A stealth address is a fresh, one-time account that only the recipient can recognize and spend from. The payer derives it from a public link, so the chain records a transfer to a brand-new key with nothing tying it back to you.

Two keys, not one

A Jat identity is a pair of Ed25519 keys, not a single wallet. A scan key lets you detect which payments are yours, and a spend key lets you move them. Publishing both public halves as a link lets anyone pay you, while only the holder of the private halves can find and claim what arrives. See keys and the scan model.

How a one-time address is derived

Each payment runs an Elliptic Curve Diffie Hellman exchange between an ephemeral key the payer generates and your published scan key. Both sides arrive at the same shared secret, which is hashed and added to your spend key to produce a one-time public key:

shared   = ECDH(ephemeral_priv, scan_pub)      // payer side
shared   = ECDH(ephemeral_pub,  scan_priv)     // recipient side, same value
tweak    = H(shared)
STEALTH  = SPEND_pub + tweak · B               // the one-time address

The payer funds STEALTH and publishes the ephemeral public key in a small on-chain announcement. Later you recompute the same tweak with your scan key, confirm the address is yours, and reconstruct the matching private scalar spend + tweak to sign for it. This is pure key math, with no zero-knowledge proof involved.

Note

Because the address is derived per payment, two payments to the same link land on two unrelated accounts. An observer sees transfers to fresh keys, not a reused receiving wallet.

View tags make scanning fast

Naively, finding your payments means running the ECDH step against every announcement. Jat publishes a one-byte view tag alongside each announcement, derived from the same shared secret. Your scanner checks the tag first and only does the full derivation on the roughly 1 in 256 that match, which cuts the work to scan a busy stream by orders of magnitude.

Announcements

The on-chain announcer program stores one record per payment under a program derived address keyed by the ephemeral point, holding the ephemeral key, the view tag, and the scheme. Records are write-once, so a duplicate ephemeral key is rejected rather than overwriting an earlier payment. An indexer enumerates these records by account type and hands the raw list to your browser, which scans locally with your scan key. The indexer never sees your keys. See the fee relayer for how a fresh stealth account pays its first transaction fee.

What it hides, and what it does not

Stealth addressing breaks the on-chain link between payer and recipient: the graph shows a payment to a new key, not to you. On its own it does not hide the amount, and consolidating many stealth balances into one wallet can re-link them. To unlink the payout from your specific deposit and break consolidation, claim into the fixed-denomination pool. The two layers are designed to be used together. The honest limits are spelled out in privacy and threat model.