 Research
 Open access
 Published:
Key derivable signature and its application in blockchain stealth address
Cybersecurity volume 7, Article number: 43 (2024)
Abstract
Stealth address protocol (SAP) is widely used in blockchain to achieve anonymity. In this paper, we formalize a key derivable signature scheme (KDS) to capture the functionality and security requirements of SAP. We then propose a framework to construct key separation KDS, which follows the key separation principle as all existing SAP solutions to avoid the reuse of the master keys in the derivation and signature component. We also study the joint security in KDS and construct a key reusing KDS framework, which implies the first compact stealth address protocol using a single key pair. Finally, we provide instantiations based on the elliptic curve (widely used in cryptocurrencies) and on the lattice (with quantum resistance), respectively.
Introduction
Modern blockchain is a distributed ledger that allows transactions among different users. Typically, the ledger is in the form of a keyvalue storage, where the key is the user’s address; and the value is the balance of this address. For engineering simplicity, the address is usually a public, efficient encoding of a group element over a certain elliptic curve. This group element is also used as a public key. To spend from this address, one simply needs to provide a digital signature and post the transaction to the blockchain. This method has been used by main cryptocurrency platforms (Nakamoto 2008; Wood 2014; Sasson et al. 2014; Wood 2016; Gilad et al. 2017).
A main drawback of the above design is the lack of privacy, i.e., everyone can figure out the transactions. Stealth address protocol (SAP), adopted by Monero, Bytecoin and Samourai Wallet (Saberhagen 2012; Noether and Mackenzie 2016), is a common cryptographic approach to hide the identity of the receiver. To date, those platforms have a combined market cap of 3.1 billion US dollars. In a nutshell, a stealth address can be seen as a derived public key from the user’s master public key. In a Monerolike protocol, for an address \(b{{\mathcal {G}}}\), where b is a field element and \({{\mathcal {G}}}\) is the group generator, its stealth address is in the form of \((r+b){{\mathcal {G}}}\), where r is randomly chosen by the sender and shared with the receiver via key exchange scheme. Early designs adopted this idea and modified the protocol when suffering from security risks (Saberhagen 2012, 2013; Noether and Mackenzie 2016; Courtois and Mercer 2017), which lacks a formalized algorithm definition, and a security model including security/privacy requirements and capturing adversary capabilities.
In 2019, Liu et al. made the first attempt to define a crypiographic tool to formalize SAP named publicly derived public key scheme (PDPKS), and proposed an instantiation based on pairing friendly curve (Liu et al. 2019b). However, the definition in PDPKS does not allow for signing with user’s master keys. This may create a discrepancy with the widespread application of SAP. When deploying SAP in a widelyused blockchain, there are already numerous transactions in the system that have been signed by users’ master keys. These transactions are publicly accessible and permanently recorded on the blockchain. Therefore, it is important for the SAP to have a welldefined approach to handling master key signatures and related security measures to ensure the continued safety and privacy of the system. In addition, the security model of PDPKS allows the adversary to corrupt the derived secret keys, which imposes a strong security requirement that is rarely targeted in subsequent stealth address protocols (Feng et al. 2020; Yu 2020). There is still a lack of cryptographic formalization that should match the SAP usage in blockchain, and a security model capturing the basic security requirements of Monerolike SAPs and the stronger security proposed in PDPKS, respectively.
On the other side, current SAPs and PDPKS are all dualkey schemes, that is, a scan key pair to share and check the stealth address, and a spend key pair to sign and verify transactions. This design is for security concern, especially using the principle of key separation (i.e., independence of keys, which is essential in cryptography) to avoid the reuse of the master key pair. However, key reusing is also possible with welldefined security. It implies a compact SAP using single key pair for simpler systems and broader application scenarios. We can deploy such a compact SAP into popular singlekey cryptocurrency systems, especially Bitcoin. There is still a lack of such design after 10 years of SAP deployment.
In addition, current constructions of SAP and PDPKS are built on concrete assumptions. For example, Monerolike protocols use the discrete logarithm problem on the elliptic curve and the latest PDPKS construction (Liu et al. 2020) exploits the trapdoor function on the lattice. It is desirable to design a framework based on crypto primitives that captures multiple instantiations according to the application. Thus, the motivation of this paper is to revise a better formal definition to abstract SAP, propose framework constructions, and support key reusing for compact schemes.
Our results
This paper analyzes the main existing stealth address protocols and the concept of publicly derived public key scheme. We improve this cryptographic tool into the key derivable signature scheme (KDS), and propose general frameworks and instantiations. Specifically, our contributions can be summarized as follow:
KDS Scheme and Security Model.
We first introduce and formalize a KDS scheme and its security model to capture the functionality and security requirements of SAP. Compared to the similar concept PDPKS, KDS allows signing with master keys, which can better match SAP application scenarios on the blockchain; secondly, we revise the existential unforgeable (EUF) and public key unlinkable (UNL) security proposed in PDPKS accordingly, to allow the adversary to access the signing oracle via the master key and win the game by forging a master key signature. We enforce the basic security EUF/UNL of KDS to its strong version strongEUF/strongUNL (SUNF/SUNL), by considering the derived secret key leakage.
KDS Frameworks and Instantiations.
We give two KDS frameworks. To achieves this, two barriers should be addressed: the first one is the lack of a cryptographic primitive to capture the key derivation; the second one is the key reuse problem in KDS. To address the first issue, we define a key derivation scheme (KDV), as well as its relinkability and leakageresistance. Relinkability of KDV requires that the derived public key does not leak information about master public key, whereas leakageresistance is a stronger security and requires that the derived secret key does not leak information about the master secret key. We then overcome the second problem with two design approaches:

Key Separation KDS (KSKDS) Framework The first approach is a KSKDS following key separation principle. Our framework is based on a KDV, a public key encryption (PKE), and a canonical identification protocol (CID). Specifically, we use the KDV to extract the derived key pair from user’s master key pair, use FujisakiOkamoto transformation on PKE to get a KEM to share and check the stealth addresses, and use FiatShamir transformation on CID to construct a signature scheme to sign and verify transactions. An EUF and UNL secure KSKDS requires that the KDV is relinkable, the PKE is indistinguishable under chosenplaintext attack (INDCPA) and indistinguishable of keys under chosenplaintext attack (IKCPA); and the CID should be secure against impersonation under keyonly attack (IMPKOA) and honestverifier zeroknowledge (HVZK). Further, if the KDV also satisfies leakageresistance, then we can obtain a strong KSKDS satisfying SEUF and SUNL security. We give a KSKDS instantiation on the elliptic curve, and a strong KSKDS instantiation on the lattice.

Key Reusing KDS (KRKDS) Framework To enable a KRKDS, where a single master key pair is reused for both key derivation and signature, we resort to the techniques of joint security (Haber and Pinkas 2001). We construct a jointly secure and key private combined signature and key encapsulation mechanism (CSK) using CID, PKE and random oracles (RO). This construction follows an observation that the RO plays a similar role to key separation in our KSKDS framework. We then construct a (strong) KRKDS by combining such a CSK scheme with a relinkable (and leakageresistant) KDV scheme. To illustrate the effectiveness of our result, we give the first compact stealth address protocol instantiation which can be deployed in widely used cryptocurrencies such as Bitcoin to provide privacy protection.
The comparison between our work and other SAP solutions is shown in Table 1.
Related work
There has been a lot of recent work based on Monerolike stealth address. For example, Yu (2020) proposed a solution allowing for multiple addresses within one wallet, Liu et al. (2019a) proposed a latticebased linkable ring signature scheme with stealth address, and Wang et al. (2024) proposed a universally composable (UC) linkable ring signature supporting stealth address. Motivated by these works, we present a formalized KDS definition and a security model to capture the essence of stealth address.
Another line of research on stealth address is based on publicly derived public key schemes (PDPKS), which is designed to maintain security even when derived keys have been corrupted. Liu’s team first proposed this definition (Liu et al. 2019b), and later extended it to latticebased (Liu et al. 2020) and UC (Zhu et al. 2023) settings. However, they do not consider the keyreusing property, which is essential to achieve a compact stealth address protocol that can be deployed into most blockchains, not just specially designed systems such as Monero. We revised their model and discuss the joint security in blockchain stealth address.
Joint security ensures the security of the cryptographic tools in the case of key reusing, and can significantly simplify the system and reduce storage in engineering implementations. Haber and Pinkas (2001) introduced the concept of the jointly secure combined public key scheme in 2001, which combines a signature scheme and an encryption scheme using the same key pair. Prior works mainly focus on combined signature and encryption schemes, such as ElGamalbased signature and encryption (Vasco et al. 2008), Schnorr and ECIES (Degabriele et al. 2012), and blind Schnorr signature and Schnorrsigned ElGamal encryption (Fuchsbauer et al. 2020). Adding a derivation algorithm based on such a combined scheme may lead to novel application scenarios, such as our key derivable signature. Chen et al. (2021) proposed a hierarchical integrated signature and encryption (HISE) scheme, in which the encryption component used a derived key pair from the signature key pair.
Paper organization
This paper is organized as follows: “Preliminaries” section reviews the crypto primitives; “Key derivable signature scheme” section presents our key derivable signature scheme (KDS) definition and security model, and compares it with prior works; “The construction of (strong) key separation key derivable signature scheme” section describes our key derivation scheme (KDV) definition and the framework to construct (strong) KSKDS; “The construction of (strong) key reusing key derivation scheme” section improves this framework to construct KRKDS; “Conclusion” section concludes the paper.
Preliminaries
Canonical identification protocol (CID)
Definition 1
(Canonical Identification Protocol) A canonical identification (CID) protocol with commitment space COM, challenge space CH, and response space RSP consists of a triple of PPT algorithms \((\mathsf {CID.Gen},\mathsf {CID.P}=\left( \mathsf {P_1},\mathsf {P_2}),\right.\) \(\left. \mathsf {CID.V}=(\mathsf {V_1},\mathsf {V_2})\right)\) as follows:

\(\mathsf {CID.Gen}(pp)\rightarrow {(pk,sk)}\): The key generation takes the public parameters pp as input and outputs a public key pk and a secret key sk.

\(\mathsf {CID.P}=(\mathsf {P_1},\mathsf {P_2})\): The prover is a twostage algorithm that takes a secret key sk. \(\mathsf {P_1}\) takes the secret key sk as input and outputs a commitment \(com\in {COM}\) and a state \(\textsf{st}\); \(\mathsf {P_2}\) takes the secret key sk, a commitment \(com\in {COM}\), a challenge \(ch\in {CH}\) and a state \(\textsf{st}\) as input and outputs a response \(rsp\in {RSP}\).

