Post Quantum Fuzzy Stealth Signatures and Applications

Private payments in blockchain-based cryptocurrencies have been a topic of research, both academic and industrial, ever since the advent of Bitcoin. Stealth address payments were proposed as a solution to improve payment privacy for users and are, in fact, deployed in several major cryptocurrencies today. The mechanism lets users receive payments so that none of these payments are linkable to each other or the recipient. Currently known stealth address mechanisms either (1) are insecure in certain reasonable adversarial models, (2) are inefficient in practice or (3) are incompatible with many existing currencies. In this work, we formalize the underlying cryptographic abstraction of this mechanism, namely, stealth signatures with formal game-based definitions. We show a surprising application of our notions to passwordless authentication defined in the Fast IDentity Online (FIDO) standard. We then present SPIRIT, the first efficient post-quantum secure stealth signature construction based on the NIST standardized signature and key-encapsulation schemes, Dilithium and Kyber. The basic form of SPIRIT is only secure in a weak security model, but we provide an efficiency-preserving and generic transform, which boosts the security of SPIRIT to guarantee the strongest security notion defined in this work. Compared to state-of-the-art, there is an approximately 3.37x improvement in the signature size while keeping signing and verification as efficient as 0.2 ms. We extend SPIRIT with a fuzzy tracking functionality where recipients can outsource the tracking of incoming transactions to a tracking server, satisfying an anonymity notion similar to that of fuzzy message detection (FMD) recently introduced in [CCS 2021]. We also extend SPIRIT with a new fuzzy tracking framework called scalable fuzzy tracking that we introduce in this work. This new framework can be considered as a dual of FMD, in that it reduces the tracking server's computational workload to sublinear in the number of users, as opposed to linear in FMD. Experimental results show that, for millions of users, the server only needs 3.4 ms to filter each incoming message which is a significant improvement upon the state-of-the-art.


Introduction
Cryptocurrencies provide support for trustless and publicly verifiable payments. The sender of a payment posts a transaction onto a public ledger called blockchain. In the most basic form, the transaction specifies the sender and receiver's respective public keys (or addresses), and the transaction is authorized by the sender via a digital signature wrt. their public key. E-commerce [eco], donation platforms [donc, dona, donb], gaming platforms [ega], etc., are just some of the popular  that is compatible with Schnorr, ECDSA and other group based signature schemes predominantly used in currencies today?
• Can we have an efficient stealth signature scheme secure with unbounded key exposure that is post-quantum secure?
A caveat of the stealth address mechanism is that a recipient (online or offline) has to parse through a large number (hundreds of thousands per day) of transactions to identify those that send coins to one-time addresses corresponding to his master address. A workaround was proposed in [vS], where a recipient can delegate identification of incoming payments to a semi-trusted third party server called the tracking server. To do so, the recipient can generate a so-called tracking key from his secret key and provide it to the tracking server. The tracking key allows the tracking server to identify or track all incoming payments to the recipient using the tracking key, and later notify the recipient of these exact payments. On the other hand, such a tracking key should not enable the tracking server to generate one-time secrets for the concerned one-time addresses. Prior works [ADE + 20, LYW + 19, LLN + 20] omit this important tracking functionality in their formalization of stealth signatures.
A downside of the above tracking method is that we fully give up anonymity/unlinkability with regards to the tracking server who learns exactly which payments are addressed to the recipient. While there is a natural and obvious tension between the anonymity goal of unlinkability and functional goal of trackability, a recent work of Beck et al. [BLMG21] attempts to strike a balance between these notions. They introduce the concept of fuzzy message detection (FMD), where a tracking server can approximately detect messages meant for a recipient with adjustable degree of uncertainty. More specifically, their notion of detection is fuzzy in the sense that messages meant for the recipient are always correctly identified, but there is recipient-controlled false positive rate (baked into the fuzzy tracking key) which causes messages meant for other users to be misclassified as being meant for the recipient. Thus, the tracking server cannot decide with certainty if a detected message is actually intended for the recipient or not. This mechanism makes it necessary for the sender of the message to include additional fuzzy tracking information and the tracking server possesses a fuzzy tracking key. In principal, applying their technique to enable fuzzy tracking of one-time addresses in stealth signatures is straightforward. However, relying on their schemes comes with considerable drawbacks. While their first scheme (FMD 2 ) is efficient, it relies on the pre-quantum DDH assumption. Their second scheme (FMD frac ) relies on heavy tools like garbled circuits that lead to an unacceptable size-blowup of the sender's message. On the other hand, there are signalling detection or retrieval schemes [MSS + 21, LT21] for fully private tracking instead of fuzzy tracking, but all of them require linear work at the server side which doesn't scale to thousands or millions of users. We discuss their schemes and ours in Appendix B and present a comparison in Table 2. This leads us to ask: • Can we have a stealth signature scheme with efficient fuzzy tracking in the post-quantum setting and scalable to hundreds of thousands (or even millions) of users?

Our Contributions
We summarize our contributions below. Modular Framework. We introduce Spirit (in Section 6.1), the first practically efficient postquantum stealth signature scheme secure without key-exposure 2 . Towards this goal, we consider the lattice-based Dilithium [LDK + 20] signature scheme, which is the winner of the NIST standardization competition and most likely candidate to be adopted into cryptocurrencies. Without changing the signature scheme in any way, we augment Dilithium with additional algorithms to obtain Spirit so that it now supports one-time key derivations and tracking. Next, we show how one can generically transform (in Section 5) a stealth signature scheme that is secure without key-exposure into a scheme that is secure with unbounded key-exposure. Thus we can upgrade Spirit into one that is practically efficient and secure with unbounded key-exposure. Both Spirit and its upgrade are compatible with cryptocurrencies that would support Dilithium signature verification and no additional scripting is required.
Furthermore, we construct a stealth signature scheme (in Appendix D) that is compatible with group-based schemes like Schnorr, and ECDSA which are used in most of the currencies today. However, it only guarantees security with bounded key-exposure: It tolerates an a-priori number of one-time secret key leakage. Fuzzy Constructions. We then present two fuzzy stealth signature schemes (using Spirit), both of which are the first efficient and post-quantum candidates.
In the first construction (in Section 6.2), we take a similar approach as FMD from [BLMG21]. But we reduce its overhead from O(λ) to 1 bit per signal by making novel use of ciphertext compression techniques [BDGM19]. Additionally, we show how to allow finer false-positive rates without requiring heavy tools like garbled circuits as in [BLMG21].
We then present a new scalable framework for fuzzy tracking (in Section 4.4) followed by an efficient construction (in Section 6.3) in the random oracle model. This framework can be viewed as a 'dual' version of FMD mechanism from [BLMG21]. Intuitively, it is a trade-off between efficiency and usability: By limiting the users' ability to choose false-positive rates, we are able to reduce the tracking server's computational work to an amount which is sublinear in the total number of users. This compares very favourably with prior works, where the server needs to take a linear scan of each user's tracking key [BLMG21, MSS + 21, LT21]. Implementation. We implemented Spirit, post-quantum FMD, and scalable fuzzy tracking based on Dilithium, Kyber, and Falcon with anonymized open-source code [imp]. We test them with different parameter sets on an ordinary laptop as presented in Table 3 and Table 4 (in Appendix B). Experiment results show that our stealth signature with strongest security only yields a 4.09 KB signature, while the verification time is less than 0.2 ms. Similarly, our scalable fuzzy tracking mechanism only takes 3.42 ms to filter each incoming message in the setting with millions of users. Application to FIDO. As our final contribution, we surprisingly apply our stealth address notion to FIDO2 standard passwordless authentication schemes (formally defined in [BBCW21]). We show how manufacturers can implement device authenticators that not only provide post-quantum security but require limited secure memory (one master secret key), support global revocation (as defined in [HLW22]), multi-device credentials [All22], and can be used to implement asynchronous remote key generation ([FGK + 20]).

