# Spending

The outline of the protocol is as follows:

- Create a stealth address for the recipient based upon the recipient’s public key, using a value
*r*, as described in Multi-Asset Shielded Pools. - To enable the recipient to derive the corresponding stealth private key, it is necessary to distribute
*r*to the recipient. To do this, use the Diffie-Hellman protocol with the recipient's public reading key and an ephemeral sender key to derive a shared secret*K,*which can then be used to encrypt*r.*

In more detail, and omitting certain steps, the Spending transaction is as follows:

- The sender retrieves the recipient’s
*SpendP ubKey, ReadP ubKey.* - The sender generates a random
*r.* - The sender calculates
*stealthAddress = r · SpendP ubKey*.

– Note that, as described above, the recipient's corresponding private key will be

*r · SpendP rivKey*which will only be known to the recipient.- To obtain the private key, it is necessary to distribute
*r*to the recipient. - To distribute
*r*to the recipient, it is first necessary to derive a shared secret*K*known only to the sender and recipient. The sender achieves this as follows:

– Generate an ephemeral

*DH*keypair*eP rivKey, eP ubKey.*– Compute shared secret

*K = eP rivKey · ReadP ubKey*. That is, standard ECDH.- The sender can then use the shared secret
*K*to encrypt a message*m*to the recipient to create a ciphertext*C*, where*m*(which includes*r*and the amount) generates the UTXO commitment. - The ephemeral public key
*eP ubKey*and the ciphertext*C*are then published via an on-chain event.

An advantage to this approach is that the Sender does not need to obtain the Recipient’s stealth address for each transaction.

Last modified 2mo ago