\(\mathsf {CID.V}=(\mathsf {V_1},\mathsf {V_2})\): The verifier is a twostage algorithm that takes a public key pk as input. \(\mathsf {V_1}\) takes the public key pk as input, chooses a random challenge \(ch\xleftarrow {\$}{CH}\) and sends it to the prover. \(\mathsf {V_2}\) takes the public key pk and the conversation transcript (com, ch, rsp) as input and outputs a deterministic decision, 1 (acceptance) or 0 (rejection).
We denote the conversation transcript (com, ch, rsp) as \(\textsf{P}(sk)\leftrightarrow \textsf{V}(pk)\). Here, (pk, sk) represents the (public key, secret key) pair generated by \(\mathsf {CID.Gen}(pp)\), and \((com, ch, rsp):=\textsf{P}(sk)\leftrightarrow \textsf{V}(pk)\) denotes the information exchanged between \(\mathsf {CID.P}\) and \(\mathsf {CID.V}\) throughout the CID protocol interaction under (pk, sk).
Security against impersonation under keyonly attacks (IMPKOA) serves as a basic security for CID. It guarantees that adversaries cannot impersonate the prover to deceive an honest verifier without having access to the secret key.
Definition 2
(IMPKOA Security) A CID protocol \(\textsf{CID}=\left( \mathsf {CID.Gen},\mathsf {CID.P},\right.\) \(\left. \mathsf {CID.V}\right)\) is IMPKOA secure, if there exists a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}_{\textsf{CID},\mathcal {A}}^{\mathsf {IMP{}\textsf{KOA}}}(pp)\le {negl(\lambda )}\)^{Footnote 1} for any PPT adversary \(\mathcal {A}\). The advantage is defined as follows:
where \(\textsf{G}^{\mathsf {IMP{}KOA}}_{\textsf{CID},\mathcal {A}}(pp)\) is describe as in Fig. 1.
Honestverifier zeroknowledge (HVZK) is a formalization of the property where adversaries do not gain any additional knowledge from honest interactions.
Definition 3
(HVZK) A CID protocol is HVZK if there exists a PPT algorithm \(\textsf{Sim}\) and a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}_{\textsf{CID},\mathcal {A}}^{\textsf{HVZK}}(pp)\) \(\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage \(\textsf{Adv}_{\textsf{CID},\mathcal {A}}^{\textsf{HVZK}}(pp)\) is defined as follows:
Key privacy of public key encryption
The key privacy of a public key encryption scheme is effectively captured by the property known as “indistinguishability of keys under chosenplaintext attack” (IKCPA). It ensures that adversaries, under a chosenplaintext attack, are unable to distinguish ciphertexts generated by different encryption keys.
Definition 4
(IKCPA Security) A PKE scheme \(\textsf{PKE}=\left( \mathsf {PKE.Gen},\mathsf {PKE.Enc},\right.\) \(\left. \mathsf {PKE.Dec}\right)\) is IKCPA secure if there exists a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}^{\mathsf {IK{}CPA}}_{\textsf{PKE},\mathcal {A}}(pp)\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage \(\textsf{Adv}^{\mathsf {IK{}CPA}}_{\textsf{PKE},\mathcal {A}}(pp)\) is defined as follows:
where the IKCPA game \(\textsf{G}^{\mathsf {IK{}CPA}}_{\textsf{PKE},\mathcal {A}}(pp)\) is described as Fig. 2.
Key derivable signature scheme
Algorithm definition
In this section, we introduce the key derivable signature (KDS). This scheme enables the generation of derived key pairs from the master key pair. Our formal definition of KDS is as follows:
Definition 5
(Key Derivable Signature) A KDS scheme with message space M consists of following algorithms:

\(\mathsf {KeyGen(pp)}\rightarrow (mpk, msk)\). The key generation algorithm takes the public parameters pp as input and outputs a master public key/secret key pair (mpk, msk).

\(\textsf{DpkDerive}(mpk)\rightarrow {dpk}\). The public key derivation algorithm takes a master public key mpk and outputs a derived public key dpk.

\(\textsf{DpkCheck}(mpk,msk,dpk)\rightarrow {0/1}\). The derived public key checking algorithm takes a master key pair (mpk, msk) and a derived public key dpk as input, and outputs a bit b, where \(b=1\) means that dpk is a derived key generated from mpk and \(b=0\) means not.

\(\textsf{DskDerive}(mpk,msk,dpk)\rightarrow dsk\). The secret key derivation algorithm takes a master key pair (mpk, msk) and a derived public key dpk as input, and outputs a derived secret key dsk.

\(\textsf{Sign}(sk, m)\rightarrow \sigma\). The signing algorithm takes a secret key sk (a master secret key msk or a derived secret key dsk) and a message \(m\in {M}\) as input, and outputs a signature \(\sigma\).

\(\textsf{Verify}(pk,m, \sigma )\rightarrow {0/1}\). The verification algorithm takes as a public key pk (a master public key mpk or a derived public key dpk), a message m and a signature \(\sigma\) as input, and outputs a bit b, where \(b=1\) means that the signature is valid and \(b=0\) means not.
Additionally, the above algorithms must satisfy the following correctness properties:

For any \((mpk,msk)\leftarrow {\textsf{KeyGen}(pp)}\), there exists a negligible function \(negl(\cdot )\) such that
$$\begin{aligned} \Pr _{dpk\leftarrow {\textsf{DpkDerive}}(mpk)}[\textsf{DpkCheck}(mpk,msk,dpk)\ne 1]\le {neg(\lambda )}. \end{aligned}$$ 
For any \((mpk,msk)\leftarrow {\textsf{KeyGen}(pp)}\) and \(m\in {M}\), there exists a negligible function \(negl(\cdot )\) such that
$$\begin{aligned} \Pr _{\sigma \leftarrow {\textsf{Sign}(msk,m)}}[\textsf{Verify}(mpk,m,\sigma )\ne 1]\le {neg(\lambda )}. \end{aligned}$$ 
For \((mpk,msk)\leftarrow {\textsf{KeyGen}(pp)}\) and \(m\in {M}\),
$$\begin{aligned} \begin{aligned} \Pr _{dpk\leftarrow {\textsf{DpkDerive}}(mpk)}&[\textsf{Verify}(dpk,m,\sigma )\ne 1dsk\leftarrow {\textsf{DskDerive}(mpk,msk,mpk)},\\ &\sigma \leftarrow {\textsf{Sign}(dsk,m)}]\le {neg(\lambda )}. \end{aligned} \end{aligned}$$
KDS is a revised definition of PDPKS, the security model of PDPKS is detailed in A. The major difference is that we consider a master key/derived key signature algorithm, while PDPKS only allows signing with derived keys. This change is motivated by practical considerations. In most existing blockchain systems, except for those specifically designed for stealth address schemes (such as Monero), there is no definition or transaction procedure related to derived keys. Transactions are signed using master keys, recorded onchain, and publicly accessible. When deploying stealth address on such blockchains, it is necessary to have a welldefined approach to handling master key signatures and related security measures to ensure the safety and privacy of the system. According to our KDS definition, the stealth address protocol can be deployed as a plugin. It effectively protects the identity privacy while allowing users to still utilize master key signatures without affecting their token balance in permanent addresses. The stealth address works as follows:
For a sender Alice (A), who wants to send a transaction to a receiver Bob (B), A first runs \(\textsf{DpkDerive}(mpk_B)\rightarrow {dpk_B}\) to derive a stealth address for B, where \(mpk_B\) is B’s master public key. Then A runs \(\textsf{Sign}(sk_A, m_A)\rightarrow \sigma _A\) to send a transaction, where \(sk_A\) can be either A’s master secret key or derived secret key, and \(m_A\) records the information such as the amount and receiver address \({dpk_B}\). To receive the transaction, B actively monitors the blocks and runs \(\textsf{DpkCheck}(mpk_B,msk_B,dpk')\rightarrow {0/1}\) to check all potential \(dpk'\), until finding his derived address \(dpk_B\) and the corresponding transaction. Then he validates the transaction by using \(\textsf{Verify}(pk_A,m_A', \sigma _A')\rightarrow {0/1}\). To spend the coin in \(dpk_B\), B runs \(\textsf{DskDerive}(mpk_B,msk_B,dpk_B)\rightarrow dsk_B\) to derive the secret key \(dsk_B\). Then he can use \(\textsf{Sign}(dsk_B, m_B)\rightarrow \sigma _B\) to sign a transaction spending the coin. Anyone else can validate the transaction by using \(\textsf{Verify}(dpk_B,m_B', \sigma _B')\rightarrow {0/1}\).
Security model
In this section, we provide a formal security model to capture the security and privacy requirements of KDS. We need to consider two cases motivated by the security risks of cryptocurrencies:

1.
The adversary should not be able to forge the receiver’s master/derived key signatures to steal their balance.

2.
The adversary should not be able to trace the receiver’s permanent address from the derived address.
Security We provide basic security properties: existential unforgeability (EUF) and public key unlinkability (UNL), as well as the stronger security properties: strong existential unforgeability (SEUF) and strong public key unlinkability (SUNL) of KDS, by distinguishing the adversary’s capabilities.
The EUF security property states that an adversary, with access to the signature algorithm and derived public key checking algorithm, cannot produce a valid forgery. A more detailed definition is as follows:
Definition 6
(EUF Security) A KDS scheme \(\textsf{KDS}=\left( \textsf{KeyGen},\textsf{DpkDerive},\right.\) \(\left. \textsf{DpkCheck},\textsf{DskDerive},\textsf{Sign},\textsf{Verify}\right. )\) is EUF secure, if there exists a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}_{\textsf{KDS},\mathcal {A}}^{\textsf{EUF}}(pp)\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage is defined as follows:
where the EUF game \(\textsf{G}^{\textsf{EUF}}_{\textsf{KDS},\mathcal {A}}(pp)\) is described as in Fig. 3.
The UNL security states that an adversary, even with access to the signature algorithm and derived public key checking algorithm, cannot distinguish which of two master public keys was used to derive a specific derived public key. A more detailed definition is as follows:
Definition 7
(UNL Security) A KDS scheme \(\textsf{KDS}=\left( \textsf{KeyGen},\textsf{DpkDerive},\right.\) \(\left. \textsf{DpkCheck},\textsf{DskDerive},\textsf{Sign},\textsf{Verify}\right. )\) is UNL secure, if there exists a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}^{\textsf{UNL}}_{\textsf{KDS},\mathcal {A}}(pp)\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage \(\textsf{Adv}^{\textsf{UNL}}_{\textsf{KDS},\mathcal {A}}(pp)\) is defined as follows:
where the UNL game \(\textsf{G}_{\textsf{KDS},\mathcal {A}}^{\textsf{UNL}}(pp)\) is described as in Fig. 4.
The strongEUF (SEUF) and strongUNL (SUNL) security, which correspond to EUF and UNL security, respectively, provide the adversary with the additional capability of querying the secret key derivation algorithm. Their more detailed definitions are as follows:
Definition 8
(SEUF Security) A KDS scheme \(\textsf{KDS}=\left( \textsf{KeyGen},\textsf{DpkDerive},\right.\) \(\left. \textsf{DpkCheck},\textsf{DskDerive},\textsf{Sign},\textsf{Verify}\right. )\) is SEUF secure, if there exists a negligible \(negl(\cdot )\) such that the advantage \(\textsf{Adv}_{\textsf{KDS},\mathcal {A}}^{\textsf{SEUF}}(pp)\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage is defined as follows:
where the SEUF game \(\textsf{G}^{\textsf{SEUF}}_{\textsf{KDS},\mathcal {A}}(pp)\) is described as in Fig. 3.
Definition 9
(SUNL Security) A KDS scheme \(\textsf{KDS}=\left( \textsf{KeyGen},\textsf{DpkDerive},\right.\) \(\left. \textsf{DpkCheck},\textsf{DskDerive},\textsf{Sign},\textsf{Verify}\right. )\) is UNL secure, if there exists a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}^{\textsf{SUNL}}_{\textsf{KDS},\mathcal {A}}(pp)\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage \(\textsf{Adv}^{\textsf{SUNL}}_{\textsf{KDS},\mathcal {A}}(pp)\) is defined as follows:
where the SUNL game \(\textsf{G}_{\textsf{KDS},\mathcal {A}}^{\textsf{UNL}}(pp)\) is described as in Fig. 4.
There are several differences between our security model and PDPKS’s. First, we allow the adversary to access \(O_{Sig}\) with the master key and win the game by forging the master key signatures. This modification captures the fact that an adversary can request transactions or look up transactions signed by a user with his master key from the blockchain ledger, and steal the balance in the user’s permanent address by forging his master key signature. Second, we define security as the basic security (EUF/UNL) and the strong security (SEUF/SUNL) by dividing adversary capabilities. In the basic security, we limit the adversary can only access \(O_{Dpk}\) and \(O_{Sig}\), as considered in most SAP works. In the strong security, the adversary has an additional access to \(O_{Dsk}\), which captures the assumption that user leaks his derived secret key, as PDPKS considered.
The construction of (strong) key separation key derivable signature scheme
In this section, we define a key derivation scheme (KDV) to extract derived keys from a master key pair, and propose a framework to construct (strong) key separation KDS (KSKDS) as illustrated in Fig. 5.
Key derivation scheme
Definition 10
(Key Derivation Scheme) A KDV scheme consists of a triple PPT algorithms \((\mathsf {KDV.Gen},\mathsf {KDV.Dpk},\mathsf {KDV.Dsk},\mathsf {KDV.Chk})\) as follows:

\(\mathsf {KDV.Gen}(pp)\rightarrow {(mpk,msk,\mathcal {R})}\):The key generation algorithm takes the public parameters as input and outputs a master public key/secret key pair (mpk, msk) and a deterministic polynomialtime verifiable relationship \(\mathcal {R}\).

