Why isn't public key enough?

[smemo92]

Hi, I'm studying Bitcoin protocol and I have a question: why can't we use public key as an address? Why is it not enough? Address is simply obtained from public key that is hashed ecc.. I can't understand why we need an address and we can't use public key instead. Public key is public as it is defined so I can only imagine that we don't use that because it is too long.
Is this the reason?
I've found this question here http://bitcoin.stackexchange.com/questions/3600/why-are-bitcoin-addresses-hashes-of-public-keys but there is only one answer and it is about the size of the public key and some not specified security problem. Anyone can explain with more details this problem?
Thank you

[HELP.org]

Hi, I'm studying Bitcoin protocol and I have a question: why can't we use public key as an address? Why is it not enough? Address is simply obtained from public key that is hashed ecc.. I can't understand why we need an address and we can't use public key instead. Public key is public as it is defined so I can only imagine that we don't use that because it is too long.
Is this the reason?
I've found this question here http://bitcoin.stackexchange.com/questions/3600/why-are-bitcoin-addresses-hashes-of-public-keys but there is only one answer and it is about the size of the public key and some not specified security problem. Anyone can explain with more details this problem?
Thank you

I think one reason was that it uses multiple types of cryptography so if there was issues with one type being broken you still can't reverse the public address into a private key.

https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses is the process

[CIYAM]

The problem is if someone ever finds a weakness in ECDSA that might enable a private key to be recovered from a public one. Although in general this is a "theoretical" problem a "real" problem was found (last year from memory) due to the use of "non-random" K values (you'll need to google that to find out the gory details).

Provided an address has not been used then its public key does not appear in the blockchain (only the hashed "address") so it keeps your "savings safer". Of course if a weakness was found in ECDSA that did allow "private keys to be worked out" then you would not be able to "spend your BTC" until some kind of "fix" was made available (as your first attempt to do so would publish the public key making it vulnerable to a tx "replacement" that might steal your BTC).

[smemo92]

thank you for your answers, I understand what you say, but when I send a transaction on the network I've understood that i also send my public key because I've signed the transaction with my private key and so everyone had to check the transaction with my public one.
So everyone can know my public key, it is not true? Maybe I've don't understood how transactions work. If it works in this way the problem still remains and using an address doesn't hide the public key.

[HELP.org]

The problem is if someone ever finds a weakness in ECDSA that might enable a private key to be recovered from a public one. Although in general this is a "theoretical" problem a "real" problem was found (last year from memory) due to the use of "non-random" K values (you'll need to google that to find out the gory details).

http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

[DannyHamilton]

- snip -
why can't we use public key as an address? Why is it not enough? Address is simply obtained from public key that is hashed ecc.. I can't understand why we need an address and we can't use public key instead. Public key is public as it is defined so I can only imagine that we don't use that because it is too long.
Is this the reason?
- snip -
 Anyone can explain with more details this problem?
Thank you

Public key is enough.  You can use public key if you want.  Most people prefer to use Bitcoin address.

There are a few reasons that Bitcoin addresses are more popular than Public Keys:

• Bitcoin addresses are shorter.
• Bitcoin addresses have a checksum built in to prevent a typo from resulting in lost bitcoins
• Bitcoin addresses provide 2 additional layers of cryptography. If ECDSA is ever weakened, your bitcoins will still be safe with a bitcoin address.
• Bitcoin addresses have a version number that allows new address types with new functionality (such as P2SH)

[CIYAM]

thank you for your answers, I understand what you say, but when I send a transaction on the network I've understood that i also send my public key because I've signed the transaction with my private key and so everyone had to check the transaction with my public one.
So everyone can know my public key, it is not true? Maybe I've don't understood how transactions work. If it works in this way the problem still remains and using an address doesn't hide the public key.

Yes - but only when you *send* (where that address is one of the UTXOs). If you create a new address and "receive" BTC then your public key has *not hit the blockchain* (and won't until you spend that UTXO).

Note also that I am pretty sure that if you sign a "verifymessage" then your public key is included in that "signature" (so don't sign messages with a bitcoin address that you haven't "spent from" unless you really have to).

[DannyHamilton]

thank you for your answers, I understand what you say, but when I send a transaction on the network I've understood that i also send my public key because I've signed the transaction with my private key and so everyone had to check the transaction with my public one.
So everyone can know my public key, it is not true?

No.  You sign a transaction when you spend the output, not when you receive it.  Therefore, when you give out a new bitcoin address, the sender does not know your public key, and does not need to know your public key.  They just send the output to the RIPEMD-160 hash (bitcoin address) that you provide them.

The unspent output then remains unspendable until someone with the private key can provide a valid signature.  It is only when you spend that output that you then sign the transaction that spends it and include the public key for the network to verify the signature.  However, once you broadcast that transaction with the signature, the output is spent and no longer available for anyone to take if there is a weakness in ECDSA.

This is one of several reasons why bitcoin addresses are not supposed to be re-used.  If you re-use a bitcoin address for receiving more than one transaction, then any unspent outputs that are still associated with the bitcoin address after the public key has been broadcast become susceptible to attack if ECDSA is ever weakened.  If you use a new address for EVERY transaction, then you aren't exposed to this risk.

Maybe I've don't understood how transactions work. If it works in this way the problem still remains and using an address doesn't hide the public key.

Perhaps you understand better now?

[smemo92]

Oh yes I know that my public key is sent only when I spend Bitcoin, the mistake that i've done is to consider using only one bitcoin address for more transactions. Now i've understood why we use it, it is not necessary but it is a good way to prevent some attacks or problem, thank you to everyone

[amaclin]

In the beginning of bitcoin era there was only one script type - transferring bitcoins to a public key (not to its hash)

look at the first p2p transacton (Satoshi Nakamoto to Hal Finney)
http://webbtc.com/tx/f4184fc596403b9d638783cf57adfe4c75c605f6356fbc91338530e9831e9e16
(right-bottom corner, "Scripts" column)

there are two outputs in it:
1) transfer 10 btc to publicKey "04ae1a62fe09c5f51b1390..." (this is Finney)
2) send 40 btc change to publicKey "0411db93e1dcdb8a016b49840f8c..." (this is Satoshi)

[TimS]

Of course if a weakness was found in ECDSA that did allow "private keys to be worked out" then you would not be able to "spend your BTC" until some kind of "fix" was made available (as your first attempt to do so would publish the public key making it vulnerable to a tx "replacement" that might steal your BTC).

That depends on how severe the weakness is. If it allows you to trivially calculate the private key from the public key, then it is a severe problem as you describe. If the vulnerability allows you to calculate it, but still non-trivially (e.g. 1 minute to a few years), then using addresses (without reusing them or leaving a balance after spending once) will provide you the security required for you and you alone to spend your BTC.

[justusranvier]

Oh yes I know that my public key is sent only when I spend Bitcoin, the mistake that i've done is to consider using only one bitcoin address for more transactions. Now i've understood why we use it, it is not necessary but it is a good way to prevent some attacks or problem, thank you to everyone

Public keys in Bitcoin are ephemeral.

It's an error to use them more than once.