Technical Overview
Let us first recall the group-based stealth signature scheme of [vS]: Given a cryptographic group G = ⟨g⟩ of prime order p, the master public key is mpk : is the master secret key, and mtk := a is the tracking key. To re-randomize mpk to a one-time address (i.e., one-time public key), the sender samples a uniformly random r ←$ Z p and computes opk := g H(h r 0 ) · h 1 ∈ G where H : G → Z p is a hash function modelled as a random oracle. Additionally, the sender attaches tracking information tki := g r ∈ G to the opk. To derive the corresponding one-time secret key osk from msk, the receiver computes osk := H(tki a ) + b ∈ Z p with the help of tki. Now, opk and osk satisfy the discrete-log relation opk = g osk , hence the receiver can sign (for e.g., Schnorr or ECDSA) any message with osk to output a signature which can be verified with corresponding opk. An additional mechanism is that mtk := a can be given to a tracking server for tracking: By comparing whether opk ? = g H(tki mtk ) · h 1 , the tracking server can determine whether opk links to the issuer of mtk.
Taking a closer look, this approach to build stealth signature apparently can be generically decomposed to a linearly homomorphic one-way function f : D → M where f(x + y) = f(x) + f(y), and a key-exchange protocol (KE 1 , KE 2 , KE 3 ), where KE i denotes the i-th message function: ct 1 ∈ C 1 ←KE 1 (r 1 ), (ct 2 ∈ C 2 , K ∈ K) ←KE 2 (r 2 , ct 1 ), where r 1 , r 2 are two user's secrets, and K is the agreed-upon key. Here, C 1 , C 2 , and K represent the first message space, second message space, and the key space, respectively. Now, let mpk := ct 1 := KE 1 (r 1 ), B := f(b) and msk := (r 1 , b), mtk := r 1 . To publish a one-time address, the sender can just compute (ct 2 , K) ← KE 2 (r 2 , ct 1 ) and publish Since they obey the relation f(osk) = opk, we can leverage this to sign and verify. The tracking mechanism still works by checking if We will now adapt this blueprint to construct a stealth signature in lattice setting.

Spirit: Lattice-based Stealth Signature
To make our protocol both efficient and practical, we would like to use optimized NIST winners as our building blocks. In this work, we choose Dilithium as the underlying digital signature considering that it is one of most popular signature schemes in NIST [LDK + 20]. We call the resulting stealth signature scheme Spirit. Basically, it follows the above approach: In Dilithium, the public key is a Module Learning With Errors (MLWE) [BGV12] sample t := As 1 + s 2 where its secret-error pair (s 1 , s 2 ) (both chosen from a suitable short distribution) acts as the secret key. Since MLWE involves only linear operations, we have that Yet, even though adding samples is approximately linearly homomorphic, this addition will increase error rates or lengths for both s 1 and s 2 . Typically, the s 1 and s 2 are generated by sampling their coefficients uniformly with absolute value at most η (for some small parameter η). The increased norm of the new secrets (s 1 + s ′ 1 , s 2 + s ′ 2 ) will incur additional running time during signing due to the so-called "Fiat-Shamir with Abort" mechanism of Dilithium. To alleviate this issue, we only prove Spirit to be existential unforgeable. This will give us better parameters to balance between security and efficiency. Looking ahead, we point out that Spirit can be transformed to a strongly existentially unforgeable scheme using a generic compiler which we will introduce later.
Apart from a linearly homomorphic one-way functions, we still need a key-exchange protocol. However, this key-exchange needs some additional properties. Specifically, we need a non-interactive key-exchange (NIKE) protocol which is substantially stronger than KE we depicted above. The starting point is that it needs to be anonymous under chosen plaintext attacks (CPA), which means given the message ct 2 , the adversary cannot link it to the ct 1 used to generate ct 2 . This is for stealth signatures as we don't want our one-time address to be linkable to the original master public address. This security notion is formalized as unlinkability.
But anonymity under chosen plaintext attacks will not even suffice yet for our applications. We will require a stronger notion of anonymity under plaintext checking attacks (PCA). Here, the adversary is given an additional oracle which allows him to check whether a ciphertext-plaintext pair is valid or not. To see why this is necessary, consider an adversary who is trying to link some (opk, tki) to mpk. Such an adversary will be able to sample ct 2 ←$ C 2 , K ←$ K to generate (opk ′ , tki ′ ), which can then be published to see if the tracking check passes. It turns out that anonymity under plaintext checking attacks is sufficient for this setting. However, we currently don't have a simple construction satisfying anonymity under plaintext checking attacks. As a consequence, we use an even stronger key-exchange protocol which is anonymous under chosen ciphertext attacks (CCA), namely, it is ANOCCA-secure (formalized in Definition C.7). Fortunately, the recent standardized KEM by NIST, Kyber [SAB + 20], can be slightly modified to be ANOCCA-secure [GMP22] and we use Kyber in the concrete instantiation. There are multiple technical details not covered in this outline, for instance, besides tki, the one-time address opk itself also needs to be anonymous. We refer to Section 6.1 for detailed construction and analysis.
So far, we briefly mentioned two important security notions for stealth signatures, namely unforgeability and unlinkability (Section 4 for formalization). However, we note that we only formalize these two notions as unforgeability without key-exposure and unlinkability without keyexposure, respectively. It turns out the above approach to build stealth signatures (as well as in Spirit) is no longer secure if a one-time secret key osk leaks: Suppose the sender learns osk somehow, he can instantly recover msk as if he knows r 1 which is used to generate corresponding opk.

Generic Transformation: Security with Key-exposure
As mentioned above and noticed in prior works [LYW + 19,NMRL16], leaking one-time secret keys is almost as bad as leaking the master secret key. This is a potential issue in current practical stealth signature schemes [vS] and it is costly to avoid. For instance, if we are willing to use techniques implying hierarchical identity based encryption (HIBE), we could have a stealth signature scheme secure with key-exposure attacks by using pairing [BF01, LYW + 19], lattice basis delegation [ABB10, LLN + 20], or non-black box tools [DG17]. All of above techniques are several orders of magnitude slower in computational time, or orders of magnitude larger in signature or one-time public key size. The reason we don't have a simple solution to this issue is that one-time secret keys are usually a linear function of the msk as mentioned in [LRR + 19]. Apparently we can achieve security with bounded key-exposure by adding more secrets in msk where bounded key-exposure means msk remains secure if the number of leaked osk is smaller than some 'a priori bound' and we show a candidate construction in Appendix D. However, any generic-group based techniques to prevent unbounded key-exposure should imply IBE which is known to be impossible using only black-box techniques [PRV12,SGS21].
In this work, we provide a conceptually simple, generic, and powerful black-box compiler to tackle this problem in the context of stealth signatures (in Section 5): We use a short chain of signatures [Mer90] to compile any stealth signature SS w/o secure without key-exposure into a strong stealth signature SS w secure with unbounded key-exposure. The high level idea is to break this 'linear' relation between osk and msk. Specifically, instead of generating osk directly, with the help of an additional digital signature DS, we generate osk := (σ 1 , sk, vk), where σ 1 ← SS w/o .Sign(osk ′ , vk) and (vk, sk) ← DS.Gen(λ). Note that osk ′ is the one-time secret key in the scheme SS w/o . Intuitively, since osk has a non-linear relation with msk, the adversary cannot recover msk from osk as SS w/o is unforgeable. To sign a message m, it runs σ 2 ← DS.Sign(sk, m) and outputs the final signature σ := (σ 1 , σ 2 , vk). Similarly, to verify σ just use opk to verify the signature σ 1 on vk and use vk to verify the signature σ 2 on m. Compared to original stealth signature SS w/o , our compiled one SS w incurs slightly larger signature size and longer verification time, but in turn is far more efficient than above HIBE-related techniques.
Additionally, we show this compiler can also leverage SS w/o with existential unforgeability to SS w with strong unforgeability via a small tweak: Instead of signing on m, we sign as σ 2 ← DS.Sign(sk, m||σ 1 ). This prevents strong unforgeability attacks of SS w because: Assuming vk in σ is not altered, a different σ ′ 1 ̸ = σ 1 will lead to a forgery (m||σ ′ 1 , σ 2 ) of DS in SS w . Therefore, Spirit can also be leveraged in this way to be strongly unforgeable with key-exposure. This gives us the first practical post-quantum SS w secure with key-exposure.

