How long to hack an address that is used to send BTC multiple times?

[cryptoking555]

If you have a public address and you reuse this address to send BTC from multiple times, my understanding is that your public address is more susceptible to being hacked (ie. easier for somebody to generate the private key from your public address).  From what I have read, if you send BTC from your public address and you keep any leftover coins in that public address, your public address is only protected by ECDSA.  I have also read that the more you reuse the same address to send BTC, the more your address is susceptible to being hacked.

So let's say I am using a public address.  I send a portion of my BTC from my public address to somebody else but the leftover BTC remains in my public address (doesn't Electrum keep your leftover BTC in the same address by default?).  I use this same public address to send BTC from over the next several weeks.  In total, I have sent from this address 4 or 5 times over several weeks.  Several weeks later, after I am done sending my BTC, I backup my wallet and my private key, uninstall Electrum and decide to let my leftover BTC sit there in my public address.

With today's technology, how long would it take to hack this public address?  Is this something I don't have to worry about for the next 10 years?  The next 5 years?  The next 1 year?

[1715307850]

1715307850

[1715307850]

1715307850

[ranochigo]

I have also read that the more you reuse the same address to send BTC, the more your address is susceptible to being hacked.

Untrue. Unless your wallet generate keys with reused R values, it is safe to say that your BTC is safe for the time being.

So let's say I am using a public address.  I send a portion of my BTC from my public address to somebody else but the leftover BTC remains in my public address (doesn't Electrum keep your leftover BTC in the same address by default?).

Depends. If you generated the HD wallet in Electrum, Electrum will automatically send the change to a new address. The other unspent inputs remain in the address unless you change your settings.

I use this same public address to send BTC from over the next several weeks.  In total, I have sent from this address 4 or 5 times over several weeks.  Several weeks later, after I am done sending my BTC, I backup my wallet and my private key, uninstall Electrum and decide to let my leftover BTC sit there in my public address.

With today's technology, how long would it take to hack this public address?  Is this something I don't have to worry about for the next 10 years?  The next 5 years?  The next 1 year?

With todays technology, it would be infeasible to crack ECDSA (way more than 10 years). It might change with quantum computing though. You don't have to worry about it. Due to some circumstances, I was reusing my previous address for 3 years with upwards of 700 transactions. Nothing has happened yet.

[haltingprobability]

If you have a public address and you reuse this address to send BTC from multiple times, my understanding is that your public address is more susceptible to being hacked (ie. easier for somebody to generate the private key from your public address).  From what I have read, if you send BTC from your public address and you keep any leftover coins in that public address, your public address is only protected by ECDSA.  I have also read that the more you reuse the same address to send BTC, the more your address is susceptible to being hacked.

So let's say I am using a public address.  I send a portion of my BTC from my public address to somebody else but the leftover BTC remains in my public address (doesn't Electrum keep your leftover BTC in the same address by default?).  I use this same public address to send BTC from over the next several weeks.  In total, I have sent from this address 4 or 5 times over several weeks.  Several weeks later, after I am done sending my BTC, I backup my wallet and my private key, uninstall Electrum and decide to let my leftover BTC sit there in my public address.

With today's technology, how long would it take to hack this public address?  Is this something I don't have to worry about for the next 10 years?  The next 5 years?  The next 1 year?

It's unknown. The advice against address-reuse is based on the general risk of future breaks against ECDSA, which cannot be ruled out. It's certainly not susceptible to brute-forcing, since that is on the order of 2²⁵⁵, which is effectively infinite (more than the number of particles in the universe, etc. etc.) But if some clever mathematician figures out a cryptographic break against ECDSA that weakens ECDSA keys, it would be necessary to sweep funds from wallets secured only by ECDSA to something else. P2PKH/P2WPKH resolves this issue by publishing only the key-fingerprint instead of the entire pubkey. Even if there is a break against ECDSA, there is no short-term risk of your coins being stolen. Coins in long-term cold storage (timelocked), for example, need this feature.

[cryptoking555]

I have also read that the more you reuse the same address to send BTC, the more your address is susceptible to being hacked.

Untrue. Unless your wallet generate keys with reused R values, it is safe to say that your BTC is safe for the time being.

Ok.  I'm not an expert in this, that's why I'm asking.  I read this reply in another thread (https://bitcointalk.org/index.php?topic=277097.msg2969391#msg2969391):

As an example, if the random number generator that is used to generate the k value when singing a transaction isn't sufficiently "random" it becomes possible for someone to use multiple signatures from the same private key to compute that private key and steal your bitcoins.  If you use a new address for each transaction, then you never have multiple signatures from the same private key, so this is no longer an issue.

The author of this quote is implying that the more you reuse your public address, the easier it becomes to generate the private key from the public key.  The author seems to be implying there is a flaw with the RNG (I assume your reply assumes the RNG is not flawed).  Is there a flaw with the author's quote above?

[ranochigo]

The author of this quote is implying that the more you reuse your public address, the easier it becomes to generate the private key from the public key.  The author seems to be implying there is a flaw with the RNG (I assume your reply assumes the RNG is not flawed).  Is there a flaw with the author's quote above?

No. He's correct.

