Stealth Address and Key Management Techniques in Blockchain Systems
Nicolas T. Courtois¹ and Rebekah Mercer¹,²
¹University College London, UK
²Clearmatics Ltd, London, UK
Crypto Coin Privacy
2 Courtois Mercer ICISSP'17
Topics
Bitcoin vs. Monero
Privacy / anonymity:
– for senders [Ring Signatures]
– for receivers [Stealth Address methods]
– for the transaction amount [CT]
Chaum e-cash
CT = Confidential Transactions, not studied here
Confused?
“un-trace-able” “un-link-able”
Monero
Privacy / anonymity:
– for senders [Ring Signatures]
– for receivers [Stealth Address]
– for the transaction amount [CT]
=> “un-linkable” transactions
5 Nicolas T. Courtois 2009-2016
Problem in Bitcoin
Q: Does Monero remove this????
Bitcoin vs. Monero
Bitcoin: private key = b, public PK = b.G, H(PK) => 01…
Transaction: PK1, PK2; H(PK3), H(PK4). Amounts shown: 1.74582 BTC, 1.99 BTC, 0.29394 BTC. Same user? Same user?
Monero: spend key b, view key v; spend pub B = b.G, view pub V = v.G. Tracking key: v, B.
Random R = r.G, publish R with tx.
One Time Destination key: H(r.V).G+B, R
1000 MNR; outputs: 100 MNR to D21…, 100 MNR to 2A7…, 100 MNR to Z93…, 100 MNR to P32…
Motivation
Blockchain Anonymity – for Users
Privacy/Anonymity is NOT a concern for the 90% honest people?
WRONG: Asymmetry of information
corporations always win, customers always lose
market manipulation and big data used by criminal business
your life insurance will be overpriced
a self-driving car will kill you after being hacked by the mafia
Blockchain Anonymity – for Financial Institutions!
Blockchain technology WILL NEVER be adopted by banks if it INCREASES the disclosures => need for anonymity solutions.
Advanced crypto solutions:
• Mixes, Exchanges, Altcoins/Side Chains/Offchain Storage
• Stealth Addresses (attributed to Peter Todd)
• Confidential Transactions (CT) by Maxwell
• Ring signatures:
• Zero knowledge proofs,
• Attribute-based encryption,
• Multiparty computation on encrypted data,
• Etc.
Monero Fundamentals
def: UTXO = Unspent Tx Output
[Figure: the blockchain with Transaction 12 (PK1; H(PK3), H(PK4); 1.99 BTC) and Transaction 25; outputs marked “spent” or “not spent yet”.]
Bitcoin and Monero
Bitcoin: private key = b, public PK = b.G
Monero: spend key b, view key v; spend pub B = b.G, view pub V = v.G
One Time Destination PK: PK = H(r.V).G+B, R
Figure labels: UTXO; 100 MNR to PK7
Same Principle:
1. Money is attributed to PK,
2. You know the ECDL of this PK
=> can spend the money!
In Monero the blockchain knows NOTHING except money is flowing between ‘fresh’ pseudonyms PK. (also publishes R).
Monero - Covert Creation of Secrets
In Monero the blockchain knows NOTHING about the receiver identity=A,B, (the sender does use A,B).
The blockchain sees only PK and the extra number R (helps to unlock what is inside).
Principle: The receiver will have a “magical method” to compute the private key for this one-time PK.
Based on DH + extra pieces.
One Time Destination PK: PK = H(r.V).G+B, R
Stealth Address Method[s]
(several variants)
basic variant first
CompSec COMPGA01
15
EC Diffie-Hellman
Alice: secret a, sends a.G. Bob: secret b, sends b.G.
Shared key: ab.G = ba.G
Alice’s computation: a.(b.G).
Bob’s computation: b.(a.G).
Stealth Address = “Invisible” Recipient
• Based on ideas by user=ByteCoin [Bitcoin forum]. “Untraceable transactions […] are inevitable.” 17/4/2011. Expanded and re-developed on 6/1/2014 by Peter Todd.
A method to protect the recipient [nobody knows I sent money to this recipient]
BTW. it is largely “permission-less”…
*Who is using Stealth Address?
• Dark Wallet, open source BTC wallet,
– implements 102-chars long S.A. + coin mixing.
• Monero
– Market cap $20M=>$100M recently
• Vertcoin QT client
– Market Cap: $1M
• Shadow cash,
– Market cap $2M
“permission-less!”
Stealth Address = “Invisible” Recipient
• Using Diffie-Hellman. Sender=a, Receiver=b private keys.
• Sender/A knows the recipient’s public key b.G mod P and Rec/B knows Send/A’s public key a.G mod P.
• Sender/A computes S=ab.G.
• A computes H(S) and generates a deterministic new bitcoin private key SK_transfer=H(S). Transfer address E = H’( H(S).G ).
• A sends bitcoins to this address (Send/A could take money back!)
• Due to DH magic, Rec/B also knows this private key H(b.(a.G)).
• B takes the money and transfers it to a new address, quickly!!!!
Security
• Risk:
– The sender can spend! [Todd Jan 2014]
– Both know private key SK_transfer=H(S).
– The sender has like 24h to think about it and change his mind.
– The receiver MUST be active, ONLINE: move money ASAP to another account before Sender takes it back.
– active/real time => easier to trace, poor anonymity,
– good for catching criminals who ask for ransoms.
Security (contd)
• Increased disclosure:
– Here Recipient/B knows public key b.G in advance (public directory? or e.g. disclosed to any user who visits a recipient web site).
– In bitcoin it is not disclosed [NSA: pls crack ECDSA/ECDL in 1 second vs. 1 year].
• Nobody knows who is the recipient of a given transaction or we cannot relate it with Recipient/B public key b.G even though it is in a public directory.
• Recipient/B is anonymous only if he can hide his network presence (e.g. using TOR) when spending his attributions [issuing digital signatures].
– He needs to be careful about how he is spending the money: next address not stealth, not protected!
Improved
Asymmetric Stealth Address
Method
Improved Stealth Address = Stronger Spending Key
Sender/A and Recipient/B share this common secret:
A shared bitcoin private key for A/B
H(S) = H( ab.G )
One can derive a stronger/more interesting private key like:
e = H(S)+b
Asymmetry here: Recipient/B will be the ONLY person to know b.
Yet Sender/A CAN compute the corresponding public key [and he knows the recipient, other people don’t].
E = H(S).G+b.G
Later he just sends money to H’(E).
*inevitably E will be revealed when this money is spent further.
***Only A and B can know if this E is valid [variant of DDH problem].
E = One Time Destination key, e = One Time Spending key.
Sender cannot spend anymore!
*Improved Stealth – DH View
Payer/Sender: secret a, public a.G. Receiver: secret b, public b.G.
Shared key: ab.G = ba.G
Sender: S=a.(b.G). Send bitcoins to E=H(S).G+b.G.
Receiver: H(S)=H(b.(a.G)). Private key e=H(S)+b!!!
****variant with random nonce-keypair
Payer/Sender: random r, public r.G. Receiver: secret b, public b.G.
Shared key: rb.G = br.G
Sender: S=r.(b.G). Send bitcoins to E=H(S).G+b.G.
Receiver: H(S)=H(b.(r.G)). Private key e=H(S)+b!!!
Stealth Address - Drawbacks
• Must monitor ALL transactions in blockchain!!!!
Download last few months: 1 day on a PC.
Yet Stronger:
2xKey Stealth Address
Method
decouples “masking” from DH mechanism used when spending
2-Key Stealth Address
• Current private key b will become 2 values: user Private User Key = b,v
• 2 keys playing a different role, b is “more” secret.
• One of them = v = View is given to a proxy entity to implement painful blockchain checks for us and notify us that payment has arrived.
Tracking Key= v, b.G (removes anonymity).
* b,a in CryptoNote 2.0 paper by Nic van Sab.
spend key b, view key v
spend pub B=b.G, view pub V=v.G (a.k.a. ‘Scan pubkey’)
• Receiver has Public User key= b.G, v.G.
Advertised/provided/listed by the receiver, NOT visible in the blockchain transactions!
slight improvement
Monero 2xStealth Address
Method
Again
• sender avoids using ANY permanent identity a, A.
• instead he uses a random ephemeral ‘nonce keypair’ r and publishes R=r.G together with the current transaction.
• a subtle point, made clear by Todd 06 Jan 2014. (other sources use notation P=e.G for the same thing).
Better Stealth Address used in Monero
• Recipient/B has Private User Key = b,v
• Proxy has Tracking Key= v, b.G (removes anonymity).
• Receiver Public User key= b.G, v.G.
• Let S=v.(r.G) = r.(v.G). Sender random r, publishes R=r.G with this tx.
• Proxy and Receiver can compute v.(r.G) for every tx done by any A.
• Sender/A can do r.(v.G).
• A sends bitcoins to E=b.G+H(S).G.
• Proxy does not know e.
• Proxy can compute E and see transactions (view key for this tx).
• Only the recipient has b (spend key for this tx).
– Private key e=b+H(S) allows to spend the bitcoins sent to E.
*fixed a was replaced by random r
Bitcoin vs. Monero
Bitcoin: private key = b, public PK = b.G, H(PK) => 01…
Transaction: PK1, PK2; H(PK3), H(PK4). Amounts shown: 1.74582 BTC, 1.99 BTC, 0.29394 BTC. Same user? Same user?
Monero: spend key b, view key v; spend pub B = b.G, view pub V = v.G. Tracking key: v, B.
Random R = r.G, publish R with tx.
One Time Destination key: H(r.V).G+B, R
1000 MNR; outputs: 300 MNR to D21…, 400 MNR to 2A7…, 300 MNR to Z93…, 100 MNR to P32…
Privacy – Good?
1000 MNR; outputs: 300 MNR to D21…, 400 MNR to 2A7…, 300 MNR to Z93…, 100 MNR to P32…
At this moment: NO WAY to know which outputs are “change” and which are Recipient addresses
Problem 3.
1000 MNR; outputs: 300 MNR to D21…, 400 MNR to 2A7…, 300 MNR to Z93…, 100 MNR to P32…
LATER: one input of a new tx, => was same user, most probably
Privacy?
1000 MNR; outputs: 300 MNR to D21…, 400 MNR to 2A7…, 300 MNR to Z93…, 100 MNR to P32…
Spending reveals information and compromises privacy
=>these 2 outputs ARE LINKED now!!
Myth Exposed
Paper by Monero labs: Adam Mackenzie, Surae Noether and Monero Core Team: “Improving Obfuscation in the CryptoNote Protocol”, Jan’15
https://lab.getmonero.org/pubs/MRL-0004.pdf
Citations: “CryptoNote is very traceable” […] “users can receive CryptoNote-based cryptocurrencies with no concern for their privacy, they cannot necessarily spend those currencies without releasing some information about their past transactions”
(similar to bitcoin)
Security?
• Fact: Hundreds of millions of dollars were stolen in Bitcoin thefts…
• Attack 25: brain wallets
Our Paper [CECC 2016]
Security?
• Attack 26: bad randoms
Groups and ECC
43
One Attack with 2 Users
random a: must be kept secret!
[Figure: RNG → random a; R = a.P; signature (r, s)]
s = (H(m) + d.r) / a mod n
same a used twice => detected in public blockchain =>
(s1.a - H(m1))/d1 = r = (s2.a - H(m2))/d2 mod n
=> r(d1-d2) - a(s1-s2) = H(m2) - H(m1) mod n
each person can steal the other person’s bitcoins!
has happened 100s of times in Bitcoin
Cryptographic Security of ECDSA in Bitcoin
Second Major Outbreak – May 2014
Android RNG bug
Third Major Outbreak December 2014
200,000 USD stolen by an “ethical thief” at Blockchain.info
Our Online Database
More Advanced Attacks: cf. eprint.iacr.org/2014/848/
This Paper [ICISSP 2017]
• a new more robust Stealth Address technique
• resistant to compromise of SEVERAL (up to m-1) private spending keys(!) e.g. keys compromised during the spending, SCA, bad randoms, theft/malware etc.
Monero Stealth Address
do better?
spend key b, view key v
spend pub B=b.G, view pub V=v.G
Robust Stealth Address [new]
• Recipient/B has Private User Key = b1, …, bm, v
• Proxy has Tracking Key= v + all the Bi
• Receiver Public User key= B1=b1.G, …, Bm=bm.G.
• Let S=v.(r.G) = r.(v.G). Sender random r, publishes R=r.G with this tx.
• Proxy and Receiver can compute v.(r.G) for every tx done by sender.
• Sender/A can do r.(v.G).
• A sends bitcoins to E= H1(S).B1 + . . . + Hm(S).Bm + H0(S).G.
• Only the recipient has the b1, …, bm (spend key for this tx).
– Private key e=H1(S).b1 + . . . + Hm(S).bm + H0(S) allows to spend.
– Leakage of just one such key => cannot spend.
– The attacker needs to steal m such keys in order to spend coins.
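The key derivations from the basic, 2-key (Monero) and robust stealth address slides, worked through in one added Python example (not code from the slides or the paper). It checks who can compute which key in each variant. Assumptions: secp256k1 as the curve, SHA-256 with an index byte standing in for H and H0..Hm, and all function names, which are hypothetical.

```python
"""Stealth-address derivations from the slides on secp256k1 (teaching code, not constant-time)."""
import hashlib
import secrets

# secp256k1 domain parameters; points are (x, y) tuples, None is the point at infinity.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Elliptic-curve point addition on y^2 = x^3 + 7 over GF(P)."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):
    """Scalar multiplication k.p by double-and-add."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def H(point, i=0):
    """Hash a point to a scalar. SHA-256 with an index byte i (for H0..Hm) is an
    assumption; the slides do not fix the hash."""
    data = bytes([i]) + point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def basic_key(own_priv, other_pub):
    """Basic variant: SK_transfer = H(S) with S = ab.G, computable by both parties."""
    return H(mul(own_priv, other_pub))

def send_2key(r, V, B):
    """Sender side of the 2-key scheme: (E, R) with E = H(r.V).G + B and R = r.G."""
    return add(mul(H(mul(r, V)), G), B), mul(r, G)

def proxy_scan(v, B, R, E):
    """Tracking key (v, B): recompute E from the published R. No spend key involved."""
    return add(mul(H(mul(v, R)), G), B) == E

def spend_key_2key(b, v, R):
    """Receiver: e = b + H(S) with S = v.R."""
    return (b + H(mul(v, R))) % N

def send_robust(r, V, Bs):
    """Robust variant: E = H1(S).B1 + ... + Hm(S).Bm + H0(S).G and R = r.G."""
    S = mul(r, V)
    E = mul(H(S, 0), G)
    for i, Bi in enumerate(Bs, start=1):
        E = add(E, mul(H(S, i), Bi))
    return E, mul(r, G)

def spend_key_robust(bs, v, R):
    """Receiver: e = H1(S).b1 + ... + Hm(S).bm + H0(S) with S = v.R."""
    S = mul(v, R)
    return (H(S, 0) + sum(H(S, i) * bi for i, bi in enumerate(bs, start=1))) % N

def demo():
    """Run all three variants with freshly generated (constructed) keys."""
    rand = lambda: secrets.randbelow(N - 1) + 1
    a, b, v, r = rand(), rand(), rand(), rand()
    A, B, V = mul(a, G), mul(b, G), mul(v, G)
    out = {}
    # Basic: sender and receiver hold the same private key, so the sender can spend.
    out["basic_key_shared"] = basic_key(a, B) == basic_key(b, A)
    # 2-key: proxy recognises the payment, receiver's e opens E, sender's H(S) does not.
    E, R = send_2key(r, V, B)
    out["proxy_detects"] = proxy_scan(v, B, R, E)
    out["proxy_ignores_other_tx"] = not proxy_scan(v, B, mul(rand(), G), E)
    out["receiver_opens_E"] = mul(spend_key_2key(b, v, R), G) == E
    out["sender_H_S_opens_E"] = mul(H(mul(r, V)), G) == E
    # Robust, m = 3: every b_i enters e; with b_3 replaced by 0 the key no longer opens E.
    bs = [rand() for _ in range(3)]
    E3, R3 = send_robust(r, V, [mul(bi, G) for bi in bs])
    out["robust_opens_E"] = mul(spend_key_robust(bs, v, R3), G) == E3
    out["robust_without_b3"] = mul(spend_key_robust(bs[:2] + [0], v, R3), G) == E3
    return out

if __name__ == "__main__":
    print(demo())
```

Only `sender_H_S_opens_E` and `robust_without_b3` come out False: the sender's H(S) and a key missing one b_i do not open the destination key, while the proxy detects the payment without holding any spend key.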
Security Theorem [this paper]
Our new more robust Stealth Address technique is
resistant to compromise of SEVERAL (up to m-1) private spending keys(!) e.g. keys compromised during the spending, SCA, bad randoms, theft/malware etc.
Pros and Cons
• Stronger against thefts / incidents.
• No blockchain expansion.
• Keys expanded m times.
• Broken with compromise of m private keys.
• Same level of privacy [one key v for audit], no improvement