Fuzzy Tracking
We will now turn to the issue that in the above constructions, the tracking mechanism will leak the users' metadata to the tracking servers, i.e., the tracking server will know exactly which mtk belongs to which specific (opk, tki). As discussed above, to address this problem, Beck et al. [BLMG21] proposed a mechanism named fuzzy message detection (FMD): The server is given a fuzzy tracking key ftk instead of mtk to filter incoming fuzzy tracking information ftki for its users. Here, ftki is attached with (opk, tki). Specifically, for unmatched ftki and ftk, they will be linked with probability roughly ρ.
Transforming their scheme to post-quantum world is non-trivial as there are still two potential obstacles in the lattice setting: First, it is not practically efficient since its ftki is as large as O(n · |ct|)bit where |ct| = poly(λ). This is highly undesirable in practise as our expectation is something like O(λ) + n. The other problem is the uniformly-ambiguous (recalled in Appendix C) encryption, as it is unclear how to extend the random oracle based approach in [BLMG21], to the lattice setting due to the presence of noise. We show that these two obstacles are related and can be resolved simultaneously. For simplicity, assume n = 1 for the moment. Recall that in Regev encryption with modulus q, the ciphertext is composed of two parts, a vector c 1 ∈ Z ℓ q and a scalar c 2 ∈ Z q . The secret key is s ∈ Z ℓ q and decryption consists of rounding after a linear operation: where e < B < q 4 is a bounded error. This is not just bad for efficiency (as we need additional n log q bits to encrypt n more bits), but also for security: With the correct secret key s, s T c 1 − c 2 is distributed as a Gaussian around q 2 or 0; With a wrong key s * , s T * c 1 − c 2 is distributed uniformly random over the entire domain Z q . These two cases are clearly distinguishable by an adversary.
Our solution will be to compress c 2 into a single bit, which doesn't convey enough information about the distribution. Hence this idea will solve both of the above problems simultaneously. Brakerski et al. [BDGM19] introduced rate-1 packed Regev encryption which can compress each c 2 to just one bit but require an additional offset scalar z ∈ Z q in the header. Thus to to encrypt n bits, the ciphertext after compression is (c 1 , z, w 1 , . . . , w n ) where w i ∈ {0, 1}. To make the offset z statistically close to uniformly random (in our setting pseudorandom doesn't suffice because the adversary gets the secret key), we require super-polynomial noise-modulus ratio of Learning With Errors (LWE) [Reg05] which makes the scheme slightly less efficient. This gives us a lattice-based fuzzy tracking scheme (and ambiguous encryption), and surprisingly, it doesn't rely on heuristic assumptions like random oracles which are necessary in [BLMG21].

Scalable Fuzzy Tracking
We observe that in the above FMD style tracking, the server's computational work is O(N ) with N users and is not scalable when thousands (or millions) of users are using the service of the server. We provide a framework for scalable fuzzy tracking which we view as a dual version of FMD [BLMG21], where the server's work is sublinear. In this framework, we weaken the requirement that the falsepositive rate can be adaptively changed by users. Instead, it is fixed in advance in this setting. This weakening is reasonable as it was shown in [SPB21] that an adversary can mount statistical attacks if users have varying false positive rates. To circumvent such attacks it was suggested that all users have high enough false positivity rates as even a small subset of low rate users can affect unlinkability for the entire pool of users. Therefore we can fix the false positivity rate to be a high enough value for everyone. For example, as calculated in [SPB21], the false-positive rate ρ is better to be as large In this case, we can make the server's overhead O(ρN ) for each incoming message which was at least O(N ) in prior works [BLMG21, MSS + 21, LT21]. We let the tracking server run FTKGen in the beginning to publish fuzzy public key fpk and secretly hold the fuzzy tracking key ftk. For each ftki received from senders, the tracking server will expand ftki to a list of size t composed of potential users' master public keys to which ftki may belong to. The tracking server can then store (opk, tki) to the mailbox of each candidate in this list. Crucially, the master public keys of other potential candidates should remain uncontrollable to either the sender or the server. Otherwise the sender might manipulate the chance of each key appearing in the list. This additional property is named unbiasedness. This rules out the trivial solution, where for instance the sender just sends directly a range of master public keys including the targeted mpk.
Since mpk of each user can be large, in our construction we hash mpk ∈ K to some small hint ∈ T (while making |T | ≥ N ) and use the hint to locate each user's mailbox. Our scheme is based on the underlying INDCPA encryption of Kyber, except that we use non-prime modulus. For instance, assuming the hint contains n = ⌈log N ⌉ bits, i.e., b := hint ∈ {0, 1} n , to generate ftki, the sender modifies the Kyber512's ciphertext ct := (c 1 , c 2 ) to ct ′ := (c ′ 1 , c ′ 2 ) as follows: where ct (and ct ′ ) encrypts hint i as the plaintext, denotes the i-th target mpk as the intended recipient.
For ftki := ct ′ , the tracking server decrypts ct ′ using the key sk = s as follows: for ∀j ∈ [t], to get t potential hints. To argue privacy, intuitively, since s remains random to the sender, the decrypted hint for j ̸ = i would also be random to the sender as However, to prove unbiasedness we mentioned above, we need to be careful because standard regularity lemma seems hard to apply with such small noise parameter and modulus in ideal lattices. Our solution is to rely on the specific structure of the corresponding cyclotomic polynomial and show that even s T x j 0 is not close to a uniformly random polynomial but there's enough entropy to make hint j uniformly random over {0, 1} n as long as n is much smaller than the degree of the polynomial.

