Comment on page
A user's stealth address is any pair of Baby Jubjub points
. There are many stealth addresses for any given user. Without any other information, the association between any two stealth addresses cannot be determined without access to the underlying viewing key.
Before randomizing a user's canonical address
, it needs to be mapped to a pair of points
. We refer to this
pair as the "canonical stealth address" even though it's not really a "stealth address" because we haven't randomized it yet.
To randomize a stealth address pair
, we sample a random scalar
and scalar-multiply into both curve elements, i.e.
. Note that any user may randomize any stealth address without knowing the underlying viewing key or canonical address. All they need is a random number generator and an existing stealth address. We sometimes call this "re-randomization".
Given a user's viewing key
, we say the
"owns" a stealth address if the address was generated from
. We check this using the equation below:
, we specifically mean the curve point
, which is the "zero", or "additive identity" element of Baby Jubjub's curve group (not the prime-order subgroup). This gives the user a way to trace their own transactions.
We have three requirements from the stealth address scheme
This is easy to see under the assumption that the discrete log problem is hard in Baby Jubjub.
We require that the attacker can never extract the viewing key from stealth addresses. This is the "unforgeability" requirement from from https://eprint.iacr.org/2018/990.pdf. A security proof can be found there.
We require that, given two stealth addresses, an attacker cannot tell whether or not they correspond to the same viewing key. This is the "indistinguishability" requirement from https://eprint.iacr.org/2018/990.pdf. A security proof can be found there.
Note that this property implies that it's also impossible for an attacker to link a given stealth address and canonical address because we can trivially reduce this problem to the problem of linking two stealth addresses by mapping the canonical address
to its corresponding "canonical stealth address"