You got the meaning wrong however. My reply does assume that the RNG is flawed(in a poorly implemented wallet). The point with that sort of attack is that an attacker can easily get your private key using at least two signatures that reuses the R value. If the wallet is flawed, the values could potentially be the same and address reuse does mitigate this since each address would only have one output that would be spent and the address would only be used once.

[DannyHamilton]

The author seems to be implying there is a flaw with the RNG (I assume your reply assumes the RNG is not flawed).

The author is suggesting that IF there is a flaw in the RNG that YOU are using THEN "it becomes possible for someone to use multiple signatures from the same private key to compute that private key and steal your bitcoins".

If you don't re-use the address, then that is less of a concern. A poor RNG used when generating the signature is less significant if you don't re-use the address.

Under NORMAL use (where your RNG and signature generating software is not compromised), ECDSA is CURRENTLY sufficiently secure to re-use addresses.

However...

WHY would you INTENTIONALLY expose yourself to the POSSIBILITY that your RNG MIGHT not be as good as you'd like?

WHY would you INTENTIONALLY expose yourself to the POSSIBILITY that a weakness in ECDSA MIGHT be discovered in the future?

WHY would you INTENTIONALLY reduce your own privacy AND the privacy of those that you engage in transactions with?

Especially, when you can improve all 3 of those situations by simply generating a new address for EVERY transaction?  A business wouldn't re-use an invoice number, why would you re-use a bitcoin address?


A bitcoin address is NOT an account number.  A bitcoin address is something that you give to a single entity for a single purpose, so that you can identify when that entity has paid you for that purpose.

Lets imagine that I have a single address that I use for everything.  Lets call it 1ThisIsReallyStupid.

Now, lets say John offers to buy something from me. I give John my address "1ThisIsReallyStupid" and tell John I'll ship it as soon as I see a payment.  Now lets say Mike, who has purchased from me in the past, sends me a payment and an email saying "Hey Danny, I just sent you a payment, can you send me some more of your awesome product?".  Unfortunately, I don't immediately see Mike's email, so I assume that the payment was from John.  I ship John the product.  Then I see Mike's email!

Oh noes!

John is now receiving product that he never paid for!  How could I possibly have avoided this terrible problem???

Oh, wait. Lets hop back in our time machine to the first time I ever engaged in business with Mike...

"Mike, the address FOR THIS TRANSACTION is '1UniqueAddressForTransaction001'. As soon as proper payment is received at that address, I'll ship the product.  Please contact me for a new address for any future shipments."

Now we can fast-forward to the present where John wants some product...

"John, the address FOR THIS TRANSACTION is '1UniqueAddressForTransaction002'. As soon as proper payment is received at that address, I'll ship the product.  Please contact me for a new address for any future shipments."

Then Mike fails to follow instructions.  He sends to the ONLY address for me that he has EVER known '1UniqueAddressForTransaction001'. and sends his email.

John's product does not get shipped, because '1UniqueAddressForTransaction002' is STILL UNFUNDED!  Wow! Amazing how well that works.

I send a quick email to Mike:
"Mike, our order tracking system uses bitcoin addresses as invoice numbers.  Your payment to '1UniqueAddressForTransaction001' will not trigger shipment on your new product order since that shipment requires the appropriate funds to be sent to '1AddressAlsoUniqueForTx003'.  Would you like us to forward the funds from '1UniqueAddressForTransaction001' to '1AddressAlsoUniqueForTx003' on your behalf or would you like us to send those funds back to you (if so, please provide a bitcoin address to send to)? Note that (as indicated in our terms of service) re-sending funds that have been sent to an incorrect bitcoin address will incur a 0.002 BTC fee per transaction received by us."

The advice against address-reuse is based on the general risk of future breaks against ECDSA, which cannot be ruled out.

Actually, I think the advice against address-reuse is based on the concept that it reduces both your own privacy AND the privacy of everyone that you engage in transactions with.

The slight protection against "future breaks against ECDSA" is an added side-benefit, but not the most compelling reason.

[cryptoking555]

However...

WHY would you INTENTIONALLY expose yourself to the POSSIBILITY that your RNG MIGHT not be as good as you'd like?

WHY would you INTENTIONALLY expose yourself to the POSSIBILITY that a weakness in ECDSA MIGHT be discovered in the future?

WHY would you INTENTIONALLY reduce your own privacy AND the privacy of those that you engage in transactions with?

Especially, when you can improve all 3 of those situations by simply generating a new address for EVERY transaction?  A business wouldn't re-use an invoice number, why would you re-use a bitcoin address?

Yeah, I admit it's lazy.  I need to tinker with Electrum more.  I imported a private key into Electrum-LTC and spent some LTC.  For whatever reason, by default, after I spent a portion of the LTC, the Electrum-LTC wallet sent the leftover LTC back to the original address.  I'm assuming if Electrum-LTC is a fork of Electrum, they both work similarly for imported private keys.

Having said that though, I have my private key for my BTC address printed out.  I plan to spend some BTC over the next several weeks (or months).  At the very end of my spending, I then plan to move the remaining BTC to a new address so that it cannot be hacked.  But during the next few weeks and months, it's just a hassle to generate a new address each time, and then record the private key for each new address (hardware wallets are all sold out around the area I live).  As for the privacy of the destination address, it's a BTC address for my account on an exchange so I don't care too much about privacy.

