Address reuse is simpler than alternatives and not always bad - discussion

[digaran]

About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?

However if you are using one address over and over, and if your device is compromised, the attacker then has enough time to somehow generate an address to trick you. This alone could be a disadvantage.

[1714236649]

1714236649

[1714236649]

1714236649

[1714236649]

1714236649

[digaran]

About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?

The creator of the malware could just include list of Bitcoin address from their wallet to the malware.

Well I know that, but it's the matter of similarity between your address and the atacker's.
For example if I use this address 

Code:

111113DUwES2ZNWSJztA3oBuhzfcdmiaG

all the time, wouldn't it be easy for me to notice another address when I copy paste it? How can the attacker generate an address that looks just like my address? As I said above, it is possible for the hacker to generate look alike address if they have enough time, hence the disadvantage of re-used addresses.

[DaveF]

The ONLY reason to reuse an address is for simple proof verification and for static publication.
i.e. Dave send money to X here is the always same address and here is the txid and here is something signed by Dave from the sending address.

There are reasons it's done. i.e. signature campaigns, which would just about impossible to do if the participants had to give the manager a new address every week. Mistakes would be made a lot of people would not do it anyway. i.e. just keep swapping between 2 or 3 addresses.

Beyond that every wallet generates a new address every time and that should just be the way it is.

Your security / privacy is up to you if you want to sacrifice some of that for convenience that is your choice.

-Dave

[BlackHatCoiner]

Address reuse is sometimes needed. For example, adding a donation address saves time, in comparison with setting up a server software that automatically generates a new one in each request. It's desired if privacy isn't a concern. Another example is signature campaigns. The campaign manager saves a lot of time if he's saved addresses in a spreadsheet and doesn't request a new one each week.

How can the attacker generate an address that looks just like my address?

If he owns a lot of computational power, he can work out every, say, 6 characters possible starting combination. Example:

Code:

1111111...
1111112...
1111113...
[...]
1zzzzzx...
1zzzzzy...
1zzzzzz...

[BlackHatCoiner]

It talks exactly about address reuse and an alternative to the current address-per-payment method that's widely adopted.

How's this paper related to address reuse? It first describes what's the current "status quo" of standard for payment request, namely either the address or an invoice. Then, it proposes payment amounts to be identifiers (which I'm not sure how it makes sense), because it finds it more efficient as you say. Then, exchange rate becomes somewhat relevant, and then boom; conclusion. 

[AverageGlabella]

@blackhatcoiner you are correct that reuse of addresses sometimes is the best option but for most transactions we can generate addresses quickly and without any effort. The HUGE downside to using addresses is the huge privacy problem which I think should be avoided whenever possible but you are correct sometimes especially when you need to post a address and receive long term support through it (donations) then reusing the address is beneficial.

Maybe there is a way to increase privacy for reused address?

[Charles-Tim]

Maybe there is a way to increase privacy for reused address?

If you are reusing an address, it only means you have no privacy at all, but you can use a single address while you connect your wallet through Tor which can anonymize your transactions, but anonymity is not the same as privacy. There is much more ways to privacy, like not letting many of your addresses not to link together on blockchain and also in a way central servers will not be able to link your addresses and your IP addresses.

[hopenotlate]

About the clipboard malware where it can replace your address with a fairly similar address, how can they generate such addresses at will, isn't that hard to do?
 - snip -

Vanity addresses are Btc address with certain starting letters that spell out words predefined in advance , basically are personalized Btc addresses that you can create using a dedicated software a nice chunk of your computing power.

Check this thread for more info about Vanity Addresses : https://bitcointalk.org/index.php?topic=25804.0

[LoyceV]

wouldn't it be easy for me to notice another address when I copy paste it?

Of course But many people are too lazy to verify the address, and malware is still profitable when it's success rate is far under 100%.
See: How to lose your Bitcoins with CTRL-C CTRL-V.

[BlackHatCoiner]

@blackhatcoiner you are correct that reuse of addresses sometimes is the best option but for most transactions we can generate addresses quickly and without any effort.

Correct.

