Does the constant generation of bitcoin addresses clutter the blockchain?

[Minsc]

Back in Spring 2010, websites used to recycle receiving addresses.  Now, at least MtGox, will generate a new one each time you receive donations.  On the client there is no way to delete or unmake a receiving address and MtGox says old ones still work.  And a lot of commerce bitcoin sites generate new addresses each time and that's what people do now.

Doesn't each new address used or not then clutter the blockchain?

[1713267001]

1713267001

[1713267001]

1713267001

[1713267001]

1713267001

[nibor]

In a word no.
Blockchain would be the same size no matter what address you used, new or old.

Intention of Bitcoin was that you used lots of different address to create a sense of anonymity even though the chain is public.

So I think we should encourage use of lots of addresses rather than discourage.

Only issue is that the client has to manage more private keys, and the interface at the moment is not great at doing that. (e.g. you can not see the address that are used for the "Change").

[etotheipi]

I echo the same thing as the others : there is no space savings in the blockchain if you recycle addresses.

But I wanted to add some useless information, because I just did a unique address scan of the blockchain in response to someone's request on another post.

As of around block 140,000, there are:
2,504,000 addresses referenced in the blockchain
1,510,000 unique addresses in the blockchain

[dustintrammell]

Intention of Bitcoin was that you used lots of different address to create a sense of anonymity even though the chain is public.

So I think we should encourage use of lots of addresses rather than discourage.

I believe that whether or not you use new addresses for any particular transaction should be a personal choice and you shouldn't try to encourage or discourage others from doing either.  Some of us do not care at all about the pseudo-anonymity of Bitcoin.  Some of us do.

[etotheipi]

I believe that whether or not you use new addresses for any particular transaction should be a personal choice and you shouldn't try to encourage or discourage others from doing either.  Some of us do not care at all about the pseudo-anonymity of Bitcoin.  Some of us do.

I agree that users should make their own decisions on this matter, but they should also be made aware that each of their transactions is globally public information.  If you use the same address for everything, then anyone you ever give that address to can see every transaction you've ever made.  This is like someone being able to access all emails you've ever written just by giving them your email address.  I think most users who realize this would prefer the new-address-every-transaction.

Since the blockchain does not benefit from recycling addresses, users should not be afraid to generate new addresses if they favor any degree of anonymity.

[2112]

I believe that whether or not you use new addresses for any particular transaction should be a personal choice and you shouldn't try to encourage or discourage others from doing either.  Some of us do not care at all about the pseudo-anonymity of Bitcoin.  Some of us do.

This is a weak and not well thought out statement. Reuse of addresses could make it easier to attack the elliptic curve crytography that underpins the security of particular bitcoins.

So the choice isn't just privacy vs. no privacy. The additional influential factor is: Do we believe that the reuse of the points on the elliptic curve weakens the resistance against the possible cryptological attack on private keys?

I mean at one time WEP was considered "Wired-Equivalent Privacy" wiith no hint of sarcasm. Are you willing to make the same statements about ECC?

[Minsc]

Why can't the bitcoin software delete old bitcoin addresses?  Old versions and the current could not delete them.

[bitrick]

This is a weak and not well thought out statement. Reuse of addresses could make it easier to attack the elliptic curve crytography that underpins the security of particular bitcoins.

Was that first period meant to be a colon?

[etotheipi]

This is a weak and not well thought out statement.  Reuse of addresses could make it easier to attack the elliptic curve crytography that underpins the security of particular bitcoins.

This is not a well-researched statement.  There is no reduction in security of ECDSA by using the same key on multiple signatures.   If there was, then no one would use ECDSA, as most other applications for it cannot accommodate new keys for every exchange.

The only known weakness of ECDSA in this regard is if the same random number is used in the signature algorithm on two different signed messages.  Of course, with 2^256 possible random numbers to apply here, it just doesn't happen.  As such, ECDSA is an extraordinarily secure signature algorithm, proven to be as difficult as the elliptic curve discrete logarithm problem.  The only thing that will compromise ECDSA (or any other asymmetric encryption such as RSA) is going to be quantum computers or an extraordinary breakthrough in mathematics.  Luckily, there are potentially decades between now and when QCs will be good enough to hack 256-bit ECDSA.  A breakthrough in mathematics that solves the discrete logarithm problem is going to break all internet security not just bitcoin.

BTW, WEP was a joke.  The creators can name it whatever they want, it doesn't mean that the community of informed people actually believed it.  I studied WEP in my cryptography class, and there are half a dozen security holes clear as day if you know what you're looking for.  It is an insult to cryptographers/mathematicians to, in any way, compare WEP to elliptic curve cryptography.  

[2112]

This is not a well-researched statement.  There is no reduction in security of ECDSA by using the same key on multiple signatures.   If there was, then no one would use ECDSA, as most other applications for it cannot accommodate new keys for every exchange.
[...]
It is an insult to cryptographers/mathematicians to, in any way, compare WEP to elliptic curve cryptography.  

I fully agree with you that ECDSA is mathematically sound. And comparing it to WEP was an insult.

But I will disagree with you from the standpoint of implementation engineering. In my career I was involved in several fracas where a mathematically sound idea got corrupted by the cargo-cult style of its implementation in software or hardware. Side-channels are hard to detect, and the way the current Satoshi bitcoin client development is progressing, I will probably be willing to bet a small sum on an interesting crypto-snafu that's going to happen in some of its branches.

The above isn't a mathematical theorem, it is my hunch based on past experience with implementations of patented cryptographic methods. I have signed at least two NDAs related to the above, as of now I don't remember if they had already expired.

