I don't want too many "own addresses" in my wallet

After installing Zcash4win, I clicked “New T-address” and “New Z-address” respectively, and generated two new addresses in addition to the default “own address”. Then I sent most of my balance in the default T-address to ShapeShift for exchanging and transferring to MyEtherWallet via the default “own address”. After the transaction was complete, I found another newly-created T-address in my wallet, which was not generated manually by myself. The new T-address was apparently generated automatically to contain some small change resulting from the transaction. I now have 4 addresses (3 T-addresses and 1 Z-address) in my wallet.

This is the first time I have conducted a transaction through my Zcash4win wallet. Is this normal? Will a new T-address be automatically generated every time I conclude a transaction? Why doesn’t the “small change” automatically return to my default “own address”? This is a little confusing and frustrating.

1 Like

This is “standard” behavior for T-addresses that Zcash inherited from Bitcoin. I’d actually prefer to change this behavior so that change returns to the sending address, and new addresses would only be generated when the user explicitly requests them. It sounds like you would prefer to use addresses in that manner. Is that correct? I filed zcash ticket #2675 to track this feature request.

Here’s a long story as to why Zcash and Bitcoin behave this way:

Early on many people thought it had fairly good privacy, because anyone could create an address at any time. However, the record of all transactions is public, including sender, recipient, amounts, and any stipulations put on those funds by Bitcoin Script. (In Zcash this is also true when transferring funds between T-addresses.)

In Bitcoin and Zcash, all funds live in “unspent outputs”. The transparent outputs in Zcash are the same as Bitcoin’s and they’re called “utxos”. If you have a 3 BTC utxo (you can think of a utxo like a cash bill) and wanted to spend 1 BTC out of address A, you have to split the utxo into a new 1 BTC utxo and a 2 BTC “change” UTXO, and assign the 1 BTC utxo to your intended recipient. But where do you assign the change? To me it seems most logical and convenient to assign it back to the sending address A. However, because the Bitcoin blockchain is fully transparent, this meant it would be easy to tell which output was for the recipient, and which was change. So for a desire for privacy, Bitcoin wallets tend to assign the change to a newly created address. It turns out this doesn’t provide much privacy at all, and analysis of the blockchain can deduce which outputs are change anyway, but early on people didn’t anticipate that very well.

This actually has several terrible consequences. First of all, some users would back up their wallets, then send some BTC which would generate new change addresses with new secret keys which weren’t backed up, then delete their wallet believing that their backup had saved everything. This destroyed their funds. Their assumption was quite reasonable, but the overly complicated behavior of the wallet violated their simpler, reasonable expectations (this is a common recipe for security failures in usability). [1]

Another consequence is that users can’t treat Bitcoin addresses or (current) Zcash T-addresses like “accounts” where they can separate their funds into different tranches and track them separately, for example “monthly expenditures”, “general savings”, “mortgage downpayment”, etc… So if you want to do that kind of accounting, Bitcoin addresses and (current) Zcash T-addresses don’t help you in that regard.

In Zcash we have Z-addresses which have very strong privacy, so the wallet sends change back to the sending address. This means a Z-address can be used for your own accounting purposes. You can have one for HODLing, one for your monthly bills, etc… You can list their transaction history separately, give them out separately to counterparties, etc… Also, if you back up a Z-address, you can rest assured that you will be able to recover all funds at that address at any time in the future without making a new backup. Very important.

Since Zcash has Z-addresses which provide strong privacy, I think it could be a good change to switch T-addresses to send change back to the sending address. Then a user could treat T-addresses and Z-addresses similarly in terms of backup and accounting. The drawback is marginally worse “privacy” for T-addresses, but those already don’t have privacy, just as Bitcoin addresses don’t. They are already vulnerable to blockchain analytics, so it seems like a waste to sacrifice backup and “sensible accounting” for the illusion of privacy.

[1] In many Bitcoin wallets with BIP32 “hierarchical deterministic wallets” this backup problem is solved because all new addresses get generated from the same secret seed which is backed up. This “fixes” the backup problem by adding complexity (BIP32 generation) to overcome overly complicated behavior (random change addresses) which provides no real privacy, and still makes the user’s life more complicated (no accounting support). Zcashd doesn’t have this behavior yet, but we should add it because the “backup mistake” is a disastrous experience for users.

8 Likes
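The UTXO split and the backup failure described in the post above, as an added illustration that is not code from the thread, Zcash4win or zcashd. It models a toy transparent-address wallet with two change policies (fresh change address versus change back to the sender), takes a backup before a spend, and then measures how much of the wallet a restore from that backup would still be able to spend. Addresses, keys and amounts are constructed stand-ins, not real Zcash data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

COIN = 100_000_000  # smallest unit per coin (satoshi / zatoshi)


@dataclass
class Utxo:
    address: str   # address that controls this output
    amount: int    # value in smallest units


class ToyWallet:
    """Minimal transparent-address wallet: keys, utxos, and a change policy."""

    def __init__(self, fresh_change: bool) -> None:
        self.fresh_change = fresh_change   # True: Bitcoin-style fresh change address
        self.keys: Dict[str, str] = {}     # address -> secret key (constructed)
        self.utxos: List[Utxo] = []

    def new_address(self) -> str:
        # Constructed deterministic stand-in for a randomly generated keypair.
        n = len(self.keys) + 1
        addr, secret = f"tAddr{n:03d}", f"sk{n:03d}"
        self.keys[addr] = secret
        return addr

    def receive(self, address: str, amount: int) -> None:
        self.utxos.append(Utxo(address, amount))

    def backup(self) -> Dict[str, str]:
        """Snapshot of the keys known at this moment (a wallet.dat copy)."""
        return dict(self.keys)

    def send(self, from_addr: str, amount: int, recipient: str, fee: int = 0) -> Optional[str]:
        """Spend one utxo of from_addr; return the change address used (None if no change)."""
        for i, u in enumerate(self.utxos):
            if u.address == from_addr and u.amount >= amount + fee:
                break
        else:
            raise ValueError("no single utxo large enough")
        spent = self.utxos.pop(i)
        # The recipient's output leaves our wallet; only the change output comes back.
        change = spent.amount - amount - fee
        if change == 0:
            return None
        change_addr = self.new_address() if self.fresh_change else from_addr
        self.utxos.append(Utxo(change_addr, change))
        return change_addr

    def spendable_after_restore(self, backup: Dict[str, str]) -> int:
        """Funds a restore from `backup` could still sign for."""
        return sum(u.amount for u in self.utxos if u.address in backup)


def simulate(fresh_change: bool) -> dict:
    """Back up, then spend 1 of 3 coins; report what the backup still covers."""
    w = ToyWallet(fresh_change)
    a = w.new_address()
    w.receive(a, 3 * COIN)
    snapshot = w.backup()                 # user backs up here...
    change_addr = w.send(a, 1 * COIN, "tRecipientXYZ")  # ...then sends
    return {
        "change_to_sender": change_addr == a,
        "keys_in_wallet": len(w.keys),
        "recoverable": w.spendable_after_restore(snapshot),
        "total_change": sum(u.amount for u in w.utxos),
    }


if __name__ == "__main__":
    for policy in (True, False):
        print("fresh change address" if policy else "change to sender", simulate(policy))
```

With the fresh-change policy the 2-coin change sits on a key created after the backup, so a restore recovers nothing; with change returned to the sender the same backup still covers the full 2 coins. A simple check for any wallet is to compare the key set after every send against the last backup, which is exactly the gap BIP32-style seeds close by making every later key derivable from one backed-up secret.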

Thank you for the detailed explanation that enables me to understand the history behind this seemingly strange behavior, which is important for newbies like me. Yes, you are absolutely right that I’d actually prefer to change this behavior so that change returns to the sending address, and new addresses would only be generated when the user explicitly requests them. Hopefully Zcash developers would make the change. For the time being, I may have no choice but to back up every new automatically created T-address when a new transaction is conducted.

But there does not seem to be a way to merge funds of several T-addresses in my wallet without incurring transaction fees. In fact, the change in the newly-generated wallet is so small that it would probably be parked there forever.

2 Likes

Since Zcash has Z-addresses which provide strong privacy, I think it could be a good change to switch T-addresses to send change back to the sending address. Then a user could treat T-addresses and Z-addresses similarly in terms of backup and accounting. The drawback is marginally worse “privacy” for T-addresses, but those already don’t have privacy, just as Bitcoin addresses don’t. They are already vulnerable to blockchain analytics, so it seems like a waste to sacrifice backup and “sensible accounting” for the illusion of privacy.

While Z-addresses provide strong privacy, you are encouraging a use of them that would remove any gains your fancy crypto gives. Let’s say I decide to treat addresses as accounts and generate an address T1 for use with in-person trades and T2 for use with internet purchases. I move funds from my cold storage Z address into T1 and T2. I make a bunch of transactions and eventually T1 and T2 are empty. Any merchant I deal with can see how often I make trades and how many funds I have used with 100% certainty. If I refill either of those addresses from Z1, that shielding doesn’t actually gain me any privacy; any merchant I’ve dealt with in the past will see funds arriving and can very easily track them. There is more than just an illusion being lost with your design. Analysis of the blockchain with unique change addresses can deduce probabilities for which output is the change. Analysis isn’t guaranteed to break privacy.

[1] In many Bitcoin wallets with BIP32 “hierarchical deterministic wallets” this backup problem is solved because all new addresses get generated from the same secret seed which is backed up. This “fixes” the backup problem by adding complexity (BIP32 generation) to overcome overly complicated behavior (random change addresses) which provides no real privacy, and still makes the user’s life more complicated (no accounting support). Zcashd doesn’t have this behavior yet, but we should add it because the “backup mistake” is a disastrous experience for users.

While BIP 32 doesn’t have accounts, BIP 44 does. It was authored all the way back in 2014. Trezor’s implementation of accounts with BIP 44 is very user friendly and the “complexity” is really not much. It also allows for truly secure, one-time backups. You seem to be forgetting that your design still requires constant backups of the wallet file as new addresses are still generated randomly. Sure, there will be less churn in the key pool, but it is still there as users can still generate addresses whenever they want. Deterministic wallets are an improvement over randomly generated keys. Please don’t go backwards. Please just stick with the well established standard that Trezor and Ledger and all the other wallets I’ve ever actually put funds into use.

Also, re-using addresses worsens the privacy and network usage of SPV clients. With BIP44, my client just keeps track of the last used index for each account. When I open my wallet after being offline for a while, my wallet only has to ask peers about these tips. If the tip has a transaction associated with it, it generates the next address and checks that. I only ever need to refresh old addresses if I know they’ve been reused, but rescanning old addresses is not the default. With your design, I have to ask all my peers about every address I’ve ever used because they are being treated like accounts and there might be additional transactions on them. An SPV wallet could be coded to ask peers for transactions after a certain timestamp but that is a privacy leak that I don’t think we should be adding.

Please, reconsider your thoughts on change addresses. OP’s issues are better solved by a better UI, not by reusing addresses.

3 Likes
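The discovery procedure the previous post describes for a BIP 44-style light client (start at the last used index, query the next derived address, stop after a run of unused ones), as an added example that is not code from the thread or from any wallet named in it. The derivation function and the on-chain history are constructed stand-ins: `derive_address` just labels an (account, index) pair, and `CHAIN_HISTORY` is a made-up set of addresses that have transactions. It also counts the queries an address-reuse (“account”) model would need, to make the SPV cost comparison in the post concrete.

```python
from typing import Callable, List, Set, Tuple

GAP_LIMIT = 20  # BIP 44 recommended account-discovery gap limit


def derive_address(account: int, index: int) -> str:
    # Hypothetical stand-in for deriving m/44'/coin'/account'/0/index; no real keys.
    return f"t-acct{account}-idx{index}"


# Constructed sample chain state: external addresses 0, 1, 2 and 5 of account 0 were used.
CHAIN_HISTORY: Set[str] = {derive_address(0, i) for i in (0, 1, 2, 5)}


def has_history(address: str) -> bool:
    """Stand-in for the 'ask peers whether this address has transactions' query."""
    return address in CHAIN_HISTORY


def discover(account: int, query: Callable[[str], bool],
             start_index: int = 0, gap_limit: int = GAP_LIMIT) -> Tuple[List[int], List[str]]:
    """Gap-limit scan from start_index.

    Returns (indexes found to be used, addresses that had to be queried).
    Each used address resets the gap; gap_limit consecutive unused ones end the scan.
    """
    used: List[int] = []
    queried: List[str] = []
    index, gap = start_index, 0
    while gap < gap_limit:
        addr = derive_address(account, index)
        queried.append(addr)
        if query(addr):
            used.append(index)
            gap = 0
        else:
            gap += 1
        index += 1
    return used, queried


def account_model_queries(used_addresses: List[str]) -> List[str]:
    """Under address reuse every previously used address may have new activity,
    so a client coming back online must re-query all of them."""
    return list(used_addresses)


if __name__ == "__main__":
    # Cold start: scan from index 0.
    used, queried = discover(0, has_history)
    print("used indexes:", used, "queries:", len(queried))
    # Resume later, remembering only the last used index (5).
    used_tip, queried_tip = discover(0, has_history, start_index=used[-1])
    print("resume from tip: used", used_tip, "queries:", len(queried_tip))
    print("reuse model re-queries:", len(account_model_queries([derive_address(0, i) for i in used])))
```

On the constructed history the cold scan queries 26 addresses (indexes 0 to 25) and finds four used ones; resuming from the stored tip costs 21 queries regardless of how many older addresses exist, and the set of addresses revealed to peers stays confined to the tip and the unused window. The reuse model re-queries every historical address each time, which grows with the wallet's lifetime and is the leak the post points at.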

I’m not a zCash user, but as for change addresses, if the wallet has Coin Control then you should be able to specify your preferred change address(es) to use. Also, setting an address for a particular trading partner is up to you, and fine for identifying funds coming in from particular customers, and I do not see that exposes your privacy to the customer, if only the funds they themselves put there are ever there. If you pay various suppliers you would pay from any randomly selected, or a fresh address in your wallet.

I presume that zCash users are likely users of similar wallets in other currencies and I agree with WyseNinja, that the proposed changes are inadvisable, and would lead to dangerous practices by people who expect behaviour in common with the UTXO handling in other Electrum wallets, for example.