2

Lets say user A wants to send bitcoin to user B stealth address.

  1. What is exactly user B's stealth address? Is it his public key? Since User A needs to multiply his private key with user B's public key based on Elliptic Curve Diffie-Hellman so I assume user A is receiving the complete point which is user B's public key.

  2. User A shoud calculate PrivA * PublicB which results in a coordinate. As far as I know this point will be used by multiplying it to the publicB and a nonce and that will be sent to the network. If what I am saying is correct, how can I multiply this coordinate with PublicB since both of them are points. Do we only get one axis of this point from the diffie hellman's calculation?

abeikverdi
  • 854
  • 8
  • 21
  • Very good question. Pybitcointools has [code](https://github.com/vbuterin/pybitcointools/blob/master/bitcoin/stealth.py) for it FWIW – Wizard Of Ozzie May 07 '15 at 15:50

1 Answers1

3

What is exactly user B's stealth address? Is it his public key?

In the simplest stealth address scheme, yes. The exact encoding depends on the implementation; DarkWallet's is described in their wiki.

how can I multiply this coordinate with PublicB since both of them are points?

Correct, S = PrivA * PublicB = PrivB * PublicA is a point. We want an integral shared secret. ECDH tells you to use the x coordinate of S as the shared secret, but in Bitcoin it's done differently. Instead int(sha256(compress(S))) is used:

  1. serialize S in compressed form as per SEC 1's Elliptic-Curve-Point-to-Octet-String Conversion
  2. take its SHA-256 digest
  3. interpret the result as a 256-bit big-endian integer

This integer, c, is then used by A to calculate a public key PublicB + c*G to which A spends, and by B to calculate its private key (PrivB + c) * G from which B can redeem (where G is the base point generator).

Note that there's a problem with this "simplest" scheme. The only way that B's wallet software can see if a UTXO is redeemable by B (to keep track of the wallet's balance) is by doing the math above, which requires PrivB. In other words, it makes watching-only wallets impossible (and cold wallets impractical).

One solution to this is to use one PublicB/PrivB pair for ECDH, but a different PublicB2/PrivB2 pair for deriving the spend/redeem keys. Now you can keep PrivB in your watching-only wallet, and PrivB2 in your cold wallet. On the down side, B's stealth address is now twice as long, containing both PublicB and PublicB2.

Christopher Gurnee
  • 2,493
  • 15
  • 22