change addresses

[BRules]

I use the original bitcoin client and I have questions.

- Do I need to make a new wallet backup everytime the original client creates a new "Change address"?

- Is there a limit of change addresses that the original client will create?

- Does the original client have any setting to send the change to the input address?

Tks in advance

[CIYAM]

Each time a change address is needed (which will generally once per tx) then it will be taken from the wallet address "pool" (the size of which by default is 100) with a new entry being then added to the end of the pool.

Thus until the original pool has been exhausted (i.e. after 100 addresses whether explicit or change ones) your old backup will be fine. Note that you can adjust the pool size to make it bigger (say 1000) if you think that 100 is too small for the number of tx's you are doing and the frequency at which you take backups.

There is no limit to the total # of addresses a client will create (just the pool size as described).

Unfortunately in the Satoshi client you have no control over the change address unless you want to use the console and play around with the raw tx API (not something for the feint of heart and an easy way to lose a lot of btc as tx fees if you don't know exactly what you are doing).

[BRules]

tks for you reply, I'm kind curious and I wanna learn how to deal with raw treansactions (I already played around with bitcoin and vb net)

do you recommend any good reading (besides bitcoin.it)?

regards

[DannyHamilton]

. . .There is no limit to the total # of addresses a client will create (just the pool size as described). . .

I have heard some people who have generated really large numbers of addresses (tens of thousands or hundreds of thousands) complain that the bitcoin-qt program becomes unusably slow when you have an excessively large number of addresses in your wallet.  So "no limit" might be a bit subjective.

[CIYAM]

I have heard some people who have generated really large numbers of addresses (tens of thousands or hundreds of thousands) complain that the bitcoin-qt program becomes unusably slow when you have an excessively large number of addresses in your wallet.  So "no limit" might be a bit subjective.

True - and of course as in any software system the term "unlimited" is always limited (by memory and patience at the very least).

I also recall reading something about the next release having some changes that will help the "large number of addresses" problem (although I haven't got a link - you there Stephen?).

[Rygon]

Each time a change address is needed (which will generally once per tx) then it will be taken from the wallet address "pool" (the size of which by default is 100) with a new entry being then added to the end of the pool.

Thus until the original pool has been exhausted (i.e. after 100 addresses whether explicit or change ones) your old backup will be fine. Note that you can adjust the pool size to make it bigger (say 1000) if you think that 100 is too small for the number of tx's you are doing and the frequency at which you take backups.
There is no limit to the total # of addresses a client will create (just the pool size as described).

Unfortunately in the Satoshi client you have no control over the change address unless you want to use the console and play around with the raw tx API (not something for the feint of heart and an easy way to lose a lot of btc as tx fees if you don't know exactly what you are doing).

Sorry for bringing back an old thread, but I'm trying to learn about change addresses, and my question was an extension of this conversation. I don't really understand why there needs to be a new change address every time a tx is sent. Why isn't two addresses sufficient? The change could just go back and forth between the two. My concern (since it almost happened to me), is that someone who sends a lot of tx's will have change sent to a newly created address, and have their computer crash before they backup their wallet.

It would be a rare occurance, but the bitcoin-qt client doesn't warn users when it creates a new pool in order for the user to backup. Plus, even if it did, during that period between sending the tx and making the backup (or sending the change to a backup address), users are completely unprotected in case of a system crash and loss of the wallet file. How does everyone else manage this risk?

[DannyHamilton]

I don't really understand why there needs to be a new change address every time a tx is sent. Why isn't two addresses sufficient? The change could just go back and forth between the two.

It increases anonymity and security. There are other wallet clients out there that will let you specify a change address so you don't end up with 100's of change addresses.

On the anonymity:
If bitcoins are sent back to an address that is already identified as belonging to you, then it can be identified through inspection of the public blockchain that you have those bitcoins.
If bitcoins are always sent to a brand new address, then it becomes more dificult to determine if that address is a change address, or the recipient of bitcoins that you are sending.

On the security:
When bitcoins are received at a brand new or at least "never used to send" address, they are protected by 3 layers of cryptography.  First there is ECDSA, then SHA-256, and finally RIPEMD-160.  It would be necessary to find a weakness in all three algorithms for anyone to steal the coins.  As soon as you spend bitcoins from an address, the ECDSA public key is recorded in the blockchain.  At that point, the SHA-256 and RIPEMD-160 are no longer protecting any coins at that address.  If a weakness were discovered only in ECDSA, the security of any coins at that address would be compromised.  This is one reason why it is generally considered a "best practice" to use a unique address for every transaction.  That way no coins are ever stored at an address that has sent coins.

