re-use of addresses

[serje]

There is no way to quantity the risk of the the first two factors however if it happens and you have funds stored in a know pubkey it will be too late.   The third scenario has already happened multiple times (android OS and bitcon.js).

I think I can quantify this!

with the current hash power for BTC if everyone would mine in a pool to brute force your address  then first the sun will explode and after they will break into your address ... witch will be pointless because we won't have any sun

He said cryptoanalysis and quantum computing, not ordinary brute-forcing, but you're right. 

On a side note, will the sun really "explode"  or just burn out?

Nope, Not our SUN! He is too small!

If you are interested you might want to check this article http://www.universetoday.com/107791/will-the-sun-explode/

Enjoy

[1714616429]

1714616429

[1714616429]

1714616429

[1714616429]

1714616429

[1714616429]

1714616429

[1714616429]

1714616429

[1714616429]

1714616429

[serje]

There is no way to quantity the risk of the the first two factors however if it happens and you have funds stored in a know pubkey it will be too late.   The third scenario has already happened multiple times (android OS and bitcon.js).

I think I can quantify this!

No you can't.

with the current hash power for BTC if everyone would mine in a pool to brute force your address  then first the sun will explode and after they will break into your address

Which has nothing to do with the points you "quantified".

You can't blame me for my condition!

Code:

Refference: [quote author=serje link=topic=467641.msg6545604#msg6545604 date=1399237859]
[quote author=dopecoindude link=topic=467641.msg6544934#msg6544934 date=1399234916]
[quote author=fredeq link=topic=467641.msg6544370#msg6544370 date=1399232355]
Hello,

Added Dopecoin to [url=http://whattomine.com]whattomine.com[/url] 
[/quote]

Thanks!  ;D
[/quote]

if dope coin would be as high as I am we all would be millionaires!
[/quote]

[jonald_fyookball]

Any Localbitcoin Sellers on here?

Reading this thread made me a bit worried about the auto-generated blockchain wallet attached to our accounts.

Apparently we can change them (+still have access to previous?) but thought it's pretty damn secure at any rate. What do you guys reckon?

Blockchain.info ?  That's an online wallet.  The main risks there are
some hacker steals your password (please set up 2FA!) or
the site itself is hacked or internally compromised. 

Those things are probably more likely to happen than
you losing your coins because of address re-use.

Cheers J

Assumed it was autogenerated from the blockchain.info with multisig because when you click on the address in "wallet", links to site.

But see what you mean    So do they move our BTC funds when we deposit into:

cold storage wallet<trade request<cold storage to Buyers withdrawal address ?

I have no idea about the internals of blockchain or how
they are handling their cold wallets.

[jonald_fyookball]

What I would like to know now is
on a technical level, WHY
you can safely re-use a receiving address
but not a sending address?

we are using cryptography to sign
the transaction and verify the
transaction... so why does
the address become known only
on the sending side and not
the receiving side?

Is this a feature of all the altcoins
as well?

[franky1]

ok time to not be subtle

after all whats the point in telling everyone that bitcoin is so great due to funds being secured by 256bit and elliptic curved private keys at the back end of a transaction which never appear on the blockchain, if someone can steal funds from the front end that are only 128bit secured using publicly available data

so my next question:

so everyone should be screaming at 'seans outpost' that he can lose all donations in his address tomorrow?? not next year or 10 years time when quantum computers are around.. but tomorrow.

or is this just a hypothetical future-proofing of a possible risk relating to quantum computers maybe in the future cracking 128bit

i only ask this in common human understanding so that the laymen of the world who are already gossiping and starting to FUD spread that bitcoin is already broke due to a re-use address vulnerability

[jonald_fyookball]

ok time to not be subtle

after all whats the point in telling everyone that bitcoin is so great due to funds being secured by 256bit and elliptic curved private keys at the back end of a transaction which never appear on the blockchain, if someone can steal funds from the front end that are only 128bit secured using publicly available data

so my next question:

so everyone should be screaming at 'seans outpost' that he can lose all donations in his address tomorrow?? not next year or 10 years time when quantum computers are around.. but tomorrow.

or is this just a hypothetical future-proofing of a possible risk relating to quantum computers maybe in the future cracking 128bit

1. we just established that its ok to re-use a receive-only address and you stay at 160 bit security.

2. even if an address is re-used for sending and you're down to 128 bits of security, its still
hypothetical weakness.  Quantum computers today cannot compute/factor more than a few bits, and
there is no known weakness to the elliptic curves used in Bitcoin.

[DeathAndTaxes]

so everyone should be screaming at 'seans outpost' that he can lose all donations in his address tomorrow?? not next year or 10 years time when quantum computers are around.. but tomorrow.

This has been asked and answered thee times.   Reusing addresses reduces security.  Period.   The risks can't be quantified as an exact % of losing funds tomorrow or next year, or next decade but the risk is increased, the margin of safety is decreased.

