Topic: Change addresses: What was the motive of Satoshi? (Read 1488 times)

This is what already happens with change.  You have unspent outputs, for which the sum is 10 BTC.  You create a transaction that is funded by some of those unspent outputs.  The transaction makes sure that when it is confirmed, I will have a new unspent output valued at 7.3 BTC, and the sum of your unspent outputs will be 2.7 BTC.

The point is, to create a trustless distributed system, you need a way for the receiver to know for certain that you have control of the 7.3 BTC that you are sending them.  You also need a way to prevent you from sending that same 7.3 BTC to multiple people.

This is handled by having a chain of signed transactions where the input to a transaction is one or more previously unspent outputs, and the transaction then creates one or more new unspent outputs.

So, change is what allows the system to do exactly what you've asked.  I haven't heard of any better ways to do it.  Have you?

There is no need to be defensive like I'm "challenging" the entire system. My money is on the system that we have, so... take that as a vote of confidence.

As for the ideal system - in the context of transactions - well, it would be more straightforward in the sense that I have 10 BTCs, I give you 7.3 BTCs and I'm left with 2.7 BTCs. Can I code a fork of Bitcoin and make it work? No because I haven't coded in like 15-20 years and thus I suck at it.

As for the ideal system - in a broader sense - I think it would have to be something that is both trustless and decentralized, yet doesn't suffer from the 51% vector. The only way that I can think of, to do that, is the AI route: A trustless solution in the form of a self-aware supra-human AI network taking care of the transactions instead of a "dumb" if-then-else network. The reliability would be higher in the sense that it would still be a computer algorithm in charge, but it would be free of the human politics and bias + it would eliminate the need for 51% miner consensus or 51% stake consensus.

But it wouldn't only take care of transactions, it would be like a personal banker, but at the same time an efficient network administrator that prevents DOS attacks and manages the network load + distributing the storage requirements of the network to its nodes + ensuring the anonymity and privacy of its users by autonomously taking decisions that break pattern recognition and analysis by other AI software. It would also need to have QC-resistance and forking self-awareness when parts of the network go down (the AI would be decentralized - so, say, if Syria went offline, the AI part of the network would understand that transactions with the outside world would be problematic and the other AI part of the network residing in the global fork would understand Syria is "cut-off").

Authentication on said network could probably be done with ways that are unavailable today, like the network "operator" (AI) directly interfacing with the user and checking him out for his face, voice characteristics etc - instead of using keys. Keys could co-exist but they would be optional for the most part as people would interact with the AI.

Human-machine integration could also allow for authentication by producing keys that are unique to the individual, through external devices attached to one's body or internal implants. That's the part I don't like, but by the time suprahuman AI is available, human-machine integration will be a reality anyway in some degree or the other.

Escrow capabilities would be easy for that type of network and the potential for running other type of services on it (due to the supra-human intelligence associated with its operation) would be significant.

Please describe HOW your ideal system works, not just tell us what system you want. If you can't describe an alternative system, just accept what we have

You don't "buy" it because you want there to be a simpler way.  I've not heard of any better ways in the 28 months that I've been studying cryptocurrencies. Wanting something doesn't make it so.  If you know of any better ways, please suggest them, but anytime I've seen anyone try to present something that they thing is simpler it's been clear that they haven't really thought the process through and their idea is full of holes.
 

Yes, a slight increase.  As you've mentioned, the increase in privacy and anonymity is rather insignificant unless the spender is using coin control and is very careful about how they structure their transactions.


Even without QC, there is a distinct possibility that in the near future mathematicians could discover previously unknown weaknesses in ECDSA.  Such weaknesses might not result in the ability to calculate a private key from a public key in a few minutes, but even if it reduced the time to calculate a private key down to a few years (or months, or days, or hours) your bitcoins would be safe as long as they were associated with an address that had never had its private key used to sign any previous transactions.


It only causes confusion if you are trying to understand the technical details or use the wallet in a way that it isn't intended to be used.

If you create receiving addresses to receive bitcoins from people, and use the wallet to send bitcoins to people, and maintain a reasonable backup schedule, there isn't anything confusing about it.

I don't "buy" that part - but I'm not necessarily implying you are "selling" it. The fact that Bitcoin is trustless is related to the PoW that makes it possible for the algorithm to determine the validity of transactions through network consensus - not because it uses change addresses.

I haven't done extensive research on other types of blockchains (PoW / PoS) that are written from scratch - perhaps someone that has a greater familiarity with such blockchains can tell us whether they are emulating Bitcoin's choice or if it is unique in Bitcoin.


The first part seems slightly futile when you do a common spend and things get linked. But it is a slight increase, I agree.

The second part, IMO, can be a small factor or a large factor, depending the point of time. In other words: Has a QC been developed (whether the public knows it or not) at a specific time? If the answer is yes, then money are far better protected.

The third part would be ok in theory but it creates more confusion for the average user due to all those tiny amounts that end up being an entire list. A visual representation tool would be, IMO, better for that purpose.

You are asking two different questions (and I'm not even sure if you realize it).  Some people are responding to one of those questions, and other people are responding to the other question.  This is creating confusion and miscommunications.  I suppose, we need to start by figuring out which question you are trying to understand.