My concern (since it almost happened to me), is that someone who sends a lot of tx's will have change sent to a newly created address, and have their computer crash before they backup their wallet.

It would be a rare occurance, but the bitcoin-qt client doesn't warn users when it creates a new pool in order for the user to backup. Plus, even if it did, during that period between sending the tx and making the backup (or sending the change to a backup address), users are completely unprotected in case of a system crash and loss of the wallet file. How does everyone else manage this risk?

Back up your wallet often.  At least every 100 transactions.  Also, you can configure Bitcoin-Qt to increase the size of the address pool.  100 addresses is just the default that is used if you don't configure it.  You are responsible for protecting your own money.  Failing to backup your wallet often enough is a bit like storing your cash wedged in a stack of firewood and then worrying that it might accidentally get tossed into a fire.

[Rygon]

On the security:
When bitcoins are received at a brand new or at least "never used to send" address, they are protected by 3 layers of cryptography.  First there is ECDSA, then SHA-256, and finally RIPEMD-160.  It would be necessary to find a weakness in all three algorithms for anyone to steal the coins.  As soon as you spend bitcoins from an address, the ECDSA public key is recorded in the blockchain.  At that point, the SHA-256 and RIPEMD-160 are no longer protecting any coins at that address.  If a weakness were discovered only in ECDSA, the security of any coins at that address would be compromised.  This is one reason why it is generally considered a "best practice" to use a unique address for every transaction.  That way no coins are ever stored at an address that has sent coins.

Ah. Thanks. I can see now why it's good to use new address for all received coins, including change coins. It just isn't very clear anywhere. I'm not sure that is a huge security risk, because it would be a big deal if someone discovered a weakness in ECDSA. And then the bitcoin code would likely be rewritten quickly. Explaining the difference to a muggle like myself is tough to quantify though. I would still consider those coins very very secure, perhaps 99%, even if I had spent from that address before.

Back up your wallet often.  At least every 100 transactions.  Also, you can configure Bitcoin-Qt to increase the size of the address pool.  100 addresses is just the default that is used if you don't configure it.  You are responsible for protecting your own money.  Failing to backup your wallet often enough is a bit like storing your cash wedged in a stack of firewood and then worrying that it might accidentally get tossed into a fire.

Yeah, I do that anyhow. But the bitcoin client (or any client) should tell me on transaction 101 that it has created new addresses, and I should back up immediately, or before it sends coins again. I know that now, but the average person just getting into bitcoin isn't going to understand that nuance. I can see a very plausible scenario how this happens to a newbie. Someone downloads the client, starts to learn a little bit about bitcoin, puts in a small amount they can afford to lose, maybe $100 to understand it better. They back up their wallet file because they've read the rules and know that it will recover their account. Perhaps they even try deleting the wallet file and replacing it with a backup. They get comfortable. Then perhaps they'll do some light gambling on SD, rack up just over 100 transactions in a few months. They think they're protected because their wallet is backed up, then their computer crashes. Coins are gone because they didn't back up after that 100 transaction point.

So at least for me, I'll just start a new wallet every few transactions, just to make sure I'm never sending change to an address that I don't have backed up somewhere.

[DannyHamilton]

. . . the bitcoin client (or any client) should tell me on transaction 101 that it has created new addresses, and I should back up immediately, or before it sends coins again.

It doesn't wait until transaction 101.  It continuously replenishes the pool as it pulls from it.  Think of it like a queue with 100 addresses lined up in it.  Each time the client pulls an address from the front of the queue, it adds a new one to the back.  The focus of the development team for Bitcoin-Qt seems to be the protocol and how to maintain the scalability of a "full node".  The user interface is rather minimal and it seems likely that it will remain that way for some time.  I suppose it would be nice to have a setting that is "on" by default that keeps track of the newest address in the queue when you use the "Backup Wallet" menu option, and warns you if that address will be next.  This isn't likely to happen any time soon.  It would have to be an option that could be turned off, because many people back up their wallets manually by copying the files from their hard drives.  The client wouldn't even know you had done that.

