Why/Is reusing BTC address (both for receiving and sending) harmful

[BitThink]

Could you provide a concrete example to explain why reusing addresses by A will affect B if B always carefully choosing address. and how both A and B never reusing addresses prevent it? I'm still not so clear about it.

A always reuses addresses. Blockchain.info uses this to display their name and IP address along with their transactions, everyone else they've ever transacted with knows who they are, anyone can identify who they are with a simple google search, etc. Because A reuses so often even if A sometimes doesn't reuse, the coins they receive inevitably get mixed up with the non-reused one. A is entirely public.

Now B is super careful and paranoid... and we're not even in a world where blacklisting or whitelisting prevents B from comfortably using his paranoid practices. He never reuses.  Someone is trying to figure out who B is because they want to defraud him.  Initially they are thwarted by B's pratices but then they see that B initially received his coins from A. Everyone knows who A is. Moreover, they see when they did so. From that alone they've learned a ton of information about B, beyond that they can now go ask A to tell them— they could coerce A, or just trick him, as we've already established that A is pretty happy go lucky and not very cautious.   Beyond that it isn't just A,  B also transacts with other people who are not hygienic and those all potentially leak information too.

This actually works in practice, too... A nice whitehat hacker on IRC was playing around with brainwallet cracking and hit a phrase with ~250 BTC in it.  We were able to identify the owner from just the address alone, because they'd been paid by a Bitcoin service that reused addresses and he was able to talk them into giving up the users contact information. He actually got the user on the phone, they were shocked and confused— but grateful to not be out their coin.  A happy ending there. (This isn't the only example of it, by far ... but its one of the more fun ones).

Uh. We've gone pretty far offtopic here, perhaps these posts should be split from this thread?

Actually I lost here:

Initially they are thwarted by B's pratices but then they see that B initially received his coins from A.

How can they know that transaction belongs to B?

[1714241320]

1714241320

[1714241320]

1714241320

[1714241320]

1714241320

[BitThink]

Could you provide a concrete example to explain why reusing addresses by A will affect B if B always carefully choosing address. and how both A and B never reusing addresses prevent it? I'm still not so clear about it.

Since the drawbacks are very apparent, IMHO you need a very clear explanation about the benefit and why the benefit is far more important than the drawbacks.

http://blockexplorer.com/address/1Lukejrwhew7sj4TvWCKksaVo7aLpedHDt

Follow the coins back ~12 hops to where they were generated, then follow forward where they were sent to "A". Easy to identify the recipient and owner. Backwards, not so much.

Now if B's next payment with the change from that transaction is to "free Tibet", buy "recreational substances", or pay a hitman to whack a business partner, association with the transaction A may reveal identity. When A is shared and reused, as in "this is the donation address for Eligius", any separate-channel information about someone making a donation to Eligius can be used with this known address to reveal a path to their money.

How do you know it's a change rather than another transaction to others? Why sending BTC to a donation address will disclose my identity and address? People all around the world send to well known address of 'just-dice' and never worry about their identity is disclosed.

[gmaxwell]

How can they know that transaction belongs to B?

Whatever made {B} interesting to them in the first place. Perhaps he was involved in an unusually high value transaction.  Perhaps {B} paid to a "Free tibet" honeypot or well known (reused) donation address and the attacker is the chinese government and now they want to identify B to send him to a reeducation camp.

and never worry about their identity is disclosed

People never worry about a lot of things, including some things they really should and some things they'll later greatly regret not worrying about.

[BitThink]

How can they know that transaction belongs to B?

Whatever made {B} interesting to them in the first place. Perhaps he was involved in an unusually high value transaction.  Perhaps {B} paid to a "Free tibet" honeypot or well known (reused) donation address and the attacker is the chinese government and now they want to identify B to send him to a reeducation camp.

and never worry about their identity is disclosed

People never worry about a lot of things, including some things they really should and some things they'll later greatly regret not worrying about.

But B never reuses address, so whatever interests others is not the same address used to transact with A. B use address 1 to donate to 'Free Tibet' or whatever, and B use address 2 to send to 'well known' A. Why do you know address 1 and address 2 both belong to B?

