Yes, sorry. Yeah, it's a five-inch lay only. Yes.

Okay, so good morning everyone. Welcome to the session on lattices. The first talk is "Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors" by Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang, and the talk will be given by Khoa.

Okay, so thank you for the introduction and hello everyone. I'm going to talk about a zero-knowledge argument system for a Merkle-tree accumulator from lattices and its application to ring and group signatures. This is joint work with Benoît Libert, San Ling, and Huaxiong Wang. So first I will briefly review the background of cryptographic accumulators and then state our result, and then I will describe our construction, that is, an accumulator and the supporting protocol. And then I will show how to use this block to build ring and group signatures from lattices with some interesting features.

An accumulator is a function that hashes a large data set R into a constant-size value u, such that for any element d of the set it is efficient to compute a short witness for the fact that d was accumulated into u. For security reasons it should be infeasible to come up with a valid witness for some data outside of the set. Accumulators have a number of applications in authentication mechanisms. In many scenarios, when the privacy and the anonymity of the user are big concerns, it is also desirable to have a zero-knowledge proof of a pair of input and witness.

Previously there are two main families of number-theoretic accumulators, based on groups of hidden order or pairings, so they rely on the strong RSA or the strong Diffie-Hellman assumptions. A third family relies on Merkle trees. Its main disadvantage is that the use of hash trees makes it hardly compatible with efficient zero-knowledge proofs.
In fact, known methods require non-standard assumptions in groups of hidden order or non-falsifiable knowledge assumptions, as is the case with SNARKs. A Merkle tree based on lattice assumptions (SIS) was proposed at Eurocrypt '13, but the problem of designing a supporting zero-knowledge layer was not considered.

So in this work we propose the first lattice-based accumulators supported by logarithmic-size zero-knowledge arguments. Specifically, we start with a Merkle tree built from a family of collision-resistant hash functions based on the SIS problem. This function has a two-fold compression factor, that is, it maps two elements of some set D to an element of D. Then we demonstrate in zero knowledge that we have a hash chain from a secret leaf of the tree to the root.

This building block potentially has many applications in privacy-preserving cryptography. In particular we suggest two applications. The first one is logarithmic-size ring signatures. Previous constructions from lattices achieved linear size in the cardinality of the ring. The second application is group signatures without trapdoors. Previous constructions have to rely on lattice trapdoors either for key generation or for enabling the tracing feature. So the advantage of being trapdoor-free is that we can work with smaller parameters, shorter keys, and we can produce shorter signatures. In particular, the user signing key in our scheme has a size of several kilobytes, while in the scheme from PKC last year it is around 90 gigabytes.

So now I'm coming to the main construction. Our starting point is a family of lattice-based collision-resistant hash functions. We work with security parameter n, small modulus q, k equal to log2 of q rounded up, and m equal to 2nk. We also employ a powers-of-two matrix G that allows us to interchange between a vector v in Z_q^n and its binary expansion in {0,1}^{nk}.
Now we can define a family of hash functions that map two inputs of length nk to an output of length nk, where each element in the family is associated with a matrix A in Z_q^{n×m} consisting of two halves A0, A1. And the hash of the pair (u0, u1) is defined to be the binary expansion of the vector A0·u0 + A1·u1 mod q. We note that by definition the hash of the pair (u0, u1) equals u if and only if the sum of A0·u0 and A1·u1 equals G·u mod q. And it can be shown that this family is collision-resistant based on a very weak SIS assumption.

Once we have this function family we can easily build a secure Merkle-tree accumulator. So this figure illustrates a tree of depth 3 that accumulates the 8 data blocks from d0 to d7 into the value u at the root of the tree. The value at each non-leaf node is simply the hash of its two children. So if we look at the data block d5, for example, then the bit string 1, 0, 1, which is the binary expansion of the number 5, together with the brown nodes form a witness for the fact that the data block accumulates into u. In fact, given this witness we can recompute the path from d5 to the root.

So now we consider the problem of proving knowledge of an accumulated value. The protocol is summarized as follows. Suppose that we have a tree of depth L; the public input is the hashing matrix A and the root u of the tree. The secret input contains all the information needed for recomputing the path: the vectors v_i, the w_i's and the bits j_i. We are going to prove that we have a valid path from a leaf to the root of the tree. In particular, we have to prove that at each level of the tree we have a vector v_i that is the hash of the pair (v_{i+1}, w_{i+1}) if the bit j_{i+1} is 0. Otherwise it is the hash of the swapped pair, in the case where the bit is 1. We observe that the previous protocols for SIS-based hash functions only prove knowledge of a hidden preimage for a given hash image.
Here we have to prove knowledge of L hidden preimage-image pairs, and they are nested along a hidden path. So some additional techniques may be required here.

To address this we first transform the expression of v_i here into a more compact form that is compatible with our proof. We will use the following notations. For a bit b and for a binary vector v, denote by b̄ the bit 1 − b, and by ext(b, v) the vector consisting of two blocks, b̄ times v and b times v. Now the expression of v_i can be compactly written as: v_i equals the sum of j̄_{i+1} times the hash of (v_{i+1}, w_{i+1}) and j_{i+1} times the hash of the swapped pair. In the following steps here we basically express the hash value as per the definition, and then we group together the appearances of v_{i+1} and w_{i+1}, and we finally get the equation A · ext(j_{i+1}, v_{i+1}) + A · ext(j̄_{i+1}, w_{i+1}) = G · v_i mod q. Now our task is reduced to proving in zero knowledge that we have the secret bits j_i and secret vectors v_i, w_i, and so on, such that the L equations here hold.

