Topic: What is the purpose of sending change to a new address
myfirst (OP)
May 19, 2015, 04:57:02 PM
 #1

I apologize if this has been asked or debated before. I am wondering what was the rationale behind having the 'change' sent to a new address instead of the existing one? Besides a false sense of anonymity, what else does it offer?

I understand that with coin control this is an optional behavior, but why is it still the default?

To me it seems to create more problems than benefits, for example, now you have to keep a pool of private keys. Should your wallet be a busy one and get corrupted, you could lose some private keys between back-ups. Whereas with a single address, the one backup is all you would ever need.
jbrnt
May 19, 2015, 05:04:16 PM
 #2

Sending change to a new address means you are never reusing an address. That improves anonymity and security. An address which has transactions going out has slightly less security than a brand new address.
(Lithium)
May 19, 2015, 05:25:16 PM
 #3

If someone wants to stalk you, at least he will have some work to do.

If you only have 1 address for input and output, anyone can see anything they want with no effort.
Moonpig
May 19, 2015, 05:47:08 PM
 #4

Quote from: jbrnt
Sending change to a new address means you are never reusing an address. That improves anonymity and security. An address which has transactions going out has slightly less security than a brand new address.

Does it though? How does it improve anonymity when you can see where the change has gone and it just makes it more likely that you will spendlink from the addresses in the future?
Muhammed Zakir
May 19, 2015, 05:58:39 PM
 #5

Quote from: Moonpig
    Quote from: jbrnt
    Sending change to a new address means you are never reusing an address. That improves anonymity and security. An address which has transactions going out has slightly less security than a brand new address.
Does it though? How does it improve anonymity when you can see where the change has gone and it just makes it more likely that you will spendlink from the addresses in the future?

Every time, change is sent to a new address. Except for people whom you told that they are your addresses, nobody has concrete proof that they are your addresses unless it is somehow linked in a transaction.

When reusing an address, i.e. always sending change back to the input address, people will know how much Bitcoin you have, where you get your Bitcoin, etc.

After evaluating both cases, the first is better than the second, i.e. sending change to a new address is better than sending it back to the input address.

P.S. Reusing an address, especially if you use a buggy client, has a high risk of exposing the private key of your address.

myfirst (OP)
May 19, 2015, 06:07:14 PM
 #6

Thanks for the constructive replies. I'm hoping to gain an understanding as to why the Bitcoin developers chose this behavior as a design/feature for the reference implementation of the wallet. They are intelligent individuals so there must be a reason beyond 'anonymity'.

Quote from: (Lithium)
If someone wants to stalk you, at least he will have some work to do.
If you only have 1 address for input and output, anyone can see anything they want with no effort.

An understandable and valid point.

However, a stalker can use the power of a computer and scan the block chain much the way a block explorer currently does. Before the block explorer, it took some effort to trace a single address. With the block explorer, it's dead simple. Today it takes a little extra effort to trace multiple addresses back to the source. As Bitcoin matures, so will the tools and utilities that analyze the block chain, eventually making the traceability of multiple addresses dead simple to anyone.

The fact that the block chain is a public record accessible to the public nullifies any type of 'anonymity'. Once a person is matched with an address, no matter how many they have, a computer can analyze the ins and outs, and provide the desired data.

Quote from: jbrnt
An address which has transactions going out has slightly less security than a brand new address.

I don't understand. In what context are you referring to 'security' here?

Quote from: Muhammed Zakir
P.S. Reusing an address, especially if you use a buggy client, has a high risk of exposing the private key of your address.

Interesting... I knew there was more to it.
Muhammed Zakir
May 19, 2015, 06:31:28 PM
 #7

Quote from: myfirst
Thanks for the constructive replies. I'm hoping to gain an understanding as to why the Bitcoin developers chose this behavior as a design/feature for the reference implementation of the wallet. They are intelligent individuals so there must be a reason beyond 'anonymity'.
    Quote from: (Lithium)
    If someone wants to stalk you, at least he will have some work to do.
    If you only have 1 address for input and output, anyone can see anything they want with no effort.
An understandable and valid point.
However, a stalker can use the power of a computer and scan the block chain much the way a block explorer currently does. Before the block explorer, it took some effort to trace a single address. With the block explorer, it's dead simple. Today it takes a little extra effort to trace multiple addresses back to the source. As Bitcoin matures, so will the tools and utilities that analyze the block chain, eventually making the traceability of multiple addresses dead simple to anyone.
The fact that the block chain is a public record accessible to the public nullifies any type of 'anonymity'. Once a person is matched with an address, no matter how many they have, a computer can analyze the ins and outs, and provide the desired data.

Bitcoin isn't built for anonymity; even though it offers it, it has limits. The only way people can know two addresses are connected to each other is if a transaction used inputs from those two addresses, but it still doesn't mean they are owned by *one* person.

Quote from: myfirst
    Quote from: jbrnt
    An address which has transactions going out has slightly less security than a brand new address.
I don't understand. In what context are you referring to 'security' here?
    Quote from: Muhammed Zakir
    P.S. Reusing an address, especially if you use a buggy client, has a high risk of exposing the private key of your address.
Interesting... I knew there was more to it.

jbrnt probably meant what I said by "security issues".

Reusing addresses, especially if you use a buggy client, exposes reused R values. Reused R values can be used to find your private key. For educational purposes only: https://bitcointalk.org/index.php?topic=977070.msg10669517#msg10669517.

DannyHamilton
May 19, 2015, 09:53:25 PM
 #8

Using a new address for every transaction doesn't guarantee anything.

However it does improve security, privacy, and the fungible nature of bitcoin.

Additionally, it discourages the mistaken assumption that a bitcoin address is an "account number".
Scamalert
May 19, 2015, 11:18:08 PM
 #9

Quote from: myfirst
I apologize if this has been asked or debated before. I am wondering what was the rationale behind having the 'change' sent to a new address instead of the existing one? Besides a false sense of anonymity, what else does it offer?
I understand that with coin control this is an optional behavior, but why is it still the default?
To me it seems to create more problems than benefits, for example, now you have to keep a pool of private keys. Should your wallet be a busy one and get corrupted, you could lose some private keys between back-ups. Whereas with a single address, the one backup is all you would ever need.

Some wallets do not use change addresses; they send the change directly back to the sending address, effectively only using one address ... it works fine.
But this is not how bitcoin is designed; it works because there is no limitation to doing so.

The purpose of the change address has nothing to do with anonymity, since it provides none.
The problem is that each time you sign a transaction, you "expose" a correlation to the private key.
There have been examples where this can be used to "hack" your private key, but this was due to bad wallet implementation.

The safest way to use bitcoin is to only use a private key one time and one time only.

I know the counter argument to this:
This will confuse the user, when constantly changing addresses?

The answer is: The user should really not care about addresses and blockchain; the only reason why a bitcoin user today needs to care about these things is because bitcoin is not yet fully developed.
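Posts #7 and #9 both point at signatures that repeat an R value under one key. The following self-audit is an added example, not code from any poster or wallet: it parses DER-encoded signatures as they appear in Bitcoin inputs and flags any r that one key used with two different s values. The labels, key name and signature bytes are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: short, made-up r/s values in DER + sighash-byte
# layout. Labels and "key_A" are hypothetical; these are not real signatures.
SAMPLE_SIGS = [
    ("tx1:0", "key_A", "300c02057f01020304020311223301"),
    ("tx2:0", "key_A", "300c02057f01020304020344556601"),  # same r, new s
    ("tx3:0", "key_A", "300b0204009abcde02030a0b0c01"),    # different r
    ("tx1:0 (relay copy)", "key_A", "300c02057f01020304020311223301"),
]

def parse_der_sig(sig_hex):
    """Return (r, s) from a DER ECDSA signature plus 1-byte sighash flag."""
    sig = bytes.fromhex(sig_hex)
    if len(sig) < 9 or sig[0] != 0x30 or sig[1] != len(sig) - 3:
        raise ValueError("not a DER signature with sighash byte")
    pos, ints = 2, []
    for _ in range(2):                       # two INTEGERs: r, then s
        if pos + 2 > len(sig) - 1 or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = sig[pos + 1]
        end = pos + 2 + length
        if length == 0 or end > len(sig) - 1:
            raise ValueError("bad INTEGER length")
        ints.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if pos != len(sig) - 1:
        raise ValueError("trailing data inside signature")
    return ints[0], ints[1]

def find_reused_r(records):
    """records: (label, pubkey, sig_hex). Returns {(pubkey, r): [labels]} for
    each r that a key used with more than one distinct s. An identical copy
    of the same signature (same r and s) is not counted as reuse."""
    seen = defaultdict(dict)                 # (pubkey, r) -> {s: first label}
    for label, pubkey, sig_hex in records:
        r, s = parse_der_sig(sig_hex)
        seen[(pubkey, r)].setdefault(s, label)
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (key, r), labels in find_reused_r(SAMPLE_SIGS).items():
        print(f"{key}: r={r:#x} repeated in {labels}")
```

Any hit means the signing code repeated a nonce and the key should be treated as exposed; signers that derive the nonce deterministically per RFC 6979 do not repeat r across different messages.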
 
ticoti
May 19, 2015, 11:32:24 PM
 #10

The simple purpose is to increase your anonymity; by using many addresses, tracing your bitcoins is more difficult.
odolvlobo
May 20, 2015, 01:55:05 AM
Last edit: May 20, 2015, 02:13:51 AM by odolvlobo
 #11

You can't always tell which address is the change address. Take a look at this random transaction:

Quote
1BQ944dD9LdGcimEdwPmDjMSnvpNssgKAt (0.06604888 BTC - Output)
1PD6hoVQXk8h4y4CX2DdjnVHsS4iRNSG6L (0.13745586 BTC - Output)
1AMgG4bbUeXWnVkGwJxEWhLgfxRvxhmM8o (0.00213323 BTC - Output)

1C9PYgmZYNouknr9H2bbHg8tb2n54mqUyS - (Unspent) 0.20350474 BTC
1LxHJeLPbiRGoMkTHdzfbSaty5NJ2sHWnE - (Unspent) 0.00203323 BTC

There is no way to know which one is the change address. Is the person sending $47 or $0.47?

On the other hand, take a look at this transaction. This person (Bob) uses only one address, 3Agx... You can see every one of Bob's transactions just by looking at that one address. Furthermore, if the person he is sending to (Alice) always receives at the same address, 1NSW..., then you have a clear and unambiguous record of all their transactions. Hmmm. I wonder why Bob sends $800 to Alice every week.

Quote
3AgxodEvv9FZtm6LMgPxCSmBwhNSBdFsSk (69.10684169 BTC - Output)

1NSWT62vC4nNSiZdqXPhVu7K37HjXZb19n - (Unspent) 3.46987004 BTC
3AgxodEvv9FZtm6LMgPxCSmBwhNSBdFsSk - (Unspent) 65.63696165 BTC

Quote from: myfirst
To me it seems to create more problems than benefits, for example, now you have to keep a pool of private keys. Should your wallet be a busy one and get corrupted, you could lose some private keys between back-ups. Whereas with a single address, the one backup is all you would ever need.

That is not really true. Though Bitcoin Core (and some others) have the disadvantage of requiring you to back up your wallet every 100 transactions, the best wallets now are HD wallets and only require you to back up the initial seed used to create the wallet.

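The comparison in post #11 can be run as a wallet-side privacy check. This is an added example, not code from the thread: it takes the two transactions quoted in that post (the first list in each quote treated as the inputs) and reports what an outside observer can infer from each one alone. The function and variable names are hypothetical.

```python
from decimal import Decimal

# The two transactions quoted in post #11, as (address, amount in BTC).
TX_FRESH = (
    [("1BQ944dD9LdGcimEdwPmDjMSnvpNssgKAt", "0.06604888"),
     ("1PD6hoVQXk8h4y4CX2DdjnVHsS4iRNSG6L", "0.13745586"),
     ("1AMgG4bbUeXWnVkGwJxEWhLgfxRvxhmM8o", "0.00213323")],
    [("1C9PYgmZYNouknr9H2bbHg8tb2n54mqUyS", "0.20350474"),
     ("1LxHJeLPbiRGoMkTHdzfbSaty5NJ2sHWnE", "0.00203323")],
)
TX_REUSED = (
    [("3AgxodEvv9FZtm6LMgPxCSmBwhNSBdFsSk", "69.10684169")],
    [("1NSWT62vC4nNSiZdqXPhVu7K37HjXZb19n", "3.46987004"),
     ("3AgxodEvv9FZtm6LMgPxCSmBwhNSBdFsSk", "65.63696165")],
)

def audit_tx(inputs, outputs):
    """Report what the transaction reveals without any outside knowledge."""
    in_addrs = {addr for addr, _ in inputs}
    fee = sum(Decimal(a) for _, a in inputs) - sum(Decimal(a) for _, a in outputs)
    back_to_input = [(ad, Decimal(a)) for ad, a in outputs if ad in in_addrs]
    report = {
        "fee": fee,
        # Addresses spent together are linked to each other; as post #7 notes,
        # that still does not prove a single owner.
        "linked_inputs": sorted(in_addrs) if len(in_addrs) > 1 else [],
        "change": None,
        "payments": [],
    }
    if len(back_to_input) == 1 and len(outputs) > 1:
        # Exactly one output returns to a spending address: it is the change,
        # so every other output is a payment with a known amount.
        report["change"] = back_to_input[0]
        report["payments"] = [(ad, Decimal(a)) for ad, a in outputs
                              if ad not in in_addrs]
        report["verdict"] = "change identified by address reuse"
    else:
        report["verdict"] = "ambiguous: any of %d outputs may be change" % len(outputs)
    return report

if __name__ == "__main__":
    for name, tx in (("fresh change address", TX_FRESH), ("reused address", TX_REUSED)):
        print(name, "->", audit_tx(*tx))
```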