The UTXO Model: What are Addresses and Transactions in Bitcoin?

2021-06-24

There is usually some confusion around the term "address" in Bitcoin. This confusion seems to stem from a fundamental misunderstanding about how the Bitcoin ledger is structured and how transactions work to update the state of this ledger. In this article, we will discuss the UTXO Model in Bitcoin and its implications are for the usability, privacy, and scalability of the network. We will also dive into future improvements that may be coming to the storage and manipulability of UTXOs and the UTXO set.

What is a UTXO?

Before we answer this, lets picture transactions in Bitcoin to get a better understanding about the structure of the system. Bitcoin can be thought of as a list of transactions, and these transactions are composed of inputs, outputs, and a cryptographic proof that proves authorization to move the funds in the inputs to the outputs. There is also a transaction fee, which is defined as the difference between the sum of the inputs minus the sum of the outputs, so it is implicitly carried and never explicitly appears in a transaction. A transaction can have as many inputs as it wants and as many outputs as it wants (though there are still size restrictions). All inputs in the system have to come from the output of another transaction, and thus transaction outputs can have one of two states: spent, or unspent.

The acronym UTXO stands for Unspent Transaction Output, and the UTXO set is the set of all transaction outputs that have yet to be spent. Put another way, bitcoins live in the UTXO set. You can think of each UTXO of being a unique coin worth a unique amount.

How does Spending a UTXO Work?

Given that a transaction output atomically moves from unspent to spent, there are some unintuitive ways in which Bitcoin transactions are created. Imagine you have a UTXO worth $50, and you want to buy $20 worth of gas. How can you partially spend that $50? The answer is, you can't. If you want to send $20 to the gas station, you have to spend the whole $50, but you can pay two people simultaneously. This gives $20 to the gas station, and $30 (minus the transaction fee) to a new address that you create. This practice is often called generating a change address. Now the old UTXO you had has been atomically spent, but you still control a UTXO worth $30. Similarly, if you have two UTXOs worth $10 dollars, you can create a transaction with two inputs that pays the gas station $20 dollars. This means that having a distribution of different UTXO values can be good. If you have too many small UTXOs, it can be expensive to put lots of inputs into transactions you want to create (remember, in Bitcoin you pay for how many bytes large your transaction is! More inputs means more bytes). If you have two few large UTXOs, it can damage your privacy (do you really want to pay for a meal with a UTXO worth thousands?). It also usually requires extra transactions to consolidate your funds, and it removes the possibility of making a payment that does not require change. Since change addresses can link unrelated payments and must be paid for when making a transaction, it is best to avoid change when possible.

So What are Addresses?

An address is probably poorly named, and a holdover from when Bitcoin was younger and terminology was still loose and being worked on. It is better to think of an address as an invoice: single use contracts that bind some money to a specific key that you control. Technically, addresses can be reused, but this is not considered best practice. Addresses can be generated for free, and reuse can reduce your privacy while offering no benefit (other than perhaps convenience). Modern software controls the creation of new addresses for users, but all addresses in Bitcoin are public, and you can send to any address you want.

Modern addresses use a format called bech32, and start with the prefix bc1. The address functionally locks any funds sent to it with a script. When you spend bitcoin out of a UTXO, you attach a proof that fulfills the script corresponding to the address, and you are then allowed to move the funds to new UTXOs. Whatever Bitcoin wallet you use will generate all of this for you, and handle creating new addresses from a single master key that you can backup.

How Do I Keep Track of All These UTXOs?

Luckily, Bitcoin is just software, and it keeps track of all UTXOs in your wallet for you. Although this system sounds complicated, modern wallet software has a very good backup user story. All of these addresses and UTXOs are generated by a master backup key that you can write down or otherwise store securely. If you ever lost your computer, you can read this backup key into any standard Bitcoin wallet, and it will automatically scan the UTXO set and find all of your UTXOs. While explaining this may seem complicated, the design is rather elegant. Although the Bitcoin blockchain is always growing since it is an append only ledger, the UTXO set grows and shrinks with use. As of today, the UTXO set is a little larger than 4.5 GB (with nearly 75 million UTXOs!), as opposed to the nearly 400 GB blockchain. By forcing transaction outputs to be atomically spent, it makes it easier for the software to prune unecessary data, as well as avoid nasty edge and race conditions.

You Mentioned Improvements. What Did You Mean?

As I said before, the UTXO set is less than 5 GB, which is pretty manageable, but still not very small. As Bitcoin scales to global use, the number of UTXOs will explode, making the UTXO set unweildy to users and miners trying to verify the state of the system. Luckily, software developers have anticipated this problem and have been working on a system called UTreeXO (get it?) that will solve the problem.

UTreeXO is a cryptographic accumulator that uses a set of perfect Merkle Trees to shrink the size of the UTXO set from gigabytes to kilobytes. Explaining Merkle Trees is a little beyond the scope of this blog, but basically a Merkle Tree uses a hash function (in the case of Bitcoin this is SHA256) to commit to a set of items. When you want to prove inclusion in this set (by, say, spending a UTXO), you only have to provide data equal to the log of the size of the set. Since hash functions are irreversible, the Merkle Tree construction allows you to efficiently prove inclusion in a set without revealing the whole set. You can condense an arbitrarily sized Merkle Tree down to a single 32 byte integer. This remarkable improvement could allow the entire UTXO set to fit inside a single QR code, and will easily allow it to fit inside the memory of future phones or other small IoT devices that need to validate Bitcoin transactions. Although Merkle Trees are well understood (indeed, they are used extensively throughout Bitcoin already!), the software needs to be optimized and tested well before it can be deployed inside the Bitcoin network. Luckily, since this change does not influence the consensus among nodes, it can be deployed whenever users wish to. If you wanted to, you could run it today, though it would not be advisable if you are controlling large funds from that node.

Conclusion

In short, Bitcoin's UTXO set is unintuitive, but rather simple. It provides scalability and reliability to the management of the best monetary asset the world has ever seen. With improvements like UTreeXO, the UTXO set will continue to scale and will allow even more nodes to validate the entire monetary supply of the world.