PrimeNumber7
Copper Member
Legendary
Offline
Activity: 1666
Merit: 1901
Amazon Prime Member #7
May 10, 2020, 10:21:08 PM
You have to trust software to spend your coin when you spend it. Risk and trust can never be zero, but it is all about reducing your risk to a minimum. You need to weigh the risk against the cost of mitigating the risk. Creating a 7 of 7 multi-sig private key should be less risky than creating a private key that requires one signature to spend coin (assuming you can easily replicate the procedure to keep each private key secure). At a minimum, this would increase the time it takes you to sign transactions and would increase the cost you pay to get each transaction confirmed. You could further reduce your risk by storing each of the 7 private keys in different countries, each located on a different continent; assuming you are acting as an individual, it would cost you thousands of dollars each time you want to spend coin because you would have to travel to 7 different countries to do so.

> Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins. If it signs a transaction to the wrong address, for example, I can easily pick that up before moving the transaction to my live computer to be broadcast.

This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information. In a simplistic example, the k value could be 20 digits; the malicious software could always use a value of xxxxxxxxxxxxxx[13 digits that are known to the author of the malicious software]yy[the index of a list]zzzzz[the actual message]. The x values would be one of a set of known values, allowing the attacker to easily filter possible k values. The y values would be the index in a list, with the entire list being the entire message, such as your seed.

I just generated a seed: [concert, eyebrow, peasant, exile, fold, gather, sense, drastic, twice, clip, orchard, defy]. The y and z values could be 02peasa, corresponding to index 2 of the above list and the first 5 digits of the seed word. After this happens many times, the attacker would have enough information to easily brute force your entire seed. Or malicious software could simply use a k value known to the attacker; the attacker could check all unconfirmed transactions for that k value and create a double-spend transaction with a high transaction fee before your transaction is confirmed.
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
May 10, 2020, 11:45:39 PM
> Creating a 7 of 7 multi-sig private key should be less risky than creating a private key that requires one signature to spend coin (assuming you can easily replicate the procedure to keep each private key secure).

I mean, sure, but that is completely irrelevant to what we are discussing here. Paper wallets which are generated via flipping a coin and paper wallets which are generated via third party code/software will be exactly as easy or difficult to spend from as each other, and exactly as secure or not to spend from as each other, depending on how and where you opt to import the seed/private key. Generating entropy by hand decreases your risk from malicious or flawed code generating non-random entropy. It is irrelevant to the spending process.

> This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.

Perhaps I didn't explain myself clearly. My point wasn't "There is no method by which it could leak information", but rather "There is no method by which it could leak information that I can't detect before I choose to broadcast my transaction". If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values. The amount of trust you need to place in an airgapped wallet is much lower than the trust you place in any "live" software or mobile wallet, which could steal all your coins immediately upon you importing your seed phrase.
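
The R-value comparison o_e_l_e_o describes, and the reason PrimeNumber7's concern about the k value matters at all, can both be shown concretely. The block below is an added example, not code from this thread or from Electrum: it implements secp256k1 ECDSA with the RFC 6979 deterministic nonce in pure Python, an `audit_signer` helper (name and design are mine) that signs the same messages several times and compares the r values, so a deterministic signer passes and a signer that draws k at random fails, and `key_from_known_nonce`, which shows that one signature plus a known k yields the private key, which is why the nonce source has to be trusted. The sample key and messages are constructed values.

```python
import hashlib
import hmac
import random

# secp256k1 parameters (public curve constants)
P = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)

def point_add(p, q):
    """Affine addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, p):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, p)
        p = point_add(p, p)
        k >>= 1
    return acc

def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def rfc6979_nonce(d, z):
    """Deterministic k (RFC 6979 with HMAC-SHA256), the scheme Electrum adopted in 1.9."""
    x, h1 = d.to_bytes(32, "big"), (z % N).to_bytes(32, "big")
    v, k = b"\x01" * 32, b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + x + h1, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    k = hmac.new(k, v + b"\x01" + x + h1, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    while True:
        v = hmac.new(k, v, hashlib.sha256).digest()
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:
            return cand
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(k, v, hashlib.sha256).digest()

def sign_with_nonce(d, msg, k):
    """Textbook ECDSA: r = (k*G).x mod n, s = k^-1 * (z + r*d) mod n."""
    z = msg_hash(msg)
    r = point_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def sign_deterministic(d, msg):
    return sign_with_nonce(d, msg, rfc6979_nonce(d, msg_hash(msg)))

def sign_random_k(d, msg, rng=random.SystemRandom()):
    """A signer that draws k fresh each time (what a pre-RFC 6979 wallet does)."""
    return sign_with_nonce(d, msg, rng.randrange(1, N))

def verify(pub, msg, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(point_mul(msg_hash(msg) * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def audit_signer(signer, msgs, trials=3):
    """The R-value comparison from the thread: a deterministic signer must return
    the same r every time for the same message, and a different r for each
    different message. Anything else means k is random or being reused."""
    r_by_msg = {}
    for m in msgs:
        seen = {signer(m)[0] for _ in range(trials)}
        if len(seen) != 1:
            return False
        r_by_msg[m] = seen.pop()
    return len(set(r_by_msg.values())) == len(msgs)

def key_from_known_nonce(sig, msg, k):
    """Why k must be trustworthy: with k known, d = (s*k - z) * r^-1 mod n."""
    r, s = sig
    return (s * k - msg_hash(msg)) * pow(r, -1, N) % N

# Constructed sample key and messages (not real wallet material).
SAMPLE_D = 0x1E99423A_4ED27608_A15A2616_A2B0E9E5_2CED330A_C530EDCC_32C8FFC6_A526AEDD
SAMPLE_PUB = point_mul(SAMPLE_D, G)
SAMPLE_MSGS = [b"tx-1", b"tx-2", b"tx-3"]
```

Calling `audit_signer(lambda m: sign_deterministic(SAMPLE_D, m), SAMPLE_MSGS)` returns True, while the same audit of `sign_random_k` returns False because the r values change between signings of one message. The audit only detects non-deterministic or reused k; it cannot distinguish a correct RFC 6979 implementation from a deterministic but attacker-chosen derivation, which is the case PrimeNumber7 raises and why reviewing the nonce code itself, or comparing signatures from independent implementations, remains the stronger check.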
LoyceV
Legendary
Offline
Activity: 3486
Merit: 17650
Thick-Skinned Gang Leader and Golden Feather 2021
May 11, 2020, 02:21:27 PM
> You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.

> You have to trust software to spend your coin when you spend it. When you sign a message or transaction, you combine what should be a random value with your private key to generate the signature. If you know one, it is trivial to calculate the other with a given signature. Malicious software could possibly leak information via this random value.

That can't be a problem as long as you use the address only once, right? Whenever I sign a message offline, I use different software to decode the raw transaction and see if it still does what I want. I've never seen a problem there, but it doesn't hurt to be sure.

> Creating a key "by hand" also has a greater potential to make mistakes.

If only the random part is done "by hand" and the key is generated by software, I don't expect mistakes. But I'd want to make sure the same private key is generated with at least 2 different pieces of software (I imagine malicious software can produce a private key that's not based on your random input). And just in case, after creating the paper wallet and before funding it, I'd reboot a fresh offline LIVE OS to test if the private key still produces the same address, again using different software.

> The scope of possible attacks is also greater when using a paper wallet than using an encrypted wallet.

So encrypt the paper wallet.

> Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins. If it signs a transaction to the wrong address, for example, I can easily pick that up before moving the transaction to my live computer to be broadcast.

> This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.

I've seen the scenario before, and you're right. I've consolidated a paper wallet before, sending the funds back to the same wallet.

> If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values.

Have you ever checked this much before broadcasting a transaction?
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
May 11, 2020, 05:12:36 PM
> That can't be a problem as long as you use the address only once, right?

It could also be a problem if you have exposed your master public key to anyone. The combination of knowing a master public key and one of the child private keys allows you to derive all the other child private keys.

> Have you ever checked this much before broadcasting a transaction?

Once or twice, but mostly as a learning exercise for myself rather than any genuine concern that the software I am using is using a non-random k value. However, I generally use Electrum as my interface for accessing paper wallets or other cold storage, which has used RFC 6979 for generating k values since version 1.9, so this isn't an attack vector I am particularly concerned about.
bob123
Legendary
Offline
Activity: 1624
Merit: 2481
May 11, 2020, 06:43:30 PM
> Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins.

Technically, this isn't completely true. There are quite a few papers about how to exfiltrate data from air-gapped computers. Those techniques are highly sophisticated and the chances of it happening to you are close to zero. But some would include:

- AirHopper: Malware to encode data into FM signals transmitted from a screen cable. This signal can be received by any smartphone with an FM receiver.
- PowerHammer: Exfiltration via powerline. With probes on the computer and the power control box, malware on the air-gapped computer can increase/decrease the CPU load by doing useless (but resource-heavy) calculations to transmit data via the power line.
- Another option requires a camera to be installed close to the computer: using the hard disk LEDs to transmit data.

Those are not just theories; they have been proven to work. There are a few more extremely fascinating (and highly unlikely) attacks which could extract data from such an air-gapped setup. Quite a few papers have been published which cover exactly that: exfiltrating data from air-gapped computers. They are quite exciting to read. It is obvious that no typical crypto holder will face such an attack, although it's interesting to know which techniques exist.
royalfestus
May 11, 2020, 06:52:40 PM
Is it by chance possible to change the private key to that address?
bob123
Legendary
Offline
Activity: 1624
Merit: 2481
May 11, 2020, 07:06:57 PM
> Is it by chance possible to change the private key to that address?

No. The address is basically the hash of the public key. And the public key is derived from the private key.
bitmover
Legendary
Offline
Activity: 2478
Merit: 6316
bitcoindata.science
May 11, 2020, 07:18:16 PM
> Flip a coin 11 times, turn the resulting number in to a BIP39 word from the word list. Repeat 22 more times.

This guy shows in this video how to do it. Very interesting, and if you want to do it, it is worth checking out: https://www.youtube.com/watch?v=ieHoQ4sGuEY
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
May 11, 2020, 08:49:41 PM
> -snip-

To be fair, if an attacker is able to install probes on my power supply or a camera in my house, I've got far bigger problems than the safety of my cold storage.

> This guy shows in this video how to do it

It's a nice video, but he is only generating a single private key and not an entire seed phrase, which is far more straightforward. Once you've flipped a coin 256 times, all you have to do is convert the result to Base58Check and you've got yourself a private key. You don't need to worry about word lists or checksums as you would if you were generating a seed phrase.
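
What "convert the result to Base58Check" involves for a single key, as an added example that is not code from the thread or from the video: 256 coin flips become a 256-bit integer, the integer is checked against the secp256k1 group order (a result of 0 or at or above n is unusable and must be re-flipped; the chance is about 2^-128 but the check costs nothing), and the key is wrapped in mainnet Wallet Import Format, which is Base58Check over `0x80 || key || optional 0x01`. The decoder re-verifies the checksum, which is the sort of independent second-software check LoyceV describes above. `SAMPLE_FLIPS` is constructed from a widely published example private key so the output can be compared against a known WIF string; the function names are mine.

```python
import hashlib

# secp256k1 group order: a usable private key is an integer in [1, N - 1]
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload):
    """Append the 4-byte double-SHA256 checksum, then base58 (each leading 0x00 -> '1')."""
    data = payload + double_sha256(payload)[:4]
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def base58check_decode(text):
    """Inverse of base58check_encode; raises if the checksum does not match."""
    num = 0
    for ch in text:
        num = num * 58 + B58_ALPHABET.index(ch)
    leading_ones = len(text) - len(text.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    data = b"\x00" * leading_ones + body
    payload, checksum = data[:-4], data[-4:]
    if double_sha256(payload)[:4] != checksum:
        raise ValueError("Base58Check checksum mismatch")
    return payload


def flips_to_private_key(flips):
    """256 coin flips ('H' = 1, 'T' = 0) -> private key integer, with the range check."""
    if len(flips) != 256 or set(flips) - {"H", "T"}:
        raise ValueError("need exactly 256 flips of H or T")
    d = int("".join("1" if f == "H" else "0" for f in flips), 2)
    if not 1 <= d < N:
        # Vanishingly rare, but a value outside [1, N-1] is not a valid key: flip again.
        raise ValueError("result outside the valid secp256k1 key range; flip again")
    return d


def private_key_to_wif(d, compressed=True):
    """Mainnet WIF: 0x80 || 32-byte key || (0x01 if a compressed public key is intended)."""
    if not 1 <= d < N:
        raise ValueError("private key out of range")
    payload = b"\x80" + d.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    return base58check_encode(payload)


def wif_to_private_key(wif):
    """Decode a mainnet WIF to (key integer, compressed flag), verifying the checksum."""
    payload = base58check_decode(wif)
    if payload[0] != 0x80 or len(payload) not in (33, 34):
        raise ValueError("not a mainnet WIF private key")
    if len(payload) == 34 and payload[33] != 0x01:
        raise ValueError("bad compression flag")
    return int.from_bytes(payload[1:33], "big"), len(payload) == 34


# Constructed sample: the flip sequence that encodes a widely published example key.
EXAMPLE_KEY = 0x0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D
SAMPLE_FLIPS = "".join("H" if b == "1" else "T" for b in format(EXAMPLE_KEY, "0256b"))

if __name__ == "__main__":
    d = flips_to_private_key(SAMPLE_FLIPS)
    print(private_key_to_wif(d, compressed=False))
    print(private_key_to_wif(d))
```

The uncompressed WIF for the example key is `5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ`; feeding that string to a second, independent decoder and getting the same 32 bytes back is the kind of cross-check the thread recommends before funding an address.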
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
May 12, 2020, 02:09:06 AM
> Flip a coin 11 times, turn the resulting number in to a BIP39 word from the word list. Repeat 22 more times. Flip a coin 3 times, calculate the checksum using a permanently airgapped computer, pick the last word. Write down on paper, import in to a wallet or iancoleman on your permanently airgapped computer to generate a receiving address (Optional: add in a passphrase and write that down on a separate piece of paper). Whole thing can be done in 15-20 minutes.

Now all you need to do is your SHA256 hash by hand to generate the checksum and you've got the complete no-computer solution to generating a seed mnemonic. It would however blow out your 15-20 minute time frame to probably closer to a day... having to do 64 rounds of SHA256 to get your final hash at a rough speed of 1 round per 15 minutes or so. There are just some things that are better left to computers.
pooya87
Legendary
Offline
Activity: 3626
Merit: 11020
Crypto Swap Exchange
May 12, 2020, 03:37:00 AM
> Now all you need to do is your SHA256 hash by hand to generate the checksum and you've got the complete no-computer solution to generating a seed mnemonic. It would however blow out your 15-20 minute time frame to probably closer to a day... having to do 64 rounds of SHA256 to get your final hash at a rough speed of 1 round per 15 minutes or so. There are just some things that are better left to computers.

Well, you don't have to have a checksum since it is not mandatory. You can just pad the entropy with zeros and then derive the mnemonic from that. Besides, the problem is never with the checksum and things like that. The problem that makes people want to flip coins is the random number generators; everything else can still be done with a computer after the number was physically generated using a coin or something like that.
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
May 12, 2020, 05:15:57 AM
Won't padding out the checksum cause issues downstream when you attempt to restore this in a wallet tho? It'll complain that it's not a valid BIP39 mnemonic. I know Electrum will let you bypass that and go ahead and use it anyway... but surely for max compatibility you'd want a "valid" mnemonic! But yes, I was being facetious about manually calculating the SHA256 hash... the setup you are using has a really good mix of "randomness", security and convenience. I like it.
pooya87
Legendary
Offline
Activity: 3626
Merit: 11020
Crypto Swap Exchange
May 12, 2020, 07:20:44 AM
> Won't padding out the checksum cause issues downstream when you attempt to restore this in a wallet tho?

That's true, but when someone is going around the conventional methods of creating a mnemonic, then the assumption is that they are already using unconventional methods and code that should take all of this into consideration.
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
May 12, 2020, 08:14:45 AM (Merited by LoyceV (4), HCP (2))
If you are going to use something like Electrum on your airgapped device to import your hand-generated seed phrase to give you an address to send to, then you could skip manually calculating the hash for the checksum altogether and just brute force it, as Electrum will tell you when you are using an invalid checksum. With the first 3 bits of entropy already known, there will only be 256 possible words.

> everything else can still be done with a computer after the number was physically generated using a coin or something like that.

You still need to be sure that the software you are using isn't just spitting out pre-generated addresses regardless of what seed phrase you enter. You could go through the process of performing each operation from seed to address manually, or more simply (as Loyce has said above) you could import your seed phrase in to multiple different wallets (all airgapped of course) and ensure the generated addresses match up.

> It'll complain that it's not a valid BIP39 mnemonic. I know Electrum will let you bypass that and go ahead and use it anyway... but surely for max compatibility you'd want a "valid" mnemonic!

Yeah, there's no good reason to settle for an invalid checksum. If you input a 24 word phrase in to iancoleman which has an invalid checksum and then click "Show entropy details", it will automatically change the final word to the correct checksum, maintaining the same 3 bits of initial entropy. Doing so will obviously then lead to a different wallet with different addresses, so can only lead to more confusion down the line.
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
May 13, 2020, 12:34:27 AM
> Yeah, there's no good reason to settle for an invalid checksum. If you input a 24 word phrase in to iancoleman which has an invalid checksum and then click "Show entropy details", it will automatically change the final word to the correct checksum, maintaining the same 3 bits of initial entropy.

That's actually a pretty neat feature of that BIP39 tool... Just need to pick a word that uses the same initial entropy as the N bits of entropy left over (7 for 12 words, 3 for 24 words) and then pad it out to 11 bits, then click "entropy details" and it'll correct it automagically! So, basically, an offline copy of the BIP39 tool and a coin... and one can randomly generate mnemonics to their heart's content, knowing that they don't need to worry about "bad" RNGs (assuming their coin isn't biased!)
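
The coin-flip procedure discussed over the last several posts (11 flips per word, the leftover entropy flips for the final word, and then either computing the checksum or, as o_e_l_e_o suggests, trying all 256 candidates for the last word until the checksum validates), together with pooya87's zero-padded variant and the reason HCP expects it to fail validation, as an added example that is not code from the thread, from Electrum or from the iancoleman tool. It works on 11-bit word indices rather than words, so the 2048-entry BIP39 English list is not embedded; `indices_to_words` takes that list as a parameter. It also generalises to 12-word (7 leftover bits, 4-bit checksum) and the other BIP39 lengths. `SAMPLE_FLIPS` is a constructed, deliberately patterned sequence, not randomness to use for a real wallet; the function names are mine.

```python
import hashlib

WORDLIST_SIZE = 2048                    # BIP39 word list: one word per 11-bit index
VALID_FLIP_COUNTS = (128, 160, 192, 224, 256)   # entropy sizes BIP39 allows


def flips_to_bits(flips):
    return "".join("1" if f == "H" else "0" for f in flips)


def flips_to_entropy(flips):
    """'H'/'T' string (H = 1, T = 0) of 128..256 flips -> entropy bytes."""
    if len(flips) not in VALID_FLIP_COUNTS or set(flips) - {"H", "T"}:
        raise ValueError("need 128/160/192/224/256 flips of H or T")
    bits = flips_to_bits(flips)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def checksum_bits(entropy):
    """BIP39 checksum: the first ENT/32 bits of SHA256(entropy) (4 bits for 12 words, 8 for 24)."""
    cs_len = len(entropy) * 8 // 32
    return format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]


def entropy_to_indices(entropy):
    """Entropy bits followed by checksum bits, cut into 11-bit word indices."""
    bits = format(int.from_bytes(entropy, "big"), f"0{len(entropy) * 8}b") + checksum_bits(entropy)
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def indices_valid(indices):
    """True only if the trailing checksum bits match SHA256 of the entropy bits."""
    cs_len = len(indices) * 11 // 33
    bits = "".join(format(i, "011b") for i in indices)
    ent_bits, cs = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    return checksum_bits(entropy) == cs


def final_word_candidates(first_indices, leftover_flips):
    """Brute-force the last word: keep the leftover entropy flips fixed (7 for 12
    words, 3 for 24) and try every checksum value. Exactly one index validates."""
    n_words = len(first_indices) + 1
    cs_len = n_words * 11 // 33
    if len(leftover_flips) != 11 - cs_len:
        raise ValueError(f"expected {11 - cs_len} leftover flips for {n_words} words")
    prefix = flips_to_bits(leftover_flips)
    matches = []
    for c in range(2 ** cs_len):           # 256 candidates for 24 words, 16 for 12
        idx = int(prefix + format(c, f"0{cs_len}b"), 2)
        if indices_valid(first_indices + [idx]):
            matches.append(idx)
    return matches


def zero_padded_final_word(leftover_flips, n_words):
    """The shortcut of padding the leftover entropy bits with zeros instead of a checksum.
    The result is a word whose checksum bits are right only by 1-in-2^cs_len chance."""
    cs_len = n_words * 11 // 33
    return int(flips_to_bits(leftover_flips) + "0" * cs_len, 2)


def indices_to_words(indices, wordlist):
    """Map indices to words; `wordlist` is the 2048-entry BIP39 list (not embedded here)."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError("wordlist must have exactly 2048 entries")
    return [wordlist[i] for i in indices]


# Constructed sample flips: a repeating pattern, so obviously NOT usable entropy.
SAMPLE_FLIPS = "HHTHTTHTHTTTHHHT" * 16     # 256 flips -> 24 words

if __name__ == "__main__":
    indices = entropy_to_indices(flips_to_entropy(SAMPLE_FLIPS))
    print("word indices:", indices, "valid:", indices_valid(indices))
    print("brute-forced last word:", final_word_candidates(indices[:23], SAMPLE_FLIPS[253:]))
```

For 24 words the final word is the last 3 entropy flips followed by the 8 checksum bits, so `final_word_candidates(indices[:23], flips[253:])` scans 256 indices and returns the single valid one, which is what Electrum or the iancoleman tool effectively does when it flags or corrects a bad checksum. A zero-padded final word only validates when the real checksum happens to be all zeros, which is why such a phrase is rejected by wallets that enforce BIP39.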
PrimeNumber7
Copper Member
Legendary
Offline
Activity: 1666
Merit: 1901
Amazon Prime Member #7
May 13, 2020, 05:56:48 AM
> This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.

> Perhaps I didn't explain myself clearly. My point wasn't "There is no method by which it could leak information", but rather "There is no method by which it could leak information that I can't detect before I choose to broadcast my transaction". If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values. The amount of trust you need to place in an airgapped wallet is much lower than the trust you place in any "live" software or mobile wallet, which could steal all your coins immediately upon you importing your seed phrase.

My described scenario would not necessarily reuse a k value. It could possibly use one of thousands of k values that would appear "random" unless you produced and inspected thousands of transactions that you ultimately did not broadcast.

> You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.

> You have to trust software to spend your coin when you spend it. When you sign a message or transaction, you combine what should be a random value with your private key to generate the signature. If you know one, it is trivial to calculate the other with a given signature. Malicious software could possibly leak information via this random value.

> That can't be a problem as long as you use the address only once, right?

No. The point of my hypothetical attack is to leak information that is more valuable than a single private key, such as a seed list. Your seed list might be able to calculate many private keys that hold a lot of coin, but each private key only contains a small amount of coin. In my hypothetical example, there might be 12 combinations in the yyzzzzz portion of the k value that are produced at random, plus one additional message that indicates to an attacker that messages are being "sent", similar to a "ping". Once a single message hidden in the k value is detected, the hacker could look at change addresses for additional hidden messages in the k value.

> The scope of possible attacks is also greater when using a paper wallet than using an encrypted wallet.

> So encrypt the paper wallet.

I was actually referring to a wallet encrypted on a hard drive or computer. A paper wallet encrypted with the passphrase "LoyceV123" has less security than a private key encrypted on a hard drive/computer with the same passphrase. When you want to spend coin on a paper wallet, you need to load the private key temporarily onto a computer to sign a transaction, and there are some things that could cause the private key to become compromised. Your private key could become compromised via your computer, and any of these things could happen regardless of whether the private key is on a paper wallet or stored on a hard drive.

There are additional things that could happen that could cause your private key to become compromised while you are transferring the private key from a paper wallet to your computer, and these things are not possible if your private key was stored on your hard drive.
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
May 13, 2020, 10:59:50 AM
> My described scenario would not necessarily reuse a k value. It could possibly use one of thousands of k values that would appear "random" unless you produced and inspected thousands of transactions that you ultimately did not broadcast.

Or unless you read the source code to see how the k values were being generated, as I said above.

> There are additional things that could happen that could cause your private key to become compromised while you are transferring the private key from a paper wallet to your computer, and these things are not possible if your private key was stored on your hard drive.

Provided you are importing your paper wallet to an airgapped computer in the privacy of your own house, and you don't have a camera pointed at you while you are doing it or something equally stupid, what kind of things are you referring to that make a paper wallet more risky than an airgapped wallet?
The Cryptovator
Legendary
Offline
Activity: 2394
Merit: 2223
Signature space for rent
May 13, 2020, 04:33:01 PM
The case is interesting; that's the reason why I always discourage newbies from using paper wallets. Because a newbie couldn't determine which is a scam or phishing website, they might get scammed eventually. We should always follow good practice: if you use the original Electrum software and verify the signature, then you may use it as a paper wallet as well, since you are allowed to export private keys. Otherwise I will encourage buying a hardware wallet instead of a paper wallet if you can afford the small investment. Your funds at least will be safe. But don't forget to write your seed or private keys on multiple papers and keep them safe in multiple places. Don't save them onto any online machine.
Btckeypuzzle
Newbie
Offline
Activity: 5
Merit: 0
May 13, 2020, 09:19:35 PM
On the service https: // bitcoinpaperwall ... on the second attempt, the address 1MfPqSDiraPRBVyYASNkF8oc5Ja1ZkdsZn was "generated". I even took a screenshot to remember it.