Question 1.
Why does a transaction need to include an output specifically for sending the change from the transaction back into the wallet? This could also be phrased as "Why was the protocol designed to spend previously spent outputs in their entirety?"

The answer to this question is that it is the most efficient and reliable way that Satoshi could come up with to create a trustless distributed system.  If you have a better way, go ahead and suggest it, but you'll almost certainly find that it won't work without a centralized trusted source of authority.

Question 2.
Why does the Bitcoin Core wallet choose to create a brand new address to send this change back to with every transaction sent, rather then sending to one of the existing "receiving addresses" in the wallet?

There are several answers to this question:

• It slightly increases anonymity and privacy
• It slightly increases security by maintaining 3 levels of cryptographic functions between the private key and the address
• It allows a user to track where all the payments to their wallet came from, since they can give out a new receiving address for every transaction.

Thank you for clarification.

It sounds wiser now.

I like to do it keep everything separate. I can see which addresses received what funds from where just by looking at whatever address received the coins. If i gave address x to someone and it gets a 0.5 btc I know where it came from. That's one reason anyway.

Nice analogy. Thank you for your time answering this... I still have a problem digesting the "why can't I simply cut the gold bar in half and pay with half of it and keep the rest" instead of remelting it / recasting it into new bars.

I think I understand why it happens as it happens (because obviously it was designed to be performed that way) but I still have questions on why it was designed that way when it could have been designed in a more straightforward manner. Maybe this is a multi-layered redundancy against a QC-attack-vector.

There are at least 2 "convenient" coincidences regarding quantum-computing protection...

1) the use of addresses as a hash of the public key (a quantum computer can't extrapolate the private key based on the hash of the public key, but it can do so with the public key itself - so as far as there is no spending, the money are safe from QC-attacks)

2) the use of change => destroying prior input and creating change. Thus the remains are not vulnerable to a QC attack to the public key (neither should the main output if the recipient follows best practices on how he uses his addresses).

The design doesn't seem arbitrary. The fact that Satoshi didn't go for a quantum-resistant algorithm for public/private keys is the only troubling aspect - unless we presume there wasn't an adequate solution at his time or the solutions he considered were probably deemed problematic in some other way that we don't know of. But he sure made his best to secure the system anyway despite the lack of QC-resistant algo.

Because it is harder to know which person has how many coins if you use a new address for every transaction. It helps with the ano-/pseudonymitiy. If you allways use the same address I only have to get that address and know how much bitcoins you have and where you spend them to.



Thats the way Stunna wanted it when I copied it. I dont think its a problem.

May I know why ?

Off-topic :- Your PD signature is messed somehow, the two blue lines are taller than the in-between sentence.

You can do this, but you should make a new address for every time you get some coins. Its not like you have to.

Sorry, you misunderstand Bitcoin horribly— you're in good company: The blockexplorers present a cooked view of the system to make things simpler, but promote this sort of misunderstanding as an unfortunate side effect.

In Bitcoin you cannot send a precise amount. You must send an amount which is a sum of some subset of the amounts you've previously received. A good mental model is to imagine that when someone pays you they give you a metal coin with a certain weight (value) with a public key of yours written on it.  You know which payment was being made by virtue of which public key received the funds.  When you later want to spend the coin you visit a forge (the network) and ask it to melt down one or more coins that you have and make one or more new coins of equal or lesser weight with whatever public keys you want to be paid paid inscribed on them and you present signatures to show you were authorized to spend the coin(s).

The Bitcoin blockchain has no "balances" and instead tracks atomic "coins" (transaction outputs). When your wallet authors a transaction it picks one or more of the payments you've previously received to spend completely. Often the amount is more than the amount you are spending (obviously it cannot be less), and so you need to take change as part of the transaction.

The coin tracking design is important because it prevents replay and also allows clear deterministic behavior in the event of reorganization. The lack of any persistent accounts is also beneficial for privacy.

What if I created a account with my name on blockchain and there I've my only one BTC address, still it will be my main one.

He is right.  This is directly from Satoshi's white paper (Section 9): https://bitcoin.org/bitcoin.pdf


Yes.  Transactions destroy inputs (in their entirety) and create new outputs.  The rule is that the sum of the outputs must be less than the sum of the inputs for the transaction to be valid.

Key question: Are change addresses *needed* for this splitting and recombination? Can't they just be performed on a transaction basis?

Think a bit more about what it means for Bitcoin to be a distributed computer.

Also, the word "Bitcoin" doesn't only have one meaning.

"What is needed is an electronic payment system based on cryptographic proof instead of trust,
allowing any two willing parties to transact directly with each other without the need for a trusted
third party."

--Satoshi (whitepaper)

Understand that "coins" get split up and recombined all the time.

So your 100 received 0.001 BTC's can be sent out as 0.1 BTC (so the system doesn't *break down* because of everything turning into dust).

The point all along is to help keep things more "anonymous" and "coin control" can help in giving you more "control" over this process.

Treating Bitcoin like an electronic payment system is a very artificial limitation for a distributed computer.