Proposal: Dual-Key Stealth Address Protocol

[wuyahuang]

Dual-Key Stealth Address Protocol

Grant category

• [x] Developer tools / services

Description

The first full working implementation of DKSAP(Dual-Key Stealth Address Protocol) was announced by a developer known as rynomster/sdcoin in 2014 for ShadowSend, a capable, efficient and decentralized anonymous wallet solution. The DKSAP has been implemented in a number of cryptocurrency systems since then, including Monero, Samourai Wallet, and TokenPay, just to name a few. The protocol takes advantage of two pairs of cryptographic keys, namely a ‘scan key’ pair and a ‘spend key’ pair, and computes a one-time payment address per transaction, as detailed below:

• The receiver has two private/public key pairs (s, S) and (b, B), where S = s·G and B = b·G are ‘scan public key’ and ‘spend public key’, respectively. Here G is the base point of an elliptic curve group.

• The sender generates an ephemeral key pair (r, R), where R = r·G, and transmits it with the transaction.

• Both the sender and receiver can compute a shared secret c using the ECDH: c = H(r·s·G) = H(r·S) = H(s·R), where H(·) is a cryptographic hash function.

• The sender uses c·G + B as the ephemeral destination address for sending the payment.

• The receiver actively monitors the blockchain and checks whether some transaction has been sent to the purported destination address c·G + B. Depending on whether the wallet is encrypted, the receiver can compute the same destination address in two different ways, i.e., c·G + B = (c + b)·G. If there is a match, the payment can be spent using the corresponding private key c + b. Note that the ephemeral private key c + b can only be computed by the receiver.

In DKSAP, if an auditor or a proxy server exists in the system, the receiver can share the ‘scan private key’ s and the ‘spend public key’ B with the auditor/proxy server so that those entities can scan the blockchain transaction on behalf of the receiver. However, they are not able the compute the ephemeral private key c + b and spend the payment.

Problem statement

Public ledgers are generally seen as “pseudo-anonymous” as addresses can be linked to one person although that person’s identity is unknown to the public. However, by combining this info with other data it is possible to discover the real-world identity behind the address. Many individuals and companies prefer to have an additional layer of security in order to keep their privacy. That’s where DKSAP comes to play.

• Target audience The main target audience is all privacy-sensitive blockchain users.

• Evidence for the need

  • Tornado.Cash - Privacy transaction protocol with 3,227,355 ETH deposited
  • Sotheby’s - $1billion private sales in 2021

Proposed solution

I want to develop an anonymous NFT contract based on DKSAP, and all NFT owner's public keys are encrypted by the receiver's scan public key. At the same time, users send the transaction through a relayer to ensure the anonymity of the transaction. The relayer will create a new account in which the public key is the recipient's encrypted address.

Impact

• In what ways does this benefit the broader Flow developer ecosystem?
  • Lower the threshold for flow developers to develop elliptic curve cryptography and an additional layer of security to keep their privacy.

Milestones and funding

• Total Estimated Duration: 6 weeks
• Total Costs: Flow worth $10,000

Milestone 1 — Implement DKSAP for Flow

• Estimated duration: 6 weeks
• FTE: 1
• Costs: 10,000 USD

Number	Deliverable	Specification
0.	License	Apache 2.0
1.	Documentation	I will provide both inline documentation of the code and a basic tutorial that explains how a user can send test transactions, which will show how the new functionality works.
2.	Testing Guide	Core functions will be fully covered by unit tests to ensure functionality and robustness. In the guide, I will describe how to run these tests.
3.	(Node.js)SDK: Client Tool	Development and testing of the basic abilities of the client tool, including computing a shared secret by ECDH, computing encrypted public key of the receiver, computing ephemeral private key(adding points in elliptic curve cryptography), and pushing transactions to relayer through HTTPS.
4.	(Candence)Smart contracts: Anonymous NFT	Development and testing of the core functions of the Anonymous NFT smart contract, including minting new NFT, transferring NFT, and burning NFT. In particular, it is important to note that the address of the owner stored in the contract is encrypted by the scan public key of the receiver. At the same time, when users need to perform the transfer or burn operations, the smart contract needs to verify the signature of the private key corresponding to this address on-chain.
5.	HTTPS Service: Node.js Relayer	Build an early-stage HTTPS service relayer including accepting requests from users and pushing transactions to NFT smart contract, and creating a new account if needed.

Team

Yahuang Wu

• Github address
• 7 years of internet R&D experience, participated in the development of several APPs with millions of Daily Active Users (Qunar, Snowball, Meiyou)
• Wrote 40 EOS technical articles list of technical articles
• Selected for the EOS Open Source Community Acknowledgments List list of selected lists
• Multiple EOS open-source repositories that submitted PRs were selected for the GitHub Archive Program
• Has 10 blockchain technology patents Patent List

Future Plans

• After the cadence implementation of DKSAP is fully tested, I will continue to improve the DKSAP implementation for the Flow ecosystems. At the same time, I will help other teams that need to use the DKSAP protocol to reduce development costs.
• Currently, user transactions are sent free of charge by relayer. The new blockchain account is also created by relayer for free. This is not possible in the production environment, so we need to modify the relayer in the future version. We can add a deposit function to NFT so that users can deposit tokens into the contract, and then transfer the token to realyer as transaction fees based on zero-knowledge proof.

[alxflw]

Thanks for the submission @wuyahuang. We'll review and get back to you soon!

[alxflw]

Hi @wuyahuang - we reviewed your proposal in detail and decided to pass because it is unclear if the impact on the developer ecosystem will be high enough.

Thanks for taking the time to submit your proposal and feel free to reach me directly on Discord in case you have further questions: alx-flw.find#6198.