A Universally Composable Linkable Ring Signature Supporting Stealth Addresses

The linkable ring signature supporting stealth addresses (SALRS) is a recently proposed cryptographic primitive, which is designed to comprehensively address the soundness and privacy requirements associated with concealing the identities of both the payer and payee in cryptocurrency transactions. However, concerns regarding the scalability of SALRS have been underexplored. This becomes notably pertinent in intricate blockchain systems where multiple cryptographic primitives operate concurrently. To bridge this gap, our work revisited and formalized the ideal functionality of SALRS within the universal composability (UC) model. This encapsulates all correctness, soundness, and privacy considerations. Moreover, we established that the newly proposed UC-security property for SALRS is equivalent to the concurrent satisfaction of signer-unlinkability, signer-non-slanderability, signer-anonymity, and master-public-key-unlinkability. These properties represent the four crucial game-based security aspects of SALRS. This result ensures the ongoing security of previously presented SALRS constructions within the UC framework. It also underscores their adaptability for seamless integration with other UC-secure primitives in complex blockchain systems.


Introduction
In traditional cryptocurrencies such as Bitcoin and Ethereum, the anonymity provided is only at a pseudonymous level. During transactions, a wallet address cannot be linked to the real identity of the transactor. However, privacy-focused cryptocurrencies like Monero or Zcash demand the preservation of both payer and payee anonymity and unlinkability in transactions. In some blockchain systems, e.g., CryptoNote [1], linkable ring signatures (LRS) [2] and the key derivation mechanism (KeyDerM) [1] are employed to address the aforementioned goals of anonymity and unlinkability.
Specifically, when a payer intends to conduct a payment transaction with a payee, the payer first uses KeyDerM to derive a derived public key from the payee's master public key, which serves as the receiving address for the transaction. As the payee's master public key does not appear in the transaction, the recipient of this transaction, i.e., the payee, cannot be identified. KeyDerM is also known as the stealth address (SA) [3] mechanism. When the payee wishes to spend the currency associated with this derived public key, they select a ring of derived public keys for the transaction, which includes their own derived public key. Over this ring, a linkable ring signature is generated, allowing anyone to verify the validity of the signature without learning the actual signer. The linkability property is also useful for detecting double-spending by the signer, as two different signatures generated for the same derived public key will be linked.
Recently, there has been significant attention in the community on linkable ring signatures (LRS) and stealth addresses (SA) [4,5,6,7,8]. For instance, in projects like Monero [9] and CryptoNote [1], LRSs and KeyDerM are considered foundational constructs, but they are treated as separate entities without a unified security analysis, despite their tight coupling in usage. The existing literature [2,10,11,12] largely addresses LRSs or SAs individually, particularly in the context of standard signature schemes [4,8]. Moreover, the signing keys and public keys used in LRSs are generated by the SA mechanism, which means that the LRS mechanism used in the blockchain system does not independently generate keys. Further research is needed to explore the security and privacy aspects of key generation in SA. Whether the security and privacy models of linkable ring signatures and stealth addresses can be effectively applied in cryptocurrency scenarios requires thorough analysis. This is especially pertinent in the context of key selection attacks by adversaries, where existing linkability models either do not consider such attacks or fail to align with the practical use cases of cryptocurrencies.
To address the aforementioned issues, Liu et al. [13] proposed a new cryptographic primitive, namely the linkable ring signature supporting stealth addresses (SALRS). This scheme aims to fulfill the security and privacy requirements of concealing both the payer and the payee in cryptocurrency transactions. The security model of SALRS provides properties such as strong unforgeability, signer-linkability, and signer-non-slanderability. The privacy model ensures properties like signer-anonymity, master-public-key-unlinkability, and derived-public-key-unlinkability. All these properties can be concurrently defined in the SALRS model, aligning with the practical requirements of cryptocurrency scenarios, especially in the context of key selection attacks. Liu et al. [13] also introduced a lattice-based construction for SALRS and demonstrated its privacy and security in the random oracle model. However, there has been no dedicated research on the universal composability (UC) of SALRS to date. This paper analyzes and studies the UC security of SALRS, providing separate proofs for its security and privacy under UC security definitions. The conclusion drawn affirms that SALRS satisfies UC security, enhancing its security and practicality in application scenarios like cryptocurrency.

Our Results
In this paper, we revisit the security definition of SALRS and explore its modularity and adaptability to other cryptographic primitives within a comprehensive cryptocurrency system. Our contributions can be summarized as follows.

• We provide a novel security definition of linkable ring signatures supporting stealth addresses (SALRS) in the universal composability (UC) framework. We define the ideal functionality, which simultaneously captures correctness, signer-linkability, signer-non-slanderability, signer-anonymity, and master-public-key-unlinkability. This is a more robust, simulation-based security definition, implying that the protocol remains secure even when composed with arbitrary protocols.

• We further investigate the strength of the proposed security definition. Through rigorous analysis, we demonstrate that the proposed UC-security of SALRS is equivalent to the concurrent satisfaction of signer-linkability, signer-non-slanderability, signer-anonymity, and master-public-key-unlinkability.

• We establish that the ideal functionality can be securely realized by any previously proposed construction that achieves the above four security properties. This finding indicates that all SALRS constructions that satisfy the security definition of [13], including the construction proposed in [13], are UC-secure and can be arbitrarily composed with other UC-secure components in a complicated blockchain system.

Related Work
Before Liu et al. [13] gave the first practical quantum-resistant solution that hides the payers and payees of transactions in cryptocurrencies, there were several studies on linkable ring signatures [5,14,15,16], but none of them introduced stealth addresses. Without taking efficiency into account, [17,18] can also attain a signature size logarithmic in the number of signers in the ring. The constructions supporting stealth addresses [4,8] do not fulfill the requirements of linkable ring signatures.
While our work is the first to specifically address the UC-security of SALRS, it is worth noting that there have been various studies on UC-secure signature schemes. Canetti [19] initially proposed a functionality for signature schemes, but a flaw in the definition made secure realization impossible. Subsequently, Backes et al. [20] and Canetti [21] addressed the flaw, establishing that the newly defined UC-security is equivalent to the game-based definition of EUF-CMA. In this paper, we employ a similar proof technique to circumvent the flaw identified in [19]. Apart from typical signature schemes, Abe et al. [22] introduced the UC-secure non-committing blind signature. Later, Hong et al. [23] formally defined the UC security of proxy re-signatures. More recently, Zhu et al. [24] discussed the UC-security of the key-insulated and privacy-preserving signature scheme with publicly derived public key (PDPKS). While similar techniques are employed in defining the ideal functionality of digital signatures, it is crucial to emphasize that SALRS is distinct from these signature-related primitives, offering unique functionality and security features.

Outline
In Section 2, we present the syntax and security definitions of the primitive linkable ring signature with stealth addresses (SALRS), and preliminaries on the universal composability framework. In Section 3, we define the ideal functionality of SALRS, which captures its UC-security. In Section 4, we prove the existence of a UC-secure construction by proving the equivalence between the game-based security [13] and the newly defined security. This paper is concluded in Section 5.

Preliminaries
In this section, we begin by revisiting the definition of SALRS as proposed by Liu et al. [13]. Next, we review the background of the Universal Composability (UC) framework [19], as well as the definition of UC-security.
Remark 1. We consider a public key ring R as an ordered set. Specifically, it is composed of a set of public keys, and during the execution of Sign() and Verify(), the public keys are arranged in a specific order, each assigned a unique index.
Remark 2. We note that whether Sign() is probabilistic or deterministic remains open, as it may vary depending on the specific construction employed.
In more detail, unforgeability holds when only a user possessing the secret key for some public key in a ring can generate a valid signature with respect to that ring. Signer-linkability concerns the scenario where, with respect to a derived public key, the key owner generates two or more valid signatures; these signatures will be identified as linked. This fulfills the security requirement of preventing double spending in cryptocurrencies. Signer-non-slanderability ensures that no one can falsely implicate other users by creating a signature linked to a signature of the target user.
For privacy requirements, signer-anonymity ensures that, given a valid signature for a ring of derived public keys, it is infeasible for anyone to identify the signer's derived public key within the ring. This property captures the privacy-preserving requirement of concealing the payer's identity. Master-public-key-unlinkability ensures that, given a derived public key and its corresponding signatures, it is impossible to determine which master public key, from a known set of master public keys, was the origin of the derivation. Derived-public-key-unlinkability ensures that, given two derived public keys and their corresponding signatures, it is impossible to ascertain whether they are derived from the same master public key. This property ensures privacy by obscuring the link between payees in different transactions.
In particular, Liu et al. [13] show that unforgeability is implied by signer-linkability and signer-non-slanderability together, and derived-public-key-unlinkability is implied by master-public-key-unlinkability. We focus mainly on the remaining four properties in this paper. Formal definitions of the security properties are given as follows.
Definition 1 (Signer-Linkability). For an SALRS scheme defined according to the specifications described above, for any PPT adversary A, consider the following experiment Exp^{snlink}_A(κ):
• Setup Phase. PP ← Setup(κ; r) is executed, where r represents the randomness used within Setup(). A acquires both PP and r.
where k ≥ 2. The adversary
Definition 2 (Signer-Non-Slanderability). For an SALRS scheme defined according to the specifications described above, for any PPT adversary A, consider the following experiment Exp^{snnsl}_A(κ):
Taking as input a message M ∈ M, a ring of well-formed derived public keys R, and a derived public key DPK ∈ R ∩ L_dpk, the adversary A receives from this oracle a signature σ ← Sign(M, R, DPK, MPK_i, MSK_i), where (MPK_i, MSK_i) represents the master key pair for DPK.
Definition 3 (Signer-Anonymity). For an SALRS scheme defined according to the specifications described above, for any PPT adversary A, consider the following experiment Exp^{snano}_A(κ):
• Setup Phase. Same as the Setup phase in the experiment Exp^{snnsl}_A(κ) as defined in Definition 2.
• Probing Phase 1. Same as the Probing phase in the experiment Exp^{snnsl}_A(κ) as defined in Definition 2.
• Challenge Phase. The adversary A outputs a message M* ∈ M, a ring of well-formed derived public keys R*, and two indices i_0,
With these comprehensive security and privacy models, SALRS effectively addresses the security- and privacy-preserving requirements essential in practical cryptocurrency scenarios. Notably, SALRS accommodates rings containing derived public keys that an adversary generated from their own master public keys. This realistic feature acknowledges situations where an attacker might create derived public keys from their master public keys and engage in transactions among these keys with the intention of executing attacks, such as double spending or compromising the security and privacy of other users.

Universal Composability
We adopt the concept of universally composable security as defined by Canetti [19]. This framework offers a systematic approach to defining the security properties of cryptographic primitives, ensuring that security is preserved under general composition with an unbounded number of instances of arbitrary protocols running concurrently. Within this framework, all protocols operate in a specified computational environment in the presence of an adversary. The computational environment represents the other protocols that may be executed concurrently with the protocol under consideration.
Given that communication in the actual network is public, with no assurance of message delivery, and asynchronous, with no guarantee that messages are delivered in order, we presume that the communication between parties is authenticated. This authentication ensures that messages sent by honest parties cannot be tampered with. We proceed by providing an overview of the model for protocol execution, known as the real-world model of computation. Subsequently, we introduce the ideal-world model of computation and present the general definition of security that realizes an ideal functionality.
In the real world, there exists an adversary A and a protocol π that realizes a functionality among several parties. We consider the output of environment Z when interacting with adversary A and parties P_1, ..., P_n running protocol π on security parameter k, auxiliary input z, and random input r = (r_Z, r_A, r_1, ..., r_n), where each element represents the random tape used by the corresponding participant. We use the notation REAL_{π,A,Z}(k, z, r) to represent this output. Additionally, let REAL_{π,A,Z}(k, z) denote the random variable describing REAL_{π,A,Z}(k, z, r) when r is uniformly chosen.
In the ideal world, there is a simulator S that simulates the real-world scenario, an ideal functionality F, and n dummy parties to complete the simulation. Let IDEAL_{F,S,Z}(k, z, r) denote the output of environment Z when interacting with adversary S and ideal functionality F on security parameter k, auxiliary input z, and random input r = (r_Z, r_S, r_F), where each element represents the random tape used by the corresponding participant. Let IDEAL_{F,S,Z}(k, z) denote the random variable describing IDEAL_{F,S,Z}(k, z, r) when r is uniformly chosen.
The definition of universal composability is shown as follows.
Definition 5 (Universal Composability [19]). A protocol π UC-realizes a well-designed ideal functionality F if, for any PPT adversary A, there exists a simulator S such that, for every environment Z, the ensembles REAL_{π,A,Z} and IDEAL_{F,S,Z} are indistinguishable.

Security Model of SALRS in the UC Framework
In this section, we define the security model of SALRS in the universal composability model by introducing the newly designed ideal functionality F_SALRS. The definition of F_PDPKS is presented in Figure 1.
We assume that this ideal functionality operates under a fixed system parameter; hence the Setup interface is omitted from the functionality. This omission eliminates the need for repetitive checks on the validity of system parameters in subsequent interfaces.
Remark 3. Our definition in the UC framework captures the correctness, soundness, and privacy of SALRS simultaneously. A formal proof establishing the existence of a UC-secure construction is presented in Section 4.

Linkable Ring Signature Supporting Stealth Address
The functionality F_SALRS is parameterized with a fixed system parameter PP, and interacts with n participants P_1, ..., P_n and a simulator S. Empty sets L_{dpk,i} are initialized for i ∈ [n].
• DPKDerive: Upon receiving (DPKDerive, sid, mpk'_i) from a party P_j:
1. If there is no record (P_i, mpk_i) in memory such that mpk'_i = mpk_i, then ignore this request.
2. Otherwise, send (DPKDerive, sid, mpk'_i, P_i) to the simulator S. Upon receiving (DPKDerived, sid, dpk_i, P_i) from the simulator S, send (DPKDerived, sid, dpk_i, P_i) to P_j, and update L_{dpk,i} = L_{dpk,i} ∪ {dpk_i}.
• DPKOwnerCheck: Upon receiving (DPKOwnerCheck, sid, dpk_i) from a party P_i:
2. If P_i has not been compromised and
Send (DPKOwnerChecked, sid, dpk_i, P_i, f) to P_i.
• DPKPublicCheck: Upon receiving (DPKPublicCheck, sid, dpk_i) from a party P_j:
1.
2. If P_j has not been compromised and dpk_i belongs to some set L_{dpk,i} (where i ∈
Send (DPKPublicChecked, sid, dpk_i, f) to P_j.
• Sign: Upon receiving (Sign, sid, M, R, dpk_i) from a party P_i:
1. Send (Sign, sid, M, R, dpk_i, P_i) to the simulator S, and receive the response (Signature, sid, M, R, σ, dpk_i) from S.
2. If P_i is uncompromised, and either the derived public key ring R is incorrectly formatted or dpk_i ∉ L_{dpk,i}, return an error message to P_i. Otherwise, check whether there is a record (M, R, σ, dpk_i, 0) in memory. If found, output an error message to P_i. Otherwise, record (M, R, σ, dpk_i, 1) and return (Signature, sid, M, R, σ, dpk_i) to P_i.
• Verify: Upon receiving (Verify, sid, M, R, σ) from a party P_i: Send (Verify, sid, M, R, σ) to the simulator S. Upon receiving (Verified, sid, M, R, σ, f') from the simulator S, return (Verified, sid, M, R, σ, f), where f is determined as follows:
– If the derived public key ring R is well formed and there is a record (M, R, σ, *, 1) in memory, where "*" serves as a wildcard, set f = 1.
– Otherwise, if the derived public key ring R is well formed and there is no record about (M, R, σ) in memory, set f = 0.
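The memory rules above (Sign records (M, R, σ, dpk, 1); Verify accepts only recorded triples) are exactly what the distinguishing environments in Section 4 rely on. The following Python model is an added illustration, not code from the paper or from any SALRS implementation: it replays those rules on constructed inputs and shows why a signature that Sign never produced cannot verify in the ideal world, and why two signatures under the same derived key are linked there. The Link rule (both signatures recorded under the same dpk), the handling of malformed rings, and the fall-through to the simulator's bit f' are assumptions filled in where Figure 1 is cut off on the page.

```python
# Added toy model of the F_SALRS memory rules (not the paper's code). Sigma values
# come from a stand-in simulator S; Link, malformed-ring handling and the f' fall-through
# are assumptions where Figure 1 is cut off on the page.
import secrets

WILDCARD = None  # the "*" wildcard of a memory record (M, R, sigma, *, bit)


class Simulator:
    """Stand-in for S: a signature is a fresh random string carrying no signer information."""

    def sign(self, M, R, dpk):
        return secrets.token_hex(16)  # dpk is deliberately ignored (signer-anonymity)

    def verify(self, M, R, sigma):
        return 0  # S's bit f' only matters where the functionality does not decide itself


class IdealSALRS:
    """Bookkeeping of F_SALRS for the Sign, Verify and Link interfaces."""

    def __init__(self, simulator):
        self.simulator = simulator
        self.dpk_sets = {}        # L_dpk,i : party -> set of derived public keys
        self.compromised = set()  # parties controlled by the adversary
        self.records = []         # memory: tuples (M, R, sigma, dpk, bit)

    def register_dpk(self, party, dpk):
        """Models the DPKDerived update L_dpk,i = L_dpk,i ∪ {dpk_i}."""
        self.dpk_sets.setdefault(party, set()).add(dpk)

    @staticmethod
    def well_formed(ring):
        # Remark 1: a ring is an ordered set of public keys, so non-empty and without duplicates
        return len(ring) > 0 and len(set(ring)) == len(ring)

    def _lookup(self, M, R, sigma):
        return [rec for rec in self.records if rec[:3] == (M, R, sigma)]

    def sign(self, party, M, R, dpk):
        """Sign interface; returns sigma, or None for the functionality's error cases."""
        sigma = self.simulator.sign(M, R, dpk)
        if party not in self.compromised:
            if not self.well_formed(R) or dpk not in self.dpk_sets.get(party, set()):
                return None  # malformed ring or dpk ∉ L_dpk,i
        if any(rec[3] == dpk and rec[4] == 0 for rec in self._lookup(M, R, sigma)):
            return None  # a record (M, R, sigma, dpk, 0) already exists
        self.records.append((M, R, sigma, dpk, 1))
        return sigma

    def verify(self, M, R, sigma):
        """Verify interface; the two decided cases ignore the simulator's bit f'."""
        f_prime = self.simulator.verify(M, R, sigma)
        found = self._lookup(M, R, sigma)
        if self.well_formed(R) and any(rec[4] == 1 for rec in found):
            return 1  # some record (M, R, sigma, *, 1): an honestly produced signature
        if self.well_formed(R) and not found:
            return 0  # nothing known about (M, R, sigma): forgeries are rejected here
        if found:
            return 0  # assumption: only bit-0 records remain for this triple
        return f_prime  # assumption: malformed ring with no record, defer to S

    def link(self, M0, R0, s0, M1, R1, s1):
        """Link interface (assumption): linked iff both verify and share a recorded dpk."""
        if self.verify(M0, R0, s0) != 1 or self.verify(M1, R1, s1) != 1:
            return 0
        d0 = {rec[3] for rec in self._lookup(M0, R0, s0) if rec[4] == 1}
        d1 = {rec[3] for rec in self._lookup(M1, R1, s1) if rec[4] == 1}
        return int(bool(d0 & d1))


def demo():
    """Replays the Section 4 scenarios on constructed inputs; returns the observed bits."""
    F = IdealSALRS(Simulator())
    F.register_dpk("P1", "dpk_1")  # constructed keys, as if output by DPKDerive
    F.register_dpk("P2", "dpk_2")
    ring = ("dpk_1", "dpk_2", "dpk_adv")  # dpk_adv: an adversary-derived key in the ring
    s0 = F.sign("P1", "tx-1", ring, "dpk_1")
    s1 = F.sign("P1", "tx-2", ring, "dpk_1")  # second spend from the same dpk
    s2 = F.sign("P2", "tx-3", ring, "dpk_2")
    bad = F.sign("P1", "tx-4", ring, "dpk_2")  # dpk_2 ∉ L_dpk,1 -> error
    forged = "00" * 16  # constructed sigma that Sign never produced
    return {
        "honest_verifies": F.verify("tx-1", ring, s0),                      # 1
        "forgery_verifies": F.verify("tx-5", ring, forged),                 # 0: no record
        "linked_same_dpk": F.link("tx-1", ring, s0, "tx-2", ring, s1),      # 1: signer-linkability
        "linked_diff_dpk": F.link("tx-1", ring, s0, "tx-3", ring, s2),      # 0
        "slander_attempt": F.link("tx-1", ring, s0, "tx-5", ring, forged),  # 0: forged sigma fails
        "bad_sign_rejected": bad is None,                                   # True
    }
```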

A UC-Secure SALRS Construction
In this section, we prove that the UC-security of SALRS defined above in Section 3 is equivalent to satisfying signer-linkability, signer-non-slanderability, signer-anonymity, and master-public-key-unlinkability simultaneously.
Firstly, if Σ lacks signer-linkability, there exists an adversary G that can break the signer-linkability property of Σ with a non-negligible advantage. In other words, there exists a PPT adversary A such that, for any ideal-world simulator S, there is an environment Z that, with the assistance of G, can distinguish (S, F_SALRS) and (A, π_Σ) with a non-negligible probability. The process of the environment Z is as follows:
1. Z activates the Setup party T with (Setup, sid, T), obtaining system parameters PP, and sends PP to adversary G.
) from adversary G, consisting of messages, well-formed derived public key rings, and signatures.
In step 2, because adversary G can break the signer-linkability of Σ, the k tuples received by Z satisfy the following conditions:
1. Verify(M
When Z executes in the real world, all these conditions can be verified. However, when Z executes in the ideal world, since the ideal functionality F_SALRS does not store the relevant information, the first condition cannot be verified. Therefore, Z distinguishes between the real and ideal worlds, and the probability that Z does so equals the probability that G breaks signer-linkability. Hence, if Σ does not satisfy signer-linkability, then π_Σ cannot UC-realize F_SALRS.
Secondly, if Σ lacks signer-non-slanderability, there exists an adversary G that can break the signer-non-slanderability property of Σ with a non-negligible advantage. In other words, there exists a PPT adversary A such that, for any ideal-world simulator S, there is an environment Z that, with the assistance of G, can distinguish (S, F_SALRS) and (A, π_Σ) with a non-negligible probability. The interaction process of the environment Z is as follows:
1. Z activates the Setup party T with (Setup, sid, T), obtaining system parameters PP, and sends PP to adversary G.
2. When Z receives a query on the master public key of a participant P_i from adversary G, Z activates participant P_i to obtain its master public key and sends it to G. G can inquire about the master public key of any participant.
3. When Z receives a query (DPKOwnerCheck, sid, dpk_i, P_i) from adversary G regarding whether a given derived public key dpk_i is derived from a given master public key, Z activates participant P_i to obtain the check result and sends it to G.
4. When Z receives a signature query about (M, R, dpk_i) from adversary G, Z activates the owner of the derived public key dpk_i to obtain the signature and sends it to G.
5. When Z receives two well-formed tuples (M̃, R̃, σ̃) and (M*, R*, σ*) from adversary G, where (1) (M*, R*, σ*) passes signature verification, (2) (M̃, R̃, σ̃) is the signature result of G's query to Z about a derived public key d̃pk, (3) (M̃, R̃, σ̃) is not the signature result of G's query to Z about the derived public key d̃pk, and (4) the two tuples pass the linkability check, Z outputs 0 and halts. Otherwise, Z activates the party to return the linkability bit. Z obtains such tuples, and if Z is interacting with A and π_Σ in the real world, Z will output 1, since signature verification and linkability verification are valid. If Z is interacting with S and F_SALRS in the ideal world, Z will output 0, because either the ideal functionality F_SALRS does not record (M*, R*, *, σ*), so signature verification cannot pass, or F_SALRS records (M*, R*, *, σ*) but * ≠ d̃pk, so linkability verification cannot pass.
Since G can break the signer-non-slanderability property of Σ with a non-negligible probability, the probability that Z outputs 1 when interacting with the real model is also non-negligible. Therefore, Z can distinguish the interaction with the real model from that with the ideal model with a non-negligible probability. In other words, if Σ lacks signer-non-slanderability, then π_Σ cannot UC-realize F_SALRS.
Thirdly, if Σ lacks signer-anonymity, there exists an adversary G that can break the signer-anonymity property of Σ with a non-negligible advantage. In other words, there exists a PPT adversary A such that, for any ideal-world simulator S, there is an environment Z that, with the assistance of G, can distinguish (S, F_SALRS) and (A, π_Σ) with a non-negligible probability. The interaction process of the environment Z is as follows:
1. Activate parties {P_i}_{i∈[poly(κ)]} with the message (Masterkeygen, sid, PP) to obtain their individual master public keys.
2. Send {mpk_i}_{i∈[poly(κ)]} to G, and play the roles of the oracle O_DPKAdd(•, •) for adding derived public keys and the signing oracle O_Sign(•, •, •). Initialize the empty set L_dpk = ∅.
3. Receive a message M*, a well-formed derived public key ring R*, and two derived public keys dpk_{i_0} and dpk_{i_1} from G, satisfying the following: (1) neither dpk_{i_0} nor dpk_{i_1} was queried before as an input to the oracle O_Sign(•, •, •).
4. Randomly choose a bit b ∈ {0, 1}, run the DPKOwnerCheck algorithm to obtain the participant corresponding to the selected target derived public key dpk_{i_b}, and activate this participant to obtain a signature σ ← Sign(M*, R*, dpk_{i_b}, mpk, msk), where (mpk, msk) is the master key pair corresponding to dpk_{i_b}. Send this signature σ to G.
6. Receive b' from G; output 1 if b ≠ b', otherwise output 0, and halt.
In step 2, adversary G issues queries q_1, ..., q_m, where each query q_l is one of the following:
• Oracle O_DPKAdd(•, •): Z receives a request to add a derived public key dpk under the master public key mpk_i. Z sends a derived-public-key owner check request regarding this information to the participant P_i corresponding to the master public key mpk_i, obtaining the return value b ← DPKOwnerCheck(dpk, mpk_i, msk_i).
• Oracle O_Sign(•, •, •): Z receives a signature request concerning a message M, a well-formed derived public key ring R, and a derived public key dpk ∈ R ∩ L_dpk. Z looks up the owner of the derived public key dpk and activates that owner with the signature request. Z receives the returned signature σ ← Sign(M, R, dpk, mpk_i, msk_i), where (mpk_i, msk_i) is the master key pair corresponding to dpk, and returns σ to G.
These queries may be adaptive, meaning that each query q_l may be determined based on the answers to the previous queries q_1, ..., q_{l−1}.
In step 5, adversary G issues further queries q_{m+1}, ..., q_n, where q_l may be adaptively chosen as in step 2, except that O_Sign(dpk_{i_0}, •, •) and O_Sign(dpk_{i_1}, •, •) cannot be queried.
When Z interacts with A and π_Σ, Z obtains in step 4 a signature σ ← Sign(M*, R*, dpk_{i_b}, mpk, msk), and G can break signer-anonymity with a non-negligible advantage. When Z interacts with A and π_Σ, we use Pr[Z → 1 | Z ↔ REAL] to denote the probability that Z outputs 1.
In contrast, when Z interacts with the ideal functionality F_SALRS and any adversary, G's view is statistically independent of b. In this case, the probability that b = b' is exactly one half. G's view is independent of b: it consists of the outputs of the derived-public-key-checking and signing algorithms, the σ randomly generated by S is independent of b, and the oracle answers provided by Z are also independent of b.
When Z interacts with S and the ideal functionality F_SALRS, we denote by Pr[Z → 1 | Z ↔ IDEAL] the probability that Z outputs 1.
Therefore, the probability Pr . Thus, Z can distinguish (π_Σ, A) and (F_SALRS, S) with a non-negligible probability, proving that UC-security of SALRS implies signer-anonymity of SALRS.
Fourthly, if Σ lacks master-public-key-unlinkability, there exists an adversary G that can break the master-public-key-unlinkability property of Σ with a non-negligible advantage. In other words, there exists a PPT adversary A such that, for any ideal-world simulator S, there is an environment Z that, with the assistance of G, can distinguish (F_SALRS, S) and (π_Σ, A) with a non-negligible probability. The interaction process of the environment Z is as follows:
1. Activate each participant {P_i}_{i∈[poly(κ)]} with the message (Masterkeygen, sid, PP), obtaining the master public keys {mpk_i}_{i∈[poly(κ)]}, and send them to G.
2. Play the roles of the oracle O_DPKAdd(•, •) and the signing oracle O_Sign(•, •, •) for adversary G during the interaction. Initialize an empty set L_dpk = ∅.
3. G sends two master public keys mpk_{i_0} and mpk_{i_1} to Z. Z randomly chooses a bit b ← {0, 1}, selects an arbitrary participant P_r, and activates P_r with (DPKDerive, sid, mpk_{i_b}), obtaining dpk* ← DPKDerive(mpk_{i_b}).
4. Send dpk* to G as the target derived public key.
5. Continue playing the roles of the oracle O_DPKAdd(•, •) and the signing oracle O_Sign(•, •, •) for adversary G, except that queries O_DPKAdd(dpk*, mpk_{i_j}) with j ∈ {0, 1} cannot be made.
6. G outputs b' as its guess. If b = b', output 1; otherwise, output 0 and halt.
In step 2, adversary G issues queries q_1, ..., q_m, where each query q_l can be one of the following:
• Oracle O_DPKAdd(•, •): When Z receives a query from G about whether a given derived public key dpk belongs to a certain master public key mpk_i, Z forwards this information to the participant P_i corresponding to mpk_i. When Z receives the result b ← DPKOwnerCheck(dpk, mpk_i, msk_i) from participant P_i, if b = 1, update L_dpk = L_dpk ∪ {dpk}. Submit the result b to G.
These queries may be adaptive, meaning that each query q_l may depend on the responses to the previous queries q_1, ..., q_{l−1}.
In step 5, adversary G issues additional queries q_{m+1}, ..., q_n, where q_l may be adaptively chosen as in step 2, except that queries O_DPKAdd(dpk*, dpk_{i_j}), where j ∈ {0, 1}, cannot be made.
When Z interacts with A and π_Σ, in step 3 Z obtains dpk* ← DPKDerive(mpk_{i_b}), and G can break master-public-key-unlinkability with a non-negligible advantage. When Z interacts with A and π_Σ, we use Pr[Z → 1 | Z ↔ REAL] to denote the probability that Z outputs 1.
In contrast, when Z interacts with the ideal functionality F_SALRS and any adversary, G's view is statistically independent of b. In this case, the probability that b = b' is exactly one half. The derived public key dpk* generated by S is independent of b, and the oracle answers provided by Z are also independent of b. When Z interacts with S and F_SALRS in the ideal world, let Pr[Z → 1 | Z ↔ IDEAL] denote the probability that Z outputs 1.
Thus, Z can distinguish (π_Σ, A) from (F_SALRS, S) with a non-negligible probability, demonstrating that UC-security of SALRS implies master-public-key-unlinkability of SALRS.
Proof.We establish the proof through a method of contradiction.In other words, if π Σ cannot UC-realize F SALRS , then Σ fails to satisfy at least one of the properties: signerlinkability, signer-non-slanderability, signer-anonymity, or master-public-key-unlinkability.
Firstly, we claim that if π Σ cannot UC-realize F SALRS , while satisfying the other three properties, it can be deduced that Σ does not satisfy signer-linkability.In more detail, we assume the existence of an adversary A in the real world such that for any ideal world adversary S, there exists an environment Z capable of distinguishing (S, F SALRS ) and (A, π Σ ).If this holds true, then there exists an adversary B that simulates the simulator S and the ideal functionality F SALRS , using the environment Z to distinguish between the ideal and real world.
B simulates the ideal adversary S in the following manner: Firstly, B obtains the public key mpk i of participant P i from Z.

1.
Upon receiving input from the environment Z, B forwards this input to A and replicates A's output as its own output.

2.
Upon receiving (DPKDerive, sid, mpk ′ i ) from F SALRS , B first checks if mpk ′ i = mpk i .If not, it ignores this information; otherwise, it runs the algorithm DPKDerive(mpk i ) to obtain a derived public key dpk i corresponding to mpk i .

3.
Upon receiving (DPKOwnerCheck, sid, dpk i ) from F SALRS , B queries the derived public key adding oracle O DPKAdd (•) to verify whether dpk i is derived from mpk i and returns the verification result (DPKOwnerChecked, sid, dpk i , f ).

4.
Upon receiving (DPKPublicCheck, sid, dpk i ) from F SALRS , B runs the corresponding algorithm and returns the verification result.

5.
Upon receiving (Sign, sid, M, R, dpk i ) from F SALRS , B queries the signature oracle O Sign (•, •, •) to obtain a signature σ for the message M, the ring R, and the derived public key dpk i , and returns (Signature, sid, M, R, σ, dpk i ).

6.
Upon receiving (Verify, sid, M, R, σ) from F SALRS , B runs the verification algorithm to obtain a verification value f and returns (Verified, sid, M, R, σ, f ).
Clearly, in the above interaction, through querying oracles and invoking algorithms, the simulated S and F SALRS by B are indistinguishable from the real S and F SALRS .
When the environment Z activates the participant P_j with (Link, sid, , B verifies whether this information is linkable. If the linkability verification fails, and at the same time B can successfully verify the signatures for the tuples , obtaining signatures σ*_0 and σ*_1, where *_0 ≠ *_1, then B outputs (Link, sid, M_0, R_0, σ_0, M_1, R_1, σ_1) and halts. In other words, B has obtained a set of information that breaks the linkability of signers. Otherwise, B continues the simulation.
If B can obtain such a set of information, then for the input (Link, sid, , if Z interacts with the real-world protocol π_Σ, the output observed by Z is 1; if Z executes in the ideal world, Z observes an output of 0. In other words, Z can distinguish whether it is interacting with the ideal functionality F_SALRS or with the implemented protocol π_Σ. Therefore, if the probability of B successfully breaking signer-linkability is negligible, then the probability that the environment Z can distinguish between the real world and the ideal world is also negligible, contradicting the assumption.
Therefore, there exists some h ∈ {0, . . . , l} such that

Here, without loss of generality, we assume H_{h−1} − H_h > negl(κ)/l. Thus, the advantage of the adversary G_h is as follows:

This implies that G_h has a non-negligible advantage with respect to κ, as l is polynomially bounded in κ. Therefore, if the environment Z can distinguish between the real and ideal worlds, there exists an adversary B that, with the help of the environment Z, breaks the signer-anonymity of Σ.
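The hybrid step above, carried through as an added derivation that is not part of the original paper. It assumes that H_h denotes the probability that Z outputs 1 in the h-th hybrid experiment, with H_0 the real-world execution (A, π_Σ) and H_l the ideal-world execution (S, F_SALRS), and that the challenge bit b of G_h selects between hybrid h−1 (b = 0) and hybrid h (b = 1); the advantage notation Adv^{snano}_{Σ,G_h}(κ) follows the paper's Adv^{mpkunl}_{Σ,G_h}(κ) and is likewise an assumption.

$$
H_0 - H_l = \sum_{h=1}^{l} \left(H_{h-1} - H_h\right).
$$

If every term satisfied $H_{h-1} - H_h \le \mathrm{negl}(\kappa)/l$, then summing the $l$ terms would give $H_0 - H_l \le \mathrm{negl}(\kappa)$, contradicting the assumption that $Z$ distinguishes the two worlds with non-negligible advantage; hence some index $h$ satisfies $H_{h-1} - H_h > \mathrm{negl}(\kappa)/l$. For that $h$,

$$
\mathrm{Adv}^{\mathrm{snano}}_{\Sigma,G_h}(\kappa)
= \bigl|\Pr[G_h \text{ outputs } 1 \mid b = 0] - \Pr[G_h \text{ outputs } 1 \mid b = 1]\bigr|
= \bigl|H_{h-1} - H_h\bigr| > \frac{\mathrm{negl}(\kappa)}{l},
$$

which is non-negligible in $\kappa$ because $l = \mathrm{poly}(\kappa)$.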
Finally, we claim that if π_Σ cannot UC-realize F_SALRS while satisfying the other three properties, it can be deduced that Σ does not satisfy master-public-key-unlinkability. More specifically, we assume the existence of an adversary A in the real world such that, for any ideal-world adversary S, there exists an environment Z that can distinguish (S, F_SALRS) from (A, π_Σ) for any fixed security parameter κ and fixed input z, as shown in Equation (3).
We demonstrate that the adversary G_h has an advantage in the master-public-key-unlinkability game, denoted Adv^{mpkunl}_{Σ,G_h}(κ) > negl(κ)/l, where l is the total number of generated target derived public keys. The public keys of the participants, denoted {mpk_i}_{i∈[poly(κ)]}, are sent to both G_h and Z, allowing G_h to query the aforementioned two oracles. G_h simulates the environment Z in a manner analogous to the execution of π_Σ / F_SALRS.

1. For the first h − 1 queries, Z requests participant P_j to provide a derived public key dpk_n related to mpk_i, where n ∈ [h − 1]. G_h instructs P_j to execute the corresponding algorithm and return dpk_n ← DPKDerive(mpk_i).

2. For the h-th query, Z requests participant P_j to provide a derived public key dpk_h related to mpk_i. G_h randomly selects a public key mpk_r such that mpk_i ≠ mpk_r and queries the oracle O_DPKDerive(·) with the information (mpk_i, mpk_r) to obtain the target derived public key dpk_h. Subsequently, G_h submits dpk_h as the derived public key for mpk_i. In other words, dpk_h ← DPKDerive(PP, mpk_i) when b = 0, or dpk_h ← DPKDerive(PP, mpk_r) when b = 1.

3. For the remaining l − h queries, Z requests participant P_j to provide a derived public key dpk_n related to mpk_i, where n ∈ [l] \ [h]. G_h instructs P_j to return dpk_n ← DPKDerive(PP, mpk_r).

4. Whenever participant P_i is activated with the input (DPKOwnerCheck, sid, dpk), G_h instructs P_i to return the corresponding result f, where f = 1 indicates that dpk is linked to the public key of P_i. Otherwise, G_h queries the oracle O_DPKAdd(·, ·) about ideal worlds, there exists an adversary B that, with the help of the environment Z, breaks the master-public-key-unlinkability of Σ.
Consequently, we arrive at the following theorem.
Theorem 1. Let Σ be an SALRS scheme. The corresponding protocol π_Σ securely realizes the ideal functionality F_SALRS if and only if the scheme Σ satisfies signer-linkability, signer-non-slanderability, signer-anonymity, and master-public-key-unlinkability simultaneously.
Proof. The proof follows from the preceding two lemmas.

Conclusions
In this paper, we revisited and formalized the ideal functionality of the linkable ring signature supporting stealth addresses (SALRS) within the universal composability (UC) model, encapsulating all correctness, soundness, and privacy considerations. Furthermore, we showed that the newly introduced UC-security property for SALRS is equivalent to the simultaneous fulfillment of the essential game-based security properties: signer-unlinkability, signer-non-slanderability, signer-anonymity, and master-public-key-unlinkability. This finding not only preserves the security of pre-existing SALRS designs within the UC framework but also highlights their seamless integration with other UC-secure primitives in intricate blockchain systems. Future research may focus on providing security proofs for further cryptographic primitives in the UC model within the context of blockchain, thereby strengthening the overall security of the blockchain structure.

Figure 1. Ideal functionality of linkable ring signature supporting stealth addresses.
DPK, MPK, MSK) → σ. Taking as input a message M, a ring of well-formed derived public keys R = (DPK_1, . . . , DPK_r), a derived public key DPK ∈ R, and its corresponding master public/private key pair (MPK, MSK), the key owner can execute the signing algorithm to generate a signature σ on the message M with respect to the ring R.
any ring of well-formed derived public keys R, and ∀DPK_s ∈ R s.t. DPKOwnerCheck(DPK_s, MPK, MSK) = 1 for some master key pair (MPK, MSK), it holds that Verify(M, R, Sign(M, R, DPK_s, MPK, MSK)) = 1.
• ∀M_0, M_1 ∈ M, any well-formed derived public key rings R_0, R_1, and ∀DPK_{s_0} ∈ R_0, DPK_{s_1} ∈ R_1, s.t. DPKOwnerCheck(DPK_{s_i}, MPK_i, MSK_i) = 1 for some master key pairs and (3) none of DPK_{i_0} or DPK_{i_1} were queried as input of O_Sign. A challenge bit b ∈ {0, 1} is selected; the adversary A is provided with the signature σ ← Sign(M*, R*, DPK_{i_b}, MPK, MSK), where (MPK, MSK) is the master key pair for DPK_{i_b}.
• Probing Phase 2. Same as Probing Phase 1, with the added condition that none of DPK_{i_0} or DPK_{i_1} were queried as an input of O_Sign.
• Output Phase. The adversary A outputs a bit b' ∈ {0, 1} as its guess for b. The advantage of the adversary A winning Exp^{snano}_A
The SALRS scheme is signer-anonymous if, for any PPT adversary A, there is a negligible function negl(·) such that Adv^{snano}_A ≤ negl(·).
Definition 4 (Master-Public-Key-Unlinkability). For an SALRS scheme defined according to the specifications described above, for any PPT adversary A, consider the following experiment Exp^{mpkunl}_A(κ):
• Setup Phase. Same as the Setup Phase in the experiment Exp^{snnsl}_A(κ) as defined in Definition 2.
• Probing Phase 1. Same as the Probing Phase in the experiment Exp^{snnsl}_A(κ) as defined in Definition 2.
• Challenge Phase. The adversary A outputs two indices i_0, i_1 ∈ [poly(κ)] such that i_0 ≠ i_1. A challenge bit b ∈ {0, 1} is selected, and the adversary A is provided with the derived public key DPK* ← DPKDerive(MPK_{i_b}). Update L_dpk = L_dpk ∪ {DPK*}.
• Probing Phase 2. Same as Probing Phase 1, with the added condition that none of (DPK*, MPK_{i_j})_{j∈{0,1}} were queried as an input of O_DPKAdd.
• Output Phase. The adversary A outputs a bit b' ∈ {0, 1} as its guess for b. The advantage of the adversary A winning Exp^{mpkunl}_A
• Setup: Upon receiving input (Setup, sid, T), where T is a setup party, T acquires the system parameter PP by executing the Setup algorithm with a security parameter κ, and subsequently outputs PP.
• MasterKeyGen: Upon receiving input (MasterKeyGen, sid, PP), a participant P_i executes the MasterKeyGen algorithm with the system parameters PP, generating a master key pair (mpk_i, msk_i), and outputs the corresponding master public key mpk_i.
• DPKDerive: Upon receiving input (DPKDerive, sid, mpk_i), a participant P_j runs the DPKDerive algorithm with mpk_i and PP, generating a derived public key dpk_i corresponding to the master public key mpk_i.
• DPKOwnerCheck: Upon receiving input (DPKOwnerCheck, sid, dpk_i), a participant P_i executes the DPKOwnerCheck algorithm, determining a bit value b ∈ {0, 1} that indicates whether dpk_i is derived from P_i's master public key mpk_i.
• DPKPublicCheck: Upon receiving input (DPKPublicCheck, sid, dpk_i), a participant P_j executes the DPKPublicCheck algorithm to assess whether dpk_i is a well-formed derived public key derived from any master public key in the system, yielding a bit value b ∈ {0, 1}.
• Sign: Upon receiving input (Sign, sid, M, R, dpk_i), a participant P_i executes the Sign algorithm, producing a signature σ.
• Verify: Upon receiving input (Verify, sid, M, R, σ), a participant P_j executes the verification algorithm, determining a bit value b ∈ {0, 1}, where b = 1 denotes a valid signature and b = 0 an invalid one.
• Link: Upon receiving input (Link, sid, M_0, R_0, σ_0, M_1, R_1, σ_1), a participant P_j executes the Link algorithm, determining a bit value b ∈ {0, 1}, where b = 1 signifies that the two signatures are linkable and b = 0 signifies non-linkability.