Keys and Stealth Addresses

An introduction to Nocturne's anonymous addressing scheme

The core mechanism that allows generalized contract calls through Nocturne is a scheme for re-randomizable addresses, which we call stealth addresses.

Vitalik wrote a blog a while back about a scheme he calls "stealth addresses". Our scheme has similar functionality, but is cheaper, more flexible, and leads to better UX.

The main idea is to separate the ability to "view" transactions and the ability to "sign" transactions into two separate "private keys" - a viewing key and a spending key.

To avoid complicating key management, the viewing key can be derived from the spending key, but the spending key cannot be derived from the viewing key. In other words:

• Someone with access to only a user's viewing key can trace the user's transactions, but cannot spend the user's funds.

• Someone with access to the user's spending key can spend the user's funds and trace their transactions

• Someone without access to either key cannot trace the user's transactions or spend their funds.

From the viewing key, we then derive an associated address, which we refer to as the canonical address. A user's canonical address is analogous to a user's Ethereum address - it serves as a pseudonym that uniquely identifies an account.

However, unlike an Ethereum address, any user can randomize any other user's canonical address into a one-time stealth address without access to the user's viewing key. This stealth address refers to the same account as the canonical address, however, third parties cannot determine the association without access to the corresponding viewing key (i.e. it "looks random") . In the same manner, any user can also re-randomize any stealth address and generate new stealth addresses.

Consider a user Alice. She can generate any number of one-time stealth addresses that can only be linked via their viewing key.

Let's say Alice has a friend named Bob. She trusts Bob, so Alice shares her canonical address with him. He can generate stealth addresses to pay Alice without revealing her canonical address or knowing her viewing key.

Now consider a third user named Charlie who's a stranger to Alice, so Alice doesn't want to give him her canonical address. Instead, Alice can give him one of her stealth addresses, or he can get one from Bob. Then, if Charlie wants to pay Alice, he can re-randomize the stealth address and pay Alice using the re-randomized address.