Key derivable signature and its application in blockchain stealth address

Stealth address protocol (SAP) is widely used in blockchain to achieve anonymity. In this paper, we formalize a key derivable signature scheme (KDS) to capture the functionality and security requirements of SAP. We then propose a framework to construct key separation KDS, which follows the key separation principle as all existing SAP solutions to avoid the reuse of the master keys in the derivation and signature component. We also study the joint security in KDS and construct a key reusing KDS framework, which implies the first compact stealth address protocol using a single key pair. Finally, we provide instantiations based on the elliptic curve (widely used in cryptocurrencies) and on the lattice (with quantum resistance), respectively.


Introduction
Modern blockchain is a distributed ledger that allows transactions among different users.Typically, the ledger is in the form of a key-value storage, where the key is the user's address; and the value is the balance of this address.For engineering simplicity, the address is usually a public, efficient encoding of a group element over a certain elliptic curve.This group element is also used as a public key.To spend from this address, one simply needs to provide a digital signature and post the transaction to the blockchain.This method has been used by main cryptocurrency platforms (Nakamoto 2008;Wood 2014;Sasson et al. 2014;Wood 2016;Gilad et al. 2017).
A main drawback of the above design is the lack of privacy, i.e., everyone can figure out the transactions.Stealth address protocol (SAP), adopted by Monero, Bytecoin and Samourai Wallet (Saberhagen 2012;Noether and Mackenzie 2016), is a common cryptographic approach to hide the identity of the receiver.To date, those platforms have a combined market cap of 3.1 billion US dollars.In a nutshell, a stealth address can be seen as a derived public key from the user's master public key.In a Monero-like protocol, for an address bG , where b is a field element and G is the group generator, its stealth address is in the form of (r + b)G , where r is randomly chosen by the sender and shared with the receiver via key exchange scheme.Early designs adopted this idea and modified the protocol when suffering from security risks (Saberhagen 2012(Saberhagen , 2013;;Noether and Mackenzie 2016;Courtois and Mercer 2017), which lacks a formalized algorithm definition, and a security model including security/privacy requirements and capturing adversary capabilities.
In 2019, Liu et al. made the first attempt to define a crypiographic tool to formalize SAP named publicly derived public key scheme (PDPKS), and proposed an instantiation based on pairing friendly curve (Liu et al. 2019b).However, the definition in PDPKS does not allow for signing with user's master keys.This may create a discrepancy with the widespread application of SAP.When deploying SAP in a widely-used blockchain, there are already numerous transactions in the system that have been signed by users' master keys.These transactions are publicly accessible and permanently recorded on the blockchain.Therefore, it is important for the SAP to have a well-defined approach to handling master key signatures and related security measures to ensure the continued safety and privacy of the system.In addition, the security model of PDPKS allows the adversary to corrupt the derived secret keys, which imposes a strong security requirement that is rarely targeted in subsequent stealth address protocols (Feng et al. 2020;Yu 2020).There is still a lack of cryptographic formalization that should match the SAP usage in blockchain, and a security model capturing the basic security requirements of Monero-like SAPs and the stronger security proposed in PDPKS, respectively.
On the other side, current SAPs and PDPKS are all dual-key schemes, that is, a scan key pair to share and check the stealth address, and a spend key pair to sign and verify transactions.This design is for security concern, especially using the principle of key separation (i.e., independence of keys, which is essential in cryptography) to avoid the reuse of the master key pair.However, key reusing is also possible with well-defined security.It implies a compact SAP using single key pair for simpler systems and broader application scenarios.We can deploy such a compact SAP into popular single-key cryptocurrency systems, especially Bitcoin.There is still a lack of such design after 10 years of SAP deployment.
In addition, current constructions of SAP and PDPKS are built on concrete assumptions.For example, Monero-like protocols use the discrete logarithm problem on the elliptic curve and the latest PDPKS construction (Liu et al. 2020) exploits the trapdoor function on the lattice.It is desirable to design a framework based on crypto primitives that captures multiple instantiations according to the application.Thus, the motivation of this paper is to revise a better formal definition to abstract SAP, propose framework constructions, and support key reusing for compact schemes.

Our results
This paper analyzes the main existing stealth address protocols and the concept of publicly derived public key scheme.We improve this cryptographic tool into the key derivable signature scheme (KDS), and propose general frameworks and instantiations.Specifically, our contributions can be summarized as follow:

KDS Scheme and Security Model.
We first introduce and formalize a KDS scheme and its security model to capture the functionality and security requirements of SAP.Compared to the similar concept PDPKS, KDS allows signing with master keys, which can better match SAP application scenarios on the blockchain; secondly, we revise the existential unforgeable (EUF) and public key unlinkable (UNL) security proposed in PDPKS accordingly, to allow the adversary to access the signing oracle via the master key and win the game by forging a master key signature.We enforce the basic security EUF/UNL of KDS to its strong version strong-EUF/strong-UNL (SUNF/SUNL), by considering the derived secret key leakage.

