
Given two Schnorr Signatures that were made from the same $x$, where each $x$ is private. Is there a way to prove that they came from the same $x$ without revealing $x$?

I heard about Chaum-Pedersen Protocol and how it is supposed to address this, but I am a bit confused how it should work. The book I'm reading has the following notation:

Equality is proven so long as:

$r_1 = g^{s_1} \cdot y_1^{c_1}$

and

$r_2 = h^{s_2} \cdot y_2^{c_2}$

where $g$ and $h$ are generators, $s$ is the proof, $y_1$ and $y_2$ are the public keys of the secrets $x_1$ and $x_2$, and $c_1$ and $c_2$ are the challenges.

I am seriously confused about what the relation between those numbers is: with the above, you prove that each Schnorr signature came from a different $x$, but not that they came from the same $x$, right?

Answering some questions that came up:

Are $g$ and $h$ different generators from the same group?

Yes, they are.

Are $c_1$ and $c_2$ hashes?

Yes, they are, made with a random oracle. The term "challenge" might be weak here since they are non-interactive.

I'm just really trying to wrap my head around the possibility of proving equality for Schnorr signatures.

fgrieu
JohnnyP

1 Answer

I don't think that works with keeping the message private - unless you break the signature scheme by reusing the nonce.

Your variables $c_1$ and $c_2$ are the results of the hash function. And those cannot be the same by the definition of $r$ being a nonce. Moreover: the hash function does not retain any algebraic structure. By the definition of hash functions, the resulting hash only shows if two inputs were the same or not. No partial matching or any type of relation between two inputs.

But they are also the only variables that depend on the private message $x$. And from that, I don't see any way to distinguish $c$-values where $x$ is the same or $x$ is different. Unless you allow $r_1=r_2$, which breaks the security of the signature.

The main misconception with using Chaum-Pedersen: They don't use signature schemes. They use commitments. From the statement, that you want to keep $x$ private, maybe you should use commitments instead of digital signatures. They give the privacy requirement, and you can use Chaum-Pedersen directly.

tylo
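The following is an added worked example, not code from the question, the answer or the book being quoted. It implements the non-interactive Chaum-Pedersen proof the answer recommends, applied directly to two "commitments" $y_1 = g^x$ and $y_2 = h^x$ rather than to two signatures, and it uses the book's verification form from the question ($r_1 = g^{s} \cdot y_1^{c}$ and $r_2 = h^{s} \cdot y_2^{c}$). The point it makes concrete is the one the asker was missing: there is a single challenge $c$ and a single response $s$ shared by both equations, and that sharing is what ties $y_1$ and $y_2$ to the same $x$. Two independent Schnorr signatures have independent $(c_1, s_1)$ and $(c_2, s_2)$, so they offer no such handle. The group parameters (a toy safe prime $p = 2q + 1$), the bases, the secret values and the hash encoding are all constructed here for the demonstration and are far too small for real use.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 (constructed for this demo; real deployments use a
# 2048-bit MODP group or an elliptic curve). G and H generate the order-q subgroup.
P = 1019
Q = 509


def _is_prime(n):
    """Trial division; only used to sanity-check the toy parameters."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


assert _is_prime(P) and _is_prime(Q) and P == 2 * Q + 1


def subgroup_element(seed):
    """Squaring maps any element of Z_p^* into the unique subgroup of prime order q;
    every element of that subgroup other than 1 generates it."""
    g = pow(seed, 2, P)
    assert g != 1
    return g


G = subgroup_element(2)  # base g
H = subgroup_element(3)  # base h, independent of g


def challenge(*elems):
    """Fiat-Shamir challenge: hash all public values with a fixed-width encoding and a
    domain tag, then reduce into [1, q-1] so the challenge is never zero."""
    data = b"chaum-pedersen-dleq" + b"".join(int(e).to_bytes(4, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def dleq_prove(x, y1, y2):
    """Prove log_G(y1) == log_H(y2) == x without revealing x.
    One nonce k, one challenge c and one response s cover BOTH bases."""
    k = secrets.randbelow(Q - 1) + 1
    r1 = pow(G, k, P)            # commitment under g
    r2 = pow(H, k, P)            # commitment under h, same nonce
    c = challenge(G, H, y1, y2, r1, r2)
    s = (k - c * x) % Q          # book convention: r = base^s * y^c
    return (r1, r2, s)


def dleq_verify(y1, y2, proof):
    """Verifier recomputes the single challenge and checks the two equations from the
    question, with the same c and the same s in both."""
    r1, r2, s = proof
    c = challenge(G, H, y1, y2, r1, r2)
    ok1 = r1 == pow(G, s, P) * pow(y1, c, P) % P   # r_1 = g^s . y_1^c
    ok2 = r2 == pow(H, s, P) * pow(y2, c, P) % P   # r_2 = h^s . y_2^c
    return ok1 and ok2


def demo_same_secret():
    """Honest case: y1 and y2 share the exponent x, so the proof verifies."""
    x = secrets.randbelow(Q - 1) + 1
    y1, y2 = pow(G, x, P), pow(H, x, P)
    return dleq_verify(y1, y2, dleq_prove(x, y1, y2))


def demo_different_secrets():
    """y1 = g^7 and y2 = h^8 (constructed). A prover who plugs in x = 7 satisfies the
    g-equation but not the h-equation, because c(8 - 7) != 0 mod q."""
    x1, x2 = 7, 8
    y1, y2 = pow(G, x1, P), pow(H, x2, P)
    return dleq_verify(y1, y2, dleq_prove(x1, y1, y2))


def demo_tampered_response():
    """Changing s after the fact breaks both equations."""
    x = 123
    y1, y2 = pow(G, x, P), pow(H, x, P)
    r1, r2, s = dleq_prove(x, y1, y2)
    return dleq_verify(y1, y2, (r1, r2, (s + 1) % Q))


if __name__ == "__main__":
    print("same x         :", demo_same_secret())
    print("different x    :", demo_different_secrets())
    print("tampered s     :", demo_tampered_response())
```

The nonce $k$ is used once for both commitments $r_1$ and $r_2$; that is safe here because the secret $x$ is shared, and it is exactly the thing the answer warns you cannot do with two signatures. The rejection in `demo_different_secrets` is unconditional: with $x_1 \neq x_2 \pmod q$ and a nonzero $c$, the $h$-side equation would need $c (x_2 - x_1) \equiv 0 \pmod q$, which a prime $q$ rules out.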