Topic: Important Wallet Feature Request (Read 1303 times)

full member
Activity: 187
Merit: 109
Converting information into power since 1867
December 07, 2013, 09:15:55 AM
#17
Those examples were off the top of my head and admittedly a little... silly. But the point was this: making the entire issue of change completely invisible does not necessarily make life easier for noobs. Indeed, this also touches on other issues besides change - the general problem is control of keys. How do you allow users to manage their addresses while simultaneously preventing noobs from accidentally compromising either security or privacy? This is a complex issue and I'm sure you've given it a lot more thought than I have. All I'm saying is, the Satoshi client has chosen a rather extreme solution: making the management of addresses completely invisible and pooling all the user's money in a somewhat metaphysical entity called a 'wallet'. I'm not entirely sure that's the most noob-friendly approach, but maybe I'm wrong.



Flipping your hypothetical right around, if Mrs. Noobisky constantly reuses the change address it's usually trivial to determine the entirety of their holdings, even unintentionally.  Mrs. Noobisky intends to show Mr. Loanshark a single address assigned just enough coin to satisfy him, but the change reuse has invisibly linked all of Mrs. Noobisky's funds without her realising it and now Mr. Loanshark realizes that she's been holding back on her ability to pay and goes and takes her computer and slits her throat. Good job, you just killed Mrs. Noobisky, you bastard!

This is what I don't understand. Why does change reuse invisibly link all the funds in the wallet? As it stands today, a newly generated change address would show up in any taint analysis as once-removed from the original address. Furthermore, services like blockchain.info can guess (admittedly with varying success) which outputs represent the actual transaction and which is the change. So, is the generation of a new change address really that beneficial to privacy? As I mentioned above, the real issue is choosing which outputs to use when creating an outgoing transaction. As long as the client doesn't let me choose, I will always end up accidentally tainting my addresses with each other, creating links between new change addresses and older receiving addresses, and so on.


EDIT: It occurs to me that you may be referring to a situation where the same change address is always used, regardless of the address from which the transaction is sent. If I have multiple addresses in my wallet, but one of them is always used as a constant change address, then indeed that address will link all the others together.
But that's not what I meant. I was referring to a situation in which every time a transaction is sent from a certain address, the change is returned to that same address. That way, every address is only linked to itself, and separate addresses in the wallet are like separate mini-wallets. Links between the addresses will only be created if I need to send a sum which is bigger than what I have in any one address, but obviously this problem exists with the current system as well. I could split my money into a thousand different change addresses, only to link them all together whenever I make an outgoing transaction of a large sum, thus negating any privacy advantage.
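The disagreement in the two posts above is about which change policy lets an outside observer tie a wallet's addresses together. The following is an added example, not code from the thread or from any wallet project: it simulates the three policies discussed (a constant change address, change returned to the sending address, a fresh change address per spend) against a toy observer that applies two standard chain-analysis heuristics, common-input ownership and change-output detection. Address names, amounts, the payee list, the coin-selection rule and the observer's rules are all assumptions of this example.

```python
"""Added example, not code from the thread or from any wallet project.
Simulates three change policies and measures how much of the wallet an
outside observer can link together. Balances are integers (mBTC).

Policies:  "fixed"  - change always goes to one constant change address
           "sender" - change goes back to the first address spent from
           "fresh"  - a new change address is generated for every spend
Observer:  H1 all inputs of a transaction belong to one owner
           H2 one output is the spender's change if it already belongs to the
              spender, was previously classified as change, or is the only
              output address never seen on chain before
"""
from collections import defaultdict
from itertools import count

# Constructed payee addresses; assumed to be already known on chain.
PAYEES = ["merchant1", "merchant2", "merchant3", "merchant4"]
# Constructed spend sequence: three small payments, then one large one.
SPENDS = [(400, "merchant1"), (400, "merchant2"), (400, "merchant3"), (1500, "merchant4")]


class Wallet:
    """Minimal wallet: one balance per address, automatic coin selection."""

    def __init__(self, policy, balances):
        self.policy = policy
        self.balances = dict(balances)
        self._ids = count()

    def send(self, amount, payee):
        # Largest balances first until covered; the user does not pick inputs.
        inputs, total = [], 0
        for addr, bal in sorted(self.balances.items(), key=lambda kv: (-kv[1], kv[0])):
            if bal <= 0:
                continue
            inputs.append(addr)
            total += bal
            if total >= amount:
                break
        if total < amount:
            raise ValueError("insufficient funds")
        for addr in inputs:
            self.balances[addr] = 0
        outputs = {payee: amount}
        change = total - amount
        if change > 0:
            if self.policy == "fixed":
                chg = "change_fixed"
            elif self.policy == "sender":
                chg = inputs[0]
            else:
                chg = f"change{next(self._ids)}"
            outputs[chg] = outputs.get(chg, 0) + change
            self.balances[chg] = self.balances.get(chg, 0) + change
        return inputs, outputs


class Observer:
    """Union-find clustering of addresses from the public transaction view."""

    def __init__(self, seen):
        self.parent = {}
        self.seen = set(seen)
        self.known_change = set()

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def observe(self, inputs, outputs):
        for addr in inputs[1:]:          # H1: common-input ownership
            self.union(inputs[0], addr)
        spender = self.find(inputs[0])
        change = next((a for a in outputs
                       if self.find(a) == spender or a in self.known_change), None)
        if change is None:               # H2 fallback: the single fresh output
            fresh = [a for a in outputs if a not in self.seen]
            if len(fresh) == 1:
                change = fresh[0]
        if change is not None:
            self.union(inputs[0], change)
            self.known_change.add(change)
        self.seen.update(inputs)
        self.seen.update(outputs)


def linkage(policy, funded=("A", "B", "C", "D")):
    """Run SPENDS under a policy and return the observer's clusters of the
    originally funded addresses (a single cluster means everything is linked)."""
    wallet = Wallet(policy, {a: 1000 for a in funded})
    observer = Observer(seen=PAYEES)
    for amount, payee in SPENDS:
        observer.observe(*wallet.send(amount, payee))
    groups = defaultdict(list)
    for addr in funded:
        groups[observer.find(addr)].append(addr)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for policy in ("fixed", "sender", "fresh"):
        print(f"{policy:7s} -> {linkage(policy)}")
```

With this spend sequence the constant change address ends up linking all four funded addresses into one cluster, while both the return-to-sender and the fresh-address policies leave three clusters, the only link being the large final payment that had to draw on two addresses at once. That is the point made in the post above about coin selection; the example measures clustering under these two heuristics only and says nothing about the other objection raised earlier in the thread, that address reuse makes blacklisting schemes more viable.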
staff
Activity: 4284
Merit: 8808
December 06, 2013, 09:45:40 PM
#16
If Mr. Nooberg's hard drive failed tomorrow morning, he would be doomed to a life of squalid poverty.
This is an argument for deterministic wallets, and is largely orthogonal to change. If you're going to highly structure your assumptions about Mr. Nooberg you might as well have him importing keys and not realizing that they instantly invalidate his backups or getting new addresses but mostly intending to use old ones but messing up, or what have you.

Quote
Mr. Loanshark uses a block explorer and discovers that Mrs. Noobisky has 0 BTC in the address she gave him. He feels betrayed, and Mrs. Noobisky is forced to skip town and spend the rest of her life hiding in Tijuana.
Which is also true even if there isn't any change just because of funds being sent to other addresses.  Presumably Mr. Loanshark will say wtf, and then they'll figure it out.  Again you're assuming a very specific level of knowledge just enough to get in this specific trouble... in this case you're also assuming they'll give up at the first, really obvious sign of trouble.

If this is a use case that you think matters a "Generate proof of signature authority" would be a lot more foolproof, not just against a specific Mrs. Noobisky but against all possible Noobiskies, and could also do things like generate the proof in zero knowledge so Mr. Loanshark doesn't actually learn which coins are Mrs. Nobodies' unless that was desired, and doesn't learn anything more about the value than meeting the required test.

Flipping your hypothetical right around, if Mrs. Noobisky constantly reuses the change address it's usually trivial to determine the entirety of their holdings, even unintentionally.  Mrs. Noobisky intends to show Mr. Loanshark a single address assigned just enough coin to satisfy him, but the change reuse has invisibly linked all of Mrs. Noobisky's funds without her realising it and now Mr. Loanshark realizes that she's been holding back on her ability to pay and goes and takes her computer and slits her throat. Good job, you just killed Mrs. Noobisky, you bastard!
kjj
legendary
Activity: 1302
Merit: 1026
December 06, 2013, 07:38:05 PM
#15
- Mr. Nooberg is not a complete noob; he actually realizes the importance of regular wallet backups. However, he figures backing up is only critical after making a change to the wallet, like generating a new address. He doesn't know that if he has done 101 outgoing transactions since his last backup, he now has money in a change address that isn't backed up. If Mr. Nooberg's hard drive failed tomorrow morning, he would be doomed to a life of squalid poverty.

Yup.  People need to make backups, but this will be less of an issue when we switch to HD wallets.  Until then, it is very, very easy to back the wallet up automatically.

- Mrs. Noobisky wants to prove to her friendly neighbourhood loanshark that she has 100 BTC in her wallet to back up her gambling losses. She sends him her public key (she only has one address in her wallet), assuming that's where her money is kept. She doesn't realize all her money is in some invisible change address. Mr. Loanshark uses a block explorer and discovers that Mrs. Noobisky has 0 BTC in the address she gave him. He feels betrayed, and Mrs. Noobisky is forced to skip town and spend the rest of her life hiding in Tijuana.

LOL.  So many things wrong with this scenario...  At least it does a good job illustrating the real problem, which is:  Noobs shouldn't be making assumptions about how the system works while using websites that provide access to the messy guts of the system.
full member
Activity: 187
Merit: 109
Converting information into power since 1867
December 06, 2013, 02:55:57 PM
#14
True, but this is part of a bigger issue. There are plenty of other mistakes noobs can make because they don't understand how change works. Bitcoin-qt should strive to make the whole issue of change more noob-friendly.

Change is totally noob-friendly, in the UI.

I'm sure we could find use cases to disprove that without going to the debugging console... Here are two off the top of my head:

- Mr. Nooberg is not a complete noob; he actually realizes the importance of regular wallet backups. However, he figures backing up is only critical after making a change to the wallet, like generating a new address. He doesn't know that if he has done 101 outgoing transactions since his last backup, he now has money in a change address that isn't backed up. If Mr. Nooberg's hard drive failed tomorrow morning, he would be doomed to a life of squalid poverty.

- Mrs. Noobisky wants to prove to her friendly neighbourhood loanshark that she has 100 BTC in her wallet to back up her gambling losses. She sends him her public key (she only has one address in her wallet), assuming that's where her money is kept. She doesn't realize all her money is in some invisible change address. Mr. Loanshark uses a block explorer and discovers that Mrs. Noobisky has 0 BTC in the address she gave him. He feels betrayed, and Mrs. Noobisky is forced to skip town and spend the rest of her life hiding in Tijuana.

I bet other people could think of better examples...
kjj
legendary
Activity: 1302
Merit: 1026
December 06, 2013, 01:39:17 PM
#13
True, but this is part of a bigger issue. There are plenty of other mistakes noobs can make because they don't understand how change works. Bitcoin-qt should strive to make the whole issue of change more noob-friendly.

Change is totally noob-friendly, in the UI.
full member
Activity: 187
Merit: 109
Converting information into power since 1867
December 06, 2013, 01:02:22 PM
#12
No it shouldn't, doing so completely screws up the privacy model— not just for the user in question but for all users.

It would be great if you could elaborate on this. I had always speculated that if some people sent change back to the sending address, that might actually increase privacy a little bit for people who don't.

I will also point out that this issue is a little moot as long as the user can't pick a sending address. If I have one address I tell the world about and another address I wish to use as anonymously as possible, it can be quite a headache to prevent bitcoin-qt from intermingling outputs from both these addresses (or change addresses once-removed from these addresses) in one outgoing transaction. I learnt that lesson the hard way.


Already dumpprivkey is hidden inside a debugging console. This is not where some clueless noob is going to stumble into it by accident. It's there for a reason.

The correct way to accommodate that use case is to _never_ make single address "paper wallets", but instead to make multi-address seed paper wallets. Armory does this fine today.

True, but this is part of a bigger issue. There are plenty of other mistakes noobs can make because they don't understand how change works. Bitcoin-qt should strive to make the whole issue of change more noob-friendly.
staff
Activity: 4284
Merit: 8808
December 06, 2013, 12:24:37 PM
#11
The default should be to return the change to the sending address
No it shouldn't, doing so completely screws up the privacy model— not just for the user in question but for all users. This creates long term risk for all Bitcoin users because it increases the viability of blacklisting schemes.

Quote
despite the disadvantages, this is the best way to keep noobs from losing their money. More advanced users will be able to choose whether to send the change to a different address or create a new one.
Already dumpprivkey is hidden inside a debugging console. This is not where some clueless noob is going to stumble into it by accident. It's there for a reason.

The correct way to accommodate that use case is to _never_ make single address "paper wallets", but instead to make multi-address seed paper wallets. Armory does this fine today.
hero member
Activity: 728
Merit: 500
December 06, 2013, 10:22:49 AM
#10
At the very least, Bitcoin-qt should show the change address as soon as it has been used, to alert users that their wallet contains more than just that first receive-address that was generated at first launch.

The current behaviour of Bitcoin-qt with regards to change addresses is really opaque for new users.
newbie
Activity: 24
Merit: 0
December 06, 2013, 10:21:46 AM
#9
Since this is the first time I'm creating a paper wallet, this is what I wanted to do: create a paper wallet, go to an exchange site, send 0.0001 BTC to my paper wallet, use a BTC client (which one do you suggest?) to import the private key, and send the 0.0001 BTC back to the exchange to verify everything has gone smoothly. At this point, I'm going to repeat the whole procedure with all the XXX BTC I have on the exchange site, correct?

NOT correct.
Don't do anything in bitcoin world until you know what you do, why you do it, and how to do it.

OK, what is incorrect in my procedure? Or is it just a general "don't use BTC until you are 100% sure of what you are doing"?

Because I've read much about creating a paper wallet, but until I try it, I won't be able to know for sure. So I won't ever be able to take my money away from the exchange (and I don't want to leave them there).
full member
Activity: 187
Merit: 109
Converting information into power since 1867
December 06, 2013, 10:17:41 AM
#8
All this misery could be avoided with the single most important command ever instituted in a wallet:

PRINT PAPER WALLET

... that recursively dumps all the private keys corresponding to the addresses in listaddressgroupings

This is certainly a good feature to have.
But an even more important and general solution is to let the user choose where to send the change. This is possible in other wallets and I can't see why it hasn't been implemented in Bitcoin-qt. The default should be to return the change to the sending address - despite the disadvantages, this is the best way to keep noobs from losing their money. More advanced users will be able to choose whether to send the change to a different address or create a new one. 
newbie
Activity: 24
Merit: 0
December 06, 2013, 09:47:02 AM
#7
****************** Standard Noob coin loss procedure *****************

[1] - acquire some coins (say 5 bitcoins)
[2] - spend a *tiny amount* of their inventory (say 0.2 bitcoins)
[3] - copy their address and do a dumpprivkey, create paper wallet
[4] - feel "safe" cos they've now got their paper wallet which they regard as their *primary* backup
[5] - get their wallet trashed somehow or migrate to a new wallet using their "safe" paper wallet
[6] - import the paper wallet to the new wallet, only to find they've almost nothing left cos Satoshi client sent most of their funds to a change address

OK, I'm going to create a paper wallet at the weekend, and I want to be sure I don't lose my money (and I didn't clearly understand what OP said in the newb procedure).

Since this is the first time I'm creating a paper wallet, this is what I wanted to do: create a paper wallet, go to an exchange site, send 0.0001 BTC to my paper wallet, use a BTC client (which one do you suggest?) to import the private key, and send the 0.0001 BTC back to the exchange to verify everything has gone smoothly. At this point, I'm going to repeat the whole procedure with all the XXX BTC I have on the exchange site, correct?

I'm asking this because I didn't understand what this change address stuff (see quote) is about.
legendary
Activity: 3766
Merit: 1217
December 06, 2013, 09:46:36 AM
#6
That option is already there in the Blockchain.info wallets (in the "Create Backup" tab). I don't know about other e-wallets. Which one are you using?
global moderator
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
December 06, 2013, 09:37:46 AM
#5
My assumption would be that if I wanted to sell a half a bitcoin to someone, I'd grab one of the five address sets I have, and I'd move .5 BTC from one of these addresses.  I would also generate a new set of public/private keys for the change transaction. 

Is it going to be relatively straightforward for me to accomplish that transaction?


Yes, it should be as easy as that. Just make sure you're sending to the correct address.
member
Activity: 85
Merit: 13
December 06, 2013, 09:32:27 AM
#4
This is the biggest part of Bitcoin that I don't understand too well.  I am very much a Newb, but have been reading voraciously about all subjects.  If someone could expand upon my questions, I would appreciate it.

I keep my BTC in cold storage.  I have 5 BTC, and I have them situated in 5 different key pairs, 1 bitcoin apiece.  I have not spent anything or tried to move anything yet.  But when I do --- I assume that if I wanted to sell one, I suppose I would use localbitcoins maybe, but I also have a Coinbase account.  So let's assume the question is for both options.  I'm selling someone a half bitcoin on localbitcoins, and I'm also separately going to sell a half bitcoin through Coinbase.

My assumption would be that if I wanted to sell a half a bitcoin to someone, I'd grab one of the five address sets I have, and I'd move .5 BTC from one of these addresses.  I would also generate a new set of public/private keys for the change transaction. 

Is it going to be relatively straightforward for me to accomplish that transaction?

Move .5 BTC from address 1xxxxxxxxxxxxxxxxxyyyyyyyyyyyyyyyyzzzzzz to address of buyer:  1tttttttttttttttttttuuuuuuuuuuuuuuuuuuubbbbbbbbbbbbbbbbbb
Send change of .5 BTC to my new address of :  1qqqqqqqqqqqqqqqqqrrrrrrrrrrrrrrrrrrrrrrrppppppppppppppppp?

This is what I am scared of --- change transactions.  There isn't a ton of readily available information about them in my opinion.  Thanks for any help!
global moderator
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
December 06, 2013, 08:21:40 AM
#3
There will be lots of new security features coming out and also brand new wallets. Security and ease of use is a big issue, and is probably one of the biggest hurdles that will have to be overcome for popular mainstream use.
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
December 06, 2013, 07:37:17 AM
#2
Maybe these kinds of features will be built in. Remember, we are at v. 0.8.5 now. There is a lot of work to do.
legendary
Activity: 3066
Merit: 1188
December 06, 2013, 07:34:02 AM
#1
Hi

Please, please please could we have this feature. A button (albeit password protected) that says PRINT PAPER WALLET !!

It's a statistical certainty that noobs who don't know about the dreaded CHANGE ADDRESSES are going to lose coins. Guaranteed.

****************** Standard Noob coin loss procedure *****************

[1] - acquire some coins (say 5 bitcoins)
[2] - spend a *tiny amount* of their inventory (say 0.2 bitcoins)
[3] - copy their address and do a dumpprivkey, create paper wallet
[4] - feel "safe" cos they've now got their paper wallet which they regard as their *primary* backup
[5] - get their wallet trashed somehow or migrate to a new wallet using their "safe" paper wallet
[6] - import the paper wallet to the new wallet, only to find they've almost nothing left cos Satoshi client sent most of their funds to a change address without telling them and they didn't realise they needed to do:

walletpassphrase xxxx 600   (unlocks the encrypted wallet for 600 seconds)
listaddressgroupings
dumpprivkey <address>   (for each address in listaddressgroupings)

All this misery could be avoided with the single most important command ever instituted in a wallet:

PRINT PAPER WALLET

... that recursively dumps all the private keys corresponding to the addresses in listaddressgroupings

Cheers

Pete
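The bookkeeping behind the requested PRINT PAPER WALLET button is small, and an added example makes the "standard noob coin loss procedure" concrete. The code below is not from the thread or from Bitcoin Core: it parses the JSON that `bitcoin-cli listaddressgroupings` returns (a list of groupings, each a list of [address, balance, optional label]), reports how much money a single-address paper wallet would miss, and lists the dumpprivkey calls a complete backup would need. No RPC call is made; the sample output and the placeholder addresses are constructed for this example, and `<passphrase>` stands in for the user's real one.

```python
"""Added example, not code from the thread or from Bitcoin Core: the
bookkeeping behind the requested PRINT PAPER WALLET button, driven by a
constructed sample of `listaddressgroupings` output."""
import json
from decimal import Decimal

# Constructed sample: the "Standard Noob coin loss procedure" from the thread.
# 5 BTC arrived at the one address the user knew about, 0.2 BTC was spent, and
# the client parked the 4.8 BTC of change in an address the UI never showed.
# Addresses are placeholders, not real ones.
SAMPLE_LISTADDRESSGROUPINGS = """
[
  [
    ["1ReceiveAddrPLACEHOLDER", 0.0, ""],
    ["1ChangeAddrPLACEHOLDER", 4.8]
  ],
  [
    ["1SpareAddrPLACEHOLDER", 0.0, "spare"]
  ]
]
"""


def parse_groupings(raw):
    """Return {address: balance} for every address the node reports.
    Balances are parsed as Decimal rather than float because they are money."""
    balances = {}
    for grouping in json.loads(raw, parse_float=Decimal):
        for entry in grouping:
            address, balance = entry[0], Decimal(entry[1])
            balances[address] = balances.get(address, Decimal(0)) + balance
    return balances


def unbacked_balance(balances, backed_up):
    """Funds sitting in addresses whose keys are not in the paper wallet."""
    return sum((b for a, b in balances.items() if a not in backed_up), Decimal(0))


def paper_wallet_commands(balances, timeout=600):
    """The RPC sequence the button would run: unlock, dump every key (empty
    addresses too, since they can receive again), lock. Returned as strings so
    the plan can be reviewed before any key leaves the wallet."""
    plan = [f"walletpassphrase <passphrase> {timeout}"]
    plan += [f"dumpprivkey {addr}" for addr in sorted(balances)]
    plan.append("walletlock")
    return plan


if __name__ == "__main__":
    balances = parse_groupings(SAMPLE_LISTADDRESSGROUPINGS)
    known_to_user = {"1ReceiveAddrPLACEHOLDER"}
    print("single-address paper wallet misses", unbacked_balance(balances, known_to_user), "BTC")
    print("\n".join(paper_wallet_commands(balances)))
```

Two caveats follow from the thread itself. listaddressgroupings only lists addresses that have already appeared in transactions, so keys still waiting in the keypool are not covered and the dump has to be repeated after new activity, which is why kjj's remark about HD wallets matters. And because the output of dumpprivkey is the whole wallet, the plan above is only as safe as wherever its output ends up; the button would be worth password-protecting, as Pete suggests.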