KDS Frameworks and Instantiations.
We give two KDS frameworks.To achieves this, two barriers should be addressed: the first one is the lack of a cryptographic primitive to capture the key derivation; the second one is the key reuse problem in KDS.To address the first issue, we define a key derivation scheme (KDV), as well as its re-linkability and leakage-resistance.Re-linkability of KDV requires that the derived public key does not leak information about master public key, whereas leakage-resistance is a stronger security and requires that the derived secret key does not leak information about the master secret key.We then overcome the second problem with two design approaches: • Key Separation KDS (KS-KDS) Framework The first approach is a KS-KDS following key separation principle.Our framework is based on a KDV, a public key encryption (PKE), and a canonical identification protocol (CID).Specifically, we use the KDV to extract the derived key pair from user's master key pair, use Fujisaki-Okamoto transformation on PKE to get a KEM to share and check the stealth addresses, and use Fiat-Shamir transformation on CID to construct a signature scheme to sign and verify transactions.An EUF and UNL secure KS-KDS requires that the KDV is re-linkable, the PKE is indistinguishable under chosen-plaintext attack (IND-CPA) and indistinguishable of keys under chosen-plaintext attack (IK-CPA); and the CID should be secure against impersonation under key-only attack (IMP-KOA) and honest-verifier zero-knowledge (HVZK).Further, if the KDV also satisfies leakage-resistance, then we can obtain a strong KS-KDS satisfying SEUF and SUNL security.We give a KS-KDS instantiation on the elliptic curve, and a strong KS-KDS instantiation on the lattice.

• Key Reusing KDS (KR-KDS) Framework
To enable a KR-KDS, where a single master key pair is reused for both key derivation and signature, we resort to the techniques of joint security (Haber and Pinkas 2001).We construct a jointly secure and key private combined signature and key encapsulation mechanism (CSK) using CID, PKE and random oracles (RO).This construction follows an observation that the RO plays a similar role to key separation in our KS-KDS framework.We then construct a (strong) KR-KDS by combining such a CSK scheme with a re-linkable (and leakage-resistant) KDV scheme.To illustrate the effectiveness of our result, we give the first compact stealth address protocol instantiation which can be deployed in widely used cryptocurrencies such as Bitcoin to provide privacy protection.
The comparison between our work and other SAP solutions is shown in Table 1.

Related work
There has been a lot of recent work based on Monero-like stealth address.For example, Yu (2020) proposed a solution allowing for multiple addresses within one wallet, Liu et al. (2019a) proposed a lattice-based linkable ring signature scheme with stealth address, and Wang et al. (2024) proposed a universally composable (UC) linkable ring signature supporting stealth address.Motivated by these works, we present a formalized KDS definition and a security model to capture the essence of stealth address.
Another line of research on stealth address is based on publicly derived public key schemes (PDPKS), which is designed to maintain security even when derived keys have been corrupted.Liu's team first proposed this definition (Liu et al. 2019b), and later extended it to latticebased (Liu et al. 2020) and UC (Zhu et al. 2023) settings.However, they do not consider the key-reusing property, which is essential to achieve a compact stealth address protocol that can be deployed into most blockchains, not just specially designed systems such as Monero.We revised their model and discuss the joint security in blockchain stealth address.
Joint security ensures the security of the cryptographic tools in the case of key reusing, and can significantly simplify the system and reduce storage in engineering implementations.Haber and Pinkas (2001) introduced the concept of the jointly secure combined public key scheme in 2001, which combines a signature scheme and an encryption scheme using the same key pair.Prior works mainly focus on combined signature and encryption schemes, such as ElGamal-based signature and encryption (Vasco et al. 2008), Schnorr andECIES (Degabriele et al. 2012), and blind Schnorr signature and Schnorr-signed ElGamal encryption (Fuchsbauer et al. 2020).Adding a derivation algorithm based on such a combined scheme may lead to novel application scenarios, such as our key derivable signature.Chen et al. (2021) proposed a hierarchical integrated signature and encryption (HISE) scheme, in which the encryption component used a derived key pair from the signature key pair.

