Hi guys, I learnt from the Yoroi mobile app source code that they generate a new change address whenever they make a transaction?
What is the reason behind this? Is it a good practice?
What if I use the same sending address for change address?
Many thanks 
There is no reason for it, anymore, just tradition.
It once was privacy. But since all addresses of a waller are usually linked via the stake address that point is 99% moot.
Other wallet apps – e.g., Nami – use a single address for everything.
Many thanks. Really appreciate.
@_ilap is right in the answer to the same question on Telegram:
It may be used as an additional security measure, since the public key itself is not … well … public, until the first transaction spends from its address.
If a vulnerability would be discovered allowing to derive private from public keys (worst case for an asymmetric cipher) or to derive something from known signatures, it would affect single-address wallets like Nami, stake addresses, the pool.skey files of pools run with one of the standard guides, but not wallets that generate new addresses for everything.
I understand that reasoning.
But I don’t understand that. @HeptaSean Do you mean that following one of the standard guides makes the situation somehow worse?
cold.skey (= pool.skey) is used every time a new certificate is created. cold.vkey is public and already exposed isn’t it? In that case it wouldn’t matter how many times it is used to create a new certificate, would it?
For reference, @_ilap’s reasoning, why the “always generate new change and receive addresses” policy is more secure was:
For security reason, one address one hashed public key. When u receive money multiple times to the same address, that means multiple UTxO. And when you spend any of those multiple UTxOs the addres publickey will be exposed in the wittnes. If the Ed25519 will have some securiry vulnerability in the futre for figuring out th priv key somehow, then all ur fund on that address will be lost. That is, one reason, why the pubkey is protected by an additional hash.
And the public keys for stake and pool keys are exposed in that way, because registrations, updates, and withdrawals are signed by them.
As far as I can see there is no possibility to keep stake and pool keys as secure as payment keys and only expose the hash, since we will always have to sign at least one registration.
But I also don’t think that a vulnerability in Ed25519 is that likely.
That is what I thought. Thanks for the well articulated explanation.
Though people say that elliptic curve ciphers may be easier to crack using Quantum computers compared with a similar strength RSA.