If tomorrow Sean signed a tx using a flawed wallet which used a repeated k value then hacker would probably detected that and exploit it within seconds emptying the wallet.   If addresses were not reused then there would be no risk even if same k value was used.  Likewise we simply do not know if/when cryptanalysis will yield usable exploits againsts ECDSA.  It could be tomorrow or might never happen before you die.   It isn't something that can be definitively quantified.  Hashing the public key is a secondary safety.  You can remove that safety and if the primary safety (the security of ECDSA and the secp256k1 curve) remains intact you are fine.   In other words you are safe until you aren't.

[jonald_fyookball]

If tomorrow Sean signed a tx using a flawed wallet which used a repeated k value then hacker would probably detected that and exploit it within seconds emptying the wallet.  

Wow.  I didn't know that scenario existed. 

I guess there are MANY things that could wrong
with a flawed wallet, including weak cryptography,
coins being burned, or something as dumb as
it accidentally deletes your private keys.

[DeathAndTaxes]

What I would like to know now is
on a technical level, WHY
you can safely re-use a receiving address
but not a sending address?

we are using cryptography to sign
the transaction and verify the
transaction... so why does
the address become known only
on the sending side and not
the receiving side?

The first thing you need to do is remove incorrect concepts like receiving and spending addresses.   There is no such thing.   There are only addresses.   The protocol doesn't even use addresses it converts addresses to the raw PubKeyHash (which is a hash of the Public Key).

When you send funds to a given address you are actually sending it to the PubKeyHash.  The transaction becomes a public record thus the PubKeyHash (and the address can be computed from it) is a known however the Public Key (PubKey) is NOT known.   Look at the output of any transaction  the funds are sent to a PubKeyHash (160 bits).

For example here is a recent tx (pulled at random).   
http://blockchain.info/tx/4c555be716ccf923252ae118f2e9719a7ce6d4fdbf52a8cc03489b330debbd01

Funds were sent to 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8

Technically the output is this

Code:

OP_DUP OP_HASH160 a3988fd05be9c9b642503e61ec6bb6ed553ab8a2 OP_EQUALVERIFY OP_CHECKSIG 

a3988fd05be9c9b642503e61ec6bb6ed553ab8a2 is the PubKeyHash which corresponds to address 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8.

So the PubKeyHash is known and if you search the blockchain by address you will see this address received funds multiple times.   However the PubKey is unknown.  What is the PubKey for a3988fd05be9c9b642503e61ec6bb6ed553ab8a2?  There is no feasible method of finding out (unless you already know because you have seen the PubKey.

Now if 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8 spends some but not all of these outputs then in the input side of the tx, to "prove" the outputs correspond to his keypair the user will provide the PubKey.  The PubKey becomes known when it is spent because it is provided in the input side of the spending transaction.   Until that happens the PubKey is unknown.

If tomorrow there was an exploit which required knowledge of the PubKey this user would not be immediately at risk.

Is this a feature of all the altcoins
as well?

If they were based on Bitcoin or a derivative of Bitcoin then yes.  If they were completely new then it is possible this doesn't apply although I don't know of any.

[jonald_fyookball]

Thanks for the lesson.  

(I was also unaware that there was a separate PubKeyHash.)

Follow-up question:

Now if 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8 spends some but not all of these outputs then in the input side of the tx, to "prove" the outputs correspond to his keypair the user will provide the PubKey.  The PubKey becomes known when it is spent because it is provided in the input side of the spending transaction.   Until that happens the PubKey is unknown.

What if they spent all?  Wouldn't we still need to provide the PubKey as an input?  

[DeathAndTaxes]

Yes but there would no longer be any unspent outputs associated with that keypair.  It is more of an issue if you don't spend all the outputs.

Inputs are just references to specific outputs.

So say your address was assigned the following outputs

1 BTC to Address A
1 BTC to Address A
3 BTC to Address A
5 BTC to Address A
All these outputs would be locked to the PubKeyHash (decoded addresses).   The PubKey is unknown to the public.

Now lets say you wanted to send 0.5 BTC to your friend.  Your wallet may construct a tx with 1 BTC as the input and two outputs 0.5 BTC to your friend and 0.5 BTC in change.

So you are left with
1 BTC to Address A spent
1 BTC to Address A
3 BTC to Address A
5 BTC to Address A
0.5 BTC to Address A (or B depending on wallet behavior) <- your change

The issue is the tx spending the 1 BTC revealed the PubKey for address A however you still have another 9 BTC in other unspent outputs which share the same address, pubkeyhash, and pubkey.   The attacker now knows the PubKey for your other 9 BTC.  This by itself doesn't allow the theft of funds however if there is a flaw/weakness which requires the PubKey to be know, spending 0.5 BTC left 9 BTC in a weakened state.

On the other hand if you didn't re-use addresses each of those outputs would be a different Address:
1 BTC to Address A spent
1 BTC to Address B
3 BTC to Address C
5 BTC to Address D
0.5 BTC to Address E <- your change

The PubKey for Address A has been revealed however there are no unspent outputs associated with A.  You don't really need to think about it, this is the default behavior of most clients (including bitcoin-core).  Just request a new address whenever someone needs to send you funds.