[kjj]

This is not a well-researched statement.  There is no reduction in security of ECDSA by using the same key on multiple signatures.   If there was, then no one would use ECDSA, as most other applications for it cannot accommodate new keys for every exchange.
[...]
It is an insult to cryptographers/mathematicians to, in any way, compare WEP to elliptic curve cryptography.  

I fully agree with you that ECDSA is mathematically sound. And comparing it to WEP was an insult.

But I will disagree with you from the standpoint of implementation engineering. In my career I was involved in several fracas where a mathematically sound idea got corrupted by the cargo-cult style of its implementation in software or hardware. Side-channels are hard to detect, and the way the current Satoshi bitcoin client development is progressing, I will probably be willing to bet a small sum on an interesting crypto-snafu that's going to happen in some of its branches.

The above isn't a mathematical theorem, it is my hunch based on past experience with implementations of patented cryptographic methods. I have signed at least two NDAs related to the above, as of now I don't remember if they had already expired.

I've had this exact same debate on these forums already.  2112 is right about the keys.

We are, ahem, sure that ECDSA has no weaknesses against private key reuse.  But it is also a bad idea to reuse private keys, just because.  It is just a tiny little bit bad of an idea.  It is incredibly unlikely to ever be a problem.  But throughout history, cryptographic system breaches in the real world have always been facilitated by key reuse.

People should be free to do whatever they want, but they should understand that reusing keys results in a slight decrease in overall security.  The decrease might be infinitesimal, and it probably is, but it is still a decrease.

[etotheipi]

First, I wanted to make sure that there was a differentiation between WEP and ECC, as WEP was a joke of a security protocol, and ECC is blessed by the NSA in Crypto Suite B.  The two protocols are in different galaxies.  A crypto-algorithm needs to be rock-f***ing-solid to get NIST and NSA approval (barring all conspiracy theories). 

Second, I recognize that there could be implementation issues with ECDSA in BTC that makes it less than 100.0000% of the theoretical security.  But the kinds of side-channel attacks in this environment are extremely limited.  Messages are signed on demand and the inputs to the signings are very specific, limiting plaintext injection attacks.   The number of messages ever signed by a single key would be so low and spread out, that timing attacks would never get enough samples to be useful.  Most other attacks would have to have a level of access to the computer that is already game-over for the regular user.   I would argue that the biggest risk would probably be the random number generator. 

Third, I would argue that the security decrease of a perfectly-implemented ECC protocol using the same key for two messages is so negligible, it should have no bearing on one's decision to recycle keys.  Bitcoin isn't the only system in the world that uses ECDSA, and most other systems don't get the luxury of changing their keys after every exchange.  In fact, using ECDSA for authentication isn't very useful if you have to send a new public key every time, as you would open yourself up to MITM attacks -- you want to send and thoroughly verify public keys once, and then use those as your identity going forward.  It is for this purpose that the NSA/NIST has blessed ECDSA, and probably one of the reasons the algorithm was chosen for BTC (not for recycling keys, but because it's so respected).

I'm interested to hear of feasible side-channel attacks I neglected to consider, but I'm not convinced that there is a tangible threat.  People with millions of dollars in BTC might be motivated to use new keys every time because it's good practice, but it's misleading to suggest that somehow the average user is compromising their own security by recycling keys.

[2112]

I'm interested to hear of feasible side-channel attacks I neglected to consider,

Non-random random number generator.

[ArtForz]

I'm interested to hear of feasible side-channel attacks I neglected to consider,

Non-random random number generator.

Iirc the current implementation uses openssls default crypto RNG, so should be decently secure unless a debian maintainer comes by. *ducks*

[Minsc]

What would happen if someone goes and constantly generates new addresses as some kind of attack on the network?  Would they eventually usurp most possible network addresses or get some other person's address and potentially usurp their payments?

[Gavin Andresen]

What would happen if someone goes and constantly generates new addresses as some kind of attack on the network?  Would they eventually usurp most possible network addresses or get some other person's address and potentially usurp their payments?

No.

There are 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 possible bitcoin addresses.

If your calculator can handle numbers that big, you can play around with how long it would take to try generate one quadrillionth of them if you could generate a trillion per second.

(I get an answer of a bit over 46 trillion years)

[2112]

Sorry for the belated post.

Iirc the current implementation uses openssls default crypto RNG, so should be decently secure unless a debian maintainer comes by. *ducks*

ArtForz certainly has a sick & twisted sense of humor, in the superlative sense of those words. If there are any readers for whom the joke was too insidery, here's the link to the explanation:

http://digitaloffense.net/tools/debian-openssl/

[2112]

Oh, and one more belated post. The quote is about the "forum" users but it is unfortunately applicable to many of the wider group of "bitcoin users and developers". The quote is somewhat inflamatory and offensive, but the offense is aimed at those, who won't believe that sticking finngers into a fire will hurt until they try it themselves.

https://bitcointalk.org/index.php?topic=43858.msg523997#msg523997

I have to believe that one or more of the following three things are true: 1) these people are paid to be here, 2) Bitcoin threatens their very manner of existence in some way, or 3) these people operate with a totally different set of values than the rest of us.

You missed one...

4) Some people who were interested in Bitcoin have seen it attract crowds of gullible fucking lunatics who queue up to be scammed again and again and again. They tried pointing out the stupidity, wishful thinking and maybe even predicted some of the incessant chain of cluster-fucks that more-or-less defines the "bitcoin ecosystem". About the only thing left to do is try and get a laugh out of it.