\(\mathsf {KDV.Dpk}(mpk,\mathcal {R})\rightarrow {dpk}\): The public key derivation generation algorithm takes a master public key mpk and a deterministic polynomialtime verifiable relationship \(\mathcal {R}\) as input, selects a random number \(r\xleftarrow {\$}R\),^{Footnote 2} and outputs a derived public key \(dpk:=\mathsf {DKV.Dpk}(mpk,\mathcal {R};r)\).

\(\mathsf {KDV.Dsk}(mpk,msk,\mathcal {R})\rightarrow {dsk}\): The secret key derived generation algorithm takes a master public/secret key pair (mpk, msk) and a deterministic polynomialtime verifiable relationship \(\mathcal {R}\), selects a random number \(r\xleftarrow {\$}R\) and outputs a derived secret key \(dsk:=\mathsf {KDV.Dsk}(mpk,msk,\mathcal {R};r)\).

\(\mathsf {KDV.Chk}(pk,sk,\mathcal {R})\rightarrow {0/1}\):The validity checking algorithm takes a public/secret key pair (pk, sk) and a deterministic polynomialtime verifiable relationship \(\mathcal {R}\) and outputs a bit b, where \(b=1\) means that \((pk,sk)\in {\mathcal {R}}\) and \(b=0\) means that \((pk,sk)\notin {\mathcal {R}}\)
Additionally, the above algorithms must satisfy the following correctness:

For any \((mpk,msk,\mathcal {R})\leftarrow {\mathsf {KDV.Gen}}(pp)\),
$$\begin{aligned} \mathsf {KDV.Chk}(mpk,msk,\mathcal {R})=1. \end{aligned}$$ 
For any \((mpk,msk,\mathcal {R})\leftarrow {\mathsf {KDV.Gen}}(pp)\) and \(r\in {R}\),
$$\begin{aligned} \mathsf {KDV.Chk}(dpk,dsk,\mathcal {R})=1, \end{aligned}$$where \(dpk:=\mathsf {KDV.Dpk}(mpk,\mathcal {R};r)\) and \(dsk:=\mathsf {KDV.Dsk}(mpk,msk,\mathcal {R};r)\)

For any \((mpk,msk,\mathcal {R})\leftarrow {\mathsf {KDV.Gen}}(pp)\), if \(r\ne {r'}\), then
$$\begin{aligned} \mathsf {KDV.Chk}(dpk,dsk,\mathcal {R})=0, \end{aligned}$$where \(dpk:=\mathsf {KDV.Dpk}(mpk,\mathcal {R};r)\) and \(dsk:=\mathsf {KDV.Dsk}(mpk,msk,\mathcal {R};r')\).
For a key generation algorithm \(\textsf{Gen}\), if the relationship \(\mathcal {R}:=\{(pk,sk)(pk,sk)\leftarrow {\textsf{Gen}(pp)}\}\) is polynomialtime verifiable, we can define a KDV for \(\textsf{Gen}\) as follows:

\(\mathsf {KDV.Gen}(pp)\rightarrow {(mpk,msk,\mathcal {R})}\): It runs \((mpk,msk)\leftarrow {\textsf{Gen}(pp)}\) and extracts a deterministic polynomialtime verifiable relation \(\mathcal {R}:=\{(pk,sk)(pk,sk)\leftarrow {\textsf{Gen}(pp)}\}\). Then outputs \((mpk,msk,\mathcal {R})\).
Security. We define the relinkability and leakresistance for KDV. Relinkability states that a derived public key \(dpk:=\mathsf {KDV.Dpk}(mpk,\mathcal {R};r)\) can be relinked to \(mpk'\ne {mpk}\). It ensures that dpk does reveal any information about the master public key mpk. Leakresistance states that derived public/secret key pairs (dpk, dsk) do not reveal any information about the master secret key msk.
Definition 11
(Relinkability) A KDV scheme \(\textsf{KDV}=\left( \mathsf {KDV.Gen},\mathsf {KDV.Dpk},\right.\) \(\left. \mathsf {KDV.Dsk},\mathsf {KDV.Chk}\right)\) is relinkable, if there exists a PPT “relink” algorithm \(\textsf{Rel}\) and a negligible function \(negl(\cdot )\) such that \(\textsf{Adv}_{\textsf{KDV},\mathcal {A}}^{\textsf{RLink}}(pp)\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage is defined as follows:
where the game \(\textsf{G}^{\textsf{RLink}}_{\textsf{KDV},\mathcal {A}}(pp)\) is described as Fig. 6.
Definition 12
(Leakage Resistance) A KDV scheme \(\textsf{KDV}=\left( \mathsf {KDV.Gen},\right.\) \(\left. \mathsf {KDV.Dpk},\mathsf {KDV.Dsk},\mathsf {KDV.Chk}\right)\) is leakage resistant, if there exist a PPT algorithm \(\textsf{Alt}=(\mathsf {Alt_1},\mathsf {Alt_2})\) and a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}_{\textsf{KDV},\mathcal {A}}^{\textsf{LR}}(pp)\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage is defined as follows:
where the game \(\textsf{G}^{\textsf{LR}}_{\textsf{KDV},\mathcal {A}}(pp)\) is described as Fig. 6.
A framework to construct (strong) KSKDS
We propose a KSKDS framework that is based on a canonical identification protocol \(\textsf{CID}\), a public key encryption \(\textsf{PKE}\), and a key derivation scheme \(\textsf{KDV}\).
Let \(\textsf{CID}=(\mathsf {CID.Gen},\mathsf {CID.P},\mathsf {CID.V})\) be a CID protocol and \(\textsf{KDV}=(\mathsf {KDV.Gen},\) \(\mathsf {KDV.Dpk},\mathsf {KDV.Dsk},\mathsf {KDV.Chk})\) be a KDV scheme for \(\textsf{CID}\). Let \(\textsf{PKE}=(\mathsf {PKE.Gen},\) \(\mathsf {PKE.Enc}, \mathsf {PKE.Dec})\) be a PKE scheme. We compose them to construct a KSKDS as shown in Algorithm 1. We use FiatShamir transformation (FS) on \(\textsf{CID}\) to get a signature scheme, use FujisakiOkamoto transformation (FO) on \(\textsf{PKE}\) to get a KEM. This KEM scheme is used to generated the k which is the randomness used to generated the derivable key pair. G, H and \(H_1\) are random oracles.
Remark. Note that constructing KSKDS using SIG, KEM, and KDV is also feasible. However, our approach prefers to build upon more fundamental cryptographic primitives, and this method is particularly useful for designing the KRKDS algorithm in “The construction of (strong) key reusing key derivation scheme” section.
Security. We then discuss the security of the above KSKDS construction.
Theorem 1
Let \(\textsf{CID}\) be an IMPKOA secure CID protocol with HVZK. Let \(\textsf{KDV}\) be a relinkable KDV scheme for \(\textsf{CID}\). Let \(\textsf{PKE}\) be an INDCPA secure PKE scheme. Let G, H and \(H_1\) are random oracles. Then, the KSKDS scheme is EUF secure in the random oracle model.
Proof
Assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) that breaks the EUF security of the KSKDS scheme with noticeable probability. That is, the following advantage is noticeable:
We consider two different cases and construct PPT adversary \(\mathcal {B}\) or \(\mathcal {C}\) against the IMPPOA security of \(\textsf{CID}\), respectively:
Case 1 (\(pk^*=mpk\)). \(\mathcal {A}\) generate the valid forge signature for mpk. We then construct \(\mathcal {B}\) to attack \(\textsf{CID}\) as follows:

Setup Phase The IMPKOA challenger generates a pair of public/secret keys \((spk,ssk)\leftarrow {\mathsf {CID.Gen}}(pp)\). The IMPKOA adversary \(\mathcal {B}\) receives spk and public parameters pp. It runs \((epk,esk)\leftarrow \mathsf {PKE.Gen}(pp)\) and extracts a deterministic polynomial time verifiable relationship \(\mathcal {R}:=\{(pk,sk)(pk,sk)\leftarrow {\mathsf {CID.Gen}(pp)}\}\). Let \(mpk:=spkepk\mathcal {R}\) and \(msk:=sskesk\). It sends mpk to \(\mathcal {A}\) and initializes three query lists \(L_{H_1}\), \(L_{Dpk}\) and \(L_{Sig}\) as empty sets. Let \(\textsf{Sim}\) be a PPT algorithm defined as in the Definition 3.

Challenge Phase The challenger picks a challenge \(ch^*\xleftarrow {\$}{CH}\) and sends it to \(\mathcal {B}\).

Query Phase For each \(\mathcal {A}\)’s query m and (m, c), \(O_{G}\) and \(O_{H}\) return H(m) and H(m, c), respectively. Additionally, \(O_{H_1}\), \(O_{Dpk}\) and \(O_{Sig}\) are simulated by the adversary \(\mathcal {B}\) as follows:

\(O_{H_1}(com,m)\): At beginning, the adversary \(\mathcal {B}\) picks \(i^*\xleftarrow {\$}{[1,q_{H_1}]}\). For \(\mathcal {A}\)’s ith (\(i\ne {i^*}\)) query (com, m), if there exists \((comm,ch)\in {L_{H_1}}\), it returns ch. Otherwise, it randomly selects ch and lets \(L_{H_1}=L_{H_1}\cup \{(comm,ch)\}\); then returns \(h_1\). Specially, for \(\mathcal {A}\)’s \(i^*\)th query (com, m),^{Footnote 3} it returns \(ch^*\) and lets \(L_{H_1}=L_{H_1}\cup \{(comm,ch^*)\}\).