To this end we develop a Stern-like protocol. So let me recall the main idea of Stern's protocol. It was proposed in the context of this. Recently it has appeared to be quite useful for lattice-based crypto as well. It allows one to prove in zero knowledge the possession of a binary vector s with fixed Hamming weight t such that M·s = u mod q for a given pair (M, u). So there are two main ideas here. First, for proving the linear equation, use random masking: pick a mask r for s and convince the verifier instead of s. Second, for proving the constraint on s, use a random permutation: pick a random permutation π and show the verifier that π(s) has weight t. This should be sufficient to convince the verifier that the original vector s has weight t, but the latter cannot learn anything else about s.
We observe that the first idea can be generalized to prove that all the L equations in system one hold. We simply use the random permutation to prove that all the L equations in the system appear there. Secondly, we also would like to prove the constraints on the vectors v_i, w_i, and that z_i and y_i are the correct extensions, without revealing anything, using random permutations. But how? A usual permutation of the coordinates of v_i and w_i will not work here because the verifier will not work.

So to tackle the problem we use some extending and permuting techniques that we developed from recent work on Stern's protocol. So the idea is that we first extend the vectors v_i and w_i to v_i* and w_i* in a set that we call B_m^{nk}, containing all vectors of length m with fixed Hamming weight nk. So the point of the extension step is to use random permuting. Then we can use a random permutation of m elements for these vectors.

So the second idea is that we also want to prove that we have the correct extensions z_i*, y_i* without revealing the bits j_i, and also the vectors v_i and w_i here. So to this end we use a combination of two permutations. Specifically, for a bit b and for a permutation π of m elements we define the permutation F_{b,π} that transforms a vector z consisting of two blocks z0, z1 to the vector consisting of two blocks π(z_b) and π(z_b̄). So basically, if the bit b is 0 then we permute each block. If the bit is 1 then we swap them before permuting.

Now let's take a look at the extension z_i*, with the following nice property. We have that z_i* is the correct extension of j_i and v_i* if and only if its permutation is the correct extension of j_i XOR b and π(v_i*). This gives us a nice method for proving that the left-hand side holds. We simply use a random method to verify that the right-hand side holds. So here the bit b basically serves as a one-time pad that perfectly hides the bit j_i. The same idea works for proving y_i*.
But here the bit in question is j̄_i, so we use the permutation determined by the bit b̄, and the sum of them will be j_i XOR b.

So to summarize, in the framework of Stern's argument for our accumulator, when we extend the secret vectors we also extend the public matrices A and G accordingly to preserve the equations, so that we can apply the random masking method. Further, to prove that the same vector v_i is nested in two consecutive equations, we use the same permutation at both places. Each round of the protocol has communication cost linear in the depth of the tree, which is logarithmic in the number of leaves. Each round has soundness error two-thirds, which is inherent for Stern's protocol, but it can be made negligible using standard repetition techniques.

So now I'm coming to the applications. Our protocol can be seen as a method for proving membership in sets chosen by the user. So it has a quite natural application in ring signatures, where the signer wants to be in the ring of his choice. To realize this signature we add one more hashing layer, where each user picks a secret x and outputs a public key d, which is the binary expansion of A times x mod q. Then, for signing a message with respect to a ring containing the signer's public key, the signer first accumulates the ring into u and then extends the argument for the accumulator to additionally prove that he knows some x such that the value at the secret leaf in question is exactly the binary expansion of A times x mod q. The argument is then transformed into a signature using Fiat-Shamir.

We can further extend the ring signature to achieve a group signature, where the group is set up by a manager and there is a tracing mechanism. So first we fix a number N that is the expected size of the group. The manager samples all of the vectors x_0 to x_{N-1} and computes the corresponding hashes d_i, then accumulates them into u. The signing key of user j is defined to be the vector x_j and the witness for d_j.
To enable tracing we add a CCA-secure encryption layer, and when signing a message the user is supposed to encrypt the binary expansion of his index j. To achieve CCA security without relying on trapdoors, we apply the Naor-Yung double encryption technique to the multi-bit version of the encryption scheme. And finally we manage to extend the argument system for the ring signature to additionally prove that the two ciphertexts correspond to the same plaintext and that plaintext is exactly the binary expansion of the system.

So here is a summary of what we propose in this work. One interesting feature of our group signature scheme in the general sense is that it is the first logarithmic-size signature in the BMW model that does not use a full-fledged digital signature for generating group members' private keys. And thank you for your attention.

We have time for a few questions.

So I have a question. What is the standard bound for the approximation factor in your construction?

So for the hash function, actually, it is a very weak assumption. For the SIS problem in the infinity norm we just rely on the bound. So the bound is just one. So a very weak assumption.

And another question is, so you can play this game with different constructions of Merkle trees, and this is, if I move it to a different world, if I use a different Merkle tree, how does it compare? Is it better? Are we using special properties of lattices that make it unique here? Or the other constructions in the same framework, when you use Merkle trees but not in the lattice setting?

Okay, so first, proving knowledge of a hash chain is very hard. Not to do it in lattices, but from other assumptions it is very hard to achieve without standard assumption. Okay, so if you want to build a group signature from a Merkle tree, we have to rely on such kind of protocol, and we now have two such protocols. One is by Boneh and Corrigan-Gibbs at Asiacrypt '14, which relies on non-standard assumptions in groups of hidden order.
The other one is SNARKs and non-falsifiable knowledge assumptions.

Thank you. So let's thank the speaker again.