Stealth address guide: Keeping crypto transactions private

While public blockchain records show only wallet addresses and amounts, they do not fully protect users' identities. Stealth addresses use public-private key combinations to hide flows of funds from prying eyes. This method of shielding incoming transactions has faced scrutiny, but it may soon increase privacy on Ethereum. Here is the lowdown on stealth addresses.

What are stealth addresses?

A common misconception is that all cryptocurrencies are impenetrably anonymous. After all, a sender only needs a recipient's address. Each address is a randomly generated string of alphanumeric characters depending on the cryptocurrency. For instance, a Bitcoin address includes 27-34 characters beginning with 1, 3, or bc1. The address of the first-ever BTC user is 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.

Yet the identity protection features of blockchain technology are not flawless. As a distributed ledger, a blockchain network is like a shared database. The parties' addresses and amounts are publicly available – anyone can see them via a blockchain explorer site like Blockchair. Thus, anonymity is lost if an address owner's identity is discovered.

Suppose you set up a crowdfunding campaign. Through crypto, you can receive funds from anywhere in the world. But there is a catch: once you make your address public, it is associated with your identity so that anyone can track all the incoming and outgoing payments.

Three ways anonymity on Bitcoin may be compromised. Source: Delfr.com

Stealth addresses solve this problem through a unique identifier for each transaction. Such wallet addresses are used only once, even when multiple transactions reach the same recipient. Serving as a proxy, they boost anonymity in the crypto space.

The concept of one-time addresses involving dynamic public and private keys was proposed by Peter Todd in 2014. Some stealth addresses are generated via the elliptic-curve Diffie-Hellman protocol, a scheme for establishing shared secrets over insecure channels.

With stealth addresses, parties transact privately while the recipient accesses their transactions using a special spending key. As Ethereum CEO Vitalik Buterin put it, "Stealth addresses give the same privacy properties as… generating a fresh address for each transaction, but without requiring any interaction."

Reasons for generating one-time addresses

The public ledger technology provides pseudonymity, not anonymity — it is still possible to discover the identities of the parties. Security is compromised when your name or other data is linked to your cryptocurrency wallet publicly. These cases are not limited to sharing addresses online – if you transfer crypto from a platform where you have undergone KYC verification, that address is a point of privacy failure.

The possibility of tracing transactions to wallets could seem disappointing, but there is nothing inherently sinister about it. This peculiarity lets blockchain analytics firms and law enforcement spot and thwart scams, money-laundering schemes, and other financial crimes. Unfortunately, it also attracts malevolent actors.

Placing your address behind a stealth address will confuse any would-be trackers. It will work like a post office box for mail or a VPN network that masks your computer's IP address. With your personal information reliably hidden, incoming transactions won't be traceable anymore.

Benefits of stealth addresses

Using a stealth address is not the only way to protect privacy, but it outshines existing alternatives. For example, coinjoin – batching transactions with other users – is imperfect. This method only works for Bitcoin and requires finding another BTC holder for a joint transaction.

Another workaround is a coin mixer. For example, Tornado Cash, recently blacklisted by the US Treasury, uses smart contract technology. Its mixer contract splits the deposited crypto into smaller denominations and lumps them with other users' deposits. However, it can only hide mainstream ERC-20 tokens and has also been involved in crypto heists.

Stealth addresses could unlock privacy for many use cases, including transactions with NFTs, POAPs (digital badges or collectibles created via the namesake protocol), and ENS domains. Vitalik Buterin explains, "For example, if Bob wants to receive POAPs, then Bob could give his POAP wallet (or even a not-very-secure web interface) his viewing key to scan the chain and see all of his POAPs, without giving this interface the power to spend those POAPs."

How stealth address systems work

Stealth addresses are created via various protocols, such as Monero. They are also generated within some crypto wallets. However, adding this feature to wallets is controversial, as many providers are wary of regulatory implications.

Existing stealth address schemes: Monero

Monero – a blockchain with enhanced privacy – relies on a three-tier system. Aside from stealth addresses, it includes ring signatures and RingCT. Its obfuscation methods make transfers untraceable and complicate tying them back to individual users.

Ring signatures conceal transactions by involving multiple public keys, or outputs, pulled from the blockchain via triangular distribution. As all ring members are equal, no observer can deduce which one belongs to your account. The true spend is thereby muddled.

RingCT (Ring Confidential Transactions) is a feature adopted by Monero in 2017. It conceals amounts, origins, and destinations via enhanced ring signatures – Multi-layered Linkable Spontaneous Anonymous Group signatures.

How Monero ring signatures work. Source: blog.pantherprotocol.io

Monero users do not have to create a new stealth address for each transaction, and they can adjust the level of transparency based on their needs. Upon creating an account, they receive the following:

  • A private view key for displaying all transactions to their account.
  • A private spend key for initiating payments.
  • A Public Address for receiving payments, generated using the two keys above.

To receive funds privately within the Monero ecosystem, a user publishes their Public Address once. All incoming transactions then go to shielded addresses on the blockchain. On the other hand, a sender creates a unique, single-use destination address for each transaction. No interaction with the recipient is required.

Only the parties involved know where the funds go. There is no way of connecting those transactions to the recipient's Public Address or any other addresses involved.

Users may share their view key to let others see their balance. On the other hand, some wallets are set up as "view-only" – i.e., without a spend key. As a result, they can neither sign transactions nor see outgoing payments. The use cases include validating transactions to hardware wallets (creating transactions to be signed offline) and monitoring incoming donations. Developers also use such view-only wallets when they write libraries for payment validation.

Despite seeing the public key on Monero, an observer cannot link it to Alice or Bob. Source: Monero YouTube channel

Vitalik's stealth address vision

In January 2023, Vitalik Buterin proposed adding stealth addresses to the Ethereum ecosystem to address privacy concerns, one of its largest remaining challenges. Here is how he describes this scheme in his "Incomplete guide to stealth addresses," reviewed by Ben DiFrancesco, Matt Solomon, Toni Wahrstätter, and Antonio Sanso.

Creating stealth addresses on Ethereum

Suppose Alice wants to send some ETH to Bob privately. It is impossible to hide the transfer, but concealing Bob's identity is more feasible. Either party to this transaction can create a stealth address that the recipient (Bob) will control. For Alice, this requires a special public key and a key only the sender knows.

Bob does not have to generate a new address for each transaction, and he does not have to interact with Alice at all if he registers his meta address on ENS — Ethereum's Domain Name System. Here is how such stealth addresses work.

Stealth address payment workflow. Source: vitalik.ca

  1. Bob generates a root spending key and a stealth meta address for his Ethereum name (e.g., bob.eth). He passes the meta address to Alice or records it in ENS.
  2. Knowing the meta address (or after looking it up in ENS), Alice creates Bob's stealth address via a computation involving a single-use ephemeral key only she knows.
  3. Alice transfers ETH to Bob's stealth address. In the process, Alice generates and publishes an ephemeral public key – an on-chain piece of cryptographic data.
  4. Bob scans the registry of all ephemeral public keys to discover the recipient address. In the process, each ephemeral public key is combined with his root spending key to generate a stealth address and check if it holds any assets. Once a match is found, Bob generates and memorizes the spending key for that address.

Scanning an ephemeral public key registry. Source: medium.com

What about transaction fees?

One of the obstacles to this implementation is Ethereum gas fees. When digital assets, whether fungible or non-fungible, land in a stealth address, it is otherwise empty. As the stealth address only contains what the sender transferred, the owner has no ETH to pay for the network gas and cannot transfer what they received elsewhere.

Sending ETH from the main wallet is possible but undesirable. Such a transaction would create a publicly visible link, defeating the purpose of the stealth address. Buterin mentions two solutions – a type of zero-knowledge proofs (ZK-SNARKs) and specialized transaction aggregators. The first option is prohibitively expensive – "hundreds of thousands of gas just for a single transfer."

Aggregators (aka "searchers") let you buy a set of "tickets" at once and use them to pay for transactions on-chain. To transfer assets from a stealth address, one would submit an encoded pre-paid ticket to the aggregator. The latter would include their transaction in a bundle repeatedly until it was accepted in a block. This method does not involve additional fees and has few trust and regulatory concerns due to its purpose.

Spending and viewing keys

Thanks to the elliptic curve technology, users do not have to manage everything with one root spending key. Instead, they may use a spending key and a viewing key, with the latter showing its owner's stealth addresses without enabling spending.

More efficient scanning

Adding a view tag to each ephemeral public key makes scanning the set easier. This view tag may be minuscule – just one byte of the shared secret. According to Buterin's estimates, this would cut the time Bob spends on the calculations to create and check the full address to 1/256 of the original. Computing the shared secret would only require one elliptic curve multiplication for each ephemeral public key.
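The payment workflow in steps 1–4 above, the spending/viewing key split, and the view tag shortcut, combined into one added example (not code from Buterin's post or from any wallet). It assumes the secp256k1 curve, SHA-256 as a stand-in for the scheme's hash, and a view tag taken from the first byte of that hash; all function names are hypothetical.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime (the curve Ethereum keys use)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    out = None
    while k:
        if k & 1:
            out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def shared(scalar, point):
    """ECDH secret -> (one-byte view tag, scalar tweak); SHA-256 is a stand-in hash."""
    s = mul(scalar, point)
    h = hashlib.sha256(s[0].to_bytes(32, "big") + s[1].to_bytes(32, "big")).digest()
    return h[0], int.from_bytes(h, "big") % N

def send(spend_pub, view_pub):
    """Alice: returns (ephemeral public key, view tag, Bob's one-time stealth key)."""
    r = secrets.randbelow(N - 1) + 1          # single-use ephemeral private key
    tag, t = shared(r, view_pub)
    return mul(r, G), tag, add(spend_pub, mul(t, G))

def scan(view_priv, spend_pub, announcements):
    """Viewing key only: find payments to Bob without any ability to spend."""
    for eph_pub, tag, dest in announcements:
        my_tag, t = shared(view_priv, eph_pub)   # one multiplication per entry
        if my_tag == tag and add(spend_pub, mul(t, G)) == dest:
            yield dest, t                        # full check runs only on a tag match

def stealth_priv(spend_priv, t):
    return (spend_priv + t) % N   # Bob's one-time spending key for that address
```

`scan` never touches the private spending key, which is what lets Bob hand the viewing key to a less trusted scanning service.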

Ethereum stealth addresses vs. quantum threat

The advent of quantum computers could make elliptic curve cryptography vulnerable to attack. If this threat materializes, cryptocurrencies would have to adopt quantum-resistant algorithms. Buterin suggests two alternatives – elliptic curve isogenies and lattices.

The first option would provide immunity to discrete logarithm attacks. On the downside, it uses highly complex mathematics that attackers might exploit. The mathematics in lattices is far more straightforward, but such stealth address schemes may require larger keys.

Finally, creating a stealth address scheme may be possible using "generic black-box primitives: basic ingredients that lots of people need for other reasons." In cryptography, the term "black box" means users can only determine a system's input and output behavior, but not its internal workings.

This method is not ideal, either. The first problem lies with the parallel algorithms ensuring the sender, not the recipient, can generate the spending key. Secondly, the ingredients will not be basic after all – they may not be simpler than those required to build a public-key encryption system.

Regulatory issues and other concerns

Stealth addresses have drawn heat from regulators and tax authorities as they break tracking heuristics. Theoretically, such non-public addresses may be used for all kinds of illicit behavior, from money laundering to terrorist financing to drug trade.

Tax evasion is another concern. Governments and regulators are developing measures to detect violators, such as Operation Hidden Treasure. This Internal Revenue Service (IRS) initiative launched in 2021 is aimed at taxpayers who under-report crypto-related transactions.

Any obfuscating technique is a double-edged sword. While boosting anonymity in line with crypto's initial promise, it may benefit dishonest or nefarious parties. Yet despite crypto scams making headlines, most users are honest – per Chainalysis' estimates, only 0.15% of all transactions in 2021 were used for illicit activity. The next year, while illicit volumes reached an all-time high amid the sanctions, the share only rose to 0.24%.

Banning privacy coins

In January 2023, the Dubai authorities announced plans to ban all "anonymity-enhanced cryptocurrencies", following suit after Japan and South Korea. If more governments implement similar measures, citing financial crime concerns, this could hinder mass adoption of crypto. Instead, CoinLoan CTO Max Sapelov says, "there should be more projects like Monero, as there is currently nearly no competition."

The need for simplification

Another problem with stealth addresses is the complexity for the user. In the absence of convenient front-end solutions, it may result in lag issues and high cost of multiple transactions unless they are batched. In the future, enhanced Layer 2 networks and Ethereum upgrades could make this method default and hassle-free. Meanwhile, Ether may eventually become a privacy coin.