I have no idea about the internals of blockchain or how
they are handling their cold wallets.

ok time to not be subtle

after all whats the point in telling everyone that bitcoin is so great due to funds being secured by 256bit and elliptic curved private keys at the back end of a transaction which never appear on the blockchain, if someone can steal funds from the front end that are only 128bit secured using publicly available data

so my next question:

so everyone should be screaming at 'seans outpost' that he can lose all donations in his address tomorrow?? not next year or 10 years time when quantum computers are around.. but tomorrow.

or is this just a hypothetical future-proofing of a possible risk relating to quantum computers maybe in the future cracking 128bit

i only ask this in common human understanding so that the laymen of the world who are already gossiping and starting to FUD spread that bitcoin is already broke due to a re-use address vulnerability

This has been asked and answered thee times.   Reusing addresses reduces security.  Period.   The risks can't be quantified as an exact % of losing funds tomorrow or next year, or next decade but the risk is increased, the margin of safety is decreased.

If tomorrow Sean signed a tx using a flawed wallet which used a repeated k value then hacker would probably detected that and exploit it within seconds emptying the wallet.   If addresses were not reused then there would be no risk even if same k value was used.  Likewise we simply do not know if/when cryptanalysis will yield usable exploits againsts ECDSA.  It could be tomorrow or might never happen before you die.   It isn't something that can be definitively quantified.  Hashing the public key is a secondary safety.  You can remove that safety and if the primary safety (the security of ECDSA and the secp256k1 curve) remains intact you are fine.   In other words you are safe until you aren't.

The first thing you need to do is remove incorrect concepts like receiving and spending addresses.   There is no such thing.   There are only addresses.   The protocol doesn't even use addresses it converts addresses to the raw PubKeyHash (which is a hash of the Public Key).

When you send funds to a given address you are actually sending it to the PubKeyHash.  The transaction becomes a public record thus the PubKeyHash (and the address can be computed from it) is a known however the Public Key (PubKey) is NOT known.   Look at the output of any transaction  the funds are sent to a PubKeyHash (160 bits).

For example here is a recent tx (pulled at random).   
http://blockchain.info/tx/4c555be716ccf923252ae118f2e9719a7ce6d4fdbf52a8cc03489b330debbd01

Funds were sent to 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8

Technically the output is this

a3988fd05be9c9b642503e61ec6bb6ed553ab8a2 is the PubKeyHash which corresponds to address 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8.

So the PubKeyHash is known and if you search the blockchain by address you will see this address received funds multiple times.   However the PubKey is unknown.  What is the PubKey for a3988fd05be9c9b642503e61ec6bb6ed553ab8a2?  There is no feasible method of finding out (unless you already know because you have seen the PubKey.

Now if 1Fv1uSsxr8z4hCHi2yhzuLf2sQafJfLbF8 spends some but not all of these outputs then in the input side of the tx, to "prove" the outputs correspond to his keypair the user will provide the PubKey.  The PubKey becomes known when it is spent because it is provided in the input side of the spending transaction.   Until that happens the PubKey is unknown.

If tomorrow there was an exploit which required knowledge of the PubKey this user would not be immediately at risk.


If they were based on Bitcoin or a derivative of Bitcoin then yes.  If they were completely new then it is possible this doesn't apply although I don't know of any.

Yes but there would no longer be any unspent outputs associated with that keypair.  It is more of an issue if you don't spend all the outputs.

Inputs are just references to specific outputs.

So say your address was assigned the following outputs

1 BTC to Address A
1 BTC to Address A
3 BTC to Address A
5 BTC to Address A
All these outputs would be locked to the PubKeyHash (decoded addresses).   The PubKey is unknown to the public.

Now lets say you wanted to send 0.5 BTC to your friend.  Your wallet may construct a tx with 1 BTC as the input and two outputs 0.5 BTC to your friend and 0.5 BTC in change.

So you are left with
1 BTC to Address A spent
1 BTC to Address A
3 BTC to Address A
5 BTC to Address A
0.5 BTC to Address A (or B depending on wallet behavior) <- your change

The issue is the tx spending the 1 BTC revealed the PubKey for address A however you still have another 9 BTC in other unspent outputs which share the same address, pubkeyhash, and pubkey.   The attacker now knows the PubKey for your other 9 BTC.  This by itself doesn't allow the theft of funds however if there is a flaw/weakness which requires the PubKey to be know, spending 0.5 BTC left 9 BTC in a weakened state.

On the other hand if you didn't re-use addresses each of those outputs would be a different Address:
1 BTC to Address A spent
1 BTC to Address B
3 BTC to Address C
5 BTC to Address D
0.5 BTC to Address E <- your change

The PubKey for Address A has been revealed however there are no unspent outputs associated with A.  You don't really need to think about it, this is the default behavior of most clients (including bitcoin-core).  Just request a new address whenever someone needs to send you funds.

well no he can keep clearing that address.

It's only tomorrow if his wallet is flawed. Since these issues are well-known by wallet authors, his wallet is probably fine. In which case, he has 128-bit security and that is pretty good. He can mitigate the risk by transferring funds out frequently, and by monitoring the news for developments in quantum computing. He probably figures his expected loss from reusing addresses is more than compensated by the donations he gets from having a fixed, published address.

Simple solution: Stealth Addresses.
In this context, "Stealth" is a misnomer. Stealth addresses can be used to receive bitcoins in a "stealthy" manner, but they are also perfect for organisations like charities that are interested in the exact opposite of stealth - high public exposure for one particular donation address. With stealth, they can publish one address publicly but never actually receive any coins with it, thus maintaining all the privacy and security advantages of not re-using addresses.


By the way, it's not at all true that legit charities don't care about financial privacy.
They care about their own privacy: no one needs to know where they send their donated coins. If they want to be transparent (and they should), they will publish a full report detailing their expenses, but they don't necessarily want the money to be easy to track.  
They should also care about the privacy of the people who donate to them: I'm not sure you'd want the government to know that you donated to wikileaks. Of course it's your job to worry about your financial privacy; personally, I always mix before donating. But it sure would make things easier if the charities I donate to would use stealth addresses.

Agreed.  There is also the security aspect to consider.  Say some Bitcoin millionaire decided to drop a ten thousand BTC into Sean's wallet.  That information will be instantly and globally available, even to bad actors.  For that kind of money someone may decide to engage in some rubber-hose cryptanalysis (aka $5 wrench analysis http://xkcd.com/538/ ).  The idea that literally the entire planet needs to know every detail of your finances to provide accountability is a naive implementation of a good concept.