From Stealth Addresses to FIDO
We will now describe how stealth addresses fit into FIDO-based passwordless authentication. The FIDO standard specifies ways of using device-based tokens (authenticators) for online authentication.
The protocol is a simple challenge-response where the authenticator creates a signature under the server's challenge. The server verifies the signature against a public key stored during the registration phase. Thus, the token uses different public keys per server to ensure privacy, which poses a challenge for memory-constrained devices. The common practice is to use key wrapping or a key derivation function to generate the signing key ad-hoc during the authentication process, where the server provides additional information (e.g., the ciphertext wrapping the signing keys or random value for the derivation function) for the re-computation.
Applying stealth addresses to this setting would use the same idea. The authenticator only needs to store the master secret key msk and the tracking key mtk. During the registration phase, the server would receive a one-time public key opk and send it to the token during authentication. The authenticator can then reconstruct the corresponding one-time secret key osk and respond to the server's challenge. Interestingly, due to our strong key-exposure notions, one-time keys can be leaked without compromising the unforgeability of non-leaked keys. Thus, we can use the same keys on multiple devices owned by the user, implementing the concept of FIDO multi-device credentials [All22].
Contrary to existing solutions, the public keys do not have to be generated on-token. The user platform (e.g., browser, second token) can generate the one-time public key opk without msk by just using the master public key mpk. What we just described is also called asynchronous remote key generation [FGK + 20], a solution that cleverly uses two devices to solve the token loss problem. After an initialization phase, one of the authenticators is put into cold storage while registration (in the name of both) is done using the primary token. In case of loss, the authenticator in storage can create a valid response to the server's challenge. Using stealth addresses provides the same feature without a complicated initialization step.
One problem with lost devices is that the public keys on the server side are still bound to the user's account. A simple but bothersome solution is for the user to contact all servers it used in the past and revoke the keys. A more flexible solution was proposed by Hanzlik, Loss, and Wagner [HLW22]. With the help of a revocation key published by the user, servers can identify public keys corresponding to lost tokens. Stealth addresses provide the same feature and even improve it a bit. One can identify one-time public keys generated using the same master public key mpk with the help of the tracking key mtk. In the FIDO scenario, a published mtk can be used to globally revoke a lost/stolen token while at the same time not allowing to create forger signature as required by the notions in [HLW22].
Releasing the tracking key mtk will allow everyone to link the one-time public keys, which is a privacy concern. Fuzzy tracking allows for more fine-tuned protection in the case of lost/stolen tokens. Instead of revoking public keys, servers could employ an additional policy-based mechanism to challenge authentications against public keys identified by fuzzy tracking. In other words, the user can hide the actual public key in a set of potential keys, and the server requires some additional authentication factors for those keys. Authenticating using the lost/stolen token will be impossible in such a scenario while at the same time providing extra privacy for the user that lost the device. respectively. We defer the reader to Appendix C for assumptions and analysis tools we use in this work. Apart from this, we make use of the following cryptographic primitives. Digital Signatures. A digital signature scheme DS, formally, has a key generation algorithm KGen(λ) that takes the security parameter λ and outputs the verification/signing key pair (vk, sk), a signing algorithm Sign(sk, m) inputs a signing key and a message m ∈ {0, 1} * and outputs a signature σ, and a verification algorithm Vf(vk, m, σ) outputs 1 if σ is a valid signature on m under the verification key vk, and outputs 0 otherwise. We require unforgeability, which guarantees that a PPT adversary cannot forge a fresh signature on a fresh message of its choice under a given verification key while having access to a signing oracle (that returns a valid signatures on the queried messages). Formally the notion can be captured in an experiment denoted by EUFCMA. Strong unforgeability refers to the case where the adversary is required to forge a fresh signature on not necessarily a fresh message. Formally the notion can be captured in an experiment denoted by sEUFCMA. Key Encapsulation Mechanism. A key encapsulation mechanism KEM, formally, has a key generation algorithm KGen(λ) that takes the security parameter λ and outputs a encaps key ek and a decaps key dk. An encapsulation algorithm Encaps(ek) inputs an encaps key and outputs a ciphertext C and agreed key K. Finally, we have a decapsulation algorithm Decaps(dk) inputs a decaps key and a ciphertext and outputs an agreed key K. Apart from INDCCA security, we additionally require its anonymous property which can be formally captured in Definition C.7 denoted by ANOCCA and it means the adversary cannot link any ciphertext C to its encaps key ek even being able to access a decaps oracle. Concretely, we use Kyber [SAB + 20] with the modification shown in Figure 6 of [GMP22].

Definitions of (Fuzzy) Stealth Signatures
In this section we first present our formal definitions for a stealth signature scheme, followed by how we can add-on fuzziness to the scheme. Note that stealth signatures were formalized in prior works [LYW + 19, LLN + 20], however our formalization of security is strictly stronger than theirs, and moreover we are the first to formalize tracking and fuzzy tracking for a stealth signature scheme. We will point out the exact differences 4 in the formalism as we introduce the security notions formally.
Below we present the definition of stealth signatures, that formalizes the tracking of keys which was absent in prior works. This formalization allows for tracking to be outsourced to third-party servers.
(mpk, msk, mtk) ← MKGen(λ): the master key generation algorithm takes as input the security parameter λ and outputs the master public key mpk, the master secret key msk, and the master tracking key mtk.
(opk, tki) ← OPKGen(mpk): the one-time public key generation algorithm takes as input the master public key mpk, and outputs the one-time public key opk and a tracking information tki. osk/ ⊥← OSKGen(msk, opk, tki): the one-time secret key generation algorithm takes as input the master secret key msk, the one-time public key opk, and the tracking information tki, and outputs a one-time secret key osk or a special symbol ⊥. true/false ← Track(mtk, opk, tki): the tracking algorithm takes as input the master tracking key mtk, the one-time public key opk, and the tracking information tki, and outputs true or false.
σ/ ⊥← Sign(osk, m): the signing algorithm takes as input the one-time secret key osk, and a message m, and outputs a signature σ or a special symbol ⊥. true/false ← Vf(opk, m, σ): the verification algorithm takes as input the one-time public key opk, a message m, and a signature σ, and outputs true or false.
The notion of correctness is formalized below.

Security of SS Without Key Exposure
In terms of security, we first want unforgeability, which guarantees that it is infeasible for an adversary to forge a signature on a (fresh) message wrt. some one-time public key opk * for a master public key mpk. The adversary is given access to a one-time secret key generation oracle OSKGenO using which the adversary can generate a fresh one-time secret key. However, the adversary does not get to learn the generated one-time secret keys, therefore the notion is said to be without key exposure. The adversary also has access to a signing oracle, to which it can query a signature on any message of its choice wrt. any one-time secret key that has been generated with a query to OSKGenO. The formal definition is presented below.
Definition 4.3 (Unforgeability without key-exposure). A SS scheme (MKGen, OPKGen, OSKGen, Track, Sign, Vf) is said to be unforgeable without key exposure if there exists a negligible function negl for all λ ∈ N, and for all PPT adversaries A the following holds: where sEUFCMA w/o−ke is defined in Figure 1.
We then want unlinkability, which guarantees that it is infeasible for an adversary to associate a one-time public key to the master public key wrt. which it was generated. The adversary is given two master public keys mpk 0 and mpk 1 , while also given a challenge one-time public key opk b and the corresponding tracking information tki b (for b ∈ {0, 1}) generated wrt. mpk b . The adversary is given access to the OSKGenO as before, and a signing oracle. The adversary is not given access to any of the one-time secret keys and therefore the notion is said to be without key exposure. The formal definition is presented below.
Definition 4.4 (Unlinkability without key-exposure). A SS scheme (MKGen, OPKGen, OSKGen, Track, Sign, Vf) is said to be unlinkability without key exposure if there exists a negligible function negl for all λ ∈ N, and for all PPT adversaries A the following holds: where UNLNK w/o−ke is defined in Figure 2.
return σ Figure 2: Experiment for unlinkability without key exposure.