Paper organization
This paper is organized as follows: "Preliminaries" section reviews the crypto primitives; "Key derivable signature scheme" section presents our key derivable signature scheme (KDS) definition and security model, and compares it with prior works; "The construction of (strong) key separation key derivable signature scheme" section describes our key derivation scheme (KDV) definition and the framework to construct (strong) KS-KDS; "The construction of (strong) key reusing key derivation scheme" section improves this framework to construct KR-KDS; "Conclusion" section concludes the paper.

Canonical identification protocol (CID)
Definition 1 (Canonical Identification Protocol) A canonical identification (CID) protocol with commitment space COM, challenge space CH, and response space RSP consists of a triple of PPT algorithms (CID.Gen, CID.P = (P 1 , P 2 ), Table 1 The comparison between our work and other SAP solutions Here, Sign msk means the construction contains a master key signature algorithm.Framework means the construction is based on crypto primitives rather than concrete assumptions.Compact means the construction is key reusing rather than key separation

SAP
The verifier is a two-stage algo- rithm that takes a public key pk as input.V 1 takes the public key pk as input, chooses a random challenge ch $ ← − CH and sends it to the prover.V 2 takes the public key pk and the conversation transcript (com, ch, rsp) as input and outputs a deterministic decision, 1 (acceptance) or 0 (rejection).
We denote the conversation transcript (com, ch, rsp) as P(sk) ↔ V(pk) .Here, (pk, sk) represents the (pub- lic key, secret key) pair generated by CID.Gen(pp) , and (com, ch, rsp) := P(sk) ↔ V(pk) denotes the information exchanged between CID.P and CID.V throughout the CID protocol interaction under (pk, sk).Security against impersonation under key-only attacks (IMP-KOA) serves as a basic security for CID.It guarantees that adversaries cannot impersonate the prover to deceive an honest verifier without having access to the secret key.Honest-verifier zero-knowledge (HVZK) is a formalization of the property where adversaries do not gain any additional knowledge from honest interactions.
Definition 3 (HVZK) A CID protocol is HVZK if there exists a PPT algorithm Sim and a negligible function negl(•) such that the advantage Adv HVZK CID,A (pp) ≤ negl( ) for any PPT adversary A .The advantage Adv HVZK CID,A (pp) is defined as follows:

Key privacy of public key encryption
The key privacy of a public key encryption scheme is effectively captured by the property known as "indistinguishability of keys under chosen-plaintext attack" (IK-CPA).It ensures that adversaries, under a chosenplaintext attack, are unable to distinguish ciphertexts generated by different encryption keys.where the IK-CPA game G IK−CPA PKE,A (pp) is described as Fig. 2.

Algorithm definition
In this section, we introduce the key derivable signature (KDS).This scheme enables the generation of derived key pairs from the master key pair.Our formal definition of KDS is as follows: Definition 5 (Key Derivable Signature) A KDS scheme with message space M consists of following algorithms: • KeyGen(pp) → (mpk, msk) .The key generation algorithm takes the public parameters pp as input and outputs a master public key/secret key pair (mpk, msk).• DpkDerive(mpk) → dpk .The public key derivation algorithm takes a master public key mpk and outputs a derived public key dpk.• DpkCheck(mpk, msk, dpk) → 0/1 .The derived public key checking algorithm takes a master key pair (mpk, msk) and a derived public key dpk as input, and outputs a bit b, where b = 1 means that dpk is a derived key generated from mpk and b = 0 means not.• DskDerive(mpk, msk, dpk) → dsk .
The secret key derivation algorithm takes a master key pair (mpk, msk) and a derived public key dpk as input, and outputs a derived secret key dsk.
• Sign(sk, m) → σ .The signing algorithm takes a secret key sk (a master secret key msk or a derived secret key dsk) and a message m ∈ M as input, and outputs a signature σ. • Verify(pk, m, σ ) → 0/1 .The verification algorithm takes as a public key pk (a master public key mpk or a derived public key dpk), a message m and a signature σ as input, and outputs a bit b, where b = 1 means that the signature is valid and b = 0 means not.
Additionally, the above algorithms must satisfy the following correctness properties: • For any (mpk, msk) ← KeyGen(pp) , there exists a negligible function negl(•) such that • For any (mpk, msk) ← KeyGen(pp) and m ∈ M , there exists a negligible function negl(•) such that • For (mpk, msk) ← KeyGen(pp) and m ∈ M , KDS is a revised definition of PDPKS, the security model of PDPKS is detailed in A. The major difference is that we consider a master key/derived key signature algorithm, while PDPKS only allows signing with derived keys.This change is motivated by practical considerations.In most existing blockchain systems, except for those specifically designed for stealth address schemes (such as Monero), there is no definition or transaction procedure related to derived keys.Transactions are signed using master keys, recorded on-chain, and publicly accessible.When deploying stealth address on such blockchains, it is necessary to have a well-defined approach to handling master key signatures and related security measures to ensure the safety and privacy of the system.According to our KDS definition, the stealth address protocol can be deployed as a plug-in.It effectively protects the identity privacy while allowing users to still utilize master key signatures without affecting  For a sender Alice (A), who wants to send a transaction to a receiver Bob (B), A first runs DpkDerive(mpk B ) → dpk B to derive a stealth address for B, where mpk B is B's mas- ter public key.Then A runs Sign(sk A , m A ) → σ A to send a transaction, where sk A can be either A's mas- ter secret key or derived secret key, and m A records the information such as the amount and receiver address dpk B .To receive the transaction, B actively monitors the blocks and runs DpkCheck(mpk B , msk B , dpk ′ ) → 0/1 to check all potential dpk ′ , until finding his derived address dpk B and the corresponding transac- tion.Then he validates the transaction by using

