Address reuse

From Bitcoin Wiki
Revision as of 22:41, 11 April 2021 by Belcher (talk | contribs) (→‎Worked Example 4: Clarify)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Address reuse refers to the use of the same address for multiple transactions. It is an unintended practice, abusing the privacy and security of the participants of the transactions as well as future holders of their value. It also only functions by accident, not by design, so cannot be depended on to work reliably.

The most private and secure way to use bitcoin is to send a brand new address to each person who pays you. After the received coins have been spent the address should never be used again. Also when sending money to people always ask them for a brand new bitcoin address.

It has been argued that the phrase "bitcoin address" was a bad name for this object. A better name would be something like "bitcoin invoice".

All good wallets today use Deterministic wallets and have a user interface which make it easy and safe to have many wallet addresses. Previously (before around 2013) this was not the case as creating new addresses could invalidate backups leading to loss of funds.

Problems

Privacy

Address reuse harms the privacy of not only yourself, but also others - including many not related to the transaction. In some cases, these risks are serious enough that they are likely in violation of reasonable consumer protection laws.

When addresses are re-used, they allow others to much more easily and reliably determine that the address being reused is yours. Every time the re-used address's private key signs a fresh transaction, whoever receives it can use the histories of that address to discover information about you, and everyone who is interested in discovering the identity of the address's owner has one more target they can try to contact to discover who you are.

The relationship graph in a re-used address is powerfully-linked in that all of the inputs to that address are necessarily joined (via the spending authority of your private key) to all of its outputs.

There has been significant research into the area of what researchers are calling 'identity collapse', which is what happens when more than one Bitcoin address is strongly-linked via the Bitcoin transaction graph to another. Re-using addresses makes their job trivial. There are publically-known databases that exist, right now, that have not only collapsed millions of Bitcoin addresses, but used publically-available information to link those collapsed identities to individuals, and these databases are being actively maintained.

While you may be okay with some random European researcher bound by his ethics board to conceal your identity from the public at-large, it is very possible that people who accept money from you may not be aware of your decision: thus, via your privacy-decreasing action, people further on the address signing chain could thus be putting you at risk if they spend their bitcoin on something that catches the attention of law enforcement.

Additionally, in the event that you knowingly make this choice (which you are doing, now that you've read this,) the transaction histories that you are responsible for linking in the event you are a retailer of some sort could put the privacy of your customers at risk because now your well-known singular address(es) which can be strongly linked to your corporate identity can be assumed to be economic activity interacting with your corporate identity.

See also: Innovations that Enhance Bitcoin Anonymity

Worked Example 1 - Savings Revealed

  • You save in bitcoin, using a single-address paper wallet.
  • All your bitcoin savings to this same address, let's say it contains $1 million worth.
  • You buy a small amount of bitcoins to add to your savings, depositing in the paper wallet.
  • The person who sold you the bitcoins follows their trail on the blockchain and finds your paper wallet containing $1 million.
  • He mentions it to someone in a cafe or bar.
  • Word gets around. A burglar raids your home. Kidnappers capture your children and know exactly how much to demand in ransom.

Worked Example 2 - Exchange Front Running

  • You have an account on a bitcoin exchange, you want to deposit some bitcoins to sell.
  • You send bitcoins to the same exchange deposit address you have used in the past.
  • Because of the address reuse, its easy to see on the blockchain that some bitcoins are being sent to an exchange.
  • The exchange requires 3 confirmations before crediting your account, but in that time the price has already moved against you as other traders become aware of your deposit transaction.
  • You sell the bitcoins for a less attractive price than you otherwise would have.
  • This is easily avoided by clicking the Generate New Deposit Address button on the exchange's website and depositing there.

Worked Example 3

  • You use a single Bitcoin address for all your earning and spending. Anyone you trade with can see a complete history of your finances.
  • Your landlord can see your salary, when he raises the rent he knows exactly how much to ask for.
  • Your shopkeeper can see your spending. Gossip gets around of how much you spend on pornography and how little on church donations.
  • Your employer can see your spending. When you pay labour union dues or donate to wikileaks or another non-profit, your boss knows who not to trust.

Censorship resistance

A reused address is much more easily linked with a certain entity. Because of this, it is easy for people to build up a blacklist of bitcoin addresses to which they will not allow transfers to. Avoiding address reuse makes this much harder.

Worked Example 4

  • You want to accept donations in bitcoin, so you publish a single reused bitcoin address on your website.
  • Some people want to donate to you by buying bitcoins from an exchange and have the coins sent immediately to your donation address.
  • Unlucky for you, the exchange wants to block donations to you, so it does not allow people to send coins to your address.
  • The way to solve this is to avoid address reuse by displaying a brand new address to each visitor. That visitor can tell the exchange to send coins to that address. Because the address is new and unused the exchange will have no idea that it belongs to you, and so will be unable to block the transfer.

Security

Bitcoin does not, at a low level, have any concept of addresses, only individual coins. Address reuse, at this layer, requires producing multiple digital signatures when you spend bitcoins. Multiple situations have been found where more than one digital signature can be used to calculate the private key needed to spend bitcoins. Even if you spend all the bitcoins claimed by this private key at once, it is still possible to double-spend them in theft before they confirm. While the known situations for finding the private key from signatures have been fixed, it is not prudent to assume there aren't more such situations yet unknown.

In the case of spending all the TXOs in a single transaction, there is an additional risk if someone is actively monitoring the network for vulnerable transactions. Upon receiving such a transaction, they can split up their double spends such that there is only one ECDSA verification per transaction (making a single transaction for each TXO). This will cause the attacker's transactions to relay across the rest of the nodes faster than the legitimate one, increasing success of a double spend.

Known attacks

Accidental loss

In Bitcoin abstraction, an address is an invoice for a specific payment. Once that payment is made, the receiving party has no reason to retain the data for the address (technical details simplified) and may discard it. Even if someone does not choose to discard that data, it may have since been lost in an accident or compromised. In any of these situations, any future payments to the same address would go in to a "black hole", and be forever lost through no fault of the recipient.

Confusion

Users who see addresses reused may incorrectly be led to believe they function similarly to wallets or bank accounts. Often this is manifested in people talking about nonsense like "address balance", "wallet address", "from address", and similar misconceptions that don't actually exist in Bitcoin.

High Fees

A single invoice payment using P2PKH can be redeemed and spent with a predictable fee because the transaction should have a predictable size. Software that determines payment and available funds based on "address balance" can cause loss through high fees. If you are paid to an address in many small increments, you will pay a much higher transaction fee when redeeming those payments. It is much more useful for a client to display transaction outputs spendable than address balances for this reason.

Notable offenders

Some notable Bitcoin software and services encourage or require address reuse:

  • Many bitcoin mining pools (especially Eligius)
  • Paper wallet which use a single bitcoin private key/address pair

References