Security of SS With Key Exposure
Prior works [LYW + 19, LLN + 20] formalized security with additionally giving adversary the one-time secret keys, i.e., the OSKGenO returns the generated osk to the adversary. The unforgeability notion with key exposure is formalized below. Notice that our formalization exposes the one-time secret keys osk to the adversary except the key wrt. which the adversary forges the signature.
Definition 4.5 (Unforgeability with key-exposure). A SS scheme (MKGen, OPKGen, OSKGen, Track, Sign, Vf) is said to be unforgeable with key exposure if there exists a negligible function negl for all λ ∈ N, and for all PPT adversaries A the following holds: where sEUFCMA w/o−ke is defined in Figure 3.
The notion of unlinkability with key exposure is formalized below. Similar to the case above, the OSKGenO returns the generated osk.
return osk Figure 4: Experiment for unlinkability with key exposure.
λ ∈ N, and for all PPT adversaries A the following holds: where UNLNK w/o−ke is defined in Figure 4.
Remark. It is worth noting that our formalization apart from the tracking functionality, is stronger than prior works in that the adversary is even given the challenge one-time secret key osk b .

Fuzzy Stealth Signatures
We now formally incorporate the fuzzy tracking functionality into the definition of stealth signing. ftk ← FTKGen(mtk, ρ): the fuzzy tracking key generation algorithm takes as input the master tracking key mtk, and a false positivity rate ρ, and outputs a fuzzy tracking key ftk. true/false ← FTrack(ftk, ftki): the fuzzy tracking algorithm takes as input the fuzzy tracking key ftk, the fuzzy tracking information ftki, and outputs true or false.
We define the notion of correctness below. We borrow the notion of fuzziness from [BLMG21] and adapt the same for the stealth signature setting. Intuitively, the correctness of fuzzy tracking says that with a probability ρ, the fuzzy tracking algorithm returns true for a mismatched fuzzy tracking key and a one-time public key. For a correctly matched fuzzy tracking key and a one-time public key, the tracking algorithm always returns true. The unforgeability notion remains the same as in Figure 3, as the adversary in this notion already has access to the master tracking key.
Unlinkability with fuzzy tracking ensures that it is computationally infeasible for an adversary, given two fuzzy tracking keys that both return either true or false when tracking a challenge one-time public key (opk b , ftki b ) simultaneously, to associate (opk b , ftki b ) with the correct tracking key (either ftk 0 or ftk 1 ). The adversary is said to violate the notion if it can guess correctly the association non-negligibly more than 1/2. Definition 4.9 (Unlinkability with key-exposure and fuzzy tracking). A F-SS scheme (MKGen, OPKGen, OSKGen, Track, Sign, Vf, FTKGen, FTrack) is said to be unlinkable with key-exposure and fuzzy tracking if there exists a negligible function negl for all λ ∈ N, all ρ ∈ (0, 1] such that log 2 ρ ∈ Z, and for all PPT adversaries A the following holds: where UNLNK fw−ke is defined in Figure 5.

Scalable Fuzzy Tracking
We now formalize the functionality, correctness, and security of fuzzy scalable stealth signatures as follows.
return osk Figure 5: Experiment for unlinkability of F-SS with key-exposure.
Crucially, we omit opk in FTrack as ftki is already associated with opk and we still have the regular Track algorithm that works with tk, opk and tki for tracking. The correctness definition above 'ties' together the keys ftk, mpk and mtk, and (opk, tki, ftki) ← OPKGen(mpk) by requiring that FTrack(ftk, ftki) always returns 1.
Definition 4.12 (Unlinkability with key-exposure and fuzzy scalable tracking). A F-SSS scheme (MKGen, OPKGen, OSKGen, Track, Sign, Vf, FTKGen, FTrack) is said to be unlinkable with keyexposure and fuzzy scalable tracking if there exists a negligible function negl for all λ ∈ N, any integer N , all ρ ∈ (0, 1] such that 1 2 ⌈log 2 N ⌉ | ρ, and for all PPT adversaries A the following holds: return osk where UNLNK f s w−ke is defined in Figure 6. Note that, similar to prior works, we only consider the semi-honest server in the definition. Pr UNIUBS A f s (λ, ρ, N ) = 1 ≤ where the experiment UNIUBS f s is defined in Figure 6 where list[i] denotes the i-th item of the list and K denotes the master public key space.

Generic Transformation To Get Security With Key Exposure
We provide our black-box compiler below to upgrade an SS w/o without key-exposure to an SS w with key-exposure. Suppose we have a digital signature scheme DS which is strongly unforgeable sEUFCMA. Then we have a black-box compiler leveraging SS to stronger version as shown in Figure 7. Basically, the compiler transforms any SS w/o with EUFCMA w/o−ke and UNLNK w/o−ke security (without keyexposure) into an SS w with sEUFCMA w−ke and UNLNK w−ke security (with key-exposure).
It is easy to see that correctness always holds as long as SS w/o and DS are correct. The security of unforgeability and unlinkability for SS w are captured informally in the following theorem. The formal theorem and security proofs are deferred to Appendix E.

Lattice-based Stealth Signature
We use an ANOCCA-secure key exchange KEM (Kyber) [SAB + 20] and an EUFCMA-secure signature (Dilithium) to construct an SS scheme with existential unforgeability without key-exposure and unlinkability without key-exposure in random oracle model. We require a common reference string crs ←$ {0, 1} 256 , but for conciseness, we omit the explicit mention of crs in interfaces. We provide the detailed construction in Figure 8.
Intuitively, we use KEM to re-randomize the underlying master secret key msk to obtain osk each time and it needs to be actively anonymous which can be instantiated by Kyber with slight modification as shown in [GMP22]. Also, we only require Dilithium to be EUFCMA secure which gives us larger space to choose parameters. We recall Dilithium as follows.
Definition 6.1 (Dilithium [LDK + 20]). Dilithium denoted by Dil is a post-quantum digital signature DS scheme based on the "Fiat-Shamir with Aborts" approach [Lyu09,Lyu12]. It is based on MLWE, MSIS and SelfTargetMSIS assumptions with ring R q := Z q [X]/(X m + 1). Moreover, for secrets s ←$ S ℓ η , its each coefficient of the vector is an element of R q with small coefficients of size at most η. In its optimized construction, there are some useful supporting algorithms which we described as follows: • ExpandA(crs) : The function maps a uniform seed crs to a matrix A ∈ R k×ℓ q .
• ExpandS(K) : The function used for generating the secret vectors in key generation, maps a seed K to (s 1 , The function is the straightforward bit-wise way to break up an element r := r 1 · 2 d + r 0 where r 0 = r mod 2 d and r 1 = (r − r 0 )/2 d .
• HighBits q (r, α) : The function select an α that is a divisor of q − 1 and write r = r 1 · α + r 0 in the same way as before then returns r 1 .
Notably, s ′ 1 + s 1 and s 2 + s ′ 2 have approximately doubled norms, which results in doubled β in signatures. This will require additional iterations in the Sign algorithm, as the number of repetitions is roughly 2 −256·β( ℓ γ 1 + k γ 2 ) , where γ 1 ≈ 2γ 2 [LDK + 20]. However, besides having doubled β, we can also increase γ 1 and γ 2 to 2γ 1 and 2γ 2 , respectively. This adjustment slightly lowers the SelfTargetMSIS hardness but won't harm the running time. To see this, in Dil's proof, the reduction's advantage is mainly dominated by MSIS k,ℓ,4γ2 for sEUFCMA security, but SelfTargetMSIS k,ℓ+1,2γ2 for EUFCMA security. Without using the forking lemma (since it is not tight and not applicable in the quantum setting), the hardness of SelfTargetMSIS mainly comes from finding short vectors (∥·∥ ∞ ≤ 2γ 2 ) z, u ′ such that Az + u ′ = t ′ and amounts to the MSIS problem (refer to Section 6.2.1 and Appendix C.3 in [LDK + 20] for details). Therefore, doubling γ 2 in our Spirit construction provides the reduction of EUFCMA w/o−ke with roughly the same advantage as that of sEUFCMA in Dil. We present the concrete security levels in Table 3.
(pk, sk) ← pRgv.Gen(λ, n) mpk := (mpk ′ , pk), msk := msk Security Analysis. We prove the construction of Spirit in Figure 8 is existential unforgeable and unlinkable without key exposure, and is secure in EUFCMA w/o−ke and UNLNK w/o−ke experiment, respectively. For security of EUFCMA w/o−ke , we prove this in two steps. First, we show it is unforgeable without key exposure under no-message attacks (NMA), i.e., the adversary cannot query SignO(·), and we refer the corresponding experiment to UFNMA w/o−ke ; Next, we show a reduction from UFNMA w/o−ke to EUFCMA w/o−ke . Since Dil does not rely on the lower parts of public key t 0 to be secret, so for simplicity, we assume the one-time public key opk is t ′ instead of t ′ 1 . Also, we assume crs := A directly and is publicly known. Then we have the following theorems to show the construction is unforgeable and unlinkable. The formal statement and analysis of the above lemma and the following theorem is deferred to Appendix F. Theorem 6.2 (informal). Spirit in Figure 8 is existential unforgeable and unlinkable without key exposures if it is UFNMA w/o−ke and the KEM used is ANOCCA secure.

