## What it is

A Stealth Address protocol allows for the derivation of valid public keys by 3rd parties without knowledge of the connected private key.

Stealth Addresses are used in Blockchains to protected the privacy fund recipients. To do so, senders generate a new Stealth Address non-interactively to which they send funds. The recipient can spend the funds given that the generated Stealth Address is linked to a private key only the recipient has knowledge of.

## How it works

In our example, Alice wants to send funds to Bob in a privacy-preserving manner. She therefore generates a Stealth Address that’s linked to a private key Bob controls.

Throughout the writeup we’ll be working with an Elliptic Curve $E$ that is of order $q$ and has a generator $G$. All calculations are done $\bmod\ q$ if not stated otherwise.

As a first step, Alice and Bob both generate their private- and public keys.

To generate a private key, Alice samples a random value from $\mathbb{Z}_q$.

$a \overset{{\scriptscriptstyle\}}{\leftarrow} \mathbb{Z}_q$

She then multiplies this private key $a$ with the generator $G$ to derive her public key.

$A = aG$

Bob does the same and also samples a random value from $\mathbb{Z}_q$ which he uses as his private key.

$b \overset{{\scriptscriptstyle\}}{\leftarrow} \mathbb{Z}_q$

He then derives his public key by multiplying the private key $b$ with $G$.

$B = bG$

Next up, Alice and Bob both share their public keys with each other.

Using the public key they just received, both can derive a shared secret $S$ following the Elliptic Curve Diffie-Hellman protocol.

To do so, Alice multiplies Bob’s public key $B$ with her private key $a$.

\begin{aligned} S &= aB \\ &= abG \end{aligned}

Bob calculates the same $S$-value by multiplying Alice’s public key $A$ with his private key $b$.

\begin{aligned} S &= bA \\ &= baG \end{aligned}

Alice can now generate a new Stealth Address that’s linked to Bob’s private key $b$.

To do so, she first has to hash the shared secret $S$ via a cryptographic hash function $H$. The result of this operation is interpreted as a point on the curve $E$. She then multiplies this result with the curve generator $G$ and adds Bob’s public key $B$ to it.

$Pk_{st} = B + G \times H(S)$

This end result is the public key of the Stealth Address to which Alice can send funds to.

Bob can follow the same steps to derive the same Stealth Address public key.

$Pk_{st} = B + G \times H(S)$

Furthermore, Bob can calculate a private key he can use to spend the funds from the Stealth Address by hashing the shares secret $S$ with a cryptographic hash function $H$ to which he adds his private key $b$.

$Sk_{st} = b + H(S)$

### Stealth Address with View Key

The downside of the aforementioned Stealth Address implementation is that Bob needs to monitor the Blockchain to find transactions that were sent to Stealth Addresses he can control. This problem of active monitoring can be outsourced to a service provider by introducing the concept of a view key.

It’s important to note that this view key can only be used to find Stealth Address transactions. It can’t be used to spend funds from such addresses as it’s not the corresponding private key.

The Stealth Address protocol variation follows similar steps as the basic Stealth Address implementation described above.

First, Alice generates her private key $a$ by sampling a random value from $\mathbb{Z}_q$.

$a \overset{{\scriptscriptstyle\}}{\leftarrow} \mathbb{Z}_q$

She then calculates her public key $A$ by multiplying this private key $a$ with the generator $G$.

$A = aG$

Bob does the same and also samples his private key $b$ randomly from $\mathbb{Z}_q$.

$b \overset{{\scriptscriptstyle\}}{\leftarrow} \mathbb{Z}_q$

He also derives his public key $B$ by multiplying his private key $b$ with $G$.

$B = bG$

In addition to this, he also generates a view key. A randomly sampled value from $\mathbb{Z}_q$ is used as the view key’s private value.

$v \overset{{\scriptscriptstyle\}}{\leftarrow} \mathbb{Z}_q$

The view key’s public value is it’s private value $v$ multiplied by $G$.

$V = vG$

Following the stealth address protocol outlined above, Alice and Bob exchange their public keys $A$ and $B$ with each other. Bob also sends the public value of the view key $V$ to Alice.

Both can now derive a shared secret $S$. To do so, Alice multiplies her private key $a$ with the view key’s public value $V$.

\begin{aligned} S &= aV \\ &= avG \end{aligned}

Bob calculates the same, shared value $S$ by multiplying the view key’s private value $v$ with Alice’s public key $A$.

\begin{aligned} S &= vA \\ &= vaG \end{aligned}

Alice can now generate a valid Stealth Address by hashing the shared secret value $S$ with a cryptographic hash function $H$, the result of which is interpreted as a point on the curve $E$. This result is then multiplied by the generator $G$ to which Bob’s public key $B$ is added.

$Pk_{st} = B + G \times H(S)$

Alice can now send funds to this public key.

A third party can now use the view key to monitor the Blockchain for Stealth Addresses to which Bob has the spending key $b$. This is done by Bob handing the view key’s private value $v$ to the third party provider. The provider can then search for potential Stealth Addresses Bob controls by iterating over all the $S$ values and calculating the corresponding $Pk_{st}$.

$Pk_{st} = B + G \times H(S)$

Once a stealth address is found, Bob can be notified. He can then calculate the Stealth Addresses’ private key $Sk_{st}$ to be able to spend the funds.

$Sk_{st} = b + H(S)$

Again, it’s important to note that only Bob can spend the funds from the Stealth Address, as only he knows $b$. Knowledge of $v$ and $V$ only allows for the identification of Stealth Addresses, but not for the control of them.

## Why it works

To see, why Bob can control any Stealth Address someone else generated with his public key $B$ or his public view key $V$ we can expand the Stealth Address equation.

\begin{aligned} Pk_{st} &= B + G \times H(S) \\ &= bG + G \times H(S) \\ &= G(b + H(S)) \\ &= G(Sk_{st}) \end{aligned}

As can be seen, the public key $Pk_{st}$ is equal to the private key $Sk_{st}$ Bob calculates multiplied by the generator $G$ which is in alignment with the way private- and public keys are generated in regular Elliptic Curve Cryptography.

## References

The following resources have been invaluable for me to learn the concepts discussed in this article.

You should definitely give them a read if you want to dive deeper into the topic.