 Hello everyone, I am Moly de Sanderse and this is my presentation on efficient predictable signature and application to anonymous credentials. The problem we study in this paper is related to digital signature, one of the main cryptographic primitives. Digital signature can be used in practice to authenticate digital data, for example to sign several messages to ensure that not even one bit can be modified. The problem when you issue one signature for a set of messages is that you need to know all the messages to check the validity of the signature. In particular this means that even if I need to check one specific message, I still need to know all the other one. So let us consider a use case when one need to verify that the user's age is over some threshold, for example 18, then it means that you will have to send the other attributes of the users, which is a problem regarding efficiency because you are going to send n messages instead of 1, but also regarding privacy because you are going to link a lot of information. So the problem we want to solve in this paper is how to efficiently and privately check that k out of n sign message are certified or that they satisfy some relations. Actually there are many other alternatives that we could use, for example we could simply issue one signature per message. This way when we want to check one specific message which simply has to send one message which is better regarding privacy, but the problem is that now instead of one signature we have to store n signature which is a problem regarding efficiency. If we'll consider different solutions such as make Merkel's tree for example, this is not significantly better because we still have to send a logarithmic number of elements even to check one element and moreover the use of hash function will prevent the use of efficient zero knowledge proofs which is a problem regarding privacy. Actually regarding privacy the best solution is probably to prove knowledge of all the unnecessary messages. This would be perfect regarding privacy but the problem is that now we have replaced the sending of n messages by the sending of n proofs of knowledge of these messages. So this is far worse regarding efficiency. So there is no simple satisfying solution, but we can consider more intricate solution from the literature. For example, I propose a system where the messages to be signed are first accumulated into an accumulator C that is signed by the issuer. This way if one want to check the validity of the authenticity of just a subset of these messages for example the birth date in my example, then one simply has to generate a witness W that this value has been accumulated in C and by sending W, C and sigma the verifier is able to check this authenticity. By simply checking that the birth date has indeed been accumulated in C and that C has been certified. This way we get a solution with a constant size for the certificate with a constant communication complexity if I exclude the sending of the K-disclosed messages and whose verification can be performed with the complexity that only depends on the number of disclosed messages. The problem with this solution is that now the messages can be disclosed but it is no longer possible to prove that they satisfy some relations. So this is not fully satisfying regarding privacy. Actually there is a different solution that was proposed by Kaminichet Hall. The idea is to use a new primitive that they call unlinkable predictable signature to issue one signature on the messages that have to be signed. But the point of this signature is that you can derive from it a new signature sigma prime that is only valid on a subset of these messages. For example in my example the signature sigma prime will only be valid on the birth date. So this means that the authenticity of the birth date can be checked by only knowing this message and the derived signature sigma prime. So here again we have a constant size for the certificate. We have a constant communication complexity but unfortunately in this case the constant is very large. Moreover this scheme suffers from the same problem that the one from the paper of Fuchsbauer et al. Meaning that the messages must be disclosed but it is not possible to efficiently prove that they satisfy some relations. So this is not a fully satisfying solution ever. Now in our paper we want to improve these previous results by providing an unlinkable predictable signature scheme with short constant size signatures and for which it is possible to verify the authenticity of K out of N messages with complexities that only depends linearly on K. Moreover we want a system that achieves unlinkability meaning that it is not possible to link signature that are derived from the same signature and we want to be able to prove relations about non-redicted messages by using zero knowledge pools. Our starting point will be the PS signature schemes that use asymmetric linear groups and that present very nice feature. For example this signature scheme generates signature of constant size that only consists of two elements. These signatures can be re-randomized and they can also be aggregated. Moreover they can be verified with only one pairing equation where the messages are involved as exponents. This means that it is very easy to prove knowledge of this exponent by using standard protocols such as the Schnurz protocol. So the problem we want to solve is to check that a subset of these messages have been signed or that they satisfy some relations meaning that we need to redact all the other messages. So the standard solution here will be to prove knowledge of the redacted messages and to reveal or prove relations about the non-redacted messages but this will be very inefficient. So we use a different solution that is based on the following idea. If we look at the verification equation of PS signature we can see this product that involves all the signed messages. So we could simply try to split this product into a first part that involves the redacted messages and a second part that involves the other messages. So