CSI-Otter: isogeny-based (partially) blind signatures from the class group action with a twist

In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the linear identification protocol abstraction introduced by Hauck, Kiltz, and Loss (EUROCRYPT'19), which was used to generically construct Schnorr-like blind signatures based on modules such as classical groups and lattices. Consequently, our scheme is provably secure in the random oracle model (ROM) against poly-logarithmically-many concurrent sessions assuming the subexponential hardness of the group action inverse problem. In more detail, our blind signature exploits the quadratic twist of an elliptic curve in an essential way to endow isogenies with a strictly richer structure than abstract group actions (but still more restrictive than modules). The basic scheme has public key size 128 B and signature size 8 KB under the CSIDH-512 parameter sets; these are the smallest among all provably secure post-quantum blind signatures. Relying on a new ring variant of the group action inverse problem (rGAIP), we can halve the signature size to 4 KB while increasing the public key size to 512 B.
We provide preliminary cryptanalysis of rGAIP and show that for certain parameter settings, it is essentially as secure as the standard GAIP. Finally, we show a novel way to turn our blind signature into a partially blind signature, where we deviate from prior methods since they require hashing into the set of public keys while hiding the corresponding secret key; constructing such a hash function in the isogeny setting remains an open problem.


Introduction
Blind signatures, introduced by Chaum [Cha82], allow a user to obtain a signature on a message from a signer while the signer is blind to the message it signed. One can think of the physical analogy where a user puts a letter, acting as the message to be signed, into a special carbon-paper envelope. The signer can sign the envelope without opening it; the signature is transferred to the letter by the carbon paper, and the letter is never visible to the signer. In practice, it is sometimes necessary to consider the extension to partially blind signatures, introduced by Abe and Fujisaki [AF96], which further allow embedding a message agreed upon by both the signer and the user into the signature. The message can now be divided into public and private parts, where the public part can include, for instance, the expiration date of the signature. While (partially) blind signatures were originally used to construct e-cash [Cha82, CFN90, OO92], anonymous credentials [Bra94, CL01], and e-voting [Cha88, FOO92], the notion has recently seen renewed interest due to applications in blockchains [YL19, BDE+23] and privacy-preserving authentication tokens [VPN22, HIP+22].
Currently, the most promising class of efficient blind signatures known to withstand quantum attacks is that based on lattices. There has recently been significant progress in lattice-based blind signatures, such as [HKLN20, LNP22, AKSY22, dK22], whose signature sizes currently range from roughly 50 KB to 10 MB. However, this is still an order of magnitude or more larger than their classical counterparts, whose signature sizes range from a few hundred bytes to 1 KB. As we see a continuous surge of interest in post-quantum security and better user privacy, we aim to investigate post-quantum blind signatures with smaller signature sizes.
One potentially promising path to a post-quantum blind signature with short signatures is to rely on isogeny-based constructions. This is because, while their signing and verification are slower, standard isogeny-based signature schemes [DG19, BKV19, DKL+20] are known to produce signatures comparable to or even smaller than those of lattice-based schemes. In fact, for more advanced forms of signature schemes such as ring signatures and group signatures, isogenies can produce much shorter signatures than their lattice counterparts [BKP20, BDK+22].
Unfortunately, at first glance this path seems difficult to follow. Very roughly, there are two approaches to constructing a blind signature. The first approach is based on the Schnorr blind signature [CP93]. This approach builds on a sigma (or identification) protocol with a "nice" algebraic property and boosts it into a blind signature by appropriately randomizing the interaction. This nice algebraic property has recently been informally characterized as a module structure [HKL19, HKLN20], which isogenies are not known to have: isogenies only give a group action, which is strictly less structured than a module (see Section 1.2 for more details). The second approach is based on the generic construction proposed by Fischlin [Fis06], which requires proving, at a minimum, possession of a valid signature of a standard signature scheme using a non-interactive zero-knowledge proof (NIZK). While del Pino and Katsumata [dK22] and Agrawal, Kirshanova, Stehlé, and Yadav [AKSY22] recently used this approach to construct more efficient lattice-based blind signatures than were previously known, it seems impractical to translate to the isogeny setting due to the lack of efficient NIZKs for such complex languages.
In summary, while isogenies have the potential to produce the shortest post-quantum blind signatures, it is unclear how we can leverage known approaches to build them. This brings us to the main question of this work: Can we construct an efficient post-quantum (partially) blind signature scheme from isogenies?

Our Contribution
In this work, we answer the above question in the affirmative through four contributions. Our first contribution is to construct the first post-quantum blind signature based on isogenies (or CSIDH group actions, to be more specific), called CSI-Otter, short for CSI-fish with Or-proof Twisted ThreE-Round protocol. The construction is akin to the Schnorr blind signature [CP93] but follows a slightly different approach. Unlike previous constructions that required the underlying mathematical tool to be a module [HKL19, HKLN20], we bypass this requirement. The crux of our construction is to effectively use the quadratic twist of an elliptic curve; in layman's terms, we use the fact that isogenies are slightly more expressive than a plain group action. We build a basic blind signature with public key size 128 B and signature size 8 KB based on the standard group action inverse problem (GAIP) over the CSIDH-512 parameter sets. We formally prove that our basic blind signature is secure in the (classical) random oracle model with poly-logarithmically many concurrent signing sessions, following the recent work by Kastner, Loss, and Xu [KLX22a]. That is, the security proof permits a poly-logarithmic number of signatures to be issued per public key in a concurrent manner. However, we note that due to the lack of algebraic structure in isogenies, there seems to be no straightforward ROS problem underlying the security of our blind signature [Sch01, Wag02]. This is in contrast to the Schnorr blind signature, which admits a concrete attack in the polynomial regime [BLL+21] using the linearity of module elements, which does not exist in the group action setting. We leave the formal analysis of our blind signature in the more desirable polynomial regime as an important open problem.
Our second contribution is to provide an optimization of our basic blind signature using a new hardness assumption called the $\zeta_d$-ring group action inverse problem ($\zeta_d$-rGAIP), where $\zeta_d$ denotes a primitive $d$-th root of unity in $\mathbb{Z}_N$. Informally, $\zeta_d$-rGAIP asserts that given $([g^{s \cdot \zeta_d^j}] * E_0)_{j \in [d]}$ for a random exponent $s \xleftarrow{\$} \mathbb{Z}_N$ and base elliptic curve $E_0 : y^2 = x^3 + x$, it is difficult to solve for $s$. Note that when $d = 2$, we have $\zeta_2 = -1$ and we recover the standard GAIP, where $[g^{-s}] * E_0$ is the (efficiently computable) quadratic twist of $[g^{s}] * E_0$. At a high level, $\zeta_d$-rGAIP allows us to use a larger challenge space for the underlying sigma protocol at the cost of a larger public key. This in turn lowers the number of parallel repetitions compared to our basic blind signature, and effectively we obtain a public key of size $(128 \cdot d)$ B and a signature of size roughly $(8 / \log_2 d)$ KB based on $\zeta_d$-rGAIP. Our construction is generic and works for any group action for which $\zeta_d$-rGAIP is hard; however, we must show that such group actions exist for it to be useful.
Our third contribution complements our second contribution: we provide a preliminary cryptanalysis of the hardness of $\zeta_d$-rGAIP for the CSIDH-512 parameter sets. We first show that the set of values $\{\gcd(\zeta_d^i - 1, N)\}_{i \in [d]}$ relates to the hardness of $\zeta_d$-rGAIP. Informally, we create new GAIP instances over a series of subgroups of the class group, where the sizes of these subgroups relate to each $\gcd(\zeta_d^i - 1, N)$. Using known attacks against GAIP in a Pohlig-Hellman manner, we can break these newly generated GAIP instances, which have a smaller order than the GAIP instance of CSIDH-512. For instance, with CSIDH-512, when $d = 7$ or $8$, this attack shows that $\zeta_d$-rGAIP only has half the security of GAIP over CSIDH-512. On the other hand, for other values of $d$ such as $d = 2, 3, 4, 5, 9, \ldots$, this attack is no more effective than trying to break GAIP over CSIDH-512 directly. In fact, when $\gcd(\zeta_d^i - 1, N) = N / \mathrm{poly}(n)$ for $n$ the security parameter, we show a reduction from $\zeta_d$-rGAIP to GAIP, thus establishing the optimality of our attack for certain parameters such as $d = 3, 5, 9, \ldots$. In the end, due to other correctness constraints, we are only able to instantiate the above optimized blind signature with $d = 4$, which leads to a public key of size 512 B and a signature of size 4 KB. While our preliminary cryptanalysis shows that $\zeta_4$-rGAIP is presumably as hard as GAIP over CSIDH-512, we leave further cryptanalysis for future work as this case is not covered by our reduction to GAIP.
Our final contribution is extending our basic blind signature into a partially blind signature. While it is straightforward to construct a partially blind signature from a Schnorr-style blind signature in the classical group or the lattice settings, this approach fails in the isogeny setting. For example, Abe and Okamoto [AO00] constructed the first partially blind signature, where the main idea was to hash the public message (also known as a tag) $\mathsf{info}$ to a group element $h_{\mathsf{info}} \in G$ and let the signer prove that it knows either the exponent of its public key $h = g^a$ or that of the hashed tag $h_{\mathsf{info}}$. In particular, the underlying sigma protocol proves a 1-out-of-2 (or an OR) relation. In the security proof, the reduction samples $a_{\mathsf{info}} \xleftarrow{\$} \mathbb{Z}_p$, programs the random oracle so that $h_{\mathsf{info}} = g^{a_{\mathsf{info}}}$, and uses $a_{\mathsf{info}}$ to simulate the signing algorithm. Unfortunately, this approach is inapplicable in the isogeny setting since we do not know how to map into the set of elliptic curves while simultaneously hiding the exponent. Note that if the exponent is known, any real-world adversary can run the reduction algorithm to forge a signature, thus rendering the scheme insecure.
To this end, we provide a new general approach to constructing partially blind signatures that may be of independent interest. At the core of our approach is devising a sigma protocol for a 2-out-of-3 relation and embedding the tag $\mathsf{info}$ into the signature differently. Since the sigma protocol must also be compatible with the blind signature, we cannot rely on existing 2-out-of-3 sigma protocols for threshold relations such as the Cramer-Damgård-Schoenmakers sigma protocol [CDS94] based on Shamir's secret-sharing scheme [Sha79]. One downside of our partially blind signature is that, compared to our blind signature, it requires a signature roughly three times as large. However, we note that even then, we still achieve a smaller signature size than the lattice-based counterparts.

Technical Overview
Given a curve $A = [g^a] * E_0$ for an unknown $a \in \mathbb{Z}_N$, we can efficiently compute its quadratic twist $[g^{-a}] * E_0$, which we denote by $A^{-1}$.
We first explain the underlying isogeny-based sigma protocol, where we assume for now that the challenge space is $C = \{-1, 1\}$. As above, the prover sends $Y = [g^y] * E_0$ for $y \xleftarrow{\$} \mathbb{Z}_N$. The verifier then sends a random challenge $c \xleftarrow{\$} \{-1, 1\}$, and the prover replies with $r = y - a \cdot c$. The verifier then verifies the "signature" $\sigma = (c, r)$ by checking whether $[g^r] * A^c = Y$, where note that $A^c$ is well-defined for $c \in \{-1, 1\}$ even though $A$ comes from the set of elliptic curves. For an honest execution of the protocol, we have $[g^r] * A^c = [g^r] * ([g^{a \cdot c}] * E_0) = [g^{r + a \cdot c}] * E_0 = Y$ as desired. Our idea is to randomize this sigma protocol so that the signature $\sigma = (c, r)$ becomes $\sigma' = (c \cdot d, r \cdot d + z)$, where $(d, z)$ is uniform over $\{-1, 1\} \times \mathbb{Z}_N$ from the view of the signer. Concretely, given the first-signer message $Y$, the user randomizes $Y$ by sampling $(d, z) \xleftarrow{\$} \{-1, 1\} \times \mathbb{Z}_N$ and setting $Y' := [g^z] * Y^d$. It then computes $c' = H(Y' \| M)$ and sends $c := c' \cdot d$. The signer replies with $r = y - a \cdot c$ as before. Since we have $[g^r] * A^c = Y$, the user can first compute $[g^{r \cdot d}] * A^{c \cdot d} = Y^d$; namely, it does nothing if $d = 1$ and takes the quadratic twist of both sides if $d = -1$. It then acts by $[g^z]$ to obtain $[g^{r \cdot d + z}] * A^{c \cdot d} = [g^z] * Y^d$. Since the right-hand side is $Y'$, $\sigma' = (c', r') := (c \cdot d, r \cdot d + z)$ is a valid signature for the message $M$ as desired. Moreover, we have perfect blindness since $c$ and $r$ are both randomized: the (multiplicative) randomness $d \in \{-1, 1\}$ hides the challenge $c$ and the (additive) randomness $z \in \mathbb{Z}_N$ hides the response $r$. Put differently, any signature $\sigma' = (c', r')$ has an equal chance of being generated from any transcript $(Y, c, r)$, where the probability is taken over the randomness sampled by the user.
Finally, to turn this basic idea into a secure blind signature, we enlarge the challenge space to be exponentially large, i.e., $C = \{-1, 1\}^n$ where $n$ is the security parameter. All of the above arguments naturally extend to this enlarged challenge space by running the protocol $n$ times in parallel.
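The following is an added example, not code from the paper, that runs the blinding flow just described (with $n$ parallel repetitions) over a toy stand-in for the CSIDH group action. The toy action is assumed, not CSIDH-512: a "curve" just wraps its exponent modulo an arbitrary small $N$, so the model says nothing about hardness; what it does show is that the protocol code only ever uses the operations a real CSIDH curve offers (the action of $g^x$, the quadratic twist, equality, a canonical encoding), that the unblinded pair $(c', r')$ verifies, and that any signer view $(Y, c, r)$ can be explained by any valid signature, which is the perfect-blindness argument. The hash-to-challenge map and the byte encoding are assumptions made for the example.

```python
"""Toy model of the CSI-Otter blinding step with an abstract group action."""
import hashlib
import secrets

# Toy parameters (assumption: NOT the CSIDH-512 values). N stands in for the
# class-group order; n is the number of parallel repetitions, so the challenge
# space is {-1, 1}^n.
N = 1_000_003
n = 16


class Curve:
    """Stand-in for a curve [g^a] * E_0 in the CSIDH group action.

    Protocol code below only uses the operations a real CSIDH curve offers:
    the action of g^x, the quadratic twist (which negates the exponent), an
    equality test and a canonical encoding. The exponent is stored privately
    purely to make the toy action computable; nothing in this model is hard.
    """

    __slots__ = ("_a",)

    def __init__(self, a):
        self._a = a % N

    def act(self, x):
        """[g^x] * self."""
        return Curve(self._a + x)

    def twist(self):
        """Quadratic twist: the twist of [g^a] * E_0 is [g^{-a}] * E_0."""
        return Curve(-self._a)

    def pow(self, c):
        """A^c for c in {-1, 1}: A itself or its twist."""
        if c not in (-1, 1):
            raise ValueError("challenge bits must be in {-1, 1}")
        return self if c == 1 else self.twist()

    def __eq__(self, other):
        return isinstance(other, Curve) and self._a == other._a

    def encode(self):
        """Canonical byte encoding (assumption; a real scheme hashes the curve coefficient)."""
        return self._a.to_bytes(8, "big")


E0 = Curve(0)


def keygen():
    """pk = A = [g^a] * E_0, sk = a."""
    a = secrets.randbelow(N)
    return E0.act(a), a


def hash_challenge(curves, msg):
    """H(Y' || M) mapped into {-1, 1}^n (assumes n <= 256 bits of SHA-256)."""
    h = hashlib.sha256(b"".join(Y.encode() for Y in curves) + msg).digest()
    return [1 if (h[i // 8] >> (i % 8)) & 1 else -1 for i in range(n)]


def signer_1():
    """First signer message: commitments Y_i = [g^{y_i}] * E_0."""
    y = [secrets.randbelow(N) for _ in range(n)]
    return y, [E0.act(yi) for yi in y]


def user_1(A, Y, msg):
    """Blind Y with (d, z), hash the blinded commitments, then blind the challenge."""
    d = [secrets.choice((-1, 1)) for _ in range(n)]
    z = [secrets.randbelow(N) for _ in range(n)]
    Y_blind = [Y[i].pow(d[i]).act(z[i]) for i in range(n)]  # Y'_i = [g^{z_i}] * Y_i^{d_i}
    c_blind = hash_challenge(Y_blind, msg)                   # c'_i = H(Y' || M)_i
    c = [c_blind[i] * d[i] for i in range(n)]                # c_i = c'_i * d_i goes to the signer
    return (d, z, c_blind), c


def signer_2(a, y, c):
    """Second signer message: r_i = y_i - a * c_i (mod N)."""
    return [(y[i] - a * c[i]) % N for i in range(n)]


def user_2(state, r):
    """Unblind the response: r'_i = r_i * d_i + z_i, and output sigma' = (c', r')."""
    d, z, c_blind = state
    return c_blind, [(r[i] * d[i] + z[i]) % N for i in range(n)]


def verify(A, msg, sig):
    """Recompute Y'_i = [g^{r'_i}] * A^{c'_i} and check that the hash matches c'."""
    c, r = sig
    return hash_challenge([A.pow(c[i]).act(r[i]) for i in range(n)], msg) == c


def run_session(A, a, msg):
    """One full signing session; returns the signer's view and the final signature."""
    y, Y = signer_1()
    state, c = user_1(A, Y, msg)
    r = signer_2(a, y, c)
    return (Y, c, r), user_2(state, r)


def explains(A, transcript, sig):
    """Blindness witness: the unique user randomness d_i = c'_i * c_i, z_i = r'_i - r_i * d_i
    that maps the signer view (Y, c, r) onto the signature (c', r'). Returns True when that
    choice is consistent, which holds for ANY valid view paired with ANY valid signature."""
    Y, c, r = transcript
    c_blind, r_blind = sig
    for i in range(n):
        d = c_blind[i] * c[i]
        z = (r_blind[i] - r[i] * d) % N
        if Y[i].pow(d).act(z) != A.pow(c_blind[i]).act(r_blind[i]):
            return False
    return True
```

Running two sessions on different messages and calling `explains` with the signatures swapped returns True for both pairings, which is exactly why the signer cannot link a view to a signature: the "wrong" pairing is explained by a different, but equally likely, choice of $(d, z)$.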

Formal Security Proof.
A knowledgeable reader may recall that the Schnorr blind signature is not known to be secure in the random oracle model [BL13]. This is also the case for our isogeny-based blind signature as described so far. The Schnorr blind signature has been generalized by Pointcheval and Stern [PS96, PS00] and by Abe and Okamoto [AO00] in similar but different ways so as to admit a security proof in the random oracle model. The latter Abe-Okamoto blind signature is compatible with our isogeny-based construction, where the public key is modified to a tuple $\mathsf{pk} = (A_0, A_1) = ([g^{a_0}] * E_0, [g^{a_1}] * E_0) \in \mathcal{E}^2$ for random $(a_0, a_1) \xleftarrow{\$} \mathbb{Z}_N^2$, and the secret key to $\mathsf{sk} = (\delta, a_\delta)$ for a random $\delta \xleftarrow{\$} \{0, 1\}$. The construction uses the OR composition of the underlying sigma protocol and works well with our idea of using the quadratic twist. While the original proof of Abe and Okamoto [AO00] contained a subtle bug that is non-trivial to fix, Kastner, Loss, and Xu [KLX22a] recently provided a somewhat generic proof for Abe-Okamoto-style blind signatures. The security proof of our blind signature is established by adapting their result to our setting.
Turning it Partially Blind. As explained in Section 1.1, there is no analog of the Abe-Okamoto partially blind signature in the isogeny setting. The only reason we could replicate the Abe-Okamoto (non-partial) blind signature in the isogeny setting was that both curves $(A_0, A_1)$ in $\mathsf{pk}$ were set up in a way that the user did not know the secret exponents. Generating $A_1 \in \mathcal{E}$ as a hash of the tag $\mathsf{info}$, i.e., $A_1 = H(\mathsf{info})$, fails in the isogeny setting since we cannot do so without the computation of $H(\cdot)$ revealing the secret exponent $a_1$. If $a_1$ is public, then the scheme becomes trivially forgeable.
Our main approach to constructing a partially blind signature is to keep the same public key $\mathsf{pk} = (A_0, A_1)$ as before but to generate another curve $A_2 = H(\mathsf{info})$ with secret exponent $a_2$. We then modify the signer to prove that it knows at least two of the three exponents of $(A_0, A_1, A_2)$. The reduction will be able to extract one of the secret key pairs $(a_0, a_2)$, $(a_1, a_2)$, or $(a_0, a_1)$ from the forgery: by the proof for the standard blind signature, the first two pairs occur with almost equal probability independently of the secret key used by the reduction, and the third case always allows the reduction to win.
The question is then how to construct a base sigma protocol for this 2-out-of-3 relation that is compatible with the above randomization technique using the quadratic twist. For instance, we cannot use the well-known Cramer-Damgård-Schoenmakers sigma protocol [CDS94] based on Shamir's secret-sharing scheme [Sha79], since the challenge space $C = \{-1, 1\}$ is used as a multiplicative group in our construction rather than as a field as required by Shamir's secret sharing. To this end, we use a 2-out-of-3 multiplicative secret-sharing scheme as follows: given a secret $c \in \{-1, 1\}$, sample $(c_0, c_1, c_2) \in \{-1, 1\}^3$ uniformly at random conditioned on $c_0 \cdot c_1 \cdot c_2 = c$. We then view $(c_0, c_1)$, $(c_1, c_2)$, and $(c_2, c_0)$ as the three shares. One can check that any two of the three shares allow reconstructing $c$, while $c$ is information-theoretically hidden when only one share is known.
Building on a similar argument using the quadratic twist, we turn this 2-out-of-3 sigma protocol into a partially blind signature by allowing the user to appropriately randomize the first-signer messages $Y$. The user samples three random elements from $\{-1, 1\}$ to randomize the challenge $(c_0, c_1, c_2)$ and six random elements from $\mathbb{Z}_N$ to randomize the second-signer message $(r_{b,0}, r_{b,1})_{b \in \{0, 1, 2\}}$. We show that the proof of Kastner, Loss, and Xu [KLX22a] can be slightly modified to work for this partially blind signature.
Optimization using Higher Degree Roots of Unity. Finally, we show how to optimize our blind signature. One of the implicit reasons why the randomization of the sigma protocol worked was that the challenge space $C = \{-1, 1\}$ is a multiplicative subgroup of the ring $\mathbb{Z}_N$. We generalize this observation and consider a larger challenge space $C_d = \{\zeta_d^j\}_{j \in [d]}$, where $\zeta_d$ is a primitive $d$-th root of unity in $\mathbb{Z}_N$, i.e., $\zeta_d^d = 1$ and $\zeta_d^j \neq 1$ for any $j \in [d-1]$. $C_d$ is indeed a larger multiplicative subgroup of the ring $\mathbb{Z}_N$, and setting $d = 2$ recovers the challenge space $C_2 = C$. The goal of the optimized scheme remains the same: we want to randomize the signature $\sigma = (c, r)$. However, when we use a larger challenge space $C_d$ for $d > 2$, the underlying sigma protocol no longer satisfies correctness. Recall that in the simplest sigma protocol, the verifier receives $Y = [g^y] * E_0$, outputs a challenge $c \in \{-1, 1\}$, receives $r = y - a \cdot c$, and checks whether $[g^r] * A^c = Y$. The final check by the verifier was computable because computing the quadratic twist (i.e., $A^{-1}$) is efficient. This is no longer the case for a general $c \in C_d$, since we do not know how to compute $A_j := [g^{a \cdot \zeta_d^j}] * E_0$ given only the curve $A$. To this end, we extend the public key to $\mathsf{pk} = (A_j)_{j \in [d]}$ to aid the verifier's computation and modify the sigma protocol to accommodate this extension. This is where we rely on the new $\zeta_d$-ring group action inverse problem ($\zeta_d$-rGAIP), which states that given $\mathsf{pk}$, it is difficult to recover the exponent $a \in \mathbb{Z}_N$. Before getting into the hardness of $\zeta_d$-rGAIP, we finish the overview of our optimized blind signature below.
Although we are now able to construct a sigma protocol with a larger challenge space, it does not yet naturally extend to a blind signature due to the extra structure. In particular, the main issue is that when the signer sends $Y = [g^y] * E_0$ as the first message, our idea was to let the user randomize it using curves $(Y_j)_{j \in [d]}$ analogous to $(A_j)_{j \in [d]}$, which cannot be computed from $Y$ alone. To this end, we further extend the sigma protocol so that the prover includes all $(Y_j)_{j \in [d]}$ in the first message. While the verifier/user cannot efficiently check that these curves have the correct structure, we modify the sigma protocol so that it performs some consistency checks on these $Y_j$'s. We show that this check is sufficient to argue blindness of the resulting blind signature even when a malicious signer uses a malformed public key, i.e., when $(A_j)_{j \in [d]}$ does not have the correct ring structure.
Cryptanalysis of $\zeta_d$-rGAIP. We have explained how to construct an optimized blind signature assuming the hardness of $\zeta_d$-rGAIP. We complement this result by providing a preliminary cryptanalysis of $\zeta_d$-rGAIP for the CSIDH-512 parameters. We provide an attack that exploits the additional structure of $\zeta_d$-rGAIP for specific choices of $d$. The insight is that the difference between the exponents of any two curves in the public key always has a factor of the form $(\zeta_d^i - 1)$, which constitutes a non-injective endomorphism of the secret key space $\mathbb{Z}_N$. By investigating these differences, we can reduce a $\zeta_d$-rGAIP instance to a GAIP instance over a possibly smaller group than $\mathbb{Z}_N$ and recover partial information about the secret. We can then combine this partial information in a Pohlig-Hellman manner. As a consequence, we can evaluate an upper bound on the security strength of $\zeta_d$-rGAIP using known attacks against GAIP. For some choices of $\zeta_d$, $\zeta_d$-rGAIP only has half the security of GAIP for the CSIDH-512 parameters. On the other hand, for some instances of $\zeta_d$, we show that $\zeta_d$-rGAIP is as hard as GAIP, which demonstrates that the upper bounds obtained via our cryptanalysis are also lower bounds. There are some instances of $\zeta_d$-rGAIP for which our attack does not apply while also having no reduction to GAIP. We leave the analysis of such instances for the CSIDH-512 parameter set as interesting future work.
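As an added example (not from the paper), the multiplicative 2-out-of-3 sharing above, with an exhaustive check of the two properties the text asks the reader to verify: any two shares reconstruct $c$, and conditioned on any single share the secret $c = c_0 c_1 c_2$ is still uniform over $\{-1, 1\}$. The share layout and index convention (share $k$ holds $(c_k, c_{k+1 \bmod 3})$) are choices made for this example.

```python
"""2-out-of-3 multiplicative secret sharing over the challenge group {-1, 1}."""
import itertools
import secrets

SIGNS = (-1, 1)


def share(c):
    """Split c in {-1, 1} into shares (c0,c1), (c1,c2), (c2,c0) with c0*c1*c2 == c.
    (c0, c1) is uniform and c2 is forced, so every single share is uniform."""
    if c not in SIGNS:
        raise ValueError("secret must be in {-1, 1}")
    c0, c1 = secrets.choice(SIGNS), secrets.choice(SIGNS)
    c2 = c * c0 * c1  # c2 = c / (c0*c1); in {-1, 1} division is multiplication
    return [(c0, c1), (c1, c2), (c2, c0)]


def reconstruct(i, share_i, j, share_j):
    """Recover c from two distinct shares. Share k holds (c_k, c_{(k+1) mod 3}),
    so two distinct shares cover all three components."""
    if i == j:
        raise ValueError("need two distinct shares")
    comp = {}
    for k, (u, v) in ((i, share_i), (j, share_j)):
        comp[k] = u
        comp[(k + 1) % 3] = v
    return comp[0] * comp[1] * comp[2]


def reconstruction_is_correct():
    """Exhaustive check: for every (c0,c1,c2), every pair of shares recovers the product."""
    for c0, c1, c2 in itertools.product(SIGNS, repeat=3):
        shares = [(c0, c1), (c1, c2), (c2, c0)]
        for i, j in itertools.combinations(range(3), 2):
            if reconstruct(i, shares[i], j, shares[j]) != c0 * c1 * c2:
                return False
    return True


def single_share_hides_secret():
    """Exhaustive check: for each share position k and each value that share can take,
    the triples consistent with it split evenly between c = 1 and c = -1, i.e. one
    share carries no information about c (information-theoretic hiding)."""
    for k in range(3):
        counts = {}  # share value -> {c: number of consistent triples}
        for c0, c1, c2 in itertools.product(SIGNS, repeat=3):
            shares = [(c0, c1), (c1, c2), (c2, c0)]
            per_c = counts.setdefault(shares[k], {1: 0, -1: 0})
            per_c[c0 * c1 * c2] += 1
        if any(dist[1] != dist[-1] for dist in counts.values()):
            return False
    return True
```

The hiding property is what lets a prover that knows only two of the three exponents fix the share belonging to the exponent it lacks before seeing the challenge (as in an OR-style proof): a single fixed share is consistent with both values of $c$, so the verifier learns nothing about which exponent was simulated.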

Related Work
Isogeny-based Cryptography. The roots of isogeny-based cryptography can be traced back to a 1997 talk of Couveignes, later published online in 2006 [Cou06], and independently rediscovered by Rostovtsev and Stolbunov [RS06]. These works propose a post-quantum key establishment protocol, the CRS protocol, whose security is based on the difficulty of the "parallelization" problem for the class group action on the set of ordinary elliptic curves; that is, finding $[a][b] * E$ given $E$, $[a] * E$ and $[b] * E$, where $E$ is an ordinary elliptic curve with endomorphism ring $\mathcal{O}$, and $[a], [b] \in \mathcal{C}\ell(\mathcal{O})$. This parallelization problem is the "Diffie-Hellman analogue" of the perhaps more natural "group action inversion" problem: given two ordinary curves $E$ and $E' = [a] * E$, find $[a]$. The CRS scheme suffered primarily from two flaws: first, it was impractically slow, requiring approximately 458 seconds to establish a key at the 128-bit security level [Sto10]; and second, Childs, Jao, and Soukharev [CJS14] demonstrated that the CRS protocol is vulnerable to a subexponential-time quantum attack using Kuperberg's algorithm [Kup05], with later works [BIJ18, JLLRL20, BS20] improving the attack to require only polynomial quantum space via Regev's variant of Kuperberg's algorithm [Reg04].
These problems with ordinary isogeny-based protocols led researchers to instead consider protocols based on supersingular elliptic curves. The first such protocol was the hash function due to Charles, Lauter, and Goren [CLG09]. Later, De Feo, Jao, and Plût introduced the Supersingular Isogeny Diffie-Hellman (SIDH) key establishment protocol, which was later used to construct Supersingular Isogeny Key Encapsulation (SIKE) [JAC+17], a fourth-round candidate in the NIST Post-Quantum Cryptography standardization process. Despite passive attacks on "unbalanced" variants [Pet17, dQKL+21] and active attacks on static/ephemeral implementations [GPST16, DGL+20, GL22], SIDH resisted cryptanalysis until 2022, when a series of papers [CD23, MMP+23, Rob23] established that SIDH and SIKE could be broken in polynomial time. While there are proposals for countermeasures to these devastating attacks [FMP23], the efficacy of these countermeasures has not yet been thoroughly studied.
Commutative Supersingular Isogeny Diffie-Hellman (CSIDH) was introduced by Castryck et al. [CLM+18] as an alternative to SIDH. Unlike SIDH, which bears very little resemblance to CRS, CSIDH is very much a supersingular analogue of CRS. In CSIDH, the supersingularity of the curves involved is exploited to ensure that a torsion subgroup of very large smooth order is defined over $\mathbb{F}_{p^2}$, which allows approximately uniform random sampling and evaluation of complex multiplication to be performed very efficiently, making CSIDH orders of magnitude faster than CRS. Moreover, CSIDH is not known to be susceptible to any kind of adaptive attack, making it usable in the static/ephemeral setting.
The inability to uniformly sample elements of the ideal class group whose action can be computed efficiently (without knowing the relation lattice of the class group) makes it difficult to create CSIDH-based signatures. De Feo and Galbraith were the first to solve this problem in their protocol SeaSign [DG19], using rejection sampling to ensure that signing key information is never leaked. Later, Beullens, Kleinjung, and Vercauteren were able to compute the relation lattice of the class group used in the CSIDH-512 parameter set, and hence construct CSI-FiSh [BKV19]: a CSIDH-based signature scheme without rejection sampling. Unfortunately, the best known classical algorithms to compute the relation lattice scale subexponentially in the CSIDH security parameter, and so it is not currently possible to extend CSI-FiSh to larger parameter sets. However, there are efficient quantum algorithms to compute these relation lattices, making CSI-FiSh a candidate for post-post-quantum cryptography [DF19]: cryptographic protocols which require a quantum computer to establish global parameters, but which are otherwise classical. However, [Lai23a] shows that evaluating isogenies in the way described in [DF19] is not only non-polynomial-time in theory (even with the quantum preprocessing) but also slow in practice according to lattice reduction estimates. A very recent work [FFK+23] shows a feasible way to obtain the group structure using oriented supersingular curves and imaginary quadratic orders with a large prime conductor. Though the isogeny evaluation has subexponential complexity in theory, they show a feasible result in practice by carefully choosing the parameters.
When the relation lattice of the class group is known, complex multiplication is an instance of what Couveignes [Cou06] called a hard homogeneous space, and what is now often called a cryptographic group action [ADMP20]. While many CSIDH/CSI-FiSh-based protocols have been constructed using the group action abstractly, the CSIDH group action actually has slightly more structure than an abstract cryptographic group action. In particular, if $E/\mathbb{F}_p$ is a curve in the CSIDH family, its quadratic twist is efficiently computable, and the twist of $[g^a] * E_0$ is $[g^{-a}] * E_0$. This additional structure turns out to be a powerful tool, which has led to the construction of a UC-secure isogeny-based oblivious transfer [LGd21], provably-secure isogeny-based password authenticated key establishment [AEK+22] (which had been elusive for years [TSJL21, AJK+20]), and new techniques for fault attack resistance of static/ephemeral CSIDH. It is also a useful tool used in [BKV19, Lai23b] to compress the signature or proof size.
further and constructed a lattice-based blind signature with signature size of 22 KB. The construction relies on an NIZK for proving relations of concrete hash functions.
Finally, there are a few blind signatures based on other post-quantum assumptions. Blazy et al. [BGSS17] construct a code-based blind signature following the generic blind signature construction by Fischlin. Petzoldt et al. [PSM17] construct a multivariate-based blind signature under a non-standard unforgeability notion.

Notation
We denote the set of natural numbers and integers by $\mathbb{N}$ and $\mathbb{Z}$, respectively. We define the ring of integers modulo $N$, i.e., $\mathbb{Z}_N$, with representatives in $[-N/2, N/2) \cap \mathbb{Z}$. We write $x \xleftarrow{\$} S$ to sample $x$ uniformly at random from $S$. We use $\odot$ to denote the component-wise multiplication of vectors over a ring $R$. We use $\|$ to denote the concatenation of two strings. For an element $g$ and a vector $\mathbf{a} = (a_1, \ldots, a_n)$, we use $g^{\mathbf{a}}$ as shorthand for $(g^{a_1}, \ldots, g^{a_n})$. Moreover, for any operation $*$ defined between two elements $g$ and $h$ and vectors $\mathbf{a} = (a_1, \ldots, a_n)$ and $\mathbf{b} = (b_1, \ldots, b_n)$, we use $g^{\mathbf{a}} * h^{\mathbf{b}}$ as shorthand for $(g^{a_1} * h^{b_1}, \ldots, g^{a_n} * h^{b_n})$.

(Partially) Blind Signature
We define partially blind signatures consisting of three moves, which is sufficient to capture many known protocols, e.g., [AO00, KLX22b, KLX22a]. Below, we recover the standard definition of (three-move) blind signatures by ignoring the tag $\mathsf{info}$, or alternatively by setting $\mathsf{info}$ to a predefined value.
$\mathsf{PBS.S}_1(\mathsf{sk}, \mathsf{info}) \to (\mathsf{state}_S, \rho_{S,1})$: On input a secret key $\mathsf{sk}$ and a tag $\mathsf{info}$, it outputs an internal signer state $\mathsf{state}_S$ and a first-signer message $\rho_{S,1}$.
$\mathsf{PBS.S}_2(\mathsf{state}_S, \rho_U) \to \rho_{S,2}$: On input a signer state $\mathsf{state}_S$ and a user message $\rho_U$, it outputs a second-signer message $\rho_{S,2}$.
$\mathsf{PBS.U} = (\mathsf{PBS.U}_1, \mathsf{PBS.U}_2)$: The interactive user algorithm consists of two phases:
$\mathsf{PBS.U}_1(\mathsf{pk}, \mathsf{info}, M, \rho_{S,1}) \to (\mathsf{state}_U, \rho_U)$: On input a public key $\mathsf{pk} \in \mathcal{PK}$, a tag $\mathsf{info}$, a message $M$, and a first-signer message $\rho_{S,1}$, it outputs an internal user state $\mathsf{state}_U$ and a user message $\rho_U$.
$\mathsf{PBS.U}_2(\mathsf{state}_U, \rho_{S,2}) \to \sigma$: On input a user state $\mathsf{state}_U$ and a second-signer message $\rho_{S,2}$, it outputs a signature $\sigma$.
$\mathsf{PBS.Verify}(\mathsf{pk}, \mathsf{info}, M, \sigma) \to 1$ or $0$: On input a public key $\mathsf{pk}$, a tag $\mathsf{info}$, a message $M$, and a signature $\sigma$, the verification algorithm outputs 1 to indicate that the signature is valid, and 0 otherwise.
If the partially blind signature only accepts a unique tag $\mathsf{info}$, we drop the "partially" and simply call it a blind signature (BS) and omit $\mathsf{info}$ from the syntax. We require a partially blind signature to be correct, blind against malicious signers, and one-more unforgeable. We first define correctness.

Definition 2.2 (Perfect Correctness).
A three-move partially blind signature scheme $\mathsf{PBS}$ is perfectly correct if for all public and secret key pairs $(\mathsf{pk}, \mathsf{sk}) \in \mathsf{PBS.KGen}(1^n)$ and every tag and message pair $(\mathsf{info}, M)$, the signature $\sigma$ produced by an honest execution of the signing protocol satisfies $\mathsf{PBS.Verify}(\mathsf{pk}, \mathsf{info}, M, \sigma) = 1$. The following definitions are taken from [KLX22b, KLX22a]. Partial blindness roughly requires the transcript to be independent of the signature even if the signer chooses the keys maliciously.

Definition 2.3 (Partial Blindness Under Chosen Keys).
We define partial blindness of a three-move partially blind signature scheme PBS via the following game between a challenger and an adversary A: Setup. The challenger samples coin ∈ {0, 1} and runs A on input 1 n .
Online Phase. When A outputs a tag info, messages M 0 and M 1 , and a public key pk ∈ PK, it assigns A is then given access to oracles U 1 , U 2 , which behave as follows. the oracle returns the two signatures (σ coin , σ 1−coin ) to A, where note that σ coin (resp. σ 1−coin ) is a valid signature for M 0 (resp. M 1 ) regardless of the choice of coin. A outputs a guess coin * for coin. We say A wins if coin * = coin.
We say PBS is partially blind under chosen keys if the advantage of A, defined as |Pr[A wins] − 1/2|, is negligible.
One-more unforgeability roughly ensures that at most one valid signature is generated after each execution of PBS.Sign. Formally, we have the following.

Definition 2.4 (One-More-Unforgeability).
We define ℓ-one-more unforgeability (ℓ-OMUF) for any ℓ ∈ N of a three-move partially blind signature scheme PBS via the following game between a challenger and an adversary A:
Setup. The challenger samples (pk, sk) ←$ PBS.KGen(1^n) and runs A on input pk. It further initializes ℓ_closed = 0 and opened_sid = false for all sid ∈ N.
Online Phase. A is given access to oracles S 1 and S 2 , which behave as follows.
Oracle S_1: On input a tag info, the oracle samples a fresh session identifier sid. It sets opened_sid ← true and generates (state_{S,sid}, ρ_{S,1}) ←$ PBS.S_1(sk, info). It then returns sid and the first-sender message ρ_{S,1} to A.

Sigma Protocols
While we do not explicitly rely on a sigma protocol, we provide an informal treatment as it will aid the intuition behind the construction of our (partially) blind signature. For concreteness, we provide a formal treatment in Appendix A. A sigma protocol for an NP relation R ⊆ {0,1}^* × {0,1}^* is a special type of public-coin three-move interactive protocol between a prover and a verifier.

Definition 2.5 (Sigma Protocol).
A sigma protocol Σ for an NP relation R is a three-move public-coin interactive protocol with a pair of PPT algorithms (P = (P_1, P_2), V) and the following flow:
• The prover, on input a statement and witness pair (X, W) ∈ R, runs (com, state) ←$ P_1(X, W) and sends the commitment com to the verifier.
• The verifier samples a random challenge ch ←$ C from a specified challenge set and sends ch to the prover.
• The prover runs rsp ←$ P_2(state, ch) and returns the response rsp to the verifier.
• The verifier runs V(X, com, ch, rsp) and outputs 1 to indicate that it accepts the prover, and 0 otherwise.
To be useful as an (implicit) building block for blind signatures, a sigma protocol must satisfy correctness, honest verifier zero-knowledge (HVZK), witness indistinguishability, and special soundness. A formal definition can be found in for example [Dam02].
Informally, correctness requires that if the prover has a valid statement and witness pair (X, W), the verifier outputs 1 with probability 1. HVZK roughly requires that there exists a PPT simulator Sim such that, given any statement X (in the language) and challenge ch ∈ C, it outputs a valid transcript (com, ch, rsp) that is indistinguishable from a real transcript. Witness indistinguishability is a weaker notion than HVZK: we require that the interactions of a prover using witness W_1 or W_2, with (X, W_1), (X, W_2) ∈ R, are indistinguishable. Namely, the interaction does not leak which witness is being used. Finally, special soundness requires that there is a deterministic polynomial-time extractor Ext such that, given two valid transcripts (com, ch_1, rsp_1) and (com, ch_2, rsp_2) for X with the same com and distinct ch_1 ≠ ch_2, it outputs W such that (X, W) ∈ R.
We also define a hard instance generator for the NP relation R as follows.
Definition 2.6 (Hard Instance Generator). An NP relation R is associated with an instance generator (IG) if IG, given as input the security parameter 1 n , outputs a statement-witness pair (X, W) ∈ R. Moreover, we say the instance generator is hard if the following holds for any PPT adversary A:

Elliptic Curves and Isogenies
Let E denote an elliptic curve over a finite field F_p with p a large prime, and let 0_E denote the point at infinity on E. The curve E is called supersingular if and only if #E(F_p) = p + 1. Therefore, by point counting, e.g., Schoof's algorithm [Sch95], one can efficiently verify the supersingularity of a given curve. Otherwise, the curve is called ordinary. Given two elliptic curves E and E′, an isogeny ϕ is a morphism ϕ : E → E′ given by rational functions that is also a group homomorphism, so that ϕ(0_E) = 0_{E′}. An isomorphism is an isogeny whose inverse over the algebraic closure is also an isogeny, and two elliptic curves are isomorphic if and only if they have the same j-invariant. There is a one-to-one correspondence between finite subgroups of an elliptic curve and separable isogenies from that curve, up to post-composition with isomorphisms. More specifically, any subgroup S ⊂ E(F_{p^k}) determines a (separable) isogeny ϕ : E → E′ with ker ϕ = S, i.e., E′ = E/S. Given a subgroup S, the equation for E′ and the isogeny ϕ can be computed using Vélu's formulae in O(#S (k log p)^2) bit operations. As a result, only small subgroups S defined over F_p with small p can be computed efficiently. The ring of endomorphisms End(E) consists of all isogenies from E to itself, and End_p(E) denotes the ring of endomorphisms defined over F_p. When E/F_p is supersingular, the endomorphism ring End_p(E) is isomorphic to an order O of the quadratic field Q(√−p) [CLM+18]. We recall that an order is a subring of Q(√−p) that is also a finitely generated Z-module containing a basis of Q(√−p). The invertible fractional ideals of O form an Abelian group whose quotient by the subgroup of principal fractional ideals is finite. This quotient group is called the ideal class group of O and is denoted by Cℓ(O).
The ideal class group Cℓ(O) acts freely and transitively on the set Eℓℓ of all supersingular elliptic curves E over F_p (modulo isomorphisms defined over F_p) such that there exists an isomorphism between O and End_p(E) mapping √−p ∈ O to the Frobenius endomorphism π : (x, y) ↦ (x^p, y^p). The quadratic twist of a given elliptic curve E :
The quadratic twist can be efficiently computed in this setting. When p ≡ 3 mod 4, the quadratic twist
Remark 2.7. Throughout the rest of the paper, we consider an underlying prime p ≡ 3 mod 4. We assume that the structure of the ideal class group G = ⟨[g]⟩ ≅ Z_N, justified by the Cohen-Lenstra heuristic, is known for some N ∈ N, and that for each i ∈ [N] the action [g^i] ⋆ E can be efficiently evaluated. This setup is justified by [BKV19]. Let E_0 ∈ Eℓℓ be the supersingular curve with j-invariant 1728. Our cryptosystems rely on the following assumptions.

Definition 2.8 (Group Action Inverse Problem (GAIP)).
Given
The problem is equivalent to finding the exponent s mod N by considering f(m, n) = [g^m g′^n] ⋆ E_0 and applying the quantum period-finding algorithm.
Recall that G ≅ Z_N and that Z_N is a ring. We introduce a generalized version of the group action inverse problem by considering a primitive d-th root of unity in Z_N, denoted ζ_d, such that ζ_d^d = 1 and ζ_d^j ≠ 1 for any j ∈ [d − 1]. We define the ring group action inverse problem with respect to ζ_d as follows.

Definition 2.9 (ζ d -Ring Group Action Inverse Problem (rGAIP)). Given
When the context is clear, we may drop d from the subscript or drop ζ_d entirely and simply call it rGAIP. This problem is a generalized version of GAIP, which is ζ_2-rGAIP with ζ_2 = −1. To see this, take the quadratic twist of a GAIP instance
where φ is Euler's phi function. Similarly to GAIP [FIM+14, BN18, CDEL21], which admits polynomial-time HSP algorithms for insecure group structures, the hardness of ζ_d-rGAIP also depends on the underlying algebraic structure and the specific choice of ζ_d. In Section 7.2, we provide a structural analysis of ζ_d-rGAIP for CSIDH-512 and display a few weak and hard instances depending on ζ_d. We show that for some carefully chosen d (depending on N), ζ_d-rGAIP is essentially as hard as the original GAIP. Finally, when constructing our optimized blind signatures in Section 6, we require d to satisfy a few more requirements beyond ζ_d-rGAIP being hard. Informally, we require a quantity (given in Section 6) to be small for the extractor of the underlying sigma protocol to be efficient. More details can be found in Section 6.

Generic Proofs for Blind Schnorr-Type Signatures
In this section, we review the recent work of Kastner, Loss, and Xu [KLX22a], which provided a proof of the Abe-Okamoto (partially) blind signature [AO00]. The original security proof of one-more unforgeability in [AO00] contained a leap of logic (i.e., the scheme was correct but the security proof was not), and Kastner, Loss, and Xu provided a somewhat generic proof that works for many of the blind Schnorr-type signatures [CP93]. While their focus was on the scheme by Abe and Okamoto, the proof is generic enough to capture other similar schemes (see for instance [KLX22a, Appendix F], which provides a proof sketch for [Abe01]). Indeed, the constructions we propose fall under their generic proofs as well. To this end, we extract the minimal definitions and lemmas from [KLX22a] required to argue the security of our (partially) blind signatures. Here, we note that one could likely rewrite [KLX22a] in a more generic fashion by borrowing the tools from [HKL19]. However, we chose not to, for better readability and because isogenies do not naturally give rise to a linear identification scheme as required by [HKL19]. Finally, we emphasize that while this section is not contained in Section 2 (i.e., Background), we do not claim any technical novelty for it.
Below, we provide a brief overview of the proof by Kastner, Loss, and Xu and then introduce the key lemmas that need to be proven in this paper to apply their proof.

Proof Overview
Loosely speaking, a blind Schnorr-type signature is a type of blind signature that builds on top of a Schnorr-type sigma protocol [Sch90]. The signer of the blind signature is identical to the prover in the sigma protocol, while the user of the blind signature modifies the verifier of the sigma protocol by appropriately adding blinding factors. In the proof of one-more unforgeability, the adversary (i.e., a malicious user) does not care whether its forgeries are blind, and thus how blindness is achieved can be ignored for now.
At a high level, to argue one-more unforgeability, we would like the reduction to embed a hard problem into the public key of the blind signature and appeal to the special soundness of the underlying sigma protocol to extract a solution from the forgeries. However, unlike standard Fiat-Shamir-based signatures, the reduction cannot rely on HVZK to simulate the signatures, since the challenge is under the adversary's control. To simulate the interaction with the adversary, we thus allow the public key to have two valid secret keys, e.g.,
The reduction embeds a hard problem into one of the secret keys while simulating with the other secret key.
What makes the security proof of blind Schnorr-type signatures tricky is that even if the adversary's view is independent of the secret key being used, this alone does not complete the proof. This is because to argue that the secret key extracted via the special soundness of the underlying sigma protocol is unbiased, we need to argue that the algorithm (i.e., reduction) executing the extractor of the special soundness is unbiased. While this holds for standard Fiat-Shamir based signature schemes since the reduction can invoke HVZK, this is not the case for blind signatures. As we discussed above, since the adversary chooses the challenge, the reduction can only try to invoke witness indistinguishability. However, witness indistinguishability breaks when the reduction rewinds the adversary since the reduction needs to simulate two transcripts using the same first commitment of the sigma protocol. Thus, the reduction is not compatible with the definition of witness indistinguishability.
That being said, since the view of the adversary (in each run) is independent of the secret key being used, intuition tells us that the extraction works: the only thing that is not working is the security proof. To overcome this issue, Kastner, Loss, and Xu [KLX22a] provide a detailed analysis of the probability of the reduction succeeding while implicitly relying on witness indistinguishability. We note that Abe and Okamoto [AO00] also rely on the same proof approach but included a subtle, non-trivially fixable flaw in computing the probability.

Key Definitions, Lemmas, and Theorems
We extract the minimal definitions and lemmas from [KLX22a] in a self-contained manner so that the security of our (partially) blind signatures is established through several easy-to-state lemmas. For a fuller exposition, we refer the reader to [KLX22a].
Preparation. We first assume the adversary against the one-more unforgeability game is restricted to make only ℓ + 1 distinct hash queries to the random oracle, where ℓ + 1 is the number of forgeries the adversary outputs. Moreover, as with any blind Schnorr-type signature, we assume each signature in the forgery is associated with a distinct hash query. We also assume the public key of the (partially) blind signature has exactly two corresponding secret keys. More specifically, we assume the underlying sigma protocol is for the NP OR-relation R defined with respect to another NP relation R′. That is, X is the public key and W is the secret key. Finally, we assume the adversary's user message ρ_U queried to the signing algorithm PBS.S_2 satisfies ρ_U ∈ C, where C is the challenge space of the underlying sigma protocol for relation R (and R′).
We first define the notion of instances. Roughly, an instance defines the signer's key and randomness. We present a variant of the definition of instances in [KLX22a, Definition 4] that is agnostic to the underlying sigma protocol. We provide an explicit description of instances, analogous to [KLX22a, Definition 4], when we detail our construction of (partial) blind signatures.

Definition 3.1 (Instances).
Assume the public key of a blind Schnorr-type signature has exactly two corresponding secret keys sk 0 = (0, W ′ 0 ) and sk 1 = (1, W ′ 1 ). We define two types of instances I: A 0-side (resp. 1-side) instance consists of sk 0 (resp. sk 1 ) and the randomness used by the honest signer algorithm when the secret key is fixed to sk 0 (resp. sk 1 ), i.e., randomness excluding those used by the key generation algorithm.
The main argument of Kastner, Loss, and Xu boils down to arguing that the output of the extraction algorithm (i.e., forking algorithm) explained above is independent of the instances.

Let h⃗ be the vector of responses returned by the random oracle, where |h⃗| = ℓ + 1, and let rand be the randomness used by the one-more unforgeability adversary. We define a deterministic wrapper algorithm W that simulates the interaction between the signer and the adversary given input (I, rand, h⃗). W invokes the signer and the adversary on inputs I and rand, respectively, and uses h⃗ to answer the random oracle queries made by the adversary. We define W(I, rand, h⃗) to output ⊥ if the adversary aborts prematurely or fails to win the one-more unforgeability game, and otherwise to output what the adversary outputs. We then define the notion of successful tuples as follows.

Definition 3.2 (Successful Tuples).
We define the set of successful tuples as follows:
We next define a sufficient condition to invoke the extraction algorithm of the underlying sigma protocol. This is a standard definition (often used implicitly) even for Fiat-Shamir-based signatures.

Definition 3.3 (Successful Forking [KLX22a, Definition 7]). We say two successful input tuples
We next define the notion of transcripts. A query transcript denotes the user messages queried to the signer. A full transcript denotes the entire transcript produced by the signer and the adversary, including the final forgery.

Definition 3.4 (Query Transcript [KLX22a, Definition 5]). Consider the wrapper W running on input
, is the vector of user message (ρ U ) queries made to the signing algorithm PBS.S 2 (simulated by W) by the adversary, ordered by sid.

Definition 3.5 (Full Transcript [KLX22a, Definition 6]). Consider the wrapper W running on input
, is the transcript produced between the signer and the adversary, i.e., all messages sent between the signer and user played by the adversary, including the forgeries.
We now define partners, which play a key role in the analysis of [AO00, KLX22a]. Informally, two tuples in Succ are partners at i if they fork at this index i and produce the same query transcript. Note that this does not necessarily imply that each tuple results in the same full transcript.
We denote the set of (
A triangle is another key tool introduced in [AO00, KLX22a] in order to enhance the standard forking tuples with the nice properties of partners. A triangle consists of three vectors h⃗, h⃗′, h⃗′′ such that each pair of vectors forks at the same index, and additionally, (

Definition 3.7 (Triangles [KLX22a, Definition 9]). A triangle at index
rand is a tuple of three successful tuples in the following set:
We next define a map that transforms a b-side instance into a (1 − b)-side instance for b ∈ {0, 1}. Roughly, the map allows us to relate the number of triangles with a 0-side instance to those with a 1-side instance. We present a variant of the definition of the map in [KLX22a, Definition 12] that is agnostic to the underlying sigma protocol. We provide an explicit description of the map, analogous to [KLX22a, Definition 12], when we detail our construction of (partially) blind signatures.

Definition 3.8 (Mapping Instances via Transcript). For
Finally, we formally define the witness extractor used by the reduction. We present a variant of the definition of witness extractor in [KLX22a, Definition 13] that is agnostic to the underlying sigma protocol. This is because the witness extractor's concrete description is defined using the special soundness extractor of the underlying sigma protocol, which we will do when we detail our construction of (partial) blind signatures.

Definition 3.9 (Witness Extraction). Fix I, rand and let
Sufficient Condition for One-More Unforgeability. We are now prepared to formally present the main result of Kastner, Loss, and Xu [KLX22a]. First, if the map Φ_{rand,h⃗} is a bijection that preserves transcripts for any rand and h⃗, then a partner tuple with a b-side instance maps to another partner tuple with a (1 − b)-side instance for the same rand and h⃗ (see [KLX22a, Corollary 1 and Lemma 3]). This implies that the witness extracted from a partner tuple is independent of the reduction's secret key. However, it is not clear whether the reduction is able to obtain a partner tuple by rewinding. To this end, we use the sides of the triangle rather than its base (i.e., the partner tuple) to extract a witness, where the main observation is that if a b-side witness can be extracted from the base of a triangle, then a b-side witness can be extracted from at least one of the sides. We then argue that a reduction holding a b-side witness hits one corner of the base of a triangle in the first run, and then hits the top of the triangle so that it creates a side with a (1 − b)-side witness, with probability roughly 1/2.
The main contribution of Kastner, Loss, and Xu [KLX22a] was to make the above high-level argument precise. Their result is mostly statistical, and it suffices to prove only that our (partially) blind signature satisfies the following two lemmas in order to invoke their main theorem concerning one-more unforgeability. The first lemma shows that the blind signature is perfectly witness indistinguishable. This is used to establish that the witness extracted from a partner tuple is independent of the reduction's secret key.
The second lemma states that if a witness can be extracted from a base of a triangle, then the same witness can be extracted from at least one of its sides.

Lemma 3.11 ([KLX22a, Corollary 3]). Fix I, rand and let
of the triangle at index i, then one can also extract the 0-side (resp. 1-side) witness from at least one of the sides (I, rand,
The following is the main theorem of Kastner, Loss, and Xu [KLX22a, Theorem 1], cast slightly more generally so as to be agnostic to the underlying hardness assumption.
Theorem 3.12. Let the (partially) blind Schnorr-type signature (P)BS be as defined in the preparation of Section 3.2. In particular, assume that the public key consists of two instances of the NP relation R′ generated by a corresponding hard instance generator IG, and that the underlying sigma protocol has challenge space C.
If Lemmas 3.10 and 3.11 hold, then for all ℓ ∈ N, if there exists an adversary A that makes Q hash queries to the random oracle and breaks the ℓ-one-more unforgeability of (P)BS with advantage $\epsilon_A \geq \frac{C_1}{|\mathcal{C}|}\binom{Q}{\ell+1}$, then there exists an algorithm B that breaks the hard instance generator with advantage
We note that Kastner, Loss, and Xu only show the above theorem for blind signatures. They then show that it can be extended to a proof for their particular partially blind signature with a loss of 1/T, where T is the number of distinct tags info queried by the adversary (see [KLX22a, Theorem 2]). However, as explained in the introduction, we cannot follow their approach since our partially blind signature must deviate from prior constructions. To this end, we observe that the same proofs and theorem above can be applied to the partially blind setting if the instances in Definition 3.1 can be defined independently of the tags info used by the adversary. See Section 5 for more details.

Constructing Isogeny-Based Blind Signatures
In this section, we provide our isogeny-based blind signature. We first explain the sigma protocol that underlies our isogeny-based blind signature and then show how to compile it into a blind signature.

Base Sigma Protocol for an OR Relation
To begin, we consider a sigma protocol to prove that the prover knows at least one of the two secrets corresponding to the public statement X = (A_0, A_1) = ([g^{a_0}] ⋆ E_0, [g^{a_1}] ⋆ E_0). The sigma protocol is depicted in Fig. 1. Note that this is a standard isogeny-based sigma protocol in which 0 is removed from the challenge space (see for instance [BKV19]). As explained in Section 1.2, the main reason for this slight modification is to make the (non-soundness-amplified) challenge space {−1, 1} a (multiplicative) subgroup of Z_N^×. While these properties are implicit in the blind signature, we sketch the properties of our sigma protocol for completeness. Correctness can be verified through a routine check.
HVZK. Given a challenge c, a zero-knowledge simulator Sim samples random (c_0, c_1)
, 1}, and outputs the simulated transcript ((Y_0, Y_1), c, (r_0, r_1, c_0, c_1)). Since there is a bijection between r_b and Y_b once c_b is fixed, this produces a transcript distributed identically to a real transcript.
Witness Indistinguishability. This is a direct consequence of the above since perfect HVZK implies perfect witness indistinguishability.
1} are the first elements of c_0 and c′_0, respectively. The extractor Ext, given two such valid transcripts, outputs a witness (0,
are the first elements of r_0 and r′_0. Let us verify the correctness of such an Ext. Since the two transcripts are valid, we have
Cleaning up the exponents, we obtain the desired a_0.

Description of Our Blind Signature
We present our isogeny-based blind signature building on top of the base sigma protocol in Section 4.1. Let (p, N, E_0) be the public parameters, specifying the underlying prime, the order of the group, and the distinguished element, respectively. Let g be a generator of the ideal class group Cℓ(O). We assume these parameters are provided to all algorithms. Let H : {0, 1}^* → {−1, 1}^n be a hash function modeled as a random oracle in the security proof. The following algorithms are summarized in Fig. 2.
BS.U_1(pk, M, ρ_{S,1}): The user parses (
BS.S_2(state_S, ρ_U): The signer parses (y*_δ, c*_{1−δ}, r*_{1−δ}) ← state_S and c* ← ρ_U, sets c*_δ = c* ⊙ c*_{1−δ} ∈ {−1, 1}^n, and computes r*_δ = y*_δ − a_δ · c*_δ ∈ Z_N^n. It then outputs the second-signer message ρ_{S,2} = (c
If it holds, it outputs the signature σ = (c_b, r_b)_{b∈{0,1}} ∈ ({−1, 1}^n × Z_N^n)^2, and otherwise ⊥.
The correctness, blindness, and one-more unforgeability of our blind signature are provided in the subsequent sections.
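As an added example (not code from the paper or its authors), the following Python script walks through the OR sigma protocol of Section 4.1 and the blind-signature flow of Section 4.2 over a toy group action: Z_N acting on a cyclic group of prime order N by multiplication with h^a, with the quadratic twist modelled as inversion so that the twist of [g^a] ⋆ E_0 is [g^{−a}] ⋆ E_0, mirroring the twist structure the paper relies on. The toy parameters (P, N, h), the SHA-256 instantiation of H, the names keygen/signer1/user1/signer2/user2/verify/extract, and the user's blinding with a sign vector d_b and an exponent vector z_b are all assumptions of the example; they are chosen so that the signer's steps match those stated for BS.S_2 above and the unblinding satisfies the relations used in the correctness proof (c_b = c*_b ⊙ d_b and x ⊙ x = 1). The function extract implements the special-soundness extractor sketched in Section 4.1 for the two-transcript case, cancelling the exponents and dividing by 2 in Z_N (possible because the toy N is odd, so that −1 ≠ 1 in Z_N and {−1, 1} is a subgroup of Z_N^×). Discrete logarithms are trivial at this size, so the toy reproduces the algebra, not the hardness.

```python
import hashlib, secrets

# Toy stand-in for the class group action, constructed for this example: Z_N acts on the
# order-N subgroup of Z_P^* by E -> E * h^a, and the quadratic twist is modelled by inversion,
# so twist([g^a]*E0) = [g^-a]*E0 as in the paper. Insecure; it only reproduces the algebra.
P, N, H_GEN, E0 = 2039, 1019, 4, 1   # P = 2N + 1 prime, h = 4 generates the order-N subgroup
LAMBDA = 32                          # parallel repetitions (n in the paper); toy size, <= 256

def act(a, E):            # [g^a] * E: free and transitive Z_N action, modelled as E * h^a
    return (E * pow(H_GEN, a % N, P)) % P
def twist(E):             # quadratic twist E^t, modelled as inversion in the subgroup
    return pow(E, -1, P)
def act_signed(r, c, A):  # [g^r] * A^c for c in {-1, 1}, where A^1 = A and A^-1 = twist(A)
    return act(r, A if c == 1 else twist(A))

def hash_chal(Y0, Y1, msg):  # H: {0,1}^* -> {-1,1}^n, modelled with SHA-256 (toy assumption)
    d = hashlib.sha256(repr((tuple(Y0), tuple(Y1), msg)).encode()).digest()
    return [1 if (d[i // 8] >> (i % 8)) & 1 else -1 for i in range(LAMBDA)]

def rand_chal():
    return [secrets.choice((-1, 1)) for _ in range(LAMBDA)]
def rand_exp():
    return [secrets.randbelow(N) for _ in range(LAMBDA)]

def hadamard(u, v):       # the paper's componentwise product x ⊙ y on {-1,1}^n; x ⊙ x = 1
    return [x * y for x, y in zip(u, v)]

def keygen():
    """pk = (A0, A1); the signer keeps only one secret, sk = (delta, a_delta)."""
    a0, a1, delta = secrets.randbelow(N), secrets.randbelow(N), secrets.randbelow(2)
    return (act(a0, E0), act(a1, E0)), (delta, (a0, a1)[delta])

def signer1(sk, pk):
    """BS.S1: commit honestly on side delta and simulate side 1-delta (HVZK)."""
    delta, _ = sk
    y, c_sim, r_sim = rand_exp(), rand_chal(), rand_exp()
    Y = [None, None]
    Y[delta] = [act(yi, E0) for yi in y]                        # Y*_delta = [g^{y*}] * E0
    Y[1 - delta] = [act_signed(ri, ci, pk[1 - delta]) for ri, ci in zip(r_sim, c_sim)]
    return (y, c_sim, r_sim), tuple(Y)                         # (state_S, rho_S1)

def user1(pk, msg, rho1):
    """BS.U1: blind each commitment with (d_b, z_b) and derive the blinded challenge c*."""
    d, z = [rand_chal(), rand_chal()], [rand_exp(), rand_exp()]
    # Y_b = [g^{z_b}] * (Y*_b)^{d_b}: twist the commitment where d_b = -1
    Y = [[act(zi, Yi if di == 1 else twist(Yi)) for zi, di, Yi in zip(z[b], d[b], rho1[b])] for b in range(2)]
    cstar = hadamard(hadamard(hash_chal(Y[0], Y[1], msg), d[0]), d[1])   # c* = c ⊙ d0 ⊙ d1
    return (pk, msg, d, z), cstar                                         # (state_U, rho_U)

def signer2(sk, state, cstar):
    """BS.S2: reject rho_U outside the challenge space, then respond on side delta."""
    if len(cstar) != LAMBDA or any(x not in (-1, 1) for x in cstar):
        raise ValueError("user message is not in {-1,1}^n")
    delta, a_d = sk
    y, c_sim, r_sim = state
    c_d = hadamard(cstar, c_sim)                                 # c*_delta = c* ⊙ c*_{1-delta}
    r_d = [(yi - a_d * ci) % N for yi, ci in zip(y, c_d)]        # r*_delta = y* - a_delta c*_delta
    cs, rs = [None, None], [None, None]
    cs[delta], rs[delta], cs[1 - delta], rs[1 - delta] = c_d, r_d, c_sim, r_sim
    return tuple(cs), tuple(rs)                                  # rho_S2

def user2(state, rho2):
    """BS.U2: unblind (c_b = c*_b ⊙ d_b, r_b = z_b + d_b r*_b) and output sigma only if it verifies."""
    pk, msg, d, z = state
    cs, rs = rho2
    sig = tuple((hadamard(cs[b], d[b]), [(zi + di * ri) % N for zi, di, ri in zip(z[b], d[b], rs[b])])
                for b in range(2))
    return sig if verify(pk, msg, sig) else None

def verify(pk, msg, sig):
    """BS.Verify: recompute Y_b = [g^{r_b}] * A_b^{c_b} and check c_0 ⊙ c_1 = H(Y_0, Y_1, M)."""
    (c0, r0), (c1, r1) = sig
    Y0 = [act_signed(r, c, pk[0]) for r, c in zip(r0, c0)]
    Y1 = [act_signed(r, c, pk[1]) for r, c in zip(r1, c1)]
    return hadamard(c0, c1) == hash_chal(Y0, Y1, msg)

def extract(pk, rho2_a, rho2_b):
    """Special-soundness extractor of Section 4.1: two valid responses to the same commitment
    under different challenges reveal a_0 or a_1 by cancelling the exponents."""
    (cs_a, rs_a), (cs_b, rs_b) = rho2_a, rho2_b
    for b in range(2):
        for i in range(LAMBDA):
            if cs_a[b][i] != cs_b[b][i]:
                # [g^r]*A = [g^{r'}]*A^t  =>  h^{r+a} = h^{r'-a}  =>  a = (r' - r) / 2 mod N
                r_plus, r_minus = (rs_a[b][i], rs_b[b][i]) if cs_a[b][i] == 1 else (rs_b[b][i], rs_a[b][i])
                a = ((r_minus - r_plus) * pow(2, -1, N)) % N      # N is odd, so 2 is invertible
                return (b, a) if act(a, E0) == pk[b] else None
    return None

def demo(msg="constructed message"):
    """One honest session, then the rewinding step the OMUF reduction performs on the signer."""
    pk, sk = keygen()
    state_s, rho1 = signer1(sk, pk)
    state_u, cstar = user1(pk, msg, rho1)
    rho2 = signer2(sk, state_s, cstar)
    sig = user2(state_u, rho2)
    rho2_forked = signer2(sk, state_s, [-x for x in cstar])      # same commitment, new challenge
    return sig is not None and verify(pk, msg, sig) and extract(pk, rho2, rho2_forked) == sk
```

The rewinding in demo, which answers two different challenges from the same signer state, is exactly what the reduction of Section 3 does to the adversary and exactly what an honest signer must never do: reusing state_S across sessions hands the secret a_δ to whoever sees both responses, which is why BS.S_2 consumes its state once. Note also that extract can only land on the honestly computed side, since the simulated side (c*_{1−δ}, r*_{1−δ}) is identical in both transcripts.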

Proof of Correctness and Blindness
Correctness can be checked by a routine calculation. For completeness, we provide the proof below.

Theorem 4.1 (Correctness). The blind signature scheme in Figure 2 is (perfectly) correct.
Proof. To show correctness, it suffices to show that Eq. (1) holds when both the signer and the user follow the protocol. First, it can be checked that we have
1}. The case b = 1 − δ holds by definition, and the other case holds due to the correctness of the base OR sigma protocol (see Section 4.1).
(1) as desired. Note that we use the fact that x ⊙ x = 1 for any x ∈ {−1, 1} in the first equality.
The proof of blindness is also standard. Since checking that A is a valid elliptic curve can be done efficiently, and for such a valid A there exists a unique a ∈ Z_N such that [g^a] ⋆ E_0 = A, our blind signature is secure even against a malicious signer outputting an arbitrary public key.

Theorem 4.2 (Blindness). The blind signature scheme in Figure 2 is (perfectly) blind under chosen keys.
Proof. It suffices to show that for any valid public key pk and any first- and second-signer messages
that could have generated σ. In other words, it suffices to show that, fixing an arbitrary (pk, ρ_{S,1}, ρ_{S,2}), there exists a bijection between a valid σ and state_U. Here, note that any public key pk = (A_0, A_1) output by the adversary (i.e., the malicious signer) A can be efficiently checked to consist of valid elliptic curves (i.e., supersingularity). Below, we let (a_0, a_1) ∈ Z_N^2 be the unique secret key sk = (a_0, a_1) such that
Therefore, state_U is indeed a user state that results in the valid signature σ. Moreover, for any choice of ρ_{S,2} and any σ ≠ σ′, it can be checked that the corresponding user states state_U and state′_U defined as above are distinct. Hence, there is a bijection between a valid signature and a user state. This concludes the proof.

Proof of One-More Unforgeability
Our proof of OMUF consists of preparing the necessary tools to invoke Theorem 3.12. Specifically, we define instances (see Definition 3.1), the map Φ_{rand,h⃗} (see Definition 3.8), and the witness extractors (Ext_0, Ext_1) (see Definition 3.9), and prove that Lemmas 3.10 and 3.11 hold.
Below, we write X⃗ as shorthand for a vector (X^(1), …, X^(ℓ)) and endow X⃗ with the same operations defined for X^(k), applied componentwise. Moreover, recall that rand denotes the adversary's randomness, and h⃗ = (c^(1), …, c^(ℓ)) is the random oracle's response vector, conditioned on the adversary making only ℓ random oracle queries. Finally, once the instance, the adversary's randomness, and the hash output tuple (I, rand, h⃗) are fixed, the query transcript e⃗(I, rand, h⃗), the vector of user message ρ_U queries made to the signing algorithm BS.S_2, is defined. We denote it by c⃗* below to be consistent with the notation used in our construction.
Preparation: Instances. Let us first define the 0-side instance I_0 and the 1-side instance I_1. Below, we assume the adversary against the one-more unforgeability game makes ℓ signing queries in total.
• A 1 : The part of the public key pk = (A 0 , A 1 ) whose secret key is unknown.
• r*_1^(k): The exponent of the commitment Y*_1^(k) in the k-th (k ∈ [ℓ]) first-sender message when δ = 0.
Non-bold font indicates the entries of a vector.
• A 0 : The part of the public key pk = (A 0 , A 1 ) whose secret key is unknown.
We next define the map Φ_{rand,h⃗} that maps a 0-side instance I_0 into a 1-side instance I_1 and vice versa. Concretely, a 0-side instance maps to a 1-side instance I_1 such that
where a_1 is such that [g^{a_1}] ⋆ E_0 = A_1, and recall that c⃗* = e⃗(I_0, rand, h⃗). On the other hand, a 1-side instance maps to a 0-side instance I_0 such that
Preparation: Witness Extractors (Ext_0, Ext_1). Fix I, rand and let (
We define the witness extractors (Ext_0, Ext_1) as in Fig. 3. The following lemma establishes the correctness of the witness extractors.
Moreover, since h⃗ and h⃗′ agree up to the i-th entry and the challenger's and adversary's randomness are fixed, the inputs to the hash function agree. Namely, we have
Since c^(i) ≠ c′^(i), we must have c_0 ≠ c′_0 or c_1 ≠ c′_1. By the special soundness of the underlying sigma protocol (see Section 4.1), one of Ext_0 or Ext_1 always outputs a valid secret key. This completes the proof.
Proof of One-More Unforgeability. We prove the following two lemmas required to invoke the main theorem, Theorem 3.12.
Proof. Since the proofs for the 0-side and 1-side instances I_0 and I_1 are analogous, we only consider the 0-side instance. For any rand and h⃗, consider the query transcript e⃗(I_0, rand, h⃗) = c⃗*, i.e., the vector of user message ρ_U queries made by the adversary to the signing algorithm BS.S_2. Since the underlying sigma protocol is perfectly witness indistinguishable (see Section 4.1), for each i ∈ [ℓ] and c*^(i), there is a set of randomness that a signer with secret key (1, a_1) (i.e., a 1-side witness) could have used to produce the same view (i.e., first- and second-signer messages) to the adversary. Concretely, this set of randomness is exactly the one defined by Φ_{rand,h⃗}(I_0). Hence, we have trans(I_0, rand,
Hence, it is a bijection as desired. This completes the proof.
Combining everything together, we obtain the following.
Theorem 4.6 (One-more Unforgeability). The blind signature scheme in Figure 2 is one-more unforgeable. More specifically, for all ℓ ∈ N, if there exists an adversary A that makes Q hash queries to the random oracle and breaks the ℓ-one-more unforgeability of BS with advantage $\epsilon_A \geq \frac{C_1}{2^n}\binom{Q}{\ell+1}$, then there exists an algorithm B that breaks the GAIP problem with advantage $\epsilon_B \geq \frac{C_2\,\epsilon_A^2}{\binom{Q}{\ell+1}^2 (\ell+1)^3}$ for some universal positive constants C_1 and C_2.
Proof. We define the hard instance generator IG to output a GAIP instance. The proof then follows from Lemma 4.4 above and Theorem 3.12, i.e., the main theorem of Kastner et al. [KLX22a].

Extension to Partially Blind Signatures
In this section, we provide our isogeny-based partially blind signature. We first explain the sigma protocol that underlies our isogeny-based partially blind signature and then show how to compile it into a partially blind signature.

Base Sigma Protocol for a 2-Out-of-3 Relation
We consider a sigma protocol to prove that the prover knows at least two of the three secrets corresponding to the public statement X = (A_0, A_1, A_2) = ([g^{a_0}] ⋆ E_0, [g^{a_1}] ⋆ E_0, [g^{a_2}] ⋆ E_0). The sigma protocol is depicted in Fig. 4. Since the secret a_2 for A_2 will be known to both the signer and the user in our partially blind signature, we assume the prover always knows the secret a_2 and proves knowledge of one other secret, a_0 or a_1, in our sigma protocol. While these properties are implicit in the partially blind signature, we sketch the properties of our sigma protocol for completeness.

Description of Our Partially Blind Signature
We are now able to present our isogeny-based partially blind signature. Let (p, N, E_0) be the public parameters, g a generator of Cℓ(O), and H : {0, 1}^* → {−1, 1}^n as defined in Section 4. We also require another hash function G : {0, 1}^* → Z_N that is modeled as a random oracle. Note that H and G can be implemented by a single random oracle using domain separation. The following algorithms are summarized in Fig. 5.
PBS.S_1(sk, info): The signer performs the following for j ∈ {0, 1}: it samples (y*_{δ,j}, y*_{2,j})

Proof of Correctness and Blindness
Correctness can be checked by a routine calculation. For completeness, we provide the proof below.
(y*_{δ,j}, y*_{2,j}) 1} ∥info∥M), we obtain Eq. (3) as desired. Note that we use the fact that x ⊙ x = 1 for any x ∈ {−1, 1} in the first equality.
The proof of blindness is also standard. Since checking that $A$ is a valid elliptic curve can be done efficiently, and for every such valid $A$ there exists a unique $a \in \mathbb{Z}_N$ such that $[g^a] * E_0 = A$, our partially blind signature is secure even against a malicious signer outputting an arbitrary public key.
Theorem 5.2. The partially blind signature scheme in Figure 5 is (perfectly) blind under chosen keys.
Proof. It suffices to show that for any valid public key pk, tag info, any first and second-signer messages

there exists a unique and pair-wise distinct user state state
In other words, it suffices to show that fixing an arbitrary (pk, info, ρ S,1 , ρ S,2 ), there exists a bijection between a valid σ and state U . Here, note that any public key pk = (A 0 , A 1 ) output by the adversary (i.e., malicious signer) A can be efficiently checked to be valid elliptic curves (i.e., supersingularity). Below, we let (a 0 , a 1 ) ∈ Z 2 N be the unique secret key sk = (a 0 , a 1 ) such that (A 0 , A 1 ) = ([g a0 ] * E 0 , [g a1 ] * E 0 ) and set a 2 = G(info) and A 2 = [g a2 ] * E 0 .
• A 1 : The part of the public key pk = (A 0 , A 1 ) whose secret key is unknown.
• A 0 : The part of the public key pk = (A 0 , A 1 ) whose secret key is unknown.
In the above, note that the randomness $(\vec{y}_{2,0}, \vec{y}_{2,1})$ associated with the tags $\vec{\mathsf{info}}$ is identical for both instances, and moreover, chosen independently of the tags queried by the adversary. This will be a crucial observation when applying Theorem 3.12, which focuses on the one-more unforgeability of blind signatures, to the partially blind signature setting.
Preparation: Map Φ rand, − → h . We next define the map Φ rand, − → h that maps a 0-side instance I 0 into a 1-side instance I 1 and vice versa. Concretely, a 0-side instance I 0 = (0, a 0 , A 1 , maps to a 1-side instance I 1 given by On the other hand, a 1-side instance I 1 = (1, a 1 , A 0 maps to a 0-side instance I 0 such that  where recall that Preparation: Witness Extractors (Ext 0 , Ext 1 ). Fix I, rand and let ( We define the witness extractors (Ext 0 , Ext 1 ) as in Fig. 6. The following lemma establishes the correctness of the witness extractors.
Moreover, since $\vec{h}$ and $\vec{h}'$ agree up to the $i$-th entry and the challenger's and adversary's randomness are fixed, the inputs to the hash functions agree. Namely, we have Due to the special soundness of the underlying sigma protocol (see Section 5.1), the witness extractors $\mathsf{Ext}_0$ and $\mathsf{Ext}_1$ each output a valid secret key from the 0-side and 1-side instances, respectively. Moreover, since Thus, at least one of $\mathsf{Ext}_0$ or $\mathsf{Ext}_1$ always outputs a valid secret key; if $c_1 \neq c_1'$, then they both output a valid secret key. This completes the proof.
Proof of One-More Unforgeability. We prove the following two lemmas required to invoke the main theorem, Theorem 3.12. Proof. Since the proofs for the 0-side and 1-side instances $I_0$ and $I_1$ are analogous, we only consider the 0-side instance. For any $(\mathsf{rand}, \vec{h})$, let us consider the query transcript $\vec{e}(I_0, \mathsf{rand}, \vec{h}) = \vec{c}^*$, i.e., the vector of user message $\rho_U$ queries made by the adversary to the signing algorithm PBS.S$_2$. Since the underlying sigma protocol is perfectly witness indistinguishable (see Section 5.1), for each $i \in [\ell]$ and $c^{*(i)}$, there is a set of randomness that the signer with a secret key $(1, a_1)$ (i.e., a 1-side witness) could have used to produce the same view (i.e., first and second-signer messages) to the adversary. Concretely, this set of randomness is exactly the one defined by $\Phi_{\mathsf{rand},\vec{h}}(I_0)$. Hence, we have $\mathsf{trans}(I_0, \mathsf{rand},$ Hence, it is a bijection as desired. This completes the proof.
Lemma 5.5. Lemma 3.11 holds for the witness extractors $(\mathsf{Ext}_0, \mathsf{Ext}_1)$.
Proof. Since the proofs for 0-side and 1-side witnesses are analogous, we only consider the 0-side witness. Suppose the 0-side witness can be extracted from the base $(I, \mathsf{rand}, \vec{h}), (I, \mathsf{rand}, \vec{h}')$ at index $i$, but cannot be extracted from either of the sides $(I, \mathsf{rand},$ Due to the description of our witness extractors $(\mathsf{Ext}_0, \mathsf{Ext}_1)$ in Fig. 6, we have $(c_0', c_1') = (c_0'', c_1'')$ and $(c_0, c_1) = (c_0'', c_1'')$ if the 0-side witness cannot be extracted from either of the sides. This implies that $(c_0, c_1) = (c_0', c_1')$. However, this means that $\mathsf{Ext}_0$ fails to extract a 0-side witness, contradicting our assumption. This completes the proof.
Combining everything together, we obtain the following.
Theorem 5.6 (One-more Unforgeability). The partially blind signature scheme in Figure 5 is one-more unforgeable. More precisely, for all $\ell \in \mathbb{N}$, if there exists an adversary $\mathcal{A}$ that makes $Q$ hash queries to the random oracle and breaks the $\ell$-one-more unforgeability of our PBS with advantage $\epsilon_{\mathcal{A}} \ge \frac{C_1}{2^n} \cdot \binom{Q}{\ell+1}$, then there exists an algorithm $\mathcal{B}$ that breaks the GAIP problem with advantage $\epsilon_{\mathcal{B}} \ge \frac{C_2 \cdot \epsilon_{\mathcal{A}}^2}{\binom{Q}{\ell+1}^2 \cdot (\ell+1)^3}$ for some universal positive constants $C_1$ and $C_2$.
Proof. We define the hard instance generator IG to output a GAIP instance. Then, the proof follows from the above Lemmas 3.10 and 3.11 and by invoking Theorem 3.12, i.e., the main theorem of Kastner, Loss, and Xu [KLX22a]. To be precise, [KLX22a, Theorem 1] is for blind signatures and not the partially blind variant-however, it can be checked that the same proof applies to our partially blind signature by observing that our definition of 0-side and 1-side instances are defined independently of the tags − − → info used by the adversary, where note that − − → info is implicitly defined by (I, rand, − → h ). In particular, the probability that the reduction extracts the correct witness (i.e., the witness not used by the reduction), can be bounded following the same argument as [KLX22a, Theorem 1].
Remark 5.7 (Comparing to the Abe-Okamoto Partially Blind Signature). We note that the reason why the same argument does not hold for the Abe-Okamoto partially blind signature [AO00] is that the tag info is explicitly required to define the instances. In more detail, the Abe-Okamoto partially blind signature only has one secret key a 0 ∈ Z p attached to the verification key h 0 = g a0 ∈ G. To sign with respect to a tag info, the signer hashes info to a group element h info and then performs an OR proof that it knows a secret key to either h 0 or h info . In the security proof, the reduction hashes info to a group element h info = g a info while knowing the exponent a info . In case the adversary is restricted to use only one tag info, the proof can define the 0-side and 1-side instances by using a 0 and a info , respectively, and in particular independently of the adversary's randomness. However, when there is more than one tag, we can no longer define a well-defined 1-side instance. This is why Kastner, Loss and Xu and Abe and Okamoto first prove the single-tag setting and then prove the multi-tag setting by guessing which tag info the adversary forges on.

Optimization Using Higher Degree Roots of Unity
We investigate the possibility of reducing the signature size by exploiting the $\mathbb{Z}$-module structure of the ideal class group. In this section, we present a generalized construction of the blind signature presented in Section 4 based on a new assumption, the ring group action inverse problem (rGAIP), which is a generalized version of the group action inverse problem (GAIP). In Sections 6.4 to 6.6, we provide the proofs of correctness, blindness, and OMUF of the construction under the assumption that rGAIP is hard and discuss the applicability of the partialness technique given in Section 5. In Section 7, we analyze the hardness of rGAIP for the CSIDH-512 parameter set and show that not all rGAIP instances are equally difficult.

Overview and Preparation
Notations. We summarize some notations unique to this section. We use $\mathbb{Z}_d$ to denote the set $\{0, \ldots, d-1\}$. Moreover, any vector is indexed from 0, e.g., $\mathbf{a} \in \mathbb{Z}_d^\kappa$ is expressed as $(a_0, \ldots, a_{\kappa-1})$. With an overload of notation, for any integer $j$, we define the bold font $\mathbf{j}$ as the length-$\kappa$ vector $(j, \ldots, j)$. For any positive integer $d$ and $a \in \mathbb{Z}$ or $\mathbb{Z}_d$, we use $[a]_d$ to denote $(a \bmod d) \in \mathbb{Z}_d$. For simplicity of notation, we use the exponent of $\langle \zeta \rangle$ to represent the challenge space of a sigma protocol, with the understanding that $\zeta$ is a primitive $d$-th root of unity. That is, we will draw a challenge $c$ from $\mathbb{Z}_d$. The operation between challenges is thereby the addition $c_0 + c_1$, corresponding to the multiplication $\zeta^{c_0+c_1} = \zeta^{c_0}\zeta^{c_1}$.
Overview. It is a natural attempt to reduce the signature size by considering a larger public key space. Indeed, as shown in [BKV19, Section 5.1], such an optimization is possible for standard signature schemes by relaxing GAIP to the multi-target GAIP. As a result, the soundness error of the underlying sigma protocol in a single round decreases from $\frac{1}{3}$ to $\frac{1}{2S-1}$ for a public key size $S$. Since the number of repetitions decreases to $\frac{n}{\log_2(2S-1)}$, this technique makes it possible to decrease the signature size, signing, or verification time at the cost of an increased public key size. For isogeny-based protocols, which are generally slow but offer small key sizes, this is a very favorable tradeoff.
Unfortunately, a natural adaptation of the same relaxation will not apply to our case because the multi-target GAIP does not offer the particular structure that our blind signature requires. Roughly speaking, a main component of our blind signature requires a user/verifier to compute $[g^{z + y^* d}] * E_0$ while only given $[g^{y^*}] * E_0 \in \mathcal{E}$, $z \in \mathbb{Z}_N$ and $d$. This is only feasible by using the quadratic twist, which is when $d \in \{-1, 1\}$. An unstructured random public key not only fails to benefit the user but also breaks the group structure of the challenge space, since $d$ is no longer restricted to $\{-1, 1\}$.
To this end, we present a novel technique that allows us to trade off between efficiency and the signature size using a structured public key. The high-level idea is fairly simple: to generalize the concept of the quadratic twist in the sense of the group action relation. In the previous section, both parties compute the action of $[g^r]$ on a curve $E_0$ or $E_0^{-1}$ with respect to the challenge $c \in \mathbb{Z}_3^\times = \{-1, 1\}$. Recall that $([g^r] * E_0)^{-1} = [g^{-r}] * E_0$. In other words, the challenge $c \in \mathbb{Z}_3^\times = \{-1, 1\}$ is encoded into $g^c$. Since $-1$ is a primitive second root of unity over $\mathbb{Z}_N$, the challenge space, as a (multiplicative) group, induces an action on $\mathcal{E}$ by computing the twist.
We generalize the concept by expanding the challenge space to $\langle \zeta \rangle = \{1, \zeta, \zeta^2, \ldots, \zeta^{d-1}\}$, where $d \in \mathbb{N}$ and $\zeta$ is a primitive $d$-th root of unity over $\mathbb{Z}_N^\times$; that is, $\zeta$ satisfies $\zeta^d = 1$ and $\zeta^j \neq 1$ for any $j \in [d-1]$. Note that $\langle \zeta \rangle$ is naturally a multiplicative (sub)group, which offers the operation over the challenge space. The action of $(r, c) \in \mathbb{Z}_N \times \mathbb{Z}_d$ on a curve $E_0 \in \mathcal{E}$ is defined to be $[g^{r\zeta^c}] * E_0$. When $d = 2$ and $\zeta$ can be taken to be $-1$, this is identical to the scheme in the previous section. However, unlike the case $d = 2$ where we have the formula derived from the quadratic twist, when $d \ge 3$ the signer is required to compute $[g^{y^*_{b,j}\zeta}] * E_0$ for each $(b, j) \in [2] \times [\kappa]$ in BS.S$_1$ to aid the user's computation.

Preparation.
Our construction requires one more property from the $d$-th primitive root of unity $\zeta$ to be useful. Looking ahead, when we construct a sigma protocol for the rGAIP relation, the special soundness extractor must solve for the secret exponent $a \in \mathbb{Z}_N$, given $c_1, c_2 \in \mathbb{Z}_N^2$ and $r_1 = y + a\zeta^{c_1}$, $r_2 = y + a\zeta^{c_2} \pmod N$ for unknown $a$ and $y$. If $\mathbb{Z}_N$ is a finite field, then this is trivial. However, in general when $\mathbb{Z}_N$ is a ring, such an $a$ may not be efficiently computable. One sufficient condition would be to only use a $d \in \mathbb{Z}_N$ such that $(\zeta^{c_1} - \zeta^{c_2})$ is invertible over $\mathbb{Z}_N$ for all distinct $(c_1, c_2) \in \mathbb{Z}_N^2$. However, this is an overly restrictive requirement and we thus make the following relaxed requirement.
The requirement is equivalent to finding a $d$ such that $d$ divides many Euler values of maximal prime power divisors of the class number (see Section 7.1 about the existence of and finding such a root). Informally, when $\eta_d$ is polynomial in the security parameter $n$, then we can brute force all $a \in \mathbb{Z}_N$ such that $a \cdot (\zeta^{c_1} - \zeta^{c_2}) = z$ for a given $(c_1, c_2, z) \in \mathbb{Z}_N^3$. Formally, we have the following.
Lemma 6.1. Let $(N, d, \zeta)$ be a public parameter where the factorization of $N$ is known, and let $\eta_d = \mathrm{lcm}_{i \in [d-1]}\big(\gcd(\zeta^i - 1, N)\big)$. Then, there exists an extractor $\mathsf{Ext}'$ that takes as input the public parameter and $(r_1, r_2, c_1, c_2) \in \mathbb{Z}_N^2 \times \mathbb{Z}_d^2$, where $c_1, c_2$ are distinct, with relations $r_1 = y + a\zeta_d^{c_1}$, $r_2 = y + a\zeta_d^{c_2} \pmod N$, and outputs a list containing $a \in \mathbb{Z}_N$ of size not greater than $\eta_d$ in time $\mathrm{poly}(\eta_d)$.
Proof. By calculating $(r_1 - r_2)\zeta_d^{-c_2} = a(\zeta_d^{c_1 - c_2} - 1)$, the extractor solves for $a$ by solving the linear equation lifted to each prime power factor of $N$, and then uses the Chinese remainder theorem to obtain a list of candidates for $a$. The size of the list is the number of solutions of the linear equation, which is at most $\eta_d$.
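As an added illustration of Lemma 6.1 (this is not code from the paper), the following Python implements $\mathsf{Ext}'$ on a constructed toy modulus $N = 3^2 \cdot 5 \cdot 13 \cdot 17$ with $d = 4$: it solves $a(\zeta^{c_1-c_2} - 1) = (r_1 - r_2)\zeta^{-c_2}$ modulo each prime power factor and recombines the solutions by CRT; the root $\zeta$, the factorization and the sample secrets are all constructed here. The factor $\mathbb{Z}_9^\times$ has no element of order 4, so $\zeta \equiv -1$ there and $\eta_4 = 9$, which is exactly what makes the candidate list grow to 9 entries when $c_1 - c_2 \equiv 2 \pmod 4$.

```python
from functools import reduce
from itertools import product
from math import gcd

# Constructed toy parameters (not CSIDH values): N = 3^2 * 5 * 13 * 17 with its
# factorization known, as Lemma 6.1 assumes. d = 4, and zeta is a primitive
# 4th root of unity mod N assembled by CRT from per-factor choices: an element
# of order 4 mod 5, 13 and 17, and -1 mod 9 (Z_9^x has no element of order 4).
FACTORS = [(3, 2), (5, 1), (13, 1), (17, 1)]
N = 3**2 * 5 * 13 * 17
D = 4


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        k = ((r - x) * pow(m, -1, q)) % q   # lift x so that x ≡ r (mod q)
        x, m = x + m * k, m * q
    return x % m


ZETA = crt([9 - 1, 2, 5, 4], [9, 5, 13, 17])


def lcm(a, b):
    return a * b // gcd(a, b)


def eta(n, d, zeta):
    """eta_d = lcm_{i in [d-1]} gcd(zeta^i - 1, N): the list-size bound of Lemma 6.1."""
    return reduce(lcm, (gcd(pow(zeta, i, n) - 1, n) for i in range(1, d)), 1)


def solve_mod_prime_power(m, t, q):
    """All a in Z_q with a*m ≡ t (mod q); q must be a prime power."""
    m, t = m % q, t % q
    g = gcd(m, q)
    if t % g:
        return []
    q1 = q // g                 # m/g is a unit mod q1 because q is a prime power
    base = 0 if q1 == 1 else ((t // g) * pow(m // g, -1, q1)) % q1
    return [(base + k * q1) % q for k in range(g)]


def ext_prime(r1, r2, c1, c2, n=N, d=D, zeta=ZETA, factors=FACTORS):
    """Ext' of Lemma 6.1: from r1 = y + a*zeta^c1 and r2 = y + a*zeta^c2 (mod N)
    with c1 != c2, return the sorted list of all candidates for a (it contains a)."""
    assert c1 % d != c2 % d, "challenges must be distinct"
    m = (pow(zeta, (c1 - c2) % d, n) - 1) % n          # coefficient of a
    t = ((r1 - r2) * pow(zeta, (-c2) % d, n)) % n      # (r1 - r2) * zeta^{-c2} = a * m
    moduli = [p**e for p, e in factors]
    per_factor = [solve_mod_prime_power(m, t, q) for q in moduli]
    # One CRT recombination per choice of a solution in each prime power factor.
    return sorted(crt(list(res), moduli) for res in product(*per_factor))


def run_extraction(a, y, c1, c2):
    """Build the two honest responses for secret a, randomness y and two challenges
    (constructed sample values), then run Ext' on them."""
    r1 = (y + a * pow(ZETA, c1, N)) % N
    r2 = (y + a * pow(ZETA, c2, N)) % N
    return ext_prime(r1, r2, c1, c2)


if __name__ == "__main__":
    print("zeta =", ZETA, "zeta^4 mod N =", pow(ZETA, D, N), "eta_4 =", eta(N, D, ZETA))
    for c1, c2 in [(0, 1), (1, 3)]:
        cands = run_extraction(1234, 777, c1, c2)
        print(f"c1={c1}, c2={c2}: {len(cands)} candidate(s), true a present: {1234 in cands}")
```

The final step of the lemma's use in Section 6.2, filtering the list against the public statement, needs the group action and is therefore not part of this offline example.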

Base Sigma Protocol with a Large Challenge Space
We first introduce the base sigma protocol with a larger challenge space assuming Requirement 1. This is depicted in Fig. 7 with the boxed components omitted. We will show the correctness, HVZK, and, importantly, special soundness of this sigma protocol.
Figure 7: The base sigma protocol with a large challenge space, where the box is to be ignored. Other notations are explained in the paragraph above Section 6.2. The base sigma protocol can be made compatible with blind signatures by running the boxed lines instead of the preceding non-boxed lines.
Correctness. It suffices to show the equation.
for b ∈ {0, 1}. For the case b = 1 − δ, the equation holds naturally. For the case b = δ, we have where we use the fact that A c δ = [g a δ ζ c ] * E 0 for any c ∈ Z d .

HVZK.
Given a challenge c ∈ Z κ d , a zero-knowledge simulator Sim samples random (c 0 , c 1 ) Y 1 ), c, (r 0 , r 1 , c 0 , c 1 )). Since there is a bijection between r b and Y b once c b is fixed, this produces a transcript identically distributed as a real transcript.
Witness Indistinguishable. This is a direct consequence of the above since perfect HVZK implies perfect witness indistinguishability.
Special Soundness. It suffices to show that special soundness holds for $\kappa = 1$. Let $((Y_0, Y_1), c, (r_0, r_1, c_0, c_1$ N ) where $y, a_0$ are unknown. Since we assume Requirement 1 holds, we can use the extractor $\mathsf{Ext}'(r_0, r_0', c_0, c_0')$ in Lemma 6.1 to obtain a list of size $\eta = \mathrm{lcm}_{i \in [d-1]}(\gcd(\zeta^i - 1, N)) = \mathrm{poly}(n)$ containing $a_0 \in \mathbb{Z}_N$ in polynomial time. We can find $a_0$ in the list by running through each element and checking whether it maps to the statement $(A_0^j)_{j \in \mathbb{Z}_d}$ or $(A_1^j)_{j \in \mathbb{Z}_d}$. Here, we implicitly assume the statement is honestly generated and that this check always terminates.

Enhancing the Base Sigma Protocol for Blind Signatures
Before explaining our blind signature, we make a subtle but important modification to our base sigma protocol. To understand this modification, notice that if we tried to use a similar idea as in the prior sections to blind $Y_b = [g^{y_b}] * E_0$ for $b \in \{0, 1\}$, the user must randomize it to a value $[g$ This was doable when $d = 2$, since $\zeta = -1$ and $[g^{y_b \zeta^{d_b}}] * E_0$ is simply the quadratic twist of $Y_b$. However, in general, such a computation cannot be performed. To this end, we let the prover include components that will later help the user in the blind signature. This extension to our basic sigma protocol is illustrated in Fig. 7, where the box represents the modification. The prover sends $[g^{y_b \zeta^j}] * E_0$ for all $j \in \mathbb{Z}_d$ so that the user in the blind signature can choose whichever one it needs based on the $d_b$ it samples. We also modify the verifier of the base sigma protocol to check that $[g^{y_b \zeta^{d_b}}] * E_0$ were generated correctly. Below, we show that the extended sigma protocol satisfies correctness and HVZK. Since the extended sigma protocol includes the transcript of the base sigma protocol, special soundness is inherited.
Correctness. It suffices to show that For the case b = 1 − δ, the equation holds by definition. For the case b = δ, we have where we use the fact that A HVZK. Given a challenge c ∈ Z κ d , a zero-knowledge simulator Sim samples random (c 0 , c 1 ) , and outputs ((Y j 0 , Y j 1 ) j∈Z d , c, (r 0 , r 1 , c 0 , c 1 )) Since for every j ∈ Z d , there is a bijection between r b and Y j b once c b is fixed, this produces a transcript identically distributed as a real transcript.

Description of Our Optimized Blind Signature
We present our optimized isogeny-based blind signature building upon the enhanced base sigma protocol in Section 6.2. Let $(p, N, E_0)$ be the public parameter and $g$ be a generator of the ideal class group $C\ell(\mathcal{O})$ as in Section 4. Let $\zeta$ be a $d$-th root of unity. We assume these parameters are provided to all algorithms. The parameter $\kappa \in \mathbb{N}$ indicates the number of repetitions of the underlying sigma protocol such that $d^\kappa \ge 2^n$. Let $H : \{0,1\}^* \to \mathbb{Z}_d^\kappa$ be a hash function modeled as a random oracle. The following algorithms are summarized in Fig. 8.
See the caption of Fig. 7 for further explanation of the notations.
Remark 6.2. One can observe that the only source of overhead in the communication bandwidth compared to the blind signature in Section 4 is in BS.S$_1$. The bandwidth is increased by a factor of $\frac{d\kappa}{2n}$.
Remark 6.3. We remark that it is possible to fuse our partial blindness technique and the generalized construction in this section and obtain an optimized PBS variant. By doing so, we can obtain a PBS with a smaller signature size based on the rGAIP. Roughly, there are three sequences of curves in the public statement, where the secret key of the third public key is derived from the public information. The underlying sigma protocol proves knowledge of two out of the three secrets corresponding to this statement. However, given the proofs in Section 5 and in this section, we expect the proof to be highly involved. We leave this as future work.

Proof of Correctness and Blindness
This subsection shows that our blind signature presented in Section 6.4 has (perfect) correctness and blindness.
Theorem 6.4. The blind signature scheme in Figure 8 is (perfectly) correct.
Proof. To show correctness, it suffices to show that the equation holds when both the signer and user follow the protocol. From the description of BS.U$_1$, BS.S$_2$ and BS.U$_2$, we have c = c . Therefore, we have $c = c_0 + c_1$, which shows the left-hand side of the equation. It remains to show where Eq. (7) follows from the check performed by BS.U$_2$ and Eq. (8) follows from the definition of $(c_b, r_b)$.
Next, we show that the generalized blind signature is perfectly blind. Notably, blindness holds even under chosen keys. This is a strong property, since if a malicious signer uses malformed supersingular curves in $\mathcal{E}$ without the ring structure as the public key, the user cannot detect this. The main reason why we can argue perfect blindness is that if the public key is malformed, then the pair of curves in the first message $(Y_0^{j*}, Y_1^{j*})_{j \in \mathbb{Z}_d}$ is also malformed in a controlled manner. If there exists one user state that leads to a valid signature, then we can argue that the first message must be in a specific (but possibly incorrect) form regardless of the user state. Using this, we are able to establish a bijection between an arbitrary user state and a valid signature, conditioned on fixed first and second signer messages and a user message. Namely, any valid signature could have been produced with equal probability.
Theorem 6.5. The blind signature scheme in Figure 8 is (perfectly) blind under chosen keys.
Proof. Let $(\rho_{S,1,0}, \rho_{S,2,0})$ and $(\rho_{S,1,1}, \rho_{S,2,1})$ be the two sets of first and second-signer message pairs the adversary $\mathcal{A}$ queries to oracles $\mathsf{U}_1$ and $\mathsf{U}_2$. Moreover, let $\rho_{U,b}$ be the user message returned by oracle $\mathsf{U}_1$ when $\mathcal{A}$ queries with $\rho_{S,1,b}$ for $b \in \{0, 1\}$, and let $(\sigma_{\mathsf{coin}}, \sigma_{1-\mathsf{coin}})$ be the two signatures $\mathcal{A}$ sees at the end, where note that these two correspond to $M_0$ and $M_1$, respectively, regardless of the choice of $\mathsf{coin} \in \{0, 1\}$. We call $(\rho_{S,1,b}, \rho_{U,b}, \rho_{S,2,b})_{b \in \{0,1\}}$ the view of $\mathcal{A}$. To prove perfect blindness, it suffices to prove that the view is independent of $\mathsf{coin} \in \{0, 1\}$. In other words, since the randomness used by oracle $\mathsf{U}_1$ is defined by $(\mathsf{state}_{U,b})_{b \in \{0,1\}}$ and oracle $\mathsf{U}_2$ is deterministic, we prove that there exist two sets of states $(\mathsf{state}_{U,b})_{b \in \{0,1\}}$ that can be sampled by oracle $\mathsf{U}_1$ with equal probability such that they generate the same view to $\mathcal{A}$ but produce a different pair of signatures $(\sigma_0, \sigma_1)$ and $(\sigma_1, \sigma_0)$, respectively. Considering that the valid signature space and the user randomness/state space are identical, we prove the stronger statement that for any non-aborting (partial) view $(\rho_{S,1,0}, \rho_{U,0}, \rho_{S,2,0})$ of $\mathcal{A}$, there is a bijection between a valid signature $\sigma_0$ on message $M_0$ and a state $\mathsf{state}_{U,0}$ of the oracle $\mathsf{U}_1$. Below, we drop the subscript 0 for readability.
Let us denote the first and second-signer message as ρ S,1 = (Y j * 0 , Y j * 1 ) j∈Z d , ρ S,2 = (c * 0 , c * 1 , r * 0 , r * 1 ), a user message as ρ U = c * , and a valid signature for message M as σ = (c 0 , c 1 , r 0 , Here, note that any public key pk = ((A j 0 ) j∈Z d , (A j 1 ) j∈Z d ) output by the adversary (i.e., malicious signer) A can be efficiently checked to be valid elliptic curves (i.e., supersingularity) but cannot be checked if it has the correct cyclic structure.
We define a map between the signature σ = (c 0 , c 1 , r 0 , r 1 ) and user state state U = (d 0 , d 1 , z 0 , z 1 ) by It is easy to check that once the view (or ρ S,2 = (c * 0 , c * 1 , r * 0 , r * 1 )) is fixed, then this mapping is indeed a bijection. It remains to prove that this state U is a state that produces σ.
Observe that if BS.U 1 (pk, M, ρ S,1 ) samples state U , then it computes Moreover, due to restrictions on the blindness game, the view is non-aborting for at least one state state U . Combining this with the fact that the first check performed by BS.U 2 (state U , ρ S,2 ) only depends on ρ S,2 , and in particular independent of state U , we have [g r for j ∈ Z d and any state state U . Therefore, BS.U 2 always outputs σ as desired since the signature σ is assumed to be valid.
It remains to check that ρ ′ U = c ′ * generated by BS.U 1 is the desired ρ U = c * to complete the proof. Since σ is valid and due to the definition of state U , we have c * . Moreover, since the view is non-aborting, we are guaranteed that c , 1}, then we can conclude that c * = c ′ * as desired. This can be checked as follows, where we use for j ∈ Z d in the second equality: This completes the proof.

Proof of One-More Unforgeability
Our proof of OMUF consists of preparing the necessary tools presented in Section 3 to invoke Theorem 3.12. Specifically, we define instances $I_0, I_1$ (see Definition 3.1), the map $\Phi_{\mathsf{rand},\vec{h}}$ (see Definition 3.8), the witness extractors $(\mathsf{Ext}_0, \mathsf{Ext}_1)$ (see Definition 3.9) and prove that Lemmas 3.10 and 3.11 hold. We refer the reader to Section 4.4 for some of the notations used below.
Preparation: Instances. Let us first define the 0-side instance I 0 and the 1-side instance I 1 . Below, we assume the adversary against the one-more unforgeability game makes ℓ-signing queries in total.
• $A_1$: The part of the public key $\mathsf{pk} = (A_0 = (A_0^j)_{j \in \mathbb{Z}_d}, A_1 = (A_1^j)_{j \in \mathbb{Z}_d})$ whose secret key is unknown.
• $y_0^{*(k)}$: The exponent of the commitment $(Y_0^{j*(k)})_{j \in \mathbb{Z}_d}$ in the $k$-th ($k \in [\ell]$) first-sender message when
• $c_1^{*(k)}$: The simulated challenge in the $k$-th ($k \in [\ell]$) first-sender message when $\delta = 0$.
Figure 9: Witness extractors for our generalized blind signature for $\sigma, \sigma'$. In the above, $\sigma = (c_0, c_1, r_0, r_1)$ and $\mathsf{Ext}'$ is the extractor in Lemma 6.1. Non-bold font indicates the entries of a vector.
• $A_0$: The part of the public key $\mathsf{pk} = (A_0 = (A_0^j)_{j \in \mathbb{Z}_d}, A_1 = (A_1^j)_{j \in \mathbb{Z}_d})$ whose secret key is unknown.
• y
Lemma 6.6. $(\mathsf{Ext}_0, \mathsf{Ext}_1)$ in Fig. 9 satisfy the definition of witness extractors in Definition 3.9.

Finding a Root of Unity and Satisfying Requirement 1
We briefly discuss the existence of, and a process for finding, a primitive $d$-th root of unity $\zeta_d \in \mathbb{Z}_N^\times$ which satisfies Requirement 1. Firstly, it is a straightforward consequence of the fundamental theorem of finitely generated abelian groups and the definition of $\lambda(N)$ that $\mathbb{Z}_N^\times \cong \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_r}$ where $n_1 \mid n_2 \mid \cdots \mid n_r$ and $n_r = \lambda(N)$, so that a $d$-th root of unity exists if and only if $d$ is a divisor of $\lambda(N)$; here, $\lambda(\cdot)$ is the Carmichael function.
To find such a root for a given valid $d$, the most intuitive method, perhaps, is to start with a primitive $\lambda(N)$-th root of unity $\zeta_{\lambda(N)}$ and compute $\zeta_{\lambda(N)}^{\lambda(N)/d}$, which will have order exactly $d$. Unfortunately, this may result in a $d$-th root of unity that does not meet Requirement 1 (even when one exists which satisfies Requirement 1). In particular, we have to ensure that $\zeta$ is a generator modulo all but small prime power divisors of $N$ to conclude $\eta_d = \mathrm{lcm}_{i \in [d-1]}(\gcd(\zeta^i - 1, N)) = \mathrm{poly}(n)$. To this end, in every Sylow subgroup of $\mathbb{Z}_N^\times$, we find a generator of a cyclic subgroup of order $d$ (if one exists) and use the Chinese remainder theorem to obtain a $d$-th root of unity. If a root meeting Requirement 1 exists, this method ensures finding such a root.
Remark 7.1. In the list above, we only display $d$ that is a prime power. For other composite divisors of $\lambda(N)$, one can obtain the corresponding root by multiplication. For instance, we can obtain $\zeta_{23453} = \zeta_{47}\zeta_{499}$.
Concretely, for the CSIDH-512 parameter set, the totients of the small prime divisors of $N$ have the following (maximal) small prime power divisors: This implies that for the CSIDH-512 parameters we can only find a 4th root of unity meeting Requirement 1 (with $\eta_4 = 3$), since only $\mathbb{Z}_3^\times$ has no cyclic subgroup of order 4. For example, for any 3rd root of unity $\zeta_3$, we always have a 134-bit divisor of $\gcd(\zeta_3 - 1, N)$. Therefore, $\zeta_4$-rGAIP over CSIDH-512 is the candidate hardness assumption that can be used for our optimized blind signature construction.
In the next subsection, we show that the hardness of ζ d -rGAIP varies with the choice of ζ d . Since we believe ζ d -rGAIP may be of independent interest, we waive Requirement 1 when considering the cryptanalysis.

Cryptanalysis and Structural Attack on rGAIP
In the previous section, we showed how to choose a root $\zeta_d$ according to the decomposition of the multiplicative group $\mathbb{Z}_N^\times$. In this section, we show that the underlying structure of $\zeta_d$ in each component is related to the security of $\zeta_d$-rGAIP by presenting a concrete cryptanalysis of the overstretched $\zeta_d$-rGAIP with respect to the CSIDH-512 parameters.
Generic Attacks on GAIP. The best known classical algorithm against GAIP is the meet-in-the-middle attack [GHS02, GS13]. The best known quantum algorithm against GAIP is Kuperberg's algorithm [Kup05, Reg04, Kup11, Pei20, BS20]. Typically, given a challenge $E$ to find $a \in \mathbb{Z}_N$ such that
Structural Attack on rGAIP. Let $\zeta_d$ be a $d$-th primitive root of unity and $N$ be the class number. We show that the underlying structure of the root in each component of $\mathbb{Z}_N^\times$ is related to security by exhibiting a structural attack against $\zeta_d$-rGAIP whose efficacy is related to each $\gcd(\zeta_d^i - 1, N)$. The high-level strategy of our structural attack is to break down a $\zeta_d$-rGAIP instance into several GAIP instances over smaller subgroups or quotient groups. The idea is to exploit the differential information of any two curves in the instance and launch a Pohlig-Hellman-type attack. Recall that the instance is of the form ( As a consequence, we reduce each $\zeta_d$-rGAIP instance to a GAIP instance with a group size determined by $\zeta_d$. This is summarized in Table 1. For $\zeta_8$, we have a chain N ), respectively, and the largest quotient group is $|G_2/G_1| \approx 2^{134}$, which demonstrates the invulnerability of $\zeta_8$-rGAIP. For instance, for $\zeta_3$ we have a chain where $G_2$ is of size 37 and the largest quotient group is $|G_3/G_2| \approx 2^{251}$. For $\zeta_4$, $\zeta_{47}$ and $\zeta_{499}$ we have a chain $\{1\} = G_1 < G_2 < G_3 = C\ell(\mathcal{O})$ where $G_2$ is of size 1407181 with the largest quotient group $|G_3/G_2| \approx 2^{236}$. Our cryptanalysis gives an upper bound on the hardness of $\zeta_d$-rGAIP from the perspective of GAIP. Importantly, $\zeta_4$-rGAIP, which we use for our optimized blind signature, only seems to lose 2 bits of security compared with $\zeta_2$-rGAIP, or equivalently, GAIP over CSIDH-512.
Table 1: The upper row denotes $\zeta_d$-rGAIP over CSIDH-512. Using our cryptanalysis in Section 7.2, we reduce each $\zeta_d$-rGAIP instance into a GAIP instance with a group size summarized in the lower row.
Note that GAIP over CSIDH-512 is equivalent to ζ 2 -rGAIP over CSIDH-512.

Equivalence between GAIP and rGAIP
We complement our cryptanalysis by showing that our attack is optimal for some parameters. Although a few instances of $\zeta_d$-rGAIP were shown to be significantly weaker than the original GAIP over CSIDH-512, we present a surprising condition that allows us to reduce $\zeta_d$-rGAIP to the original GAIP. This shows that the attack in Table 1 is optimal for those specific choices of $\zeta_d$. We note that though the condition does not cover all cases (including $\zeta_4$, which meets Requirement 1), the result gives us some guidance on the hardness of $\zeta_d$-rGAIP.
Large $\gcd(\zeta_d - 1, N) \approx N$. Note first that in this case we do not know how to obtain an efficient extractor in our optimized sigma protocol due to the large value of $\eta_d$ (see Lemma 6.1); Requirement 1 is not satisfied.
It is clear that GAIP is never easier than ζ d -rGAIP. The key insight of the reverse reduction is that when gcd(ζ d − 1, N ) ≈ N (or gcd(ζ d − 1, N ) = N/poly(n) to be precise), given a GAIP instance we can generate a ζ d -rGAIP instance by trial and error. Additionally, the success rate can also be amplified by repetitively invoking the GAIP oracle and testing the correctness.

Performance
We present an overall performance in Table 2 for our protocols instantiated using CSIDH-512. As explained in Section 7, we instantiate the ζ d -rGAIP assumption with the 4-th root of unity ζ 4 as it is the only parameter that satisfies Requirement 1 while being presumably as hard as GAIP over CSIDH-512. We also analyze the trade-off between our basic blind signature in Section 4 and the optimized blind signature using a d-th primitive root of unity in Section 6. This helps us illustrate the effect of the value d on our optimized scheme and may be useful in the future when new group actions where ζ d -rGAIP is hard are discovered.
The public key is $d$ times larger compared to the basic scheme in general, which can be halved when $d$ is even and $\zeta_d^{d/2} = -1$. Let $w = \log_2(N)/8$ denote the byte size of a class group element in $\mathbb{Z}_N$, and approximately $2w$ for one elliptic curve in $\mathcal{E}$; for example, $w \approx 32$ for a CSIDH-512 group. In Section 4, the sender and user bandwidths and the signature size of the basic blind signature are $4wn$ B, $n/8$ B (i.e., one hash), and $2n(w + n/8)$ B, respectively. On the other hand, in Section 6 the sender and user bandwidths and the signature size of the optimized blind signature are $2\kappa(wd + w + \log_2 d)$ B, $(\kappa \log_2 d)/8$ B, and $2\kappa(w + \log_2 d)$ B, respectively. Now, given the security parameter $n$, the number of repetitions $\kappa$ with a $d$-th primitive root of unity is required to satisfy $d^\kappa = 2^n$, i.e., $n = \kappa \log_2 d$. Therefore, the communication cost of the signer is increased by roughly $\frac{d\kappa}{2n}$, while the signature is decreased by roughly $\frac{n}{\kappa}$. The computation cost is increased by a factor of $\frac{d\kappa}{2n}$ in group action evaluations for both the signer and the user. Concretely, when $d = 4$, we have $n = 2\kappa$ and thus the signature size is reduced by approximately 50%.
Table 2: The overall performance of our blind signature family regarding the bandwidth, the secret key size, the public key size and the signature size using CSIDH-512. We take n = 128, and sk is generated by a seed of n bits. The first two rows are our blind signatures and the final row is our (unoptimized) partially blind signature. Columns: Bandwidth.S | Bandwidth.U | |sk| | |pk| | |σ| | Assumption. Rows: Basic (Fig. 2), ... [remaining row labels and all table entries are not recoverable here]
It takes roughly 40 ms to perform one group action on a 2.70 GHz processor [CLM+18, BKV19], so we can estimate running times by counting isogeny actions. Since signing (respectively, verifying) requires 6 × 128 (respectively, 2 × 128) actions in Section 4, the procedure takes about 30 seconds (respectively, 10 seconds).
Proof. Suppose that the protocol is executed according to the specification. Then [g^r] * A_c = [g^{y − a·c}] * [g^{a·c}] * E_0 = [g^y] * E_0 = Y, so that V accepts, as required.
Lemma A.5 (Special Soundness). The protocol depicted in Figure 10 satisfies special soundness.
Proof. Using the notation of Figure 10, without loss of generality we may assume that c = 1 and c′ = −1. Then r′ − r = (y + a) − (y − a) = 2a.
Recall that the parameter choice p ≡ 3 (mod 4) implies that |Cℓ(O)| = N is odd, so 2 is invertible modulo N. Therefore we can solve for the unique value a ∈ Z_N as a ≡ 2^{−1}(r′ − r) (mod N).
Considering Equation 9, we see that the following procedure perfectly simulates the honest distribution of transcripts:
1. Choose r ∈ Z_N uniformly at random.
Thus we have defined the required Sim, and so the protocol satisfies the honest verifier zero-knowledge property.
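As an added illustration of the three proofs above (completeness, special soundness and honest verifier zero-knowledge for the twist-based protocol of Figure 10), the following script is not part of the paper: it runs the protocol with a toy stand-in for the class group action, so that the completeness identity, the extractor a = 2^{−1}(r′ − r) mod N and the simulator can be executed. The stand-in (Z_N acting on Z_N by translation, E_0 = 0, the "twist" of E being −E so that A_{−1} = twist(A_1) plays the role of [g^{−a}] * E_0) is an assumption made for the example only; the action is trivially invertible here, so the script exercises the protocol's algebra, not its security.

```python
# Added example, not from the paper: Figure 10's sigma protocol over a toy
# stand-in for the class group action. Z_N acts on Z_N by translation, E_0 = 0,
# and the "twist" of E is -E, so A_{-1} = twist(A_1) = [g^{-a}] * E_0 as in the
# real protocol. The action is trivially invertible: illustration only.
import random

N = 1_000_003   # odd, as |Cl(O)| is when p = 3 (mod 4); hence 2^{-1} mod N exists
E0 = 0


def act(exponent, curve):
    """Stand-in for [g^exponent] * curve."""
    return (curve + exponent) % N


def twist(curve):
    """Stand-in for the quadratic twist: [g^x] * E_0 -> [g^{-x}] * E_0."""
    return (-curve) % N


def keygen(seed):
    """sk = a, pk = (A_1, A_{-1}) with A_{-1} the twist of A_1 = [g^a] * E_0."""
    rng = random.Random(seed)
    a = rng.randrange(N)
    A1 = act(a, E0)
    return a, {1: A1, -1: twist(A1)}


def prover_commit(seed):
    """Prover state y and commitment Y = [g^y] * E_0."""
    rng = random.Random(seed)
    y = rng.randrange(N)
    return y, act(y, E0)


def prover_respond(a, y, c):
    """Response r = y - a*c for a challenge c in {1, -1}."""
    return (y - a * c) % N


def verify(pk, Y, c, r):
    # Completeness: [g^r] * A_c = [g^{y - ac}] * [g^{ac}] * E_0 = [g^y] * E_0 = Y.
    return c in (1, -1) and act(r, pk[c]) == Y


def honest_transcript(a, pk, seed):
    """One honest (Y, c, r) transcript with an honestly sampled challenge."""
    rng = random.Random(seed)
    y = rng.randrange(N)
    c = rng.choice((1, -1))
    return act(y, E0), c, prover_respond(a, y, c)


def extract(r_plus, r_minus):
    """Special soundness: from (Y, 1, r) and (Y, -1, r') recover a = 2^{-1}(r' - r)."""
    return ((r_minus - r_plus) * pow(2, -1, N)) % N


def simulate(pk, seed):
    """HVZK simulator: pick c and r first, then set Y = [g^r] * A_c."""
    rng = random.Random(seed)
    c = rng.choice((1, -1))
    r = rng.randrange(N)
    return act(r, pk[c]), c, r


if __name__ == "__main__":
    a, pk = keygen(1)
    y, Y = prover_commit(2)
    r_plus, r_minus = prover_respond(a, y, 1), prover_respond(a, y, -1)
    print("both transcripts verify:", verify(pk, Y, 1, r_plus), verify(pk, Y, -1, r_minus))
    print("extracted secret matches sk:", extract(r_plus, r_minus) == a)
    print("simulated transcript verifies:", verify(pk, *simulate(pk, 3)))
```

The simulator never touches a: it samples the challenge and response first and solves for the commitment, which is exactly why the transcript distribution reveals nothing beyond what the public key already does. The extractor needs two accepting transcripts on the same commitment with challenges 1 and −1, and it needs N odd so that 2^{−1} mod N exists.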

A.3 Our rGAIP-based Sigma Protocol
For clarity, in this section we describe the most basic version of the rGAIP-based sigma protocol which underlies the OR sigma protocol of Figure 7, used in the construction of the optimized variant of our isogeny-based blind signature in Section 6.
As we did for the protocol of Figure 10, we prove here that this protocol is perfectly complete, specially sound, and honest verifier zero knowledge. Figure 11 is perfectly complete.
Figure 11: The basic rGAIP-based sigma protocol underlying our optimized blind signature scheme and partially blind signature scheme.
The special soundness is slightly different from the previous constructions. We require a relaxed relation R̃ which contains the rGAIP relation R, where both relations are implicitly parameterized by Cℓ(O), Eℓℓ, N and ζ; the embedding a′ = a(ζ − 1) together with Δ = 0 gives the containment R ⊆ R̃. The relation R is relaxed to R̃ in the sense that the "center" of the ring can be shifted away from E_0. Also, R̃ allows ⟨ζ^Δ⟩ < ⟨ζ⟩, so that the statement can split into multiple "smaller" rings. Alternatively, when the ring of R̃ is centered at E_0 and d is prime, the relations are essentially the same. In general, as long as Requirement 1 is met, solving an instance of R̃ for a witness is not easier than solving one of R, since the embedding a ↦ a(ζ − 1) is recoverable (see Lemma 6.1). Figure 11 satisfies special soundness for the relaxed relation R̃.

Lemma A.9 (Honest Verifier Zero-Knowledge).
Provided that gcd(d, N ) = 1, the protocol depicted in Figure 11 satisfies the honest verifier zero-knowledge property.
Proof. For a fixed valid statement X = ([g^{aζ^j}] * E_0)_{j ∈ Z_d}, the distribution of honest transcripts is uniform on the set given in Equation 10. Considering Equation 10, we see that the following procedure perfectly simulates the honest distribution of transcripts:
1. Choose r ∈ Z_N uniformly at random.
Thus we have defined the required Sim, and so the protocol satisfies the honest verifier zero-knowledge property.

B Sampling of a Root of Unity Discussion
As mentioned in Section 7, given λ(N) and the decomposition Z_N^× ≅ Z_{n_1} × Z_{n_2} × ··· × Z_{n_r} with n_1 | n_2 | ··· | n_r and n_r = λ(N), the most intuitive method to find a primitive d-th root of unity for a valid d (i.e., d dividing λ(N)) is to start with a primitive λ(N)-th root of unity ζ_{λ(N)} and compute ζ_{λ(N)}^{λ(N)/d}, which has order exactly d. Unfortunately, this may result in a d-th root of unity that does not meet Requirement 1, which is required to construct our optimized blind signatures. The reason is that only when gcd(d, n_{r−1}) = 1 does every primitive d-th root of unity ζ_d in Z_N^× take the form ζ_d = ζ_{λ(N)}^{jλ(N)/d} for some j ∈ Z_d^×; otherwise the method reaches only some of the primitive d-th roots, so using it to find one that satisfies Requirement 1 (if one exists) may miss it and result in a weak rGAIP instance.
Therefore, this method can only be used to find a primitive d-th root of unity when only one Sylow subgroup of Z_N^× contributes a cyclic subgroup of size d. For instance, in CSIDH-512 we can use it for d = 5, 7, 47, 71, 499, and it yields the same roots as the method of Section 7.1. We now analyze the probability of finding such a primitive λ(N)-th root of unity. First note that, by the invariant factor decomposition, exactly n_1 n_2 ··· n_{r−1} φ(λ(N)) = (φ(N)/λ(N)) φ(λ(N)) elements of Z_N^* have order λ(N), so the probability that a uniformly random element of Z_N^* has order exactly λ(N) is φ(λ(N))/λ(N), which is bounded below as in Equation 11 as long as N ≥ 9. So to find the necessary ζ_{λ(N)}, we simply sample elements of Z_N^* uniformly at random until we find one of order λ(N), which can be tested efficiently given the factorization of λ(N). By Equation 11 only a polynomial number of samples are required in expectation, so this technique for finding a primitive λ(N)-th root of unity is feasible.
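The following script is an added example, not code from the paper: it implements the sampling procedure of this appendix (rejection-sample Z_N^* for an element of order exactly λ(N), then raise it to λ(N)/d) on a toy modulus, counts how many primitive d-th roots the method can and cannot reach, and computes the quantity N/gcd(ζ_d^i − 1, N) that drives the trial-and-error reverse reduction from GAIP to ζ_d-rGAIP discussed above. The toy modulus N = 5 · 13 = 65 (so Z_N^× ≅ Z_4 × Z_12, with invariant factors n_1 = 4 and n_2 = 12, λ(N) = 12) and the particular roots 8 and 31 are assumptions made for the example; in CSIDH the class number N and the factorization of λ(N) are taken from the literature instead of being trial-factored. Requirement 1 itself is defined in Section 7 and is not reproduced in the code, which only reports the gcd structure.

```python
# Added example (not from the paper): Appendix B's root-of-unity sampling on a toy
# modulus N = 5 * 13 = 65, chosen so that Z_N^* = Z_4 x Z_12 (n_1 = 4, n_2 = 12).
# In CSIDH, N = |Cl(O)| and the factorisation of lambda(N) are known constants;
# the trial-division factoring below is only adequate for the toy parameters.
from functools import reduce
from math import gcd
import random


def lcm(a, b):
    return a * b // gcd(a, b)


def carmichael(n_factors):
    """lambda(N) for N = prod p^e with p odd: lcm over p^(e-1) * (p - 1)."""
    return reduce(lcm, (p ** (e - 1) * (p - 1) for p, e in n_factors), 1)


def trial_factor(m):
    """Prime factorisation by trial division (toy-sized inputs only)."""
    fs, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            fs[p] = fs.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        fs[m] = fs.get(m, 0) + 1
    return fs


def has_order(x, m, N, m_primes):
    """True iff x in Z_N^* has multiplicative order exactly m.

    Uses the primes dividing m: x^m = 1 and x^(m/q) != 1 for every prime q | m.
    """
    if pow(x, m, N) != 1:
        return False
    return all(pow(x, m // q, N) != 1 for q in m_primes)


def sample_primitive_lambda_root(N, lam, lam_primes, rng):
    """Rejection-sample Z_N^* until an element of order exactly lambda(N) appears.

    Returns the element and the number of samples used; a phi(lambda(N))/lambda(N)
    fraction of the units has full order, so the expected count is polynomial.
    """
    tries = 0
    while True:
        tries += 1
        x = rng.randrange(2, N)
        if gcd(x, N) == 1 and has_order(x, lam, N, lam_primes):
            return x, tries


def find_primitive_dth_root(N, n_factors, d, seed=0):
    """The intuitive method of Appendix B: zeta_d = zeta_lambda^(lambda(N)/d)."""
    lam = carmichael(n_factors)
    if lam % d != 0:
        raise ValueError("d must divide lambda(N)")
    rng = random.Random(seed)
    zeta_lam, tries = sample_primitive_lambda_root(N, lam, trial_factor(lam), rng)
    return pow(zeta_lam, lam // d, N), tries


def count_elements_of_order(d, N):
    """Brute-force count of elements of order exactly d in Z_N^* (toy N only).

    The method above reaches only phi(d) of them, which is all of them exactly
    when gcd(d, n_{r-1}) = 1.
    """
    d_primes = trial_factor(d)
    return sum(1 for x in range(1, N) if gcd(x, N) == 1 and has_order(x, d, N, d_primes))


def shift_candidates(zeta_d, d, N):
    """N / gcd(zeta_d^i - 1, N) for i = 1..d-1.

    This is how many values a * (zeta_d^i - 1) mod N can take, i.e. how many
    guesses are needed to turn a GAIP instance [g^a] * E_0 into the i-th curve
    of a zeta_d-rGAIP ring by trial and error. A polynomial count is what the
    reverse reduction (GAIP no harder than rGAIP) relies on.
    """
    return [N // gcd(pow(zeta_d, i, N) - 1, N) for i in range(1, d)]


if __name__ == "__main__":
    N, n_factors = 65, [(5, 1), (13, 1)]          # toy modulus, lambda(N) = 12
    for d in (3, 4):                              # gcd(3, n_1) = 1, gcd(4, n_1) = 4
        zeta_d, tries = find_primitive_dth_root(N, n_factors, d, seed=7)
        print(f"d={d}: zeta_d={zeta_d} after {tries} samples; method reaches phi({d}) of "
              f"{count_elements_of_order(d, N)} elements of order {d}; "
              f"candidates per ring position {shift_candidates(zeta_d, d, N)}")
    print("zeta_4 = 8 :", shift_candidates(8, 4, N), "and 8^2 mod 65 =", pow(8, 2, N))
    print("zeta_4 = 31:", shift_candidates(31, 4, N), "(31 = 1 mod 5)")
```

For d = 3 the method is exhaustive (gcd(3, n_1) = 1 and there are exactly φ(3) = 2 elements of order 3), while for d = 4 it reaches only 2 of the 12 elements of order 4. The two primitive 4-th roots 8 and 31 show why the choice matters: 8 satisfies 8^2 ≡ −1, the case in which the optimized public key can be halved, and gcd(8^i − 1, 65) = 1 for all i, whereas 31 ≡ 1 (mod 5) leaves only 13 candidates for a(31^i − 1), the toy analogue of the weak case in which the ring gives away the secret.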