Paper 2020/548

Blockchain Stealth Address Schemes

Gary Yu

Abstract

In a blockchain system, address is an essential primitive which is used in transaction. The $\textit{Stealth Address}$, which has an underlying address info of two public keys ($A,B$ ), was developed by Monero blockchain in 2013, in which a one-time public key is used as the transaction destination, to protect the recipient privacy. At almost same time, $\textit{hierarchical deterministic wallets}$ scheme was proposed as $\textit{bip-32}$ for Bitcoin, which makes it possible to share an $\textit{extended public key}$ ($K,c$) between sender and receiver, where $K$ is a public key and $c$ is a 256-bits chain code, and only receiver knows the corresponding private key of this $K$. With the $\textit{bip-32}$ scheme, the sender may derive the child public key $K_i$ with the child number $i$ by him/herself, without needing to request a new address for each payment from the receiver, make each transaction have a different destination key for privacy. This paper introduces an improved stealth address scheme which has an underlying address data of $(A_i,B_i,i)$, where $i$ is a child number and $i\in [0,2^{31}-1]$. The sender gets the receiver’s address info $(A_i,B_i,i)$, generates a random secret number $r\in [0,2^{64}-1]$ and calculate a Pedersen commitment \(C=A_iB_ih^{R^{'}.x}\) where \(R^{'}=B_i^r\), then the sender may use this commitment $C$ or \(Hash(C)\) as the destination key for the output and packs the \((R,i)\) somewhere into the transaction. This improved stealth address scheme makes it possible to manage multiple stealth addresses in one wallet, therefore the user is able to share different addresses for different senders.

Note: This is the blockchain stealth address schemes research. First edition published at May 2019, and later revised the name, added the robust multi-key stealth address introduction and updated the references.