5

According to the CryptoNote white paper, a stealth address is of the form P = H_s(rA)G + B. My question is, why is the hash function necessary? It seems that P = rA + B would work just as well. Using a hash function makes scanning the blockchain for your incoming tx's more difficult, since you have to perform a hash for every transaction on the blockchain.

Given two transactions sent to the same user, P_1 - P_2 = (r_1 - r_2)A = a(R_1 - R_2), but I don't see how that opens any attack vectors.

Am I missing something?

Christopher King

1 Answer

5

In your system, although the recipient can still find his transaction using R, he would also need to know r for deriving the corresponding private key.

You could fix that by making r also public, and still only the user would be able to derive the private key ra+b, but then everyone in the network can figure out that the recipient was the address (A,B)... Using the hash eliminates the need to publish r and thus preserves the recipient's privacy.

user141
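The algebra from the question and the answer, as an added example that is not part of the original posts or of any CryptoNote code base. It assumes the Ed25519 group with plain affine arithmetic, SHA-512 as a stand-in for the hash-to-scalar H_s, hypothetical function names, and constructed toy scalars.

```python
import hashlib

# Ed25519 group, affine coordinates (clarity over speed, not constant-time).
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493   # prime order of G
d = -121665 * pow(121666, -1, p) % p

def add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % p, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow((1 - t) % p, -1, p) % p)

def mul(k, P):
    acc = (0, 1)                      # neutral element
    while k:
        if k & 1:
            acc = add(acc, P)
        P, k = add(P, P), k >> 1
    return acc

def base_point():                     # y = 4/5, x recovered from the curve equation
    y = 4 * pow(5, -1, p) % p
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if x * x % p != xx:
        x = x * pow(2, (p - 1) // 4, p) % p
    return (x if x % 2 == 0 else p - x, y)

G = base_point()
def H_s(P):   # assumption: SHA-512 stands in for CryptoNote's hash-to-scalar
    return int.from_bytes(hashlib.sha512(repr(P).encode()).digest(), "big") % l
def hashed_output(r, A, B):           # sender: P = H_s(rA)G + B
    return add(mul(H_s(mul(r, A)), G), B)
def recipient_key_hashed(a, b, R):    # recipient: x = H_s(aR) + b, needs only R
    return (H_s(mul(a, R)) + b) % l
def hashless_output(r, A, B):         # the question's variant: P = rA + B
    return add(mul(r, A), B)
def observer_links(r, P, A, B):       # with r public: is P - rA == B ?
    rA = mul(r, A)
    return add(P, (-rA[0] % p, rA[1])) == B

if __name__ == "__main__":
    a, b, r = 1111, 2222, 3333        # constructed toy scalars
    A, B, R = mul(a, G), mul(b, G), mul(r, G)
    P = hashless_output(r, A, B)
    print("scan with aR + B:", add(mul(a, R), B) == P)
    print("spend key ra + b (needs r):", mul((r * a + b) % l, G) == P)
    print("public r links (A, B):", observer_links(r, P, A, B))
```

In the hashed scheme the recipient obtains the scalar H_s(aR) from the public R alone, whereas in the hashless scheme aR is only a point, so the scalar ra + b cannot be formed without r itself.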