Skip to main content

Overview

StealthAddress implements EIP-5564 stealth addresses for privacy-preserving, non-interactive address generation. Senders can generate one-time addresses that only the intended recipient can detect and spend from, without requiring any prior communication.

How It Works

EIP-5564 stealth addresses use ECDH (Elliptic Curve Diffie-Hellman) key exchange:
  1. Recipient publishes meta-address - Concatenation of spending and viewing public keys (66 bytes)
  2. Sender generates ephemeral key pair - One-time keys for this payment
  3. Sender computes shared secret - ECDH between ephemeral private key and recipient’s viewing public key
  4. Sender derives stealth address - Combines shared secret with recipient’s spending public key
  5. Sender announces on-chain - Publishes ephemeral public key and view tag
  6. Recipient scans announcements - Uses view tag for fast filtering (~6x faster), verifies matches
  7. Recipient computes stealth private key - Combines spending private key with shared secret to spend

API

generateMetaAddress

Creates a 66-byte stealth meta-address from spending and viewing public keys.
Throws InvalidPublicKeyError if either public key is not 33 bytes.

parseMetaAddress

Parses a 66-byte meta-address into its component public keys.
Throws InvalidStealthMetaAddressError if meta-address is not 66 bytes.

generateStealthAddress

Generates a stealth address from a meta-address using an ephemeral private key.
Returns:
  • stealthAddress - 20-byte Ethereum address
  • ephemeralPublicKey - 33-byte compressed public key (publish on-chain)
  • viewTag - 1-byte view tag for fast scanning (publish on-chain)
Throws StealthAddressGenerationError if:
  • Ephemeral private key is not 32 bytes
  • Meta-address is invalid
  • Cryptographic operation fails

checkStealthAddress

Checks if a stealth address announcement belongs to the recipient.
Returns:
  • isForRecipient - true if the stealth address belongs to this recipient
  • stealthPrivateKey - 32-byte shared secret hash (use with computeStealthPrivateKey)
The view tag enables fast rejection: ~255/256 non-matching addresses are rejected after a single byte comparison, before expensive EC operations.

computeStealthPrivateKey

Computes the full stealth private key for spending.
Implements: stealthPrivateKey = (spendingPrivateKey + hashedSharedSecret) mod n

compressPublicKey

Compresses a 64-byte uncompressed public key to 33-byte compressed format.

decompressPublicKey

Decompresses a 33-byte compressed public key to 64-byte uncompressed format.

computeViewTag

Extracts the view tag (first byte) from a hashed shared secret.

parseAnnouncement

Parses announcement data into ephemeral public key and view tag.

Types

StealthMetaAddress

66-byte stealth meta-address (spending public key + viewing public key).

SpendingPublicKey

33-byte compressed secp256k1 public key for deriving stealth addresses.

ViewingPublicKey

33-byte compressed secp256k1 public key for scanning the blockchain.

EphemeralPublicKey

33-byte one-time public key generated by sender and announced on-chain.

ViewTag

Single byte (0-255) for fast rejection of non-matching stealth addresses.

GenerateStealthAddressResult

CheckStealthAddressResult

StealthAnnouncement

Constants

Errors

StealthAddressError

Base error for all stealth address operations.

InvalidStealthMetaAddressError

Thrown when meta-address format or length is invalid.

InvalidPublicKeyError

Thrown when public key format or length is invalid.

StealthAddressGenerationError

Thrown when stealth address generation fails.

InvalidAnnouncementError

Thrown when announcement format is invalid.

Privacy Considerations

View Tag Tradeoff: The view tag reduces scanning overhead by ~6x but leaks 1 byte of the shared secret. This is considered acceptable for the performance benefit. Key Separation: Use separate spending and viewing keys. The viewing key can be delegated to a scanning service without risking funds. On-chain Privacy: Stealth addresses are unlinkable to the recipient’s public identity. Only the recipient (with viewing key) can identify which payments are theirs. Metadata Leakage: The sender’s identity may still be linkable through transaction graph analysis, timing, or gas funding patterns.

See Also