Miners: Time to deprioritise/filter address reuse!

[kuzetsa]

The current design for p2pool pays out as a trickle of multiple payouts across a 72 hour period to the same address...

This patch really seems to punish / rate limit anyone using p2pool since they will only be able to spend once every ten minutes for any transactions which had to tap into the freshly mined bitcoins (120+ confirm-blocks deep in bitcoin's blockchain)

[1714042623]

1714042623

[1714042623]

1714042623

[chriswilmer]

Yeah lets make things more complicated!! Who wants user-friendly bitcoins anyways...  

There are things in the works to make things easier, like the payment protocol and BIP32.
As I said, it would have been nice if these matured before we phased out address reuse, but it seems we don't have that kind of convenience.

Is it really THAT urgent? I figured the payment protocol was coming out within 6-12 months... and I doubt any coinvalidation thing is going to gain significant ground before then. What are your projections for how things would evolve in time?

[Unacceptable]

Soooo...I use the same receive addy for mining on Eligius & other pools,do I have to change that addy every say 2 hours or 2 days on every pool  

Or am I missing the point 

[gmaxwell]

This patch really seems to punish / rate limit anyone using p2pool since they will only be able to spend once every ten minutes for any transactions which had to tap into the freshly mined bitcoins (120+ confirm-blocks deep in bitcoin's blockchain)

What the wallet software should be doing is taking as many payments as possible to the same address and spending them at once, fixing that has been on my radar for some time.  Personally what I (as a p2pool miner) do these days is group up my p2pool inputs via manual coin control whenever I spend them.

In the future the p2pool share chain could include BIP32 extended public key in the shares and ~every block could be paid to a new address, though they'd be linked to any party that captured the sharechain.  But in general better coin selection in the wallet should handle it nicely.

[Luke-Jr]

Question: if one were to apply this patch to bitcoind that is being used by a local p2pool instance, what happens?

I guess it should work.... thinking it through.  Unpatched machines would be submitting shares including the re-used addresses, but patched machines would be submitting shares with unique output addresses only.  A block may be found by a patched or unpatched bitcoind, so the uniqueness would be enforced (or not) depending on the bitcoind instance of the miner that finds it.  So everyone just gets along.

Does that sound correct?

Yes, p2pool users can immediately make use of the patch like this.

[BurtW]

What the wallet software should be doing is taking as many payments as possible to the same address and spending them at once, fixing that has been on my radar for some time.  

Shouldn't this go first or at least be done somewhat concurrently with the proposal?

More importantly shouldn't the input selection algorithm on the wallets be changed to take this new mining behaviour into account and attempt to group inputs and select them in a way that minimizes the number of times a spend is delayed due to this change?

[BitThink]

One very common scenario is to use a bitcoin address as the identification. This may be used in faucets, mining pool, gambling sites, and maybe future block-chain based exchanges. If address reusing is discouraged, any alternative is suggested? To introduce another identity-> bitcoin address translation layer?

Maybe you mean outgoing only? An bitcoin can accept many incoming transactions, but it can send out coins only once? That's a little bit better, but still in many scenarios people are expecting coins are sent from the same address. Mastercoin is an example.

If people want to hide their trace, they can choose not to reuse addresses. If people don't care, why have to increase the difficulty for them? Why not just let the users to make the decision?
 

[Luke-Jr]

One very common scenario is to use a bitcoin address as the identification. This may be used in faucets, mining pool, gambling sites, and maybe future block-chain based exchanges. If address reusing is discouraged, any alternative is suggested? To introduce another identity-> bitcoin address translation layer?

Address-as-identity does not use the blockchain at all.

If people want to hide their trace, they can choose not to reuse addresses. If people don't care, why have to increase the difficulty for them? Why not just let the users to make the decision?

Reusing addresses doesn't merely hurt your own privacy. It hurts everyone's.
There are also security ramifications. And now adoption issues too.

[btc4ever]

Hmm.   I'm not sure it is rate limiting p2pool payments.   Can someone clarify?

I interpreted Luke's announcement to mean that the patch only enforces uniqueness (per block) for addresses that are being paid to.   afaik, p2pool only makes one payment to a given address per block, so should be unaffected.

