The co-founder of Ethereum, Vitalik Buterin, has disclosed a plausible solution to what he describes as the “largest remaining challenge” for Ethereum’s privacy.
It is common knowledge that all data placed on a “public blockchain” is public by default. In a blog post on January 20th, Buterin acknowledged the need for a privacy solution and came up with the idea of “stealth addresses,” which he claimed have the potential to protect users by making peer-to-peer transactions, non-fungible token (NFT) transfers, and Ethereum Name Service (ENS) registrations anonymous.
What is a Stealth Address System?
A stealth address system is a transactional option in which a one-time address is created for each transaction by either of the transacting parties, and the sender sends the assets to this generated address. All of this is done in an effort to hide public blockchain transactions.
In the blog post, Buterin uses two fictional characters (Alice and Bob) to explain how the stealth address system would work. According to him, in a bid to make the transaction anonymous, “Bob sends Alice (or registers on ENS) some kind of “address” encoding how someone can pay him, and that information alone is enough for Alice (or anyone else) to send him the asset.”
How are transactions conducted using Stealth addresses?
Although the stealth address can be created by either of the transacting parties, only the receiver has total control over the wallet and its assets. The receiver generates and keeps the spending key and derives a stealth meta-address from this key. The receiver then sends the meta-address to the sender (or registers it on ENS), and the sender conducts a computation on the meta-address to generate the stealth address. It is to this generated stealth address that the assets are sent. While sending the assets, the sender also uploads some additional cryptographic data (an ephemeral pubkey) on-chain. This helps the receiver locate the particular address that belongs to them.
Below are the stages a stealth address transaction undergoes:
- The receiver generates its root spending key and stealth meta-address.
- The receiver then adds an ENS record to register the stealth meta-address for xyz.eth.
- The sender looks up the receiver’s stealth meta-address on ENS (the sender must already know that the receiver is xyz.eth).
- The sender proceeds to generate an ephemeral key that is known to only them, and they use it once (to generate this specific stealth address).
- The sender uses an algorithm that combines their ephemeral key and the receiver’s meta-address to generate a stealth address, and assets can be sent to the generated address.
- The sender then generates their ephemeral public key and uploads it to the ephemeral public key registry (this can be done in the same transaction as the first transaction that sends assets to this stealth address).
- For the receiver to locate the stealth address belonging to them, they need to scan the ephemeral public key registry for the entire list of ephemeral public keys published by anyone for any reason since the last time they did the scan.
- For each ephemeral public key, the receiver attempts to combine it with their root spending key to generate a stealth address and checks whether there are any assets in that address. If there are, the receiver computes the spending key for that address and remembers it.
This scheme relies on two uses of cryptographic trickery. The first creates a shared secret, which needs two algorithms: one that uses the sender’s secret information (their ephemeral key) and the receiver’s public information (their meta-address), and another that uses the receiver’s secret information (their root spending key) and the sender’s public information (their ephemeral public key). There are numerous ways to accomplish this; the Diffie-Hellman key exchange, one of the results that helped establish the field of modern cryptography, is one of them.
However, according to Buterin, a shared secret by itself is insufficient: if a private key were generated from the shared secret alone, both the sender and the receiver could spend from this address. Buterin added in the blog post that they could have left it at that and relied on the receiver to move the funds to a different address, but this would be inefficient and would unnecessarily weaken security.
Therefore, Buterin added a key blinding mechanism: a pair of algorithms that allow the sender to combine the shared secret with the receiver’s meta-address, and the receiver to combine the shared secret with their root spending key. As a result, the sender can generate the stealth address and the receiver can generate the spending key for that address, without establishing a visible connection between the stealth address and the receiver’s meta-address (or between one stealth address and another).
Stealth addresses and paying transaction fees
The Ethereum co-founder stated that transaction fees can be paid using ZK-SNARKs, a cryptographically secure technique with built-in privacy features.
Buterin noted that “this costs a lot of gas, an extra hundreds of thousands of gas merely for a single transfer,” emphasizing that this may cause issues of its own in the short run.
Trusting specialized transaction aggregators is another brilliant strategy mentioned by Buterin. Users can buy a set of “tickets” from these aggregators that can be used to pay for on-chain transactions. When a user needs to spend an NFT held in a stealth address that doesn’t contain anything else, they give the aggregator one of the tickets, encoded using a Chaumian blinding method.
Buterin asserts that stealth addresses offer a different type of privacy than that of Tornado Cash, which is currently sanctioned by the U.S. Office of Foreign Assets Control (OFAC). He stated that “Tornado Cash can hide transfers of mainstream fungible assets such as ETH or major ERC20s […] but it’s very weak at adding privacy to transfers of obscure ERC20s, and it cannot add privacy to NFT transfers at all.”
Today, simple stealth addresses can be readily built and might significantly improve practical user privacy on Ethereum. “They do require some work on the wallet side to support them.”