Stealth addresses are a super simple bit of crypto and also pretty easy to implement.
When Peter Todd wrote a paper describing the technique for Bitcoin in Jan 2014 I wrote the first implementation. [1, 2]
At the time I wanted to call them re-usable addresses, because the published address by the person wanting to receive funds is truly and privately re-usable. This is super useful for writing static addresses in places (like GitHub pages or on business cards) which don’t implicitly divulge the full transaction history for that address. So for example taking donations for your open source project without having to show a public record of all those donations.
The trade-off of not having to provide a server for generating one-time addresses is that the receiver has to scan the whole blockchain and perform a bit of work to check if each one might actually be for them.
Anything you do to reduce this scanning burden also reduces the privacy of the scheme, necessarily.
So although the usability of the paying semantics is fantastic, the usability of receiving requires network and computation. Typical PIR trade-off.
However, one thing I really love is that on the receiving side you can have just one private key which will allow you to discover all sent funds. Under the hood on the blockchain no addresses are actually being reused.
So you have to scan for your funds, but they will all be there with just one key to keep secure and one public address that can be “paid-to” without being able to actually lookup any transactions that were actually sent to that address.
I don’t know if they ever standardized an address form to use this scheme in Bitcoin but in my opinion it is a really fantastic way to use a public blockchain.
At the time, I tried and failed to write the receiver-side scanning code into bitcoind because I didn’t know enough C++.
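As an added worked example (not code from the original thread, nor from the linked paper or gist [1, 2]): the ECDH-style stealth address flow the comment describes, in pure Python on secp256k1. The receiver publishes one key M, the sender derives a fresh one-time output key from an ephemeral key pair and publishes the ephemeral public key R beside the payment, and the receiver scans every output with its single private key m. Function names (`sender_pay`, `receiver_scan`) and the hash-to-scalar step (SHA-256 over the compressed shared point) are assumptions made for this example, not the conventions of any particular implementation.

```python
# Added example: ECDH-based stealth addresses on secp256k1 (pure Python).
# The hash-to-scalar construction and the function names are assumptions
# for illustration, not the scheme of any specific wallet.
import hashlib
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = (3 * a[0] * a[0]) * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    y = (lam * (a[0] - x) - a[1]) % P
    return (x, y)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    k %= N
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def compress(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def shared_scalar(S):
    """Hash the ECDH shared point to a scalar (assumed construction)."""
    return int.from_bytes(hashlib.sha256(compress(S)).digest(), "big") % N


def keygen():
    m = secrets.randbelow(N - 1) + 1
    return m, ec_mul(m, G)


def sender_pay(M):
    """Sender side: from the published key M, derive a one-time output key
    and the ephemeral public key R that is published next to the output."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    h = shared_scalar(ec_mul(r, M))            # r*M == m*R
    one_time = ec_add(M, ec_mul(h, G))         # M + h*G
    return {"R": R, "to": one_time}


def receiver_scan(m, M, chain):
    """Receiver side: with the single private key m, recompute the shared
    secret for every output and keep the ones whose key matches. Returns
    (output, one_time_spend_key) pairs; the spend key is m + h."""
    found = []
    for out in chain:
        h = shared_scalar(ec_mul(m, out["R"]))
        if ec_add(M, ec_mul(h, G)) == out["to"]:
            found.append((out, (m + h) % N))
    return found


if __name__ == "__main__":
    bob_m, bob_M = keygen()
    carol_m, carol_M = keygen()
    # Constructed "blockchain": two outputs for Bob, one for Carol.
    chain = [sender_pay(bob_M), sender_pay(carol_M), sender_pay(bob_M)]
    mine = receiver_scan(bob_m, bob_M, chain)
    print("Bob found", len(mine), "outputs; one-time keys differ:",
          chain[0]["to"] != chain[2]["to"])
    for out, p in mine:
        assert ec_mul(p, G) == out["to"]       # spend key controls the output
```

An observer sees only R and the one-time key on chain; without m it cannot compute the shared secret, so two payments to the same published M are unlinkable, and nothing on chain equals M itself. The cost is exactly the one the comment names: every output on the chain needs one scalar multiplication and one hash to test.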
This reminds me of how bitmessage works. You'd not know if a message was for you without trying to decrypt it, so you just attempt to decrypt every message. They reduced the burden by using "streams" where your address might be on "stream 7", and everyone could tell a message was for stream 7 but not who for on that stream. So you'd only have to decrypt everything on the stream your address is on. The more users there are on a stream, the more anonymous it is, but the more network and CPU work it takes.
Penumbra has a scheme for trustless 3rd party scanning that they use for private addresses that you might be interested in. It uses a "Fuzzy Message Detection" cryptographic protocol that is analogous to a Bloom filter, so you can delegate the scanning to a full node and ask for a stream of transactions, which includes all the transactions you care about plus some other false positives. https://protocol.penumbra.zone/main/crypto/fmd.html
This is already doable with most wallets today. Most wallets enable you to create 2^64 addresses from the same seed phrase. These are hardened and can't be linked together by just creating them.
So if Alice wants to send Bob an NFT, Bob creates a new address (recoverable with the same seed phrase) and Alice sends it there. Bob can then fund the wallet with tornado cash to use the NFT.
It's a stupidly complex way to achieve privacy and Tornado Cash is illegal. That's why we need private by default chains like Aztec & Aleo
Tornado cash is illegal for US citizens. Not illegal for anyone else. And a lawsuit against the overreach of the Treasury department will likely make it legal again.
What exactly is the "overreach" argument? In terms of statutory authority, the Treasury hasn't done anything particularly unusual in adding a known money-laundering vehicle to the OFAC list.
All tornado notes generate a proof that you can use to show where it came from. It’s the same as Monero, another privacy coin which is not illegal.
There is a long list of issues here but tornado is just a program. The users of that program can use it for good or bad. They sanctioned the creators and Tornado is still chugging along. It’s equivalent to banning cryptography because money launderers encrypt their messages.
Here is a good summary of the argument against Treasury by Coin Center
None of this amounts to an "overreach" argument. Again: statutorily, where has the Treasury Department mis-stepped?
You'll note that all kinds of entities, including full banks, are on the OFAC list[1]. This doesn't amount to a blanket ban on banking, and "it's just a bank, there are others" is not an argument that anyone finds convincing.
Pretty straightforward — Treasury said we couldn't use a particular computer program rather than interact with a particular entity, and that's outside their authority.
I think there are procedural issues not statutory ones. Procedure can undermine the statutory one, in this case there is a requirement for an entity to be able to argue on its own behalf to be removed from the sanctions list, this is not possible with the Tornado Cash contract addresses.
There is also the issue of determining how it is a Foreign Asset to begin with. Is it based on the developer they identified? They have to prove that it was not deployed by an American which probably cannot be proven by the nodes (maybe records of an API could do it, but not when running your own nodes)
The previously linked article makes 4 arguments but this is the one I find most compelling:
even Treasury’s own regulations and past executive orders limit the applicability of sanction controls to transactions with persons, entities, or their property. The Tornado Cash sanction was made without statutory and also without regulatory authority. It was made contrary to law.
regurgitating anti encryption talking points to justify regulating other people’s wallets, I guess it’s only natural to oppose financial privacy when your economic policies depend on having the right to other people’s money.
I'm very pro-encryption. I'm not convinced that sanctions against Tornado Cash pose a serious risk to E2EE or other civically important (necessary!) applications of encryption.
I don’t need to justify my right to privacy to prevent you from violating it. Come up with a better defence than the redistribution of consequences, this is not the EU.
The EVM can actually check digital signatures, hashes, lamport signatures etc.
The problem is that once Bob actually spends something from this address, everyone knows that Bob controls the address. Because if Alice can calculate an address for Bob, so can anyone else.
Monero uses ring signatures, which as far as I know haven't gotten much traction on Ethereum so far, since gas payments undermine their privacy.
Zcash uses zksnarks, which have advanced considerably since Zcash launched. Ethereum's zkrollups use more recent types of zksnarks.
Stealth addresses "using elliptic curve cryptography were originally introduced in the context of Bitcoin by Peter Todd in 2014," according to Vitalik's post.
[1] - https://www.mail-archive.com/bitcoin-development@lists.sourc...
[2] - https://gist.github.com/jspilman/8396495