I know that now, but the average person just getting into bitcoin isn't going to understand that nuance. I can see a very plausible scenario how this happens to a newbie. Someone downloads the client, starts to learn a little bit about bitcoin, puts in a small amount they can afford to lose, maybe $100 to understand it better. They back up their wallet file because they've read the rules and know that it will recover their account. Perhaps they even try deleting the wallet file and replacing it with a backup. They get comfortable. Then perhaps they'll do some light gambling on SD, rack up just over 100 transactions in a few months. They think they're protected because their wallet is backed up, then their computer crashes. Coins are gone because they didn't back up after that 100 transaction point.

So at least for me, I'll just start a new wallet every few transactions, just to make sure I'm never sending change to an address that I don't have backed up somewhere.

I think some work is being done to modify Bitcoin-Qt to use deterministic addresses.  Assuming this is true, it may only be necessary to back up the wallet once with future versions.  There are other wallets, such as Electrum, that already use deterministic addresses so they don't have this problem (unless you import your own private keys into the wallet).

[DeathAndTaxes]

the bitcoin client (or any client) should tell me on transaction 101 that it has created new addresses, and I should back up immediately, or before it sends coins again.

As Danny pointed out there is always 100 "next" addresses in the address pool.  If you make a backup today it cointains all your used address plus the next 100 address you will use.  If you make a backup next week it will contain all your used address plus the next 100.  The pool continually refills so a backup will always have all used address plus your next 100.

I know that now, but the average person just getting into bitcoin isn't going to understand that nuance. I can see a very plausible scenario how this happens to a newbie. Someone downloads the client, starts to learn a little bit about bitcoin, puts in a small amount they can afford to lose, maybe $100 to understand it better. They back up their wallet file because they've read the rules and know that it will recover their account. Perhaps they even try deleting the wallet file and replacing it with a backup. They get comfortable. Then perhaps they'll do some light gambling on SD, rack up just over 100 transactions in a few months. They think they're protected because their wallet is backed up, then their computer crashes. Coins are gone because they didn't back up after that 100 transaction point.

A couple of things.
1) You can change the size of the keypool with the command (from command prompt in windows) bitcoin -keypool=[size of keypool].  For example bitcoind -keypool=250 will increase your keypool to 250.  Note when you run this command the client will create all the new keys and then open the client so there may be a delay.  Also understand very large wallets can be slow on some systems.  Our company wallet uses a keypool of 2000 keys but that likely is overkill.

2)A noob should just make regular backups.  Once a week is likely fine, once a day if you are paranoid.  If your tx is volume is higher than 100tx per day you likely should increase the keypool size.  If the wallet is encrypted with a strong password using a backup to cloud service like dropbox is a good idea.  It is a good idea to use a backup service that allows keeping older version in case the wallet becomes corrupt and the corrupt version is also backed up.  Note: Waula supports encrypted backups and accepts Bitcoins.

3) Random wallets are likely on their way out.  Deterministic wallets generate keys in a reproducible manner so the only thing that needs to be backed up is a seed value.  This could even be backed up as a paper printout.  The reference client doesn't yet support deterministic wallets but I believe it is only a matter of time.   As you pointed out there are "gotchas" with random key wallets which means they probably will never be user friendly.  A random key wallet (where wallet is just a collection of random 256bit private keys) is simpler to develop but there are limits on how "user proof" it can be made.   Fast forward a couple years and I would imagine almost nobody will use random private keys (outside of some niche applications by experienced users who understand the limitations).  Even eWallets like blockchain.info could be made more user friendly by using deterministic wallets (make a single encrypted backup and/or printout) and if the site ever goes down you can always reconstruction your wallet.

[Rygon]

Thanks everyone. I guess that's good to know that I'm still safe in the default mode as long as I'm backing up more often than every 100 transactions. Although I feel a little more comfortable telling people to try out BTC, there is still enough "gotchas" that I'm only going to recommended it to people that are reasonably computer savvy and geeky enough to do their homework. Even if I put in the caveat of "don't put in more than you can afford to lose", it seems like a lot of people are seeing $$$ when they look at bitcoin, and I don't want to take the blame for a family or friend who gets in too deep without doing their research and slips up a little bit, ya know?