 So unfortunately, I have to start with a talk by saying we have a flaw in the paper. So, please open page 462 and you can fix it online. So there you find the order of the authors. And there was a difficult problem. So we tried to do it alphabetically, but we failed. So you can just... And it's not like the student has to finish the CL and put him on the paper. No, no, it's not funny. So, okay, let's start. Some people in cryptography believe that signatures provide some confidentiality in the sense that I give you the signature and not the message and you cannot say on what the signature was. So some people believe it because they say, okay, all signatures follow the hash and sign construction in the sense that we first hash the message and then sign it. And because they believe, okay, we have all functions are one way and they don't, they had all partial information. So this is both not true. But if we want a confidential signature scheme, then the naive approach is still to stay with the hash and sign construction. So how does it work? As I said, we hash the message first and sign it then with our favorite signature scheme. But unfortunately, this is not sufficient. So consider, for example, this following message, which is just the concatenation of its bits. And then we build a hash function, h prime, where we use our favorite hash function and we just add the first bit of the message to it. Then it's clear that h prime might preserve some properties of h, but it's also clear that at least the first bit of the message is leaked. So it's just an idea why hash functions may leak part of its input. But still the hope is, if the hash function has some confidentiality properties, then our signature scheme may also have it. But why is this interesting at all? So one idea to motivate is this secure message transmission. So let's think about Alice. Alice has a secret signing key here denoted by SSKA and an encryption key of Bob, e p k b. And Bob has the corresponding keys. So the s p k a is the verification key and e s k b is the decryption key. Alice now gets the message and wants to send Bob something, let's say some encryption. And Bob wants to be sure that nobody modified it, that the message really comes from Alice. And how can we do it? So an approach would be to look and encrypt and sign. So we encrypt the message and we sign it in parallel with our signature scheme. So this is an advantage that we can really just generically looking, we can perform both operations in parallel. But as I said before, the signature may just leak parts of the message or even the message entirely as we constructed here. So that's the reason why encrypt and sign does not work. It may destroy all properties of the encryption scheme. So what works is encrypt then sign. So it works as follows. Alice gets the message. She encrypts the message with the public key of Bob. She signs the cipher text and sends both pairs to Bob. And he checks the signature and if it's valid then he decrypts and is somehow convinced. Okay, but still we would be happy to do it in parallel and we all know encrypt and sign is not good. But what happens if the signature is confidential? So if the signature does not leak part of the messages. Does this construction work? Okay, so up to now I spoke a lot of confidentiality but I haven't defined it yet really. So what we want to construct is we want to construct confidential signatures. So we start again with confidential hash functions to hope that the composition is fine. And then we try to find direct constructions and at the end we will see if encrypt and sign works. So we define confidential hash functions similar to Bellaro-Bolli-Rava and O'Neill's work of deterministic encryption. So the intuition is that you get an image and you don't know what was the pre-image. And how do we model it? We basically model it in two algorithms. So the first algorithm picks some message and the second algorithm has to guess what was in the image. Okay? So this game is modeled as follows. We first, if a game first picks a random B and chooses a hash function. And now we execute the first algorithm who outputs a vector of messages and some partial information. So this is information the second algorithm has to get out of the image. We now execute it twice with freshly coined. Then we evaluate the hash function depending on the bit B either on the first or the second X. And now we give the attacker the hash function and the value h, small h. And now it tries to predict t prime and it wins if t prime equals to t0. So it can predict the value of the first algorithm. Of course X0 and X1 has to have a lot of entropy because the second part could just guess the message and then evaluate the hash function and then see if it got t0 or t1. So we always have similar to deterministic encryption the requirement that we need a lot of entropy here. And of course we say that these probabilities for B0 and B1 are negligible. So if we divide it. We also have a stronger version where we give the first algorithm access to the hash function but due to the time restriction I have to skip it. So the first question is the random oracle confidential. Since many signature schemes are based on it it's an interesting question and the answer is yes, it is. And I just want to give you an intuition why. So you could think of the random oracle as just an oracle producing random images. So when the attacker just starts querying it then it just learns part of it. But the probability that the attacker really guesses the value that points to that image is slow. It's slow. Interestingly it's not strongly confidential. So now we look at confidential signatures. We now know roughly what confidential hash functions are and we want to get signature schemes. So the definition looks almost the same. We have three different game-based definitions and also simulation-based definitions. But we only consider this one, the game-based one. So the game is roughly the same. We have two algorithms. The first one generates vector messages and some partial information. We execute it twice with fresh random coins. Again the messages have to have enough entropy. We then sign the message mb