Who Needs Bitcoin Change Addresses Anyway?
Few topics in Bitcoin cause more confusion, anxiety, and loss of money than change addresses. They seem counterintuitive and unnecessary. They're a major contributor to wallet software complexity. When used improperly, they can de-anonymize not just the payer but other parties as well.
Given the many problems with change addresses, why do they exist in the first place? This article explains what change addresses are, why they're essential to Bitcoin, and how to protect your money and privacy.
If change addresses seem confusing, you may be working under some false assumptions about how Bitcoin works. Try this simple test to see for yourself.
Alice buys Bob‘s computer for 1.05 BTC. Her wallet contains 2.23 BTC stored in a single address. Assuming no fee is involved, how much of Alice’s money will be involved in the transaction?
- A: 1.05 BTC
- B: 2.23 BTC
- C: Not enough information
If you answered A, then you may view Bitcoin as a kind of bank account in which a transaction debits an arbitrary amount of money from one account and credits it to another. This is a very common view that is unfortunately incorrect.
If you answered B, you probably know about change addresses, but don‘t understand why they exist. What you know isn’t enough to prevent you from losing money in certain situations.
The correct answer is C: not enough information. After reading this article, you‘ll understand why this is the case and what information would be needed to find the exact amount of Alice’s payment.
Bitcoin is a Cash System
Humans have been using cash for thousands of years, and cash is still important in most parts of the world. Every cash system assigns a face value to a token that can be used as payment. Paper bank notes and metal coins are examples of tokens we've all used since childhood.
Bitcoin is a cash system that replaces physical tokens with digital tokens called coins (or more technically, unspent transaction outputs - UTXOs). When you receive a payment, you accept one or more of these digital coins. When you make a payment, you reassign ownership of one or more of your coins. A single address can hold multiple coins at the same time. Likewise, a transaction may gather coins from the same address, or multiple addresses.
Many cash transactions generate change. For example, if you pay for $64.89 worth of groceries with four $20 bills, the checker owes you $15.11 in change. To make a cash payment, we try to find enough bank notes to meet or exceed the payment amount. Any amount in excess of the required payment is returned as change.
The same holds true for Bitcoin transactions. Change is received by directing it to a designated change address. Change not recovered by a change address is claimed by miners as a transaction fee.
Bitcoin needs change addresses because Bitcoin is a cash system. For more, see Bitcoin: Think of it as Electronic Cash.
Wallets Reinforce Misconceptions
Software wallets attempt to hide Bitcoin's deep connection to cash by presenting an interface similar to the one used by online banking services. Payment amounts appear to be deducted from your wallet balance and added to the wallet balance of your payee.
As we've already seen, this is not how Bitcoin transactions work. Instead, your wallet digitally signs and broadcasts a transaction to the network. The transaction reassigns ownership of one or more of your coins to your payee, returning any change to an address controlled by the wallet.
Although wallets handle change for you automatically, they can vary greatly in exactly how this is done. Failure to understand the differences can lead to confusion and loss of money.
Wallets and Change Addresses
Three main strategies for handling change have been adopted by wallet developers. Each one has different implications for privacy and security.
- Single Address Wallets use one address for receiving both payments and change. Addresses can be added by importing a private key or manually adding a new receiving address. Examples of Single Address Wallets include Blockchain.info and MultiBit.
- Random Address Pool Wallets use a pool of randomly-generated addresses to receive payments and change. If a transaction generates change, it is sent to the next available unused address, causing a new address to be added to the pool. The best-known example of an Address Pool Wallet is Bitcoin Core.
- Deterministic Address Pool Wallets use a pool of deterministically-generated addresses to receive payments and change. Given a particular unique seed, these wallets always generate the same sequence of addresses. Examples include Electrum and Armory.
Wallets can adopt new change-handling behavior depending on user settings and other state. For example, importing a paper wallet into MultiBit results in a two-key system in which change may alternately be sent to the original address and the paper wallet address, a situation with critical implications for security. Likewise, Electrum permits users to send all change to the same address, effectively creating a Single Address Wallet.
Why Not Use the Same Address?
It may seem odd that wallets would generate a new address to accept change. Why not return change to the same address? Why the apparently useless complexity of address pools?
The main reason is privacy. By necessity, every Bitcoin transaction becomes part of a permanently viewable global ledger called the block chain. Maintaining privacy in this system depends on a strict separation between addresses and personal identities, a model referred to as pseudonymity.
Imagine that a transaction moves a coin from Address A to Address B. If change is returned to the sending address, the block chain makes it trivial to deduce that the person controlling Address A paid the person controlling Address B. If two payments are made, both payees can easily be identified. And so on.
An observer able to link a real-world identity to Addresses A, B, or C may be able to deduce the identities of the other parties as well.
Now imagine that a transaction moves a coin from address A to Address B, but directs change to Address C. Without additional information, the only thing an outside observer can conclude is that a payment to the person controlling Address B and/or C was made. Given another transaction from Address C, the picture becomes even less clear.
An observer trying to link real-world identities to Bitcoin addresses must gather more secondary information and work harder when all parties direct change to one-use addresses.
This isn't the end of the story. As transactions generate change, eventually this change will be recombined to make purchases. Bringing coins from various change addresses together into a single transaction suggests (but does not by itself prove) a link to a common user. Countering this problem requires that additional privacy-enhancing steps be taken. CoinJoin offers one solution, but this is still an area of active research.
Change addresses open the door to loss of funds through several avenues. The most serious problem is that many Bitcoin users are unaware of the existence of change addresses in the first place. However, change addresses can cause problems even for users who understand them.
Discussion forums like the Bitcoin subreddit are filled with stories of users who either lost money or thought they lost money through change addresses. For some specific scenarios based on these stories, and ways to avoid them, see Five Ways to Lose Money with Bitcoin Change Addresses.
Back to Alice and Bob
Given a basic understanding of Bitcoin as a cash system, we can return the the problem of deciding how much of Alice's money will be involved in a payment to Bob.
We have no way to know whether a Alice‘s wallet contains a coin with a face value of the payment amount (1.05 BTC). As a result, we can’t say for sure if this will be the amount of Alice's payment.
Although Alice's address could just happen to contain only one coin, we have no reason to think this is the case, either. For example, her address may contain dozens of coins with face values totaling 2.23 BTC.
To answer the question, we‘d need to know the values of each coin at Alice’s address. Not only that, but we‘d need to know exactly how Alice’s wallet selects coins when making payments.
Like any cash payment, Bitcoin transactions often generate change. This change must be claimed by a change address or lost. The methods that change addresses are created and used lead to important implications for privacy and security. As a Bitcoin user, you owe it to yourself to understand change and how your wallet handles it.