if we aggregate the first part into an element sigma 1 we can see that we no longer need to know the redacted messages to check the authenticity of the non-redacted messages. So we could simply try to send this value sigma 1 and resulting in a new signature that would consist in three elements but unfortunately this signature scheme would not be secure because the problem is that if I isolate one specific index for example i0 from i we can see that it is very easy to replace the signed message mi0 by any other message by simply aggregating the complementary part of this message into sigma 1. As you can see the new signature sigma 1 prime sigma tilde 1 and sigma tilde 2 would be valid on this new set of messages meaning that the adversary could generate forgeries on any message of its choice. The problem actually is due to the fact that we can aggregate anything in sigma 1 including illicit elements. By illicit elements I mean elements whose index is in the set i. So the first solution could be to prove that sigma 1 is well formed but this would be bring us back to square 1 actually this would be a very inefficient solution. Moreover this would be an overkill because this would prove more that what we need. We don't need to prove that sigma 1 is well formed we just need to prove that sigma 1 does not contain illicit elements. So we will use a very different solution. Actually if sigma 1 is honestly formed one can see that this pairing involving sigma 1 generate a new element whose exponent is a polynomial f and if sigma 1 has been honestly formed then f only contains monomials of the form yi yj for different index i and j. On the contrary if the adversary has cheated in the construction in sigma 1 if he has aggregated illicit elements in sigma 1 then necessarily f will contain square monomials. So to distinguish these two cases we will simply add to the public key the element j2 yi yj for different index i and j. So this element would be sufficient to compute a new element sigma 2 that will prove that sigma 1 is honestly formed in the form yi. On the contrary if the adversary has cheated in the construction of sigma 1 then he won't be able to prove that sigma 1 is well formed he won't be able to compute such an element sigma 2 and this validity of sigma 1 as you can see can be easily checked using sigma 2 by simply adding one pairing equation for our system. So this means that we get a new redactable signature scheme that consists of only four group elements and so it is of constant size and this signature can be verified by performing essentially k exponentiation where k is the number of elements in i. But the problem is that right now this system is not unlinkable so we need to improve it to achieve this property. Actually as our signature contains a ps signature we can simply re-randomize this part but this would not work for sigma 1 and sigma 2 so we need to use a different approach and actually we will use the fact that sigma 2 does not prove that sigma 1 is well formed it only proves that sigma 1 does not contain illicit elements whose index is in i so this means that we can aggregate anything else in sigma 1 including random elements. So we will at this step use the fact that ps signature can be aggregated we will in the first step aggregate to the ps signature part of our signature we will aggregate a random element under some dummy public key one in our in our construction but we could use anything else and then we will re-randomize this ps signature so we get a new ps signature that is valid on the original set of sign messages but also on a new random element t. Then in a seventh step we will redact all the messages we want to redact and also we will redact the this new randomness t and this way as you can see sigma 1 prime and sigma 2 prime will will include this random element t and what we show in our paper is that this randomness will perfectly hide the redacted messages actually what we show in this in our paper is that unlicability now hold unconditionally. So we have a new unlicable redactable signature scheme that is perfectly secure and what we show in the second part in our paper is that it is very easy to constrict from it a new anonymous credential system actually this conversion is very simple it consists simply in issuing a signature on the user's secret key and on his attributes and this signature will be the credential of the user and now the user when you want to show a credential on a subset of his attributes he will simply run the derive algorithm on his secret key and on this subset of attributes to get a derived signature sigma and he will prove knowledge of his secret key usk so this means that the the showing process of this anonymous credential would be almost as efficient as a redactable signature scheme because we simply added a proof of knowledge of the user's secret key which is very short. Moreover what we show in our paper is that security of this anonymous credential system follows directly from the one of our redactable signature scheme what we show is that if a user can cheat in the showing process then it can forge a redactable signature. The only difference is is unlicability is that no longer holds unconditionally but that now holds under the DDH assumption but this is very reasonable so to conclude in this paper we have proposed a new efficient unlicable redactable signature schemes and from this signature scheme it is possible to derive signature on any subset of signed messages. The derived signature contains only four elements and can be verified with the complexity that depends linearly on the number of non-redacted messages. The derived signatures are unlinkable and it is also possible to disclose the messages or to prove that they satisfy some relations which is an important improvement over previous solutions. The downside of our paper is that now the derivation public must contain a quadratic number of elements but we hope that this could be improved by a further walk. So thank you for your attention and do not hesitate to contact me if you have any question about my paper.