\(O_{Dpk}(dpk)\): For each \(\mathcal {A}\)’s query \(dpk=(c,sdpk)\) to \(O_{Dpk}\), the adversary \(\mathcal {B}\) calculates \(m:={\mathsf {PKE.Dec}(esk,c)}\). If \(m=\bot\) or \(\mathsf {PKE.Enc}(esk,m;G(m))\ne {c}\), it returns 0. It calculates \(k:=H(m,c)\), if \(sdpk=\mathsf {KDV.Dpk}(spk,\mathcal {R};k)\), it returns 1 and lets \(L_{Dpk}:=L_{Dpk}\cup \{dpk\}\). Otherwise,it returns 0.

\(O_{Sig}(pk,m)\): For each \(\mathcal {A}\)’s query (pk, m) to \(O_{Sig}\), if \(pk=(c,sdpk)\in {L _{Dpk}}\) or \(pk=mpk\), \(\mathcal {B}\) keeps running \((com,ch,rsp)\leftarrow \textsf{Sim}(sdpk)\) or \((com,ch,rsp)\leftarrow \textsf{Sim}(spk)\) respectively until there does not exist \(com'\ne {com}\) and \(ch'\ne {ch}\) such that \((com'm,ch)\in {L_{H_1}}\) and \((comm,ch')\in {L_{H_1}}\). It returns \(\sigma :=(com,ch,rsp)\) and sets \(L_{H_1}=L_{H_1}\cup \{(comm,ch)\}\) and \(L_{Sig}=L_{Sig}\cup \{(pk,m)\}\). Otherwise, it returns \(\bot\).


Output Phase When \(\mathcal {A}\) outputs \((pk^*,m^*,\sigma ^*)\), \(\mathcal {B}\) parses \(\sigma ^*\) as \((com^*,ch'^*,\) \(rsp^*)\) and outputs \((com^*,rsp^*)\).
Since the adversary \(\mathcal {B}\) has the secret key esk of the \(\textsf{PKE}\), the simulation of \(O_{Dpk}\) is perfect. Since \(H_1\) is a random oracle, the simulation of \(O_{H_1}\) is perfect. Additionally, \(\mathcal {B}\) simulates the oracle \(O_{Sig}\) without using of ssk. Because \(\textsf{CID}\) is HVZK, the probability that the simulation of \(O_{Sig}\) can be distinguished by the adversary \(\mathcal {A}\) is at most \(q_{Sig}\cdot \textsf{Adv}_{\textsf{CID},\mathcal {A}}^{\textsf{HVZK}}\). Then for Case 1, we have (detailed derivation can be found in E):
where \(q_{H_1}\), \(q_{Sig}\) are the numbers of \(\mathcal {A}\)’queries to \(O_{H_1}\) and \(O_{Sig}\), respectively.
Case 2 (\(pk^*\in {L_{Dpk}}\)). \(\mathcal {A}\) generate the valid forge signature for a \(dpk\in {L_{Dpk}}\). We then construct \(\mathcal {C}\) to attack \(\textsf{CID}\). Naturally, the challenge public key for \(\mathcal {C}\) is a derived key which belongs to \(L_{Dpk}\). Therefore \(\mathcal {C}\) needs to generate related master public key of the challenge public key by using the relinkability of \(\textsf{KDV}\). The details of \(\mathcal {C}\) are as follows:

Setup Phase The IMPKOA challenger generates a key pair \((dspk,dssk)\leftarrow \mathsf {CID.Gen}(pp')\). The IMPKOA adversary \(\mathcal {C}\) receives dspk and public parameters pp. It runs \((epk,esk)\leftarrow {\mathsf {PKE.Gen}(pp)}\) and extracts a deterministic polynomialtime verifiable relationship \(\mathcal {R}:=\{(pk,sk)(pk,sk)\leftarrow \mathsf {CID.Gen}(pp)\}\). It runs \((spk,k^*)\leftarrow \textsf{Rel}(dspk,\mathcal {R})\) and lets \(mpk:=spkepk\mathcal {R}\). Then, it sends mpk and pp to \(\mathcal {A}\) and initializes query lists \(L_H\), \(L_{H_1}\), \(L_{Dpk}\) and \(L_{Sig}\) as empty sets. Let \(\textsf{Sim}\) be a PPT algorithm defined as in the Definition 3.

Challenge Phase The challenger generates a challenge \(ch^*\) and sends it to \(\mathcal {C}\).

Query Phase For each \(\mathcal {A}\)’ query m to \(O_{G}\), it returns \(r=G(m)\). \(O_{H_1}\), \(O_{Dpk}\) and \(O_{Sig}\) are simulated as in the construction of \(\mathcal {B}\). Additionally, \(O_{H}\) is simulates by the adversary \(\mathcal {C}\) as follows:

\(O_{H}(m,c)\): The adversary \(\mathcal {C}\) picks \(j^*\xleftarrow {\$}{[1,q_{H}]}\). For \(\mathcal {A}\)’s jth (\(j\ne {j^*}\)) query (m, c) to \(O_{H}\), if there exists \((mc,k)\in {L_{H_1}}\), it returns k. Otherwise, it randomly selects k and lets \(L_{H}=L_{H}\cup \{(mc,k)\}\); then returns \(h_1\). Specially, for \(\mathcal {A}\)’s \(j^*\)th query (m, c),^{Footnote 4} it returns \(k^*\) and lets \(L_{H}=L_{H}\cup \{(mc,k^*)\}\).


Output Phase When \(\mathcal {A}\) outputs \((pk^*,m^*,\sigma ^*)\), \(\mathcal {C}\) parse \(\sigma ^*\) as \((com^*,ch'^*,rsp^*)\) and outputs \((com^*,\sigma ^*)\).
Applying the same reasoning as in Case 1, the simulation of \(O_{Dpk}\) and \(O_{H_1}\) is perfect and the simulation of \(O_{Sig}\) can be distinguished by the adversary \(\mathcal {A}\) with probability at most \(q_{Sig}\cdot \textsf{Adv}_{\textsf{CID},\mathcal {A}}^{\textsf{HVZK}}(pp)\). Since the relinkability of \(\textsf{KDV}\) and \(O_{H}\) is also a random oracle, the \((mpk,dspk,k^*)\) and the simulation of \(O_H\) can be distinguished by \(\mathcal {A}\) with probability at most \(\textsf{Adv}_{\textsf{CID},\mathcal {A}}^{\textsf{RLink}}(pp)\). Then for Case 2, we have (detailed derivation can be found in E):
Put these results together,
Thus, the KSKDS scheme is EUF secure in the random oracle model. \(\square\)
Theorem 2
Let \(\textsf{CID}\) be an IMPKOA secure CID protocol with HVZK. Let \(\textsf{KDV}\) be a relinkable and leakageresistant KDV scheme for \(\textsf{CID}\). Let \(\textsf{PKE}\) be an INDCPA secure PKE scheme. Let G, H and \(H_1\) are random oracles. Then, the KSKDS scheme is SEUF secure in the random oracle model.
Proof
This theorem can be proved using the same proof strategy for Theorem 1. We put the full proof in E for selfcompleteness. \(\square\)
Theorem 3
Let \(\textsf{CID}\) be an IMPKOA secure CID protocol with HVZK. Let \(\textsf{KDV}\) be a relinkable KDV scheme for \(\textsf{CID}\). Let \(\textsf{PKE}\) be an INDCPA secure and IKCPA secure PKE scheme. Let G, H and \(H_1\) are random oracles. Then, the KSKDS scheme is UNL secure in the random oracle model.
Proof
Assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) that breaks the UNL security of the KSKDS scheme. We can construct a PPT adversary \(\mathcal {B}\), breaking the IKCPA security of the \(\textsf{PKE}\) scheme, we put the full proof in E for selfcompleteness. \(\square\)
Theorem 4
Let \(\textsf{CID}\) be an IMPKOA secure protocol with HVZK. Let \(\textsf{KDV}\) be a relinkable and leakageresistant KDV scheme for \(\textsf{CID}\). Let \(\textsf{PKE}\) be an INDCPA secure and IKCPA secure PKE scheme. Let G, H and \(H_1\) are random oracles. Then, the KSKDS scheme is SUNL secure in the random oracle model.
Proof
One can use the same proof strategy for Theorems 2 and 3 to prove this theorem. We give the full proof in E for selfcompleteness. \(\square\)
Instantiation
Finally, we give two instantiations of our KSKDS framework with EUF/UNL security and SEUF/SUNL security, respectively.
A KSKDS instantiation on the elliptic curve
We instantiate the \(\textsf{CID}\) in Algorithm 1 to the Schnorr underlying identification protocol, which is HVZK and IMPKOA secure, the full proof could be derived from Pointcheval and Stern (1996); we instantiate the \(\textsf{PKE}\) to ECElgamal, which is INDCPA secure and IKCPA private (this is noted in Naor and Reingold 1997; Cramer and Shoup 1998 and fully treated in Tsiounis and Yung 1998). Let \({pp}=(E,\mathcal {G},q)\) be system parameters specifying a secure elliptic curve E with a generator \(\mathcal {G}\) that generates a secure cyclic subgroup \(\mathbb {G}\) with prime order q. Then we propose a \(\textsf{KDV}\) instantiation on the elliptic curve as follows:

\(\mathsf {KDV.Dpk}(pp)\rightarrow {(B,b,\mathcal {R})}\): It randomly chooses \(b\in {\mathbb {Z}_q}\) and calculates \(B=b\cdot {\mathcal {G}}\). Let \(\mathcal {R}:=\{(pk,sk)pk=sk\cdot \mathcal {G},sk\in {\mathbb {Z}_q}\}\). Then, it outputs \((B,b,\mathcal {R})\).

\(\mathsf {KDV.Dpk}(B,\mathcal {R})\rightarrow {\tilde{B}}\): It randomly chooses \(r\in {\mathbb {Z}_q}\) and outputs \(\tilde{B}:=r\cdot {B}\)

\(\mathsf {KDV.Dsk}(B,b,\mathcal {R})\rightarrow {\tilde{b}}\): It randomly chooses \(r\in {\mathbb {Z}_q}\) and outputs \(\tilde{b}:=r\cdot {b}\mod q\).

\(\mathsf {KDV.Chk}(pk,sk,\mathcal {R})\rightarrow {\tilde{b}}\): It checks whether \((pk,sk)\in \mathcal {R}\). If \((pk,sk)\in \mathcal {R}\), it outputs 1. Otherwise, outputs 0.
This \(\textsf{KDV}\) is relinkable since we can construct \(\textsf{Rel}\) as follow: It takes as input \(\tilde{B}\), and randomly chooses \(a\in {\mathbb {Z}_{q}}\). It calculates \(B'=a\cdot {\tilde{B}}\) and \(r'=a^{1}\), then outputs \((B',r')\).
A strong KSKDS instantiation on the lattice
We first propose a \(\textsf{CID}\) instantiation on the lattice using trapdoor generation algorithm \(\textsf{TrapGen}\) defined in Alwen and Peikert (2009), Boyen (2010) and preimage sample algorithm \(\textsf{SamplePre}\) proposed in Gentry et al. (2008):

\(\mathsf {CID.Gen}(pp).\) The algorithm runs \((\textbf{A},\mathbf {T_{A}})\leftarrow \textsf{TrapGen}({pp})\), then outputs the public key \(\textbf{A}\) and the secret key \(\mathbf {T_A}\).

\(\textsf {CID.P}_1(\textbf{A})\rightarrow {(com,\textsf{st})}\). \(\textsf {CID.P}_1\) randomly chooses \({\textbf {t}}\leftarrow \mathbb {Z}_q^n\), computes \({com}=\textbf{A} {\textbf {t}}\) and generates the state \(\textsf{st}\). It sends com to verifier \(\textsf {V}\).

