But even if you consider the above an acceptable risk because you yourself will make sure you never reuse an address, the fact that only the hashed public key is published until you make a transaction still gives a false sense of security. It only works if you never make a transaction, that is, if you never spend your funds. Why? Public keys are revealed when a transaction is made, so transactions can be hijacked from the moment you send them from your device.
It is important to fully understand two things:
1.) How is a transaction sent?
The owner has the private key and the public key and uses them to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address.
When he sends the transaction, it is broadcast to the blockchain network. But before the actual transaction is sent, the wallet forms it into a package. This happens out of sight of the sender.
That package ends up carrying roughly the following info: the public key, which points to the address the funds will be coming from; the amount that will be transferred; and the address the funds will be transferred to (depending on the blockchain, this could be the hashed public key or the original public key of the receiving address). The package also carries the most important thing: a signature, created by the wallet and derived from the private-public key combination. This signature proves to the miners that you are the rightful owner and that you can send funds from that public key.
Then this package is sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s “identity”, because the sender proves he is the rightful owner by adding the signature that corresponds with the public key. And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.
2.) How is a transaction confirmed/ fulfilled and registered on the blockchain?
After the transaction is sent to the network, it is ready to be processed. The transaction waits to be added to a block. Transactions will not be added to a block immediately. How long it takes depends on the fee that is added to the transaction and on the number of transactions that need to be added. At rush hours, it can take longer than usual. The nodes will bundle transactions to verify and register on the next block. The verifying is done during a period called the block time. In the case of BTC that is 10 minutes.
If we process the information written above, we will see that there are two moments where you can actually see the public key while the transaction is not yet fulfilled and registered on the blockchain. So:
1: During the time the transaction is sent from the sender to the nodes
2: During the time the nodes verify the transaction. (The block time)
In the next parts I describe