You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 21, 2019. It is now read-only.
Alice derives Bob's stealth address, using the shared secret
Alice deposits the token into a ring for Bob's stealth address
Alice tells Bob which ring she deposited the token into
Bob waits for the ring to become ready / filled up / completed
Bob creates a ring signature for his stealth address
Bob withdraws the token from the ring using his stealth address
The number of other participants in the ring obscures the origin and destination of the token, an observer knows that each input can be linked to each output with a probability of 1/n where n is the number of participants. e.g. 2 participants = 50% chance that Alice sent to Bob. However, the observer knows that both Alice and Bob participated in an anonymous transaction as a sender and receiver respectively.
Assuming Alice knows Bob's Master Public Key this system requires only one message from Alice to Bob to synchronise enough state for Bob to recover his token. This contains the shared secret, or enough information to derive the shared secret, in addition to the address of the ring to withdraw the token from.
If Alice already knows Bob's Master Public Key it isn't necessary for Bob to first communicate with Alice, assuming stealth addresses are used.
It is possible for Alice to communicate indirectly and anonymously with Bob by submitting an encrypted blob using an ECDH shared secret between an ephemeral key pair and Bob's Master Public Key, Bob then scans all messages and tries to decrypt them. This means that Bob doesn't know who the sender is, only a 1/n probability (if multiple rings are used it may be possible for Bob to perform a set intersection on the senders of all rings to find the common denominator).
For the system to be audited bidirectionally, e.g. either Alice or Bob can disclose a secret that allows a third party to monitor all tokens transferred between them, they must use ECDH between their Master Keys then derive a shared secret then share secret with the auditor that along with both of their Master Public Keys, this allows the auditor to derive all of the receiving public keys on either side which can then be used to identify deposits and trace the total amount of money transferred.
The text was updated successfully, but these errors were encountered:
The number of other participants in the ring obscures the origin and destination of the token, an observer knows that each input can be linked to each output with a probability of
1/n
wheren
is the number of participants. e.g. 2 participants = 50% chance that Alice sent to Bob. However, the observer knows that both Alice and Bob participated in an anonymous transaction as a sender and receiver respectively.Assuming Alice knows Bob's Master Public Key this system requires only one message from Alice to Bob to synchronise enough state for Bob to recover his token. This contains the shared secret, or enough information to derive the shared secret, in addition to the address of the ring to withdraw the token from.
If Alice already knows Bob's Master Public Key it isn't necessary for Bob to first communicate with Alice, assuming stealth addresses are used.
It is possible for Alice to communicate indirectly and anonymously with Bob by submitting an encrypted blob using an ECDH shared secret between an ephemeral key pair and Bob's Master Public Key, Bob then scans all messages and tries to decrypt them. This means that Bob doesn't know who the sender is, only a 1/n probability (if multiple rings are used it may be possible for Bob to perform a set intersection on the senders of all rings to find the common denominator).
For the system to be audited bidirectionally, e.g. either Alice or Bob can disclose a secret that allows a third party to monitor all tokens transferred between them, they must use ECDH between their Master Keys then derive a shared secret then share secret with the auditor that along with both of their Master Public Keys, this allows the auditor to derive all of the receiving public keys on either side which can then be used to identify deposits and trace the total amount of money transferred.
The text was updated successfully, but these errors were encountered: