Overview
A stealth address is a privacy technique that allows a recipient to publish a single, static public key (or address-like identifier) while receiving payments at unique, unlinkable on-chain addresses. Each sender who pays to a stealth address independently derives a fresh one-time address using cryptographic operations, ensuring that no outside observer can link multiple payments to the same recipient by examining the blockchain.
The concept of stealth addresses predates Bitcoin — it has roots in academic cryptography — but its application to Bitcoin has been discussed since at least 2014. The core idea addresses a fundamental tension: recipients want to share a stable identifier for receiving payments (like an email address), but reusing a single on-chain address destroys privacy by allowing anyone to see every payment received.
How Stealth Addresses Work
The basic stealth address protocol uses Elliptic Curve Diffie-Hellman (ECDH) to generate shared secrets between sender and recipient without any direct communication:
Recipient publishes: Stealth meta-address (S)
Contains: scan key (B_scan) + spend key (B_spend)
Sender (Alice) creates a payment:
1. Generate ephemeral key pair (r, R)
2. Compute shared secret: s = ECDH(r, B_scan)
3. Derive one-time address: P = B_spend + hash(s) * G
4. Send funds to address P
5. Publish R in the transaction (e.g., OP_RETURN or extra output)
┌──────────┐ R (ephemeral pubkey) ┌──────────┐
│ Alice │ ────────────────────────────────► │ Bob │
│ (sender) │ Payment to P │(receiver)│
│ │ ────────────────────────────────► │ │
└──────────┘ └──────────┘
│
Recipient (Bob) scans: │
1. For each transaction, extract R │
2. Compute s = ECDH(b_scan, R) │
3. Check if P == B_spend + hash(s) * G │
4. If match: compute private key to spend │
Stealth Addresses vs. Silent Payments
Silent Payments (BIP352) represent Bitcoin's most mature stealth addressing proposal. While the general concept of stealth addresses has existed for years, Silent Payments refine the approach specifically for Bitcoin's UTXO model:
| Aspect | Generic Stealth Address | Silent Payments (BIP352) |
|---|---|---|
| Ephemeral key publication | Requires OP_RETURN or extra output | Derived from sender's input keys |
| On-chain overhead | Extra data per transaction | No extra data |
| Sender requirements | Generate and publish ephemeral key | Use existing input keys |
| Scanning complexity | Check each transaction's OP_RETURN | Compute ECDH with each tx's inputs |
| Bitcoin-specific optimizations | Limited | Extensive (labels, light client hints) |
Silent Payments eliminate the need for a separate ephemeral key publication by instead deriving the shared secret from the sender's transaction input keys, which are already present in the transaction. This makes the stealth payment indistinguishable from a normal transaction on-chain.
Privacy Benefits
Stealth addresses defend against several common chain analysis techniques:
- Address reuse prevention: Every payment creates a new on-chain address, even when sent to the same logical recipient
- Unlinkable payments: An observer cannot determine that two transactions were sent to the same person
- Public solicitation safety: A recipient can post their stealth address publicly (websites, social media, print) without enabling surveillance of all their incoming payments
- No sender-recipient coordination: Unlike manually sharing a fresh address for each payment, stealth addresses require no back-and-forth communication
Challenges and Trade-offs
The primary challenge with stealth addresses is the scanning burden placed on recipients. Because each payment goes to a unique, previously unknown address, the recipient must check every transaction on the blockchain to determine if it belongs to them. This is computationally expensive and particularly challenging for lightweight wallets and mobile devices.
Other considerations include:
- Wallet support: Stealth address protocols require explicit wallet support for both sending and receiving
- Light client compatibility: Full scanning requires access to complete transaction data, which SPV nodes may not have
- Ecosystem adoption: The privacy benefits scale with adoption — if only a few users employ stealth addresses, their transactions may stand out rather than blend in
Related Concepts
- Silent Payments — Bitcoin's specific implementation of stealth addressing (BIP352)
- Elliptic Curve Cryptography — the mathematical foundation enabling shared secret derivation
- Chain Analysis — the surveillance methodology that stealth addresses counter
- Address — the on-chain identifier that stealth addresses make unique per payment
- PayNym — an alternative approach to reusable payment identifiers using BIP47