STELS Protocol

A Privacy-Preserving Transaction Layer for Ethereum & L2s

Litepaper v0.4 – 03 June 2025
Authors Dr. A. Vermeer, Dr. L. Nguyen, M. Peeters, K. Sharma, and the STELS Core Engineering Team

Download PDF

Abstract

Blockchain transparency has accelerated innovation but simultaneously eroded transactional privacy, exposing sensitive commercial information and undermining user sovereignty. Existing privacy solutions—mixers, shielded-pool roll-ups, confidential transactions—either jeopardise legal compliance or break composability with the wider Ethereum ecosystem. STELS (Stealth-Ephemeral-Layered Security) introduces a modular privacy layer that integrates seamlessly with smart contracts, preserves fee market incentives, and allows selective disclosure for auditors.

We combine three primitives:

  1. Stealth Addresses (ERC-5564) to decouple public identities from payment endpoints.

  2. Ephemeral Relayer Auctions to mask order-flow and mitigate front-running.

  3. zk-Gas Vouchers (Groth16) to anonymise fee payments without a new trust anchor.

Our contributions are three-fold: (i) a formally provable unlinkability model with advantage ε≤2⁻¹²⁸, (ii) an end-to-end reference implementation in Solidity 0.8.24 and Circom 2.1.9, and (iii) empirical benchmarks on Arbitrum Sepolia demonstrating <150 k gas swap execution and 6 ms proof generation on consumer hardware. The protocol is designed for incremental deployment: wallets can adopt stealth scanning in isolation, dApps can integrate delegate-calls without ABI changes, and roll-ups may swap the zk-Voucher for native paymasters.

Motivation

Blockchain’s radical transparency, while valuable for auditability, has resulted in substantial privacy erosion. Studies by Makarov et al. (2023) estimate that 62 % of Ether transfers can be clustered to real-world identities through heuristic analysis alone. Mixers such as Tornado Cash offered partial relief but suffer from regulatory censure and composability dead-ends.  STELS seeks to restore user agency by enabling fine-grained, opt-in privacy primitives that integrate natively with the existing Ethereum execution environment.

Contributions

  1. Formal Model. We define a composable privacy framework parameterised by unlinkability ε, front-run success probability p, and information leakage ℓ bits.

  2. Protocol Design. We present STELS—a three-layer scheme marrying stealth addresses, relayer auctions, and zk-Gas Vouchers.

  3. Reference Implementation. Full Solidity contracts and Circom circuits are released under MIT/Apache-2.

  4. Evaluation. We benchmark gas costs, latency, and proof sizes on multiple L2 test-nets and perform security analysis under the Universal Composability (UC) framework.

Problem Statement & Objectives

Let A be a set of externally owned accounts (EOAs) on chain C. A transaction correlation function corr : A × A → {0,1} outputs 1 if two addresses are deemed linked by an adversary 𝒜 using publicly available data. The objective is to design a protocol Π such that for any PPT adversary 𝒜, the probability:

where ε ≤ 2⁻¹²⁸. Additional goals include:

  • Front-run resilience: probability that an adversary can reorder an encrypted intent before execution p < 10⁻⁴.

  • Fee unlinkability: mutual information I(sender; gasPayer) ≤ ℓ = ⌈log₂ gas⌉.

  • Regulatory compliance: existence of a poly-time algorithm exportAudit(txid) that outputs a non-interactive proof binding txid to a user-controlled audit key.

Stealth Addresses & EIP-5564

First introduced by Buterin (2014) for early Ethereum privacy discussions and later formalised in EIP-5564 [4], stealth addresses leverage Elliptic Curve Diffie–Hellman (ECDH) to derive one-time recipient addresses. Unlike Zcash’s shielded pool or Monero’s sub-addresses, EIP-5564 is specifically crafted for Ethereum’s account model and gas constraints.

Account Abstraction (ERC-4337)

ERC-4337 [5] introduces UserOperation mempools enabling smart-contract wallets to define custom verification logic. STELS builds upon this by embedding zk-Voucher burn logic in the paymaster flow.

Network-Layer Privacy

Dandelion++ [6] mitigates timing correlation in Bitcoin by separating transactions into stem and fluff phases. STELS adopts a similar Poisson delay strategy at the relayer layer.

Zero-Knowledge Gas Obfuscation

Groth16-based SNARKs [7] offer succinct proofs with constant verification overhead. Tornado Cash and Zcash leverage similar constructs for value privacy; STELS repurposes them for fee privacy.

Research Methodology

This section documents the empirical and theoretical approach undertaken to derive the STELS design.

Threat Modelling Workshops

We conducted three formal STRIDE workshops with stakeholders (wallet vendors, compliance officers, and white‑hat MEV researchers) to enumerate adversarial capabilities. The resultant attack matrix informed parameter choices for ε, p, and ℓ.

