[HN Gopher] Thoughts on Ethereum's Stealth Address
___________________________________________________________________
Thoughts on Ethereum's Stealth Address
Author : tolani_somoye
Score : 56 points
Date : 2023-01-21 16:25 UTC (6 hours ago)
(HTM) web link (vitalik.eth.limo)
(TXT) w3m dump (vitalik.eth.limo)
| zaroth wrote:
| Stealth addresses are a super simple bit of crypto and also pretty
| easy to implement.
|
| When Peter Todd wrote a paper describing the technique for
| Bitcoin in Jan 2014 I wrote the first implementation. [1, 2]
|
| At the time I wanted to call them re-usable addresses, because
| the published address by the person wanting to receive funds is
| truly and privately re-usable. This is super useful for writing
| static addresses in places (like GitHub pages or on business
| cards) which don't implicitly divulge the full transaction
| history for that address. So for example taking donations for
| your open source project without having to show a public record
| of all those donations.
|
| The trade-off of not having to provide a server for generating
| one-time addresses is that the receiver has to scan the whole
| blockchain and perform a bit of work to check if each one might
| actually be for them.
|
| Anything you do to reduce this scanning burden also reduces the
| privacy of the scheme, necessarily.
|
| So although the usability of the paying semantics is fantastic,
| the usability of receiving requires network and computation.
| Typical PIR trade-off.
|
| However, one thing I really love is that on the receiving side
| you can have just one private key which will allow you to
| discover all sent funds. Under the hood on the blockchain no
| addresses are actually being reused.
|
| So you have to scan for your funds, but they will all be there
| with just one key to keep secure and one public address that can
| be "paid-to" without being able to actually lookup any
| transactions that were actually sent to that address.
|
| I don't know if they ever standardized an address form to use
| this scheme in Bitcoin but in my opinion it is a really fantastic
| way to use a public blockchain.
|
| At the time, I tried and failed to write the receiver-side
| scanning code into bitcoind because I didn't know enough C++.
|
| [1] - https://www.mail-archive.com/bitcoin-
| development@lists.sourc...
|
| [2] - https://gist.github.com/jspilman/8396495
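The construction zaroth describes above, worked through as an added example. This is not code from the post, from zaroth's implementation, or from Vitalik's article; the curve (secp256k1) and the hash used to derive the tweak (SHA-256) are my own choices for the demo, and the on-chain "outputs" are constructed in the script. It shows the three properties discussed in the thread: Bob publishes one meta-address M and keeps one key m; every payment lands on a distinct one-time address that no outsider can link back to M; and Bob finds his funds only by doing one ECDH multiplication per output on the chain, which is the scanning cost being traded off.

```python
"""Minimal ECDH stealth-address walkthrough (added example, not from the page).

Assumptions: secp256k1 curve and SHA-256 for the tweak hash; a real deployment
fixes these in its own spec. Pure Python so it runs offline with no dependencies.
The EC arithmetic is not constant-time and is for illustration only.
"""
import hashlib
import secrets

# secp256k1 parameters (assumed curve for this example)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """SEC1 compressed encoding, used here only as a canonical byte form to hash."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def tweak(shared_point):
    """Hash the ECDH shared point to a scalar. Sender and receiver get the same value."""
    return int.from_bytes(hashlib.sha256(compress(shared_point)).digest(), "big") % N


def receiver_keygen():
    """Bob keeps m secret and publishes M = m*G once (README, business card, ...)."""
    m = secrets.randbelow(N - 1) + 1
    return m, ec_mul(m, G)


def sender_pay(M):
    """Alice derives a fresh one-time address from Bob's published M.
    She puts (R, stealth_pub) on chain; without r or m nobody can link stealth_pub to M."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)                        # ephemeral public key, published with the tx
    S = ec_mul(r, M)                        # ECDH shared secret r*M
    return R, ec_add(M, ec_mul(tweak(S), G))


def receiver_scan(m, M, chain):
    """Bob's scanning burden: one ECDH multiplication per output on the chain.
    Returns (index, spend_key) for every output that belongs to him."""
    mine = []
    for i, (R, stealth_pub) in enumerate(chain):
        t = tweak(ec_mul(m, R))             # m*R == r*M, so Bob recomputes Alice's tweak
        if ec_add(M, ec_mul(t, G)) == stealth_pub:
            mine.append((i, (m + t) % N))   # private key for this one-time address
    return mine


def demo():
    """Constructed chain: three outputs, two paid to Bob, one to Carol."""
    bob_priv, bob_meta = receiver_keygen()
    carol_priv, carol_meta = receiver_keygen()
    chain = [sender_pay(bob_meta), sender_pay(carol_meta), sender_pay(bob_meta)]
    # No on-chain address is reused even though Bob's M was paid twice.
    assert len({compress(pub) for _, pub in chain}) == 3
    result = {}
    for name, priv, meta in (("bob", bob_priv, bob_meta), ("carol", carol_priv, carol_meta)):
        found = receiver_scan(priv, meta, chain)
        for idx, sk in found:               # recovered key must control the on-chain address
            assert ec_mul(sk, G) == chain[idx][1]
        result[name] = [idx for idx, _ in found]
    return result


if __name__ == "__main__":
    print(demo())  # {'bob': [0, 2], 'carol': [1]}
```

The scan loop is where the trade-off zaroth mentions lives: Bob must run `ec_mul(m, R)` against every output, and Carol, scanning the same chain with her own key, sees only her own payment. Splitting m into a separate view key and spend key (so an untrusted server can do the scanning) is the usual way to shift that cost, at the privacy cost he notes.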
| Gigachad wrote:
| This reminds me of how bitmessage works. You'd not know if a
| message was for you without trying to decrypt it so you just
| attempt to decrypt every message. They reduced the burden by
| using "streams" where your address might be on "stream 7" and
| everyone could tell a message was for stream 7 but not who for
| on that stream. So you'd only have to decrypt everything on the
| stream your address is on. With the more users being on a
| stream, the more anonymous it is but the more network and cpu
| work it is.
| jcpham2 wrote:
| Sounds like Monero/zcash being appropriated by Ethereum
|
| If appropriated is too harsh, how about integrated instead?
| DennisP wrote:
| Monero uses ring signatures, which as far as I know haven't
| gotten much traction on Ethereum so far, since gas payments
| undermine their privacy.
|
| Zcash uses zksnarks, which have advanced considerably since
| Zcash launched. Ethereum's zkrollups use more recent types of
| zksnarks.
|
| Stealth addresses "using elliptic curve cryptography were
| originally introduced in the context of Bitcoin by Peter Todd
| in 2014," according to Vitalik's post.
| tolani_somoye wrote:
| Read vitaliks article, not sure how to feel about it yet.
| Animats wrote:
| So Ethereum needs improved money-laundering support for NFTs?
| pjkundert wrote:
| Equating the desire for privacy with criminality says more
| about you than the object of your contempt.
| mnd999 wrote:
| Of course it does. That's a large chunk of the model.
| yokem55 wrote:
| Money laundering is a crime that (ab)uses privacy. But privacy
| is not in itself a crime.
| dleslie wrote:
| Given the uses for crypto in practice, it's a safe bet that
| the majority of use will be for illegal activities.
| nobody9999 wrote:
| >Given the uses for crypto in practice, it's a safe bet
| that the majority of use will be for illegal activities.
|
| For the moment, that appears to be a good bet.
|
| I'm not aware of any _current_ practical use case for
| cryptocurrency, that government-backed currencies don't
| provide, other than purchasing illegal goods and services.
|
| That said, government-backed currencies are _also_ used for
| doing so as well, except _cash_ transactions require
| physical proximity while cryptocurrencies do not.
| mhluongo wrote:
| Sending money is a pretty clear use case. Ukraine
| received a bunch of international crypto donations last
| year, for example.
|
| Your lack of imagination doesn't mean something is just
| for "illegal activities".
| RandomLensman wrote:
| Ukraine uses(used) normal funding markets and is
| accessible via standard transfer avenues. Not sure why
| crypto is needed - certainly billions being transferred
| to Ukraine are not in crypto.
| pcthrowaway wrote:
| I actually think there are plenty of legitimate uses of
| cryptocurrency, and that it is being used in those ways
| today.
|
| But the Ukraine example is a strange one to me, only
| because I'm unclear on the legality of funding the war
| efforts of another country.
| dumbfoundded wrote:
| This is already doable with most wallets today. Most wallets
| enable you to create 2^64 addresses from the same seed phrase.
| These are hardened and can't be linked together by just creating
| them.
|
| So if Alice wants to send Bob an NFT, Bob creates a new address
| (recoverable with the same seed phrase) and Alice sends it there.
| Bob can then fund the wallet with tornado cash to use the NFT.
|
| It's a stupidly complex way to achieve privacy and Tornado Cash
| is illegal. That's why we need private by default chains like
| Aztec & Aleo
| tromp wrote:
| That seems different though, since Bob needs to give out a new
| address for each transfer.
|
| With stealth addresses, once Bob published his public address,
| multiple senders can transfer to Bob without further
| interaction by Bob.
| monero-xmr wrote:
| Tornado cash is illegal for US citizens. Not illegal for anyone
| else. And a lawsuit against the overreach of the Treasury
| department will likely make it legal again.
| woodruffw wrote:
| What exactly is the "overreach" argument? In terms of
| statutory authority, the Treasury hasn't done anything
| _particularly_ unusual in adding a known money-laundering
| vehicle to the OFAC list.
| alphanullmeric wrote:
| regurgitating anti encryption talking points to justify
| regulating other people's wallets, I guess it's only
| natural to oppose financial privacy when your economic
| policies depend on having the right to other people's
| money.
| woodruffw wrote:
| I'm very pro-encryption. I'm not convinced that sanctions
| against Tornado Cash pose a serious risk to E2EE or other
| civically important (necessary!) applications of
| encryption.
| alphanullmeric wrote:
| I don't need to justify my right to privacy to prevent
| you from violating it. Come up with a better defence than
| the redistribution of consequences, this is not the EU.
| monero-xmr wrote:
| All tornado notes generate a proof that you can use to show
| where it came from. It's the same as monero, another
| privacy coin which is not illegal.
|
| There is a long list of issues here but tornado is just a
| program. The users of that program can use it for good or
| bad. They sanctioned the creators and Tornado is still
| chugging along. It's equivalent to banning cryptography
| because money launderers encrypt their messages.
|
| Here is a good summary of the argument against Treasury by
| Coin Center
|
| https://www.coincenter.org/coin-center-is-suing-ofac-over-
| it...
| woodruffw wrote:
| None of this amounts to an "overreach" argument. Again:
| _statutorily_, where has the Treasury Department
| misstepped?
|
| You'll note that all kinds of entities, including full
| banks, are on the OFAC list[1]. This doesn't amount to a
| blanket ban on banking, and "it's just a bank, there are
| others" is not an argument that anyone finds convincing.
|
| [1]: https://sanctionssearch.ofac.treas.gov/
| monero-xmr wrote:
| The previously linked article makes 4 arguments but this
| is the one I find most compelling:
|
| _even Treasury's own regulations and past executive
| orders limit the applicability of sanction controls to
| transactions with persons, entities, or their property.
| The Tornado Cash sanction was made without statutory and
| also without regulatory authority. It was made contrary
| to law._
| woodruffw wrote:
| I've read that post a couple of times, and even wrote a
| response to it[1]!
|
| TL;DR: The Treasury Department doesn't care that Tornado
| Cash is "just" a computer program, because a computer
| program is an instrument made and operated by human
| beings. Even an autonomous program does not escape this,
| for the same reason that you can't escape a murder charge
| by throwing a bomb into the air and claiming gravity as a
| defense.
|
| [1]: https://blog.yossarian.net/2022/09/14/Tornado-Cash-
| and-bulle...
| monero-xmr wrote:
| I genuinely don't see any link between a bomb going off
| and a privacy protocol used to move financial assets.
|
| The government is not allowed to put a camera in my house
| and watch me 24/7. Sure, I might be committing crimes
| inside my house. But unless the government can convince a
| judge that they suspect me of committing crimes that
| justify such a camera, they cannot install said camera.
|
| Similarly, merely using a technique to obfuscate the
| origin of my own money is not enough to claim I am a
| criminal. I can do similar with gold coins and paper
| cash, and in high dollar amounts.
|
| Eventually I'll want to use my financial assets to
| purchase something, and at that point the receiver should
| ask me where I got my money (if legally required to) and
| with Tornado Cash I can fully explain the origin of my
| legal funds.
|
| Acting like Tornado itself is enabling crime is absurd.
| woodruffw wrote:
| > I genuinely don't see any link between a bomb going off
| and a privacy protocol used to move financial assets.
|
| The link is explained in the post: in both instances, a
| human is the prime mover. No court in the world draws a
| distinction between "Joe kills Bob" and "Joe builds a
| Bob-killing robot that kills Bob." Similarly, no court in
| the world is likely to draw a distinction between "North
| Korea launders money" and "North Korea uses an autonomous
| program to launder money." It simply isn't relevant.
|
| > Similarly, merely using a technique to obfuscate the
| origin of my own money is not enough to claim I am a
| criminal. I can do similar with gold coins and paper
| cash, and in high dollar amounts.
|
| To be clear: if you attempt to obfuscate your cash
| transactions by structuring them beneath the limits that
| trigger CTR reporting, you're committing a crime. You can
| have reasonable opinions about whether that _ought_ to be
| a crime, but it is absolutely not legal in the current
| regulatory scheme to intentionally avoid your reporting
| requirements.
|
| > Acting like Tornado itself is enabling crime is absurd.
|
| We have a _precise, material_ example of Tornado enabling
| a _specific_ crime. That crime is _the_ reason it's on
| the OFAC list, and it's stated in clear, precise language
| on the Treasury's site. Again: you can claim that Tornado
| is an instrument, and anything can be used to commit
| crime, but it is a matter of _fact_ that Tornado was both
| used to commit crimes _and_ made committing those crimes
| easier than they otherwise would have been (by
| sidestepping financial regulatory frameworks).
| monero-xmr wrote:
| I philosophically disagree that something known to be
| used for a crime, or known to make crimes easier, ipso
| facto means that thing should be banned. I see a lot of
| benefits to society with privacy solutions like Tornado
| Cash. I also like paper cash, gold coins, and guns for
| that matter, all of which have been documented to be used
| in crimes and all of which are legal.
|
| I believe the law requires presumption of innocence. We
| shall see what the judge says. I think your arguments are
| unconvincing and actually, when analyzed, see them as
| dangerous and given to statist authoritarian tendencies.
| mhluongo wrote:
| Pretty straightforward -- Treasury said we couldn't use a
| particular computer program rather than interact with a
| particular entity, and that's outside their authority.
| yieldcrv wrote:
| I think there are procedural issues, not statutory ones.
| Procedure can undermine the statutory one; in this case
| there is a requirement for an entity to be able to argue
| on its own behalf to be removed from the sanctions list,
| this is not possible with the Tornado Cash contract
| addresses.
|
| There is also the issue of determining how it is a
| Foreign Asset to begin with. Is it based on the developer
| they identified? They have to prove that it was not
| deployed by an American which probably cannot be proven
| by the nodes (maybe records of an API could do it, but
| not when running your own nodes)
| woodruffw wrote:
| This is an interesting point, but is it uniformly true?
| The OFAC list also includes aircraft and boats, which
| presumably can't argue on their own behalf.
| zoklet-enjoyer wrote:
| Secret Network https://scrt.network/
| mhluongo wrote:
| It relies on trusted hardware (SGX) that's been shown to be
| insecure many times. Please don't trust your freedom to SGX.
| deevolution wrote:
| Or Monero.
___________________________________________________________________
(page generated 2023-01-21 23:01 UTC)