Untrue. Unless your wallet generate keys with reused R values, it is safe to say that your BTC is safe for the time being.
Depends. If you generated the HD wallet in Electrum, Electrum will automatically send the change to a new address. The other unspent inputs remain in the address unless you change your settings.
With todays technology, it would be infeasible to crack ECDSA (way more than 10 years). It might change with quantum computing though. You don't have to worry about it. Due to some circumstances, I was reusing my previous address for 3 years with upwards of 700 transactions. Nothing has happened yet.

Ok.  I'm not an expert in this, that's why I'm asking.  I read this reply in another thread (https://bitcointalk.org/index.php?topic=277097.msg2969391#msg2969391):


The author of this quote is implying that the more you reuse your public address, the easier it becomes to generate the private key from the public key.  The author seems to be implying there is a flaw with the RNG (I assume your reply assumes the RNG is not flawed).  Is there a flaw with the author's quote above?

The author is suggesting that IF there is a flaw in the RNG that YOU are using THEN "it becomes possible for someone to use multiple signatures from the same private key to compute that private key and steal your bitcoins".

If you don't re-use the address, then that is less of a concern. A poor RNG used when generating the signature is less significant if you don't re-use the address.

Under NORMAL use (where your RNG and signature generating software is not compromised), ECDSA is CURRENTLY sufficiently secure to re-use addresses.

However...

WHY would you INTENTIONALLY expose yourself to the POSSIBILITY that your RNG MIGHT not be as good as you'd like?

WHY would you INTENTIONALLY expose yourself to the POSSIBILITY that a weakness in ECDSA MIGHT be discovered in the future?

WHY would you INTENTIONALLY reduce your own privacy AND the privacy of those that you engage in transactions with?

Especially, when you can improve all 3 of those situations by simply generating a new address for EVERY transaction?  A business wouldn't re-use an invoice number, why would you re-use a bitcoin address?

---

A bitcoin address is NOT an account number.  A bitcoin address is something that you give to a single entity for a single purpose, so that you can identify when that entity has paid you for that purpose.

Lets imagine that I have a single address that I use for everything.  Lets call it 1ThisIsReallyStupid.

Now, lets say John offers to buy something from me. I give John my address "1ThisIsReallyStupid" and tell John I'll ship it as soon as I see a payment.  Now lets say Mike, who has purchased from me in the past, sends me a payment and an email saying "Hey Danny, I just sent you a payment, can you send me some more of your awesome product?".  Unfortunately, I don't immediately see Mike's email, so I assume that the payment was from John.  I ship John the product.  Then I see Mike's email!

Oh noes!

John is now receiving product that he never paid for!  How could I possibly have avoided this terrible problem???

Oh, wait. Lets hop back in our time machine to the first time I ever engaged in business with Mike...

"Mike, the address FOR THIS TRANSACTION is '1UniqueAddressForTransaction001'. As soon as proper payment is received at that address, I'll ship the product.  Please contact me for a new address for any future shipments."

Now we can fast-forward to the present where John wants some product...

"John, the address FOR THIS TRANSACTION is '1UniqueAddressForTransaction002'. As soon as proper payment is received at that address, I'll ship the product.  Please contact me for a new address for any future shipments."

Then Mike fails to follow instructions.  He sends to the ONLY address for me that he has EVER known '1UniqueAddressForTransaction001'. and sends his email.

John's product does not get shipped, because '1UniqueAddressForTransaction002' is STILL UNFUNDED!  Wow! Amazing how well that works.

I send a quick email to Mike:
"Mike, our order tracking system uses bitcoin addresses as invoice numbers.  Your payment to '1UniqueAddressForTransaction001' will not trigger shipment on your new product order since that shipment requires the appropriate funds to be sent to '1AddressAlsoUniqueForTx003'.  Would you like us to forward the funds from '1UniqueAddressForTransaction001' to '1AddressAlsoUniqueForTx003' on your behalf or would you like us to send those funds back to you (if so, please provide a bitcoin address to send to)? Note that (as indicated in our terms of service) re-sending funds that have been sent to an incorrect bitcoin address will incur a 0.002 BTC fee per transaction received by us."

---

Actually, I think the advice against address-reuse is based on the concept that it reduces both your own privacy AND the privacy of everyone that you engage in transactions with.

The slight protection against "future breaks against ECDSA" is an added side-benefit, but not the most compelling reason.

If you imported your address into Electrum, the default behaviour is to send the coins back to the origin address. They cannot implement change address since they aren't going to generate addresses without seeds for you. The reason for this is to minimise confusion.


The current problem with ECDSA is that it is susceptible to attacks by quantum computer due to Shor's algorithm. This means that quantum computers can potentially crack ECDSA in a reasonable amount of time. However, the current progress of quantum computing is not anywhere near to the point for which encryptions are vulnerable to them. Even so, it may take some time for each address to be cracked.

