by mason55 3302 days ago
Article says

> This is also why address reuse in Bitcoin is encouraged as to sign a transaction you need to reveal your public key. If you don't reuse an address after sending a transaction from the address, you don't need worry about the private key of that address being exposed.

Shouldn't that say "address reuse in Bitcoin is discouraged"? Otherwise I don't think I understand what he's trying to say.


It should say: This is also why address reuse in Bitcoin is "discouraged", as to sign a transaction you need to reveal your public key. If you don't reuse an address after sending a transaction from the address, you don't need to worry about the "public key" of that address being exposed.

The reason being that without the public key revealed, with only the bitcoin address, the attacker first needs to guess the public key from the address, then guess the private key from there. So just breaking one of the hash algorithms or the ECDSA algorithm is not enough to steal funds. At least that's the theory; in reality, if either algorithm is broken we have a much bigger problem.

I was under the impression that ecdsa was potentially broken by quantum computers, but SHA-256 was not. Is that not the case?
Yes, in theory. See https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Qu...

ECDSA is vulnerable to a modified version of Shor's quantum integer factorization algorithm. However, nobody on Earth is known to be close to producing such a computer. Adiabatic quantum computers like the ones produced by D-Wave are not known to be capable of running Shor's algorithm. See https://en.wikipedia.org/wiki/Adiabatic_quantum_computation

SHA-256 and hashing algorithms have no known quantum attack against them, but one could theoretically gain a sqrt(n) advantage in brute-force search using Grover's quantum search algorithm. https://en.wikipedia.org/wiki/Grover%27s_algorithm

Huh, I knew that Grover's algorithm would yield speed-ups in db searches, but apparently I didn't read the wikipedia article closely enough. It allows for inversion of any function in sqrt time!
Address reuse is most certainly discouraged from a security standpoint! I expect that you are correct as to the article's intended meaning.
Address reuse only becomes a problem in the theoretical case that someone can determine the private key from a signature. This would only happen if there was some sort of breakthrough in cryptanalysis of elliptic curve cryptography, which, while theoretically possible, is unlikely.
The idea is that you don't just want to be secure now, but also in the future. The ECC Bitcoin uses is vulnerable to Shor's algorithm, and thus to quantum computation. Quantum computing at that scale is a fair way off, most likely, but on a timescale of a couple of decades or more, a successful attack seems quite reasonable.

Bitcoin can soft-fork, allowing address generation with a different algorithm. It's not any sort of existential threat to Bitcoin. But it does require that you move your coins to a new address if you reuse an address, else you are vulnerable.

Not to mention that such a discovery would be significant enough that a protocol upgrade and fork would be inevitable, in order to protect addresses retroactively.
Or you reuse the nonce in ECDSA.

This burned Sony, and burned people who had faulty wallet code that submitted transactions with duplicate nonces.

If you only published and signed a transaction once, you would be immune to failure by ECDSA nonce reuse.

It's good to rotate the public key/address per transaction in bitcoin.

Oops, you are correct. Good pick up, I'll get to changing that!