Eigen Address Anonymity

Eigen Network
3 min readJul 13, 2022

Eigen ZKZRU adopts a fast dual key exchange-based stealth address scheme for address anonymity. Check out the tutorial https://ieigen.github.io/#/docs/usage/StealthAddress.

In general, the Stealth address and Nullifier are two widely used anonymous transaction schemes. Compared to Nullifier used by Tornado Cash and AZTEC, Stealth address is account-friendly. Stealth address enables the sender to send the money to an “invisible” recipient, and the real recipient can derive the private key of the “invisible” recipient’s address.

The widely-used Stealth Address protocol is Dual-Key StealthAddress Protocol (DKSAP), which is designed for a wallet solution ShadowSend uses two pairs of keys, a scan key pair and a spend keypair to provide decentralized anonymous currency. However, The drawback of DKSAP is that it requires the receiver to continuously calculate and determine whether it is the real receiver of the transaction until it detected a transaction that matches. In this process, the receiver needs to perform many time-consuming elliptic curve scalar multiplication operations, which limits the application of DKSAP. Some new Enhanced DKSAP protocols proposed a more efficient approach to eliminate the intensive curve scalar multiplication . We optimize the Enhanced DKSAP protocol by binding the txdata to random r, so even the same stealth address can also be reused.

In The Enhanced DKSAP protocol shown in Figure 1, the recipient have m key pair (b_i, B_i) and one view key pair (v, V) on group (𝔾, p, g), m hash function H_i, i ∈ [0, m] for the previous key, and none of those keys will be open. A proxy server/audit is necessary to monitor the transactions on chain, which includes some R value and computes the pk’, and check whether pk’ matches pk from the corresponding transaction. For each public key pk , only the receiver can calculate the private key :

Figure 1

When a Sender would like to send a transaction to a Receiver in a stealth mode, The Enhanced DKSAP protocol works as follows:

  1. The Receiver has m key pair (b_i, B_i) and one view key pair (v, V) on group (𝔾, p, g), m hash function H_i, i ∈ [0, m]
  2. The server/auditor needs to know v to help the receiver continuously scan transactions on the chain
  3. The sender generates a random rr from ℤ_p, and calculates r =H(txdata||rr)
  4. The sender uses a one-time nonce pair R = rG and calculates the value S = rV , then the ephemeral public key pk can be calculated by:

5. The sender uses this ephemeral public key pk as the destination key for the output and packs the R into the transaction.

6. The server/auditor checks every passing transaction, and gets the transaction destination key pk and R, then calculates pk’:

7. if pk = pk’, The server/auditor packs the pk’ into the transaction and sends it to the receiver

8. The receiver can collect the payments by calculating the ephemeral public key sk:

That’s how we cut off the linkage between the sender and receiver. Check out the tutorial https://ieigen.github.io/#/docs/usage/StealthAddress.