Now I do sometimes consolidate p2pool generated transactions into larger ones by sending larger and larger amounts back to myself.  I have re-used the same address for this purpose so that usage would be affected, but that is already somewhat rate limited by the coin-freshness checks anyway, and also I could just use a unique address for each payment.

The current design for p2pool pays out as a trickle of multiple payouts across a 72 hour period to the same address...

This patch really seems to punish / rate limit anyone using p2pool since they will only be able to spend once every ten minutes for any transactions which had to tap into the freshly mined bitcoins (120+ confirm-blocks deep in bitcoin's blockchain)

[gmaxwell]

Shouldn't this go first or at least be done somewhat concurrently with the proposal?

Certainly before _all_ the hashrate does something like this. But so long as there is a substantial portion of hashrate not doing it the other behaviors will still continue.

Basically concurrently is the only option, because people who are _pro_ things like blacklists (and, yes, they do exist) are going to argue against privacy enhancing features,  and so with miners running this there is now a pragmatic non-privacy and non-anti-blacklisting reason to change behavior: Faster confirmations. There also needs to be some co-evolution, e.g. what reuse depriorizing schemes are easy to implement and what reuse avoidance schemes are easy to deploy.

[jgarzik]

The software ecosystem is missing a useful piece:

When you are receiving regular payouts, from a job salary or mining pool for example, there needs to be address rotation.

Right now, the only way to do that is manually logging into the payer's website, and replacing the current payout address with a new one.

Software should communicate with the payer, or give the payer a list of addresses, or an HD seed that may generate additional public keys, etc.

Address reuse in these circumstances is annoying, hurting privacy, but inevitable until software improves.

[BitThink]

One very common scenario is to use a bitcoin address as the identification. This may be used in faucets, mining pool, gambling sites, and maybe future block-chain based exchanges. If address reusing is discouraged, any alternative is suggested? To introduce another identity-> bitcoin address translation layer?

Address-as-identity does not use the blockchain at all.

If people want to hide their trace, they can choose not to reuse addresses. If people don't care, why have to increase the difficulty for them? Why not just let the users to make the decision?

Reusing addresses doesn't merely hurt your own privacy. It hurts everyone's.
There are also security ramifications. And now adoption issues too.

So you mean BTC is mainly adopted by people wants 100% privacy?  On the contrary, it's possible that the majority haven't adopt BTC just because of the anonymity. Most of people heard of BTC but haven't convinced to use them because they think the government will not allow such things to exist. The main objective of BTC foundation is not to increase its anonymity, but to explain to the authority that it's not as anonymous as they think. What you are doing, IMHO, is not helping the BTC but killing it.

For those who wants complete anonymity, they can go for some altcoins supporting it. In my opinion, BTC is supposed to be used by everyone and everywhere as mainstream currency. So please stop doing things like this to push the majority away just for the sake of niche market.

[kuzetsa]

Hmm.   I'm not sure it is rate limiting p2pool payments.   Can someone clarify?

---snip---

The current design for p2pool pays out as a trickle of multiple payouts across a 72 hour period to the same address...

This patch really seems to punish / rate limit anyone using p2pool since they will only be able to ///SPEND/// once every ten minutes for any transactions which had to tap into the freshly mined bitcoins (120+ confirm-blocks deep in bitcoin's blockchain)

To clarify the part which I just bolded:

I meant that this will act as rate limiting on the ///SPENDING/// of any new p2pool-generated funds as they come in

Not sure why you got the idea that I meant payouts.

[BurtW]

Hence my question/comment above:

More importantly shouldn't the input selection algorithm on the wallets be changed to take this new mining behaviour into account and attempt to group inputs and select them in a way that minimizes the number of times a spend is delayed due to this change?

But even these changes to the input selection algorithm will not help you if all of your income is from one source (one pool to your one payout address) and you go on a spending spree and try to make a lot of payments in a short period of time, all your inputs will have to come from your one income address - delaying your payments.

Not sure how big/widespread of a problem this would be.

[eleuthria]

The software ecosystem is missing a useful piece:

When you are receiving regular payouts, from a job salary or mining pool for example, there needs to be address rotation.

Right now, the only way to do that is manually logging into the payer's website, and replacing the current payout address with a new one.

Software should communicate with the payer, or give the payer a list of addresses, or an HD seed that may generate additional public keys, etc.

