Stealth Addresses

For stealth addresses, we use the scheme from https://eprint.iacr.org/2018/990.pdf.

A user's canonical address, which we will refer to as "the user's canonical address", or $C$ for short, is a Baby Jubjub curve element defined as $C = \text{vk} \times G$.

A user's stealth address is any pair of Baby Jubjub points $(H_1, H_2) \in \mathbb{G}^2$ such that $\text{vk} \times H_1 = H_2$. There are many stealth addresses for any given user. Without any other information, the association between any two stealth addresses cannot be determined without access to the underlying viewing key.

Before randomizing a user's canonical address $C$, it needs to be mapped to a pair of points $C \rightarrow (G, C)$. We refer to this $(G, C)$ pair as the "canonical stealth address" even though it's not really a "stealth address" because we haven't randomized it yet.

To randomize a stealth address pair $S = (H_1, H_2)$, we sample a random scalar $s \leftarrow \mathbb{F}_r$ and scalar-multiply into both curve elements, i.e. $S' = (s \times H_1, s \times H_2)$. Note that any user may randomize any stealth address without knowing the underlying viewing key or canonical address. All they need is a random number generator and an existing stealth address. We sometimes call this "re-randomization".

Given a user's viewing key $\text{vk}$, we say the $\text{vk}$ "owns" a stealth address if the address was generated from $\text{vk}$. We check this using the equation below:

$$8 \times (\text{vk} \times H_1 - H_2) = (0, 1)$$

By $(0, 1)$, we specifically mean the curve point $(0, 1)$, which is the "zero", or "additive identity" element of Baby Jubjub's curve group (not the prime-order subgroup). This gives the user a way to trace their own transactions.

Security Requirements

We have three requirements from the stealth address scheme

Inability to extract viewing key from Canonical Address

This is easy to see under the assumption that the discrete log problem is hard in Baby Jubjub.

Inability to extract viewing key from Stealth Address

We require that the attacker can never extract the viewing key from stealth addresses. This is the "unforgeability" requirement from from https://eprint.iacr.org/2018/990.pdf. A security proof can be found there.

Inability to link Stealth Addresses

We require that, given two stealth addresses, an attacker cannot tell whether or not they correspond to the same viewing key. This is the "indistinguishability" requirement from https://eprint.iacr.org/2018/990.pdf. A security proof can be found there.

Note that this property implies that it's also impossible for an attacker to link a given stealth address and canonical address because we can trivially reduce this problem to the problem of linking two stealth addresses by mapping the canonical address $\text{C}$ to its corresponding "canonical stealth address" $(\text{G}, \text{C})$.