Lattice-based Fuzzy Stealth Signature
We provide a lattice-based construction for fuzzy tracking in standard model. Basically, it is packed Regev encryption (denoted as pRgv) with ciphertext compression [BDGM19]. And this gives us the first post-quantumly ambiguous encryption without relying on random oracles. Packed Regev (compressed). For a more detailed description and analysis, please refer to Appendix G. In short terms, the packed Regev scheme pRgv is a lattice-based linearly homomorphic encryption that has an additional property that allows for ciphertext compression. This unique feature enables the representation of a ciphertext encrypting n bits with a size of only n + O(λ) bits. This reduced ciphertext size contributes to the both asymptotic and concrete efficiency of the scheme.
Since INDCPA and IKCPA security (recalled in Appendix C) of pRgv are discussed in prior works already, we focus on its ambiguous security and we show it is actually Uniformly-Ambiguous (recalled in Appendix C) with super-poly noise-modulus ratio. The formal statement and proof of the lemma below is deferred to Appendix G. Lemma 6.3. Packed Regev encryption pRgv with ciphertext compression shown in Figure 16 satisfies Definition C.8 and is uniformly-ambiguous UNIAMB-secure when 4Bn q is negl(λ). The modulus. To argue uniformly-ambiguous security, we need super-polynomial noise-to-modulus ratio (e.g., 60-bit modulus in our case) which is usually assumed in homomorphic encryption related works. This is a somewhat stronger assumption since it assumes the lattice problem BDD or GapSVP is hard even with super-polynomial approximation factor [Reg05]. Construction. We then provide a lattice-based fuzzy stealth signature in Figure 9, which is composed of a standard stealth signature SS and a compressed packed Regev encryption pRgv shown above. Basically, it use the same framework as FMD 1 presented in [BLMG21]. Correctness. We provide the correctness analysis in Appendix G. Now we consider the false-positive rate ρ when using different fuzzy tracking key. Since c 1 looks uniformly random due to LWE assumption, s T i c 1 is uniformly random over Z q by Leftover Hash Lemma as inner product is a strong randomness extractor 5 . This implies ⌈s T i c 1 + z⌋ is uniformly random over {0, 1} and FTrack returns true with probability 2 −t = ρ. Security Analysis. Formal statement and corresponding proof of the following theorem are deferred to Appendix G. Theorem 6.4 (informal). The fuzzy stealth signature constructed in Figure 9 is unlinkable with keyexposure and fuzzy tracking if the underlying stealth signature is UNLNK w−ke and pRgv is UNIAMB and IKCPA secure.
We also provide an approach to extend it to finer false-positive rate as shown in Appendix G.

Scalable Lattice-based Fuzzy Tracking
As discussed in Section 2.4, we limit the user's ability to choose false-positive rate and provide a new framework of fuzzy tracking which is substantially more scalable than prior works[BLMG21, MSS + 21, LT21]. Please refer to Section 4.4 for functionality and security definitions. Construction. We describe the detailed construction in Figure 10, where {0, ) is a hash function with the seed k and H n : {0, 1} |mpk| → {0, 1} n is another hash function mapping mpk to a hint which is used to locate mpk's mailbox in server's storage. Since it is based on Module-LWE assumption, R q denotes the ring Z q [X]/(X m + 1), and encode Rq : {0, 1} m → Z q [X]/(X m + 1) is a function mapping binary strings to the ring elements with binary coefficients; Similarly, decode Rq is the reverse operation to map back to binary string. Basically, it is a variant of the underlying INDCPA encryption of Kyber with non-prime modulus because we need Z 2 to be a subgroup of Z q in correctness and security analysis. Though we lose the advantage of NTT multiplications, we can still mitigate this by using Karatsuba and Toom-Cook algorithms.
Correctness. It is clear to see that the targeted mpk must have hint := hint i = H n (mpk) appears in list with probability 1: For the targeted index i ∈ [t], we have c i 1 = A T r + e 1 which is the same as standard ciphertext header. The decryption will output hint directly as long as q > 4B. Now we focus on the other case where mpk ′ ̸ = mpk. Firstly, considering hint j ∈ list, it is decrypted as
Security Analysis. The formal theorem statements and proof of the following theorems are deferred to Appendix H.
Theorem 6.5 (informal). The fuzzy scalable stealth signature constructed in Figure 10 is unlinkable with key-exposure and fuzzy tracking if the underlying stealth signature is UNLNK w−ke and MLWE holds. It is also unbiased and satisfying UNIUBS f s defined in Definition 4.13 if n ≤ m 2 where m is a power of 2 and B η is a centered binomial distribution.

Conclusion
In this work, we have presented a novel and practical approach to address post-quantum secure stealth addresses. Along the way, we demonstrate its potential applications, such as privacypreserving payments and passwordless authentication schemes like FIDO. We have also introduced a generic method to transform standard security without key-exposure resistance into a robust security solution capable of withstanding key-exposure attacks. Additionally, we have explored post-quantum fuzzy message detection (fuzzy tracking) and proposed two potential constructions.
Future work and open problems include exploring the integration of our approach into RingCT-like frameworks [EZS + 19, ESZ22] and investigating methods to reduce the signature size based on our current results.

A Discussions about Quantum Random Oracles
Since our goal is a practically efficient construction, we mainly focus on post-quantum security in the classical random oracle setting which is in the same spirit as in related works such as [LLN + 20, EZS + 19, ESZ22], etc. However, our protocols are highly likely to be secure even in the QROM setting. In more detail, for unforgeability, we can either follow the same strategy in Section 4.5 of [KLS18] to argue the EUF-CMA security in the QROM setting or apply the lifting theorem 1.1 and 1.2 from [YZ21] to establish the reduction from EUF-NMA in classical random oracle model to EUF-CMA in the QROM setting; for unlinkability, according to [GMP22], our adapted Kyber is already ANO-CCA secure in the QROM setting, and we only program the random oracle in a non-adaptive way as in the unforgeability game, thus the security in QROM is supposed to be preserved. We will add this discussion to the paper.

