Allowing (or at least making standard) a small hash in a transaction would encourage merchant to just use a single address instead of forcing them to use a different address for each transaction. If the hash is too small, it then becomes possible for someone other than the sender of the transactions to impersonate the customer and convince the merchant to "refund" the transaction to their account.
I still don't get it. You make a transaction with a merchant with a hashed receipt in the transaction. This receipt lets the merchant know which payment this is. Refunds will still be handled over the internet as usual and the customer can provide a payment address. There is nothing that a birthday attack on 18 quintillion can accomplish here. This hash is not being used to convince anyone of anything, it is only informative. Perhaps if the transaction were completely anonymous like a silk road purchase (lol refunds) there might be some remote issue here, but the would-be attacker would have to somehow know everything about the existing transaction and somehow intercept communications between user and merchant, and even then all they would have to do is replace the payment address, no attack on the hash required.
Under the current coin-selection rules used by most clients, this is only presently the case. A business could, instead, make their payments in chunks to several different addresses over several different transactions over multiple days. All except for the last transaction wouldn't contain a change output. However, the other transactions could also include a fake change output that really also just goes to another one of the addresses of the person they're paying, another one of their own wallets that would never again be mixed with the receiving wallet, or even better, someone else that they have to pay.
With such a setup, the most you can learn about are the other transaction outputs that were combined with yours. Even then, they don't even need to do that and just send each output entirely to another unique address.
If you spot any holes in this, I can think of ways to complicate it further.
Businesses are just going to love having to hire someone to configure their bitcoin transactions. Anyways, all it takes is a few legitimate purchases every so often by the company trying to spy, and then if the payment receiver decides to combine inputs that includes one of those purchases, the spy has a direct link. How is a business supposed to make sure everyone they send payments to will be as thorough as they are? The weakest link in the chain and all. And this
does bloat the blockchain if every business works this way. Every small transaction can never (or not often) be combined with another lest obscurity be broken for the previous payer. Once lots of transactions are combined into one, that is only one input that need be in the merkle tree. If every transaction stays separate, all inputs must be maintained. Businesses must keep massive amounts of payment wallets for everyone they work with. It is not very elegant.
