The Huge Mistake of Reusing Bitcoin Adresses

By fred_nurk | pragprog | 26 Jul 2021


An Unintended Practice

 

    We all know that everything that happens on the blockchain is visible to anybody who wants to take a look. Even though this adds to the security and confidentiality of the public ledger, there is a misuse problem that can lead to serious security and privacy risks for not only you bu tothers involved. What I am referring to is the reuse of a bitcoin address in multiple transactions, over a prolonged period of time. Many people think of a bitcoin address to be a sort of "account number" that you can associate to yourself. This is WRONG, a bitcoin address is more like an invoice. Here is where the problem starts. If you, let's say make a purchase online using your address and then afterwords make a donation, then send some money to a freind, etc. you will be "mapping" the activity of a bitcoin address with your identity. The more you use an address, the more likelyhood it has of being tied to your identifity and the more certaintity someone is going to relate it to you.

 

Transaction Signing and Privacy

   Each address has a set of key pairs, a public and a private key, the private key is used to sign transactions and the public key is associated with the address. When you send BTC to someone, they have access to your address, your public key and a signature produced by your private key. When someone receives a transaction from an address that you have reused over a period of time they can lookup your address and associate all of its previous transactions with your identity, completley compromising the privacy of the entire history of transactions on that address. Through the authority of your private key they can link all the inputs that address has generated to all the outpurs.

 

Affecting Yourself and Others

    With the knowledge of multiple reused addresses, researchers can form something that is called an 'identity collapse' where the identities of multiplel holders are linked to the addresses, not just the compromised ones.Once this is started, receiving people unknowing of your address being compromised willl continue the singing chain and could later put you in trouble, especially if their transactions get the attention of law enfocement.

   The previous description was for a personal address use, now think if you are a merchant or retailer and you receive BTC payments using the same address, you will not only put your money at risk but you will also be responsible for the compromise of all of your customers' privacy loss.

  If you use the same address for all transactions it would be worse for your privacy than using a centralized payment method. When you use a centralized payment method, only the central authority can see your information such as your deposit history, current balance and transactions, when you use a single bitcoin address anyone from your family and freinds to your employer has access to this information

 

Security Risks

   Remmember I mentioned the private key an address has linked to it? When you use the same address for multiple transactions, there is more signatures signed with the same private key giving malicious actors more data to potencially calculate your private key based on these signatures, compromising your address and all the assets associated with it. This cannot be avoided being that at a low level in bitcoin there isn't a concept of addresses. The best way to avoid this is using a different address for every use case.

 

Misconceptions

    The biggest misunderstanding I see in the bitcoin user community is that of a "from address". Bitcoin addresses are made to receive transactions, not to send them. The human learning model suggests that we relate new concepts with already known ones, that is why this "a transaction was sent from" gets confusing. In traditional payment systems, I hand a paper bill to you or maybe I wire transfer money to you. Then on top of that some block explorers actual show a "balance" for an address and many people are led to beleive that a bitcoin address is like a bank account. I will go into more depth on this in a future post, but it is important to keep in mind that this is not true.

 

Basic Tips

    Generate new addresses regularly. When you use up all the BTC associated to one address, don't "fill it back up' generate a new one. Also try to stay clear from Bitcoin that was obtained on an exchage, you can bet that any address that comes from an exchange is compromised. If you realy on an exchange to actually purchase your bitcoin, first of all don't take it all out at once, send it in parts and seperate them by random periods of times, even weeks or months between withdrawls if possible. Also if possible don-t send it all to the same address, this will link your exchange identity to your new adress, send seperate amounts to different addresses

 

 

 

 

 

 

 

How do you rate this article?


11

0

fred_nurk
fred_nurk

I like programming and this whole new blockchain wrold.


pragprog
pragprog

This is a side project from my main blog (termuxuser01.blogspot.com) mainly dedicated to my exploracion into blockchain technology and the new fronteirs it opens. I like learning and sharing what I find in the digital sea.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.