Security model
In this section, we provide a formal security model to capture the security and privacy requirements of KDS.We need to consider two cases motivated by the security risks of cryptocurrencies: 1.The adversary should not be able to forge the receiver's master/derived key signatures to steal their balance.2. The adversary should not be able to trace the receiver's permanent address from the derived address.
Security We provide basic security properties: existential unforgeability (EUF) and public key unlinkability (UNL), as well as the stronger security properties: strong existential unforgeability (SEUF) and strong public key unlinkability (SUNL) of KDS, by distinguishing the adversary's capabilities.The EUF security property states that an adversary, with access to the signature algorithm and derived public key checking algorithm, cannot produce a valid forgery.A more detailed definition is as follows: Definition 6 (EUF Security) A KDS scheme KDS = (KeyGen, DpkDerive, DpkCheck, DskDerive, Sign, Verify) is EUF secure, if there exists a negligible function negl(•) such that the advantage Adv EUF KDS,A (pp) ≤ negl( ) for any PPT adversary A .The advantage is defined as follows: where the EUF game G EUF KDS,A (pp) is described as in Fig. 3.
The UNL security states that an adversary, even with access to the signature algorithm and derived public key checking algorithm, cannot distinguish which of two master public keys was used to derive a specific derived public key.A more detailed definition is as follows: Definition 7 (UNL Security) A KDS scheme KDS = (KeyGen, DpkDerive, DpkCheck, DskDerive, Sign, Verify) is UNL secure, if there exists a neg- ligible function negl(•) such that the advantage Adv UNL KDS,A (pp) ≤ negl( ) for any PPT adversary A .The advantage Adv UNL KDS,A (pp) is defined as follows: where the SUNL game G UNL KDS,A (pp) is described as in Fig. 4.
There are several differences between our security model and PDPKS's.First, we allow the adversary to access O Sig with the master key and win the game by forging the master key signatures.This modification captures the fact that an adversary can request transactions or look up transactions signed by a user with his master key from the blockchain ledger, and steal the balance in the user's permanent address by forging his master key signature.Second, we define security as the basic security (EUF/UNL) and the strong security (SEUF/SUNL) by dividing adversary capabilities.In the basic security, we limit the adversary can only access O Dpk and O Sig , as considered in most SAP works.In the strong security, the adversary has an additional access to O Dsk , which cap- tures the assumption that user leaks his derived secret key, as PDPKS considered.
The construction of (strong) key separation key derivable signature scheme In this section, we define a key derivation scheme (KDV) to extract derived keys from a master key pair, and propose a framework to construct (strong) key separation KDS (KS-KDS) as illustrated in Fig. 5.
Security.We define the re-linkability and leak-resistance for KDV.Re-linkability states that a derived public key dpk := KDV.Dpk(mpk, R; r) can be relinked to mpk ′ � = mpk .It ensures that dpk does reveal any infor- mation about the master public key mpk.Leak-resistance states that derived public/secret key pairs (dpk, dsk) do not reveal any information about the master secret key msk.

A framework to construct (strong) KS-KDS
We propose a KS-KDS framework that is based on a canonical identification protocol CID , a public key encryption PKE , and a key derivation scheme KDV.
Let CID = (CID.Gen, CID.P, CID.V) be a CID protocol and KDV = (KDV.Gen, KDV.Dpk, KDV.Dsk, KDV.Chk) be a KDV scheme for CID .Let PKE = (PKE.Gen, PKE.Enc, PKE.Dec) be a PKE scheme.We compose them to construct a KS-KDS as shown in Algorithm 1.We use Fiat-Shamir transformation (FS) on CID to get a signa- ture scheme, use Fujisaki-Okamoto transformation (FO) on PKE to get a KEM.This KEM scheme is used to gener- ated the k which is the randomness used to generated the derivable key pair.G, H and H 1 are random oracles.

