August 01, 2022

By stringhandler

Stealth addresses for non-interactive payments

Mimblewimble, the blockchain technology that Tari’s base layer is based on, requires two parties to interactively negotiate a transaction together. For most use cases this works well. In fact, when you’re paying another person, they are probably online and waiting for the exchange to happen. But there are cases where you are not sure if the recipiant’s wallet is even online, for example paying to a cold wallet, or donating to a fund.

Tari implements one-sided payments or non-interactive payments through the use of Tariscript, a scripting language built on top of basic Mimblewimble. Through the use of ECDH, you can share the blinding factor required by Mimblewimble, and attach a spending script that allows an owner of a public key to spend it.

At some point in the future, the receiving wallet can come online and scan the blockchain for the one sided payments addressed to it. This works really well, but because the public key in the attached Tariscript is in the clear, an outside observer can see when funds move. Note: they cannot know the amounts, only that the funds belong to a given public key.

To address that, Tari has added Stealth Addresses, sometimes referred to as one-time addresses, to non-interactive payments. In this scheme, the public key in the Tariscript is hidden by adding a random nonce. Wallets, in the same scanning procedure used for one-sided payments, recover funds sent to them by multiplying the public random nonce with their private receiving address (through ECDH). If the result matches the stealth address in the Tariscript, the funds are theirs, and they can spend it.

For more information on stealth addresses in Tari, see the RFC