Perpetual Protocol 🥨

Posted on Feb 09, 2023Read on Mirror.xyz

Stealth Addresses Explained (And How To Use Them)

A simple explainer of stealth addresses, the plans for making them standardized for Ethereum and a walkthrough of how to use stealth addresses on Optimism today!

When looking at the overall DeFi market, privacy-preserving protocols only make up a very small part of it by total value locked. According to statistics provided by DeFiLlama, just 0.52% of the entire TVL is attributed to privacy applications, with Aztec and Tornado Cash taking the lion’s share. 

Cryptocurrencies hold a lot of potential for many reasons. One key reason is that cryptocurrencies can become fully digital, permissionless and private forms of money. However, in ETH’s current state, you actually have more privacy with a bank account. But that will soon change, with an indication that stealth addresses may eventually become the norm on Ethereum. 

The history of stealth addresses goes back to 2014, first proposed for Bitcoin and was implemented by Monero and other so-called ‘privacy coins’. The technique has recently received attention again after Vitalik Buterin published a deep dive into stealth addresses, explaining that “one of the largest remaining challenges in the Ethereum ecosystem is privacy”. 

https://twitter.com/VitalikButerin/status/1616527030790623233

To give some more background to this post, researcher and “open source maxi” Toni Wahrstätter proposed a draft Ethereum Improvement Proposal (EIP) back in August 2022 to use zk-SNARKs for ERC-721 tokens (aka NFTs) to enable private transfers for these types of tokens. Wahrstätter’s draft eventually led to the appearance of EIP-5564, which proposed using stealth addresses instead of zk-SNARKs on Buterin’s recommendation that they are a much more “lightweight way” to achieve what was set out. 

While EIP-5564 itself outlines a standardized way of creating stealth addresses on Ethereum to provide privacy benefits for different token standards, Buterin’s post goes into a lot of detail about the cryptography behind them and their potential uses in the future, such as how to make stealth addresses compatible with social recovery wallets, function across chains, and quantum resistant.

But what exactly are stealth addresses? How can they help with privacy? 

Instead of your wallet address being published onto the blockchain, a disposable one-time address is used to receive each transaction. It’s important to note that they do not hide transaction amounts. So an easy way to think of it: you’re generating a fresh address for each transaction, but each of these addresses can still be controlled from the same private key. You can access tokens sent to your stealth address, without exposing links to your wallet’s public addresses or other transactions. 

Stealth addresses differ from mixers like Tornado Cash because the latter obfuscate your funds by mixing your deposit with the deposits of other people into a pool of ETH or some other ERC-20 token. The drawback of this approach is that you must select a certain pool size to blend in with others, e.g., deposit to the 1 ETH pool. The technique attempts to break linkability, so your funds are mixed with others and then you can withdraw to a fresh address to prevent anyone from tracking the destination of your funds. 

But there is one similarity between stealth addresses and mixers like Tornado Cash: you have to follow best practices to enjoy the privacy benefits. For example, if you send funds from a stealth address or withdraw funds from a Tornado Cash pool to an address that others already know is yours, then the entire purpose of using these tools is defeated. 

When somebody sends you some tokens, what they’re basically doing is using the public keys in your address along with some random data to generate a unique one-time public key, or in other words, a stealth address. This address is recorded on transactions and on the blockchain, while your original address isn’t. The key advantage from the user’s perspective is that it now becomes impossible for the network or an outside observer to connect these random codes back to the originating wallets.

How Can Stealth Addresses Help a Normal user?

  1. If you’re collecting donations. For a completely transparent standard Ethereum address, a donor may see other transactions received and decide not to contribute. However, with stealth addresses, the recipient’s financial activity is never visible, so this could make them more likely to donate because they’re unable to determine the amount of donations received already. 

  2. Businesses could also use stealth addresses to pay their contributors or employees. In a highly competitive industry, they may not want their competitors to know how much they are paying their workforce. If your competitors don't know how much your employees are being paid, then it’s harder to make a better offer and poach them. 

  3. If you have some alpha and don’t want to leak it to the world. Stealth addresses can be used to place trades or make investments privately, putting up an obstacle for on-chain analyzooors from snooping on your blockchain activity (although timing analysis and filtering addresses that have received a certain amount of tokens can narrow it down).

What are the Downsides? 

As explained by Vitalik in his post, there’s a tradeoff between privacy and social recovery, where stealth addresses make it difficult to recover your funds in the event you lose the key or seed phrase. However, he notes that zero knowledge proofs can solve this in the long-term and for now it’s an acceptable trade-off if you lose access to your funds held in a stealth address, you’d have to give up your privacy to retrieve them or wait a long time. 

Transaction fees for ETH must be paid, which may reveal the true owner of a stealth address. For example, if you were to receive an NFT, then you cannot send it on to someone else without having some ETH in this address to cover the gas fees. Some potential solutions include a way to sponsor some ETH when receiving tokens to a stealth address or by making use of a mixer to fund the address with some ETH to cover the gas fees. 

Also, imagine you hold 0.50 ETH in a stealth address and another 0.50 ETH in another address that’s known to be yours. If you want to cash out say 0.75 ETH and you send ETH from both of these addresses to an exchange to swap for USDC, then it becomes clear to the exchange and a casual blockchain observer that you are the true owner of that stealth address. As mentioned earlier, you need to remain conscious of the limitations. 

The fight against online surveillance is never over. There are many other aspects of privacy to consider in addition to whether your ETH address is publicly known. Other than snooping on blockchain data and addresses, there are other weaknesses in the stack, such as RPCs, wallets, browsers, etc. Even with stealth addresses as the default on Ethereum, you’d still have to think about metadata leakage (such as your IP). 

To combat that, you’d have to use VPNs, privacy respecting RPCs, wallets with good features (such as BlockWallet or Frame), and alternative browsers such as Brave, Carbon or Status. For more tools, you can check out the Awesome Privacy website, which is a directory of privacy-respecting software and services. 

Stealth Addresses in Action with Umbra Cash

Now you know a bit more about stealth addresses, let’s look at how you can start using them right now on Optimism with Umbra Cash. But to deliver a maximal positive effect, stealth addresses should be a default for Ethereum addresses, which is exactly what EIP-5564 proposes.

Umbra Cash is a protocol that enables stealth addresses on multiple networks, including Arbitrum, Ethereum, Optimism and Polygon. The diagram below from Umbra encapsulates what was explained in the previous section. 

Source: Umbra

To get started, you’ll have to first connect your wallet and generate some ‘stealth keys’ by signing a message and submitting a transaction. After the transaction is confirmed, it saves the public keys on-chain so anyone can send you the supported tokens on Optimism privately (currently ETH, DAI, USDC and USDT). Since we’re on the Optimism network, the gas fees are super low (around $0.30 at the time of writing) to generate the stealth address. 

Now let’s say you want someone to send you some ETH. The payer can go to Umbra, select “Pay” then enter your address, the token they want to send and the amount (shown below). 

Once sent, you select “Receive” from the home page and Umbra will start scanning for funds (which may take a few minutes). After the scan is complete, you’ll then see the ETH you’ve been sent. You can then click on Withdraw and then enter an address to receive the ETH to.

No longer do you have to give out a unique address each time for best privacy. Umbra allows you to give out just one public address and receive ETH or other tokens to many other fresh addresses to become a blockchain ninja! 

And notice that when you check a blockchain explorer, there’s no record of 0.01 ETH being sent to the original address used to generate the stealth keys on Umbra. Although, an observer will see a record of the generation of those stealth keys (but not the actual addresses you withdraw to). For the sender, it will look like they’re sending 0.01 ETH to Umbra’s contract. 

Umbra will also warn you about bad practices with a pop-up if you try to withdraw to an address that might reduce your privacy. You should always withdraw to a fresh address (although you’ll need to fund it with ETH to cover gas somehow), an address that’s not publicly linked to your identity or a least desirable solution is to withdraw to an exchange address you control. 

But what about the receiver’s side? What does that look like on the blockchain? 

Well, a fresh address was generated and funded with 0.01 ETH on Umbra’s side, with no transaction history. Then this fresh address was triggered to send the 0.01 ETH to the withdrawal address (notice under the ‘To’ field in the screenshot below is the withdrawal address specified in Umbra).

It’s still early for EIP-5564 since it is in draft status, the second out of five stages an EIP must go through before it becomes added to the Ethereum protocol. Until then, Umbra Cash provides a way to regain some privacy when sending payments or using DeFi. Although it’s not a comprehensive solution to Ethereum’s lack of fungibility, EIP-5564 will certainly be a positive step in the right direction and help privacy to become less stigmatized in the future.

Links