\(\textsf {CID.V}_1(\textbf{A},com)\rightarrow {ch}\). On receiving \(com=\textbf{At}\) from \(\textsf {P}\), \(\textsf {CID.V}_1\) randomly chooses \(r\in {\mathbb {Z}_{q}}\) and \(\textbf{x}\in {\mathbb {Z}_q^n}\). Calculates \(\textbf{u}=\textbf{A}\textbf{x}\) and returns \(ch:=(r,\textbf{u})\).

\(\textsf {CID.P}_2(\textsf{st},\textbf{A},\mathbf {T_A},com,ch)\rightarrow {rsp}\). On receiving \(ch:=(r,\textbf{u})\), \(\textsf {CID.P}_2\) runs \(\mathbf {x'}\leftarrow \textsf{SamplePre}(\textbf{A}, \mathbf {T_A}, \textbf{u})\), and computes and returns \(rsp=\textbf{t}+r\mathbf {x'}\).

\(\textsf {CID.V}_2(\textbf{A},com,ch,rsp)\rightarrow {1/0}\). On receiving \(rsp=\textbf{t}+r\mathbf {x'}\), \(\textsf {CID.V}_2\) computes and checks \(com+r\cdot {\textbf{u}}=\textbf{A}\cdot {rsp}\). It accepts the proof when the check passes.
This \(\textsf{CID}\) is HVZK and IMPKOA secure, the full proof could be derived from Lyubashevsky (2012). We then instantiate the \(\textsf{PKE}\) in Algorithm 1 to LWEPKE, which is IND
CPA secure and IKCPA private (Regev 2009); and propose a relinkable and leakageresistant \(\textsf{KDV}\) inspired by the latticebased PDPKS scheme (Liu et al. 2020):

\(\mathsf {KDV.Gen}(pp)\rightarrow (\textbf{A},\mathbf {T_A},{{\mathcal {R}}})\): It runs \((\textbf{A},\mathbf {T_{A}})\leftarrow \textsf{TrapGen}({pp})\), then outputs the master public key \(\textbf{A}\), the master secret key \(\mathbf {T_A}\), and a relation \({{\mathcal {R}}}:=\{(pk,sk)pk\cdot {sk}=0\}\).

\(\mathsf {KDV.Dpk}(\textbf{A},{{\mathcal {R}}})\rightarrow {\textbf{F}}\): It randomly chooses \(\textbf{B}\in {\mathbb {Z}_{q}^{n\times {m}}}\) and \(\textbf{R}\in {\{1,1\}}^{m\times {m}}\) and calculates \(\textbf{F}=[\textbf{B}\mathbf {BR+A}]\). Returns \(\textbf{F}\).

\(\mathsf {KDV.Dsk}(\textbf{A},\mathbf {T_A},{{\mathcal {R}}})\rightarrow {\mathbf {T_F}}\): It randomly chooses \(\textbf{B}\in {\mathbb {Z}_{q}^{n\times {m}}}\) and \(\textbf{R}\in {\{1,1\}}^{m\times {m}}\) and calculates \(\mathbf {T_F}\leftarrow {\textsf{DeleRight}(\textbf{A},\mathbf {T_A},\textbf{B}, \textbf{R},\textsf{GP})}\). Returns \(\mathbf {T_F}\).

\(\mathsf {KDV.Chk}(\textbf{F}',\mathbf {T_F}',{{\mathcal {R}}})\rightarrow 0/1\): it returns 1 if \((\textbf{F}',\mathbf {T_F}')\in {{\mathcal {R}}}\), and returns 0 otherwise.
\(\textsf{DeleRight}\) is a trapdoor delegation algorithm defined by Liu et al. (2020). This \(\textsf{KDV}\) is relinkable and leakageresistant, we give the proof sketch in D.
The construction of (strong) key reusing key derivation scheme
In “The construction of (strong) key separation key derivable signature scheme” section we propose a framework to construct KSKDS. It is a dualkey framework that follows the key separation principle. We observe that the random oracles in our framework play a similar separation role. Therefore, in this section we revise the key generation part to obtain a key reusing KDS (KRKDS) framework as shown in Fig. 7.
A framework to construct (strong) KRKDS
We construct a KRKDS based on a canonical identification protocol \(\textsf{CID}\) and a public key encryption \(\textsf{PKE}\) sharing the same key generation algorithm \(\textsf{Gen}\), and a key derivation scheme \(\textsf{KDV}\).
Let the \(\textsf{CID}=(\textsf{Gen},\mathsf {CID.P},\mathsf {CID.V})\) is IMPKOA secure and HVZK, the \(\textsf{PKE}=(\textsf{Gen},\mathsf {PKE.Enc}, \mathsf {PKE.Dec})\) is INDCPA and IKCPA secure, and \(\textsf{KDV}=(\textsf{Gen},\mathsf {KDV.Dpk},\mathsf {KDV.Dsk},\mathsf {KDV.Chk})\) is a KDV scheme for \(\textsf{CID}\). Then we can construct a KRKDS by simply replacing \((epk,esk)=(spk,ssk)\rightarrow (pk,sk)\) in Algorithm 1. The \(\textsf{KeyGen}\) algorithm of the KRKDS scheme is as follows:

\(\textsf{KeyGen}(\textsf{GP})\rightarrow {(pk,sk)}\): It runs \(\textsf{Gen}(pp)\) to gets (pk, sk) and returns them.
We put the full algorithm in B for selfcompleteness.
Remark We remark that our KRKDS framework contains a combined signature and KEM scheme (CSK): let \(\textsf{SIG}=\textsf{FS}(\textsf{CID},H_1)=(\textsf{Gen},\textsf{Sign},\textsf{Verify})\), \(\textsf{KEM}=\textsf{FO}(\textsf{PKE},H)=(\textsf{Gen},\mathsf {KEM.Enc},\mathsf {KEM.Dec})\), then we obtain a CSK scheme \(\textsf{CSK}=(\textsf{Gen},\textsf{Sign},\textsf{Verify},\mathsf {KEM.Enc},\mathsf {KEM.Dec})\). This is a novel framework to construct CSK that is jointly secure. It has independent interests outside of stealth address, which we present further discussion in C.
Security Our KRKDS construction has EUF/UNL security when \(\textsf{KDV}\) is UNL secure, and SEUF/SUNL security when \(\textsf{KDV}\) is UNL and IND secure.
Theorem 5
Let \(\textsf{CID}\) be and IMPKOA secure CID protocol with HVZK. Let \(\textsf{PKE}\) be an INDCPA secure and IKCPA secure PKE scheme. Let \(\textsf{KDV}\) be a relinkable KDV scheme for \(\textsf{CID}\) and \(\textsf{PKE}\). Let G, H and \(H_1\) be random oracles. Then the KRKDS scheme is EUF and UNL secure in the random oracle model.
Proof
The proof is similar to Theorems 1 and 3. We put the proof sketch in E. \(\square\)
Theorem 6
Let \(\textsf{CID}\) be and IMPKOA secure CID protocol with HVZK. Let \(\textsf{PKE}\) be an INDCPA secure and IKCPA secure PKE scheme. Let \(\textsf{KDV}\) be a relinkable and leakageresistant KDV scheme for \(\textsf{CID}\) and \(\textsf{PKE}\). Let G, H and \(H_1\) be random oracles. Then the KRKDS scheme is SEUF and SUNL secure in the random oracle model.
Proof
The proof is similar to Theorems 2 and 4. We put the proof sketch in E. \(\square\)
Instantiation
We then improve the two KSKDS instantiations in “Instantiation” section to KRKDS schemes.
The KRKDS instantiation on the elliptic curve
We still use the Schnorr \(\textsf{CID}\), ECElgamal encryption and our elliptic curve \(\textsf{KDV}\) in “Instantiation” section to instantiate KRKDS, since their key pair have the same relation. It implies a Schnorrbased compact stealth address protocol that can be used in the singlekey cryptocurrency systems that support Schnorr signature such as Bitcoin (support from 2021.11), BCH and Polkadot Wuille et al. (2021). The full algorithm in shown follows:
Let \(pp=(E,\mathcal {G},q)\) be system parameters specifying a secure elliptic curve E with a generator point \(\mathcal {G}\) that generates a secure cyclic subgroup \(\mathbb {G}\) with prime order q. Then the CKDS scheme can be described as follows:

\(\textsf{KeyGen}(E,\mathcal {G},q)\rightarrow {((E,\mathcal {G},q,B),b)}\): It picks \(b\xleftarrow {\$}{\mathbb {Z}_{q}}\), calculates \(B={b}\cdot {\mathcal {G}}\mod p\) and lets \(pk:=(E,\mathcal {G},q,B)\) and \(sk:=(b,pk)\). Then, it returns (pk, sk).

\(\textsf{DpkDerive}(pk)\rightarrow {(c,(E,\mathcal {G},q,\tilde{B}))}\): It picks \(r\xleftarrow {\$}{\mathbb {Z}_{q}}\) and calculates \(c:=(c_1,c_2)\), where \(c_1=G(r)\cdot {\mathcal {G}}\) and \(c_2=rG(r)\cdot {B}\). Lets \(k=H(rc)\) and \(\tilde{B}:=k\cdot {B}\). Then, it returns \((c,\tilde{B})\).

\(\textsf{DpkCheck}(pk,sk,(c,\tilde{B}))\rightarrow {1/0}\): It calculates \(r=c_2/(b\cdot {c_1})\mod q\). If \(c_1=G(r)\cdot {\mathcal {G}}\), \(c_2=rG(r)\cdot {B}\) and \(\tilde{B}=H(rc)\cdot {B}\), returns 1. Otherwise 0.

\(\textsf{DskDerive}(pk,sk,(c,\tilde{B}))\rightarrow {dsk/\bot }\): If \(\textsf{DpkCheck}(pk,sk,(c,\tilde{B}))=1\), it calculates \(r=c_2/(b\cdot {c_1})\mod q\) and lets \(\tilde{b}=H(r,c)\cdot {b}\). Then, it returns \(dsk:=(\tilde{b},pk)\). Otherwise, it returns \(\bot\).

\(\textsf{Sign}(sk/dsk,m)\rightarrow {\sigma }\): It parse sk (or dsk) as \(b'\) and pk. It picks \(z\xleftarrow {\$}{\mathbb {Z}_{q}}\) and calculates \(com:=z\cdot {\mathcal {G}}\). Lets \(ch:=H_1(f(com_x)f(com_y)m)\) where \(com_{x/y}\) denotes the x/ycoordinate of com and \(f(\cdot )\) is a conversion function that converts a field element into a bitstring. It computes \(rsp:=z+hb'\mod q\) and returns (ch, rsp) unless \(rsp=0\) or \(ch=0\). In this latter case the whole procedure is repeated.

