The security of exposed Bitcoin public keys is just fine for general usage. They cannot be hacked. Answer to the thread's subject line: A million billion trillion zillion years. But there is a different, unrelated reason to avoid address reuse: Privacy. Avoiding address reuse gives you a modicum of privacy. That at least makes Chainalysis work for their pay. Re-using addresses makes transaction linkage trivial, child's play.
A public key is called a public key, because it is secure when exposed in public. I publish my PGP public keys (and if I didn't, PGP would be useless). I am not worried about that. Each and every time you connect to an https website secured by TLS, the server's public key is exposed to you and your symmetric session key is derived from a key-agreement process based on the hardness of the same DLP as is the fundamental basis of most widely-used public-key cryptography other than RSA. I am not worried about that, either! Likewise, I am not worried about the security of my Bitcoin public keys.
Those concerned about bad randomness causing leaked secret key bits need to read RFC 6979:
Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)
Abstract
This document defines a deterministic digital signature generation procedure. Such signatures are compatible with standard Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures and can be processed with unmodified verifiers, which need not be aware of the procedure described therein. Deterministic signatures retain the cryptographic security features associated with digital signatures but can be more easily implemented in various environments, since they do not need access to a source of high-quality randomness.
Core's secp256k1 library uses this deterministic, derandomized DSA.
I don't know if Core v0.15.1 uses that library for signing, as of yet; and I am too lazy to grep sources at the moment. I know that older versions used this library only for verification, where it beat OpenSSL 5-10x in performance. Does somebody else know off-hand?
If your wallet does not use deterministic ECDSA signing, then, well, I suggest that you should switch software. This should now be considered a baseline best practice.
Of course, if your platform's RNG is broken, then you have other problems. Big, bad problems. But with RFC 6979 signing, leakage of ECDSA private key bits will not be one of them.
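As an added illustration of the post above (example code written for this page, not Bitcoin Core's or libsecp256k1's implementation): the first half derives the ECDSA nonce k exactly as RFC 6979 section 3.2 specifies, using HMAC-SHA256 as the DRBG, and is checked against the RFC's own P-256 test vector; the second half shows, with purely modular arithmetic, why a nonce that a broken RNG repeats across two signatures hands over the private key, which is the failure mode deterministic nonces remove. The private key, repeated nonce and r value in the demo are constructed placeholders, and r stands in for the x-coordinate of k*G that real ECDSA would produce; the recovery algebra does not depend on how r was obtained.

```python
import hashlib
import hmac

# Group orders. secp256k1 is Bitcoin's curve; the P-256 order is included only
# because RFC 6979 publishes its SHA-256 test vector for that curve.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: big-endian integer, keeping only the leftmost qlen bits."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def _int2octets(x: int, qlen: int) -> bytes:
    """RFC 6979 2.3.3: fixed-width big-endian encoding of x."""
    return x.to_bytes((qlen + 7) // 8, "big")


def _bits2octets(b: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce mod q, then int2octets."""
    z1 = _bits2int(b, qlen)
    return _int2octets(z1 - q if z1 >= q else z1, qlen)


def rfc6979_nonce(priv: int, msg_hash: bytes, q: int, hashfunc=hashlib.sha256) -> int:
    """RFC 6979 section 3.2: derive k from (priv, H(m)) with HMAC-DRBG, no RNG involved."""
    qlen = q.bit_length()
    hlen = hashfunc().digest_size
    x = _int2octets(priv, qlen)
    h1 = _bits2octets(msg_hash, q, qlen)
    V = b"\x01" * hlen                                        # step b
    K = b"\x00" * hlen                                        # step c
    K = hmac.new(K, V + b"\x00" + x + h1, hashfunc).digest()  # step d
    V = hmac.new(K, V, hashfunc).digest()                     # step e
    K = hmac.new(K, V + b"\x01" + x + h1, hashfunc).digest()  # step f
    V = hmac.new(K, V, hashfunc).digest()                     # step g
    while True:                                               # step h
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: re-key and generate again (vanishingly rare for 256-bit q).
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def nonce_for_message(priv: int, msg: bytes, q: int = SECP256K1_N) -> int:
    """Convenience wrapper: hash the message with SHA-256, then derive k."""
    return rfc6979_nonce(priv, hashlib.sha256(msg).digest(), q)


# --- Why a unique k per signature matters: the arithmetic behind nonce-reuse key leakage ---

def ecdsa_s(priv: int, k: int, z: int, r: int, q: int) -> int:
    """The s component of an ECDSA signature: s = k^-1 * (z + r*priv) mod q."""
    return (pow(k, -1, q) * (z + r * priv)) % q


def priv_from_reused_nonce(z1: int, s1: int, z2: int, s2: int, r: int, q: int) -> int:
    """Two signatures sharing k (and therefore r): k = (z1-z2)/(s1-s2), priv = (s1*k - z1)/r."""
    k = ((z1 - z2) * pow((s1 - s2) % q, -1, q)) % q
    return ((s1 * k - z1) * pow(r, -1, q)) % q


def demo_reuse_leaks_key(q: int = SECP256K1_N) -> bool:
    # Constructed values (not real keys): a private key, a nonce that a faulty RNG
    # repeats for two messages, and a stand-in r value.
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    k_repeated = 0x7A1B3C5D7E9FA1B3C5D7E9FA1B3C5D7E9FA1B3C5D7E9FA1B3C5D7E9FA1B3C5D7
    r = 0x5B9D3E2F4A6C8E0F1D3B5A7C9E1F2D4B6A8C0E2F4D6B8A0C2E4F6D8B0A2C4E6F
    z1 = int.from_bytes(hashlib.sha256(b"first payment").digest(), "big") % q
    z2 = int.from_bytes(hashlib.sha256(b"second payment").digest(), "big") % q
    s1 = ecdsa_s(d, k_repeated, z1, r, q)
    s2 = ecdsa_s(d, k_repeated, z2, r, q)
    # Anyone holding both public signatures recovers d; RFC 6979 nonces differ per message, so this never arises.
    return priv_from_reused_nonce(z1, s1, z2, s2, r, q) == d
```

Note that `rfc6979_nonce` only produces k; a real signer still computes r from k*G and s as in `ecdsa_s`, and an unmodified verifier cannot tell a deterministic signature from a randomized one, which is the compatibility property the RFC abstract describes.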
The advice against address-reuse is based on the general risk of future breaks against ECDSA, which cannot be ruled out.
Actually, I think the advice against address-reuse is based on the concept that it reduces both your own privacy AND the privacy of everyone that you engage in transactions with.
The slight protection against "future breaks against ECDSA" is an added side-benefit, but not the most compelling reason.
I argue that even mentioning public-key security in the context of address reuse is a terrible disservice to Bitcoin. To anybody who does not understand the nuanced technical discussion, it FUDs Bitcoin security for no good reason. In ordinary circumstances, there is one, and only one excellent reason to avoid address reuse: Making transaction linking less easy.
I call myself paranoid; and there is only one use case in which I would be concerned about exposing the public key: Long-term storage of funds for decades. Yes, in that case, I want the extra security of reducing my attack surface to the Hash160. That will guard against unforeseen cryptanalytic breakthroughs, hypothetical quantum computers, ECDSA-cracking unicorns, the arrival of superintelligent space aliens on Earth, etc. So if I make a cold-storage address for my grandkids' inheritance, I will keep the public key secret, and sleep 3.1337% more quietly at night.
I am just that paranoid.
N.b. that using a new address for every transaction does not by itself provide good privacy. Blockchain analysis heuristics can link transactions with high reliability, even if addresses are not reused. It is only the most basic privacy measure, as well as being the prerequisite for all better privacy measures. For this reason alone, avoiding address reuse is very important.
To reduce fees, you may want to consider moving your bitcoins to a SegWit address.
This must be emphasized at every opportunity. When you use a Segwit address, you are helping the network by using less of a globally shared resource for your transactions; in BIP 141 terms, your transactions have less weight. Fees are calculated by weight. Therefore, when you use a Segwit address, you get a huge discount on fees.
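To make the weight argument concrete, here is an added example (written for this page, not code from any wallet or from Bitcoin Core) that applies the BIP 141 weight formula to a transaction built from typical P2PKH inputs and outputs versus typical P2WPKH ones. The byte counts are assumptions about a typical transaction (1-byte varints, 72-byte DER signatures, 33-byte compressed public keys), not constants from the protocol, so real transactions will differ by a few bytes; the formula itself and the marker/flag treatment are as BIP 141 specifies.

```python
import math

# Typical serialized sizes in bytes. Assumptions: 1-byte varints, 72-byte DER
# signatures, 33-byte compressed public keys.
TX_OVERHEAD = 4 + 1 + 1 + 4                        # version, input count, output count, locktime
SEGWIT_MARKER_FLAG = 2                             # marker + flag bytes, only present in segwit serialization
P2PKH_INPUT = 32 + 4 + 1 + (1 + 72 + 1 + 33) + 4   # outpoint, scriptSig length, scriptSig, sequence = 148
P2PKH_OUTPUT = 8 + 1 + 25                          # value, script length, 25-byte script = 34
P2WPKH_INPUT_BASE = 32 + 4 + 1 + 4                 # outpoint, empty scriptSig, sequence = 41
P2WPKH_INPUT_WITNESS = 1 + (1 + 72) + (1 + 33)     # item count, signature, public key = 108
P2WPKH_OUTPUT = 8 + 1 + 22                         # value, script length, 22-byte script = 31


def tx_weight(base_size: int, witness_size: int) -> int:
    """BIP 141: weight = base_size * 3 + total_size. Witness bytes count once, all others four times."""
    return base_size * 3 + (base_size + witness_size)


def vsize(weight: int) -> int:
    """Virtual size in vbytes, the unit fee rates are quoted in; BIP 141 rounds up."""
    return math.ceil(weight / 4)


def legacy_tx(n_in: int, n_out: int) -> tuple:
    """(weight, vsize) of a transaction spending P2PKH inputs to P2PKH outputs."""
    base = TX_OVERHEAD + n_in * P2PKH_INPUT + n_out * P2PKH_OUTPUT
    w = tx_weight(base, 0)
    return w, vsize(w)


def segwit_tx(n_in: int, n_out: int) -> tuple:
    """(weight, vsize) of a transaction spending P2WPKH inputs to P2WPKH outputs."""
    base = TX_OVERHEAD + n_in * P2WPKH_INPUT_BASE + n_out * P2WPKH_OUTPUT
    witness = SEGWIT_MARKER_FLAG + n_in * P2WPKH_INPUT_WITNESS
    w = tx_weight(base, witness)
    return w, vsize(w)


def fee_sats(vbytes: int, sat_per_vb: int) -> int:
    """Fee at a given fee rate; fee rates are applied per vbyte, not per raw byte."""
    return vbytes * sat_per_vb


def discount_percent(n_in: int, n_out: int) -> float:
    """How much smaller, in vbytes, the segwit version of the same-shaped transaction is."""
    legacy_vb = legacy_tx(n_in, n_out)[1]
    segwit_vb = segwit_tx(n_in, n_out)[1]
    return round(100 * (1 - segwit_vb / legacy_vb), 1)


if __name__ == "__main__":
    rate = 20  # constructed fee rate, sat/vB
    for n_in, n_out in [(1, 1), (2, 2), (5, 2)]:
        lw, lv = legacy_tx(n_in, n_out)
        sw, sv = segwit_tx(n_in, n_out)
        print(f"{n_in}-in/{n_out}-out  legacy: {lw} WU = {lv} vB, {fee_sats(lv, rate)} sat   "
              f"segwit: {sw} WU = {sv} vB, {fee_sats(sv, rate)} sat   "
              f"discount {discount_percent(n_in, n_out)}%")
```

The discount comes almost entirely from the inputs: the signature and public key that a P2PKH input carries in its scriptSig are weighted four times, while the same bytes in a P2WPKH witness are weighted once, so a wallet that holds funds on segwit addresses pays less the more inputs it has to spend.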
[pseudo-technical babble evidently designed to impress newbies and non-technical people; abysmally unimpressive to anybody who has technical expertise in Bitcoin]
[incomprehensible gibberish talk]
[blah blah blah]
The aptly-named bitfools appears to be trolling with voluminous spew of patent nonsense. Newbies, don't believe anything he says. Just ignore. It is all 100% incorrect. Sheer idiocy.