Suppose Alice runs a confidential restaurant. Alice doesn’t need there to be any document of who visited her restaurant however does wish to receives a commission for her meals. She accepts Monero, and as an alternative of a money register there are two QR codes on show, one similar to her public view key A and the opposite similar to her public spend key S.
How Bob buys his burger
A buyer Bob walks into the restaurant and orders a burger and fries. When Bob pays Alice, right here’s what’s occurring beneath the hood.
Bob is utilizing software program that generates a random integer r and multiplies it by a degree G on an elliptic curve, particularly ed25519, acquiring the purpose
R = rG
on the curve. The software program additionally multiplies Alice’s view key A, a degree on the identical elliptic curve, by r, then runs a hash operate H on the produce rA that returns an integer ok.
ok = H(rA).
Lastly, Bob’s software program computes the purpose
P = okG + S
and sends Alice’s money register, i.e. her crypto pockets, the pair of factors (P, R). The purpose P is a stealth handle, an handle that may solely be used this one time and can’t be linked to Alice or Bob [1]. The purpose R is further info that helps Alice obtain her cash.
How Alice will get paid
Alice and Bob share a secret: each know ok. How’s that?
Alice’s public view key A is the product of her personal view key a and the group generator G [2]. So when Bob computes rA, he’s computing r(aG). Alice’s software program can multiply the purpose R by a to acquire a(rG).
rA = r(aG) = a(rG) = aR.
Each Alice and Bob can hash this level—which Alice thinks of as aR and Bob thinks of as rA—to acquire ok. That is ECDH: elliptic curve Diffie-Hellman key change.
Subsequent, Alice’s software program scans the blockchain for funds to
P = okG + S.
Notice that P is on the blockchain, however solely Alice and Bob know the right way to issue P into kG + S as a result of solely Alice and Bob know ok. And solely Alice can spend the cash as a result of solely she is aware of the personal key s similar to the general public spend key S the place
S = sG.
She is aware of
P = kG + sG = (ok + s)G
and so she has the personal key (ok + s) similar to P.
Associated posts
[1] Bob sends cash to the handle P, so there may very well be some connection between Bob and P on the Monero blockchain. Nonetheless, as a result of one other function of Monero, particularly ring signatures, somebody analyzing the blockchain may solely decide that Bob is one in all 16 individuals who could have despatched cash to the handle P, and there’s no technique to know who obtained the cash. That’s, there isn’t any means, utilizing solely info on the blockchain, who obtained the cash. A non-public investigator who noticed Bob stroll into Alice’s restaurant would have further info outdoors the blockchain.
[2] The important thing assumption of elliptic curve cryptography is that it’s computationally infeasible to “divide” on an elliptic curve, i.e. to recuperate a from data of G and aG. You might recuperate a by brute pressure if the group had been small, however the elliptic curve ed25519 has on the order of two255 factors, and a is a few integer chosen randomly between 1 and the scale of the curve.