[deepceleron]

How can they know that transaction belongs to B?

Whatever made {B} interesting to them in the first place. Perhaps he was involved in an unusually high value transaction.  Perhaps {B} paid to a "Free tibet" honeypot or well known (reused) donation address and the attacker is the chinese government and now they want to identify B to send him to a reeducation camp.

and never worry about their identity is disclosed

People never worry about a lot of things, including some things they really should and some things they'll later greatly regret not worrying about.

But B never reuses address, so whatever interests others is not the same address used to transact with A. B use address 1 to donate to 'Free Tibet' or whatever, and B use address 2 to send to 'well known' A. Why do you know address 1 and address 2 both belong to B?

Address 1 may have separate fund sources in the same wallet as Address 2.

If payments from B are to known reused addresses, the change is easily identifiable as still under the control of the wallet owner.

When B-1-Change is combined with B-2-Change in a third transaction, those payments are associated and the transaction also identifiable as made by the wallet owner.

[BitThink]

How can they know that transaction belongs to B?

Whatever made {B} interesting to them in the first place. Perhaps he was involved in an unusually high value transaction.  Perhaps {B} paid to a "Free tibet" honeypot or well known (reused) donation address and the attacker is the chinese government and now they want to identify B to send him to a reeducation camp.

and never worry about their identity is disclosed

People never worry about a lot of things, including some things they really should and some things they'll later greatly regret not worrying about.

But B never reuses address, so whatever interests others is not the same address used to transact with A. B use address 1 to donate to 'Free Tibet' or whatever, and B use address 2 to send to 'well known' A. Why do you know address 1 and address 2 both belong to B?

Address 1 may have separate fund sources in the same wallet as Address 2.

If payments from B are to known reused addresses, the change is easily identifiable.

When B-1-Change is combined with B-2-Change in a third transaction, those payments are associated.

So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

[Akka]

So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.

[Barek]

There is also a security reason why you should not send twice from the same address.

Once you create a transaction, the public key for the sending address is revealed (before there is only the hash). This gives an adversary more information for an attack.

A specific example where this was exploited is the Android RNG issue. Signing with the same private key multiple times allowed attackers to calculate the private key.

[BitThink]

So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.

Unless what you send exactly equals to what you received before, otherwise there's a change and the change needs to be sent to a change address in the same transaction. So if you see a transaction S -> A and S -> S2, you know it's highly likely S and S2 belongs to the same wallet. As a result, your address S is associated with the change address S2, but not so closely because you can still claim (arguably weakly) that you are sending to two different people simultaneously and happens to used up all the unspent amount of S.

Then let's say you have change address A, and change Address B, they all have 0.5 BTC and you want to send to user U 1 BTC, then this time you will see A -> U 0.5 and B -> U 0.5. This makes a strong association between A and B and every one knows A and B belongs to the same wallet.

Therefore, it is easy to associate the addresses in the same wallet by analysing the block chain.

[Barek]

How do you tell which of the two outputs was the change and which the payment?

With each transaction you have a 50% chance to follow the wrong path.

[Akka]

So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.

Unless what you send exactly equals to what you received before, otherwise there's a change and the change needs to be sent to a change address in the same transaction. So if you see a transaction S -> A and S -> S2, you know it's highly likely S and S2 belongs to the same wallet. As a result, your address S is associated with the change address S2, but not so closely because you can still claim (arguably weakly) that you are sending to two different people simultaneously and happens to used up all the unspent amount of S.

Then let's say you have change address A, and change Address B, they all have 0.5 BTC and you want to send to user U 1 BTC, then this time you will see A -> U 0.5 and B -> U 0.5. This makes a strong association between A and B and every one knows A and B belongs to the same wallet.

Therefore, it is easy to associate the addresses in the same wallet by analysing the block chain.

If you don't reuse the address S. It will never have an unspent output after this transaction again. If you use every address only once. S will receive exactly 1 Transaction and never again a second one. Therefore there will never be more than one change address for ever address. And it's impossible to tell which address is the change address and which one is the reviving address.

Changing Wallets here makes absolutely 0 difference. That was the point.

[BitThink]

How about the combining case?
If we see B -> E
             C ->

Then B, C are associated right?