depending on the bit b and we give the second attacker now the public key and a vector of signatures. And we also give him access to the signing oracle and he tries to predict t' and again the attacker wins if t' equals t0. So this is a very weak definition and we try to find stronger ones. The obvious way is to also give the first algorithm the public key and that we denote by mightly confidential. And the second one and the third one is the strongly confidential. We also the first attacker's access to signing oracle and can query it. So now we have a brief idea what we understand under confidential signatures. And we want to see if there is definition achievable. So famous schemes are based on FDH signatures that are basically defined as follows. We have a secret transformation f and a public transformation g and a full domain hash. So to sign a message a sign just computes h of m and applies it to f and verification is straightforward. From here h of m to g of s. And we show in this paper that this is weakly confidential. So the question is, is this also mightly or strongly confidential? And no it's not. So I just give a short hint why this is the case. So the point is that in the mightly game as you might remember the attacker gets the hash function through the public key as input and therefore he has the hash function. So attacker A1 just picks a random message. He applies the hash function to this message and output this as t. And the second attacker simply output g of s. So if b was zero then g of s equals h of m and our first message is and our partial information of the first algorithm is exactly h of m. So in this part the width was probability one. But on the other hand if b was one then it gets a signature on another message h of m is most, is with high probability doesn't equal to h of m one. So just the idea. Okay as I said shortly before the random oracle is not strongly confidential. But can we get signatures in the room that are strongly confidential? And the answer is yes. So we have a really really nice and simple approach what we say what we call is randomized hashing. So the signer picks a random value r and now it computes the hash of r and m. And it outputs the signature as the signature and this randomness. So why is this strongly confidential? So the idea is that the first algorithm cannot guess this r as it's internally chosen each time. So it somehow has to pass information it must predict this value with it cannot predict. So on the other hand the second attacker plays against this message. But as we assume the message has high entropy he also cannot guess this message. So in fact these both algorithms are uncorrelated. Another famous approach to get signature in the random oracle is the fear-chamia transformation that turns any three-move identification scheme into a signature scheme. So how does it work? It's a sender and a receiver. The sender has a private key ISK and a public key IPK. It has three moves. So the sender sends a commitment, the receiver a challenge and the sender answers with a respond. So to turn it into a signature scheme one has to first choose some random value r. One computes a commitment executing the signer with this randomness in a third mode. You compute the challenge locally using a random oracle of the commitment and the message. You compute the respond executing again the signer locally with all these two areas. And at the end you get the signature as the commitment, the challenge and the respond. So verification works straightforward. To verify you simply recompute the hash. You compare C prime with C and output the result of the receiver on the commitment challenge and the respond. So we show in this paper that this is also strongly confidential assuming that the commitment of course has enough entropy otherwise the first attacker could simply guess it again. Okay, so many people do not believe in random oracles and we would be happy to have a scheme in the standard model. No random oracles. We get another interesting idea which relies on randomness extractors. So recall that a randomness extractor takes this input some message and some randomness and it outputs some value h. And the randomness extractor now tells you that if you look at the pair r, r, h and you compare it to another pair r, r, u then these are statistically close for uniformly choosing u. So signing works now as follow. The signer chooses this randomness, it computes the extractor and then it signs this value h and the signature consists of r and r and s1. Again verification is analog. You recompute the extractor on both values. You return the verification on h and s1 from the generic signature scheme and we can show that this construction is also strongly confidential. So as I told you at the beginning we are still interested in the crypt and psi. So now you would say, ah, I know that the deterministic encryption scheme that we know from cryptome, we just plug it in with the encryption scheme, we add the confidential signature scheme and then we hope we are done. But unfortunately this is not the case. It's insecure. So here is basically what I also presented before. The attacker gets this input the public key and then here as it's deterministic he can just put it as the partial information. But we have a security proof in the model of Andodes and Rabin and Bach, Steinfeld and Zang. But to get the security proof work we need CCA2 encryption and we need the signature scheme strongly, unfortunately, strongly confidential and deterministic. So now you might say, okay, so many properties I believe are strongly, unfortunately, signatures and strongly confidential but I don't know a deterministic one. And there we apply basically the de-renumization technique of Goldreich to get it. So, yeah. So this was... So this was a quick talk. I want to thank my co-authors, Alex Martinouis. Oh, Alex, I put the wrong picture actually. I wanted to show this one. I downloaded them before. In particular, I want to thank Alex for proposing this topic at an e-crib meeting and for pushing us to finish the paper and as he proposed this topic to work and I also have to thank him for letting me give the talk here. So, thank you.