That's why I was wondering what is the possibility that somebody can hack my address over the next several months if I reuse it.  If the probability is extremely low, I don't mind the risk I take over the next several months, provided that at the end of my spending at the end of the next few months, that I move my coins to a new address and don't spend from the new address.

In your opinion, do hackers even have the technology or has a weakness in ECDSA been found recently such that reusing the same address over the next few months is susceptible to being hacked?

[ranochigo]

Yeah, I admit it's lazy.  I need to tinker with Electrum more.  I imported a private key into Electrum-LTC and spent some LTC.  For whatever reason, by default, after I spent a portion of the LTC, the Electrum-LTC wallet sent the leftover LTC back to the original address.  I'm assuming if Electrum-LTC is a fork of Electrum, they both work similarly for imported private keys.

If you imported your address into Electrum, the default behaviour is to send the coins back to the origin address. They cannot implement change address since they aren't going to generate addresses without seeds for you. The reason for this is to minimise confusion.

That's why I was wondering what is the possibility that somebody can hack my address over the next several months if I reuse it.  If the probability is extremely low, I don't mind the risk I take over the next several months, provided that at the end of my spending at the end of the next few months, that I move my coins to a new address and don't spend from the new address.

In your opinion, do hackers even have the technology or has a weakness in ECDSA been found recently such that reusing the same address over the next few months is susceptible to being hacked?

The current problem with ECDSA is that it is susceptible to attacks by quantum computer due to Shor's algorithm. This means that quantum computers can potentially crack ECDSA in a reasonable amount of time. However, the current progress of quantum computing is not anywhere near to the point for which encryptions are vulnerable to them. Even so, it may take some time for each address to be cracked.

Frankly speaking, unless you own thousands of BTC, no one would bother to try your address. It isn't free to use nor is it cheap and there are other things to crack than your BTC address.

[cryptoking555]

If you imported your address into Electrum, the default behaviour is to send the coins back to the origin address. They cannot implement change address since they aren't going to generate addresses without seeds for you. The reason for this is to minimise confusion.

Thanks.  Switching to a new address after every transaction is not feasible because of the high transaction fees.  Not to mention the transaction time. 

The current problem with ECDSA is that it is susceptible to attacks by quantum computer due to Shor's algorithm. This means that quantum computers can potentially crack ECDSA in a reasonable amount of time. However, the current progress of quantum computing is not anywhere near to the point for which encryptions are vulnerable to them. Even so, it may take some time for each address to be cracked.

Frankly speaking, unless you own thousands of BTC, no one would bother to try your address. It isn't free to use nor is it cheap and there are other things to crack than your BTC address.

Thanks.  I don't own thousands of BTC, lol.  At the end of all my transactions (after a few months), I'll probably move my BTC to a new address then.  Hopefully, the transaction costs will be equal or less than what it is now (but who really knows).

[haltingprobability]

The current problem with ECDSA is that it is susceptible to attacks by quantum computer due to Shor's algorithm. This means that quantum computers can potentially crack ECDSA in a reasonable amount of time.

Shor's algorithm only provides quadratic speedup. That means that the approx. 256 bits of security of secp256k1 becomes approx 128 bits of security in a world of readily-available, at-scale quantum computing. I wouldn't call 2¹²⁸ brute-forceable "in a reasonable amount of time."

[DannyHamilton]

Switching to a new address after every transaction is not feasible because of the high transaction fees.  Not to mention the transaction time.

I don't understand what you are saying here.

Why would using a new address for the change from your transaction have any effect at all on the transaction fees or the transaction time?

To reduce fees, you may want to consider moving your bitcoins to a SegWit address.

[cryptoking555]

Switching to a new address after every transaction is not feasible because of the high transaction fees.  Not to mention the transaction time.

I don't understand what you are saying here.

Why would using a new address for the change from your transaction have any effect at all on the transaction fees or the transaction time?

To reduce fees, you may want to consider moving your bitcoins to a SegWit address.

My reply was to what ranochigo wrote:

If you imported your address into Electrum, the default behaviour is to send the coins back to the origin address. They cannot implement change address since they aren't going to generate addresses without seeds for you. The reason for this is to minimise confusion.

I imported my private key to Electrum.  When I spend BTC, any remaining BTC gets sent back to my original address.  In effect, Electrum is reusing my BTC address as its default behavior for an imported private key.  To move my remaining BTC to a new address would require a second transaction, which would incur a transaction fee (about $25 USD to $30 USD based on today's rate?).

[ArithmomanicVampire]

The current problem with ECDSA is that it is susceptible to attacks by quantum computer due to Shor's algorithm. This means that quantum computers can potentially crack ECDSA in a reasonable amount of time.

Shor's algorithm only provides quadratic speedup. That means that the approx. 256 bits of security of secp256k1 becomes approx 128 bits of security in a world of readily-available, at-scale quantum computing. I wouldn't call 2¹²⁸ brute-forceable "in a reasonable amount of time."

I think you're mixing up Shor's with Grover's.

https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks

[haltingprobability]

The current problem with ECDSA is that it is susceptible to attacks by quantum computer due to Shor's algorithm. This means that quantum computers can potentially crack ECDSA in a reasonable amount of time.

