ERC-5564 - Stealth Addresses

Introduction

Stealth addresses are a way of protecting the privacy of recipients in cryptocurrency transactions.
They allow a sender to non-interactively generate a new address for the recipient, making it look like as if the sender interacted with some random account.

On this page, we'll explore the basics of stealth addresses and how they work.
The following is based on ERC-5564 which outlines a basis framework for implementing stealth addresses.

How to receive stealth transactions?

In order to signal your ability to receive stealth transactions, you need a stealth meta-address.
The stealth meta-address consitsts of two different public keys (that can be compressed to 33 bytes each), the spending and the viewing public key, which are used by senders to send funds to the stealth address of the respective user.

  • The stealth meta-address can be publicly shared and used by others to generate stealth addresses on behalf of the owner.
  • The stealth meta-address does not reveal any information about future stealth addresses that are generated on behalf of the owner.
  • The corresponding private keys must be kept private. Only the viewing key can be shared with trusted third parties.

The viewing key secures your privacy, while the spending key secures access to funds.

Let's generate an example stealth meta-address


Essentially, the stealth meta-address is just the same as 2 standard Ethereum addresses combined.
The prefix `st:eth:` tells us that this is a stealth meta-address used on the Ethereum mainnet (see EIP-3770).



How to send to a stealth meta-address?

In order to send funds to someone's stealth address you need the recipient's stealth meta-address. Using the stealth meta-address of the recipient, one can derive the information necessary to perform the stealth transaction.

Let's go trough a quick example of how the final stealth address is derived.
We have Alice, who wants to send funds to the stealth address of Bob.

  • Alice takes the stealth meta-address of Bob and inputs it into some ERC-5564 compatible interface.
  • The interface takes the stealth meta-address, generates a random number and, after some elliptic curve operations, returns the stealth address of the recipient together with an announcement.
  • Alice can then send funds to the derived stealth address and publish the additional information retrieved. After that, she can be sure that Bob has every required information to find the stealth address and access it. All of this can be done in the background, hidden from the user, giving the user the feeling of sending to a stealth meta-address using a single transaction.
  • The announcement is published so that Bob can use it to find the stealth address Alice sent to and then derive the private key that controls that address.
  • The View Tag will allow Bob to speed up the parsing process to find his stealth address and will be included in the metadata field.

You can try it out here. Input a stealth meta-address and get all the info necessary to then execute a transaction.

Head over to Etherscan and use the contract on this address to send ETH and publish the announcement. The view tag is included in the metadata.
The contract simply emits an Announcement event, every time the `announce` function is executed.

⚠️ Only try it on the Sepolia testnet ⚠️



How do I know that someone sent to a stealth address that I can access?

Parsing. You have to go trough all announcements and check if the respecitive announcement, applied to your viewing private key, can unlock a valid stealth address.
While the viewing private key is used to find your stealth address, the spending private key is used to access those funds.
Therefore, the viewing private key can be given to a trusted parsing-provider that takes over the pasing job.
Finally, if successfully, the parsing provider returns the announcement that can then be used, together with the spending private key, to access the stealth address.

You can try it out here. Input your spending public key and your viewing private key and let the service start parsing.




