Bitcoin Forum
Author Topic: Change addresses: What was the motive of Satoshi?  (Read 1448 times)
joshraban76 (Sr. Member)
June 14, 2014, 06:42:11 PM, post #21

Thank you for clarification.

It sounds wiser now.

DannyHamilton (Legendary)
June 15, 2014, 04:17:42 AM, post #22

You are asking two different questions (and I'm not even sure if you realize it).  Some people are responding to one of those questions, and other people are responding to the other question.  This is creating confusion and miscommunications.  I suppose, we need to start by figuring out which question you are trying to understand.

Question 1.
Why does a transaction need to include an output specifically for sending the change from the transaction back into the wallet? This could also be phrased as "Why was the protocol designed to spend previously spent outputs in their entirety?"

The answer to this question is that it is the most efficient and reliable way that Satoshi could come up with to create a trustless distributed system.  If you have a better way, go ahead and suggest it, but you'll almost certainly find that it won't work without a centralized trusted source of authority.

Question 2.
Why does the Bitcoin Core wallet choose to create a brand new address to send this change back to with every transaction sent, rather than sending to one of the existing "receiving addresses" in the wallet?

There are several answers to this question:
  • It slightly increases anonymity and privacy
  • It slightly increases security by maintaining 3 levels of cryptographic functions between the private key and the address
  • It allows a user to track where all the payments to their wallet came from, since they can give out a new receiving address for every transaction.
AlexGR (OP) (Legendary)
June 15, 2014, 05:50:52 AM, post #23

Quote from: DannyHamilton
You are asking two different questions (and I'm not even sure if you realize it).  Some people are responding to one of those questions, and other people are responding to the other question.  This is creating confusion and miscommunications.  I suppose, we need to start by figuring out which question you are trying to understand.

Question 1.
Why does a transaction need to include an output specifically for sending the change from the transaction back into the wallet? This could also be phrased as "Why was the protocol designed to spend previously spent outputs in their entirety?"

The answer to this question is that it is the most efficient and reliable way that Satoshi could come up with to create a trustless distributed system.  If you have a better way, go ahead and suggest it, but you'll almost certainly find that it won't work without a centralized trusted source of authority.

I don't "buy" that part - but I'm not necessarily implying you are "selling" it. The fact that Bitcoin is trustless is related to the PoW that makes it possible for the algorithm to determine the validity of transactions through network consensus - not because it uses change addresses.

I haven't done extensive research on other types of blockchains (PoW / PoS) that are written from scratch - perhaps someone that has a greater familiarity with such blockchains can tell us whether they are emulating Bitcoin's choice or if it is unique in Bitcoin.

Quote from: DannyHamilton
Question 2.
Why does the Bitcoin Core wallet choose to create a brand new address to send this change back to with every transaction sent, rather than sending to one of the existing "receiving addresses" in the wallet?

There are several answers to this question:
  • It slightly increases anonymity and privacy
  • It slightly increases security by maintaining 3 levels of cryptographic functions between the private key and the address
  • It allows a user to track where all the payments to their wallet came from, since they can give out a new receiving address for every transaction.

The first part seems slightly futile when you do a common spend and things get linked. But it is a slight increase, I agree.

The second part, IMO, can be a small factor or a large factor, depending on the point in time. In other words: Has a QC been developed (whether the public knows it or not) at a specific time? If the answer is yes, then money is far better protected.

The third part would be ok in theory but it creates more confusion for the average user due to all those tiny amounts that end up being an entire list. A visual representation tool would be, IMO, better for that purpose.
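The linking that AlexGR and DannyHamilton refer to (a "common spend" of two addresses ties them together; coin control avoids it) is exactly what chain-analysis tooling automates with the common-input-ownership heuristic plus a change-detection rule. The following is an added example written for this page, not code from any poster. The transaction histories are constructed toy data: address labels such as "A1" and "M1" are not real Bitcoin addresses, and the two heuristics are the simplest versions of what analysts use.

```python
"""Address clustering with the common-input-ownership heuristic.

Added example for this thread, not code from any poster. The transaction lists
below are constructed toy data: addresses are short labels ("A1", "M1"), not
real Bitcoin addresses, and amounts are in satoshis.
"""
from typing import Dict, List, Set, Tuple

# (txid, input addresses, [(output address, amount_sats)])
Tx = Tuple[str, List[str], List[Tuple[str, int]]]


class UnionFind:
    """Disjoint sets over address labels."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(txs: List[Tx]) -> UnionFind:
    """Link addresses an analyst would attribute to one wallet.

    Rule 1 (common-input-ownership): all inputs of one transaction are
    assumed to be controlled by the same entity.
    Rule 2 (fresh-change heuristic): in a two-output transaction where
    exactly one output address has never appeared on chain before, that
    fresh address is taken to be the change and is linked to the inputs.
    Both are heuristics: CoinJoin-style transactions and payments to a
    never-used merchant address both defeat them.
    """
    uf = UnionFind()
    seen: Set[str] = set()
    for _txid, ins, outs in txs:
        for a in ins:
            uf.union(ins[0], a)
        if ins and len(outs) == 2:
            fresh = [addr for addr, _ in outs if addr not in seen]
            if len(fresh) == 1:
                uf.union(ins[0], fresh[0])
        seen.update(ins)
        seen.update(addr for addr, _ in outs)
    return uf


def cluster_of(txs: List[Tx], addr: str) -> Set[str]:
    """All addresses the heuristics place in the same wallet as addr."""
    uf = cluster(txs)
    root = uf.find(addr)
    return {a for a in uf.parent if uf.find(a) == root}


# Constructed history: faucet F pays a user at A1 and A2 and a merchant at M1.
# The user then spends A1 and A2 together (a "common spend"), which links them
# and, via the fresh-change rule, links change address C1 too.
COMMON_SPEND: List[Tx] = [
    ("t0", ["F"], [("A1", 600_000), ("A2", 400_000), ("M1", 100_000)]),
    ("t1", ["A1", "A2"], [("M1", 900_000), ("C1", 99_000)]),
    ("t2", ["C1"], [("M2", 50_000), ("C2", 48_000)]),  # both outputs fresh: no change guess
]

# Same funds spent with coin control: A1 and A2 never appear in one
# transaction, so nothing ties them together.
COIN_CONTROL: List[Tx] = [
    ("t0", ["F"], [("A1", 600_000), ("A2", 400_000), ("M1", 100_000)]),
    ("t1", ["A1"], [("M1", 500_000), ("C1", 99_000)]),
    ("t2", ["A2"], [("M1", 300_000), ("C3", 99_000)]),
]

if __name__ == "__main__":
    print("common spend:", sorted(cluster_of(COMMON_SPEND, "A1")))
    print("coin control:", sorted(cluster_of(COIN_CONTROL, "A1")))
```

Running it shows the point both posters make: with the common spend, A1, A2 and the change address C1 collapse into one cluster; with coin control, A1 and A2 stay in separate clusters even though the same merchant was paid.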
DannyHamilton (Legendary)
June 15, 2014, 06:03:58 AM, post #24

Quote from: DannyHamilton
You are asking two different questions (and I'm not even sure if you realize it).  Some people are responding to one of those questions, and other people are responding to the other question.  This is creating confusion and miscommunications.  I suppose, we need to start by figuring out which question you are trying to understand.

Question 1.
Why does a transaction need to include an output specifically for sending the change from the transaction back into the wallet? This could also be phrased as "Why was the protocol designed to spend previously spent outputs in their entirety?"

The answer to this question is that it is the most efficient and reliable way that Satoshi could come up with to create a trustless distributed system.  If you have a better way, go ahead and suggest it, but you'll almost certainly find that it won't work without a centralized trusted source of authority.

Quote from: AlexGR
I don't "buy" that part - but I'm not necessarily implying you are "selling" it. The fact that Bitcoin is trustless is related to the PoW that makes it possible for the algorithm to determine the validity of transactions through network consensus - not because it uses change addresses.

I haven't done extensive research on other types of blockchains (PoW / PoS) that are written from scratch - perhaps someone that has a greater familiarity with such blockchains can tell us whether they are emulating Bitcoin's choice or if it is unique in Bitcoin.

You don't "buy" it because you want there to be a simpler way.  I've not heard of any better ways in the 28 months that I've been studying cryptocurrencies. Wanting something doesn't make it so.  If you know of any better ways, please suggest them, but anytime I've seen anyone try to present something that they think is simpler, it's been clear that they haven't really thought the process through and their idea is full of holes.
 
Quote from: DannyHamilton
Question 2.
Why does the Bitcoin Core wallet choose to create a brand new address to send this change back to with every transaction sent, rather than sending to one of the existing "receiving addresses" in the wallet?

There are several answers to this question:
  • It slightly increases anonymity and privacy
  • It slightly increases security by maintaining 3 levels of cryptographic functions between the private key and the address
  • It allows a user to track where all the payments to their wallet came from, since they can give out a new receiving address for every transaction.

Quote from: AlexGR
The first part seems slightly futile when you do a common spend and things get linked. But it is a slight increase, I agree.

Yes, a slight increase.  As you've mentioned, the increase in privacy and anonymity is rather insignificant unless the spender is using coin control and is very careful about how they structure their transactions.

Quote from: AlexGR
The second part, IMO, can be a small factor or a large factor, depending on the point in time. In other words: Has a QC been developed (whether the public knows it or not) at a specific time? If the answer is yes, then money is far better protected.

Even without QC, there is a distinct possibility that in the near future mathematicians could discover previously unknown weaknesses in ECDSA.  Such weaknesses might not result in the ability to calculate a private key from a public key in a few minutes, but even if it reduced the time to calculate a private key down to a few years (or months, or days, or hours) your bitcoins would be safe as long as they were associated with an address that had never had its private key used to sign any previous transactions.

Quote from: AlexGR
The third part would be ok in theory but it creates more confusion for the average user due to all those tiny amounts that end up being an entire list. A visual representation tool would be, IMO, better for that purpose.

It only causes confusion if you are trying to understand the technical details or use the wallet in a way that it isn't intended to be used.

If you create receiving addresses to receive bitcoins from people, and use the wallet to send bitcoins to people, and maintain a reasonable backup schedule, there isn't anything confusing about it.
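DannyHamilton's argument above rests on what the chain actually exposes at each stage: a receiving output commits only to a hash of the public key, and the public key itself appears on chain only when the key signs a spend. The script below is an added example written for this page, not code from the thread or from Bitcoin Core. It derives compressed public keys with secp256k1 scalar multiplication (standard-library only, so the curve arithmetic is written out), then audits a constructed UTXO set to separate value sitting behind a hash only from value on addresses whose public key is already exposed. Two simplifications are labelled in the code: the toy private keys 1, 2 and 3 are illustration values that must never hold funds, and the on-chain commitment is a truncated SHA-256 of the public key where real P2PKH uses RIPEMD160(SHA256(pubkey)); the layering argument does not depend on that choice.

```python
"""What a never-spent address reveals versus a spent one.

Added example, not code from the thread. secp256k1 arithmetic is written out
so the script runs with the standard library only. The toy private keys
(1, 2, 3) are illustration values and must never hold funds. Simplification,
labelled as such: the on-chain commitment here is SHA-256(pubkey) truncated to
20 bytes, where real P2PKH uses RIPEMD160(SHA256(pubkey)).
"""
import hashlib
from typing import List, Optional, Set, Tuple

# secp256k1 parameters (public constants from the curve specification)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity


def _add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def pubkey(priv: int) -> bytes:
    """Step 1: private key -> compressed SEC public key (double-and-add)."""
    if not 0 < priv < N:
        raise ValueError("private key out of range")
    result: Point = None
    addend: Point = G
    while priv:
        if priv & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        priv >>= 1
    x, y = result
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def address(pub: bytes) -> str:
    """Step 2: public key -> hash commitment; this is all a receiving output exposes."""
    return hashlib.sha256(pub).hexdigest()[:40]  # stands in for HASH160, see docstring


# Toy ledger: an output is (address, sats); a spending input carries the
# spender's public key, as a P2PKH scriptSig does. Signatures are omitted.
Tx = Tuple[List[bytes], List[Tuple[str, int]]]  # (input pubkeys, outputs)


def exposed_addresses(txs: List[Tx]) -> Set[str]:
    """Addresses whose public key is on chain because the key signed a spend."""
    return {address(pub) for ins, _ in txs for pub in ins}


def balance_by_exposure(utxos: List[Tuple[str, int]], txs: List[Tx]) -> Tuple[int, int]:
    """Split unspent value into (hash-only, pubkey-exposed) satoshis.

    In the weakened-ECDSA scenario of the post, the first bucket is still
    shielded by the hash; the second bucket is not.
    """
    exposed = exposed_addresses(txs)
    hash_only = sum(v for a, v in utxos if a not in exposed)
    revealed = sum(v for a, v in utxos if a in exposed)
    return hash_only, revealed


def demo() -> Tuple[int, int]:
    """Constructed wallet: one reused address, one idle address, one change address."""
    k_reused, k_idle, k_change = pubkey(1), pubkey(2), pubkey(3)  # toy keys only
    a_reused, a_idle, a_change = (address(k) for k in (k_reused, k_idle, k_change))
    txs: List[Tx] = [
        # A spend from a_reused: the input reveals k_reused permanently.
        ([k_reused], [("merchant", 4_900_000_000), (a_change, 99_000_000)]),
    ]
    # Current UTXO set: change on the fresh address, the untouched a_idle, and a
    # new payment that arrived at the already-spent a_reused (address reuse).
    utxos = [(a_change, 99_000_000), (a_idle, 300_000_000), (a_reused, 100_000_000)]
    return balance_by_exposure(utxos, txs)


if __name__ == "__main__":
    print("pubkey(1) =", pubkey(1).hex())
    print("(hash-only sats, pubkey-exposed sats) =", demo())
```

The audit is the check a wallet owner can run against their own UTXO set: any value that later lands on an address that has already signed a spend is in the exposed bucket, which is the cost of address reuse that the fresh-change-address behaviour avoids.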
jl2012 (Legendary)
June 15, 2014, 06:19:51 AM, post #25

Quote from: AlexGR
I don't "buy" that part - but I'm not necessarily implying you are "selling" it.

Please describe HOW your ideal system works, not just tell us what system you want. If you can't describe an alternative system, just accept what we have.

AlexGR (OP) (Legendary)
June 15, 2014, 06:54:41 AM, post #26

Quote from: jl2012
Quote from: AlexGR
I don't "buy" that part - but I'm not necessarily implying you are "selling" it.

Please describe HOW your ideal system works, not just tell us what system you want. If you can't describe an alternative system, just accept what we have.

There is no need to be defensive like I'm "challenging" the entire system. My money is on the system that we have, so... take that as a vote of confidence.

As for the ideal system - in the context of transactions - well, it would be more straightforward in the sense that I have 10 BTCs, I give you 7.3 BTCs and I'm left with 2.7 BTCs. Can I code a fork of Bitcoin and make it work? No because I haven't coded in like 15-20 years and thus I suck at it.

As for the ideal system - in a broader sense - I think it would have to be something that is both trustless and decentralized, yet doesn't suffer from the 51% vector. The only way that I can think of, to do that, is the AI route: A trustless solution in the form of a self-aware supra-human AI network taking care of the transactions instead of a "dumb" if-then-else network. The reliability would be higher in the sense that it would still be a computer algorithm in charge, but it would be free of the human politics and bias + it would eliminate the need for 51% miner consensus or 51% stake consensus.

But it wouldn't only take care of transactions, it would be like a personal banker, but at the same time an efficient network administrator that prevents DOS attacks and manages the network load + distributing the storage requirements of the network to its nodes + ensuring the anonymity and privacy of its users by autonomously taking decisions that break pattern recognition and analysis by other AI software. It would also need to have QC-resistance and forking self-awareness when parts of the network go down (the AI would be decentralized - so, say, if Syria went offline, the AI part of the network would understand that transactions with the outside world would be problematic and the other AI part of the network residing in the global fork would understand Syria is "cut-off").

Authentication on said network could probably be done with ways that are unavailable today, like the network "operator" (AI) directly interfacing with the user and checking him out for his face, voice characteristics etc - instead of using keys. Keys could co-exist but they would be optional for the most part as people would interact with the AI.

Human-machine integration could also allow for authentication by producing keys that are unique to the individual, through external devices attached to one's body or internal implants. That's the part I don't like, but by the time suprahuman AI is available, human-machine integration will be a reality anyway in some degree or the other.

Escrow capabilities would be easy for that type of network and the potential for running other type of services on it (due to the supra-human intelligence associated with its operation) would be significant.
DannyHamilton (Legendary)
June 15, 2014, 07:09:11 AM, post #27

Quote from: AlexGR
Quote from: jl2012
Quote from: AlexGR
I don't "buy" that part - but I'm not necessarily implying you are "selling" it.

Please describe HOW your ideal system works, not just tell us what system you want. If you can't describe an alternative system, just accept what we have.
- snip -
As for the ideal system - in the context of transactions - well, it would be more straightforward in the sense that I have 10 BTCs, I give you 7.3 BTCs and I'm left with 2.7 BTCs.
- snip -

This is what already happens with change.  You have unspent outputs, for which the sum is 10 BTC.  You create a transaction that is funded by some of those unspent outputs.  The transaction makes sure that when it is confirmed, I will have a new unspent output valued at 7.3 BTC, and the sum of your unspent outputs will be 2.7 BTC.

The point is, to create a trustless distributed system, you need a way for the receiver to know for certain that you have control of the 7.3 BTC that you are sending them.  You also need a way to prevent you from sending that same 7.3 BTC to multiple people.

This is handled by having a chain of signed transactions where the input to a transaction is one or more previously unspent outputs, and the transaction then creates one or more new unspent outputs.

So, change is what allows the system to do exactly what you've asked.  I haven't heard of any better ways to do it.  Have you?

Quote from: AlexGR
As for the ideal system - in a broader sense - I think it would have to be something that is both trustless and decentralized, yet doesn't suffer from the 51% vector. The only way that I can think of, to do that, is {a bunch of Sci-Fi fantasy that would require centralization in the form of an "artificial intelligence" in place of an individual or organization, requiring trust in the "AI" to be beyond outside influence, and to always act in an honest and trustworthy manner}
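DannyHamilton's description of change in post #22 (outputs are spent in their entirety, so the remainder must be paid back to the wallet) and his worked 10 / 7.3 / 2.7 BTC case in post #27 are both captured by the following added example, written for this page and not code from the thread or from Bitcoin Core. It models a UTXO set, builds a payment that consumes whole outputs and returns change, validates it the way a node would (every input must be an existing unspent output, and outputs may not exceed inputs), and shows the same inputs being rejected a second time, which is the double-spend protection the post describes. All names, address labels, txids and amounts are constructed; the dust threshold and largest-first coin selection are simplifications chosen for the example.

```python
"""Funding a payment from unspent outputs: change, fee, and double-spend rejection.

Added example for DannyHamilton's description of change (posts #22 and #27),
not code from the thread. Every name, address label and amount here is
constructed: "alice_1", "bob" and txids like "fund" are toy identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SATS = 100_000_000  # satoshis per BTC
DUST = 546          # below this, leftover is better left to the miner than kept


@dataclass(frozen=True)
class OutPoint:
    txid: str
    vout: int


@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]
    outputs: List[Tuple[str, int]]  # (address, sats); each output is later spent whole


class UtxoSet:
    """The set of outputs that exist and have not yet been spent."""

    def __init__(self) -> None:
        self._u: Dict[OutPoint, Tuple[str, int]] = {}

    def coinbase(self, tx: Tx) -> None:
        """Seed new coins with no inputs (stand-in for a block reward)."""
        for i, out in enumerate(tx.outputs):
            self._u[OutPoint(tx.txid, i)] = out

    def apply(self, tx: Tx) -> int:
        """Validate tx the way a node does, then update the set. Returns the fee."""
        total_in = 0
        for op in tx.inputs:
            if op not in self._u:            # already spent, or never existed
                raise ValueError(f"{op.txid}:{op.vout} is not an unspent output")
            total_in += self._u[op][1]
        if any(v <= 0 for _, v in tx.outputs):
            raise ValueError("non-positive output")
        total_out = sum(v for _, v in tx.outputs)
        if total_out > total_in:
            raise ValueError("outputs exceed inputs")
        for op in tx.inputs:                 # inputs are consumed in their entirety
            del self._u[op]
        for i, out in enumerate(tx.outputs):
            self._u[OutPoint(tx.txid, i)] = out
        return total_in - total_out          # the implicit miner fee

    def owned_by(self, addrs: List[str]) -> List[Tuple[OutPoint, int]]:
        return [(op, v) for op, (a, v) in self._u.items() if a in addrs]

    def balance(self, addrs: List[str]) -> int:
        return sum(v for _, v in self.owned_by(addrs))


def build_payment(utxos: UtxoSet, own: List[str], to: str, amount: int,
                  fee: int, change_addr: str, txid: str) -> Tx:
    """Select inputs largest-first until amount + fee is covered; return the change."""
    chosen: List[OutPoint] = []
    gathered = 0
    for op, v in sorted(utxos.owned_by(own), key=lambda t: -t[1]):
        chosen.append(op)
        gathered += v
        if gathered >= amount + fee:
            break
    if gathered < amount + fee:
        raise ValueError("insufficient funds")
    outputs = [(to, amount)]
    change = gathered - amount - fee
    if change > DUST:
        outputs.append((change_addr, change))  # otherwise the leftover joins the fee
    return Tx(txid, chosen, outputs)


def demo() -> Dict[str, int]:
    """Alice holds 6 + 4 BTC and pays Bob 7.3 BTC; the remainder comes back as change."""
    chain = UtxoSet()
    chain.coinbase(Tx("fund", [], [("alice_1", 6 * SATS), ("alice_2", 4 * SATS)]))
    fee = 10_000
    pay = build_payment(chain, ["alice_1", "alice_2"], "bob", 7 * SATS + 30_000_000,
                        fee, "alice_change_1", "pay1")
    chain.apply(pay)
    # Re-spending the same inputs is a double spend and must be rejected.
    try:
        chain.apply(Tx("pay2", pay.inputs, [("mallory", 1 * SATS)]))
        rejected = 0
    except ValueError:
        rejected = 1
    return {
        "bob": chain.balance(["bob"]),
        "alice": chain.balance(["alice_1", "alice_2", "alice_change_1"]),
        "inputs_used": len(pay.inputs),
        "double_spend_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Both of Alice's outputs are consumed whole, Bob receives 7.3 BTC as a new output, and the change output holds 2.7 BTC less the fee; the second transaction referencing the same outpoints fails because they no longer exist in the set, which is the property the post says the change mechanism buys.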