Bitcoin Forum
Topic: Change addresses: What was the motive of Satoshi?
AlexGR (OP), Legendary
June 14, 2014, 03:54:32 PM  #1

We know that "change" in real life is useful because you give ten dollars and you get back change. However in Bitcoin you can send a precise amount of coins, so change is not really "necessary" - not even as an option. It's not needed and adds bloat out of nowhere.

Some say "change increases privacy so that's why it was placed in there". Surely, a protocol as transparent as bitcoin wouldn't increase its privacy by any significant amount through change (not to mention that change can be linked during future spending). This is stuff that even a script can put together, deanonymizing transactions.

And why, if it is privacy-related, wouldn't one be able to control change spending so as to not be linked together?

So there has to be something else here that Satoshi saw.

I'm thinking it may be related to Quantum-Computing resistance. By moving the amount to the recipient + change to a new address (which hasn't yet published its public key), a good portion of the network's money will remain uncrackable by a quantum computer as the QC won't know the public key to extrapolate the private key.

If control of change is going to be implemented in future versions of Bitcoin, this quantum-resistance could be broken. Perhaps it should also be accompanied by a change in the private/public key algorithm to a quantum-resistant one.

Or, alternatively, introduce a button in the wallet that places one's funds into "quantum storage" - aggregating them automatically in a single address with no spends (which prevents QC cracking). One could even checkbox something like "automatic quantum storage" so that when one wants to spend money, one amount would go to the destination and the other would go to a new address with zero spends. Thus change control won't affect the principle of QC-resistance, if that's the rationale of Satoshi.
joshraban76, Sr. Member
June 14, 2014, 04:19:57 PM  #2

I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

jl2012, Legendary
June 14, 2014, 04:51:01 PM  #3

No, you don't know how bitcoin works at protocol level. It has nothing to do with privacy or quantum computing.

Bitcoin is like a banknote. You can only spend it as one piece. You can't cut it into 2 halves by yourself. If you want to spend part of its value, you need someone (e.g. a bank) to divide it into 2 banknotes for you. That's how "change" comes. (of course, we don't have a bank in bitcoin, but miners are doing such job)

Willisius, Sr. Member
June 14, 2014, 04:53:33 PM  #4

I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

Heh, speaking of privacy, we're not even supposed to -have- a main address. I'm guilty as well, of course.
joshraban76, Sr. Member
June 14, 2014, 04:57:56 PM  #5

I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

Heh, speaking of privacy, we're not even supposed to -have- a main address. I'm guilty as well, of course.

Sorry, can't get you.

shorena, Copper Member, Legendary
June 14, 2014, 04:59:23 PM  #6

I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

Heh, speaking of privacy, we're not even supposed to -have- a main address. I'm guilty as well, of course.

Sorry, can't get you.

One of the ideas with bitcoin is that you generate a new address for every input you get. So you have no main address, you just have a bunch of addresses.


No, you don't know how bitcoin works at protocol level. It has nothing to do with privacy or quantum computing.

Bitcoin is like a banknote. You can only spend it as one piece. You can't cut it into 2 halves by yourself. If you want to spend part of its value, you need someone (e.g. a bank) to divide it into 2 banknotes for you. That's how "change" comes. (of course, we don't have a bank in bitcoin, but miners are doing such job)

If you get an input of .1 you have to spend it as .1; you can split it into several outputs though. So you can use it to pay .05 to someone and get .05 as change.

AlexGR (OP), Legendary
June 14, 2014, 05:18:11 PM  #7

No, you don't know how bitcoin works at protocol level. It has nothing to do with privacy or quantum computing.

Bitcoin is like a banknote. You can only spend it as one piece. You can't cut it into 2 halves by yourself. If you want to spend part of its value, you need someone (e.g. a bank) to divide it into 2 banknotes for you. That's how "change" comes. (of course, we don't have a bank in bitcoin, but miners are doing such job)

Perhaps you are right. I am no expert on these matters - I try to understand them.

On what you say:

a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?

b) 1 Bitcoin consists of millions of satoshis anyway - so again the fictional bank to do the division is quite redundant...

c) In terms of future-proofing, what's the chance that the coins remain undivided over the course of 10-20-30-40-50 years? They will be divided anyway, so? If the currency is successful it's almost a given that the vast majority of transactions will be conducted in fractional amounts. Why the need to divide them?

d) What about halvings in block reward that produce fractional coins to begin with?
justusranvier, Legendary
June 14, 2014, 05:22:08 PM  #8

a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?
Treating Bitcoin like an electronic payment system is a very artificial limitation for a distributed computer.
CIYAM, Legendary
June 14, 2014, 05:23:25 PM  #9

Understand that "coins" get split up and recombined all the time.

So your 100 received 0.001 BTC's can be sent out as 0.1 BTC (so the system doesn't *break down* because of everything turning into dust).

The point all along is to help keep things more "anonymous" and "coin control" can help in giving you more "control" over this process.

AlexGR (OP), Legendary
June 14, 2014, 05:25:09 PM  #10

a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?
Treating Bitcoin like an electronic payment system is a very artificial limitation for a distributed computer.

"What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party."

--Satoshi (whitepaper)

justusranvier, Legendary
June 14, 2014, 05:30:08 PM  #11

a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?
Treating Bitcoin like an electronic payment system is a very artificial limitation for a distributed computer.

"What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party."

--Satoshi (whitepaper)
Think a bit more about what it means for Bitcoin to be a distributed computer.

Also, the word "Bitcoin" doesn't only have one meaning.
AlexGR (OP), Legendary
June 14, 2014, 05:33:51 PM  #12

Understand that "coins" get split up and recombined all the time.

So your 100 received 0.001 BTC's can be sent out as 0.1 BTC (so the system doesn't *break down* because of everything turning into dust).

Key question: Are change addresses *needed* for this splitting and recombination? Can't they just be performed on a transaction basis?
Peter R, Legendary
June 14, 2014, 05:38:31 PM  #13

No, you don't know how bitcoin works at protocol level. It has nothing to do with privacy or quantum computing.

Bitcoin is like a banknote. You can only spend it as one piece. You can't cut it into 2 halves by yourself. If you want to spend part of its value, you need someone (e.g. a bank) to divide it into 2 banknotes for you. That's how "change" comes. (of course, we don't have a bank in bitcoin, but miners are doing such job)

Perhaps you are right. I am no expert on these matters - I try to understand them.


He is right.  This is directly from Satoshi's white paper (Section 9): https://bitcoin.org/bitcoin.pdf

a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?

No.  It is the most flexible way to solve the problem.

Key question: Are change addresses *needed* for this splitting and recombination? Can't they just be performed on a transaction basis?

Yes.  Transactions destroy inputs (in their entirety) and create new outputs.  The rule is that the sum of the outputs must be less than the sum of the inputs for the transaction to be valid.

joshraban76, Sr. Member
June 14, 2014, 05:41:38 PM  #14

I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

Heh, speaking of privacy, we're not even supposed to -have- a main address. I'm guilty as well, of course.

Sorry, can't get you.

One of the ideas with bitcoin is that you generate a new address for every input you get. So you have no main address you just have bunch of addresses.


What if I created an account with my name on blockchain and there I have my only BTC address; it will still be my main one.

gmaxwell, Staff, Legendary
June 14, 2014, 05:52:50 PM  #15

We know that "change" in real life are useful because you give ten dollars and you get back change. However in Bitcoin you can send a precise amount of coins, so change is not really "necessary" - not even as an option. It's not needed and adds bloat out of nowhere.
Sorry, you misunderstand Bitcoin horribly— you're in good company: The block explorers present a cooked view of the system to make things simpler, but promote this sort of misunderstanding as an unfortunate side effect.

In Bitcoin you cannot send a precise amount. You must send an amount which is a sum of some subset of the amounts you've previously received. A good mental model is to imagine that when someone pays you they give you a metal coin with a certain weight (value) with a public key of yours written on it.  You know which payment was being made by virtue of which public key received the funds.  When you later want to spend the coin you visit a forge (the network) and ask it to melt down one or more coins that you have and make one or more new coins of equal or lesser weight with whatever public keys you want to be paid inscribed on them, and you present signatures to show you were authorized to spend the coin(s).

The Bitcoin blockchain has no "balances" and instead tracks atomic "coins" (transaction outputs). When your wallet authors a transaction it picks one or more of the payments you've previously received to spend completely. Often the amount is more than the amount you are spending (obviously it cannot be less), and so you need to take change as part of the transaction.

The coin tracking design is important because it prevents replay and also allows clear deterministic behavior in the event of reorganization. The lack of any persistent accounts is also beneficial for privacy.
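The coin model that jl2012, Peter R and gmaxwell describe above (inputs destroyed whole, new outputs created, sum of outputs not above sum of inputs, change only when the selected coins overshoot) is easy to see in code. The following is an added example written for this page, not Bitcoin Core or any wallet's code: a toy UTXO ledger with largest-first coin selection. Every name in it (addresses such as alice-recv-1, the txid counter, the demo amounts) is invented; amounts are integer satoshis and signatures are left out entirely.

```python
"""Toy UTXO ledger: inputs are consumed whole, so a payment usually needs change.
Added example, not Bitcoin Core code: amounts are integer satoshis, addresses are
plain strings standing in for scriptPubKeys, txids come from a counter, no signatures."""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

_txid_counter = itertools.count(1)

def next_txid() -> str:
    """Stand-in for hashing the serialized transaction."""
    return f"tx{next(_txid_counter):04d}"

@dataclass(frozen=True)
class OutPoint:             # reference to one existing output: (txid, index)
    txid: str
    index: int

@dataclass(frozen=True)
class TxOut:
    value: int              # satoshis
    address: str            # stands in for the scriptPubKey

@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]  # previous outputs destroyed, each in full
    outputs: List[TxOut]    # new outputs created

class UTXOSet:
    """Unspent outputs are the only state kept; balances are derived, never stored."""
    def __init__(self) -> None:
        self.utxos: Dict[OutPoint, TxOut] = {}

    def apply(self, tx: Tx) -> int:
        """Validate tx against the UTXO set, apply it, return the implied fee."""
        if not tx.inputs:
            raise ValueError("transaction spends nothing")
        if len(set(tx.inputs)) != len(tx.inputs):
            raise ValueError("same output referenced twice in one transaction")
        total_in = 0
        for op in tx.inputs:
            if op not in self.utxos:        # never existed, or already spent
                raise ValueError(f"{op} is not an unspent output")
            total_in += self.utxos[op].value
        total_out = sum(o.value for o in tx.outputs)
        if total_out > total_in:
            raise ValueError(f"outputs {total_out} exceed inputs {total_in}")
        for op in tx.inputs:                # consumed whole: no partial spend exists
            del self.utxos[op]
        for i, out in enumerate(tx.outputs):
            self.utxos[OutPoint(tx.txid, i)] = out
        return total_in - total_out         # the miner keeps the difference

    def coins_of(self, wallet: Set[str]) -> List[Tuple[OutPoint, TxOut]]:
        return [(op, o) for op, o in self.utxos.items() if o.address in wallet]

    def balance(self, wallet: Set[str]) -> int:
        return sum(o.value for _, o in self.coins_of(wallet))

def select_coins(coins, target: int) -> Tuple[List[OutPoint], int]:
    """Largest-first: add whole coins until their sum reaches target."""
    chosen, total = [], 0
    for op, out in sorted(coins, key=lambda c: c[1].value, reverse=True):
        chosen.append(op)
        total += out.value
        if total >= target:
            return chosen, total
    raise ValueError("insufficient funds")

def build_payment(ledger, wallet, recipient, amount, fee, change_address) -> Tx:
    """Spend whole coins; the excess over amount + fee goes to change_address."""
    chosen, total = select_coins(ledger.coins_of(wallet), amount + fee)
    outputs = [TxOut(amount, recipient)]
    change = total - amount - fee
    if change > 0:                          # an exact hit needs no change output
        outputs.append(TxOut(change, change_address))
    return Tx(next_txid(), chosen, outputs)

def demo() -> dict:
    """Alice holds 0.5 and 0.3 BTC coins and pays Bob 0.6 BTC with a 0.0001 BTC fee."""
    ledger = UTXOSet()
    ledger.utxos[OutPoint("coinbase-1", 0)] = TxOut(50_000_000, "alice-recv-1")
    ledger.utxos[OutPoint("coinbase-2", 0)] = TxOut(30_000_000, "alice-recv-2")
    alice = {"alice-recv-1", "alice-recv-2", "alice-change-1"}
    tx = build_payment(ledger, alice, "bob-recv-1", 60_000_000, 10_000, "alice-change-1")
    fee = ledger.apply(tx)
    try:                                    # the 0.5 BTC coin no longer exists
        ledger.apply(Tx(next_txid(), [tx.inputs[0]], [TxOut(1, "mallory")]))
        double_spend_rejected = False
    except ValueError:
        double_spend_rejected = True
    # Bob passes the 0.6 BTC coin on exactly: no change output at all.
    tx2 = build_payment(ledger, {"bob-recv-1"}, "carol-recv-1", 60_000_000, 0, "bob-change-1")
    ledger.apply(tx2)
    return {
        "fee": fee,
        "outputs": [(o.value, o.address) for o in tx.outputs],
        "alice_balance": ledger.balance(alice),
        "carol_balance": ledger.balance({"carol-recv-1"}),
        "double_spend_rejected": double_spend_rejected,
        "exact_payment_outputs": len(tx2.outputs),
    }
```

Running demo() shows both halves of the thread's argument: Alice cannot pay 0.6 BTC without melting down both of her coins, so 0.1999 BTC comes back as change and 0.0001 BTC is left for the miner as the gap between inputs and outputs; Bob, whose single coin happens to be exactly 0.6 BTC, pays Carol with no change output. The failed second spend of Alice's 0.5 BTC coin is the replay protection gmaxwell mentions: once an outpoint is gone from the set there is nothing left to reference.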
shorena, Copper Member, Legendary
June 14, 2014, 06:19:59 PM  #16

-snip-
What if I created an account with my name on blockchain and there I have my only BTC address; it will still be my main one.

You can do this, but you should make a new address every time you get some coins. It's not like you have to.

joshraban76, Sr. Member
June 14, 2014, 06:25:01 PM  #17

-snip-
What if I created an account with my name on blockchain and there I have my only BTC address; it will still be my main one.

You can do this, but you should make a new address every time you get some coins. It's not like you have to.

May I know why?

Off-topic: Your PD signature is messed up somehow; the two blue lines are taller than the in-between sentence.

shorena, Copper Member, Legendary
June 14, 2014, 06:28:33 PM  #18

-snip-
What if I created an account with my name on blockchain and there I have my only BTC address; it will still be my main one.

You can do this, but you should make a new address every time you get some coins. It's not like you have to.

May I know why?

Because it is harder to know which person has how many coins if you use a new address for every transaction. It helps with the ano-/pseudonymity. If you always use the same address I only have to get that address and know how many bitcoins you have and where you spend them.


Off-topic: Your PD signature is messed up somehow; the two blue lines are taller than the in-between sentence.

That's the way Stunna wanted it when I copied it. I don't think it's a problem.

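shorena's point above (reuse one address and an observer only needs that address) and the OP's remark that change "can be linked during future spending" by a script are the same observation from two sides. The script below is an added example for this page, not code from the thread or from any chain-analysis product; it applies two well-known clustering heuristics that the thread itself does not spell out: all inputs of a transaction are assumed to belong to one wallet (someone had to sign for all of them), and in a two-output transaction an output address that has never appeared before is taken to be the change. The transaction history, addresses and txids are all constructed.

```python
"""Address clustering heuristics over a constructed transaction history.
Added example, not code from this thread or from any chain-analysis product. It
applies two textbook heuristics: (1) all inputs of one transaction belong to one
wallet, because one party had to sign for all of them; (2) in a two-output
transaction, an output address that has never appeared before is the change and
also belongs to the spender. Every address and txid below is made up."""
from typing import Dict, List, Set, Tuple

# (txid, input addresses, output addresses); empty inputs stand for a coinbase.
Tx = Tuple[str, List[str], List[str]]

class UnionFind:
    """Disjoint sets of addresses; union() attributes two addresses to one owner."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster(txs: List[Tx]) -> Dict[str, Set[str]]:
    """Map each address to the set an observer would attribute to the same wallet."""
    uf = UnionFind()
    seen: Set[str] = set()                  # every address that has appeared so far
    for _txid, ins, outs in txs:
        for a in ins:
            uf.find(a)                      # register the address
        for a in ins[1:]:                   # heuristic 1: common-input ownership
            uf.union(ins[0], a)
        seen.update(ins)
        if ins and len(outs) == 2:          # heuristic 2: the one fresh output is change
            fresh = [o for o in outs if o not in seen]
            if len(fresh) == 1:
                uf.union(ins[0], fresh[0])
        for o in outs:
            uf.find(o)
        seen.update(outs)
    groups: Dict[str, Set[str]] = {}
    for a in list(uf.parent):
        groups.setdefault(uf.find(a), set()).add(a)
    return {a: groups[uf.find(a)] for a in uf.parent}

# Constructed history. "shop-1" is a merchant address that is reused; that reuse is
# exactly what lets heuristic 2 single out the payer's change output.
SAMPLE_TXS: List[Tx] = [
    ("cb1", [], ["shop-1"]),
    ("cb2", [], ["alice-1"]),
    ("cb3", [], ["alice-2"]),
    ("cb4", [], ["alice-3"]),
    ("cb5", [], ["bob-1"]),
    # Alice pays the shop from two coins; the leftover goes to a fresh change address.
    ("t1", ["alice-1", "alice-2"], ["shop-1", "alice-chg-1"]),
    # Later she spends that change together with a third coin: alice-3 is linked too.
    ("t2", ["alice-chg-1", "alice-3"], ["shop-1", "alice-chg-2"]),
    # Bob pays the same shop from a single coin.
    ("t3", ["bob-1"], ["shop-1", "bob-chg-1"]),
    # Bob sends the change to Carol exactly: one output, nothing new to link.
    ("t4", ["bob-chg-1"], ["carol-1"]),
    # Carol pays Dave, who uses a fresh address: both outputs are new, so heuristic 2
    # cannot tell payment from change and links nothing.
    ("t5", ["carol-1"], ["dave-1", "carol-chg-1"]),
]

def wallet_of(address: str, txs: List[Tx] = SAMPLE_TXS) -> Set[str]:
    return cluster(txs)[address]
```

On this history all five of Alice's addresses, including both change outputs, collapse into one cluster even though she never reused an address; what gave her away was spending change together with another coin, and paying a merchant that reuses its receiving address. Carol's payment to Dave stays unlinked because both outputs were fresh, which is the behaviour shorena and Willisius are recommending: new address per receipt, on both sides of the payment.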
AlexGR (OP), Legendary
June 14, 2014, 06:38:00 PM  #19

Nice analogy. Thank you for your time answering this... I still have a problem digesting the "why can't I simply cut the gold bar in half and pay with half of it and keep the rest" instead of remelting it / recasting it into new bars.

I think I understand why it happens as it happens (because obviously it was designed to be performed that way) but I still have questions on why it was designed that way when it could have been designed in a more straightforward manner. Maybe this is a multi-layered redundancy against a QC-attack-vector.

There are at least 2 "convenient" coincidences regarding quantum-computing protection...

1) the use of addresses as a hash of the public key (a quantum computer can't extrapolate the private key based on the hash of the public key, but it can do so with the public key itself - so as long as there is no spending, the money is safe from QC-attacks)

2) the use of change => destroying prior input and creating change. Thus the remains are not vulnerable to a QC attack to the public key (neither should the main output if the recipient follows best practices on how he uses his addresses).

The design doesn't seem arbitrary. The fact that Satoshi didn't go for a quantum-resistant algorithm for public/private keys is the only troubling aspect - unless we presume there wasn't an adequate solution at his time or the solutions he considered were probably deemed problematic in some other way that we don't know of. But he sure did his best to secure the system anyway despite the lack of a QC-resistant algo.
Este Nuno, Legendary
June 14, 2014, 06:38:40 PM  #20

-snip-
What if I created an account with my name on blockchain and there I have my only BTC address; it will still be my main one.

You can do this, but you should make a new address every time you get some coins. It's not like you have to.

May I know why?

Off-topic: Your PD signature is messed up somehow; the two blue lines are taller than the in-between sentence.

I like to do it to keep everything separate. I can see which addresses received what funds from where just by looking at whatever address received the coins. If I gave address x to someone and it gets 0.5 BTC I know where it came from. That's one reason anyway.