Shor's algorithm only provides quadratic speedup. That means that the approx. 256 bits of security of secp256k1 becomes approx 128 bits of security in a world of readily-available, at-scale quantum computing. I wouldn't call 2¹²⁸ brute-forceable "in a reasonable amount of time."

I think you're mixing up Shor's with Grover's.

https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks

Yes, thank you. Both provide quadratic speedup so I forget which is which. QC is not my field, I just see a lot of obvious misinfo and FUD on this forum and feel the urge to try to set the record straight as best I can.

[ArithmomanicVampire]

The current problem with ECDSA is that it is susceptible to attacks by quantum computer due to Shor's algorithm. This means that quantum computers can potentially crack ECDSA in a reasonable amount of time.

Shor's algorithm only provides quadratic speedup. That means that the approx. 256 bits of security of secp256k1 becomes approx 128 bits of security in a world of readily-available, at-scale quantum computing. I wouldn't call 2¹²⁸ brute-forceable "in a reasonable amount of time."

I think you're mixing up Shor's with Grover's.

https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks

Yes, thank you. Both provide quadratic speedup so I forget which is which. QC is not my field, I just see a lot of obvious misinfo and FUD on this forum and feel the urge to try to set the record straight as best I can.

Unfortunately, Shor's is stronger than just quadratic speedup: in the case of secp256k1 it transforms the roughly 2²⁵⁶ into roughly 256³. This writeup: https://arxiv.org/abs/quant-ph/0012084 while a bit technical, details what's going on under the hood, and how breaking RSA (integer factorization) and ECDSA (discrete logarithm) are just special cases of a more general principle.

Of course, the quantum computer to implement this will not be built for at least another decade, so we can relax for the time being…

[bitfools]

If you have a public address and you reuse this address to send BTC from multiple times, my understanding is that your public address is more susceptible to being hacked (ie. easier for somebody to generate the private key from your public address).  From what I have read, if you send BTC from your public address and you keep any leftover coins in that public address, your public address is only protected by ECDSA.  I have also read that the more you reuse the same address to send BTC, the more your address is susceptible to being hacked.

So let's say I am using a public address.  I send a portion of my BTC from my public address to somebody else but the leftover BTC remains in my public address (doesn't Electrum keep your leftover BTC in the same address by default?).  I use this same public address to send BTC from over the next several weeks.  In total, I have sent from this address 4 or 5 times over several weeks.  Several weeks later, after I am done sending my BTC, I backup my wallet and my private key, uninstall Electrum and decide to let my leftover BTC sit there in my public address.

With today's technology, how long would it take to hack this public address?  Is this something I don't have to worry about for the next 10 years?  The next 5 years?  The next 1 year?

It's unknown. The advice against address-reuse is based on the general risk of future breaks against ECDSA, which cannot be ruled out. It's certainly not susceptible to brute-forcing, since that is on the order of 2²⁵⁵, which is effectively infinite (more than the number of particles in the universe, etc. etc.) But if some clever mathematician figures out a cryptographic break against ECDSA that weakens ECDSA keys, it would be necessary to sweep funds from wallets secured only by ECDSA to something else. P2PKH/P2WPKH resolves this issue by publishing only the key-fingerprint instead of the entire pubkey. Even if there is a break against ECDSA, there is no short-term risk of your coins being stolen. Coins in long-term cold storage (timelocked), for example, need this feature.

That's not really true, its easy to harvest all used addresses in history, easy-peasy

Then you create bloom filter and mark all seen addresses, and then decide how you want to attack btc, either by was of generating deterimistic keys, or brute-intelligent force forward by big-step/baby-step, ...

When you have all the addresses its just like having the public keys, for all the private-key guesses no matter your ALGO, you simple generate a pubkey and then generate say 8192 addresses for every pubkey and check the bloom-table if one of those addresses are  hot

U can also hash all the X values from ecdsa into a hash-table and use that to correspond to known addresses,

Then you can watch R values on the block chain, and look for patterns to make a guess to the private-key

It really blows me away how the majority here always say "that can't be done", oh but they have a caveat that a real smart math guy will solve the discrete-log problem tomorrow and sweep all the coin, thus they know it can be done

People who have studied SECP256k1(ECDSA) long enough see the patterns,

But getting back to your question, the public-key isn't required, its easy use a DISCRETE-LOG algo to run through private-keys generated and then super easy to test the priv-key with a function that uses a bloom-table on all known addresses with balance, right now there are +3 million of  the puppys

IMHO the founders are scared to death, but the majority are just bots who repeat the mantra u know "BITCOIN is Safe", nothing is safe in life, not walking across the street.

I can say this targeting a PRISTINE address is not easy, but I think that throwing lots of shit on the wall using intelligent ideas from the discrete-log papers, and then testing your X's that come back with public-key hash tests which are super easy, is all doable

WRT to that mathematician who solves the discrete-log problem, IMHO most mathematicians are too pure to stoop to the low level of 'hacking' to resolve this problem, so it probably will not be solved by your math guy, it will be solved by a teenager in Burma, using a low tech chrome-book running crouton

Nothing is SAFE, never its always been this way,

But the above said, BTC is amazing in its general safety, I think the majority will always be safe,

Lastly, studying this stuff, actually improves your knowledge and ability to protect your own coins,

IMHO the NSA created BITCOIN, They're just watching and waiting to see who & how breaks this stuff first, like DES, or SHA, or anything that comes out of NSA, they always have a backdoor, never seen otherwise, thus in a way BTC is real nice way to have everybody on earth hitting their code and then they can keep one step ahead of the best hackers on earth, ...

