Security when re-using the same Bitcoin address for deposits

[hodl_worries]

Hi everyone,

I am new to the forum (and Bitcoin in general) so apologies if this is a stupid question.  I still have a lot to learn  

I have a technical question related to address reuse, which I'm struggling to find a clear answer to.  In the past few months I have been using the same address when withdrawing from my exchange to cold storage (I use both a Trezor and a Ledger).  Both Ledger and Trezor claim that reusing an address is only a privacy concern and not a security concern:
Trezor: https://wiki.trezor.io/Address_reuse
Ledger: https://support.ledger.com/hc/en-us/articles/4404389453841-Receive-crypto-assets?docs=true
Similarly, Andreas only seems to think this is a privacy concern: https://www.youtube.com/watch?v=4A3urPFkx8g&ab_channel=aantonop
Not sure I entirely understand the privacy argument completely, either though.  For example, if each time I transfer from the exchange to a new address, in theory the exchange now has a list of various addresses which all belong to me, so I am still not anonymous.  

Anyways, my primary question is about security.  I recently came across these threads:
https://bitcoin.stackexchange.com/questions/20621/is-it-safe-to-reuse-a-bitcoin-address
https://bitcointalk.org/index.php?topic=2669689
https://bitcointalk.org/index.php?topic=5325956.0

As far as I understand, the TLDR seems to be: If you use the same address and the wallet you use signs transactions using weak signatures (I probably don't understand this, but the wallet signs transactions with R or K which are generated deterministically?), then you can reverse engineer the private key for the address.  I assume it is the child private key and not the extended private key?

I am currently using Segwit for my addresses.  My questions:

• Is this still a problem today or has it been patched, as one of the responders suggested?  A lot of posts related to this issue date back to 2013-2017
• Do Ledger / Trezor produce weak signatures (ie. deterministic R or K)?  I cannot find this info anywhere...
• Given that every time you generate a transaction, the unspent transaction output gets sent to a new address, doesn't that automatically mean your coins now live in another address?  Is it still possible for someone reverse engineer your private key then?
• Given that I have been using the same Segwit address, should I consider it compromised and move everything over into a new wallet?  Ie. are both my privacy and security compromised or is it just a privacy issue?

Thank you so much in advance!  I know the above is a lot to digest!

[1713537776]

1713537776

[1713537776]

1713537776

[BlackHatCoiner]

For example, if each time I transfer from the exchange to a new address, in theory the exchange now has a list of various addresses which all belong to me, so I am still not anonymous.

You can't understand the difference if you think in terms of the exchange. You need to install a non-custodial wallet and start making transactions yourself, without the need of those intermediaries. Once you do, you'll see that every transaction you make is publicly available for anyone to see.

If you send money to a merchant, they now know your address. If you decide to deposit money to the same address again, then the merchant can know you just deposited money. More info can be leaked if we continue this further. For instance, you may decide to spend all of your money, from all of your addresses in one transaction. One can therefore conclude that all these addresses come from the same owner.

As far as I understand, the TLDR seems to be: If you use the same address and the wallet you use signs transactions using weak signatures [...]

Yes, there's a security issue when it comes to ECDSA signatures. One transaction contains several stuff, but what matters in this case is: A public key and a signature. The signature is consisted of two values, one called r and another called s. Mathematically speaking, one can work out your private key if they have two signatures which have been signed using the same private key and have the same r-value.

Also, if the software you're using doesn't create strong signatures, such as ones less than 256 bits, they can solve the hidden number problem and reach to your private key by having your weak signature and your public key. For example, a compromised software may generate insecure nonce values. [1]

Your wallet is supposed to create strong 256-bit signatures with random r-values in each transaction. It's taken for granted that it will. You should always ensure the authenticity of the wallet software you install by verifying the developers' signature.

I assume it is the child private key and not the extended private key?

Yes, what I've written above refers to child private keys. They're also called private keys, plainly. Extended private keys are used to derive them deterministically.

