On Wed, Mar 05, 2014 at 12:54:04PM -0800, Gregory Maxwell wrote: > On Wed, Mar 5, 2014 at 12:32 PM, Peter Todd wrote: > > That's nice, but I wrote my advice to show people how even if they don't > > know any crypto beyond what the "black boxes" do - the absolute minimum > > you need to know to write any Bitcoin software - you can still defend > > yourself against that attack and many others. > > But it's still incomplete. > > Say you have an address— used only once!— with a txout with a lot of value. > > Someone starts paying you small amounts to that address over and over > again. You haven't asked them to, they're just doing it. > > Do you ignore the funds?— maybe tell some customer that was ignorantly > paying you over and over again to a single address "sorry, those are > my rules: I only acknowledge the first payment, those funds are > lost!". > > No, of course not. You spend the darn coins and if you're on a shared > host perhaps you disclose a private key. > > The probability of an attack actually going on is low enough compared > to the cost of spending the coins in that case that even someone with > good knoweldge of the risks will choose to do so. > > So absolutely, not reusing addresses massively increases your safety > and limits losses when there is theft. But it isn't enough alone. (Nor > is smarter signing, considering complex software like this has bugs > and its hard to be confident that something is side channel free— esp > when you allow attacker interference). I think you're misunderstanding me: I'm assuming one of the n parties signing transactions in my multi-factor authentication scheme is uncompromised - much easier to do when it's a low-bandwidth box sitting in a secure location. Not re-using keys is nice too of course, and while not perfect - your above scenario - certainely helps limit losses. -- 'peter'[:-1]@petertodd.org 0000000000000000afcad9265e8b44bf1171a08165c09b329fab2893bf13ec69