\(\textsf{Verify}((E,\mathcal {G},q,B'),m,\sigma )\rightarrow {1/0}\): If \(ch\ne {0}\) and \(rsp\in {\mathbb {Z}_{q}}\), it computes \(com'=rsp\cdot {\mathcal {G}}ch\cdot {B'}\) and \(ch'=H_1(f(com'_x)f(com'_y)m)\). If \(ch'=ch\), it returns 1. Otherwise, it returns 0.
Remark. Our solution is a framework that can have multiple instantiations, such as using ECIES instead of ECElgamal. ECIES satisfies the requirements set forth in “The construction of (strong) key reusing key derivation scheme” section and is jointly secure with Schnorr (Degabriele et al. 2012):
Lemma 1
(Degabriele et al. 2012) ECIESKEM and ECSchnorr are jointly secure in the random oracle model, if the gapDLP problem and gapDH problem are both hard.
The strong KRKDS instantiation on the lattice
Unlike the KRKDS implementation on the elliptic curve, we cannot use the same components as in the lattice instantiation in “Instantiation” section to construct the KRKDS scheme. This is because our \(\textsf{CID}\) and \(\textsf{KDV}\) use a lattice basis and its trapdoor as a public and secret key pair, while LWEPKE use a different relation. We then propose a trapdoor encryption algorithm instead of LWEPKE:
According to the parameters of learning with errors problem (LWE) and the chosen ciphertextsecure encryption scheme constructed by Micciancio and Peikert (2012), let \(\mathcal {D}:=D_{\mathbb {Z},\omega (\sqrt{logn})}^{\bar{m}\times {nk}}\), \(\textbf{G}\in {\mathbb {Z}_{q}^{n\times {nk}}}\) is a gadget matrix for large enough prime power \(q=p^{e}\) and \(k=O(logn)=O(logq)\). \(\textbf{A}^{\bot }\) denotes the transpose of \(\textbf{A}\). We give a PKE scheme \(\textsf{PKE}=(\mathsf {PKE.Gen},\mathsf {PKE.Enc},\mathsf {PKE.Dec})\) as follows:

\(\mathsf {PKE.Gen}(pp)\rightarrow {(\textbf{A},\mathbf {T_A})}\): it randomly chooses \(\mathbf {A_1}\in {\mathbb {Z}_q^{n\times {\bar{m}}}}\) and \(\textbf{R}\leftarrow {\mathcal {D}}\). Then lets \(\mathbf {A_2}=\mathbf {A_1R} \mod q\), \(\textbf{A}=[\mathbf {A_1}\mathbf {A_2}]\) and \(\mathbf {T_A}=[\textbf{R}^{\bot }\textbf{I}]^{\bot }\). Returns \((\textbf{A},\mathbf {T_A})\).

\(\mathsf {PKE.Enc}(\textbf{A}=[\mathbf {A_1}\mathbf {A_2}],\textbf{s})\rightarrow {c}\): it samples \(\mathbf {e_1}\leftarrow {D_{\mathbb {Z},\alpha {q}}^{\bar{m}}}\) and \(\mathbf {e_2}\leftarrow {D_{\mathbb {Z},\alpha {q}}^{nk}}\). And calculates \(c_1:=\textbf{s}\mathbf {A_1}+\mathbf {e_1}\) and \(c_1:=\textbf{s}\textbf{G}+\textbf{s}\mathbf {A_2}+\mathbf {e_2}\).

\(\mathsf {PKE.Dec}(\mathbf {T_A}=[\textbf{R}\textbf{I}],c=(c_1,c_2))\rightarrow {\textbf{s}/\bot }\): it calculates \(\textbf{sG}+\mathbf {e_1}\textbf{R}+\mathbf {e_2}=c_2+c_1\cdot {\textbf{R}}\) and \(\textbf{s}\leftarrow {\textbf{sG}+\mathbf {e_1}\textbf{R}+\mathbf {e_2}}\).
Conclusion
Stealth address protocol, a cryptographic technique widely used in blockchain systems, lacks formalized definition, theoretical analysis and frameworks. Additionally, there is no existing work that studies the key reuse in such a crypto primitive that contains both a derivation scheme and a signature scheme. In this paper, we fill all these gaps.
We proposed a key derivable signature scheme (KDS) to formalize the stealth address protocol, and propose frameworks and the first compact scheme by constructing a jointly secure and key private CSK. Our construction can not only effectively simplify the stealth address protocol and privacypreserving blockchain systems, but it also has the potential to be deployed into existing widely used cryptocurrency systems to provide privacy protection.
Notes
The \(\lambda\), which appears here and later in this paper, is a security parameter. It is determined by pp.
R is determined by \(\mathcal {R}\) and mpk.
Without loss of generality, we assume that (com, m) has not been queried.
Without loss of generality, we assume that (m, c) has not been queried.
References
Alwen J, Peikert C (2009) Generating shorter bases for hard random lattices. In: STACS. LIPIcs, vol 3, pp 75–86
Boyen X (2010) Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Proceedings of the 13th international conference on practice and theory in public key cryptography—PKC’10. LNCS 6056, pp 499–517
Chen Y, Tang Q, Wang Y (2021) Hierarchical integrated signature and encryption:(or: Key separation vs. key reuse: enjoy the best of both worlds). In: 27th international conference on theory and application of cryptology and information security, ASIACRYPT 2021. Springer Science and Business Media Deutschland GmbH, pp 514–543
Courtois NT, Mercer R (2017) Stealth address and key management techniques in blockchain systems. In: Proceedings of the 3rd international conference on information systems security and privacy—volume 1: ICISSP, pp 559–566
Cramer R, Shoup V (1998) A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
Degabriele JP, Lehmann A, Paterson KG, Smart NP, Strefler M (2012) On the joint security of encryption and signature in EMV. In: Cryptographers’ track at the RSA conference. Springer, pp 116–135
Feng C, Tan L, Xiao H, Yu K, Qi X, Wen Z, Jiang Y (2020) PDKSAP: perfected doublekey stealth address protocol without temporary key leakage in blockchain. In: 2020 IEEE/CIC international conference on communications in China (ICCC Workshops). IEEE, pp 151–155
Fuchsbauer G, Plouviez A, Seurin Y (2020) Blind Schnorr signatures and signed ElGamal encryption in the algebraic group model. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, pp 63–95
Gentry C, Peikert C, Vaikuntanathan V (2008) Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the fortieth annual ACM symposium on theory of computing, pp 197–206
Gilad Y, Hemo R, Micali S, Vlachos G, Zeldovich N (2017) Algorand: scaling byzantine agreements for cryptocurrencies. In: Proceedings of the 26th symposium on operating systems principles, pp 51–68
Haber S, Pinkas B (2001) Securely combining publickey cryptosystems. In: Proceedings of the 8th ACM conference on computer and communications security, pp 215–224
Liu Z, Nguyen K, Yang G, Wang H, Wong DS (2019a) A latticebased linkable ring signature supporting stealth addresses. In: European symposium on research in computer security. Springer, pp 726–746
Liu Z, Yang G, Wong DS, Nguyen K, Wang H (2019b) Keyinsulated and privacypreserving signature scheme with publicly derived public key. In: 2019 IEEE European symposium on security and privacy (EuroS &P). IEEE, pp 215–230
Liu W, Liu Z, Nguyen K, Yang G, Yu Y (2020) A latticebased keyinsulated and privacypreserving signature scheme with publicly derived public key. In: European symposium on research in computer security. Springer, pp 357–377
Lyubashevsky V (2012) Lattice signatures without trapdoors. In: EUROCRYPT. Lecture notes in computer science, vol 7237, pp 738–755
Micciancio D, Peikert C (2012) Trapdoors for lattices: simpler, tighter, faster, smaller. In: Advances in cryptology—EUROCRYPT’12. LNCS 7237. Springer, pp 700–718
Nakamoto S (2008) Bitcoin: a peertopeer electronic cash system. Consulted
Naor M, Reingold O (1997) Numbertheoretic constructions of efficient pseudorandom functions. In: 38th Annual symposium on foundations of computer science. Proceedings
Noether S, Mackenzie A (2016) Ring confidential transactions. Ledger 1:1–18
Paterson KG, Schuldt JC, Stam M, Thomson S (2011) On the joint security of encryption and signature, revisited. In: International conference on the theory and application of cryptology and information security. Springer, pp 161–178
Pointcheval D, Stern J (1996) Security proofs for signature schemes. In: EUROCRYPT 96, pp 387–398
Regev O (2009) On lattices, learning with errors, random linear codes, and cryptography. J ACM (JACM) 56(6):1–40
Saberhagen NV (2012) CryptoNote v 1.0
Saberhagen NV (2013) CryptoNote v 2.0
Sasson EB, Chiesa A, Garman C, Green M, Miers I, Tromer E, Virza M (2014) Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE symposium on security and privacy. IEEE, pp 459–474
Tsiounis Y, Yung M (1998) On the security of ElGamal based encryption
Vasco MIG, Hess F, Steinwandt R (2008) Combined (identitybased) public key schemes. IACR Cryptol. ePrint Arch. 2008:466
Wang X, Zhu C, Liu Z (2024) A universally composable linkable ring signature supporting stealth addresses. Mathematics 12(3):491
Wood G (2014) Ethereum: a secure decentralised generalised transaction ledger. Ethereum Proj Yellow Pap 151(2014):1–32
Wood G (2016) Polkadot: vision for a heterogeneous multichain framework. White Pap 21(2327):4662
Wuille P, Nick J, Ruffing T (2021) BIP 340: Schnorr signatures for secp256k1. https://github.com/bitcoin/bips/blob/master/bip0340.mediawiki
Yu G (2020) Blockchain stealth address schemes. IACR Cryptol. ePrint Arch. 2020:548
Zhu C, Wang X, Liu Z (2023) Universally composable keyinsulated and privacypreserving signature scheme with publicly derived public key. In: Inscrypt’23
Acknowledgements
We would like to thank the anonymous reviewers and editors for detailed comments and useful feedback. This work was supported by the National Key Research and Development Program of China (Grant No. 2022YFB2702701).
Funding
National Key Research and Development Program of China (Grant No. 2022YFB2702701).
Author information
Authors and Affiliations
Contributions
WRD, LZY and LXH completed the drafted manuscripts of the paper. ZZF and WKP participated in problem discussions. All authors read and approved the final manuscripts.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix A: Security models of PDPKS
Definition 13
(PDPKS Liu et al. 2019b) A PDPKS scheme with message space M consists of following algorithms:

\(\textsf{Setup}(1^\lambda )\rightarrow {\textsf{pp}}\). The setup algorithm takes the security parameters \(1^\lambda\) as input and outputs public parameters \(\textsf{pp}\).

\(\mathsf {KeyGen(pp)}\rightarrow (mpk, msk)\). The key generation algorithm takes the public parameters pp as input and outputs a master public key/secret key pair (mpk, msk).

\(\textsf{DpkDerive}(mpk)\rightarrow {dpk}\). The public key derivation algorithm takes a master public key mpk and outputs a derived public key dpk.

\(\textsf{DpkCheck}(mpk,msk,dpk)\rightarrow {0/1}\). The derived public key checking algorithm takes a master key pair (mpk, msk) and a derived public key dpk as input, and outputs a bit b, where \(b=1\) means that dpk is a derived key generated from mpk and \(b=0\) means not.

\(\textsf{DskDerive}(mpk,msk,dpk)\rightarrow dsk\). The secret key derivation algorithm takes a master key pair (mpk, msk) and a derived public key dpk as input, and outputs a derived secret key dsk.

\(\textsf{Sign}(sk, m)\rightarrow \sigma\). The signing algorithm takes a secret key sk (a derived secret key dsk) and a message \(m\in {M}\) as input, and outputs a signature \(\sigma\).