Another security fact is that one can work out all of your child private keys by knowing one of your child private keys and your master public key.


[1] https://eprint.iacr.org/2019/023

[o_e_l_e_o]

For example, if each time I transfer from the exchange to a new address, in theory the exchange now has a list of various addresses which all belong to me, so I am still not anonymous.

You have no privacy form the centralized exchange, but you might have some privacy from other people. If you withdraw all your coins to the same address, and then you pay me a small amount, I can now look at where that small amount came from and see the total amount of bitcoin in that address. Perhaps you don't want me to know how much bitcoin you are holding. Or maybe you use bitcoin to pay a family member, and then you later send some bitcoin to a casino. Perhaps you don't want that family member looking at your address and seeing that you are depositing bitcoin at a casino. And so on. There are endless possibilities.

As far as I understand, the TLDR seems to be: If you use the same address and the wallet you use signs transactions using weak signatures (I probably don't understand this, but the wallet signs transactions with R or K which are generated deterministically?), then you can reverse engineer the private key for the address.  I assume it is the child private key and not the extended private key?

k is a random number, which is then used to deterministically produce r. If you use either the same random number, or use a weak random number generator, then after making multiple transactions out of your address, there would be a chance someone could reverse engineer your private key.

However, both Ledger and Trezor (and indeed most good wallets) use something known as RFC 6979. This means that instead of using a random number generator for k, k is instead produced deterministically using a hash function, your private key, and the thing you are signing. This means that k will always be different and random for different transaction, and therefore removes the risk of k being weak or reused, and removes the risk of this attack being possible.

[garlonicon]

If you use the same address and the wallet you use signs transactions using weak signatures (I probably don't understand this, but the wallet signs transactions with R or K which are generated deterministically?), then you can reverse engineer the private key for the address.

Let's assume that you have some private key "d" and you sign a transaction with some random value "k". Then, you are creating a relation between "d" and "k", so that anyone can view that and validate your signature. For example, if you create a signature, anyone can know that:

Code:

d=1d66d7b06ba309150155f160787c1fd23948db3acb5a4a2544c047bd0fd1516a*k+a1659d4b5ae1b125277d9fed60e4eeeca22c291e84f434eb39f26720459bd189

With each and every signature, you reveal some equation like that in the blockchain. If you reuse your address, you create relations, where your "d" is always the same, then only your "k" and those known numbers are changing. So, after collecting some signatures, everyone can know something like that:

Code:

d=47e7bd059960d4f3f59211b3a42a89bbebe81785c7503d9afe964d098bacc87c*k1+0494c76c02154729c39cefaa85271a8c5574812d958c4be0f463f6c9421857d3
d=a15578fe0d5e80a42a5dc324d1ae305885775797f529195ae927de19b3d16bbf*k2+cd189250f07e518e73f6aa8d35123756466d639ff9cd7b329fb1238424feb318
d=659d096ab38ad11a4263e96ecacfda7b1d758b315c7288385700de2692c5cd91*k3+eed3d1d13eff059dd9efd7e638de2b53694f2fd7d020b2b62892ec4a3b87eab9
d=2d568a69e89765f6e6d7c551e87eba0fd5db67369ceb27bcdeb9b5a5cf1a4dfa*k4+5bef0164c5ca90d3bd6909582d761502acb94f90714c7c14bdb6715e88cfcdc5
d=46c56a62b5c6863b7fecc14cce6c5308b951b1c1c514ea6e9087912078d383a1*k5+f4b8f8e25e5e12b63c51cf9957a95b2f27195bfad17e2d2fab25f366d39fb684
d=345000ccc4a2ae31cdad97956930dc997b0b9e9c9da84696b121d0a2f43a0ec0*k6+f6bcc636a929b55e121b310c88bec0d9f721a773dcb5859fedd7d5803154a331

If you have many signatures, then it may be possible to calculate some kind of relation between your "d" and any of your "kN", or even between "kM" and "kN". If someone will collect many signatures and if someone will simplify that to "d=number*kN" or "d=number+kN", then your private key will be revealed. If all of those numbers are truly random, then it is safe. But if there is some weakness in the way you generate random numbers, then it can be used against you. By using new addresses each time, you reduce that risk.

