Suppose Alice runs a secret restaurant. Alice does not want any record of who came to her restaurant, but she does want to get paid for her food. She accepts Monero, and instead of a cash register there are two QR codes on display, one corresponding to her public view key A and the other to her public spend key S.
How does Bob buy his burgers?
A customer, Bob, comes to Alice's restaurant and orders a burger and fries. Here is what's going on under the hood when Bob pays Alice.
Bob is using software that generates a random integer r and multiplies it by a point G on an elliptic curve, specifically ed25519, obtaining the point
R = rG
on the curve. The software also multiplies Alice's view key A, a point on the same elliptic curve, by r, then runs a hash function H on the product rA, which returns an integer k,
k = H(rA).
Finally, Bob's software calculates the point
P = kG + S
and sends the pair of points (P, R) to Alice's cash register, i.e. her crypto wallet. The point P is a stealth address, an address that will be used only once and cannot be associated with Alice or Bob [1]. The point R is additional information that helps Alice get her money.
How does Alice get paid?
Alice and Bob share a secret: both know k. How's that?
Alice's public view key A is the product of her private view key a and the group generator G [2]. So when Bob calculates rA, he is computing r(aG). Alice's software can multiply the point R by a to get a(rG),
rA = r(aG) = a(rG) = aR.
Alice and Bob can both hash this point, which Alice thinks of as aR and Bob thinks of as rA, to get k. This is ECDH: elliptic curve Diffie-Hellman key exchange.
Next, Alice's software scans the blockchain for payments to
P = kG + S.
Note that P is on the blockchain, but only Alice and Bob know how to factor P into kG + S, because only Alice and Bob know k. And only Alice can spend the money, because only she knows the private key s corresponding to the public spend key S, where
S = sG.
She knows
P = kG + sG = (k + s)G
and so she has the private key (k + s) corresponding to P.
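The whole exchange above, from Bob's (P, R) to Alice's scan and her spend key (k + s), worked through in pure Python as an added example; it is not code from the original post or from Monero. The SHA-256 hash-to-scalar and the names keygen, send, scan and demo are assumptions made for illustration; Monero's actual hash and point encoding differ.

```python
import hashlib, secrets

p = 2**255 - 19                                        # ed25519 field prime
q = 2**252 + 27742317777372353535851937790883648493    # prime order of G
d = -121665 * pow(121666, -1, p) % p                   # curve constant
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, p) % p)                            # group generator

def add(P, Q):
    """Affine twisted Edwards addition; complete on ed25519, so no special cases."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(n, P):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = (0, 1)  # identity element
    while n:
        if n & 1:
            acc = add(acc, P)
        P, n = add(P, P), n >> 1
    return acc

def H(P):
    """Stand-in hash to scalar (assumption): SHA-256 of the coordinates, mod q."""
    raw = P[0].to_bytes(32, "little") + P[1].to_bytes(32, "little")
    return int.from_bytes(hashlib.sha256(raw).digest(), "little") % q

def keygen():
    x = secrets.randbelow(q - 1) + 1   # private scalar in [1, q-1]
    return x, mul(x, G)                # (private, public = xG)

def send(A, S):
    """Bob: derive the one-time address P and the point R from Alice's public keys."""
    r, R = keygen()
    return add(mul(H(mul(r, A)), G), S), R      # P = kG + S with k = H(rA)

def scan(a, S, P, R):
    """Alice: recompute k = H(aR); return it if (P, R) pays her, else None."""
    k = H(mul(a, R))
    return k if add(mul(k, G), S) == P else None

def demo():
    (a, A), (s, S) = keygen(), keygen()          # Alice's view and spend key pairs
    P, R = send(A, S)
    k = scan(a, S, P, R)
    can_spend = k is not None and mul((k + s) % q, G) == P   # (k + s)G = P
    # A wallet holding a different private view key must not recognise the output.
    return can_spend, scan(keygen()[0], S, P, R)
```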
[1] Bob sends money to the address P, so there may be some relation between Bob and P on the Monero blockchain. However, due to another feature of Monero, namely ring signatures, someone analyzing the blockchain can only determine that Bob is one of 16 people who may have sent money to the address P, and there is no way of knowing who received the money. That is, there is no way to know who received the money using only the information on the blockchain. A private investigator who saw Bob enter Alice's restaurant would have additional information outside the blockchain.
[2] The main assumption of elliptic curve cryptography is that it is computationally infeasible to "divide" on an elliptic curve, i.e. to recover a from knowledge of G and aG. You could recover a by brute force if the group were small, but the elliptic curve ed25519 has on the order of 2^255 points, and a is an integer chosen at random between 1 and the size of the curve.