Address reuse in these circumstances is annoying, hurting privacy, but inevitable until software improves.

This is (basically) my argument at the moment against this.  In the case of BTC Guild, the *highest* level of security an account can have is locking the wallet address.  With this, you can not change it unless you digitally sign a message using the private key, confirming ownership.  Removing the lock is a manual process, nothing on the site is capable of removing the wallet lock once it's in place (even an SQL injection would not be able to do it due to lack of permissions).

Similarly, it discourages automatic payouts, since those would use the same address every time unless changed.  The last thing I want is automatic payouts adding hassle, considering they're the best way to encourage users to not use the pool as a bank.

The only fix on this I can see would be on my end adding some kind of "wallet queue" to accounts where they can pre-make a batch of wallets to use (maybe even using the BIP32 suggestions), but my limited knowledge of BIP32 leads me to believe this would still require manual entry on the user part.  If somebody else could generate the chain of public addresses to use, it seems like it wouldn't be very anonymous (they'd actually be able to follow all your transactions forever on that wallet-chain?).

[DeathAndTaxes]

The only fix on this I can see would be on my end adding some kind of "wallet queue" to accounts where they can pre-make a batch of wallets to use (maybe even using the BIP32 suggestions), but my limited knowledge of BIP32 leads me to believe this would still require manual entry on the user part.  If somebody else could generate the chain of public addresses to use, it seems like it wouldn't be very anonymous (they'd actually be able to follow all your transactions forever on that wallet-chain?).

BIP32 supports a hierarchy of pubkey seeds.   So a user can generate a pubkey seed ONLY FOR YOUR SITE and upload it.  Using that seed you can deterministically compute an infinite number of unique addresses in a sequence the user will expect.  

Wallet support isn't there yet which is the only negative of moving forward at this time but in theory that is how it would work in the future.  Your site would simply have user upload a seed for all their future pool payments.  You will be unable to deterimine any of the addresses in the user's wallet. You will always be able to generate a new address.  The same address never needs to be used twice.   For added security you could lock the pubkey seed the same way you now lock a single address.

[gmaxwell]

For those who wants complete anonymity, they can go for some altcoins supporting it. In my opinion, BTC is supposed to be used by everyone and everywhere as mainstream currency. So please stop doing things like this to push the majority away just for the sake of niche market.

I can't seem to find the link to your bank account records, mind posting them for us?

Luke is pretty much the last person you'd expect to give a crap about underground uses. But privacy is _not_ only a consideration for them, or even primarily for them: dope dealers—or whatever you want your bogeyman to be—can buy their way to privacy even in a system which is very non-private.

Financial privacy is an essential element to fungibility in Bitcoin: if you can meaningfully distinguish one coin from another, then their fungibility is weak. If our fungibility is too weak in practice, then we cannot be decentralized: if someone important announces a list of stolen coins they won't accept coins derived from, you must carefully check coins you accept against that list and return the ones that fail.  Everyone gets stuck checking blacklists issued by various authorities because in that world we'd all not like to get stuck with bad coins. This adds friction and transactional costs and makes Bitcoin less valuable as a money.

Financial privacy is an essential criteria for the efficient operation of a free market: if you run a business, you cannot effectively set prices if your suppliers and customers can see all your transactions against your will. You cannot compete effectively if your competition is tracking your sales.  Individually your informational leverage is lost in your private dealings if you don't have privacy over your accounts: if you pay your landlord in Bitcoin without enough privacy in place, your landlord will see when you've received a pay raise and can hit you up for more rent.

Financial privacy is essential for personal safety: if thieves can see your spending, income, and holdings, they can use that information to target and exploit you. Without privacy malicious parties have more ability to steal your identity, snatch your large purchases off your doorstep, or impersonate businesses you transact with towards you... they can tell exactly how much to try to scam you for.

Financial privacy is essential for human dignity: no one wants the snotty barista at the coffee shop or their nosy neighbors commenting on their income or spending habits. No one wants their baby-crazy in-laws asking why they're buying contraception (or sex toys). Your employer has no business knowing what church you donate to. Only in a perfectly enlightened discrimination free world where no one has undue authority over anyone else could we retain our dignity and make our lawful transactions freely without self-censorship if we don't have privacy.