Frankly speaking, unless you own thousands of BTC, no one would bother to try your address. It isn't free to use nor is it cheap and there are other things to crack than your BTC address.

Shor's algorithm only provides quadratic speedup. That means that the approx. 256 bits of security of secp256k1 becomes approx 128 bits of security in a world of readily-available, at-scale quantum computing. I wouldn't call 2¹²⁸ brute-forceable "in a reasonable amount of time."

My reply was to what ranochigo wrote:


I imported my private key to Electrum.  When I spend BTC, any remaining BTC gets sent back to my original address.  In effect, Electrum is reusing my BTC address as its default behavior for an imported private key.  To move my remaining BTC to a new address would require a second transaction, which would incur a transaction fee (about $25 USD to $30 USD based on today's rate?).

Yes, thank you. Both provide quadratic speedup so I forget which is which. QC is not my field, I just see a lot of obvious misinfo and FUD on this forum and feel the urge to try to set the record straight as best I can.

That's not really true, its easy to harvest all used addresses in history, easy-peasy

Then you create bloom filter and mark all seen addresses, and then decide how you want to attack btc, either by was of generating deterimistic keys, or brute-intelligent force forward by big-step/baby-step, ...

When you have all the addresses its just like having the public keys, for all the private-key guesses no matter your ALGO, you simple generate a pubkey and then generate say 8192 addresses for every pubkey and check the bloom-table if one of those addresses are  hot

U can also hash all the X values from ecdsa into a hash-table and use that to correspond to known addresses,

Then you can watch R values on the block chain, and look for patterns to make a guess to the private-key

It really blows me away how the majority here always say "that can't be done", oh but they have a caveat that a real smart math guy will solve the discrete-log problem tomorrow and sweep all the coin, thus they know it can be done

People who have studied SECP256k1(ECDSA) long enough see the patterns,

But getting back to your question, the public-key isn't required, its easy use a DISCRETE-LOG algo to run through private-keys generated and then super easy to test the priv-key with a function that uses a bloom-table on all known addresses with balance, right now there are +3 million of  the puppys

IMHO the founders are scared to death, but the majority are just bots who repeat the mantra u know "BITCOIN is Safe", nothing is safe in life, not walking across the street.

I can say this targeting a PRISTINE address is not easy, but I think that throwing lots of shit on the wall using intelligent ideas from the discrete-log papers, and then testing your X's that come back with public-key hash tests which are super easy, is all doable

WRT to that mathematician who solves the discrete-log problem, IMHO most mathematicians are too pure to stoop to the low level of 'hacking' to resolve this problem, so it probably will not be solved by your math guy, it will be solved by a teenager in Burma, using a low tech chrome-book running crouton

Nothing is SAFE, never its always been this way,

But the above said, BTC is amazing in its general safety, I think the majority will always be safe,

Lastly, studying this stuff, actually improves your knowledge and ability to protect your own coins,

IMHO the NSA created BITCOIN, They're just watching and waiting to see who & how breaks this stuff first, like DES, or SHA, or anything that comes out of NSA, they always have a backdoor, never seen otherwise, thus in a way BTC is real nice way to have everybody on earth hitting their code and then they can keep one step ahead of the best hackers on earth, ...

Let me run this question as an answer. Say you gen a private key and public address pair, then you keep generating addresses for a long time with that public-key.

What happens is that each address is just a I*PubKey ( where I is the i'th address you generated from that mother public-key )  that is hashed, so the more you use that same pubkey to generate addresses you increase probability that I will hit your address with my pub-key guess box, everytime you use the same public-key to gen an address its a dart on the wall, an the more darts on the wall the higher probability that I will hit that dart.

It's easy to guess private-keys, and its easy to make a public-key from them, and then its super easy to generate 10k addresses from that public-key and test them all in a second,


... Its not easy to take a public-key and make a private-address, but the more addresses you generate the easier it is for me to guess your private key.

For me I have all the addresses known on BTC on my wall, thus I'm not likely in all history of universe to hit your address, unless you have lots of them for me to 'sticky' on my wall.

I don't want to diss you but are you from another planet?

The invoice number? A Bitcoin address is more like a customer ID, which remains fixed!

It would be much more convenient for businesses or individuals, to provide their counterparties with fixed addresses for further use.
 
Otherwise a new one would have to be created everytime someone sends you a payment. What a nuisance! And imagine this is done automatically, and a partial payment is received: CHAOS, CONFUSION and MAYHEM!

For privacy you would need a new private key (HD) every time anyways. But if you want privacy, BTC is not the right crypto.

I guess a company with good blockchain knowledge could try and create 1 private key per customer, then issuing a different address on that key for each invoice. But for the average company/individual that is way too much overhead.

So yes I do think address re-use should be fully supported.