Stealth Address

The Stealth Address System

https://gyazo.com/e6cd4d66d24640f84afa8768d19b58f1

BSAP (Basic Stealth Address Protocol)

sender: A = aG

receiver: B = bG

sender and receiver can compute a shared secret c using the ECDH:

c = H(abG) = H(aB) = H(bA)

senderはephermeral destination addressのcGへ送金。

receiverはprivate keyのcを知っているのでbGに送ることができる。

issues

1. ephemeral destination address は固定されているので両者をリンキングしやすい。

2. private key cを両者で共有している分、senderはpayment取り消し可能。

ISAP (Improved Stealth Address Protocol)

sender: an ephemeral key pair: R = rG -> transmits it with the transaction

receiver: B = bG

Both the sender and receiver can compute a shared secret c using the ECDH:

c = H(rbG) = H(rB) = H(bR)

senderはephemral destination addressのcG + Bに送金。

receiverのみがそのprivate keyのc+bを知っているので送金可能。

DKSAP(Dual-Key Stealth Address Protocol)

receiver

scan public key: S = sG

spend public key: B = bG

sender

ephemeral key pair: R = rG

transmits it with the tx

Both can compute a shared secret

c = H(rsG)=H(rS)=H(sR)

cG+Bに送金

⬆️のアドレスはcG+B or (c+b)Gで計算可能。

つまり、auditorにsとBをシェアすれば着金を確認することが可能。

targetのstealth addressを知ることができるので、

ただし、spendはprivate keyのc+bを知らないと無理。

Faster Dual-Key Stealth Address for Blockchain-Based Internet of Things Systems

https://gyazo.com/de2f7f612273b78d09efb8b6e12ce7c3

modified DKSAP in aztec

A stealth address has two public/private key pairs.

a scan key: V = vG

an issue key: S = sG

sender

generates an ephemral key pair: B = bG

constructs a DH shared secret x = H(vbG) = H(bV) = H(vB)

note's spending key - destination

Q = S + xG (i.e. private key: s + x)

それぞれのnoteごとにephemeral key Bはpublish。

つまり、

Qからは直接SやVへリンクしない。

scan keyによりspendできない権限でwalletに発行されたnoteを見ることができる。

viewing key : note decryption

a : x mod p

Refs

Private Keys in Monero

Private spend key -> One-time private keys for stealth addresses

Can a One-Time public key be used for more than one payment?

stealth addressの衝突は不可能

同じstealth address利用はキーイメージの衝突に。