Most importantly, financial privacy isn't incompatible with things like law enforcement or transparency. You can always keep records, be ordered (or volunteer) to provide them to whomever, have judges hold against your interest when you can't produce records (as is the case today).  None of this requires _globally_ visible public records.

Globally visible public records in finance are completely unheard-of. They are undesirable and arguably intolerable. The Bitcoin whitepaper made a promise of how we could get around the visibility of the ledger with pseudonymous addresses, but the ecosystem has broken that promise in a bunch of places and we ought to fix it. Bitcoin could have coded your name or IP address into every transaction. It didn't. The whitepaper even has a section on privacy. It's incorrect to say that Bitcoin isn't focused on privacy. Sufficient privacy is an essential prerequisite for a viable digital currency.

So, again, I ask—let's see your bank records; I'm sure there is an export to CSV.  Mtgox transaction dumps? Stock trading accounts. Let's see you—even just you—post all this before you presume to say that you think that's what the public wants forced on everyone.

[gmaxwell]

But even these changes to the input selection algorithm will not help you if all of your income is from one source (one pool to your one payout address) and you go on a spending spree

Sure they will, the first transaction will take all your coins from that source and they'll end up at a new, never used before, change address.

D&T answered Eleuthria exactly, the miner payout case was a major design consideration for me for BIP32. It can still be happily locked, and the users non-mining addresses can be unknown to the pool.. and yet every payment can be to a new address known only to the user and the pool. Basically everything you could want there except not being widely deployed. Yet. Isn't it good we've had this conversation now?

[dillpicklechips]

For those who wants complete anonymity, they can go for some altcoins supporting it. In my opinion, BTC is supposed to be used by everyone and everywhere as mainstream currency. So please stop doing things like this to push the majority away just for the sake of niche market.

I can't seem to find the link to your bank account records, mind posting them for us?

Luke is pretty much the last person you'd expect to give a crap about underground uses. But privacy is _not_ only a consideration for them, or even primarily for them: dope dealers—or whatever you want your bogeyman to be—can buy their way to privacy even in a system which is very non-private.

Financial privacy is an essential element to fungibility in Bitcoin: if you can meaningfully distinguish one coin from another, then their fungibility is weak. If our fungibility is too weak in practice, then we cannot be decentralized: if someone important announces a list of stolen coins they won't accept coins derived from, you must carefully check coins you accept against that list and return the ones that fail.  Everyone gets stuck checking blacklists issued by various authorities because in that world we'd all not like to get stuck with bad coins. This adds friction and transactional costs and makes Bitcoin less valuable as a money.

Financial privacy is an essential criteria for the efficient operation of a free market: if you run a business, you cannot effectively set prices if your suppliers and customers can see all your transactions against your will. You cannot compete effectively if your competition is tracking your sales.  Individually your informational leverage is lost in your private dealings if you don't have privacy over your accounts: if you pay your landlord in Bitcoin without enough privacy in place, your landlord will see when you've received a pay raise and can hit you up for more rent.

Financial privacy is essential for personal safety: if thieves can see your spending, income, and holdings, they can use that information to target and exploit you. Without privacy malicious parties have more ability to steal your identity, snatch your large purchases off your doorstep, or impersonate businesses you transact with towards you... they can tell exactly how much to try to scam you for.

Financial privacy is essential for human dignity: no one wants the snotty barista at the coffee shop or their nosy neighbors commenting on their income or spending habits. No one wants their baby-crazy in-laws asking why they're buying contraception (or sex toys). Your employer has no business what church you donate to. Only in a perfectly enlightened discrimination free world where no one has undue authority over anyone else could we retain our dignity and make our lawful transactions freely without self-censorship if we don't have privacy.

Most importantly, financial privacy isn't incompatible with things like law enforcement or transparency. You can always keep records, be ordered (or volunteer) to provide them to whomever, have judges hold against your interest when you can't produce records (as is the case today).  None of this requires _globally_ visible public records.

Globally visible public records in finance are completely unheard-of. They are undesirable and arguably intolerable. The Bitcoin whitepaper made a promise of how we could get around the visibility of the ledger with pseudonymous addresses, but the ecosystem has broken that promise in a bunch of places and we ought to fix it. Bitcoin could have coded your name or IP address into every transaction. It didn't. The whitepaper even has a section on privacy. It's incorrect to say that Bitcoin isn't focused on privacy. Sufficient privacy is an essential prerequisite for a viable digital currency.

