Bitcoin wallet key pool

Mike Hearn is a software developer who works on the Bitcoin Core development team and also at Google. In this article, Mike discusses some bitcoin privacy leaks, and a new technique that does not currently have a name, but which he calls merge avoidance.

Introduction to bitcoin privacy

It’s an unfortunate fact that, despite bitcoin’s reputation in the press, its users currently leak large amounts of personal information.

It is distressingly easy for someone to learn about your balance, trading history and more. Protecting this information is a basic function of any useful financial system.

Here are a handful of leaks that crop up in daily usage.

Address reuse

Many privacy problems in Bitcoin are caused by an adversary learning which outputs are owned by the same wallet. If you can calculate this, you can discover the wallet’s balance and possibly who it traded with.

The most common way this happens is when addresses are reused. This is easily understood because popular sites like blockchain.info index outputs and transactions by address, allowing you to quickly look up all the transactions that reference any given address.

Address reuse has many different root causes. Here is a sampling:

1. End-user wallet problems

The bitcoinj library always reuses addresses by policy, thus leaking a lot of private information. There are two reasons for this. One is that prior to the development of HD wallets, constantly using up keys would result in invalidation of old wallet backups.

Bitcoin-Qt has a “key pool” to try to address this, but it only puts the problem off: the key pool can be silently exhausted, giving the same problem. Invalidating backups can cause people to lose money.

Once HD wallets are implemented (which is in progress), this problem will go away, leaving only the second problem of memory pressure on low-end phones. Address reuse may still be required on such devices, but higher-end phones and desktops/laptops shouldn’t encounter any issues.
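
The backup problem described above, as an added sketch that is not code from bitcoinj, Bitcoin-Qt or the original article: it models a wallet that pre-generates random keys into a pool and compares it with a wallet whose keys all derive from one seed. The pool size of 100, the class and function names, and the HMAC-SHA512 derivation (a stand-in, not the real HD wallet scheme) are assumptions.

```python
import hashlib
import hmac
import os


class KeyPoolWallet:
    """Random keys, pre-generated into a pool that is topped up as keys are used."""

    def __init__(self, pool_size):
        self.pool_size = pool_size
        self.keys = []   # every key generated so far, in creation order
        self.used = 0    # how many keys have been handed out
        self._refill()

    def _refill(self):
        while len(self.keys) - self.used < self.pool_size:
            self.keys.append(os.urandom(32))  # unrelated to any earlier key

    def fresh_key(self):
        key = self.keys[self.used]
        self.used += 1
        self._refill()   # silent top-up: nothing signals that old backups are aging
        return key


def derive_key(seed, index):
    """Toy deterministic derivation (HMAC-SHA512), a stand-in for a real HD scheme."""
    return hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha512).digest()[:32]


def pool_keys_missing_from_backup(payments, pool_size):
    """Back up once, then receive `payments` times; count keys the backup lacks."""
    wallet = KeyPoolWallet(pool_size)
    backup = set(wallet.keys)  # snapshot of the keys that exist at backup time
    handed_out = [wallet.fresh_key() for _ in range(payments)]
    return sum(1 for key in handed_out if key not in backup)


def seed_keys_missing_from_backup(payments, seed):
    """Same scenario when the backup is only the seed."""
    handed_out = [derive_key(seed, i) for i in range(payments)]
    restored = {derive_key(seed, i) for i in range(payments)}  # rebuilt from seed
    return sum(1 for key in handed_out if key not in restored)


if __name__ == "__main__":
    seed = bytes(32)  # constructed sample seed for the demonstration
    for n in (100, 150):
        print(n, pool_keys_missing_from_backup(n, 100), seed_keys_missing_from_backup(n, seed))
```

With a pool of 100, the old backup covers the first 100 fresh keys and none after that, which is why avoiding address reuse used to trade privacy against backup safety.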