[hodl_worries]

Thank you all for the quick replies!  The info above has been incredibly helpful and I think I finally understand the relationship between k and signed transaction output.  I suppose I need to get out of the habit of having a stored address in my exchange account and get more comfortable with changing it all the time.   

It sounds like the way Trezor and Ledger generate k is secure enough, where I don't need to rebuild my wallet from scratch all over again?  I have had fewer than 10 transactions so far. 

Or do you all recommend I go through the whole new wallet creation again?  What if I were to swap funds between the two wallets?  Eg. send the balance from the trezor to the next child address of the ledger and vice versa?  would that essentially reset my anonymity going forward?

Thank you again for the help so far!

[BlackHatCoiner]

I suppose I need to get out of the habit of having a stored address in my exchange account and get more comfortable with changing it all the time.

I think you should just stop using an exchange for your transactions.

It sounds like the way Trezor and Ledger generate k is secure enough, where I don't need to rebuild my wallet from scratch all over again?  I have had fewer than 10 transactions so far.

No, if you signed the transactions using Trezor or Ledger, you don't have to worry about this technical detail.

What if I were to swap funds between the two wallets?  Eg. send the balance from the trezor to the next child address of the ledger and vice versa?  would that essentially reset my anonymity going forward?

If you swap between those wallets, but without reusing any address, that would be fine.

[hodl_worries]

Thank you again!

I think you should just stop using an exchange for your transactions.

Is there a better way of accumulating Bitcoin (ie. going fiat => Bitcoin)?  As far as I know, this is the only on-ramp to the blockchain.

[BlackHatCoiner]

Is there a better way of accumulating Bitcoin (ie. going fiat => Bitcoin)?  As far as I know, this is the only on-ramp to the blockchain.

This is the way to accumulate, but not necessarily to use Bitcoin. Once you make your purchase, send them to your non-custodial wallet. (e.g., Electrum)

[o_e_l_e_o]

It sounds like the way Trezor and Ledger generate k is secure enough, where I don't need to rebuild my wallet from scratch all over again?  I have had fewer than 10 transactions so far.

No, you don't need to rebuild your wallet. Note that everything we are discussing above is only relevant when you are sending transactions from an address. It doesn't matter how many transactions you receive to an address.

What if I were to swap funds between the two wallets?  Eg. send the balance from the trezor to the next child address of the ledger and vice versa?  would that essentially reset my anonymity going forward?

No, it would not "reset your anonymity". The blockchain is entirely public, and anyone can look at any transaction. Let's say you withdraw all your coins from an exchange to the same address which we will call Address A. Later, you then move the complete balance of Address A to Address B. Such a transaction, where you completely empty one address and move the entire contents to one other address, is almost always someone moving their funds around and very rarely someone sending coins to someone else, since in the latter type of transaction you would rarely send the full balance, would frequently have some change left over, etc.

To break the link from your exchange withdrawal address to where you want the coins to end up and obfuscate the history of the coins, then you need to either mix or coinjoin them. But you also need to figure out exactly what you are trying to achieve first.

Is there a better way of accumulating Bitcoin (ie. going fiat => Bitcoin)?  As far as I know, this is the only on-ramp to the blockchain.

There are other options such as mining at home or earning bitcoin via a job or other employment. If you want to swap fiat to bitcoin, then you pretty much have to use an exchange (unless you know someone else personally whom you trust, who wants to sell bitcoin, and whom you can trade with directly). Although my personal preference is to use a peer-to-peer exchange where you trade directly with other users and do not have to complete KYC or reveal any personal information (and therefore much improve your privacy), there is no denying that using such exchanges is more complicated than using a centralized exchange like Coinbase or Binance.

[hodl_worries]

Thank you all for helping me understand the above.  It was super insightful!!