Why does Bitcoin send the "change" to a different address?

43

11

For example I have an address (A) with 20 BTC and send 9 BTC to address (B). Bitcoin will create a "change" portion of the transaction where the remaining 11 BTC goes to address (C).

Why not send the change back to A?

Instead of:

Initial balance: 
A: 20 BTC 
B: 0 BTC 
C: 0 BTC

Transaction Pair: 
A -> B 9 BTC 
A -> C 11 BTC

End result 
A: 0 BTC 
B: 9 BTC 
C: 11 BTC

Why not?

Initial balance:
A: 20 BTC
B: 0 BTC

Transaction Pair:
A -> B 9 BTC
A -> A 11 BTC

End result
A: 11 BTC
B: 9 BTC

DeathAndTaxes

Posted 2011-10-18T14:08:28.293

Reputation: 8 269

[7] And is there an option in the client to turn this off (i.e. send back to the original address)? (Thilo, 2011-10-20T01:14:52.127)

[1] Is there any solution then? I would also prefer it if the change came back to the original address. (user1059931, 2013-12-09T13:18:50.487)

5

I've got a 'noprivacy' branch at https://github.com/gavinandresen/bitcoin-git that sends change back to the funding address, but it confuses the heck out of the 'accounts' code and makes for confusing-looking transaction lists.

gavinandresen 2011-10-21T18:58:04.450

Answers

39

Two reasons:

  1. So whoever sent to your "A" address can't claim to have sent you 31 bitcoins ("See! Look on block explorer, there are two transactions sending to "A", one for 20 bitcoins and one for 11-- send me back the extra 11!")

  2. Using a new change address makes it more difficult for other people to keep track of how many bitcoins you have or where you're spending them.

gavinandresen

Posted 2011-10-18T14:08:28.293

Reputation: 3 254

[4] Sending the change somewhere else makes it look like you spent your whole balance, which is not the case. It can be very confusing for beginning users. I think this should be an opt-in option for the default client. (Steven Roose, 2013-04-29T13:25:48.687)

[4] I also think separate change addresses are a very bad "feature". Sending back to the same address would prevent paper wallets from becoming obsolete when part of them is spent. Obfuscating payment flow should also not be part of the "official" bitcoin client. Keeping the ledger straightforward would lend Bitcoin more legitimacy. (yippy_yay, 2013-11-19T13:04:34.977)

[22] It also conceals which output is the "spend" and which is the "change". (David Schwartz, 2011-10-18T22:41:32.137)

[26] Preventing false claims would be of dubious value. Transactions are irreversible anyway, and the transaction will clearly indicate the coins went from A to A. The second part of your answer plus David's clarification seems the most likely rationale. (DeathAndTaxes, 2011-10-19T13:48:16.387)

[1] @DeathAndTaxes, so basically Gavin's first point is wrong/invalid? (Pacerier, 2014-03-20T19:55:09.660)

1

I agree with @Steven Roose. Look at this address: https://blockchain.info/address/175fTMj3sNZANncHTGEGw4SAims14ZDxNX I sent 5 mBTC from 175fTMj3sNZANncHTGEGw4SAims14ZDxNX to 1JGZbBj5iuxzskxAxRmoQgKZXoDehGEA6r and then my client created an address 15taCtq1Mj76wuweVjnvrmKxSt3gKMVXqJ to receive the remaining 0.8 mBTC. But my client shows only two addresses: 1GzeYtD8KGVw7LmWCtsQ7wMX3Me7KUBwna and 175fTMj3sNZANncHTGEGw4SAims14ZDxNX, both with zero balance. But my bitcoin-qt shows I have a 0.8 mBTC balance. It is very weird and confusing.

Felipe 2014-04-10T05:09:51.180

Look at this too: http://bitzuma.com/posts/five-ways-to-lose-money-with-bitcoin-change-addresses/ It's hard for the end user. I prefer it like before.

Felipe 2014-04-10T05:11:10.500

@DeathAndTaxes, do you mean that if we are inventing a new coin that doesn't need a "concealing advantage", it would be more beneficial to have only one target? (Pacerier, 2014-09-18T11:50:54.290)

@Pacerier, I do hope so! :) That security-through-obscurity argument looks incredibly silly. But it still seems somewhat nontrivial to prove being the sender of a tx. (esp. with multiple inputs); see e.g. https://bitcoin.stackexchange.com/questions/18502/is-there-a-way-to-prove-ownership-of-a-transaction

Sz. 2017-06-21T17:32:08.117

18

While the other answers are slightly true, there's another reason. Addresses which have been spent from are inherently less secure than unspent addresses. This is because, when spending from an address, you reveal the public key of the address. This means that in order to steal those funds, you only need to find the private key, whereas normally you'd need to break the hash and then find the private key.

Both of these tasks are extremely difficult, so for now it's not much of a concern if you send to spent addresses. The problem arises with the theoretical quantum computer. ECDSA, the technology which secures your private key, is extremely easy for quantum computers to reverse. The hash isn't. Therefore, when quantum computers become popular, used addresses will become exponentially less secure.

More info at https://bitcoin.stackexchange.com/a/7134/11666

Also: https://bitcointalk.org/index.php?topic=153302.0

In the BitcoinTalk post, the concern brought up about hackers cracking transactions between broadcast and inclusion in blocks is reasonable. Fortunately, honest miners include the first transaction first regardless of fee, so that attack is foiled. It is also prevented by the fact that it would still take quite some time to crack the public key.

Eric Pauley

Posted 2011-10-18T14:08:28.293

Reputation: 281

Why do you believe breaking a key pair is easier than breaking a crypto hash? (Basic, 2014-12-17T18:25:27.957)

@Basic, because the public key is generated from the private key via the SHA256 algorithm, which is vulnerable to quantum computer attack, while the Bitcoin address is generated from the public key by using both the SHA256 and RIPEMD160 algorithms, and potential hackers will need to attack 2 different encryptions. (Sulevus, 2018-01-04T20:25:09.793)

@Sulevus If you encrypt/hash something multiple times, it doesn't necessarily make it more secure... It depends entirely on how the two systems preserve entropy across multiple operations. (Basic, 2018-01-05T14:33:31.603)

8

The idea of the change addresses is an attempt to make transactions anonymous. Unfortunately, bitcoin transactions are not anonymous, even with the use of change addresses:

When you have a wallet filled with change addresses, transactions will be forced to use some of those change addresses to fill transactions you want to make. The fact that the receiver is the same, and that the time of transaction is the same means that an outside observer will have a high confidence that those addresses belong to the same person. If all of those addresses only received bitcoins from a single address, it will be very clear they are change addresses for that address.

What the above means is that your addresses become deanonymized when they are used. This makes your privacy basically worthless because anyone can look back a couple years and see everyone you paid or received money from.

This is not necessarily a bad thing, as the traceability of transactions will make it harder for governments to justify fighting the adoption of bitcoins.

While you might gain a tiny bit of privacy for a short period of time using change addresses, there is a HUGE downside: it makes backing up your money intractable. If you want to back up an address, you can do that easily. Just encrypt your wallet and copy it to various devices (your phone, external HD, USB drive, paper wallet, etc). If change addresses are used, though, you must copy to all your backups (as painful as printing out a new paper wallet) every time you make a transaction. That is intractable.

That intractability I think is a HUGE problem for bitcoins. People need a secure way of being "their own bank" and change addresses make bitcoins broken for most people.

UPDATE: Deterministic wallets somewhat solve this problem by allowing you to determine all of the wallet's potential addresses from a single seed value. This allows you to back up once, and restore at any later time by using the seed to generate and check addresses until you're sure you haven't used any beyond the ones you checked. Armory, Electrum, and CarbonWallet all use deterministic wallets.

B T

Posted 2011-10-18T14:08:28.293

Reputation: 1 134

I really like this answer, but it seems like it would be better provided under another question. Gavin's answer is 100% true, and this answer would be better for a question about the anonymity of change addresses. (Colin Dean, 2013-12-09T14:02:47.920)

@BT, so how does Dark Wallet work then? (Pacerier, 2014-03-20T19:59:03.060)

@Pacerier I don't know much about Dark Wallet, but there can certainly be much more complicated schemes that keep addresses more anonymous. This would involve things like staggered transactions and sophisticated transaction mixing. These aren't your average transactions. They're complex techniques and they're just as useful without the use of change addresses. (B T, 2014-09-17T22:04:40.587)

@ColinDean, is the "quandary" typo in your profile intentional? (Pacerier, 2014-09-18T11:56:08.737)

@BT, however, adding the use of change addresses does increase the cost of unanonymizing, right? (Pacerier, 2014-09-18T11:56:27.350)

@Pacerier Yes, but while I'm not entirely sure how much the cost is raised, I'm thinking the theoretical limit is doubling the cost. Though in normal scenarios where that address is eventually used in conjunction with another change address, the cost of determining that is basically negligible. (B T, 2014-09-18T19:13:59.983)
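The linking that B T's answer describes, as an added example that is not from the original thread: a constructed toy ledger (the question's A -> B / A -> C pattern, repeated, followed by a spend that co-uses the two change addresses) is run through the common-input-ownership heuristic and the single-funder change heuristic, and the result shows which addresses an observer would group as one owner. The ledger, the `Clusters` union-find and the `analyze` function are all assumptions made up for this illustration.

```python
from collections import defaultdict

# Constructed toy ledger, not real chain data. Each tx lists the addresses
# whose coins it spends and the (address, amount) outputs it creates.
TXS = [
    {"inputs": ["A"], "outputs": [("B", 9), ("C", 11)]},        # pay B, change to C
    {"inputs": ["A"], "outputs": [("G", 4), ("D", 16)]},        # pay G, change to D
    {"inputs": ["C", "D"], "outputs": [("E", 15), ("F", 12)]},  # change outputs co-spent
    {"inputs": ["X"], "outputs": [("Y", 2), ("Z", 5)]},         # unrelated user
]

class Clusters:
    """Union-find over addresses; one root means 'same owner' under the heuristics."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def same_owner(self, a, b):
        return self.find(a) == self.find(b)

def analyze(txs):
    cl = Clusters()
    # Heuristic 1 (common-input ownership): all inputs of one tx are assumed
    # to be controlled by the same entity, so they are merged.
    for tx in txs:
        for a, b in zip(tx["inputs"], tx["inputs"][1:]):
            cl.union(a, b)
    # Heuristic 2 (change linking): an address funded by only one cluster that
    # is later co-spent with another address funded by that same cluster is
    # treated as that cluster's change and merged into it. B and G, each paid
    # once by A but never spent, stay separate: they look like real payees.
    funders = defaultdict(set)
    for tx in txs:
        for addr, _ in tx["outputs"]:
            funders[addr].add(cl.find(tx["inputs"][0]))
    for tx in txs:
        solo = [a for a in tx["inputs"] if len(funders.get(a, ())) == 1]
        owners = {cl.find(next(iter(funders[a]))) for a in solo}
        if len(solo) >= 2 and len(owners) == 1:
            cl.union(solo[0], owners.pop())
    return cl
```

Running `analyze(TXS)` groups A, C and D as one owner while B, G and X stay unlinked; sending change back to A would have made the first two transactions equally easy to attribute, so the heuristics only need the later co-spend to undo the change-address separation.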