[jonald_fyookball]

Yes, I understand.

In a nutshell, I believe the answer to my question is:
the transaction is signed once with the public key
of the sender (which is then visible), and
the protocol requires nothing further to create those
outputs and send them along.

[jubalix]

try to explain it to a legit charity that does not care about privacy at all.
example: donation address to seans outpost

he does not care about privacy AT ALL infact he wants the world to know and use that address for donations, and he 'spends' the inputs manytimes a month. explain the risk and/or chance all their donations can be lost by using the same address.

(without meandering into a privacy concern)

well no he can keep clearing that address.

[jonald_fyookball]

try to explain it to a legit charity that does not care about privacy at all.
example: donation address to seans outpost

he does not care about privacy AT ALL infact he wants the world to know and use that address for donations, and he 'spends' the inputs manytimes a month. explain the risk and/or chance all their donations can be lost by using the same address.

(without meandering into a privacy concern)

well no he can keep clearing that address.

Not if he wants to maintain highest level 160-bit security!  That's what we just got done discussing.
But i guess it doesn't matter since he wouldn't have that much at any given time if it kept clearing.

[Brangdon]

so everyone should be screaming at 'seans outpost' that he can lose all donations in his address tomorrow?? not next year or 10 years time when quantum computers are around.. but tomorrow.

It's only tomorrow if his wallet is flawed. Since these issues are well-known by wallet authors, his wallet is probably fine. In which case, he has 128-bit security and that is pretty good. He can mitigate the risk by transferring funds out frequently, and by monitoring the news for developments in quantum computing. He probably figures his expected loss from reusing addresses is more than compensated by the donations he gets from having a fixed, published address.

[activebiz]

Yes u only reveal a part of the key when u use it to create a transaction

[MaxwellsDemon]

try to explain it to a legit charity that does not care about privacy at all.
example: donation address to seans outpost

he does not care about privacy AT ALL infact he wants the world to know and use that address for donations, and he 'spends' the inputs manytimes a month. explain the risk and/or chance all their donations can be lost by using the same address.

(without meandering into a privacy concern)

Simple solution: Stealth Addresses.
In this context, "Stealth" is a misnomer. Stealth addresses can be used to receive bitcoins in a "stealthy" manner, but they are also perfect for organisations like charities that are interested in the exact opposite of stealth - high public exposure for one particular donation address. With stealth, they can publish one address publicly but never actually receive any coins with it, thus maintaining all the privacy and security advantages of not re-using addresses.


By the way, it's not at all true that legit charities don't care about financial privacy.
They care about their own privacy: no one needs to know where they send their donated coins. If they want to be transparent (and they should), they will publish a full report detailing their expenses, but they don't necessarily want the money to be easy to track.  
They should also care about the privacy of the people who donate to them: I'm not sure you'd want the government to know that you donated to wikileaks. Of course it's your job to worry about your financial privacy; personally, I always mix before donating. But it sure would make things easier if the charities I donate to would use stealth addresses.

[jonald_fyookball]

how long until stealth features part of core and stable?

[DeathAndTaxes]

try to explain it to a legit charity that does not care about privacy at all.
example: donation address to seans outpost

he does not care about privacy AT ALL infact he wants the world to know and use that address for donations, and he 'spends' the inputs manytimes a month. explain the risk and/or chance all their donations can be lost by using the same address.

(without meandering into a privacy concern)

Simple solution: Stealth Addresses.
In this context, "Stealth" is a misnomer. Stealth addresses can be used to receive bitcoins in a "stealthy" manner, but they are also perfect for organisations like charities that are interested in the exact opposite of stealth - high public exposure for one particular donation address. With stealth, they can publish one address publicly but never actually receive any coins with it, thus maintaining all the privacy and security advantages of not re-using addresses.


By the way, it's not at all true that legit charities don't care about financial privacy.
They care about their own privacy: no one needs to know where they send their donated coins. If they want to be transparent (and they should), they will publish a full report detailing their expenses, but they don't necessarily want the money to be easy to track.  
They should also care about the privacy of the people who donate to them: I'm not sure you'd want the government to know that you donated to wikileaks. Of course it's your job to worry about your financial privacy; personally, I always mix before donating. But it sure would make things easier if the charities I donate to would use stealth addresses.

Agreed.  There is also the security aspect to consider.  Say some Bitcoin millionaire decided to drop a ten thousand BTC into Sean's wallet.  That information will be instantly and globally available, even to bad actors.  For that kind of money someone may decide to engage in some rubber-hose cryptanalysis (aka $5 wrench analysis http://xkcd.com/538/ ).  The idea that literally the entire planet needs to know every detail of your finances to provide accountability is a naive implementation of a good concept.

[jonald_fyookball]

  For that kind of money someone may decide to engage in some rubber hose cryptanalysis (or maybe $5 wrench analysis http://xkcd.com/538/).  

In the future, instead of "security by wesson" , my house will say "security by multisig"