Algorithm 1 Key Separation Key Derivation Signature Scheme
Remark.Note that constructing KS-KDS using SIG, KEM, and KDV is also feasible.However, our approach prefers to build upon more fundamental cryptographic primitives, and this method is particularly useful for designing the KR-KDS algorithm in "The construction of (strong) key reusing key derivation scheme" section.
Security.We then discuss the security of the above KS-KDS construction.
Theorem 1 Let CID be an IMP-KOA secure CID proto- col with HVZK.Let KDV be a re-linkable KDV scheme for CID .Let PKE be an IND-CPA secure PKE scheme.Let G, H and H 1 are random oracles.Then, the KS-KDS scheme is EUF secure in the random oracle model.
Proof Assume toward contradiction that there exists a PPT adversary A that breaks the EUF security of the KS- KDS scheme with noticeable probability.That is, the following advantage is noticeable: We consider two different cases and construct PPT adversary B or C against the IMP-POA security of CID , respectively: Case 1 ( pk * = mpk ).A generate the valid forge signature for mpk.We then construct B to attack CID as follows: • Setup Phase The IMP-KOA challenger generates a pair of public/secret keys (spk, ssk) ← CID.Gen(pp) .• O H 1 (com, m) : At beginning, the adversary B picks B keeps running (com, ch, rsp) ← Sim(sdpk) or (com, ch, rsp) ← Sim(spk) respectively until there does not exist com ′ � = com and ch ′ � = ch such that (com ′ ||m, ch) ∈ L H 1 and B parses σ * as (com * , ch ′ * , rsp * ) and outputs (com * , rsp * ).
Since the adversary B has the secret key esk of the PKE , the simulation of O Dpk is perfect.Since H 1 is a random oracle, the simulation of O H 1 is perfect.Additionally, B simulates the oracle O Sig without using of ssk.Because CID is HVZK, the probability that the simulation of O Sig can be distinguished by the adversary A is at most q Sig • Adv HVZK CID,A .Then for Case 1, we have (detailed derivation can be found in E): where q H 1 , q Sig are the numbers of A'queries to O H 1 and O Sig , respectively.
Case 2 ( pk * ∈ L Dpk ).A generate the valid forge signa- ture for a dpk ∈ L Dpk .We then construct C to attack CID .Naturally, the challenge public key for C is a derived key which belongs to L Dpk .Therefore C needs to gener- ate related master public key of the challenge public key by using the re-linkability of KDV .The details of C are as follows: • Setup Phase The IMP-KOA challenger generates a key pair (dspk, dssk) ← CID.Gen(pp ′ ) .The IMP- KOA adversary C receives dspk and public param- eters pp.It runs (epk, esk) ← PKE.Gen(pp) and extracts a deterministic polynomial-time verifiable relationship R := {(pk, sk)|(pk, sk) ← CID.Gen(pp)} .It runs (spk, k * ) ← Rel(dspk, R) and lets mpk := spk||epk||R .Then, it sends mpk and pp to A and initializes query lists L H , L H 1 , L Dpk and L Sig as empty sets.Let Sim be a PPT algorithm defined as in the Definition 3.
3 Without loss of generality, we assume that (com, m) has not been queried.
Applying the same reasoning as in Case 1, the simulation of O Dpk and O H 1 is perfect and the simulation of O Sig can be distinguished by the adversary A with probabil- ity at most q Sig • Adv HVZK CID,A (pp) .Since the re-linkability of KDV and O H is also a random oracle, the (mpk, dspk, k * ) and the simulation of O H can be distinguished by A with probability at most Adv RLink CID,A (pp) .Then for Case 2, we have (detailed derivation can be found in E): Put these results together, Thus, the KS-KDS scheme is EUF secure in the random oracle model.
Theorem 2 Let CID be an IMP-KOA secure CID pro- tocol with HVZK.Let KDV be a re-linkable and leakage- resistant KDV scheme for CID .Let PKE be an IND-CPA secure PKE scheme.Let G, H and H 1 are random oracles.Then, the KS-KDS scheme is SEUF secure in the random oracle model.
Proof This theorem can be proved using the same proof strategy for Theorem 1.We put the full proof in E for selfcompleteness.
Theorem 3 Let CID be an IMP-KOA secure CID proto- col with HVZK.Let be a re-linkable KDV scheme for CID .Let PKE be an IND-CPA secure and IK-CPA secure PKE scheme.Let G, H and H 1 are random oracles.Then, the KS-KDS scheme is UNL secure in the random oracle model.
Proof Assume toward contradiction that there exists a PPT adversary A that breaks the UNL security of the KS-KDS scheme.We can construct a PPT adversary B , breaking the IK-CPA security of the PKE scheme, we put the full proof in E for self-completeness.Theorem 4 Let CID be an IMP-KOA secure protocol with HVZK.Let KDV be a re-linkable and leakage-resist- ant KDV scheme for CID .Let PKE be an IND-CPA secure and IK-CPA secure PKE scheme.Let G, H and H 1 are ran- dom oracles.Then, the KS-KDS scheme is SUNL secure in the random oracle model.
Proof One can use the same proof strategy for Theorems 2 and 3 to prove this theorem.We give the full proof in E for self-completeness.