[Rupture]

Even if it is risky, I'm to lazy to make new addresses

[BitThink]

How do you tell which of the two outputs was the change and which the payment?

With each transaction you have a 50% chance to follow the wrong path.

Good point, but sometimes by looking at the amount you can know better than 50% chance.

[BitThink]

Even if it is risky, I'm to lazy to make new addresses

If you are using clients other than MultiBit, (e.g. the Qt version and Amony), most likely the client is creating a new change address whenever you send out BTC.

[Akka]

How about the combining case?
If we see B -> E
             C ->

Then B, C are associated right?

Still a new Wallet makes no sense, unless you abandon all BTC in the old Wallet.

And yes, 2 outputs combinated are likely to be from one person, but there is still no guarantee.

See: https://bitcointalk.org/index.php?topic=139581.0

Edit: Typo

[BitThink]

Ok. That's interesting. Thanks for sharing.

Then I am more convinced that if a careful person always use address only once, no need to worry about the other part has a well known address. It's very difficult to link the address he uses this time with all other addresses he owns.

[deepceleron]

So that means addresses in a wallet is very easy to be associated. Then not-reusing address is not enough, and we have to generate a new wallet for each transaction?

Even if people all generate new address for each transaction, since the addresses in one wallet is easy to be found associated, their addresses are still can be classified into one big 'address family'. So there may be no 'well known address', but 'well know address family'. Did I make any mistake here? If this is true, why the trouble?

No, if you use each Address only once, it will be completely empty after you send BTC from that address the first time and will never be used for any transaction again. There would be no difference in creating a new Wallet.

The client takes care that Change addresses are only used once, the only thing you have to do is to use addresses for reviving transactions only once.

If you only revive at B one time, there never will be a B-2 Change.

Unless what you send exactly equals to what you received before, otherwise there's a change and the change needs to be sent to a change address in the same transaction. So if you see a transaction S -> A and S -> S2, you know it's highly likely S and S2 belongs to the same wallet. As a result, your address S is associated with the change address S2, but not so closely because you can still claim (arguably weakly) that you are sending to two different people simultaneously and happens to used up all the unspent amount of S.

Then let's say you have change address A, and change Address B, they all have 0.5 BTC and you want to send to user U 1 BTC, then this time you will see A -> U 0.5 and B -> U 0.5. This makes a strong association between A and B and every one knows A and B belongs to the same wallet.

Therefore, it is easy to associate the addresses in the same wallet by analysing the block chain.

If you don't reuse the address S. It will never have an unspent output after this transaction again. If you use every address only once. S will receive exactly 1 Transaction and never again a second one. Therefore there will never be more than one change address for ever address. And it's impossible to tell which address is the change address and which one is the reviving address.

Changing Wallets here makes absolutely 0 difference. That was the point.

What you are missing here is that a wallet may contain many unspent txouts from receiving many payments from different sources before there is any need to purchase something with the wallet.

Lets say I sell alpaca socks out of a truck down by the river. I would be receiving many 0.10 BTC payments from different individuals to different addresses, suppose for a total of 20 .1 BTC payments in my wallet.

Now, I donate 0.95 BTC to a known-address donation site and say to everybody "hey, I just donated!". There will be a 0.05 change back to my wallet, that is now considered "tainted" - based on my declaration of donation, or the site owner saying "thanks for donating, deepceleron", it has become simple to figure out my donation AND determine which is the change back to me that is still in my wallet.

So I've got 1.00 BTC of sock-selling money that 10 sock buyers know the address of, and 0.05 that anybody interested can know about.

I then send the entire contents of my wallet to a man-boy snowden tibet love honey pot that is supposed to be anonymous, but is monitored or busted by a government. Even with this site using one-time addresses, the previous use of a reused address has compromised my identity and made my payment have little plausible deniability, due to my control of the change. The "change" could have been a multi-send to a third party, and the third party may have made the illicit payment, but LE will not care to investigate so much when they need doors to kick in.

[indianplayers]

Someone can't trace your transactions on blockchain??

[DannyHamilton]

Someone can't trace your transactions on blockchain??

Yes.