To prepare for situations in which the TEE infrastructure experiences failures and users must recover their notes in a completely self-contained manner, the protocol also provides an encryption scheme, a "manual exit" path, that allows the recipient to scan and decrypt onchain events directly to locate their own UTXOs. To this end, each transaction includes encrypted metadata, and this metadata is encrypted with a symmetric key derived from an ECDH-based shared secret using the sender's viewing key and the recipient's viewing key.

Specifically, suppose Alice sends funds to Bob. Let Alice's viewing private key and public key be denoted by vsk_a and vpk_a, and Bob's viewing private/public keys by vsk_b and vpk_b. All of these are defined on an elliptic curve with generator G as:

$$vpk_a = vsk_a \cdot G,\quad vpk_b = vsk_b \cdot G$$

If vpk_b were simply exposed onchain and used directly for ECDH, then as soon as the recipient's viewing public key became publicly known, the recipient's identity for a specific transaction would be exposed. To prevent this, Privacy Boost introduces an ephemeral viewing public key, similar to what is used in stealth addresses. Alice generates a random value r locally and then computes her own ephemeral viewing public key and Bob's ephemeral viewing public key as follows:

$$ephvpk_a = vpk_a \cdot r,\quad ephvpk_b = vpk_b \cdot r$$

Next, Alice computes a shared secret S using her viewing private key and Bob's ephemeral public key:

$$S = \mathrm{ECDH}(ephvpk_b,\ vsk_a)$$

Because scalar multiplication on the curve is associative and scalars commute, the following equivalence holds:

$$S = \mathrm{ECDH}(ephvpk_b,\ vsk_a) = \mathrm{ECDH}(vpk_b \cdot r,\ vsk_a) = \mathrm{ECDH}(vsk_b \cdot G \cdot r,\ vsk_a) = \mathrm{ECDH}(vsk_b,\ vsk_a \cdot G \cdot r) = \mathrm{ECDH}(vsk_b,\ ephvpk_a)$$

In other words, Bob can also compute the same shared secret S using his viewing private key vsk_b and ephvpk_a, which Alice has included onchain.

The core of this encryption mechanism is to derive a symmetric key from this shared secret and use it to decrypt the metadata. The encrypted payload of the transaction can be thought of as having approximately the following structure:

Inside the ciphertext are the random value required to compute the UTXO, as well as the components of the UTXO preimage (CommitmentPublicKey, token, value). Therefore, even if a problem occurs with the TEE instances responsible for transaction relaying and indexing, the user can always manually scan chain events, decrypt the UTXOs they own, and generate their own ZK proofs to withdraw funds from the pool.
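The key agreement and the manual-exit scan described above, as an added example that is not Privacy Boost's own code. It assumes secp256k1 as the viewing-key curve, a SHA-512-based KDF over the shared point's x-coordinate, and an encrypt-then-MAC construction (SHA-256 counter-mode keystream plus HMAC) as a stand-in for whatever AEAD the real protocol uses; the page names none of these, and the function names (`sender_encrypt`, `recipient_scan`, `shared_secret_matches`) are hypothetical. `ecdh(point, scalar)` follows the page's argument order.

```python
import hashlib
import hmac
import secrets

# Assumption: secp256k1 as the viewing-key curve (the page does not name the curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
TAG_LEN = 32


def _add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def ecdh(point, scalar):
    """ECDH(point, scalar) in the page's argument order: the shared point scalar * point."""
    return mul(scalar, point)


def kdf(shared_point):
    """Assumption: SHA-512 of the shared x-coordinate, split into an encryption key and a MAC key."""
    if shared_point is None:
        raise ValueError("shared point is the point at infinity")
    digest = hashlib.sha512(b"metadata-kdf" + shared_point[0].to_bytes(32, "big")).digest()
    return digest[:32], digest[32:]


def _keystream(enc_key, length):
    """Stand-in stream cipher (SHA-256 in counter mode); a deployment would use an AEAD instead."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(keys, plaintext):
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, ciphertext)."""
    enc_key, mac_key = keys
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(keys, blob):
    """Return the plaintext, or None when the MAC fails (this note was not encrypted to these keys)."""
    enc_key, mac_key = keys
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, ciphertext, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def sender_encrypt(vsk_a, vpk_b, metadata, r=None):
    """Alice: pick r, publish ephvpk_a = vpk_a * r, encrypt under S = ECDH(ephvpk_b, vsk_a)."""
    if r is None:
        r = secrets.randbelow(N - 1) + 1
    ephvpk_a = mul(r, mul(vsk_a, G))
    ephvpk_b = mul(r, vpk_b)
    keys = kdf(ecdh(ephvpk_b, vsk_a))
    return {"ephvpk_a": ephvpk_a, "ciphertext": seal(keys, metadata)}


def recipient_scan(vsk_b, events):
    """Bob's manual exit: derive S = ECDH(ephvpk_a, vsk_b) for every event and keep the ones that open."""
    found = []
    for event in events:
        keys = kdf(ecdh(event["ephvpk_a"], vsk_b))
        plaintext = open_sealed(keys, event["ciphertext"])
        if plaintext is not None:
            found.append(plaintext)
    return found


def shared_secret_matches(vsk_a, vsk_b, r):
    """Check the page's identity: ECDH(vpk_b * r, vsk_a) == ECDH(vpk_a * r, vsk_b)."""
    return ecdh(mul(r, mul(vsk_b, G)), vsk_a) == ecdh(mul(r, mul(vsk_a, G)), vsk_b)


if __name__ == "__main__":
    vsk_a, vsk_b, vsk_c = 12345, 67890, 424242  # constructed viewing keys, not real ones
    events = [  # constructed onchain events: one note to Bob, one to Carol
        sender_encrypt(vsk_a, mul(vsk_b, G), b"constructed note for Bob"),
        sender_encrypt(vsk_a, mul(vsk_c, G), b"constructed note for Carol"),
    ]
    print(recipient_scan(vsk_b, events))
```

Bob never needs Alice's long-term vpk_a or the random r, only his own vsk_b and the ephvpk_a posted with each event, which is what makes the exit path self-contained. The cost of that independence is one scalar multiplication plus one trial decryption per onchain event, so the MAC check doing the "is this mine?" decision must fail closed: a note that does not authenticate is simply not Bob's, and an implementation that skipped authentication would accept garbage as a UTXO preimage.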