How stealth addresses work in Monero

by
John
from John D. Cook on (#71PWX)

alice_monero.jpg

Suppose Alice runs a confidential restaurant. Alice doesn't want there to be any record of who visited her restaurant but does want to get paid for her food. She accepts Monero, and instead of a cash register there are two QR codes on display, one corresponding to her public view keyA and the other corresponding to her public spend keyS.

How Bob buys his burger

A customer Bob walks into the restaurant and orders a burger and fries. When Bob pays Alice, here's what's going on under the hood.

Bob is using software that generates a random integerr and multiplies it by a pointG on an elliptic curve, specifically ed25519, obtaining the point

R = rG

on the curve. The software also multiplies Alice's view keyA, a point on the same elliptic curve, byr, then runs a hash functionH on the producerA that returns an integerk.

k =H(rA).

Finally, Bob's software computes the point

P =kG +S

and sends Alice's cash register, i.e. her crypto wallet, the pair of points (P,R). The pointP is astealth address, an address that will only be used this one time and cannot be linked to Alice or Bob [1]. The pointR is additional information that helps Alice receive her money.

How Alice gets paid

Alice and Bob share a secret: both know k. How's that?

Alice's public view keyA is the product of her private view key a and the group generatorG [2]. So when Bob computesrA, he's computingr(aG). Alice's software can multiply the point R bya to obtaina(rG).

rA =r(aG) =a(rG) =aR.

Both Alice and Bob can hash this point-which Alice thinks of asaR and Bob thinks of asrA-to obtaink. This is ECDH: elliptic curve Diffie-Hellman key exchange.

Next, Alice's software scans the blockchain for payments to

P =kG +S.

Note thatP is on the blockchain, but only Alice and Bob know how to factorP intokG +S because only Alice and Bob knowk. And only Alice can spend the money because only she knows the private keys corresponding to the public spend keyS where

S =sG.

She knows

P =kG +sG = (k +s)G

and so she has the private key (k +s) corresponding toP.

Related posts

[1] Bob sends money to the address P, so there could be some connection between Bob and P on the Monero blockchain. However, due to another feature of Monero, namely ring signatures, someone analyzing the blockchain could only determine that Bob is one of 16 people who may have sent money to the address P, and there's no way to know who received the money. That is, there is no way, using only information on the blockchain, who received the money. A private investigator who saw Bob walk into Alice's restaurant would have additional information outside the blockchain.

[2] The key assumption of elliptic curve cryptography is that it's computationally infeasible to divide" on an elliptic curve, i.e. to recovera from knowledge ofG and aG. You could recovera by brute force if the group were small, but the elliptic curve ed25519 has on the order of 2255 points, and a is some integer chosen randomly between 1 and the size of the curve.

The post How stealth addresses work in Monero first appeared on John D. Cook.
External Content
Source RSS or Atom Feed
Feed Location http://feeds.feedburner.com/TheEndeavour?format=xml
Feed Title John D. Cook
Feed Link https://www.johndcook.com/blog
Reply 0 comments