Instantiation
Finally, we give two instantiations of our KS-KDS framework with EUF/UNL security and SEUF/SUNL security, respectively.

A KS-KDS instantiation on the elliptic curve
We instantiate the CID in Algorithm 1 to the Schnorr underlying identification protocol, which is HVZK and IMP-KOA secure, the full proof could be derived from Pointcheval and Stern (1996); we instantiate the PKE to EC-Elgamal, which is IND-CPA secure and IK-CPA private (this is noted in Naor and Reingold 1997; Cramer and Shoup 1998 and fully treated in Tsiounis and Yung 1998).Let pp = (E, G, q) be system parameters specifying a secure elliptic curve E with a generator G that gener- ates a secure cyclic subgroup G with prime order q.Then we propose a KDV instantiation on the elliptic curve as follows: and outputs b := r • b mod q.
• KDV.Chk(pk, sk, R) → b : It checks whether This KDV is re-linkable since we can construct Rel as follow: It takes as input B , and randomly chooses a ∈ Z q .It calculates B ′ = a • B and r ′ = a −1 , then out- puts (B ′ , r ′ ).

A strong KS-KDS instantiation on the lattice
We first propose a CID instantiation on the lattice using trapdoor generation algorithm TrapGen defined in Alwen and Peikert (2009), Boyen (2010) and pre-image sample algorithm SamplePre proposed in Gentry et al. ( 2008): • CID.Gen(pp).The algorithm runs (A, T A ) ← TrapGen(pp) , then outputs the public key A and the secret key T A .
• CID.P 1 (A) → (com, st) .CID.P 1 randomly chooses t ← Z n q , computes com = At and generates the state st .It sends com to verifier V.
• CID.V 1 (A, com) → ch .On receiving com = At from P , CID.V 1 randomly chooses r ∈ Z q and x ∈ Z n q .Calculates u = Ax and returns ch := (r, u).
This CID is HVZK and IMP-KOA secure, the full proof could be derived from Lyubashevsky (2012).We then instantiate the PKE in Algorithm 1 to LWEPKE, which is IND-CPA secure and IK-CPA private (Regev 2009); and propose a re-linkable and leakage-resistant KDV inspired by the lattice-based PDPKS scheme (Liu et al. 2020): DeleRight is a trapdoor delegation algorithm defined by Liu et al. (2020).This KDV is re-linkable and leakage- resistant, we give the proof sketch in D. The construction of (strong) key reusing key derivation scheme In "The construction of (strong) key separation key derivable signature scheme" section we propose a framework to construct KS-KDS.It is a dual-key framework that follows the key separation principle.We observe that the random oracles in our framework play a similar separation role.Therefore, in this section we revise the key generation part to obtain a key reusing KDS (KR-KDS) framework as shown in Fig. 7.

A framework to construct (strong) KR-KDS
We construct a KR-KDS based on a canonical identification protocol CID and a public key encryption PKE shar- ing the same key generation algorithm Gen , and a key derivation scheme KDV.
We put the full algorithm in B for self-completeness.Remark We remark that our KR-KDS framework contains a combined signature and KEM scheme (CSK): let SIG = FS(CID, H 1 ) = (Gen, Sign, Verify) , KEM = FO(PKE, H ) = (Gen, KEM.Enc, KEM.Dec) , then we obtain a CSK scheme CSK = (Gen, Sign, Verify, KEM.Enc, KEM.Dec) .This is a novel framework to con- struct CSK that is jointly secure.It has independent interests outside of stealth address, which we present further discussion in C.
Security Our KR-KDS construction has EUF/UNL security when KDV is UNL secure, and SEUF/SUNL security when KDV is UNL and IND secure.
Theorem 5 Let CID be and IMP-KOA secure CID proto- col with HVZK.Let PKE be an IND-CPA secure and IK- CPA secure PKE scheme.Let KDV be a re-linkable KDV scheme for CID and PKE .Let G, H and H 1 be random ora- cles.Then the KR-KDS scheme is EUF and UNL secure in the random oracle model.
Proof The proof is similar to Theorems 1 and 3. We put the proof sketch in E.
Theorem 6 Let CID be and IMP-KOA secure CID pro- tocol with HVZK.Let PKE be an IND-CPA secure and IK-CPA secure PKE scheme.Let KDV be a re-linkable and leakage-resistant KDV scheme for CID and PKE .Let G, H and H 1 be random oracles.Then the KR-KDS scheme is SEUF and SUNL secure in the random oracle model.
Proof The proof is similar to Theorems 2 and 4. We put the proof sketch in E.

