The outline of the protocol is as follows:
  • Create a stealth address for the recipient based upon the recipient’s public key, using a value r, as described in Multi-Asset Shielded Pools.
  • To enable the recipient to derive the corresponding stealth private key, it is necessary to distribute r to the recipient. To do this, use the Diffie-Hellman protocol with the recipient's public reading key and an ephemeral sender key to derive a shared secret K, which can then be used to encrypt r.
In more detail, and omitting certain steps, the Spending transaction is as follows:
  • The sender retrieves the recipient’s SpendP ubKey, ReadP ubKey.
  • The sender generates a random r.
  • The sender calculates stealthAddress = r · SpendP ubKey.
– Note that, as described above, the recipient's corresponding private key will be r · SpendP rivKey which will only be known to the recipient.
  • To obtain the private key, it is necessary to distribute r to the recipient.
  • To distribute r to the recipient, it is first necessary to derive a shared secret K known only to the sender and recipient. The sender achieves this as follows:
– Generate an ephemeral DH keypair eP rivKey, eP ubKey.
– Compute shared secret K = eP rivKey · ReadP ubKey. That is, standard ECDH.
  • The sender can then use the shared secret K to encrypt a message m to the recipient to create a ciphertext C, where m (which includes r and the amount) generates the UTXO commitment.
  • The ephemeral public key eP ubKey and the ciphertext C are then published via an on-chain event.
An advantage to this approach is that the Sender does not need to obtain the Recipient’s stealth address for each transaction.
Last modified 2mo ago