B Performance Analysis
We present the performance result in Table 3 and Table 4. Implementation. We implement the Spirit, post-quantum FMD, and scalable fuzzy tracking schemes in C, and the open-source code of our proof-of-concept implementation can be found at [imp]. Specifically, we choose the anonymized variant of Kyber [SAB + 22] to instantiate the KEM for building Spirit: We replace the original FO transform of Kyber with the one suggested in [GMP22], which makes Kyber ANOCCA-secure.
To instantiate the generic transformation in Section 5 to make Spirit secure against keyexposure attacks, we consider using Dilithium or Falcon [PFH + 22] as the additional digital signature. Combining Spirit with Dilithium results in better efficiency but a slightly larger signature size; on the other hand, combining Spirit with Falcon leads to the most compact signatures but significantly longer key generation time.
For Spirit in Section 6.1, similar to Dilithium, we denote the scheme with three security levels as Spirit 2 , Spirit 3 , and Spirit 5 . Parameters are the same as Dilithium's, except that our β, γ 1 , γ 2 are doubled.
For Scalable Fuzzy Tracking in Section 6.3, to attain 115-bit security and negligible failure probability, we choose q = 4096; other parameters are the same as Kyber512, specifically, we have m = 256, η = 3, ℓ = 2. Environment. We run the implementation on a standard laptop: Macbook Air (M1 2020) with 8GB RAM and a 2.1 GHz CPU (Turbo 3.2 GHz). It is important to note that our implementation is based on the reference implementation of Dilithium, Kyber, and Falcon, without using AES or AVX optimization. We perform each test 10,000 times to calculate the average running time. For post-quantum FMD, we run tests 100 times to obtain the average running time.
Experimental results demonstrate that Falcon512+Spirit 2 provides the smallest signature size (4.09 KB) for security against key-exposures with a decent hardness level (114-bit security). Additionally, Scalable Fuzzy Tracking offers the smallest communication cost (800 Bytes) and server's computational overhead (3.4 ms) for millions of clients. Prior Works. We provide comparison tables with prior works in Table 1 and Table 2.
In Table 1, we compare our group-based stealth signature (Appendix D), Spirit 2 (Section 6.1), Spirit 2 +Dilithium2, and Spirit 2 +Falcon512 with previous works. It is important to note  that[LLN + 20] is a theoretical work without concrete parameters. We estimate the parameters based on the information provided in the paper. For a more in-depth analysis of the estimated parameters, please refer to the original text.
If we aim to improve their work with the recent advancements in NTRU, it is worth mentioning that the techniques used in [LLN + 20] are derived from [ABB10], which implies HIBE. Combining it with NTRU could potentially enhance its efficiency. However, it is likely to have parameters similar to the state-of-the-art NTRU-based HIBE [ZMS + 21]. Thus, we estimate the parameters here based on [ZMS + 21] for 80-bit security, as they only provide two levels of security (80-bit or 160-bit).
In Table 2, we compare our Post-quantum FMD (Section 6.2) and Scalable Fuzzy Tracking (Section 6.3) with previous works on message detection or retrieval. All these works assume a semi-honest server, except for Π TEE , which also considers a malicious server. Note that for security, ρ needs to be as large as 1 √ N as calculated in [SPB21]. Additionally, some prior works consider fuzzy schemes ( [BLMG21] and ours) as ρM -anonymity, where M is the total number of messages. However, this is not accurate due to statistical attacks as shown in [SPB21]: even with only one message (M = 1), some extent of anonymity is maintained if N is large.
Regarding the server's workload, we compare the results for a single server with a single thread, as all works (except for Π GC ) support distributed servers or parallelized threads. [BLMG21] requires running their test functionality for each recipient's detection key for each incoming message. Other schemes with full privacy inherently demand O(N ) work from the server; otherwise, information leakage will occur.
Latency per message is dominated by the server's computational time. Assuming there are N = 2 20 clients (a reasonable assumption for cryptocurrencies [use]) and setting the false-positive rate ρ = 2 −10 for [BLMG21] and ours. The numbers of other works are taken directly from their papers. With an assumption of 10 − 20 messages per second (e.g., Bitcoin or Ethereum), only our scheme is practical with many users.
To compute each recipient's computational time, we assume a total of M = 500, 000 messages C Additional Preliminaries C.1 Assumptions Definition C.1 (Cyclotomic Polynomial). We denote by R the ring Z[X]/(X n + 1) and by R q the ring Z q [X]/(X m + 1), where m = 2 m ′ −1 such that X m + 1 is the 2m ′ -th cyclotomic polynomial Φ 2m ′ (X). Moreover, we have Definition C.2 (Learning with Errors (LWE) [Reg05]). For a vector s ∈ Z n q called the secret, the LWE distribution A s,χ over Z n q × Z q is sampled by choosing a ∈ Z n q uniformly at random, choosing e ←$ χ, and outputting (a, b = ⟨a, s⟩ + e mod q). Moreover, decisional-LWE n,m,q,χ is  Figure 11: Experiment for ANOCCA A KEM (λ)

C.2.1 Statistical Tools
Definition C.9 (Statistical Distance). The statistical distance between two probability distributions A and B is Recall min-entropy of a random variable A is then we have the following lemma. Figure 12: Experiment for UNIAMB A PKE (λ) and IKCPA A PKE (λ)

D Group-based Construction against Bounded Leakage
We provide an SS which is unforgeable and unlinkable with bounded key-exposure. The construction is shown in Figure 13, where G is a group of primer order p, g is a generator, and H is a random oracle mapping from G to Z p . Additionally, DS is an efficient group-based signature scheme such as ECDSA, Schnorr and others whose verification key and signing key has discrete logarithm relation, i.e., vk = g sk . Correctness. It is clear that opk = g osk as Tracking mechanism also works since Security Analysis. Now we analyze the security of above construction.
Proof. (sketch) For unlinkability, without knowing x i or r, by DDH assumption, the triple g r , g xi , g r·xi remains uniformly random over G. With random oracle H, H(g r·xi ) is also uniformly random over Z p . Therefore, it is clear that opk, R, R 0 are uniformly random. For unforgeability, as long as DS is (strongly) unforgeable, then SS is also (strongly) unforgeable. Now we consider key-exposures. Since

MKGen(λ)
this is an equation with n variables (x i ) for adversaries. If the adversary learns at most n − 1 equations, then this linear system is undetermined and has at least p solutions which is exponentially large. Thus msk is hiding when there are at most (n − 1) key-exposures.

