Core.
Create a backup of your seed words once.
Use a new address for every transaction.

You will no longer need to "back up private key/wallet of new change address after each tx".

I am using Bitcoin Core on the command line, but I have never used it to send funds.
I use my JS script to send tx.

Has the old behaviour of Bitcoin Core changed, so there is no more need to back up the wallet after each tx?

Thanks

J. Cooper (Full Member, Activity: 238, Merit: 103)
October 06, 2017, 04:59:12 PM  #7

Quote from: DannyHamilton
Quote from: btctousd81
But imho, if you don't have anything to hide, then using the same addresses is fine.

You reduce your own privacy AND the privacy of everyone that you transact with when you re-use addresses.  Have a little respect for others and stop re-using addresses.

Quote from: btctousd81
It's much easier to manage/handle 2 private keys instead of backing up the private key/wallet of the new change address after each tx.

Use a Hierarchical Deterministic (HD) wallet such as Electrum or Bitcoin Core.
Create a backup of your seed words once.
Use a new address for every transaction.

You will no longer need to "back up private key/wallet of new change address after each tx".

I've recently started using Electrum and I have got everything up and running, but I have one concern. When I go to the receiving tab I see a bunch of receiving addresses, but those are limited. So if you advise always using a different address, I will eventually run out of addresses to use. How will I be able to fix this when I have used each address at least once?
susila_bai (Hero Member, Activity: 924, Merit: 524)
October 06, 2017, 05:29:57 PM  #8

Quote from: J. Cooper
Quote from: DannyHamilton
Quote from: btctousd81
But imho, if you don't have anything to hide, then using the same addresses is fine.

You reduce your own privacy AND the privacy of everyone that you transact with when you re-use addresses.  Have a little respect for others and stop re-using addresses.

Quote from: btctousd81
It's much easier to manage/handle 2 private keys instead of backing up the private key/wallet of the new change address after each tx.

Use a Hierarchical Deterministic (HD) wallet such as Electrum or Bitcoin Core.
Create a backup of your seed words once.
Use a new address for every transaction.

You will no longer need to "back up private key/wallet of new change address after each tx".

I've recently started using Electrum and I have got everything up and running, but I have one concern. When I go to the receiving tab I see a bunch of receiving addresses, but those are limited. So if you advise always using a different address, I will eventually run out of addresses to use. How will I be able to fix this when I have used each address at least once?

Don't worry about the addresses, as there is no limit on creating addresses, and even if you want you can use the same address. Electrum is a good desktop wallet and you won't get any problem.
aplistir (Full Member, Activity: 257, Merit: 108)
October 06, 2017, 05:36:48 PM  #9

Quote from: DannyHamilton
The blockchain doesn't check anything.  The blockchain is just data that has been stored.
Full Nodes check transactions and blocks.  Full Nodes do not check to see what keys have been used in the past.

No.  The payment scripts only require a valid signature. As long as the signature is valid and the public key hashes to the correct value, it doesn't matter which public key is used.

That is interesting. It would be easy to get more security by doing the extra check.

If I understand correctly, that also means that multiSig addresses are not as safe as advertised. If you have a 4/5 multiSig address, the attacker could treat it as a normal segWit address and ignore your 4 required keys. He would "only" need to find one private key that would hash to the same address as your multiSig address.
And then he can spend your coins. (Yep, I know it is still almost impossible, but a lot easier than finding your 4 keys.)

Quote from: DannyHamilton
If you want to make sure that a specific private key is needed, then you can't use P2PKH addresses.  You can use a P2PK address instead, but I'm not aware of any wallets that have a user interface that is designed for that.  You'll probably need to write your own software to do that.

Do you mean P2SH?
P2PK pays to public key, but the coins go to a normal hashed bitcoin address.

aplistir (Full Member, Activity: 257, Merit: 108)
October 06, 2017, 05:52:30 PM  #10

Quote from: aleksej996
There is a lot bigger security risk in reusing your address than in someone finding a key with the same address, since quantum computers should be able to find a private key for any public key very quickly while they are not good at trying out hashes. There are no quantum computers that are close to being big enough for this job yet, and making bigger quantum chips gets exponentially harder so it might be impossible, but it is still more likely than finding a collision.

So don't reuse addresses, since it is insecure anyway and then you won't have this issue either, since this issue is negligible compared to the quantum one, which is also extremely small on its own.

I do not think reusing addresses is a big risk. The elliptic curve crypto that bitcoin uses is still considered safe. And as it is public key crypto, the public key can be safely published.

The 3rd, 5th and 6th richest Bitcoin addresses are nice and brave enough to risk all their coins by reusing their addresses and publishing their public keys.
16rCmCmbuWDhPjWTrpQGaU3EPdZF7MTdUk: 91,203 BTC ($400,535,695 USD)
18rnfoQgGo1HqvVQaAN4QnxjYE7Sez9eca: 70,000 BTC ($307,418,600 USD)
1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx: 69,370 BTC ($304,652,297 USD)

There is $1,000,000,000 betting that ECDSA will not be broken anytime soon.

Whenever ECDSA is broken, some of these addresses will probably be emptied. Interesting to see when it will happen.

Anyway. If you have less than 1000 BTC in your address I think you do not need to worry. You would not be an interesting target...
 

DannyHamilton (Legendary, Activity: 2198, Merit: 1373)
October 06, 2017, 06:30:49 PM  #11

Quote from: aplistir
If I understand correctly, that also means that multiSig addresses are not as safe as advertised. If you have a 4/5 multiSig address, the attacker could treat it as a normal segWit address and ignore your 4 required keys. He would "only" need to find one private key that would hash to the same address as your multiSig address.

MultiSig typically uses P2SH.  In that case it is not necessary to find a private key at all.  All you need to do is find a script that resolves successfully and that hashes to the value in the transaction output. Just choose ANY private key, create a script that includes a nonce and a signature using the private key that you chose.  All you need to do is find the right nonce.  With the typical P2SH, that means each nonce value has a 1 in 2^160 chance of allowing you access.

Quote from: aplistir
And then he can spend your coins. (Yep, I know it is still almost impossible, but a lot easier than finding your 4 keys.)

The difficulty in calculating 4 keys isn't what makes multi-sig "safe". It is assumed that it is not possible to calculate any of the keys, just like it is assumed that it is not possible to create an arbitrary valid script that hashes to a given value.  What increases the security of multi-sig is the fact that you are still secure even if you accidentally (or intentionally) reveal one of your keys.

Quote from: DannyHamilton
If you want to make sure that a specific private key is needed, then you can't use P2PKH addresses.  You can use a P2PK address instead, but I'm not aware of any wallets that have a user interface that is designed for that.  You'll probably need to write your own software to do that.

Quote from: aplistir
Do you mean P2SH?
P2PK pays to public key, but the coins go to a normal hashed bitcoin address.

No.  The coins NEVER "go to a normal hashed bitcoin address".  Regardless of whether you are using P2PK, P2PKH, or P2SH, there are no "coins", and there are no "addresses".  Those are concepts that we humans use to make it easier to talk about the transfer of control over value.  In the actual transaction and blockchain there are only inputs (with input scripts) and outputs (with output scripts). Outputs are assigned a value, and inputs reference outputs that haven't been referenced by any other inputs yet.

  • A P2PK script requires you to provide a signature that can be validated with a specific public key.  That's why it is called "pay to public key". Since the output script specifies the public key, and there is only 1 private key for each public key, only that specific private key will work.
  • A P2PKH script requires you to provide a public key that results in a specific hash, and then provide a signature that can be validated with the public key you provided. That's why it is called "pay to public key hash". Since there are 2^256 possible public keys, and only 2^160 possible hash values, each hash value has on average 2^256 / 2^160 = 2^96 private keys that will work. Only one of those private keys will be known.
  • A P2SH script requires you to provide a script that hashes to a specific value and which resolves successfully. That's why it is called "pay to script hash". Since there are 2^160 possible hash values, and 2^80000 potential scripts (1), each hash value has on average 2^80000 / 2^160 = 2^500 possible scripts that will work. Depending on the structure of the script, only a few of those potential scripts will ever be known.

(1) I think I recall that there is a limit on script size of 10,000 bytes.  If I'm incorrect about that, then the P2SH calculation will be incorrect.

aplistir (Full Member, Activity: 257, Merit: 108)
October 07, 2017, 11:05:23 AM  #12

Quote from: DannyHamilton
MultiSig typically uses P2SH.  In that case it is not necessary to find a private key at all.  All you need to do is find a script that resolves successfully and that hashes to the value in the transaction output.

That is really disappointing. I thought that multiSig was much safer than normal addresses. But it seems it is just the same level of security. :(

Quote from: aplistir
P2PK pays to public key, but the coins go to a normal hashed bitcoin address.

Quote from: DannyHamilton
No.  The coins NEVER "go to a normal hashed bitcoin address".  Regardless of whether you are using P2PK, P2PKH, or P2SH, there are no "coins", and there are no "addresses".  Those are concepts that we humans use to make it easier to talk about the transfer of control over value.  In the actual transaction and blockchain there are only inputs (with input scripts) and outputs (with output scripts). Outputs are assigned a value, and inputs reference outputs that haven't been referenced by any other inputs yet.

  • A P2PK script requires you to provide a signature that can be validated with a specific public key.  That's why it is called "pay to public key". Since the output script specifies the public key, and there is only 1 private key for each public key, only that specific private key will work.
  • A P2PKH script requires you to provide a public key that results in a specific hash, and then provide a signature that can be validated with the public key you provided. That's why it is called "pay to public key hash". Since there are 2^256 possible public keys, and only 2^160 possible hash values, each hash value has on average 2^256 / 2^160 = 2^96 private keys that will work. Only one of those private keys will be known.
  • A P2SH script requires you to provide a script that hashes to a specific value and which resolves successfully. That's why it is called "pay to script hash". Since there are 2^160 possible hash values, and 2^80000 potential scripts (1), each hash value has on average 2^80000 / 2^160 = 2^500 possible scripts that will work. Depending on the structure of the script, only a few of those potential scripts will ever be known.

Thank you for having the patience to explain it.
I have studied bitcoin quite a lot, but never really read about how the input/output scripts validate the spent coins.  Now I understand better, and also realize that I should read more about the topic. :)
Really interesting that spending P2PK inputs only accepts the pubkey given previously.
 

aleksej996 (Sr. Member, Activity: 406, Merit: 301)
October 07, 2017, 01:49:21 PM  #13

Quote from: btctousd81
I don't get this, why is it a security risk?

If the private key is unknown then it does not matter if the address has 1 tx or 1000 tx.

And I read that quantum computers do not work like that, so they won't help to calculate/break the private key of a specific address.

Any references?

To OP:

People say to use a new address to make it difficult to track the owner of bitcoins.
That is why default bitcoin clients send change to a new address instead of the sender address.

But imho, if you don't have anything to hide, then using the same addresses is fine.
I manage 2 addresses and they have multiple tx on them; it's much easier to manage/handle 2 private keys instead of backing up the private key/wallet of the new change address after each tx.

If I am wrong, please enlighten me, I am still learning.

Because the public key is not known if there were no transactions before; only a hash of the public key is known if it was never used.
Quantum computers use something called Shor's algorithm to quickly find the private key of a certain public key, but there are no quantum computers big enough for it yet and it may never be possible to build such a big quantum computer anyway. However, this is still unimaginably more likely than getting a collision of two public keys to get the same hash.

Quote from: aplistir
I do not think reusing addresses is a big risk. The elliptic curve crypto that bitcoin uses is still considered safe. And as it is public key crypto, the public key can be safely published.

The 3rd, 5th and 6th richest Bitcoin addresses are nice and brave enough to risk all their coins by reusing their addresses and publishing their public keys.
16rCmCmbuWDhPjWTrpQGaU3EPdZF7MTdUk: 91,203 BTC ($400,535,695 USD)
18rnfoQgGo1HqvVQaAN4QnxjYE7Sez9eca: 70,000 BTC ($307,418,600 USD)
1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx: 69,370 BTC ($304,652,297 USD)

There is $1,000,000,000 betting that ECDSA will not be broken anytime soon.

Whenever ECDSA is broken, some of these addresses will probably be emptied. Interesting to see when it will happen.

Anyway. If you have less than 1000 BTC in your address I think you do not need to worry. You would not be an interesting target...

I agree. I didn't say it was something to worry about, I simply made a comment that it is a lot more likely than the OP's worries.

Quote from: aplistir
That is interesting. It would be easy to get more security by doing the extra check.

If I understand correctly, that also means that multiSig addresses are not as safe as advertised. If you have a 4/5 multiSig address, the attacker could treat it as a normal segWit address and ignore your 4 required keys. He would "only" need to find one private key that would hash to the same address as your multiSig address.
And then he can spend your coins. (Yep, I know it is still almost impossible, but a lot easier than finding your 4 keys.)

Quote from: DannyHamilton
If you want to make sure that a specific private key is needed, then you can't use P2PKH addresses.  You can use a P2PK address instead, but I'm not aware of any wallets that have a user interface that is designed for that.  You'll probably need to write your own software to do that.

Quote from: aplistir
Do you mean P2SH?
P2PK pays to public key, but the coins go to a normal hashed bitcoin address.

It really doesn't make any sense to waste real resources on non-real issues. Whether it is 4 times easier or not, it makes absolutely no difference, since it is still not going to happen and we have everything else more to worry about than this.


DannyHamilton (Legendary, Activity: 2198, Merit: 1373)
October 07, 2017, 11:21:45 PM  #14

Quote from: aplistir
Quote from: DannyHamilton
MultiSig typically uses P2SH.  In that case it is not necessary to find a private key at all.  All you need to do is find a script that resolves successfully and that hashes to the value in the transaction output.

That is really disappointing. I thought that multiSig was much safer than normal addresses. But it seems it is just the same level of security. :(

It is MUCH safer.  You can leak one (or more) private keys, and your bitcoins will still be safe.  You can split private keys up among multiple people, so that a single person can't access the bitcoins by themselves.  There are many ways that multisig is safer than single signature addresses.

Quote from: aplistir
Quote from: aplistir
P2PK pays to public key, but the coins go to a normal hashed bitcoin address.

Quote from: DannyHamilton
No.  The coins NEVER "go to a normal hashed bitcoin address".  Regardless of whether you are using P2PK, P2PKH, or P2SH, there are no "coins", and there are no "addresses".  Those are concepts that we humans use to make it easier to talk about the transfer of control over value.  In the actual transaction and blockchain there are only inputs (with input scripts) and outputs (with output scripts). Outputs are assigned a value, and inputs reference outputs that haven't been referenced by any other inputs yet.

  • A P2PK script requires you to provide a signature that can be validated with a specific public key.  That's why it is called "pay to public key". Since the output script specifies the public key, and there is only 1 private key for each public key, only that specific private key will work.
  • A P2PKH script requires you to provide a public key that results in a specific hash, and then provide a signature that can be validated with the public key you provided. That's why it is called "pay to public key hash". Since there are 2^256 possible public keys, and only 2^160 possible hash values, each hash value has on average 2^256 / 2^160 = 2^96 private keys that will work. Only one of those private keys will be known.
  • A P2SH script requires you to provide a script that hashes to a specific value and which resolves successfully. That's why it is called "pay to script hash". Since there are 2^160 possible hash values, and 2^80000 potential scripts (1), each hash value has on average 2^80000 / 2^160 = 2^500 possible scripts that will work. Depending on the structure of the script, only a few of those potential scripts will ever be known.

Thank you for having the patience to explain it.
I have studied bitcoin quite a lot, but never really read about how the input/output scripts validate the spent coins.  Now I understand better, and also realize that I should read more about the topic. :)
Really interesting that spending P2PK inputs only accepts the pubkey given previously.

Spending P2PK outputs (referring to them in an input) does not require you to provide a pubKey at all.  In a P2PK output, the pubKey is ALREADY SUPPLIED IN THE OUTPUT that is being spent.  The only thing that is supplied in the input when spending it is a signature.  That signature MUST be verifiable with the pubKey that was presented in the output when the output was created.

The hash of the pubKey is not used and carries no meaning in a P2PK transaction. Some block explorer websites might hash that pubKey when they show it to you because the average user doesn't understand how bitcoin works, and expects to see an address, but there is no address or pubKey hash in the actual transaction at all.
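A runnable model of the three checks DannyHamilton lays out in #11 and #14, added here as an illustration; it is not code from this thread and it is not Bitcoin's script engine. Its assumptions, repeated in the code: a tiny Lamport one-time signature stands in for secp256k1 ECDSA, SHA-256 truncated to 20 bytes stands in for HASH160 (RIPEMD160 of SHA256), scripts are small JSON dicts rather than Script opcodes, and the keys and the spending message are constructed. The function names (`run_script`, `p2pk_output`, `p2pkh_output`, `p2sh_output`, `keys_per_hash`, `demo`) are this example's own. What it reproduces faithfully is the structure of the argument: P2PK pins one public key, P2PKH accepts any public key whose hash matches and only then checks the signature, P2SH accepts any script whose hash matches and only then runs it, and nothing in the validator remembers which keys were used before.

```python
"""Toy model of the P2PK / P2PKH / P2SH checks described above (constructed example).
Stand-ins (assumptions, not Bitcoin's real primitives): a tiny Lamport one-time
signature instead of secp256k1 ECDSA, SHA-256 truncated to 20 bytes instead of
HASH160 = RIPEMD160(SHA256(x)), and small JSON dicts instead of Script opcodes.
What is modelled faithfully is WHICH condition each output type imposes on the
spending input, and that the validator never consults earlier spends."""
import hashlib
import json

MSG_BITS = 16  # toy: sign only the first 16 bits of the message digest

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash160(data: bytes) -> bytes:
    return sha256(data)[:20]  # 20-byte (160-bit) output, like the real HASH160

# --- Lamport one-time signatures: keygen / sign / verify (stand-in for ECDSA) ---
def keygen(seed: bytes):
    """Private key: two secret preimages per message bit; public key: their hashes."""
    priv = [[sha256(seed + bytes([i, b])) for b in (0, 1)] for i in range(MSG_BITS)]
    return priv, [[sha256(p) for p in pair] for pair in priv]

def msg_bits(msg: bytes):
    digest = int.from_bytes(sha256(msg)[:2], "big")
    return [(digest >> (MSG_BITS - 1 - i)) & 1 for i in range(MSG_BITS)]

def sign(priv, msg: bytes):
    return [priv[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    """Needs only the public key: each revealed preimage must hash to the pub entry."""
    return len(sig) == MSG_BITS and all(
        sha256(sig[i]) == pub[i][b] for i, b in enumerate(msg_bits(msg)))

def serialize_pub(pub) -> bytes:
    return b"".join(h for pair in pub for h in pair)

def parse_pub(hexstr: str):
    raw = bytes.fromhex(hexstr)
    hashes = [raw[i:i + 32] for i in range(0, len(raw), 32)]
    return [hashes[2 * i:2 * i + 2] for i in range(MSG_BITS)]

# --- output scripts: what an "address" actually commits to ----------------------
def serialize_script(s: dict) -> bytes:
    return json.dumps(s, sort_keys=True).encode()

def p2pk_output(pub):
    return {"type": "p2pk", "pubkey": serialize_pub(pub).hex()}

def p2pkh_output(pub):
    return {"type": "p2pkh", "pubkey_hash": hash160(serialize_pub(pub)).hex()}

def multisig_script(m: int, pubs):
    return {"type": "multisig", "m": m, "pubkeys": [serialize_pub(p).hex() for p in pubs]}

def p2sh_output(redeem: dict):
    return {"type": "p2sh", "script_hash": hash160(serialize_script(redeem)).hex()}

def run_script(out_script: dict, witness: dict, msg: bytes) -> bool:
    """True if the input data `witness` satisfies `out_script` for message `msg`."""
    t = out_script["type"]
    if t == "p2pk":  # pubkey already sits in the output; input supplies only a signature
        return verify(parse_pub(out_script["pubkey"]), msg, witness["sig"])
    if t == "p2pkh":  # ANY pubkey whose hash matches is accepted, then its signature checked
        pub_hex = witness["pubkey"]
        if hash160(bytes.fromhex(pub_hex)) != bytes.fromhex(out_script["pubkey_hash"]):
            return False
        return verify(parse_pub(pub_hex), msg, witness["sig"])
    if t == "p2sh":  # ANY script whose hash matches is accepted, then that script is run
        redeem = witness["redeem_script"]
        if hash160(serialize_script(redeem)) != bytes.fromhex(out_script["script_hash"]):
            return False
        return run_script(redeem, witness, msg)
    if t == "multisig":  # m-of-n: each signature must verify against a distinct pubkey
        pubs, used = [parse_pub(h) for h in out_script["pubkeys"]], set()
        for sig in witness["sigs"]:
            for idx, pub in enumerate(pubs):
                if idx not in used and verify(pub, msg, sig):
                    used.add(idx)
                    break
        return len(used) >= out_script["m"]
    raise ValueError(f"unknown script type {t!r}")

def keys_per_hash(key_bits: int, hash_bits: int) -> int:
    return 2 ** key_bits // 2 ** hash_bits  # average keys behind one hash (2^256 / 2^160)

def demo() -> dict:
    """Constructed keys and message; returns which spends the toy validator accepts."""
    msg = b"constructed spending transaction"
    alice_priv, alice_pub = keygen(b"alice")
    bob_priv, bob_pub = keygen(b"bob")
    sig_a, sig_b = sign(alice_priv, msg), sign(bob_priv, msg)
    r = {"keys_per_p2pkh_hash": keys_per_hash(256, 160)}
    out = p2pk_output(alice_pub)  # pins Alice's public key itself
    r["p2pk_alice"] = run_script(out, {"sig": sig_a}, msg)
    r["p2pk_bob"] = run_script(out, {"sig": sig_b}, msg)
    out = p2pkh_output(alice_pub)  # pins only hash160(pubkey)
    r["p2pkh_alice"] = run_script(out, {"pubkey": serialize_pub(alice_pub).hex(), "sig": sig_a}, msg)
    r["p2pkh_bob"] = run_script(out, {"pubkey": serialize_pub(bob_pub).hex(), "sig": sig_b}, msg)
    redeem = multisig_script(2, [alice_pub, bob_pub])
    out = p2sh_output(redeem)  # pins only hash160(redeem script)
    r["p2sh_two_sigs"] = run_script(out, {"redeem_script": redeem, "sigs": [sig_a, sig_b]}, msg)
    r["p2sh_one_sig"] = run_script(out, {"redeem_script": redeem, "sigs": [sig_a]}, msg)
    other = multisig_script(1, [bob_pub])  # a different script: hash mismatch, rejected
    r["p2sh_wrong_script"] = run_script(out, {"redeem_script": other, "sigs": [sig_b]}, msg)
    return r
```

Calling `demo()` shows the P2PKH output accepting Alice's own key and rejecting Bob's purely because the hash differs; the P2PK output rejects Bob's signature without any hash comparison at all, because the key is already in the output; and the P2SH output rejects a script with the wrong hash before its contents are even looked at. The first post's 2^96 is just 2^256 / 2^160, which `keys_per_hash(256, 160)` returns. The example cannot exhibit a second key with the same hash, which is precisely why those "extra" keys are not a practical concern, while the privacy cost of reuse that the thread raises is.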

Dalmar (Hero Member, Activity: 616, Merit: 500)
October 08, 2017, 02:24:15 AM  #15

MultiSig typically uses P2SH.  In that case it is not necessary to find a private key at all.  All you need to do is find a script that resolves successfully and that hashes to the value in the transaction output.
That is really disappointing. I thought that multiSig is much safer than normal addresses. But it seems it is just the same level of security. Sad

It is MUCH safer.  You can leak one (or more) private keys, and your bitcoins will still be safe.  You can split private keys up among multiple people, so that a single person can't access the bitcoins by them selves.  There are many ways that multisig is safer than single signature addresses.

P2PK Pays to public key, but the coins go to a normal hashed bitcoin address.
No.  The coins NEVER "go to a normal hashed bitcoin address".  Regardless of whether you are using P2PK, P2PKH, or P2SH, there are no "coins", and there are no "addresses".  Those are concepts that we humans use to make it easier to talk about the transfer of control over value.  In the actual transaction and blockchain there are only inputs (with input scripts) and outputs (with output scripts). Outputs are assigned a value, and inputs reference outputs that haven't been referenced by any other inputs yet.

  • A P2PK script requires you to provide a signature that can be validated with a specific public key.  That's why it is called "pay to public key". Since the output script specifies the public key, and there is only 1 private key for each public key, only that specific private key will work.
  • A P2PKH script requires you to provide a public key that results in a specific hash, and then provide a signature that can be validated with the public key you provided. That's why it is called "pay to public key hash". Since there are 2256 possible public keys, and only 2160 possible hash values, each hash value has on average 2256 / 2160 = 296 private keys that will work. Only one of those private keys will be known.
  • A P2SH script requires you to provide a script that hashes to a specific value and which resolves successfully. That's why it is called "pay to script hash". Since there are 2160 possible hash values, and 280000 potential scripts(1), each hash value has on average 280000 / 2160 = 2500 possible scripts that will work. Depending on the structure of the script, only a few of those potential scripts will ever be known.

Thank you for having the patience to explain it.
I have studied bitcoin quite a lot, but never really read about how the input/output scripts validate the spent coins.  Now I understand better, and also realize, that I should read more about the topic. Smiley
Really interesting, that spending P2PK inputs only accept the pubkey given previously.

Spending P2PK outputs (using referring to them in an input) does not require you to provide a pubKey at all.  In a P2PK output, the pubKey is ALREADY SUPPLIED IN THE OUTPUT that is being spent.  The only thing that is supplied in the input when spending it is a signature.  That signature MUST be verifiable with the pubKey that was presented in the output when the output was created.

The hash of the pubKey is not used and carries no meaning in a P2PK transaction. Some block explorer websites might hash that pubKey when they show it to you because the average user doesn't understand how bitcoin works, and expects to see an address, but there is no address or pubKey hash in the actual transaction at all.

Thank you for the great explanation! I always thought that my knowledge was enough to explain these things to the average Joe. But sometimes this kind of tough question makes me think deeply Smiley

Thirdspace
Hero Member
Activity: 742
Merit: 580
October 08, 2017, 03:18:28 AM
 #16

Danny explained the technical side pretty well and clearly,
and you actually have answered some part of your own question too:

---snip---
I do not think reusing addresses is a big risk. The elliptic curve crypto that bitcoin uses is still considered safe. And as  it is a public key crypto, the public key can be safely published.
---snip---

and I think the main reason behind using a new address for every new transaction
is not its security but anonymity, one of Satoshi Nakamoto's intentions when he created bitcoin.
You're losing your anonymity bit by bit when re-using the same address for different transactions;
by using a new address you can stay anonymous and also improve your security,
because your bitcoin balance will keep moving to a new address
and a key-breaker would have no time to catch up with your moving balance.
Thus I agree with what btctousd81 said here
(note: I myself reuse a few addresses too  Cheesy):

---snip---

People say to use a new address to make it difficult to track the owner of bitcoins.
That is why default bitcoin clients send change to a new address, instead of the sender address.

But imho, if you don't have anything to hide, then using the same addresses is fine.
I manage 2 addresses and they have multiple tx on them; it's much easier to manage/handle 2 private keys instead of backing up the private key/wallet of a new change address after each tx.

If I am wrong, please enlighten me, I am still learning.

jennywhzz
Sr. Member
Activity: 414
Merit: 250
October 10, 2017, 04:49:45 PM
 #17

For each bitcoin address, there exists about 2^96=79228162514264337593543950336 private keys, that generate the same address.

And any of those private keys can be used to send coins from that address.

My question is: If one key has already been used to send from an address, can the other private keys still be used to send from the same address?

Or does the blockchain check what private key has already been used, and accept only the payments signed with that private key?

Accepting only the key that has already been used, would increase security. Since it is much more difficult to find 1 key than any of 2^96 keys.
(both cases are of course extremely unlikely, but the second case is still 2^96 times more likely)

If only one private key is valid, then an address, that has a send action is safer than an address that does not have a send action. And reusing an address is the safest choice. (at-least before quantum computers)

How is it? The wiki is not clear about this.


No, why would it be? Why is it something that you think about? If you think that you are in that much danger, then you do not have to use crypto; there is still a huge world of people out there using FIAT and they are doing just fine. Fear is the thing that makes you guys do stupid things, and that is how the markets get so up and down, but it makes the rest of us rich, so either way, go for it. But for you, if you are that scared, just do something else.

