Generating differnet addresses from same public key?

There's a gap in my understanding regarding the generation, via hashing, of bitcoin addresses. (I'm quoting from Antonoplous below for convenience, but I have consulted multiple other sources.)

According to Antonpolous:

"The bitcoin address is derived from the public key through the use of one-way cryptographic hashing. (Antonpolous, 2014:71)"

My understanding of public keys is that they do not change once generated from a private key (via ECDSA multiplication):

"Because the generator point is always the same for all bitcoin users, a private key k multiplied with G will always result in the same public key K.(Antonpolous, 2014:68)"

Best practice regarding bitcoin addresses recommends that:

"a unique address should be used for each transaction. Most Bitcoin software and websites will help with this by generating a brand new address each time you create an invoice or payment request. (Antonpolous, 2014:188)"

I understand that performing a hash function on the same data will always produce the same result (digest):

"For any specific input, the resulting hash will always be the same and can be easily calculated and verified by anyone implementing the same hash algorithm." (Antonpolous, 2014:188).

Given all of the above, my question is, how can different addresses be generated from the same, unchanging input, namely the public key?

Is it the double-hashing (SHA256 + RIPEMD160)? Is it the address pool? Is it due to deterministic wallets? The answer is probably simple and staring me in the face, but I can't see it. Thanks for any clarification.

Colman McMahon

Posted 2017-02-25T01:53:59.340

Reputation: 125

1When you want to generate a new unique address, you start by generating a new private key, then using it to generate the corresponding public key, then hash it to get an address. You don't generate a new address from a public key you already have. – Nate Eldredge – 2017-02-25T01:55:57.477

There are generally two approaches to getting multiple addresses: 1) have multiple private keys 2) use BIP32

– Nick ODell – 2017-02-25T04:38:06.880

@NateEldredge Thanks! I've seen lots about generating new addresses for every transaction but don't remember (or have blanked) seeing that a new private/public key is required also per transaction. Obvious now, but don't want to make any assumptions. – Colman McMahon – 2017-02-25T12:07:38.313

@ColmanMcMahon: Using a new address is recommended, but not required; if you want you can reuse an address you've used before (thus reusing the corresponding private/public key). – Nate Eldredge – 2017-02-25T14:15:24.950

@NickODell: While reading the question I was wondering: would it be indeed possible to generate two different addresses corresponding to the same public key by hashing either the compressed version of the public key or the uncompressed one? – cpsola – 2017-03-23T14:33:32.227

@disckjet Yes, that's right. – Nick ODell – 2017-03-23T15:20:59.400

Answers

For some reason you came to the conclusion that you can just derive multiple addresses from a single public key, but the quoted text doesn't say that. It says that the public key is uniquely generated from the private key (by multiplying the curve generator G by a random 256-bit number which is the private key). It also says that the address is derived from the public key by hashing it (RIPEMD160 & SHA256). Finally it says that it's a good idea to use a different address every time.

That doesn't mean you generate multiple addresses from the same public key. Each time you have to generate a new private key, then public key from that private key and finally the address from the public key.

ManfredMacx

Posted 2017-02-25T01:53:59.340

Reputation: 151

Thank you. That was exactly the source of my confusion (my "gap"). I appreciate the clarification on this fundamental step. Every transaction requires its own unique private key, public key, address and signature(s). – Colman McMahon – 2017-02-25T12:09:42.727

To reinforce the good answers already given about key pairs...

"As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner."

Satoshi Nakamoto, Bitcoin whitepaper, 2009, page 6:

Colman McMahon

Posted 2017-02-25T01:53:59.340

Reputation: 125

What's with the downvote? That's a good reference. – Colman McMahon – 2017-04-05T16:38:55.330

indeed, vetoed it ;) – yosemite_k – 2017-09-25T11:02:02.643

As to further elaborate the question, accepting that the paragraph indicated in the question just implies that different private/public pairs must be generated for each request:

"a unique address should be used for each transaction. Most Bitcoin software and websites will help with this by generating a brand new address each time you create an invoice or payment request. (Antonpolous, 2014:188)"

it is in fact possible to generate always at least three different valid bitcoin addresses from the same public key, as there exist always a hybrid, compressed and uncompressed form of the same pair of public/private keys.
So for example, the public key (x,y):

(50863ad64a87ae8a2fe83c1af1a8403cb53f53e486d8511dad8a04887e5b2352, 
 2cd470243453a299fa9e77237716103abc11a1df38855ed6f2ee187e9c582ba6)

with its corresponding unique private key, can be expressed with these three different addresses:

16UwLL9Risc3QfPqBUvKofHmBQ7wMtjvM
1PMycacnJaSqwwJqjawXBErnLsZ7RkXUAs
1DcuACZPCeAEmvSPzKiF8pAaZAEY1XPyue

which in fact correspond to completely different bitcoin addresses, but all of which in principle could be accessed with the same pair of private/public keys.

circulosmeos

Posted 2017-02-25T01:53:59.340

Reputation: 526