\(\textsf{Verify}(pk,m, \sigma )\rightarrow {0/1}\). The verification algorithm takes as a public key pk (a derived public key dpk), a message m and a signature \(\sigma\) as input, and outputs a bit b, where \(b=1\) means that the signature is valid and \(b=0\) means not.
Definition 14
(EUF Security of PDPKS Liu et al. 2019b) A PDPKS scheme \(\textsf{PDPKS}=\left( \textsf{Setup},\right.\) \(\left. \textsf{KeyGen},\textsf{DpkDerive},\textsf{DpkCheck},\textsf{DskDerive},\textsf{Sign},\textsf{Verify}\right. )\) is EUF secure, if there exists a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}_{\textsf{PDPKS},\mathcal {A}}^{\textsf{EUF}}(1^\lambda )\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage is defined as follows:
where the EUF game \(\textsf{G}^{\textsf{EUF}}_{\textsf{PDPKS},\mathcal {A}}(1^\lambda )\) is described as in Fig. 8.
Definition 15
(MPKUNL Security of PDPKS Liu et al. 2019b) A PDPKS scheme \(\textsf{PDPKS}=\left( \textsf{Setup},\textsf{KeyGen},\textsf{DpkDerive},\textsf{DpkCheck},\textsf{DskDerive},\textsf{Sign},\textsf{Verify}\right. )\) is MPKUNL secure, if there exists a negligible function \(negl(\cdot )\) such that the advantage \(\textsf{Adv}^{\mathsf {MPK{}UNL}}_{\textsf{PDPKS},\mathcal {A}}(1^\lambda )\le {negl(\lambda )}\) for any PPT adversary \(\mathcal {A}\). The advantage \(\textsf{Adv}^{\mathsf {MPK{}UNL}}_{\textsf{PDPKS},\mathcal {A}}(1^\lambda )\) is defined as follows:
where the UNL game \(\textsf{G}_{\textsf{PDPKS},\mathcal {A}}^{\mathsf {MPK{}UNL}}(1^\lambda )\) is described as in Fig. 9.
Appendix B: Key reusing key derivable signature
Appendix C: Combined signature and key encapsulation scheme
A combined signature and key encapsulation scheme (CSK) consists of the following PPT algorithms:

\(\mathsf {CSK.Gen}(pp)\rightarrow {(pk,sk)}\): The key generation algorithm takes the public parameters pp as input and outputs a pair of public/secret keys (pk, sk).

\(\mathsf {CSK.Enc}(pk)\rightarrow {(c,k)}\): The encapsulation algorithm takes a public key pk as input and outputs a ciphertext \(c\in {C}\) and a key \(k\in {K}\).

\(\mathsf {CSK.Dec}(sk,c)\rightarrow {k/\bot }\): The decapsulation algorithm takes a secret key sk and a ciphertext c as input, and outputs a key k or a rejection symbol \(\bot\).

\(\mathsf {CSK.Sig}(sk,m)\rightarrow {\sigma }\): The signing algorithm takes a secret key sk and a message m as input, and outputs a signature \(\sigma\).

\(\mathsf {CSK.Ver}(pk,m,\sigma )\rightarrow {0/1}\): The verification algorithm takes a public key pk, a message m and a signature \(\sigma\) as input, and outputs 1 or 0.
Appendix C.1: Security
We say that a CSK scheme is jointly secure if it is both INDCCA &CMA and EUFCMA &CCA secure. The INDCCA &CMA denotes indistinguishability of the KEM component under an adaptive chosen ciphertext attack in the presence of an additional signing oracle. The EUFCMA &CCA denotes existential unforgeability of the signature component under an adaptive chosen message attack in the presence of an additional decapsulation oracle (Paterson et al. 2011).
Appendix C.2: Keyprivacy of CSK
There is no explicit definition of keyprivacy of CSK has been proposed in prior work, we denote it by IKCCA &CMA property, capture the indistinguishability of keys under chosenciphertext attack in the presence of an additional signature oracle.
Appendix C.3: A framework to construct CSK
We construct a jointly secure and key private CSK from a canonical identification protocol \(\textsf{CID}\) with IMPKOA security and HVZK, and an encryption scheme \(\textsf{PKE}\) with INDCPA security and IKCPA privacy that shares the same key generation algorithm \(\textsf{KeyGen}\).
Let \(\textsf{CID}=(\mathsf {CID.Gen},\mathsf {CID.P},\mathsf {CID.V})\), \(\textsf{PKE}=(\mathsf {PKE.Gen},\mathsf {PKE.Enc}, \mathsf {PKE.Dec})\), then a CSK scheme \(\textsf{CSK}=(\mathsf {CSK.Gen},\mathsf {CSK.Enc},\mathsf {CSK.Dec},\mathsf {CSK.Sig},\mathsf {CSK.Ver})\) is constructed as Algorithm 3.
Claim 1
Let \(\textsf{CID}\) be an IMPPOA secure CID protocol with HVZK. Let \(\textsf{PKE}\) be an INDCPA and IKCPA secure PKE scheme. Let G, H, and \(H_1\) be random oracle. Then the CSK scheme \(\textsf{CSK}\) is INDCCA & CMA and IKCCA & CMA secure in the random oracle model.
Proof
Based on existing results, the KEM part of the CSK scheme is INDCCA and IKCCA secure in the random oracle model. Assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) breaking the INDCCA & CMA and IKCCA & CMA security of the KRKDS scheme. Then one can construct a PPT adversary \(\mathcal {B}\), breaking the INDCCA security of the KEM scheme. \(\mathcal {B}\) can simulate \(O_{Sig}\) with lazy sampling of \(O_{H_1}\) and the algorithm \(\textsf{Sim}\) in the Definition 3. Since the \(\textsf{CID}\) is HVZK, the simulation can only be distinguished by \(\mathcal {A}\) with negligible probability. Thus, we prove the Claim. \(\square\)
Claim 2
Let \(\textsf{CID}\) be an IMPPOA secure CID protocol with HVZK. Let \(\textsf{PKE}\) be a OWCPA secure PKE scheme. Let G, H, and \(H_1\) be random oracle. Then the CSK scheme \(\textsf{CSK}\) is EUF & CMA secure in the random oracle model.
Proof
Based on existing results, the SIG part of the CSK scheme is EUFCMA secure. Assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) breaking the EUF & CMA security of the KRKDS scheme. Then one can construct a PPT adversary \(\mathcal {B}\), breaking the EUFCMA security of the SIG scheme. \(\mathcal {B}\) can simulate \(O_{Dec}\) with lazy sampling of \(O_{G}\) and \(O_{h}\) in the Definition 3. Since the \(\textsf{PKE}\) is OWCPA secure, the simulation can only be distinguished by \(\mathcal {A}\) with negligible probability. Thus, we prove the Claim. \(\square\)
Appendix D: The KSKDS instantiation on the lattice
We prove our latticebased KDV is relinkable and leakageresistant based on the properties of algorithms \(\textsf{TrapGen}\), \(\textsf{DeleRight}\), and \(\textsf{DeleLeft}\) (Gentry et al. 2008).
For any \(dpk=\textbf{F}\), we construct the \(\textsf{Rel}\) algorithm as follow: it takes as input \(\textbf{F}=[\mathbf {F_1}\mathbf {F_2}]\), randomly chooses \(\textbf{R}\in {\{1,1\}}^{m\times {m}}\), lets \(\textbf{B}=\mathbf {F_1}\) and \(\textbf{A}=\mathbf {F_2}\textbf{BR}\), then returns \((\textbf{A},\textbf{B}\textbf{R})\). In addition, let \(\textsf{DeleRight}\) and \(\textsf{DeleLeft}\) are trapdoor delegation algorithms which are defined by Liu et al. (2020). We can construct a PPT algorithm \(\textsf{Alt}=(\mathsf {Alt_1}, \mathsf {Alt_2})\) as follows:

\(\mathsf {Alt_1}(pp,\textbf{A})\rightarrow {(\mathbf {BR}, \mathbf {T_B})}\): it takes as inputs the public parameters pp and a public key \(\textbf{A}\). It runs \((\textbf{B},\mathbf {T_B})\leftarrow {\textsf{TrapGen}(pp)}\) and randomly chooses \(\textbf{R}\in {\{1,1\}}^{m\times {m}}\). Then returns \((\mathbf {BR}, \mathbf {T_B})\).

\(\mathsf {Alt_2}(pp,\textbf{A}, \mathbf {BR}, \mathbf {T_B})\rightarrow {(\textbf{F},\mathbf {T_F})}\): it takes as input \((\mathbf {BR}, \mathbf {T_B})\) and calculates \(\textbf{F}=[\textbf{B}\textbf{BR}+\textbf{A}]\) and \(\mathbf {T_F}\leftarrow {\textsf{DeleLeft}(\textbf{B},\textbf{A},\mathbf {T_B},\textbf{BR}+\textbf{A},pp)}\) and returns \(\mathbf {T_{F}}\).
Appendix E: Proofs
Appendix E.1: Theorem.1
Case 1 According to the definitions of EUF and IMPKOA, we have
and
where \(q_{Sig}\) is the number of \(\mathcal {A}\) queries to \(O_{Sig}\). If \(\textsf{Verify}(mpk,m^*,\sigma ^*)=1\), \(ch'^*=H_1(com^*,m^*)\). Moreover,
Due to the randomness of \(O_{H_1}\),
where CH is the size of \(H_1\)’s range. Since \(O_{H_1}\) is simulated by \(\mathcal {B}\) as above,
where \(q_{H_1}\) is the number of \(\mathcal {A}\)’s queries to \(O_{H_1}\).
Combining these results, we have:
Case 2 According to the definitions of EUF and IMPKOA, we have
and
If \(pk^*=(c^*,dspk)\in {L_{Dpk}}\), there exists \((m^*c^*,k^*)\in {L_{H}}\) such that \(dpk^*=\mathsf {KDV.Dpk}(spk,\mathcal {R};k^*)\) and \(c^*:=\mathsf {PKE.Enc}(epk,m^*;G(m^*))\). Therefore,
In addition,
where \(q_{H}\) is the number of \(\mathcal {A}\)’s queries to \(O_{H}\) and \(q_{H_1}\) is the number of \(\mathcal {A}\)’s queries to \(O_{H_1}\).
Similar to the analysis in Case 1, we can get
Put these results together,
Appendix E.2: Theorem.2
Proof
Assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) breaking the SEUF security of the KSKDS scheme. Then one can construct a PPT adversary \(\mathcal {B}\) (or \(\mathcal {C}\)), breaking the IMPKOA security of the \(\textsf{CID}\) scheme, in the same way as Theorem 1 except that \(O_{H}\) and \(O_{Dsk}\) are simulated as follows:

\(O_{H}(m,c)\):

For each \(\mathcal {A}\)’s query (m, c) to \(O_{H}\), if \(c=\mathsf {PKE.Enc}(epk,m;G(m))\), \(\mathcal {B}\) runs \((k,aux)\leftarrow \mathsf {Alt_1}(spk,\mathcal {R})\) and \((sdpk,dsk)=\mathsf {Alt_2}(spk,\mathcal {R},k,aux)\). Let \(dpk:=(c,sdpk)\), \(L_{H}=L_H\cup \{(mc,k)\}\) and \(L_{Dsk'}=L_{Dsk'}\cup \{(dpk,dsk)\}\), where \(L_{Dsk'}\) is initialized as a empty set at beginning. If \(c\ne \mathsf {PKE.Enc}(epk,m;G(m))\) and there exists \((mc,k)\in {L_{H}}\), it returns k. Otherwise, it randomly picks k and sets \(L_{H}=L_H\cup \{(mc,k)\}\). Then, it returns k

\(\mathcal {C}\) picks \(i^*\xleftarrow {\$}{[1,q_H]}\). For each \(\mathcal {A}\)’s ith (\(i\ne {i^*}\)) query (m, c) to \(O_{H}\), \(\mathcal {C}\) simulates \(O_{H}\) like \(\mathcal {B}\). If \(i=i^*\), \(O_{H}\) is simulated by \(\mathcal {C}\) in the same way as in the previous proof of Theorem 1.