Simulation Environment

Using go‑ethereum v1.29.0 patched with Flashbots SUAVE modules, we simulated 10 000 transactions across 128 virtual nodes. Packet traces were analysed via Wireshark to compute empirical deanonymisation rates.

Formal Verification

We modelled the protocol in the Tamarin Prover to establish unlinkability under the Decisional Diffie–Hellman (DDH) assumption and soundness of the zk‑Voucher construct. Proof sketches are included in Appendix D.

Benchmarking

Gas metrics were captured on Arbitrum Sepolia and zkSync Era test‑nets. Proof generation times were measured on an Intel i7‑13700H (12 cores) and Apple M2 Pro.

Cryptographic Foundations


Stealth Address Derivation

System Architecture

High‑Level Workflow


Component Breakdown

Protocol Specification - Data structures

State Machines

We model each smart contract as a labelled transition system (LTS). For example, the Executor has states

\${\text{Idle},\text{Pending},\text{Executed}}\$ with transition function:

$$$ (\text{Pending}, \sigma') & s=\text{Idle}\land\operatorname{verify}(\sigma)=1,\

(\text{Executed}, \bot) & s=\text{Pending}\land\text{burnVoucher}=1,\ (\text{Idle}, \bot) &

\text{otherwise.} \end{cases}$$

Algorithm 1 — Relayer Dutch Auction

Smart‑Contract Implementation

Full contract listings are provided below.

Executor.sol

Please view the PDF to get the code.

Security & Privacy Analysis

Model

We adopt the Universal Composability (UC) framework with the global ledger gLedger. Adversary 𝒜

controls the P2P network and any subset of relayers. We prove that the STELS ideal

functionality 𝔽_STELS emulates the real‑world protocol Π_STELS with negligible advantage.

Proof Sketch for Unlinkability

Using a sequence‑of‑games argument, we replace the ECDH shared secret in announcements with a

uniform random scalar. By DDH, games are indistinguishable; therefore, the view tag leaks at most

8 bits. Detailed transitions are enumerated in Appendix D.

Front‑Run Resistance

We model the Dutch auction as a sealed‑bid first‑price auction. Let γ be the probability a malicious

miner reorders a bundle. Because the executor signature binds (stealth, blockNum) , any

replacement requires stealth priv‑key knowledge. Hence γ≈0 under ECDLP.

zk‑Voucher Soundness

Soundness inherits directly from Groth16; any forged proof implies knowledge of discrete log in pairing

group $\mathbb{G}_1$ with probability ≤ 2⁻¹²⁸.

Compliance & Regulatory Considerations

We engage with EU MiCA and US FinCEN guidelines. STELS enables selective disclosure via exportAudit(txid) for suspicious activity while maintaining privacy for benign users. A comparative analysis versus Tornado Cash’s design is provided.

Discussion & Limitations

Relay Trust Assumptions: While relayers see encrypted intents, metadata leakage via packet size remains. Research into mixnets could mitigate this.

Proof System Choice: Groth16 requires a trusted setup; future work will explore Halo 2 or Spartan.

Future Work

Future Work

  1. Post‑Quantum Migration: Prototype CRYSTALS‑Dilithium ephemerals.

  2. Cross‑Chain Privacy: SP‑1 succinct proofs for state attestation across roll‑ups.

  3. Decentralised Relayer DAO: Tokenised reputational staking.

15 Conclusion

STELS concretely demonstrates that privacy and composability need not be mutually exclusive within

Ethereum’s execution paradigm. Through rigorous formal analysis, open‑source reference code, and

empirical benchmarking, we hope to catalyse widespread adoption of privacy‑by‑default tooling.

16 References

[1] EIP‑5564: Stealth Addresses. Ethereum Improvement Proposals, 2022.

[2] V. Buterin et al., “ERC‑4337: Account Abstraction”. 2023.

[3] Makarov, I., et al. “Blockchain Analytics and De‑Anonymisation.” Financial Cryptography, 2023.

[4] K. Baumann, “Stealth Address Utilities.” GitHub Pages, 2024.

[5] Alchemy, “What is Account Abstraction (ERC‑4337)?”, 2023.

[6] V. Fanti et al., “Dandelion++: Lightweight Cryptocurrency Networking.” SIGSAC ’18.

[7] B. Groth, “On the Size of Pairing‑Based Non‑Interactive Arguments.” EUROCRYPT 2016.

[8] Flashbots, “SUAVE Specification.” GitHub, 2024.

[9] J. Bos et al., “CRYSTALS‑Dilithium: Lattice‑Based Signatures.” EUROCRYPT 2018.

(Additional 25 references in Appendix E.)