🥯Bagel

Security Model

Understanding bagel's privacy and security guarantees

Security Model

bagel implements a robust security model with strong cryptographic guarantees to provide privacy and security for your wallet & transactions.

The direct stealth address approach offers excellent security with these strengths:

  • Cryptographic Soundness: Uses well-established cryptographic primitives (Ed25519, X25519, HMAC-SHA256)
  • Private Key Separation: Viewing and spending keys are separated, limiting exposure
  • Ephemeral Key Usage: One-time keys for each transaction minimize attack surface
  • No Smart Contract Risk: Avoids vulnerabilities in complex smart contract logic
  • On-Chain Privacy: Transaction linkability is significantly reduced

Recoverability:

The deterministic stealth address approach provides complete recoverability:

  • Deterministic Derivation: As long as a user has their viewing private key and spending private key, they can recover all stealth addresses
  • No External Dependencies: Recovery doesn't depend on external services or third parties
  • Cross-Device Recovery: Keys can be backed up using standard seed phrases and restored on any device
  • Historical Transaction Recovery: Users can scan the chain with their viewing key to find all past transactions

Stealth Address Architecture

The core of bagel's privacy model is its stealth address implementation:

  • Each transaction generates a unique stealth address derived from:
    • Ephemeral key (generated per transaction)
    • Recipient's viewing public key
    • Recipient's spending public key
  • Only the recipient with the correct viewing private key can discover these payments
  • A unique "tag" is generated for each transaction, enabling efficient payment scanning
  • Funds sent to stealth addresses can only be accessed by the recipient with the matching spending private key

Cryptographic Implementation

bagel implements robust cryptography using the following standards:

  • Key Exchange: X25519 Diffie-Hellman for secure shared secret generation.
  • Key Conversion: Proper conversion between Ed25519 and X25519 formats using the Noble Curves library.
  • Transaction Security: Direct transfers to cryptographically derived stealth addresses - Blowfish and Lighthouse integration is coming soon.

Transaction Flow Security

Send Flow

  1. Sender generates ephemeral keypair
  2. Computes shared secret using their ephemeral private key and recipient's viewing public key
  3. Creates stealth address using the shared secret and recipient's spending public key
  4. Transfers funds directly to the stealth address
  5. Publishes ephemeral public key to registry for recipient discovery

Receive Flow

  1. Recipient scans ephemeral keys registry
  2. Computes the same shared secret using their viewing private key and the sender's ephemeral public key
  3. Re-derives the same stealth address
  4. Verifies the stealth address balance
  5. Transfers funds from the stealth address to their desired wallet using the derived stealth private key

Secure Storage

How Bagel protects your private keys

On this page