 So, I've been working on anonymous credentials with Anna recently, and we have some exciting new results in this area. So, first of all, just reviewing usual signatures. We have a sign and verify algorithm, and for correctness, the message has to be identical in both, and then verify accepts, and the security is the usual definition. We can take this one step further by introducing signatures on equivalence classes. So, in this case, we're looking at messages in the same equivalence class, and in this case, correctness means that if we have messages within the same equivalence class, then the verify algorithm will accept, and security in this way basically just means that the adversary produces a forged public key message and signature, and the forgery is successful if the message is not in any equivalence class that's already been signed. And there's an interesting construction for this in the FAHS 14 paper. So, in that case, basically, we're just looking at vectors of group elements, and the equivalence class is multiplication by a scalar. So, and there are some very nice results in this paper, actually. They were able to show a result about class hiding, which means that the adversary is unable to tell if two messages are in the same equivalence class, and they show that if and only if the DDH assumption holds, you get class hiding. So, then what we did is we said, well, okay, so we're able to randomize the message into the same equivalence class. What about randomizing the public key as well? And when we took a look at this idea, we were able to extrapolate and say, okay, so correctness in this case, the messages have to be in the same equivalence class, public keys have to be in the same equivalence class, and it still verifies. In this case, an adversary has a successful forgery if the forged message, again, as in the previous slide, is not in any equivalence class that's already been signed. But the public key does have to be in the same equivalence class as the original public key. Otherwise, it's kind of trivial. You can come up with different public keys and messages that still verify. So the public key does have to be in the same equivalence class. And so we have two main results. The first is we were able to realize mercurial signatures and prove them secure in the generic group model. And then why do we care about this? Well, our original motivation was to construct delegatable anonymous credentials. And the basic idea is that a user signs the next user's public key. And then that user can take the signature and randomize it. And so everybody's acting under pseudonyms, which is why it's anonymous. And through the randomization of the message and the public key, you're able to achieve delegatable anonymous credentials. So our second result is that for certain mercurial signatures using the equivalence class that I described before, then we're able to achieve delegatable credentials. The reason why this is important is that in the seminal paper by Anna and Melissa Chase in 2006, when they introduced delegatable anonymous credentials, they had to use a lot of heavy machinery like non-interactive zero-knowledge proofs. This is direct. It's quite simple. It's very efficient. Each link in the chain can be represented by only five group elements. So I'm very happy with this work. And if you're interested in the manuscript, it's not completely finished yet because my advisor has decided to work in a different direction for a little while. Thank you.