Instantiation
We then improve the two KS-KDS instantiations in "Instantiation" section to KR-KDS schemes.

The KR-KDS instantiation on the elliptic curve
We still use the Schnorr CID , EC-Elgamal encryption and our elliptic curve KDV in "Instantiation" section to instantiate KR-KDS, since their key pair have the same relation.It implies a Schnorr-based compact stealth address protocol that can be used in the single-key cryptocurrency systems that support Schnorr signature such as Bitcoin (support from 2021.11),BCH and Polkadot Wuille et al. (2021).The full algorithm in shown follows: Let pp = (E, G, q) be system parameters specifying a secure elliptic curve E with a generator point G that gen- erates a secure cyclic subgroup G with prime order q.Then the CKDS scheme can be described as follows: and lets pk := (E, G, q, B) and sk := (b, pk) .Then, it returns (pk, sk).Lets ch := H 1 (f (com x )||f (com y )||m) where com x/y denotes the x/y-coordinate of com and f (•) is a con- version function that converts a field element into a bit-string.It computes rsp := z + hb ′ mod q and returns (ch, rsp) unless rsp = 0 or ch = 0 .In this lat- ter case the whole procedure is repeated.
Remark.Our solution is a framework that can have multiple instantiations, such as using EC-IES instead of EC-Elgamal.EC-IES satisfies the requirements set forth in "The construction of (strong) key reusing key derivation scheme" section and is jointly secure with Schnorr (Degabriele et al.

The strong KR-KDS instantiation on the lattice
Unlike the KR-KDS implementation on the elliptic curve, we cannot use the same components as in the lattice instantiation in "Instantiation" section to construct the KR-KDS scheme.This is because our CID and KDV use a lattice basis and its trapdoor as a public and secret key pair, while LWEPKE use a different relation.We then propose a trapdoor encryption algorithm instead of LWEPKE: According to the parameters of learning with errors problem (LWE) and the chosen ciphertext-secure encryption scheme constructed by Micciancio and Peikert (2012) , G ∈ Z n×nk q is a gadget matrix for large enough prime power q = p e and k = O(logn) = O(logq) .A ⊥ denotes the transpose of A .We give a PKE scheme PKE = (PKE.Gen, PKE.Enc, PKE.Dec) as follows:

Conclusion
Stealth address protocol, a cryptographic technique widely used in blockchain systems, lacks formalized definition, theoretical analysis and frameworks.Additionally, there is no existing work that studies the key reuse in such a crypto primitive that contains both a derivation scheme and a signature scheme.In this paper, we fill all these gaps.We proposed a key derivable signature scheme (KDS) to formalize the stealth address protocol, and propose frameworks and the first compact scheme by constructing a jointly secure and key private CSK.Our construction can not only effectively simplify the stealth address protocol and privacy-preserving blockchain systems, but it also has the potential to be deployed into existing widely used cryptocurrency systems to provide privacy protection.
Appendix A: Security models of PDPKS Definition 13 (PDPKS Liu et al. 2019b) A PDPKS scheme with message space M consists of following algorithms: • Setup(1 ) → pp .The setup algorithm takes the security parameters 1 as input and outputs public parameters pp.• KeyGen(pp) → (mpk, msk) .The key generation algorithm takes the public parameters pp as input and outputs a master public key/secret key pair (mpk, msk).• DpkDerive(mpk) → dpk .The public key derivation algorithm takes a master public key mpk and outputs a derived public key dpk.
• DpkCheck(mpk, msk, dpk) → 0/1 .The derived public key checking algorithm takes a master key pair (mpk, msk) and a derived public key dpk as input, and outputs a bit b, where b = 1 means that dpk is a derived key generated from mpk and b = 0 means not.• DskDerive(mpk, msk, dpk) → dsk .
The secret key derivation algorithm takes a master key pair (mpk, msk) and a derived public key dpk as input, and outputs a derived secret key dsk.O H both are simulated by lazy sampling because B does not have the secret key of PKE .B also simulates O Dpk in the same way as in the proof of Theorem 3. Thus, it simulates O Dpk without using the secret key of PKE .Since G, H and H 1 are different random oracles, these simulations can only be distinguished with negligible probability by A even in the case of key reusing.Thus, we can demon- strate the KR-KDS scheme is (S)EUF secure in the random oracle model.