[bitfools]

Switching to a new address after every transaction is not feasible because of the high transaction fees.  Not to mention the transaction time.

I don't understand what you are saying here.

Why would using a new address for the change from your transaction have any effect at all on the transaction fees or the transaction time?

To reduce fees, you may want to consider moving your bitcoins to a SegWit address.

The problem here is majority are using these 3rd party wallet packages on the internet that place the fee's,

I use the Bitcoin-CLI (cmd line) to do my transaction, I set my feed schedule to zero, and I rarely see fee's, thus I know it can be done,


IMHO its just the day-traders that are generating 1,000's of 0.0001 BTC trades a day complaining about 0.002 BTC fee's, the problem is people just don't take the time  to learn the software, its all there testnet, to learn, and minimal fees that are selectable by the user, but people choose to use these fancy GUI platforms that set the fee's and most likely give the user a hair-cut to boot.

Conversation here is about 'loss' in BTC, most loss occurs at the exchange or wallet, from malicious or sloppy software, and the fee's is just another example, they just don't care, but if you did care you would learn to set the fee schedule yourself.

If you keep our private-keys off the exchanges or away from wallet-software, if you keep your keeps on a closed system, running your own node, I don't see how you could lose money, unless you did it on purpose, the bitcoind&bitcoin-cli software seem pretty solid, but I gather from the comments on these forums that 99% of the users are just putting their private-keys into the hands of third  party's.

[bitfools]

If you have a public address and you reuse this address to send BTC from multiple times, my understanding is that your public address is more susceptible to being hacked (ie. easier for somebody to generate the private key from your public address).  From what I have read, if you send BTC from your public address and you keep any leftover coins in that public address, your public address is only protected by ECDSA.  I have also read that the more you reuse the same address to send BTC, the more your address is susceptible to being hacked.

So let's say I am using a public address.  I send a portion of my BTC from my public address to somebody else but the leftover BTC remains in my public address (doesn't Electrum keep your leftover BTC in the same address by default?).  I use this same public address to send BTC from over the next several weeks.  In total, I have sent from this address 4 or 5 times over several weeks.  Several weeks later, after I am done sending my BTC, I backup my wallet and my private key, uninstall Electrum and decide to let my leftover BTC sit there in my public address.

With today's technology, how long would it take to hack this public address?  Is this something I don't have to worry about for the next 10 years?  The next 5 years?  The next 1 year?

Let me run this question as an answer. Say you gen a private key and public address pair, then you keep generating addresses for a long time with that public-key.

What happens is that each address is just a I*PubKey ( where I is the i'th address you generated from that mother public-key )  that is hashed, so the more you use that same pubkey to generate addresses you increase probability that I will hit your address with my pub-key guess box, everytime you use the same public-key to gen an address its a dart on the wall, an the more darts on the wall the higher probability that I will hit that dart.

It's easy to guess private-keys, and its easy to make a public-key from them, and then its super easy to generate 10k addresses from that public-key and test them all in a second,


... Its not easy to take a public-key and make a private-address, but the more addresses you generate the easier it is for me to guess your private key.

For me I have all the addresses known on BTC on my wall, thus I'm not likely in all history of universe to hit your address, unless you have lots of them for me to 'sticky' on my wall.

[nullius]

The security of exposed Bitcoin public keys is just fine for general usage.  They cannot be hacked.  Answer to the thread’s subject line:  “A million billion trillion zillion years.”  But there is a different, unrelated reason to avoid address reuse:  Privacy.  Avoiding address reuse gives you a modicum of privacy.  That at least makes Chainalysis work for their pay.  Re-using addresses makes transaction linkage trivial, child’s play.

A public key is called a “public key”, because it is secure when exposed in public.  I publish my PGP public keys (and if I didn’t, PGP would be useless).  I am not worried about that.  Each and every time you connect to an https website secured by TLS, the server’s public key is exposed to you—and your symmetric session key is derived from a key-agreement process based on the hardness of the same DLP as is the fundamental basis of most widely-used public-key cryptography other than RSA.  I am not worried about that, either!  Likewise, I am not worried about the security of my Bitcoin public keys.


Those concerned about bad randomness causing leaked secret key bits need to read RFC 6979:

Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)

Abstract

This document defines a deterministic digital signature generation procedure.  Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein.  Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.

Core’s secp256k1 library uses this deterministic, “derandomized” DSA.

I don’t know if Core v0.15.1 uses that library for signing, as of yet; and I am too lazy to grep sources at the moment.  I know that older versions used this library only for verification, where it beat OpenSSL 5–10x in performance.  Does somebody else know off-hand?

If your wallet does not use deterministic ECDSA signing, then—well, I suggest that you should switch software.  This should now be considered a baseline “best practice”.

Of course, if your platform’s RNG is broken, then you have other problems.  Big, bad problems.  But with RFC 6979 signing, leakage of ECDSA private key bits will not be one of them.

