Key Derivation & Stealth Addresses

Key Derivation

There are two main components of each Hinkal account:

  • The Spending Keys are used to spend notes of the associated account.

  • The Viewing Keys are used to decrypt user commitments.

The Spending Keys (also referred to as Shielded Keys) are generated using Ethereum accounts by having users sign a message and deriving the Hinkal keys from the signed message. This process leverages Ethereum's ECDSA (Elliptic Curve Digital Signature Algorithm) signature scheme, which uses the secp256k1 elliptic curve. When a user signs a message with their Ethereum private key, it produces a deterministic signature that can be used as entropy for key derivation. The signature format follows Ethereum's standard (r, s, v) components, where 'r' and 's' are the signature values and 'v' is the recovery identifier. This ensures that as long as someone has access to their Ethereum account, they will be able to access their Hinkal account by signing the same message and reproducing the identical signature.

The Viewing Keys in Hinkal Protocol are deterministically derived from the user's private spending key using the libsodium cryptographic library and its crypto_box_seed_keypair function. The private spending key, which is a 32-byte hexadecimal string generated from the user's Ethereum signature, serves as the seed for creating a Curve25519-based encryption key pair. The derivation process involves converting the spending private key into a byte array and using it as entropy to generate both a private viewing key and its corresponding public viewing key through libsodium's deterministic key generation algorithm.

Stealth Addresses

Stealth addresses are a fundamental privacy primitive in Hinkal Protocol that enable recipient anonymity by generating unique, unlinkable addresses for each transaction. They ensure that external observers cannot determine the recipient of a transaction or link multiple transactions to the same user.

A user’s canonical public key, which we will denote as C, is defined on BabyJubjub as:

C = vk * G

where vk is the user’s private shielded key and G is the BabyJubjub generator point.

A user’s stealth address is represented as a pair of BabyJubjub points (H_0, H_1) \in F^2 such that

vk * H_0 = H_1

This means that many possible stealth addresses correspond to a single viewing key. To derive a random stealth address, one picks a random number z (referred to as the randomization) and applies z elliptic-curve shifts to (C, G):

(C, G) \to (z * C, z * G) \to (H_0, H_1)

We also define the stealth address commitment (abusing notation, we also call this simply the "stealth address") as Poseidon_4(H_{0x}, H_{0y}, H_{1x}, H_{1y}).

According to Fauzi et al., it is impossible for an outsider to:

  1. Link two stealth addresses with each other. In other words, find that they originate from the same private shielded key.

  2. Extract the private shielded key from the stealth address.
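The stealth-address derivation and the recipient-side ownership check described above, as an added example in pure Python (not Hinkal's code). It assumes circomlib's BabyJubjub parameters and Base8 generator, orders the pair so that the defining relation vk * H_0 = H_1 holds (H_0 = z*G, H_1 = z*C, the reverse of the component order written in the arrow above), and stands in SHA-256 for the Poseidon4 commitment, which is out of scope here.

```python
import hashlib

# BabyJubjub parameters as used by circomlib (twisted Edwards: a*x^2 + y^2 = 1 + d*x^2*y^2)
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A, D = 168700, 168696
L = 2736030358979909402780800718157159386076813972158567259200215660948447373041  # prime subgroup order
G = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
     16950150798460657717958625567821834550301663161624707787222815936182638968203)
ZERO = (0, 1)  # neutral element of the group

def on_curve(pt):
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(p1, p2):
    # Twisted Edwards addition law (complete on BabyJubjub, so no special cases are needed)
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    # Double-and-add scalar multiplication; not constant time, for illustration only
    acc, base = ZERO, pt
    k %= L
    while k:
        if k & 1:
            acc = add(acc, base)
        base = add(base, base)
        k >>= 1
    return acc

def canonical_pubkey(vk):
    return mul(vk, G)  # C = vk * G

def stealth_address(C, z):
    # Randomize (C, G) by z, ordered so that vk * H0 == H1: H0 = z*G, H1 = z*C = z*vk*G
    return (mul(z, G), mul(z, C))

def owns(vk, H0, H1):
    # Recipient-side check: only the holder of vk can recognise the pair as theirs
    return mul(vk, H0) == H1

def commitment(H0, H1):
    # Stand-in for Poseidon4(H0x, H0y, H1x, H1y): SHA-256 over the four coordinates
    data = b"".join(c.to_bytes(32, "big") for c in (*H0, *H1))
    return hashlib.sha256(data).hexdigest()
```

Two addresses derived from the same C with different z values pass the ownership check for the same vk but share no visible coordinate or commitment, which is the unlinkability property claimed above.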
