6

Suppose my private key is properly generated. My public key is known to everybody. I don't care about privacy.

How many times can I reuse my bitcoin address until someone has enough information from all my transaction data to break my private key?

Assume I operate as an eBay seller who sells USDT (zero loses purchases where anybody can resell later at the same price), where adversaries can freely transact with me to get the transaction data, signature etc.

What is the term for this case/matter? is it "chosen cipher text attack", "plain text attack" etc.

Cisco Mmu
  • 335
  • 1
  • 9

2 Answers2

10

How many times can I reuse my bitcoin address until someone has enough information from all my transaction data to break my private key?

An arbitrary number of times.

Assuming the discrete logarithm problem for secp256k1 is hard (the basic security assumption underlying Bitcoin's digital signatures), it does not matter at all how many signatures an attacker sees. He will not be able to find the private key, or be able to forge a signature.

There are two contexts in which the advice for not reusing keys appears:

  • Privacy. Reusing addresses increases the linkability of your transactions, which reduces your privacy as well as everyone else that you interact with through that address.
  • Post-quantum security. As soon as you've spent an output assigned to a given address once, its public key becomes public knowledge. Before that point, someone with a hypothetical machine that can compute private keys from public keys cannot even start their search. I personally think this is not a particularly strong reason not to reuse addresses though (the real reason not to is privacy); see What are the potential attacks against ECDSA that would be possible if we used raw public keys as addresses? for why.

What is the term for this case/matter? is it "chosen cipher text attack", "plain text attack" etc.

This crypto SE answer is relevant: https://crypto.stackexchange.com/a/32715/72983

What you really want is protection against existential forgery (the ability for an attacker to sign a message he has never seen a signature for). That is a stronger notion of security than what you were talking about (as forgeries do not require the attacker to actually learn your private keys).

Pieter Wuille
  • 105,497
  • 9
  • 194
  • 308
  • 1
    TQ for the additional information. I will look it up. – Cisco Mmu Jun 26 '20 at 03:30
  • 1
    Most security notions in classic crypto -- I don't know about post-quantum -- rely on adversaries being polynomially bounded in their runtime. Hence, even if you have a EUF-CMA-secure -- existentially unforgeable under chosen message attack -- signature scheme, saying one can sign "an unlimited number of times" is a bit of a stretch in my opinion. For practical purposes, yes. Theoretically speaking, no. – ComFreek Jun 26 '20 at 13:08
  • 2
    @ComFreek Sure, I was trying to keep things simple. But EUF-CMA also only prevents the attacker from forging in a polynomial amount of time, which I would think implies he can't examine more than a polynomial number of signatures either? – Pieter Wuille Jun 26 '20 at 15:48
  • 1
    @PieterWuille Oh, true, so even if you publish "exponentially many" signatures, the adversary can only inspect "polynomially many". (I'm sure you know, but for other readers: speaking of functions actually doesn't make much sense if one is talking about concrete instances with fixed security parameters anyway.) In any case, I happily retract my comment. – ComFreek Jun 26 '20 at 16:07
  • 1
    Actually your second point doesn't apply. Your private key is only worth something once someone sent you some bitcoins, at which point the public key is made visible in the ledger. – csiz Jun 26 '20 at 18:23
  • @csiz The public key is visible as soon as you've spent an output that was sent to the corresponding address; it needs more than just sending to it. – Pieter Wuille Jun 26 '20 at 20:30
  • @PieterWuille Ah, I thought address and public key are the same. I (re)learned now that addresses are a hash of the pub key for extra security. – csiz Jun 26 '20 at 20:42
3

There is one case the private key is revealed: Nonce reuse. For the same private key, if two different messages are signed with the same nonce, your private key becomes "public".

Secp256k1 signing uses an 256-bit nonce. If you sign about 2^256 transactions, I guarantee that your private key will have been revealed. (But theoretically! Though you need a super-super-super-computer to scan for duplicates. Complexity O(n^2) For 2^256, that's just even less infeasible than bruteforcing private keys)

By default, on most implementations the nonce is generated as defined in RFC6979. The nonce is defined as the hash of some signing data in some order.

If you're going to sign 2^128 transactions, the probability that a nonce will be reused is about 39%. Therefore, using a counter to sign a large number of transactions is safer.

Note that even 2^128 transactions is not realistic.

MCCCS
  • 10,206
  • 5
  • 27
  • 56