The advice against address-reuse is based on the general risk of future breaks against ECDSA, which cannot be ruled out.

Actually, I think the advice against address-reuse is based on the concept that it reduces both your own privacy AND the privacy of everyone that you engage in transactions with.

The slight protection against "future breaks against ECDSA" is an added side-benefit, but not the most compelling reason.

I argue that even mentioning public-key security in the context of address reuse is a terrible disservice to Bitcoin.  To anybody who do not understand the nuanced technical discussion, it FUDs Bitcoin security for no good reason.  In ordinary circumstances, there is one, and only one excellent reason to avoid address reuse:  Making transaction linking less easy.

I call myself “paranoid”; and there is only one use case in which I would be concerned about exposing the public key:  Long-term storage of funds for decades.  Yes, in that case, I want the extra security of reducing my attack surface to the Hash160.  That will guard against unforeseen cryptanalytic breakthroughs, hypothetical quantum computers, ECDSA-cracking unicorns, the arrival of superintelligent space aliens on Earth, etc.  So if I make a cold-storage address for my grandkids’ inheritance, I will keep the public key secret, and sleep 3.1337% more quietly at night.  I am just that paranoid.

N.b. that using a new address for every transaction does not by itself provide good privacy.  Blockchain analysis heuristics can link transactions with high reliability, even if addresses are not reused.  It is only the most basic privacy measure, as well as being the prerequisite for all better privacy measures.  For this reason alone, avoiding address reuse is very important.

To reduce fees, you may want to consider moving your bitcoins to a SegWit address.

This must be emphasized at every opportunity.  When you use a Segwit address, you are helping the network by using less of a globally shared resource for your transactions; in BIP 141 terms, your transactions have less “weight”.  Fees are calculated by weight.  Therefore, when you use a Segwit address, you get a huge discount on fees.

[pseudo-technical babble evidently designed to impress newbies and non-technical people—abysmally unimpressive to anybody who has technical expertise in Bitcoin]

[incomprehensible gibberish talk]

[blah blah blah]

The aptly-named “bitfools” appears to be trolling with voluminous spew of patent nonsense.  Newbies, don’t believe anything he says.  Just ignore.  It is all 100% incorrect.  Sheer idiocy.

[leopard2]

Especially, when you can improve all 3 of those situations by simply generating a new address for EVERY transaction?  A business wouldn't re-use an invoice number, why would you re-use a bitcoin address?

I don't want to diss you but are you from another planet?

The invoice number? A Bitcoin address is more like a customer ID, which remains fixed!

It would be much more convenient for businesses or individuals, to provide their counterparties with fixed addresses for further use.
 
Otherwise a new one would have to be created everytime someone sends you a payment. What a nuisance! And imagine this is done automatically, and a partial payment is received: CHAOS, CONFUSION and MAYHEM!

For privacy you would need a new private key (HD) every time anyways. But if you want privacy, BTC is not the right crypto.

I guess a company with good blockchain knowledge could try and create 1 private key per customer, then issuing a different address on that key for each invoice. But for the average company/individual that is way too much overhead.

So yes I do think address re-use should be fully supported.

[nullius]

Especially, when you can improve all 3 of those situations by simply generating a new address for EVERY transaction?  A business wouldn't re-use an invoice number, why would you re-use a bitcoin address?

I don't want to diss you but are you from another planet?

The invoice number? A Bitcoin address is more like a customer ID, which remains fixed!

Nonsense.  What DannyHamilton described is not only a well-known “best practice”, but also the actual and longstanding current practice of numerous Bitcoin businesses, both large and small.  Assigning one address per transaction is also the only practical, reliable means of tracking payments and matching payments to transactions; thus, a Bitcoin address works out perfectly as a quasi invoice number—or even an actual invoice number.

I emphasize that this is the common and customary usage.  Forget about discussing your qualifications as a developer:  If you have not seen this as a customer, such reveals that you have rarely if ever used Bitcoin at all.

It would be much more convenient for businesses or individuals, to provide their counterparties with fixed addresses for further use.
 
Otherwise a new one would have to be created everytime someone sends you a payment. What a nuisance! And imagine this is done automatically, and a partial payment is received: CHAOS, CONFUSION and MAYHEM!

Years of the real-world experience of actual businesses flatly contradict your supposition.

What happens if a partial payment is received?  Whatever happens according to the payee’s usual handling of partly-paid invoices—that’s what.  Using one address per transaction makes it easier to track and account for partial payments.

For privacy you would need a new private key (HD) every time anyways.

With your reference to “(HD)”, you are confusing the BIP 32 seed with a Bitcoin private key.  From a single seed, a BIP 32 HD wallet can generate up to 2,147,483,648 hardened or non-hardened private-key/address pairs per derivation path.  That’s over two billion addresses.

At the current rate of transactions per day, it would take about 25–35 years for the entire Bitcoin network to process 2,147,483,648 transactions.  If you had somehow anachronistically created an HD wallet when Bitcoin was first released in January 2009, and every Bitcoin transaction ever made had been spent to you with a new address for each one, then you would have still only used a fraction of your addresses.

Still worried about running out of addresses in your HD wallet?

But if you want privacy, BTC is not the right crypto.

