This Well-Known Bitcoin Privacy Flaw Is Still Found in 54% of Transactions
By Kyle Torpey
The overall picture of Bitcoin privacy has looked a bit more promising lately. The Lightning Network, which allows transactions to take place on a secondary payment network rather than the public Bitcoin blockchain, is growing in popularity, and some bitcoin wallets, such as Samourai Wallet and Wasabi Wallet, have added ZeroLink and other privacy features for their users.
Privacy features, however, are only useful if people actually use them.
In the case of Bitcoin, there is a privacy deficiency that is in some ways enabled by default. This is the issue of reusing addresses.
Why is Bitcoin Address Reuse Bad?
It is considered bad hygiene to reuse Bitcoin addresses because it weakens privacy for the entity who is reusing the address as well as everyone else they are interacting with on the blockchain. If an adversary can tie one transaction to the real world identity behind a particular address, then they also know all of the other payments sent to that address were received by that same individual. Additionally, payments sent from that address are known to be sent from that same person.
It is argued on the Bitcoin Wiki that “Bitcoin invoices” may have been a better name for this part of the Bitcoin system due to the misconceptions around the “Bitcoin address” terminology. After all, if Bitcoin addresses are supposed to be single use, they act more like invoices than addresses in the traditional sense.
There are also potential security issues associated with address reuse, although they would likely require the use of quantum computing to be relevant.
Modern Bitcoin software uses hierarchical deterministic wallets to make it easier to work with many different Bitcoin addresses. Yet address reuse is still rampant on the Bitcoin network.
Address Reuse is Growing
OXT calculates the address reuse ratio as: (UTXOs created - new addresses) / UTXOs created. The result is the percentage of addresses used in a particular time period that are not new, but are being reused.
The monthly historical data provided by OXT can be used to track trends in Bitcoin address reuse.
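The ratio above, worked through on a small data set, together with the linkage that reuse creates. This is an added example, not OXT's code: the output records and address labels are constructed, and it assumes an address counts as "new" the first time it appears anywhere in the data, so state carries over from month to month.

```python
from collections import Counter, defaultdict

# Constructed sample: (month, receiving address) for each output created.
# The address labels are made up; they are not real Bitcoin addresses.
SAMPLE_OUTPUTS = [
    ("2019-01", "addr_A"), ("2019-01", "addr_B"),
    ("2019-01", "addr_A"), ("2019-01", "addr_C"),
    ("2019-02", "addr_A"), ("2019-02", "addr_D"), ("2019-02", "addr_D"),
    ("2019-02", "addr_E"), ("2019-02", "addr_B"),
    ("2019-03", "addr_F"), ("2019-03", "addr_G"),
]


def reuse_ratio_by_month(outputs):
    """Return {month: (utxos_created, new_addresses, reuse_ratio)}.

    reuse_ratio = (UTXOs created - new addresses) / UTXOs created.
    Assumption: "new" means never seen earlier in the data, in any month.
    """
    seen = set()
    created = defaultdict(int)
    new = defaultdict(int)
    # Stable sort by month keeps the original order inside each month.
    for month, address in sorted(outputs, key=lambda rec: rec[0]):
        created[month] += 1
        if address not in seen:
            seen.add(address)
            new[month] += 1
    return {
        m: (created[m], new[m], (created[m] - new[m]) / created[m])
        for m in created
    }


def payments_linked_by_reuse(outputs):
    """Return {address: output_count} for every address paid more than once.

    Each entry is a set of payments an observer can attribute to a single
    recipient without any further analysis.
    """
    counts = Counter(address for _, address in outputs)
    return {addr: n for addr, n in counts.items() if n > 1}


if __name__ == "__main__":
    for month, (utxos, fresh, ratio) in reuse_ratio_by_month(SAMPLE_OUTPUTS).items():
        print(f"{month}: {utxos} outputs, {fresh} new addresses, reuse {ratio:.2%}")
    print("linked by reuse:", payments_linked_by_reuse(SAMPLE_OUTPUTS))
```

Note that addr_B is counted as reuse in February even though it appears only once that month, because it was first seen in January.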
After a peak of 77.63% address reuse in February 2013, there was a downward trend to a bottom of 41.34% in December 2017. There was a spike in address reuse around July 2015, but this was likely due to a “stress test” during that month.
More recently, Bitcoin address reuse has been on the rise. In November 2018, more than 50% of the addresses used were not new. So far in March 2019, 53.57% of the addresses used have been used before.
It should be noted that much of the recent increase in Bitcoin address reuse may have been caused by VeriBlock, which is a project that uses Bitcoin OP_RETURN transactions in an effort to bring additional security to alternative blockchains. Recently, Forbes reported that VeriBlock accounts for 20% of daily Bitcoin transactions, and the relevant transactions listed on the VeriBlock website indicate that the system reuses addresses many times for its proof-of-proof (PoP) activities. Here’s a VeriBlock-related address that has been used 97 times at the time of this writing.
Having said that, the reversal of the trend in address reuse on the Bitcoin network happened roughly seven or eight months before VeriBlock started having any kind of impact on the Bitcoin network. It’s possible that this initial trend reversal was related to the massive drop in the influx of new users in reaction to the bursting of the bubble in the overall crypto asset market around this time.
According to OXT’s “LaurentMT,” exchanges and other custodial wallets could be at the center of the increased reuse of addresses in the aftermath of the 2017 crypto asset bubble. Data shared by LaurentMT appears to support this hypothesis.
What Can Be Done About This?
There have been a number of proposals that could be used to help lower the address reuse ratio. As mentioned previously, deterministic wallets are useful for making it easier for users to create new addresses for every payment. It’s clear, however, that more advancements are needed.
At the end of the day, this issue may come down to the fact that people are still sending each other random strings of numbers and letters in order to send and receive Bitcoin payments.
Reusable payment codes (now sometimes called paynyms) and the payment protocol are two options that could be used to help improve the sharing of Bitcoin addresses for payments, but they aren’t compatible or widely used. The debate over which one would be a better option as a standard has been going on for many years.