FAQs

What is a stealth address?
Stealth addresses are regular Ethereum addresses that are generated by the sender in a non-interactive manner, with the knowledge that only the intended recipient will be able to access it. This approach allows the sender to avoid direct interaction with a specific entity, such as xyz.eth, and instead communicate through a fresh account that is not linked to the respective entity.
What's the benefit of using stealth addresses?
The use of stealth addresses enables the recipient of a transaction to remain anonymous, thereby preventing any on-chain links between the identity of the sender and the recipient. By utilizing stealth addresses, senders can send funds to recipients without revealing the fact that such a transaction has taken place to anyone else.
What is meant by "non-interactively"?
Stealth addresses do not require recipients to set up fresh new addresses for all potential senders. Instead, users must only generate a personal stealth meta-address once, which can then be used by other users to derive stealth addresses from it. Of course, nothing prevents users from just exchanging fresh addresses for every interaction manually, though, stealth addresses make such scenarios much more user-friendly.
What are some potential use cases for stealth addresses?
Stealth addresses offer significant potential for use in political donations, where senders may wish to avoid creating an on-chain connection to the recipient. For instance, by employing stealth addresses, one can contribute to an organization while enabling the organization to remain anonymous. To external observers, stealth transactions appear identical to regular transactions to a new address. An equivalent level of privacy can be achieved if senders use an encrypted channel to reach out to recipients and request newly generated addresses. However, this approach would necessitate the recipient to be active for every potential sender.
What is a stealth meta-address?
The stealth meta-address is a publicly shareable address that users can use to signal their willingness to engage in stealth address transactions. Senders use the stealth meta-address to derive distinct stealth addresses for their recipients. Wallet applications may provide UIs that allow users to simply input the stealth meta-address of another user and send directly to the (on-the-fly) generated stealth address, while emitting the necessary announcement.
Why is the stealth meta-address so long?
Stealth meta-addresses consist of two (different) public keys, the spending and the viewing public key. Both public keys can be compressed to 33 bytes, so the stealth meta-address has a length of 66 bytes. Notably, ERC-5564 is agnostic to different cryptographic schemes and allows users to generate stealth meta-addresses with an arbitrarily length (eg. lattice-based crypto).
Why do I need a spending and a viewing key for a stealth address?
While the viewing private key allows users to locate/find stealth addresses, the spending private key is used to derive the stealth private key that can eventually access the funds on the stealth address. Therefore, the viewing private key can be shared with trusted parsing providers who may assist in finding active stealth addresses that belong to oneself. The spending private key, on the other hand, must be kept private at all times.
What is ERC-5564 and ERC-6538?
Stealth Addresses have been known for more than 10 years now, however, without agreeing on a standardized way to use them, we cannot leverage the small, but for some use cases, sufficient privacy gains that stealth addresses offer. In essence, ERC-5564 serves to standardize the Messenger contract, which is necessary to trigger the event that provides recipients with the information needed to locate their stealth addresses (through parsing). By having a central place to "subscribe" to in order to stay up-to-date with incoming stealth transactions, users can safely engage in such transactions, knowing that the recipient doesn't have to experiment with different cryptographic methods to derive the final stealth address. While ERC-5564 establishes the basic framework for stealth addresses, it also enables the implementation of specific stealth address methods that use different cryptographic schemes, such as secp256k1, to build upon this foundation and take advantage of the standardized Messenger contract.
ERC-6538 represents the Registry Contract that serves as a central place for users to store and publish their stealth meta-addresses. Furthermore, the registry's goal is to enable smart contracts access to users' stealth meta-addresses in programmatic manners.
What is there to be standardized?
Stealth addresses require senders to be sure that recipients are aware of the cryptographic scheme being used so that they can ultimately locate their own stealth addresses. By generalizing stealth addresses and providing different stealth address implementations (that use different cryptographic schemes) a central place to publish the information required by recipients to locate their stealth addresses, ERC-5564 acts as a basis-framework for all sorts of cryptographic schemes that allow stealth addresses.
You cannot expect users to copy n' paste private keys!?
The above statement is true, but it only serves as a proof of concept (PoC). In order to avoid forcing users to engage directly with their plain-text private keys, there are alternative methods available for productive uses. One such method is the use of RFC 6979, which defines deterministic signatures. This method can be utilized to generate an application-specific key pair for the user. Here's how it works: The user logs into the website or application and signs a pre-defined and constant string, such as "This is a message to access your stealth address wallet on website xyz.com." The signature is then sliced into different parts and the individual parts are hashed to derive the private keys. These private keys are the spending and viewing keys required by ERC-5564. The corresponding public keys can then be directly registered into the Stealth-Meta Address Registry. Overall, this approach ensures that users do not have to directly engage with their private keys, making the process more secure and user-friendly.
How close to production?
Stealth addresses have already been implemented and brought to the Ethereum mainnet (and certain L2s) by the team of ScopeLift under the name of Umbra. Umbra uses a slightly different mechanism to generate stealth addresses compared to the one specified in the secp256k1 implementation in ERC-5564, though, it's a great tool to already try out stealth addresses in a production environment.

Resources