So, if Bitcoin does not provide a privacy suit of armour without special measures, you recommend walking around naked?  (Moreover, given some effort and skill, Bitcoin can be plenty private.)

I guess a company with good blockchain knowledge could try and create 1 private key per customer, then issuing a different address on that key for each invoice. But for the average company/individual that is way too much overhead.

So yes I do think address re-use should be fully supported.

For a lightweight solution, Electrum provides easy merchant features which even the dullest developer should be able to get working and integrate with a shopcart and accounting backend.  It automatically provides a new address for each payment request, and serves up fancy auto-generated payment request pages with QR codes.  For security, it works fine with a cold wallet (no webserver access to funds).  If you can set up a webserver and a basic shopcart package, then you are capable of doing this, too.

Making this work with Core is not exactly rocket science, either.

[DannyHamilton]

I don't want to diss you but are you from another planet?

No.

But, it appears you may be.

The invoice number? A Bitcoin address is more like a customer ID, which remains fixed!

You are quite mistaken about that.

A bitcoin address is intended to be used only once and as a method to identify a payment.  That sounds like an invoice number to me.

It would be much more convenient for businesses or individuals, to provide their counterparties with fixed addresses for further use.

I suppose it would be convenient to provide "counterparties" with a fixed invoice number for further use as well, but it doesn't make sense and is really quite silly.

Otherwise a new one would have to be created everytime someone sends you a payment.

You mean, like an invoice number?  Right.  Exactly.

What a nuisance!

Most people don't think of invoice numbers as being a nuisance.

And imagine this is done automatically, and a partial payment is received: CHAOS, CONFUSION and MAYHEM!

Or, you just wait to receive the full amount.

For privacy you would need a new private key every time anyways.

Correct.  Each new address comes with its own new private key.

But if you want privacy, BTC is not the right crypto.

Perhaps, but it's better than alternative forms of electronic representation of value (such as bank accounts).

I guess a company with good blockchain knowledge could try and create 1 private key per customer

Any company that doesn't understand that every address has a separate private key doesn't have good blockchain knowledge and shouldn't be managing their own cryptocurrency decisions.

issuing a different address on that key

Not possible.  Each private key has only one address.

for the average company/individual that is way too much overhead.

It's too much overhead for a company (or individual) to keep track of what addresses they give out for which payments?  Then they probably can't manage money at all.  They probably need to get someone else to manage their money for them.

So yes I do think address re-use should be fully supported.

You can think whatever you like.  It doesn't make it a good idea.

[leopard2]

No matter what you and Nullius say, the fact remains that in the real world, having a fixed address is an advantage from a usability perspective.

Examples: donation addresses, used by the thousands on webpages and signatures. Or exchanges, which use address locking as a security measure. Or address books in each and every client, which would be utterly useless and stupid if you were right.

I do not condone address re-use, but I believe a good crypto should be designed so that security is not compromised when doing it. This related to the technical issue OP is talking about.

Of course for privacy, address re-use is bad. But sometimes you do not need privacy (e.g. paying your phone bill). If you better privacy, use HD wallets which create new addresses automatically. If you want perfect privacy use Monero, Byteball or Spectrecoin - they offer private and public addresses.

But the people I know, real people in the real world, would prefer to send their recurring payments (phone, rent etc.) to the same address. Businesses call such numbers "billing accounts" and they don't change.

I simply oppose the idea of calling address re-use a user fault.

I believe every person has a right to re-use an address or not, it is not up to developers to decide that for them!

Flame me all you want, but don't you whine when idiots flock to (ewwww....) XRP or some other crap. 

[leopard2]

One thing, though.

It is really bad for privacy. In fact Nullius has a point about the long term thinking. I did re-use addresses in the past and regretted that later.

Every client should pop up a warning about it, to make it clear that this should be avoided unless you really need it for XYZ purpose.

Or is it still a bad idea, even then? I am willing to learn, you know...

[DannyHamilton]

No matter what you and Nullius say, the fact remains that in the real world, having a fixed address is an advantage from a usability perspective.

You are mistaken.

It can equally be true to say that "in the real world, having a fixed invoice number is an advantage from a usability perspective".

Sure its true that the customer doesn't need to keep track of which invoice number ot use when they pay you (since they always use the same one), but it doesn't fit it's purpose (identifying a payment) and is therefore a DISADVANTAGE.

Examples: donation addresses, used by the thousands on webpages and signatures.

A webpage can easily generate a new address everytime the page refreshes.

Earning money through signatures on a forum is a cancer. it is a perfect example of why you shouldn't be allowed to re-use an address, and why you should refuse to ever engage in any transaction with anyone that ever re-uses an address.

Or exchanges, which use address locking as a security measure.

Every well run exchange that I've ever used generates a brand new address for every deposit.

Or address books in each and every client, which would be utterly useless and stupid if you were right.

They are utterly useless and stupid.  I never use them.  I expect them to slowly fade away into the pages of history.

I do not condone address re-use,

I don't think that word means what you seem to think it means.

but I believe a good crypto should be designed so that security is not compromised when doing it.

It's a bad idea regardless.  It reduces privacy, and it is a bad practice.

Of course for privacy, address re-use is bad.

