Why does Bitcoin use UTXO as transaction inputs instead of just public keys?

[ArithmomanicVampire]

In Bitcoin, a simple transaction input consists essentially of a TXO, a public key, and a signature. A database is used to check that the TXO is actually an UTXO.

Why not use simply the public key as input and have the transaction signed with each public key employed? In this case, the database maps addresses to the sum of their unspent outputs. Am I missing something?

[aleksej996]

In the transaction's input a signature is a must. Otherwise, anyone with your public key (everyone, if you used your address before for spending coins) could make a transaction.

Second, UTXO (unspent transaction output) is a second half of the script that is attached to the input of the transaction that is spending those funds and needs to return 0 (maybe 1, I forgot) in order to be valid. So you kinda need it to make sure that you can spend the funds.

[ArithmomanicVampire]

In the transaction's input a signature is a must. Otherwise, anyone with your public key (everyone, if you used your address before for spending coins) could make a transaction.

Agreed. That's why I wrote that the transaction should be signed with all public keys employed.

Second, UTXO (unspent transaction output) is a second half of the script that is attached to the input of the transaction that is spending those funds and needs to return 0 (maybe 1, I forgot) in order to be valid. So you kinda need it to make sure that you can spend the funds.

Does this mean the need to include UTXO is a concession to the powerful script system Bitcoin has? Put another way: in a hypothetical, very simple altcoin with no scripts and that can do only simple transfers, it would be possible to get rid of the need to include the UTXO in the transaction?

[achow101]

What you are proposing is essentially an accounts system which then limits what you can do to just public keys and their addresses. But Bitcoin has a scripting language, and that scripting language is not limited to just public keys, it can do a lot of things. An accounts system would make that scripting language impossible to use because a script is not a public key. Also such a system has less double spend detection and resistance and it has less replay resistance. If a fork were to be made, transactions would be far more replayable without explicit UTXO references.

[gmaxwell]

Alice pays address 1Bob for his monthly paycheck
Bob uses the 1Bob coin to pays address 1Carol for dinner

Alice pays address 1Bob again his next paycheck
Mallory shows up and replays the transaction where 1Bob is paid to 1Carol

Bob is sad.

There are many other cases like this. If you address all of the one by one, you just end up with an inefficient and inflexible version of the UTXO model.

[ArithmomanicVampire]

Alice pays address 1Bob for his monthly paycheck
Bob uses the 1Bob coin to pays address 1Carol for dinner

Alice pays address 1Bob again his next paycheck
Mallory shows up and replays the transaction where 1Bob is paid to 1Carol

Bob is sad.

There are many other cases like this. If you address all of the one by one, you just end up with an inefficient and inflexible version of the UTXO model.

I didn't think of replay attacks. Now this makes much more sense. Thank you very much!