Is z-address reuse considered good practice and, if so, when might one want multiple z-address?
With Bitcoin, address reuse is discouraged. Privacy is a common justification but there are also security concerns.
In the zcash blog post Anatomy of a zcash transaction, Paige Peterson notes:
Thankfully, when sending ZEC from a shielded address, that data is kept private so sending change back to the sending address is permissible. In Zcash, all transactions between shielded addresses look identical so the reuse of shielded addresses is not vulnerable in the same way that transparent addresses are.
This suggests that reusing z-addresses is fine but also that there are no consequences beyond privacy. I’ve found no explicit guidance.
Here’s a great discussion of address reuse in Zcash vs. Bitcoin, by Keybase:
one thing about zaddrs you should know is that each one is going to up the time it takes to scan the wallet anytime zcashd is restarted and has to rescan. The extreme case of this was when zcash was new and mining pool operators were trying to pay out from wallets that had a LOT of zaddrs in them, and it would get to the point where computing a private transaction wouldn’t finish before the next block (or several)! and they’d then never finish.
They’ve been sped up somewhat since then, but due to the inherent nature of how zksnarks work, you have to scan and try to decrypt EVERY private txn since the key was created to see what ZEC it may have received. So adding more zaddrs can really bog things down. And people can’t see what zaddr a txn was sent to, so yes, you can reuse.
The fact that you have to rescan the chain when you import a zaddr, is the same reason that its safe to re-use them: the only way to see if a txn is to a particular zaddr is to try and decrypt it with that zaddr’s key!
Thank you tromer and radix42.
Can anyone speak to the security aspect of address reuse? Might I compromise my private key by repeatedly spending from the same address? (as can happen with Bitcoin when signing transactions using an RNG which is not cryptographically secure) or is the spending process designed to accommodate address reuse.
Is the possibility of address reuse a convenient accident or an intended feature?
I think it was an intended feature, have to ask someone from ZcashCo to be sure
Reuse of shielded addresses is an intended feature, and recommended in most situations. An upcoming blog post will discuss this.