Stealth Address
Disclaimer: This is a summary of patterns we have observed during our research and should not be considered any form of technical or investment advice. Also, the given “known examples” do not imply they are the best implementations of the said pattern or any superior to any other implementation of the pattern not listed.
Summary
Use a one-time address (aka., stealth address) for the transaction to protect the privacy of the parties involved in the payment.
Context
Sellers and buyers are engaged in multiple transactions and are concerned about their privacy.
Problem
How can transacting parties protect their privacy when engaging in a large number of transactions?
Forces
- Privacy – While a blockchain transaction is pseudonymous, it is possible to correlate transactions and reveal the real-world identity by linking transactions with other data (e.g., IP address). For example, by analysing the transaction graph, flow of tokens, and other external information, third parties could correlate the transactions and observe buyers’ and sellers’ behaviour and identify the entity behind an address.
- Volume – Buyers and sellers may engage in a large number of transactions.
- Traceability – Transacting parties and regulators expect to track the flow of tokens.
- Auxiliary information – Depending on the use case, buyers’ and sellers information may be available on-chain (e.g., seller credential) or off-chain (e.g., trade reports and census data).
Solution
Buyer’s and seller’s anonymity can be enhanced by using a one-time address referred to as the stealth address. The figure illustrates the sequence of activities required to generate a stealth address and share it between transacting parties using two techniques. Note that the buyer and seller roles in the figure are interchangeable. In the first technique, the seller creates a one-time address/account for each transaction on behalf of the buyer such that different transactions sent to the same recipient are unlinkable. The seller could inform the new account to the buyer off-chain, e.g., an invoice can contain the new address. The second technique shares a key/secret off-chain between the two parties that can be used to generate a new account for each future transaction. For example, a one-time secret can be shared between the parties to use as the seed to create a public-private key pair of a new account. Then the hash of that key can be used as a seed to create the next account. This could be extended to a hash chain, where each round of hashing produces a datum that can be used as the seed to create a new public-private key pair. However, this would mean both seller and buyer can spend the token as the private key for the account are known to both. This could be overcome by modifying the public-private key generation process as presented in the BIP-32 standard. A couple of other solutions could also be used to share the secret on-chain, e.g., reuse a public key, reuse a signature nonce, and the seller’s addressing requiring to have a specific prefix.
Benefits
- Privacy – As a new address is used for each transaction, it is not straightforward to correlate and trace transactions on the blockchain. This enhances the protection of the real-world identity of the recipient.
Drawbacks
- Traceability – As new addresses are created based on an off-chain secret, it is difficult to track transactions targeted to the same physical recipient.
- Volume – The recipient of payments will find it difficult to link, reconcile, redeem, and manage transactions as each transaction is linked to a different address. Moreover, transactions may still contain additional details such a product/service types and quantities, when aggregated, could reveal transacting parties behaviour and identity. Furthermore, if the recipient wants to later aggregate tokens without revealing its identity, it has to use token mixing services, which incur additional costs.
Related patterns
- Stealth addresses can be used with token registry and escrow patterns to hide the address of sellers and buyers.
Known uses
- Basic Stealth Address Protocol (BSAP) adopts the Elliptic Curve Diffie-Hellman (ECDH) protocol to deal with Bitcoin transactions. Improved Stealth Address Protocol (ISAP) is an upgraded version of BSAP with an additional key creation feature. The recipient is the only entity that can compute the private key for the temporary address to receive Bitcoin.
- To address overuse of private spending key, Dual-Key StealthAddress Protocol (DKSAP) is designed for a wallet solution ShadowSend uses two pairs of keys, a scan key pair and a spend keypair to provide decentralised anonymous currency.