E Security Analysis of Generic Transform
Proof of Theorem 5.1 We restate the theorem here more formally for the case of unforgeability.
Theorem E.1. The stealth signature SS w constructed in Section 5 is secure in sEUFCMA w−ke experiment if SS w/o is EUFCMA w/o−ke secure and DS is sEUFCMA secure. Specifically, for any λ ∈ N, and for any PPT adversary A, if it succeeds in the experiment sEUFCMA w−ke , then there are other adversaries B 1 , B 2 running in roughly same time such that Proof. We prove the theorem by reduction. Suppose there's an adversary A has non-negligible advantage in sEUFCMA w−ke , then we can construct another adversary B to win the experiment EUFCMA w/o−ke of SS w/o or the experiment sEUFCMA (strong unforgeability) of DS as follows. B forwards mpk, mtk from the challenger in EUFCMA w/o−ke to A.
To simulate OSKGenO(i, opk i , tki i , flag i ), if flag i = true, B runs (vk i , sk i ) ← DS.Gen, then queries σ i 1 ← SignO(vk i ) in EUFCMA w/o−ke and returns osk i := (σ i 1 , vk i , sk i ) to A; If flag i = false, B asks a challenger C i in sEUFCMA of DS to send a challenge verification key vk i , then queries σ i 1 ← SignO(vk i ) in sEUFCMA w/o−ke of SS w/o and stores σ i 1 ; If OK[i] = (opk i , ·, ·) ∧ flag i = true, B signals C i to terminal the experiment and asks for its osk i then forwards that to A. To simulate SignO(i, m j ), B queries σ j 2 ← SignO(m j ||σ i 1 ) and returns σ j := (σ i 1 , σ j 2 , vk i ) to A. Once A submits some valid forgery σ ′ := (σ ′ 1 , σ ′ 2 , vk ′ ), m ′ , i ′ as shown in Figure 3, B behaves in following cases: • If m ′ is not appeared in Q (recall that Q is the set to record signing queries), B forwards σ ′ 2 , m ′ ||σ ′ 1 to i ′ -th challenger in sEUFCMA of DS; • If vk ′ is not appeared in Q, B forwards σ ′ 1 , vk ′ to the challenger in EUFCMA w/o−ke of SS w/o ; • If both m ′ , vk ′ are in Q, then the only case that σ ′ is a valid forgery is either σ ′ 1 or σ ′ 2 not appeared in Q. In either case, B just forwards σ ′ 2 , m ′ ||σ ′ 1 to the challenger in sEUFCMA of DS. This completes the proof.
We restate the theorem here for unlinkability.
Theorem E.2. The stealth signature SS w constructed in Section 5 is secure in UNLNK w−ke experiment if SS w/o is UNLNK w/o−ke secure. Specifically, for any λ ∈ N, and for any PPT adversary A, if it succeeds in the experiment UNLNK w−ke , then there are other adversaries B running in roughly same time such that Adv Proof. Similarly, we can also prove this theorem easily by reduction. Suppose there's an adversary A has non-negligible advantage in UNLNK w−ke , then we can construct another adversary B to win the experiment UNLNK w/o−ke of SS w/o as follows. B forwards mpk 0 , mpk 1 , opk b , tki b from the challenger in UNLNK w/o−ke to A. To simulate osk b , B runs DS.Gen to get (vk, sk), then queries the signing oracle via SignO(·, −1, vk) from UNLNK w/o−ke to learn a signature σ 1 of vk, then returns osk b := (σ 1 , vk, sk) to A. To simulate OSKGenO, B queries SignO and runs DS.Gen as above to generate osk. Once A submits b ′ , B simply forwards b ′ as its final guess. This completes the proof.

F Security Analysis of Stealth Signature Without Fuzzy Tracking
Proof of Lemma 6.1 We restate the lemma formally here.
Lemma F.1. Spirit in Figure 8 is unforgeable without key exposure under no-message attacks. Specifically, in random oracle model, for any λ ∈ N, for any adversary A, if Dil has parameters β, γ 1 , γ 2 , and we denote H ′ as a random oracle can be accessed by A and B 2 , then the advantage to win the game UFNMA A w/o−ke (λ) is Proof. Consider the experiment EUFCMA w/o−ke in Figure 1 where the SignO is forbidden to access. Suppose A forges σ * , then we have the following claim.
Sign(opk i , m j ) / / in Hyb1 and Hyb2 where we denote H as a random oracles can be accessed by A and γ 1 , γ 2 , β are parameters of the underlying Dil scheme.
Proof. We prove the theorem in a sequence of hybrid games. Hybrid 1 : We modify the above game by changing the function Sign(osk, m j ) in UNLNK w/o−ke experiment to the Sign(opk i , m j ) without using osk in Figure 15. Specifically, it samples uniformly random (z j , c j ), programs the random oracle such that H(µ j ||w j 1 ) = c j where µ j is determined by m j and w j 1 := HighBits(Az j − c j t i , 2γ 2 ). Then set σ j := (z j , c j , h j ) where h j can be determined by c j , t i , z j . Because of the perfectly zero-knowledge of σ j , the distribution of signatures in this hybrid is the same as the one in Hybrid 0 , i.e., |Pr[Hybrid 0 ⇒ 1] − Pr[Hybrid 1 ⇒ 1]| = 0.
Besides, this hybrid can be fully simulated by an adversary B 1 of ANOCCA experiment. B 1 simulates the random oracle H for A. Upon receiving ek 0 , ek 1 and (C b , K b ) from ANOCCA experiment, B 1 sets mpk 0 := (t 0 , ek 0 ) and mpk 1 := (t 0 , ek 1 ) where (t 0 , t 1 ) ←$ R k q × R k q are uniformly sampled.

pRgv.Gen(λ, n)
Thus, there is where e ′ = e 2 +e T r−s T e 1 is the small noise term and u ′ = u− q 2 · x i 0 . Note that q 2 (+s 1 x i ) = q 2 (−s 1 x i ) mod q. Therefore, we have shown that ftki 0 and ftki 1 are indistinguishable for the adversary.
Since ftki b and ftki 1−b are indistinguishable and exchangeable for A in UNLNK f s w−ke . Now we show that B can fully simulate the UNLNK f s w−ke experiment as follows. Upon receiving mpk 0 , mpk 1 , opk b , tki b , osk b from UNLNK w−ke , B sample ftk, fpk then computes corresponding ftki b ′ and list for b ′ ←$ {0, 1}, such that w 0 ∈ list ∧ w 1 ∈ list where H(mpk 0 ) = decode Rq (w 0 )[: n] and H(mpk 1 ) = decode Rq (w 1 )[: n]. Then B forwards all of them to A of UNLNK f s w−ke and A cannot distinguish between ftki 0 or ftki 1 due to Claim 2. If A has non-negligible advantage u(λ) in UNLNK f s w−ke , then B has the same non-negligible advantage u(λ) in UNLNK w−ke .
We restate the theorem for UNIUBS f s formally here.
Theorem H.2. If there is n ≤ m 2 where m is a power of 2, and B η is a centered binomial distribution, then the scalable fuzzy tracking constructed in Figure 10 is information theoretically unbiased and satisfies UNIUBS f s defined in Definition 4.13.
Proof. If A is able to output valid mpk i (i.e., valid hint i and w i ), then for him, there is w j = w i ⊕ y i ⊕ y j ⊕ ⌈ q 2 (s 1 (x i − x j ))⌋ 2 .
Note that the coefficients of ⌈ q 2 s 1 ⌋ 2 are uniformly random over {0, 1} m because s 1 ←$ B η where B η is a centered binomial distribution. Moreover, since polynomial multiplication can be written as circular convolution, ⌈ q 2 (s 1 (x i − x j ))⌋ 2 can be written as Xs mod 2 where s ← decode Rq (⌈ q 2 s 1 ⌋ 2 ) and X is the circulant matrix represented by the polynomial x ← ⌈ q 2 (x i − x j )⌋ 2 . Specifically, the first column of X is decode Rq (x) and other columns are rotational shift of the previous column. Since m is a power of 2, it only has divisors from 2 0 to 2 log m . According to Lemma C.2 and Definition C.1, the biggest divisor of X m − 1 is the polynomial Φ m (X) = X m 2 + 1 with degree m 2 . Thus the rank of X is at least m − m 2 and at least a half of elements in Xs mod 2 are uniformly randomly distributed. This means hint j ← decode Rq (w j )[: n] is uniformly random as long as n ≤ m 2 .