5

I am reading the technical "specification" for stealth addresses, available here. The core idea is described in the following paragraph:

Using Elliptic curve Diffie-Hellman (ECDH) we can generate a shared secret that the payee can use to recover their funds. Let the payee have keypair Q=dG. The payor generates nonce keypair P=eG and uses ECDH to arrive at shared secret c=H(eQ)=H(dP). This secret could be used to derive a ECC secret key, and from that a scriptPubKey, however that would allow both payor and payee the ability to spend the funds. So instead we use BIP32-style derivation to create Q'=(Q+c)G and associated scriptPubKey.

I understand everything except the last sentence. As far as I can tell, Q and c are known to the payee and payer so the keypair Q'=(Q+c)G is also known to both. How does Q' allow for only the payee to spend the funds? How does BIP32-style derivation work?

Janus Troelsen
  • 899
  • 8
  • 26
Randomblue
  • 783
  • 8
  • 18

3 Answers3

1

I believe there is a typo. It should instead read Q'=(d+c)G=Q+cG. The private part d+c is an offset of the payee's private part d, so only known to the payee. The public part is an offset cG, known to both.

Randomblue
  • 783
  • 8
  • 18
1

maybe this will help? https://bitcoin.org/en/developer-guide#hierarchical-deterministic-key-creation

or check the various BIP32 implementations (bitcore for example)

Ruben de Vries
  • 546
  • 4
  • 10
0

This algorithm generates a public key, which both parties know. It's just a public key, though, so only recipient has the ability to spend the funds.

According to the paper, Q is the recipient's stealth public key and c is the shared secret. The calculation Q'=(Q+c)G creates a shared public key derived from the receiver's stealth public key.

If the receiver's private stealth key is d, they can unlock the funds by calculating the new private key (d+c). The sender doesn't know d, so they have no way of calculating this value.

BIP32 HD wallets use the same idea. You can start with a private key, k, and a public key K = kG. Then, you start adding random numbers (hashes, actually) to both keys. As long as you add the same number to both the private and the public key, you maintain a working keypair. You can reveal your public key K, which allows others to addresses, but they cannot spend from those addresses without knowing the private key k.

William Swanson
  • 111
  • 2