4

If I understand things correctly from the whitepaper, in order for Alice to send me Monero she will use my two public keys A (public view key) and B (public spend key), which she gets from my address (A,B).

In order to generate the stealth address she then performs:

P = Hs(rA)G + B

using P as the generated stealth address.

The question: Is the part B a static part of every stealth address which can be created from my address (A,B)? So:

  1. Address: Random looking data + B
  2. Address: Random looking data + B
  3. ...

If this is true, couldn't Eve then scan the blockchain for every address which ends in B and be pretty sure that this stealth address is derived from my public known address (A,B) (which Eve also knows)?

I'm sure I'm missing something here, but I can't figure out what.

user3017

1 Answer

2

It's not like the last X bits are equal to B. If you do elliptic curve addition or subtraction, all the bits change. Any random number could be a sum of any two numbers. Same as 5 = 1 + 4 = 2 + 3 = ... but we're talking about really, really big numbers.

Eve can do P - B, and then what? Random looking data - B = some other random looking data.

Compare it against what to see if it's a match? Normally the scanning wallet does this but it can also compute the target because it knows the shared secret rA=aR because it knows the viewkey a. Without the viewkey you have nothing to compare against to see if it's a match.

JollyMort
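The derivation and scan described in the answer, as an added example that is not part of the original post and is not Monero's own code. It uses real Ed25519 point arithmetic but simplifies the scheme: SHA3-256 stands in for Monero's Keccak hash-to-scalar, and the output index and cofactor multiplication are omitted; all function names are hypothetical.

```python
import hashlib, secrets

# Ed25519 group parameters (the curve Monero's keys live on)
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # prime group order
d = -121665 * pow(121666, -1, p) % p
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
ZERO = (0, 1)  # neutral element of the group

def add(P, Q):
    # Complete twisted Edwards addition law (also handles doubling)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % p, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % p, -1, p) % p
    return (x3, y3)

def sub(P, Q):
    return add(P, (-Q[0] % p, Q[1]))  # the negative of (x, y) is (-x, y)

def mul(k, P):
    R = ZERO
    while k:  # double-and-add
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def Hs(P):
    # Hash-to-scalar. Assumption: SHA3-256 over raw coordinates, not Monero's Keccak.
    data = P[0].to_bytes(32, "little") + P[1].to_bytes(32, "little")
    return int.from_bytes(hashlib.sha3_256(data).digest(), "little") % L

def keypair():
    k = secrets.randbelow(L - 1) + 1
    return k, mul(k, G)

def send(A, B):
    """Alice: fresh random r per output; publishes R = rG and P = Hs(rA)G + B."""
    r, R = keypair()
    return R, add(mul(Hs(mul(r, A)), G), B)

def is_mine(a, B, R, P):
    """Recipient scan: aR equals rA, so the view key a rebuilds the expected P."""
    return add(mul(Hs(mul(a, R)), G), B) == P
```

Eve can compute `sub(P, B)` for any output, but the result is `Hs(rA)G`, which differs for every output and which she cannot recompute without `a` or `r`.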