It's just a bad idea.  It's also bad for privacy, but it shouldn't be done regardless.

But sometimes you do not need privacy (e.g. paying your phone bill).

Privacy is always important. Even if you are paying your phone bill.  I shouldn't need to announce to the world the total value of bitcoins I have just because you want to pay your phone bill.

If you better privacy, use HD wallets which create new addresses automatically.

Correct.  New address for every transaction.

If you want perfect privacy use Monero, Byteball or Spectrecoin - they offer private and public addresses.

There's no such thing as "perfect privacy".  They offer arguably "better" privacy, but not perfect.

But the people I know, real people in the real world, would prefer to send their recurring payments (phone, rent etc.) to the same address.

If you are mailing a payment, you are welcome to re-use a mailing address.

If you are transfering USD (or other local currency) then you are welcome to re-use an account number.

Bitcoin addresses are not mailing addresses, and they are not account numbers. They are a way to identify who sent a payment, when they sent it, and wy they sent it.  In other words, they are an invoice number.

Businesses call such numbers "billing accounts" and they don't change.

Businesses do NOT call invoice numbers "billing accounts" and invoice numbers DO change.  You may have MANY invoices all associated with the same account, just like a business may have MANY bitcoin addresses all associated with your account.  They account identifier (account number) won't change, but the bitcoin address should (if they are doing it right).

I simply oppose the idea of calling address re-use a user fault.

Call it what you want.  That doesn't change the fact that they shouldn't do it, and they are at fault if they do.

I believe every person has a right to re-use an address or not,

That is currently true.  It is possible for users to do a LOT of things that they shouldn't do.  They can publish their private keys if they want.  They can re-use addresses if they want. They can send their bitcoins to random addresses if they want.

The fact that a user CAN do these things, or that they have the "right" to do these things doesn't make ANY of them a good idea.  They should be discouraged from all of these bad concepts.

it is not up to developers to decide that for them!

I'd be pretty happy if Bitcoin ever hard-forked to refuse to accept address re-use.  It's never going to happen, but I can dream.

Flame me all you want, but don't you whine when idiots flock to (ewwww....) XRP or some other crap. 

Idiots can go do whatever they like.  I'm here to help educate people that want to learn and that want to understand.

[leopard2]

But sometimes you do not need privacy (e.g. paying your phone bill).

Privacy is always important. Even if you are paying your phone bill.  I shouldn't need to announce to the world the total value of bitcoins I have just because you want to pay your phone bill.

What? Why would you pay your phone bill from your cold wallet?

But alright. I get your point. 

Perhaps we could leave it at that: a user could re-use addresses for situations where traceability is explicitly desired - but generally it should not be done.

I really wish someone like you would have told me all that shit when I was a newbie :-)

[DannyHamilton]

I really wish someone like you would have told me all that shit when I was a newbie :-)

Which is why I am so adamant about it when I get caught up in a conversation with someone that says something like:

I don't want to diss you but are you from another planet?

The invoice number? A Bitcoin address is more like a customer ID, which remains fixed!

The newbies need to understand just how important it is to use a new address for every transaction.  If I don't refute such statements, then many MORE newbies are going to be wishing later that someone had explained the importance of avoiding address re-use, and wishing they hadn't listened to the person that stated that an address should remain fixed.

Additionally, by voting with my dollars (refusing to do business with ANYONE that asks me to re-use an address to send to them), I make a difference in the marketplace helping (forcing) more merchants to learn the importance about protecting their customer's privacy.  Those that behave appropriately gain more business from me (and others like me) and are therefore more successful.  Those that don't behave appropriately suffer a lack of business from me (and others like me) and are therefore less successful until they learn.

[The Demon Slick]

So I have a miner pointed at nh, and I was planning on using the same adress for my new machine also, because otherwise they don't pay out often enough, and I don't trust sending it to thier online wallet. I'm getting it straight to btc core wallet. Minimum payout is .1 for external wallets. Then I move it to a cold wallet. Are you saying this is not a good way to go? Also, I know it's a little OT, but if I have the core wallet running, open to connections, usually 8 active.... am I running a node? Or do I have to do something else? I couldn't find the answer, I did look. Thanks.

[Destined2B_Rich]

If you have a public address and you reuse this address to send BTC from multiple times, my understanding is that your public address is more susceptible to being hacked (ie. easier for somebody to generate the private key from your public address).  From what I have read, if you send BTC from your public address and you keep any leftover coins in that public address, your public address is only protected by ECDSA.  I have also read that the more you reuse the same address to send BTC, the more your address is susceptible to being hacked.

So let's say I am using a public address.  I send a portion of my BTC from my public address to somebody else but the leftover BTC remains in my public address (doesn't Electrum keep your leftover BTC in the same address by default?).  I use this same public address to send BTC from over the next several weeks.  In total, I have sent from this address 4 or 5 times over several weeks.  Several weeks later, after I am done sending my BTC, I backup my wallet and my private key, uninstall Electrum and decide to let my leftover BTC sit there in my public address.

With today's technology, how long would it take to hack this public address?  Is this something I don't have to worry about for the next 10 years?  The next 5 years?  The next 1 year?

it is almost impossible for you to do it, unless you have a computing power more than the total half of all the computing power participating on a particular blockchain.