\(O_{Dsk}(dpk)\): For each query dpk, if \(dpk=(c,sdpk)\in {L_{Dpk}}\), \(\mathcal {B}\)/\(\mathcal {C}\) checks the query list \(L_H\). If there exists \((mc,k)\in {L_{H}}\) such that \(c=\mathsf {PKE.Enc}(pk,m;G(m))\) and \(sdpk=\mathsf {KDV.Dpk}(spk,\mathcal {R};k)\), it finds \((sdpk,dsk)\in {L_{Dsk'}}\) and lets \(L_{Dsk}=L_{Dsk}\cup \{dsk\}\), where \(L_{Dsk}\) is initialized as \(\emptyset\). It returns dsk. Otherwise, it returns \(\bot\).
In the above simulation, \(\mathcal {B}\) and \(\mathcal {C}\) use the algorithm \(\textsf{Alt}\) to generate valid derived key pairs in advance. Thus, they can simulates \(O_{Dsk}\) without using ssk. According to the leakageresistance of \(\textsf{KDV}\), the simulation of \(O_{Dsk}\) can be distinguished by the adversary \(\mathcal {A}\) with negligible probability. Then, similar to the analysis in the previous proof of Theorem 1, we can demonstrate the the KSKDS scheme is SEUF security in the random oracle model. \(\square\)
Appendix E.3: Theorem.3
Proof
Assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) that breaks the UNL security of the KSKDS scheme. We can construct a PPT adversary \(\mathcal {B}\), breaking the IKCPA security of the \(\textsf{PKE}\) scheme, as follows:

Setup Phase The IKCPA challenger generates \((epk_0,esk_0)\leftarrow {\mathsf {PKE.Gen}(pp)}\) and \((epk_1,esk_1)\leftarrow {\mathsf {PKE.Gen}(pp)}\). \(\mathcal {B}\) receives \((epk_0,epk_1)\) and public parameters pp. \(\mathcal {B}\) extracts a deterministic polynomialtime verifiable relation \(\mathcal {R}:=\{(pk,sk)(pk,sk)\leftarrow \mathsf {CID.Gen}{(pp)}\}\) and calculates a derived key pair \((sdpk^*,sdsk^*)\). It runs \(\textsf{Rel}(sdpk^*,\mathcal {R})\) to generate \((spk_0,k_0^*)\) and \((spk_1,k_1^*)\), where \(spk_0\ne {spk_1}\). Let \(mpk_0=spk_0epk_0\mathcal {R}\), \(mpk_1=spk_1epk_1\mathcal {R}\). It sends \(mpk_0\) and \(mpk_1\) to \(\mathcal {A}\). The query lists \(L_{H}\),\(L_{G}\),\(L_{H_1}\),\(L_{Dpk,i}\) and \(L_{Sig,i}\) are initialized as empty sets, where \(i\in \{0,1\}\).

Challenge Phase The challenger picks \(b\xleftarrow {\$}\{0,1\}\) and \(\mathcal {B}\) randomly chooses \(m^*\in {M}\).The challenge ciphertext \(c^*\leftarrow \mathsf {PKE.Enc}(epk_b,m^*)\) is sent to \(\mathcal {B}\). Let \(dpk^*:=(c^*,sdpk^*)\). \(\mathcal {B}\) sends \(dpk^*\) to \(\mathcal {A}\).

Query Phase \(O_{G}\), \(O_{H}\), \(O_{H_1}\) \(O_{Dpk}\) and \(O_{Sig}\) are simulated as follows:

\(O_{G}(m)\): For each \(\mathcal {A}\)’s query m to \(O_G\), if there exist \((m,r)\in {L_G}\), it returns r. Otherwise, it randomly picks r and sets \({L_G}={L_G}\cup \{(m,r)\}\); then, returns r.

\(O_{H}(m,c)\): For each \(\mathcal {A}\)’s query (m, c) to \(O_H\), if there exist \((mc,k)\in {L_H}\), it returns k. Otherwise, it randomly picks k and sets \({L_H}={L_H}\cup \{(mc,k)\}\); then, returns r.

\(O_{H_1}(com,m)\): For each \(\mathcal {A}\)’s query (com, m) to \(O_{H_1}\), if there exist \(\left( comm,\right.\) \(\left. ch\right) \in {L_H}\), it returns ch. Otherwise, it randomly picks ch and sets \({L_{H_1}}={L_{H_1}}\cup \{(com,m)\}\); then, returns ch.

\(O_{Dpk}(dpk\ne {dpk^*},i)\): \(\mathcal {B}\) parse dpk as c and sdpk. If there exists \((mc,k)\in {L_H}\) such that \(\mathsf {PKE.Enc}(epk_i,m;G(m))=c\) and \(\mathsf {KDV.Dpk}(spk_i,\mathcal {R};k)=dpk\), it sets \(L_{Dpk,i}:=L_{Dpk}\cup \{dpk\}\) and returns 1. Otherwise, return 0.

\(O_{Sig} (pk,m,i)\): If \(pk=(c,sdpk)\in {L _{Dpk,i}}\) or \(pk=mpk_i\), \(\mathcal {B}\) keeps running \((com,ch,rsp)\leftarrow \textsf{Sim}(sdpk_i)\) or \((com,ch,rsp)\leftarrow \textsf{Sim}(spk_i)\) respectively until there does not exist \(com'\ne {com}\) and \(ch'\ne {ch}\) such that \((com'm,ch)\in {L_{H_1}}\) and \((comm,ch')\in {L_{H_1}}\). It returns \(\sigma :=(com,ch,rsp)\) and lets \(L_{H_1}=L_{H_1}\cup \{(comm,ch)\}\) and \(L_{Sig}=L_{Sig,i}\cup \{(pk,m)\}\). Otherwise, it returns \(\bot\).


Output Phase. When \(\mathcal {A}\) outputs a bit \(b'\), \(\mathcal {B}\) outputs \(b'\).
Due to the relinkability of \(\textsf{KDV}\), \(spk_i\) and spk can be distinguished by \(\mathcal {A}\) with probability at most \(\textsf{Adv}_{\textsf{CID},\mathcal {A}}^{\textsf{RLink}}(pp)\), where \((spk,ssk)\leftarrow {\mathsf {CID.Gen}(pp)}\). The simulation in Challenge Phase is perfect if \(\mathcal {A}\) does not query \(m^*\) to \(O_G\) and \(m^*c^*\) to \(O_{H}\). We define that \(\mathcal {A}\) query \(m^*\) to \(O_G\) or \(m^*c^*\) to \(O_{H}\) as the event \(\textsf{Event}\). Then we can construct a PPT adversary \(\mathcal {C}\) attacking OWCPA security of \(\textsf{PKE}\) such that
where \(q_H\) is the number of \(\mathcal {A}\)’s queries to \(O_{H}\) and \(q_G\) is the number of queries to \(O_{G}\). Using the same proof strategy for Theorem 1, we can get
where \(q_{Sig}\) is the number of \(\mathcal {A}\)’s queries to \(O_{Sig}\). \(\square\)
Appendix E.4: Theorem.4
Proof
Assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) breaking the SUNL security of the KSKDS scheme. Then one can construct a PPT adversary \(\mathcal {B}\), breaking the IKCPA security of the \(\textsf{CID}\) scheme, in the same way as Theorem 3 except that \(O_{H}\) and \(O_{Dsk}\) are simulated as follows:

\(O_{H}(m,c)\): For each \(\mathcal {A}\)’s query (m, c) to \(O_{H}\), if \(c=\mathsf {PKE.Enc}(epk_i,m;G(m))\), \(\mathcal {B}\) runs \((k,aux)\leftarrow \mathsf {Alt_1}(spk_i,\mathcal {R})\) and \((sdpk,dsk)=\mathsf {Alt_2}(spk_i,\mathcal {R},k,aux)\). Let \(dpk:=(c,sdpk)\), \(L_{H}=L_H\cup \{(mc,k)\}\) and \(L_{Dsk',i}=L_{Dsk',i}\cup \{(dpk,dsk)\}\), where \(L_{Dsk',i}\) (\(i\in \{0,1\}\)) is initialized as a empty set at beginning.

\(O_{Dsk}(dpk,i)\): For each query (dpk, i), if \(dpk=(c,sdpk)\in {L_{Dpk,i}}\), \(\mathcal {B}\) checks the query list \(L_H\). If there exists \((mc,k)\in {L_{H}}\) such that \(c=\mathsf {PKE.Enc}(epk_i,m;G(m))\) and \(sdpk=\mathsf {KDV.Dpk}(spk_i,\mathcal {R};k)\), it finds \((sdpk,dsk)\in {L_{Dsk',i}}\) and lets \(L_{Dsk,i}=L_{Dsk,i}\cup \{dsk\}\), where \(L_{Dsk,i}\) is initialized as \(\emptyset\). It returns dsk. Otherwise, it returns \(\bot\).
In the above simulation, \(\mathcal {B}\) uses the algorithm \(\textsf{Alt}\) to generate valid derived key pairs in advance. Thus, it can simulates \(O_{Dsk,i}\) without using \(ssk_i\). Then, similar to the analysis in the previous proofs of Theorems 2 and 3, we can demonstrate the the KSKDS scheme is SUNL in the random oracle model. \(\square\)
Appendix E.5: Theorem.5
Proof
Sketch: assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) breaking the (S)EUF security of the KRKDS scheme. Then one can construct a PPT adversary \(\mathcal {B}\) or \(\mathcal {C}\), breaking the IMPKOA security of the CID scheme. The simulations of oracles are similar to the proof of Theorem 1 (Theorem 2). Additionally, \(O_{G}\) and \(O_{H}\) both are simulated by lazy sampling because \(\mathcal {B}\) does not have the secret key of \(\textsf{PKE}\). \(\mathcal {B}\) also simulates \(O_{Dpk}\) in the same way as in the proof of Theorem 3. Thus, it simulates \(O_{Dpk}\) without using the secret key of \(\textsf{PKE}\). Since G, H and \(H_1\) are different random oracles, these simulations can only be distinguished with negligible probability by \(\mathcal {A}\) even in the case of key reusing. Thus, we can demonstrate the KRKDS scheme is (S)EUF secure in the random oracle model. \(\square\)
Appendix E.6: Theorem.6
Proof
Sketch: assume toward contradiction that there exists a PPT adversary \(\mathcal {A}\) breaking the (S)UNL security of the KRKDS scheme. Then one can construct a PPT adversary \(\mathcal {B}\) or \(\mathcal {C}\), breaking the IKCPA security of the PKE scheme. The simulations of oracles are similar to the proof of Theorem 3 (Theorem 4). Since G, H and \(H_1\) are different random oracles, these simulations can only be distinguished with negligible probability by \(\mathcal {A}\) even in the case of key reusing. Thus, we can demonstrate the KRKDS scheme is (S)UNL secure in the random oracle model. \(\square\)
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Wang, R., Li, Z., Lu, X. et al. Key derivable signature and its application in blockchain stealth address. Cybersecurity 7, 43 (2024). https://doi.org/10.1186/s4240002400231x
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s4240002400231x