So, again, I ask—let's see your bank records; I'm sure there is an export to CSV.  Mtgox transaction dumps? Stock trading accounts. Let's see you—even just you—post all this before you presume to say that you think that's what the public wants forced on everyone.

Awesome post! I truly hope the majority takes this view. I think I'll get too depressed about humanity if they don't.

[BitThink]

For those who wants complete anonymity, they can go for some altcoins supporting it. In my opinion, BTC is supposed to be used by everyone and everywhere as mainstream currency. So please stop doing things like this to push the majority away just for the sake of niche market.

I can't seem to find the link to your bank account records, mind posting them for us?

Luke is pretty much the last person you'd expect to give a crap about underground uses. But privacy is _not_ only a consideration for them, or even primarily for them: dope dealers—or whatever you want your bogeyman to be—can buy their way to privacy even in a system which is very non-private.

Financial privacy is an essential element to fungibility in Bitcoin: if you can meaningfully distinguish one coin from another, then their fungibility is weak. If our fungibility is too weak in practice, then we cannot be decentralized: if someone important announces a list of stolen coins they won't accept coins derived from, you must carefully check coins you accept against that list and return the ones that fail.  Everyone gets stuck checking blacklists issued by various authorities because in that world we'd all not like to get stuck with bad coins. This adds friction and transactional costs and makes Bitcoin less valuable as a money.

Financial privacy is an essential criteria for the efficient operation of a free market: if you run a business, you cannot effectively set prices if your suppliers and customers can see all your transactions against your will. You cannot compete effectively if your competition is tracking your sales.  Individually your informational leverage is lost in your private dealings if you don't have privacy over your accounts: if you pay your landlord in Bitcoin without enough privacy in place, your landlord will see when you've received a pay raise and can hit you up for more rent.

Financial privacy is essential for personal safety: if thieves can see your spending, income, and holdings, they can use that information to target and exploit you. Without privacy malicious parties have more ability to steal your identity, snatch your large purchases off your doorstep, or impersonate businesses you transact with towards you... they can tell exactly how much to try to scam you for.

Financial privacy is essential for human dignity: no one wants the snotty barista at the coffee shop or their nosy neighbors commenting on their income or spending habits. No one wants their baby-crazy in-laws asking why they're buying contraception (or sex toys). Your employer has no business what church you donate to. Only in a perfectly enlightened discrimination free world where no one has undue authority over anyone else could we retain our dignity and make our lawful transactions freely without self-censorship if we don't have privacy.

Most importantly, financial privacy isn't incompatible with things like law enforcement or transparency. You can always keep records, be ordered (or volunteer) to provide them to whomever, have judges hold against your interest when you can't produce records (as is the case today).  None of this requires _globally_ visible public records.

Globally visible public records in finance are completely unheard-of. They are undesirable and arguably intolerable. The Bitcoin whitepaper made a promise of how we could get around the visibility of the ledger with pseudonymous addresses, but the ecosystem has broken that promise in a bunch of places and we ought to fix it. Bitcoin could have coded your name or IP address into every transaction. It didn't. The whitepaper even has a section on privacy. It's incorrect to say that Bitcoin isn't focused on privacy. Sufficient privacy is an essential prerequisite for a viable digital currency.

So, again, I ask—let's see your bank records; I'm sure there is an export to CSV.  Mtgox transaction dumps? Stock trading accounts. Let's see you—even just you—post all this before you presume to say that you think that's what the public wants forced on everyone.

No one asks you to make your btc addresses public. You can keep it as secret as you will. You can always choose to generate one-time receiving address if you want. But is there any reason to stop others to use one address as their public address if they think they don't mind?

Bank records are actually open to banks and authorities. So if there's some need, allowed by the law, they can do the investigation. But it does not mean I have to make it open to you. It is a controlled anonymity. My information is a secret to the public, but can be investigated by the authority based on the law.

Complete anonymity, however, makes laundering money unable to be detected. Then the authority has no other choices but to suppress it. BTC will not dead, I believe, even under suppression, but it will stay where it is and never becomes mainstream in that situation.