
Topic: Change addresses: What was the motive of Satoshi? (Read 1507 times)

legendary
Activity: 3528
Merit: 4945

I don't "buy" that part - but I'm not necessarily implying you are "selling" it.

Please describe HOW your ideal system works, not just tell us what system you want. If you can't describe an alternative system, just accept what we have
- snip -
As for the ideal system - in the context of transactions - well, it would be more straightforward in the sense that I have 10 BTCs, I give you 7.3 BTCs and I'm left with 2.7 BTCs.
- snip -

This is what already happens with change.  You have unspent outputs, for which the sum is 10 BTC.  You create a transaction that is funded by some of those unspent outputs.  The transaction makes sure that when it is confirmed, I will have a new unspent output valued at 7.3 BTC, and the sum of your unspent outputs will be 2.7 BTC.

The point is, to create a trustless distributed system, you need a way for the receiver to know for certain that you have control of the 7.3 BTC that you are sending them.  You also need a way to prevent you from sending that same 7.3 BTC to multiple people.

This is handled by having a chain of signed transactions where the input to a transaction is one or more previously unspent outputs, and the transaction then creates one or more new unspent outputs.

So, change is what allows the system to do exactly what you've asked.  I haven't heard of any better ways to do it.  Have you?

As for the ideal system - in a broader sense - I think it would have to be something that is both trustless and decentralized, yet doesn't suffer from the 51% vector. The only way that I can think of, to do that, is {a bunch of Sci-Fi fantasy that would require centralization in the form of an "artificial intelligence" in place of an individual or organization, requiring trust in the "AI" to be beyond outside influence, and to always act in an honest and trustworthy manner}
legendary
Activity: 1708
Merit: 1049

I don't "buy" that part - but I'm not necessarily implying you are "selling" it.

Please describe HOW your ideal system works, not just tell us what system you want. If you can't describe an alternative system, just accept what we have

There is no need to be defensive like I'm "challenging" the entire system. My money is on the system that we have, so... take that as a vote of confidence.

As for the ideal system - in the context of transactions - well, it would be more straightforward in the sense that I have 10 BTCs, I give you 7.3 BTCs and I'm left with 2.7 BTCs. Can I code a fork of Bitcoin and make it work? No because I haven't coded in like 15-20 years and thus I suck at it.

As for the ideal system - in a broader sense - I think it would have to be something that is both trustless and decentralized, yet doesn't suffer from the 51% vector. The only way that I can think of, to do that, is the AI route: A trustless solution in the form of a self-aware supra-human AI network taking care of the transactions instead of a "dumb" if-then-else network. The reliability would be higher in the sense that it would still be a computer algorithm in charge, but it would be free of the human politics and bias + it would eliminate the need for 51% miner consensus or 51% stake consensus.

But it wouldn't only take care of transactions, it would be like a personal banker, but at the same time an efficient network administrator that prevents DOS attacks and manages the network load + distributing the storage requirements of the network to its nodes + ensuring the anonymity and privacy of its users by autonomously taking decisions that break pattern recognition and analysis by other AI software. It would also need to have QC-resistance and forking self-awareness when parts of the network go down (the AI would be decentralized - so, say, if Syria went offline, the AI part of the network would understand that transactions with the outside world would be problematic and the other AI part of the network residing in the global fork would understand Syria is "cut-off").

Authentication on said network could probably be done with ways that are unavailable today, like the network "operator" (AI) directly interfacing with the user and checking him out for his face, voice characteristics etc - instead of using keys. Keys could co-exist but they would be optional for the most part as people would interact with the AI.

Human-machine integration could also allow for authentication by producing keys that are unique to the individual, through external devices attached to one's body or internal implants. That's the part I don't like, but by the time suprahuman AI is available, human-machine integration will be a reality anyway in some degree or the other.

Escrow capabilities would be easy for that type of network and the potential for running other type of services on it (due to the supra-human intelligence associated with its operation) would be significant.
legendary
Activity: 1792
Merit: 1121


I don't "buy" that part - but I'm not necessarily implying you are "selling" it.



Please describe HOW your ideal system works, not just tell us what system you want. If you can't describe an alternative system, just accept what we have
legendary
Activity: 3528
Merit: 4945
You are asking two different questions (and I'm not even sure if you realize it).  Some people are responding to one of those questions, and other people are responding to the other question.  This is creating confusion and miscommunications.  I suppose, we need to start by figuring out which question you are trying to understand.

Question 1.
Why does a transaction need to include an output specifically for sending the change from the transaction back into the wallet? This could also be phrased as "Why was the protocol designed to spend previously spent outputs in their entirety?"

The answer to this question is that it is the most efficient and reliable way that Satoshi could come up with to create a trustless distributed system.  If you have a better way, go ahead and suggest it, but you'll almost certainly find that it won't work without a centralized trusted source of authority.

I don't "buy" that part - but I'm not necessarily implying you are "selling" it. The fact that Bitcoin is trustless is related to the PoW that makes it possible for the algorithm to determine the validity of transactions through network consensus - not because it uses change addresses.

I haven't done extensive research on other types of blockchains (PoW / PoS) that are written from scratch - perhaps someone that has a greater familiarity with such blockchains can tell us whether they are emulating Bitcoin's choice or if it is unique in Bitcoin.

You don't "buy" it because you want there to be a simpler way.  I've not heard of any better ways in the 28 months that I've been studying cryptocurrencies. Wanting something doesn't make it so.  If you know of any better ways, please suggest them, but anytime I've seen anyone try to present something that they think is simpler, it's been clear that they haven't really thought the process through and their idea is full of holes.
 
Question 2.
Why does the Bitcoin Core wallet choose to create a brand new address to send this change back to with every transaction sent, rather than sending to one of the existing "receiving addresses" in the wallet?

There are several answers to this question:
  • It slightly increases anonymity and privacy
  • It slightly increases security by maintaining 3 levels of cryptographic functions between the private key and the address
  • It allows a user to track where all the payments to their wallet came from, since they can give out a new receiving address for every transaction.

The first part seems slightly futile when you do a common spend and things get linked. But it is a slight increase, I agree.

Yes, a slight increase.  As you've mentioned, the increase in privacy and anonymity is rather insignificant unless the spender is using coin control and is very careful about how they structure their transactions.

The second part, IMO, can be a small factor or a large factor, depending on the point in time. In other words: Has a QC been developed (whether the public knows it or not) at a specific time? If the answer is yes, then the money is far better protected.

Even without QC, there is a distinct possibility that in the near future mathematicians could discover previously unknown weaknesses in ECDSA.  Such weaknesses might not result in the ability to calculate a private key from a public key in a few minutes, but even if it reduced the time to calculate a private key down to a few years (or months, or days, or hours) your bitcoins would be safe as long as they were associated with an address that had never had its private key used to sign any previous transactions.

The third part would be ok in theory but it creates more confusion for the average user due to all those tiny amounts that end up being an entire list. A visual representation tool would be, IMO, better for that purpose.

It only causes confusion if you are trying to understand the technical details or use the wallet in a way that it isn't intended to be used.

If you create receiving addresses to receive bitcoins from people, and use the wallet to send bitcoins to people, and maintain a reasonable backup schedule, there isn't anything confusing about it.
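To make the "common spend links things" point above concrete, here is an added example (not code from the thread or from any chain-analysis product) of the two heuristics an analyst applies: every input of one transaction is assumed to belong to one wallet, and, optionally, in a two-output transaction the output paying a never-seen address is taken to be change. The transaction histories are constructed; addresses are plain labels and amounts are left out because neither heuristic needs them.

```python
"""Address clustering by the two heuristics chain analysts apply.

Added example, not code from the thread or from any chain-analysis product.
Transactions are constructed tuples (txid, input addresses, output addresses);
addresses are plain labels and amounts are omitted because neither heuristic
needs them."""


class UnionFind:
    """Disjoint sets over address labels."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(txs, use_change_heuristic=False):
    """Return a set of frozensets, one per inferred wallet.

    Common-input ownership: all inputs of one transaction had to be signed to
    produce it, so they are assumed to belong to one wallet.
    Change heuristic (optional): in a two-output transaction where one output
    pays an address already seen on chain and the other a brand-new one, the
    brand-new output is taken to be change and joins the inputs' wallet."""
    uf = UnionFind()
    seen = set()
    for _txid, inputs, outputs in txs:
        if not inputs:                       # coinbase: nothing to link
            seen.update(outputs)
            continue
        for addr in inputs:
            uf.union(inputs[0], addr)
        if use_change_heuristic and len(outputs) == 2:
            fresh = [a for a in outputs if a not in seen]
            if len(fresh) == 1:
                uf.union(inputs[0], fresh[0])
        seen.update(inputs)
        seen.update(outputs)
    groups = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return {frozenset(g) for g in groups.values()}


def cluster_of(clusters, addr):
    """The inferred wallet containing addr (a singleton if it was never linked)."""
    for group in clusters:
        if addr in group:
            return group
    return frozenset({addr})


# Constructed histories. B1 is a merchant's reused address; A* are Alice's.
CARELESS = [
    ("t0", ["X1"], ["B1", "X2"]),        # someone else pays B1, so B1 is "seen"
    ("t1", ["A1"], ["B1", "A3"]),        # Alice pays B1, change goes to fresh A3
    ("t2", ["A2", "A3"], ["C1", "A4"]),  # she later co-spends A2 with that change
]
COIN_CONTROL = [
    ("t0", ["X1"], ["B1", "X2"]),
    ("t1", ["A1"], ["B1", "A3"]),
    ("t2", ["A2"], ["C1", "A4"]),        # A2 spent on its own
    ("t3", ["A3"], ["D1", "A5"]),        # the change spent on its own
]


if __name__ == "__main__":
    for name, history in (("careless", CARELESS), ("coin control", COIN_CONTROL)):
        for heuristic in (False, True):
            print(name, "with change heuristic" if heuristic else "common input only",
                  sorted(cluster_of(cluster(history, heuristic), "A1")))
```

With common input ownership alone, the fresh change address A3 is linked to A2 only once Alice co-spends them; adding the change heuristic links A1 as well, which is her whole wallet. In the coin-control history the same wallet yields two unrelated clusters, which is the "slight" gain the post describes. CoinJoin-style transactions, whose inputs really do belong to different people, break the first assumption, and a payee who also hands out a fresh address for every payment defeats the second; both heuristics are guesses, not proofs.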
legendary
Activity: 1708
Merit: 1049
You are asking two different questions (and I'm not even sure if you realize it).  Some people are responding to one of those questions, and other people are responding to the other question.  This is creating confusion and miscommunications.  I suppose, we need to start by figuring out which question you are trying to understand.

Question 1.
Why does a transaction need to include an output specifically for sending the change from the transaction back into the wallet? This could also be phrased as "Why was the protocol designed to spend previously spent outputs in their entirety?"

The answer to this question is that it is the most efficient and reliable way that Satoshi could come up with to create a trustless distributed system.  If you have a better way, go ahead and suggest it, but you'll almost certainly find that it won't work without a centralized trusted source of authority.

I don't "buy" that part - but I'm not necessarily implying you are "selling" it. The fact that Bitcoin is trustless is related to the PoW that makes it possible for the algorithm to determine the validity of transactions through network consensus - not because it uses change addresses.

I haven't done extensive research on other types of blockchains (PoW / PoS) that are written from scratch - perhaps someone that has a greater familiarity with such blockchains can tell us whether they are emulating Bitcoin's choice or if it is unique in Bitcoin.

Question 2.
Why does the Bitcoin Core wallet choose to create a brand new address to send this change back to with every transaction sent, rather than sending to one of the existing "receiving addresses" in the wallet?

There are several answers to this question:
  • It slightly increases anonymity and privacy
  • It slightly increases security by maintaining 3 levels of cryptographic functions between the private key and the address
  • It allows a user to track where all the payments to their wallet came from, since they can give out a new receiving address for every transaction.

The first part seems slightly futile when you do a common spend and things get linked. But it is a slight increase, I agree.

The second part, IMO, can be a small factor or a large factor, depending on the point in time. In other words: Has a QC been developed (whether the public knows it or not) at a specific time? If the answer is yes, then the money is far better protected.

The third part would be ok in theory but it creates more confusion for the average user due to all those tiny amounts that end up being an entire list. A visual representation tool would be, IMO, better for that purpose.
legendary
Activity: 3528
Merit: 4945
You are asking two different questions (and I'm not even sure if you realize it).  Some people are responding to one of those questions, and other people are responding to the other question.  This is creating confusion and miscommunications.  I suppose, we need to start by figuring out which question you are trying to understand.

Question 1.
Why does a transaction need to include an output specifically for sending the change from the transaction back into the wallet? This could also be phrased as "Why was the protocol designed to spend previously spent outputs in their entirety?"

The answer to this question is that it is the most efficient and reliable way that Satoshi could come up with to create a trustless distributed system.  If you have a better way, go ahead and suggest it, but you'll almost certainly find that it won't work without a centralized trusted source of authority.

Question 2.
Why does the Bitcoin Core wallet choose to create a brand new address to send this change back to with every transaction sent, rather than sending to one of the existing "receiving addresses" in the wallet?

There are several answers to this question:
  • It slightly increases anonymity and privacy
  • It slightly increases security by maintaining 3 levels of cryptographic functions between the private key and the address
  • It allows a user to track where all the payments to their wallet came from, since they can give out a new receiving address for every transaction.
sr. member
Activity: 252
Merit: 250
Thank you for clarification.

It sounds wiser now.
legendary
Activity: 826
Merit: 1002
amarha
-snip-
What if I created an account with my name on the blockchain and there I have only one BTC address; still it will be my main one.

You can do this, but you should make a new address for every time you get some coins. It's not like you have to.

May I know why ?

Off-topic :- Your PD signature is messed somehow, the two blue lines are taller than the in-between sentence.

I like to do it to keep everything separate. I can see which addresses received what funds from where just by looking at whatever address received the coins. If I gave address x to someone and it gets 0.5 BTC I know where it came from. That's one reason anyway.
legendary
Activity: 1708
Merit: 1049
Nice analogy. Thank you for your time answering this... I still have a problem digesting the "why can't I simply cut the gold bar in half and pay with half of it and keep the rest" instead of remelting it / recasting it into new bars.

I think I understand why it happens as it happens (because obviously it was designed to be performed that way) but I still have questions on why it was designed that way when it could have been designed in a more straightforward manner. Maybe this is a multi-layered redundancy against a QC-attack-vector.

There are at least 2 "convenient" coincidences regarding quantum-computing protection...

1) the use of addresses as a hash of the public key (a quantum computer can't extrapolate the private key based on the hash of the public key, but it can do so with the public key itself - so as long as there is no spending, the money is safe from QC-attacks)

2) the use of change => destroying prior input and creating change. Thus the remains are not vulnerable to a QC attack to the public key (neither should the main output if the recipient follows best practices on how he uses his addresses).

The design doesn't seem arbitrary. The fact that Satoshi didn't go for a quantum-resistant algorithm for public/private keys is the only troubling aspect - unless we presume there wasn't an adequate solution at his time or the solutions he considered were probably deemed problematic in some other way that we don't know of. But he sure did his best to secure the system anyway despite the lack of a QC-resistant algo.
copper member
Activity: 1498
Merit: 1528
No, I don't escrow anymore.
-snip-
What if I created an account with my name on the blockchain and there I have only one BTC address; still it will be my main one.

You can do this, but you should make a new address for every time you get some coins. It's not like you have to.

May I know why ?

Because it is harder to know which person has how many coins if you use a new address for every transaction. It helps with the ano-/pseudonymity. If you always use the same address I only have to get that address and know how many bitcoins you have and where you spend them.


Off-topic :- Your PD signature is messed somehow, the two blue lines are taller than the in-between sentence.

That's the way Stunna wanted it when I copied it. I don't think it's a problem.
sr. member
Activity: 252
Merit: 250
-snip-
What if I created an account with my name on the blockchain and there I have only one BTC address; still it will be my main one.

You can do this, but you should make a new address for every time you get some coins. It's not like you have to.

May I know why ?

Off-topic :- Your PD signature is messed somehow, the two blue lines are taller than the in-between sentence.
copper member
Activity: 1498
Merit: 1528
No, I don't escrow anymore.
-snip-
What if I created an account with my name on the blockchain and there I have only one BTC address; still it will be my main one.

You can do this, but you should make a new address for every time you get some coins. It's not like you have to.
staff
Activity: 4326
Merit: 8951
We know that "change" in real life is useful because you give ten dollars and you get back change. However in Bitcoin you can send a precise amount of coins, so change is not really "necessary" - not even as an option. It's not needed and adds bloat out of nowhere.
Sorry, you misunderstand Bitcoin horribly— you're in good company: The blockexplorers present a cooked view of the system to make things simpler, but promote this sort of misunderstanding as an unfortunate side effect.

In Bitcoin you cannot send a precise amount. You must send an amount which is a sum of some subset of the amounts you've previously received. A good mental model is to imagine that when someone pays you they give you a metal coin with a certain weight (value) with a public key of yours written on it.  You know which payment was being made by virtue of which public key received the funds.  When you later want to spend the coin you visit a forge (the network) and ask it to melt down one or more coins that you have and make one or more new coins of equal or lesser weight with whatever public keys you want to be paid inscribed on them, and you present signatures to show you were authorized to spend the coin(s).

The Bitcoin blockchain has no "balances" and instead tracks atomic "coins" (transaction outputs). When your wallet authors a transaction it picks one or more of the payments you've previously received to spend completely. Often the amount is more than the amount you are spending (obviously it cannot be less), and so you need to take change as part of the transaction.

The coin tracking design is important because it prevents replay and also allows clear deterministic behavior in the event of reorganization. The lack of any persistent accounts is also beneficial for privacy.
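The forge analogy above, and DannyHamilton's description earlier in the thread of a chain of signed transactions whose inputs are previously unspent outputs, can be run as code. The following is an added example, not code from the thread or from Bitcoin Core: a toy UTXO set in Python where a transaction destroys whole inputs, creates outputs, leaves the difference as the fee, and puts any leftover into a change output. Owner labels stand in for scriptPubKeys and for the signatures that would authorize the spend, and every txid, address label and amount is constructed.

```python
"""A minimal UTXO ledger: a transaction consumes whole previous outputs and
creates new ones; the difference between inputs and outputs is the fee, and
change is just another output.

Added example, not code from Bitcoin Core or from anyone in the thread.
Signatures are replaced by an owner-label check; every txid, label and amount
is constructed for illustration."""
from dataclasses import dataclass

SATS = 100_000_000  # satoshi per BTC; integer arithmetic, as the protocol uses


@dataclass(frozen=True)
class OutPoint:
    txid: str
    index: int


@dataclass(frozen=True)
class TxOut:
    value: int   # satoshi
    owner: str   # stands in for the scriptPubKey (the key the coin is "inscribed" with)


@dataclass
class Tx:
    txid: str
    inputs: list        # OutPoints being consumed, in full
    outputs: list       # TxOuts being created
    signers: frozenset  # labels whose keys signed; stands in for the input signatures


class Ledger:
    def __init__(self):
        self.utxo = {}  # OutPoint -> TxOut; the only state kept, there are no balances

    def coinbase(self, txid, value, owner):
        """Mint a new output (block reward); used only to seed the example."""
        self.utxo[OutPoint(txid, 0)] = TxOut(value, owner)

    def balance(self, owners):
        """A 'balance' is derived: the sum of unspent outputs under the wallet's addresses."""
        return sum(o.value for o in self.utxo.values() if o.owner in owners)

    def apply(self, tx):
        """Validate tx against the UTXO set, apply it, and return the fee it pays."""
        if not tx.inputs or not tx.outputs:
            raise ValueError("a transaction needs at least one input and one output")
        if len(set(tx.inputs)) != len(tx.inputs):
            raise ValueError("duplicate input in one transaction")
        in_sum = 0
        for op in tx.inputs:
            spent = self.utxo.get(op)
            if spent is None:
                raise ValueError(f"{op} is not unspent (unknown or already spent)")
            if spent.owner not in tx.signers:
                raise ValueError(f"no valid signature for {op}")
            in_sum += spent.value
        if any(o.value < 0 for o in tx.outputs):
            raise ValueError("negative output value")
        out_sum = sum(o.value for o in tx.outputs)
        if out_sum > in_sum:
            raise ValueError("outputs exceed inputs")
        for op in tx.inputs:                 # inputs are destroyed in their entirety...
            del self.utxo[op]
        for i, o in enumerate(tx.outputs):   # ...and replaced by the new outputs
            self.utxo[OutPoint(tx.txid, i)] = o
        return in_sum - out_sum              # whatever no output claims is the fee


def build_payment(ledger, wallet, payee, amount, fee, change_addr, txid):
    """Pick whole outputs owned by `wallet` until they cover amount + fee,
    pay `payee`, and send whatever is left over to `change_addr`."""
    chosen, total = [], 0
    for op, out in sorted(ledger.utxo.items(), key=lambda kv: (kv[0].txid, kv[0].index)):
        if out.owner in wallet:
            chosen.append(op)
            total += out.value
            if total >= amount + fee:
                break
    if total < amount + fee:
        raise ValueError("insufficient funds")
    outputs = [TxOut(amount, payee)]
    change = total - amount - fee
    if change > 0:                           # change exists only when the inputs overshoot
        outputs.append(TxOut(change, change_addr))
    return Tx(txid, chosen, outputs, frozenset(wallet))


def demo():
    """The 10 BTC / 7.3 BTC case from the thread, plus a double-spend attempt."""
    ledger = Ledger()
    ledger.coinbase("cb1", 10 * SATS, "alice-addr-1")    # Alice holds one 10 BTC output
    alice = {"alice-addr-1", "alice-addr-2"}              # addr-2 is her fresh change address
    tx = build_payment(ledger, alice, "bob-addr-1", 730_000_000, 1_000, "alice-addr-2", "tx1")
    fee = ledger.apply(tx)
    try:                                                  # the same output cannot be spent twice
        ledger.apply(tx)
        double_spend_rejected = False
    except ValueError:
        double_spend_rejected = True
    return {
        "fee": fee,
        "alice": ledger.balance(alice),
        "bob": ledger.balance({"bob-addr-1"}),
        "outputs_in_tx1": len(tx.outputs),
        "double_spend_rejected": double_spend_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The rule the ledger enforces is the consensus one: the output sum may not exceed the input sum, and a zero-fee transaction is still valid; whatever the outputs do not claim goes to the miner. Because the only state is the set of unspent outputs, a balance is computed rather than stored, which is what makes double spends trivial to reject and a reorganization a matter of replaying transactions.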
sr. member
Activity: 252
Merit: 250
I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

Heh, speaking of privacy, we're not even supposed to -have- a main address. I'm guilty as well, of course.

Sorry, can't get you.

One of the ideas with bitcoin is that you generate a new address for every input you get. So you have no main address, you just have a bunch of addresses.


What if I created an account with my name on the blockchain and there I have only one BTC address; still it will be my main one.
legendary
Activity: 1162
Merit: 1007
No, you don't know how bitcoin works at protocol level. It has nothing to do with privacy or quantum computing.

Bitcoin is like a banknote. You can only spend it as one piece. You can't cut it into 2 halves by yourself. If you want to spend part of its value, you need someone (e.g. a bank) to divide it into 2 banknotes for you. That's how "change" comes. (of course, we don't have a bank in bitcoin, but miners are doing such a job)

Perhaps you are right. I am no expert on these matters - I try to understand them.


He is right.  This is directly from Satoshi's white paper (Section 9): https://bitcoin.org/bitcoin.pdf

Key question: Are change addresses *needed* for this splitting and recombination? Can't they just be performed on a transaction basis?

Yes.  Transactions destroy inputs (in their entirety) and create new outputs.  The rule is that the sum of the outputs must be less than the sum of the inputs for the transaction to be valid.
legendary
Activity: 1708
Merit: 1049
Understand that "coins" get split up and recombined all the time.

So your 100 received 0.001 BTCs can be sent out as 0.1 BTC (so the system doesn't *break down* because of everything turning into dust).

Key question: Are change addresses *needed* for this splitting and recombination? Can't they just be performed on a transaction basis?
legendary
Activity: 1400
Merit: 1013
a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?
Treating Bitcoin like an electronic payment system is a very artificial limitation for a distributed computer.

"What is needed is an electronic payment system based on cryptographic proof instead of trust,
allowing any two willing parties to transact directly with each other without the need for a trusted
third party.
"

--Satoshi (whitepaper)
Think a bit more about what it means for Bitcoin to be a distributed computer.

Also, the word "Bitcoin" doesn't only have one meaning.
legendary
Activity: 1708
Merit: 1049
a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?
Treating Bitcoin like an electronic payment system is a very artificial limitation for a distributed computer.

"What is needed is an electronic payment system based on cryptographic proof instead of trust,
allowing any two willing parties to transact directly with each other without the need for a trusted
third party.
"

--Satoshi (whitepaper)

legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Understand that "coins" get split up and recombined all the time.

So your 100 received 0.001 BTCs can be sent out as 0.1 BTC (so the system doesn't *break down* because of everything turning into dust).

The point all along is to help keep things more "anonymous" and "coin control" can help in giving you more "control" over this process.
legendary
Activity: 1400
Merit: 1013
a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?
Treating Bitcoin like an electronic payment system is a very artificial limitation for a distributed computer.
legendary
Activity: 1708
Merit: 1049
No, you don't know how bitcoin works at protocol level. It has nothing to do with privacy or quantum computing.

Bitcoin is like a banknote. You can only spend it as one piece. You can't cut it into 2 halves by yourself. If you want to spend part of its value, you need someone (e.g. a bank) to divide it into 2 banknotes for you. That's how "change" comes. (of course, we don't have a bank in bitcoin, but miners are doing such a job)

Perhaps you are right. I am no expert on these matters - I try to understand them.

On what you say:

a) That's a very artificial limitation for an electronic payment system, wouldn't you agree?

b) 1 Bitcoin consists of millions of satoshis anyway - so again the fictional bank to do the division is quite redundant...

c) In terms of future-proofing, what's the chance that the coins remain undivided over the course of 10-20-30-40-50 years? They will be divided anyway, so? If the currency is successful it's almost a given that the vast majority of transactions will be conducted in fractional amounts. Why the need to divide them?

d) What about halvings in block reward that produce fractional coins to begin with?
copper member
Activity: 1498
Merit: 1528
No, I don't escrow anymore.
I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

Heh, speaking of privacy, we're not even supposed to -have- a main address. I'm guilty as well, of course.

Sorry, can't get you.

One of the ideas with bitcoin is that you generate a new address for every input you get. So you have no main address, you just have a bunch of addresses.


No, you don't know how bitcoin works at protocol level. It has nothing to do with privacy or quantum computing.

Bitcoin is like a banknote. You can only spend it as one piece. You can't cut it into 2 halves by yourself. If you want to spend part of its value, you need someone (e.g. a bank) to divide it into 2 banknotes for you. That's how "change" comes. (of course, we don't have a bank in bitcoin, but miners are doing such a job)

If you get an input of .1 you have to spend it as .1; you can split it into several outputs though. So you can use it to pay .05 to someone and get .05 as change.
sr. member
Activity: 252
Merit: 250
I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

Heh, speaking of privacy, we're not even supposed to -have- a main address. I'm guilty as well, of course.

Sorry, can't get you.
sr. member
Activity: 364
Merit: 250
I'm really quite sane!
I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.

Heh, speaking of privacy, we're not even supposed to -have- a main address. I'm guilty as well, of course.
legendary
Activity: 1792
Merit: 1121
No, you don't know how bitcoin works at protocol level. It has nothing to do with privacy or quantum computing.

Bitcoin is like a banknote. You can only spend it as one piece. You can't cut it into 2 halves by yourself. If you want to spend part of its value, you need someone (e.g. a bank) to divide it into 2 banknotes for you. That's how "change" comes. (of course, we don't have a bank in bitcoin, but miners are doing such a job)
sr. member
Activity: 252
Merit: 250
I'm using it as a sort of privacy, I don't feel that I want to share my MAIN address with everyone for example.
legendary
Activity: 1708
Merit: 1049
We know that "change" in real life is useful because you give ten dollars and you get back change. However in Bitcoin you can send a precise amount of coins, so change is not really "necessary" - not even as an option. It's not needed and adds bloat out of nowhere.

Some say "change increase privacy so that's why it was placed in there". Surely, a protocol as transparent as bitcoin, wouldn't increase its privacy by any significant amount through change (not to mention that change can be linked during future spending). This is stuff that even a script can put together, deanonymizing transactions.

And why, if it is privacy-related, wouldn't one be able to control change spending so as to not be linked together?

So there has to be something else here that Satoshi saw.

I'm thinking it may be related to Quantum-Computing resistance. By moving the amount to the recipient + change to a new address (which hasn't yet published its public key), a good portion of the network's money will remain uncrackable by a quantum computer as the QC won't know the public key to extrapolate the private key.

If control of change is going to be implemented in future versions of Bitcoin, this quantum-resistance could be broken. Perhaps it should also be accompanied by a change in the private/public key algorithm to a quantum-resistant one.

Or, alternatively, introduce a button in the wallet that places one's funds into "quantum storage" - aggregating them automatically in a single address with no spends (that prevent QC cracking). One could even checkbox something like "automatic quantum storage" so that when one wants to spend money, one amount would go to the destination and the other would go to a new address with zero spends. Thus change control won't affect the principle of QC-resistance, if that's the rationale of Satoshi.
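The "quantum storage" idea in the post above amounts to an audit followed by a sweep, and can be written down as code. The following is an added example, not code from the thread or from any wallet: it replays a constructed transaction history, marks every address that has ever signed as having its public key on chain, reports how much unspent value still sits behind such keys, and builds one transaction that moves that value to a never-used address. Addresses are plain labels and script parsing is omitted; all txids, labels and amounts are made up.

```python
"""Key-exposure audit for a pay-to-pubkey-hash style ledger.

Added example, not code from the thread or from Bitcoin Core. Spending an
output puts the owner's public key into the input script, so from then on
every coin at that address is guarded by the signature algorithm alone, not
by the hash of the key. Addresses are plain labels, script parsing is left
out, and the transaction history below is constructed for illustration."""
from collections import defaultdict


def replay(txs):
    """Walk the history in order. Returns (utxo, exposed):
    utxo maps (txid, index) -> (address, value); exposed is the set of
    addresses whose public key has appeared on chain in an input."""
    utxo, exposed = {}, set()
    for txid, inputs, outputs in txs:
        for outpoint in inputs:
            if outpoint not in utxo:
                raise ValueError(f"{outpoint} is not unspent")
            addr, _value = utxo.pop(outpoint)
            exposed.add(addr)  # the signature that spends it reveals the key
        for index, (addr, value) in enumerate(outputs):
            utxo[(txid, index)] = (addr, value)
    return utxo, exposed


def audit(utxo, exposed):
    """Split unspent value by whether the owning address has already signed."""
    by_addr = defaultdict(int)
    for addr, value in utxo.values():
        by_addr[addr] += value
    return {
        "hash_only": {a: v for a, v in by_addr.items() if a not in exposed},
        "key_exposed": {a: v for a, v in by_addr.items() if a in exposed},
    }


def sweep(utxo, exposed, fresh_addr, fee, txid):
    """Build one transaction that moves every key-exposed coin to a never-used
    address. Returns None when there is nothing worth moving."""
    if fresh_addr in exposed or any(a == fresh_addr for a, _ in utxo.values()):
        raise ValueError("destination must be an address that has never been used")
    inputs = [op for op, (addr, _) in utxo.items() if addr in exposed]
    total = sum(utxo[op][1] for op in inputs)
    if not inputs or total <= fee:
        return None
    return (txid, inputs, [(fresh_addr, total - fee)])


# Constructed history, values in satoshi: (txid, spent outpoints, (address, value) outputs).
HISTORY = [
    ("cb1", [], [("A1", 500_000)]),                              # A1 receives
    ("cb2", [], [("A2", 300_000)]),                              # A2 receives
    ("t1", [("cb1", 0)], [("M1", 200_000), ("A3", 299_000)]),    # A1 signs; change to fresh A3
    ("t2", [("cb2", 0)], [("M2", 100_000), ("A1", 199_000)]),    # A2 signs; change back to reused A1
]


def demo(fee=1_000):
    """Audit the history, sweep the exposed coins to fresh address A4, audit again."""
    utxo, exposed = replay(HISTORY)
    before = audit(utxo, exposed)
    tx = sweep(utxo, exposed, "A4", fee, "sweep1")
    after_utxo, after_exposed = replay(HISTORY + ([tx] if tx else []))
    after = audit(after_utxo, after_exposed)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before sweep:", before)
    print("after sweep: ", after)
```

The history deliberately sends change back to an address that has already signed (A1 in t2); that coin is exposed the moment it arrives, which is exactly what a reused "main address" produces. The sweep itself reveals nothing new, since the keys it signs with are already public, and the destination stays a hash until it is spent. Whether any of this matters depends on an attacker who can derive private keys from public keys, which is the assumption the thread is debating.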