Jurov manages to misrepresent the problem on Bitcoinpete's blog with the following comment :
Please ELI5 where is any substantial difference between:
Source1 -> utxo1@MyNeverReusedAddr1 -> Spent
Source2 -> utxo2@MyNeverReusedAddr2 ^
Source1 -> utxo1@MyAddr -> Spent
Source2 -> utxo2@MyAddr ^
You are spending 2 distinguishable unspent outputs in both cases.
The fact that these two situations are equivalent (which they are) is irrelevant. Consider the relevant situation :
May 1st, Source1 -> utxo1@MyNeverReusedAddr1 -> Dest1.
May 2nd, Source2 -> utxo2@MyNeverReusedAddr2 -> Dest2.
May 3rd, Source3 -> utxo3@MyNeverReusedAddr3 -> Dest3.
May 4th, Source4 -> utxo4@MyNeverReusedAddr4 -> Dest4.
May 5th, Source5 -> utxo5@MyNeverReusedAddr5 -> Dest5.
May 1st, Source1 -> utxo1@MyAddr -> Dest1.
May 2nd, Source2 -> utxo2@MyAddr -> Dest2.
May 3rd, Source3 -> utxo3@MyAddr -> Dest3.
May 4th, Source4 -> utxo4@MyAddr -> Dest4.
May 5th, Source5 -> utxo5@MyAddr -> Dest5.
Through process 1 above, Source and Destination can be paired : 1 goes with 1. It is not possible for Source 1 to have been paid at Destination 3, or 5. It is not possible for Destination 4 to have been paid from Source 2.i Thus, always using unique BTC addresses guarantees to any third party that our service is transparent for purposes of tracking our users.
Through process 2 above, Source and Destination cannot be paired, other than saying that Source1 or another user prior to May 1st was paid through Dest1 ; that Source2 or any other user prior to May 1st was paid through Dest2 and so on. At any point in time, the Sources which may be paired to a Destination are numerous, and as the address keeps being reused, their number continues to increase. Thus, always reusing the same BTC address guarantees to any third party that our service is opaque for the purposes of tracking our users. Failing that, sometimes reusing BTC addresses does not guarantee opacity, but does also not guarantee transparency.
It is worth noting that stuff like m-of-n signatures serve a very similar anti-fungibility purpose, under the veneer of "extra security". If a Bitcoin service allows such a model, it implicitly loses the ability to mix the Bitcoin coming in from different sources, and it consequently becomes even more transparent for the third party spook than case 1 discussed above. On the other hand, the supposed added security is useless in most cases. There may still exist some edge situations where m-of-n signatures are perhaps useful, but this is dubious at best, and probably not your situation.
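The pairing argument in the two processes above can be checked mechanically. The script below is an added example, not code from the original post: it takes the post's placeholder ledgers (Source1..Source5, Dest1..Dest5, the never-reused addresses and the single MyAddr), adds one constructed day-0 deposit from "EarlierUser" to stand in for the post's "another user prior to May 1st", and computes, from a third-party observer's point of view, which sources could have funded each destination. The model assumes, as the post's process 2 does, that the service may fund any payout from any coin it holds at the receiving address, so the observer learns only the address and the ordering in time.

```python
# Constructed ledger entries mirroring the post's process 1 (unique address per
# deposit). Each entry is (day, source, receiving_address, destination); all
# names are the post's placeholders, not real Bitcoin addresses or parties.
PROCESS_1 = [
    (1, "Source1", "MyNeverReusedAddr1", "Dest1"),
    (2, "Source2", "MyNeverReusedAddr2", "Dest2"),
    (3, "Source3", "MyNeverReusedAddr3", "Dest3"),
    (4, "Source4", "MyNeverReusedAddr4", "Dest4"),
    (5, "Source5", "MyNeverReusedAddr5", "Dest5"),
]

# Process 2: the same flows, every deposit landing on one reused address. The
# day-0 entry is a constructed earlier customer, standing in for the post's
# "another user prior to May 1st".
PROCESS_2 = [
    (0, "EarlierUser", "MyAddr", "Dest0"),
    (1, "Source1", "MyAddr", "Dest1"),
    (2, "Source2", "MyAddr", "Dest2"),
    (3, "Source3", "MyAddr", "Dest3"),
    (4, "Source4", "MyAddr", "Dest4"),
    (5, "Source5", "MyAddr", "Dest5"),
]


def candidate_sources(ledger):
    """What a chain observer can say about each destination: the set of payers
    into the spending address whose deposit is no later than the payout. With a
    unique address per deposit this collapses to exactly one payer."""
    result = {}
    for day, _src, addr, dest in ledger:
        result[dest] = frozenset(
            src for d, src, a, _ in ledger if a == addr and d <= day
        )
    return result


def anonymity_set_sizes(ledger):
    """Size of the candidate-source set per destination, in ledger order.
    The post's claim is that this stays at 1 under process 1 and keeps
    growing under process 2."""
    cands = candidate_sources(ledger)
    return [len(cands[dest]) for _, _, _, dest in ledger]


def is_pairable(ledger):
    """True when every destination maps to exactly one possible source, i.e.
    the service is fully transparent to a third party tracking its users."""
    return all(n == 1 for n in anonymity_set_sizes(ledger))


if __name__ == "__main__":
    for name, ledger in (("unique addresses", PROCESS_1),
                         ("reused address", PROCESS_2)):
        print(f"{name}: pairable={is_pairable(ledger)}")
        for dest, srcs in candidate_sources(ledger).items():
            print(f"  {dest} <- {sorted(srcs)}")
```

Running it prints a one-to-one mapping for process 1 and, for process 2, a candidate set for Dest5 that already contains all six depositors; each further deposit to MyAddr enlarges the set for every later payout, which is the "opacity" the text describes.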
Summa : If you're a Bitcoin user and don't know why m-of-n would be useful for you, specifically, don't use it. It's not helping "in general", it's not some sort of Universal Security Bonus or anything similar. Moreover, Universal Security Bonus providing items do not exist.
If you're a Bitcoin service and can't get a good RNG then close down. Now. If you're a Bitcoin service with a good RNG, then reuse your addresses at least some of the time. You're doing everyone in Bitcoin, and your customers especially, a huge favour.
If you're interested in Bitcoin's future, don't :
- Use any service that never reuses any addresses ;
- Use anything that comes from Mike Hearn.ii
That'd be all, thanks for reading.
———
i. Obviously, the argument can be brought that even in this case, "tracking" is pure nonsense, as there's no such thing as Bitcoin taint in the first place, and for very good reasons. Services such as BitBet manage to preserve users' anonymity quite perfectly even if employing very little address reuse.
Nevertheless, for the sort of idiots that are not capable of comprehending this point on their own, and for the sort of despicable scumbags that comprehend it just fine, but like to pretend that playing the whore for outgoing lords is somehow going to prove a worthwhile activity, this argument stands. This category includes the courts.
ii. The guy's only job in Bitcoin is to try and break it. He works for the bad guys, forget about him, he's the enemy.