litecoin/doc/mweb/stealth-addresses.md

Stealth Addresses

Transacting on the MWEB happens via stealth addresses. Stealth addresses are supported using the Dual-Key Stealth Address Protocol (DKSAP). These addresses consist of 2 secp256k1 public keys (A_i, B_i) where A_i is the scan pubkey used for identifying outputs, and B_i is the spend pubkey.

Notation

• G = Curve generator point
• Bold uppercase letter (A, A_i, etc.) represents a secp256k1 public key
• Bold lowercase letter (a, a_i, etc.) represents a scalar
• A letter in single quotes ('K') represents the ASCII value of the character literal
• HASH32(x | y | z) represents the standard 32-byte BLAKE3 hash of the conjoined serializations of x, y, and z
• HASH64(m) represents the BLAKE3 hash of m using a 64-byte output digest
• SWITCH(v, r) represents the pedersen commitment generated using a blind switch with value v and key r.

Address Generation

Unique stealth addresses should be generated deterministically from a wallet's seed using the following formula (using G = generator point):

1. Generate master scan keypair (a, A) using HD keychain path m/1/0/100'
2. Generate master spend keypair (b, B) using HD keychain path m/1/0/101'
3. Choose the lowest unused address index i
4. Calculate one-time spend keypair (b_i, B_i) as:
   b_i = b + HASH32(A | i | a)
   B_i = b_i*G where G refers to the curve generator point
5. Calculate one-time scan keypair (a_i, A_i) as:
   a_i = a*b_i
   A_i = a_i*G where G refers to the curve generator point

Outputs

Outputs consist of the following data:

• C_o - The pedersen commitment to the value.
• Output message, m, consisting of:
  • K_o - The receiver's one-time public key.
  • K_e - The key exchange public key.
  • K_s - The sender's public key.
  • t - The view tag. This is the first byte of the shared secret.
  • v' - The masked value.
  • n' - The masked nonce.
• A signature of the m using the sender's key k_s.
• A rangeproof of C_o that also commits to the m.

Output Construction

To create an output for value v to a receiver's stealth address (A_i,B_i):

1. Generate a random sender keypair (k_s, K_s). # TODO: Can we generate this deterministically?
2. Derive the nonce n as the first 16 bytes of HASH32('N'|k_s)
3. Derive the sending key s = HASH32('S'|A_i|B_i|v|n)
4. Derive the shared secret e = HASH32('D'|s*A_i). The view tag t is the first byte of e.
5. Calculate the receiver's one-time public key K_o = B_i + HASH32('O'|e)*G
6. Calculate the key exchange pubkey K_e = s*B_i
7. Derive the 64-byte mask m = HASH64(e)
8. Encrypt the value using v' = v ⊕ m[32,39]
9. Encrypt the nonce using n' = n ⊕ m[40,55]
10. Calculate the commitment C_o = SWITCH(v, m[0,31]).
11. Generate the rangeproof for C_o, committing also to m.
12. Sign m using the sender key k_s.

Output Identification

NOTE: the wallet must keep a map B_i->i of all used spend pubkeys and the next few unused ones.

To check if an output belongs to a wallet:

1. Calculate the ECDHE shared secret e = HASH32('D'|a*K_e)
2. If the first byte of e does not match the view tag t, the output does not belong to the wallet.
3. Calculate the one-time spend pubkey: B_i = K_o - HASH('O'|e)*G
4. Lookup the index i that generates B_i from the wallet's map B_i->i. If not found, the output does not belong to the wallet.
5. Derive the 64-byte mask m = HASH64(e)
6. Decrypt the value v = v' ⊕ m[32,39] where m[32,39] refers to bytes 32-39 (0-based big-endian) of the 64 byte mask m.
7. Verify that SWITCH(v,m[0-31]) ?= C_o
8. Decrypt the nonce n = n' ⊕ m[40,55].
9. Calculate the send key s = HASH32('S'|A_i|B_i|v|n)
10. Verify that K_e ?= s*B_i.

If all verifications succeed, the output belongs to the wallet, and is safe to use.

The spend key can be recovered by k_o = HASH32('O'|e) + a_i.