Appendix E.6: Theorem.6
Proof Sketch: assume toward contradiction that there exists a PPT adversary A breaking the (S)UNL security of the KR-KDS scheme.Then one can construct a PPT adversary B or C , breaking the IK-CPA security of the PKE scheme.The simulations of oracles are similar to the proof of Theorem 3 (Theorem 4).Since G, H and H 1 are different random oracles, these simulations can only be distinguished with negligible probability by A even in the case of key reusing.Thus, we can demonstrate the KR-KDS scheme is (S)UNL secure in the random oracle model.

Definition 2 (
IMP-KOA Security) A CID protocol CID = (CID.Gen, CID.P, CID.V) is IMP-KOA secure, if there exists a negligible function negl(•) such that the advantage Adv IMP−KOA CID,A (pp) ≤ negl( ) 1 for any PPT adversary A .The advantage is defined as follows: where G IMP−KOA CID,A (pp) is describe as in Fig. 1.

Fig. 2
Fig. 2 IK-CPA game for PKE 1 .To spend the coin in dpk B , B runs DskDerive(mpk B , msk B , dpk B ) → dsk B to derive the secret key dsk B .Then he can use Sign(dsk B , m B ) → σ B to sign a transaction spending the coin.Anyone else can validate the transaction by using Verify(dpk B , m ′ B , σ ′ B ) → 0/1.

Fig. 3
Fig. 3 EUF security and SEUF security of KDS with differences highlight in bold

Fig. 4
Fig.4UNL security and SUNL security of KDS with differences highlight in bold • KDV.Dpk(mpk, R) → dpk : The public key deri- vation generation algorithm takes a master public key mpk and a deterministic polynomial-time verifiable relationship R as input, selects a random number r $ ← − R, 2 and outputs a derived public key dpk := DKV.Dpk(mpk, R; r).

Fig. 5 A
Fig. 5 A Framework to Construct KDS.Rectangles hold the crypto primitives, with security/privacy properties highlight in gray.Diamonds hold transformation algorithms

Fig. 6
Fig.6The re-linkability and leakage-resistance game for the KDV scheme KDV The IMP-KOA adversary B receives spk and public param- eters pp.It runs (epk, esk) ← PKE.Gen(pp) and extracts a deterministic polynomial time verifiable relationship R := {(pk, sk)|(pk, sk) ← CID.Gen(pp)} .Let mpk := spk||epk||R and msk := ssk||esk .It sends mpk to A and initializes three query lists L H 1 , L Dpk and L Sig as empty sets.Let Sim be a PPT algorithm defined as in the Definition 3. • Challenge Phase The challenger picks a challenge ch * $ ← − CH and sends it to B. • Query Phase For each A 's query m and (m, c), O G and O H return H(m) and H(m, c), respectively.Addition- ally, O H 1 , O Dpk and O Sig are simulated by the adver- sary B as follows: (dpk) : For each A 's query dpk = (c, sdpk) to O Dpk , the adversary B calculates m := PKE.Dec(esk, c) .If m = ⊥ or PKE.Enc(esk, m; G(m)) � = c , it returns 0. It calculates k := H (m, c) , if sdpk = KDV.Dpk(spk, R; k) , it returns 1 and lets L Dpk := L Dpk ∪ {dpk} .Otherwise,it returns 0. • O Sig (pk, m) : For each A 's query (pk, m) to O Sig , if pk = (c, sdpk) ∈ L Dpk or pk = mpk ,
2012): Lemma 1 (Degabriele et al. 2012) ECIES-KEM and EC-Schnorr are jointly secure in the random oracle model, if the gap-DLP problem and gap-DH problem are both hard.

Sign msk EUF/UNL SEUF/SUNL Framework Compact
= (P 1 , P 2 ) : The prover is a two-stage algo- rithm that takes a secret key sk.P 1 takes the secret key sk as input and outputs a commitment com ∈ COM and a state st ; P 2 takes the secret key sk, a commit- ment com ∈ COM , a challenge ch ∈ CH and a state st as input and outputs a response rsp ∈ RSP.

•
Challenge Phase The challenger generates a challenge ch * and sends it to C. • Query Phase For each A ' query m to O G , it returns r = G(m) .O H 1 , O Dpk and O Sig are simulated as in the construction of B .Additionally, O H is simulates by the adversary C as follows: •