The HUGE downside to using addresses is the huge privacy

That's the only downside. There is no other disadvantage in re-using an address, only small advantages.

Maybe there is a way to increase privacy for reused address?

There is no point. Generating another address if desired is easy to do. It's just not worth it sometimes like when you need to setup a site, and have little time to make everything work, and you don't care about your privacy of course.

[o_e_l_e_o]

That's the only downside. There is no other disadvantage in re-using an address, only small advantages.

Not entirely true. Address reuse more easily allows you to be censored, although I suppose you could argue this is simply an extension of poor privacy. More importantly, though, there have been plenty of cases in the past of buggy or vulnerable wallet software reusing k values and leading to coins being stolen. Although all good wallet software will protect against this, it is unwise to consider it an impossible scenario. There is also the scenario of if you only ever use a single address, then you have a single point of failure for your entire bitcoin holdings. Better to spread it around a bit.

[BlackHatCoiner]

More importantly, though, there have been plenty of cases in the past of buggy or vulnerable wallet software reusing k values and leading to coins being stolen.

I don't believe that's a valid argument. If a software reuses k values (which is trivial to verify it does) then you shouldn't be using that software at all. First of all, such vulnerability should make you question the development. I don't trust a developer who doesn't know that reusing a k value is prone to failure. So, you last concern should be reusing addresses, in that case. Secondly, signing the same message (which is also possible to happen), with the same k value (as you assume it reuses k) allows anyone with the signature and the message work out the private keys that were used during signing.

There is also the scenario of if you only ever use a single address, then you have a single point of failure for your entire bitcoin holdings

True, but the same applies for the seed phrase. Again, the only disadvantage, which I agree is major, is privacy related.

[o_e_l_e_o]

If a software reuses k values (which is trivial to verify it does) then you shouldn't be using that software at all.

And for every single transaction you make, do you confirm that the k value was generated using RFC 6979 as it should have been? You confirm that there isn't some unknown bug or vulnerabilities in your wallet which has result in a reused k value or a piece of malware being able to feed a k value to your wallet? I very much doubt it, and even if you personally do, it's safe to say that 99.9999% of bitcoin users don't.

It is not realistic to say "Just don't use such a wallet", just as it is not realistic to say "Just don't get malware" or "Just don't be hacked".

Once such a bug or vulnerability has been discovered, then absolutely move to new software. But it is impossible to know that you shouldn't be using such software before the first time the vulnerability is exploited. Not reusing addresses protects you against such eventualities.

[BlackHatCoiner]

And for every single transaction you make, do you confirm that the k value was generated using RFC 6979 as it should have been?

That is the same as saying "do you confirm that the blockchain is valid as it should have been?". Software does that, not humans. Humans solve the problem, and use computers to implement the solution. If humans have solved the problem with RFC 6979, you don't have to manually check if the k value is the same. The computer does it. (Of course, assuming the software has been reviewed by multiple individuals)

It is not realistic to say "Just don't use such a wallet", just as it is not realistic to say "Just don't get malware" or "Just don't be hacked".

No, it's not the same. You don't get to choose if you get a malware; you get it without consent if you're not cautious. You do choose which wallet software you install, and it's plain dumb to use bad software if you know it's bad.

Not reusing addresses protects you against such eventualities.

If we're about to take this route, usage of software that forces reuse of addresses does protect you from the eventuality of potential vulnerability exploit in more complicated software with master public keys and so on. Is it worth it? Does this discussion have any point at all?

[o_e_l_e_o]

That is the same as saying "do you confirm that the blockchain is valid as it should have been?". Software does that, not humans.

Software written by humans, and humans make mistakes. There have been critical bugs in bitcoin, such as the time we printed 92 billion out of thin air, despite the code being review by multiple competent individuals. A fork was needed to fix that particular bug. You will be unable to fork the network to recover your coins should they be stolen from you via a reused k value.

You do choose which wallet software you install, and it's plain dumb to use bad software if you know it's bad.

Obviously, but my point is that often you don't know software is flawed/bugged/vulnerable/whatever until after the incident in question. Assuming that ever piece of software you are using is completely immune to bugs or vulnerabilities is a recipe for disaster.