Welcome to my Eurocrypt 2021 presentation about Bifurcated Signatures. This is joint work with Benoît Libert from ENS de Lyon in France, Khoa Nguyen from the University of Wollongong in Australia, Moti Yung from Google and Columbia University in New York in the US, and myself, Thomas Peters from UCLouvain in Belgium.

In this talk, I'm going to show that we do not have to choose once and for all between either a strong notion of accountability or statistical anonymity in a single private signing scheme. More generally, our goal is to initiate research on Bifurcated Signatures. In more than two decades, cryptographers have built more and more advanced protocols, but they can usually be divided into two conflicting branches. On one branch, we have the primitives for privacy-aware users, such as end-to-end encryption or schemes with unconditional anonymity or everlasting privacy. On the other branch, we have the primitives designed to prevent abuse of the cryptosystem, where one would like properties such as key escrow, identity escrow, or accountability, sometimes motivated by safety reasons. Still, each branch taken individually might be the best solution in some context, but both rigid solutions cannot live together, and this might sometimes lead to some tensions. The goal of Bifurcated Cryptography is to make both branches live together in a single scheme in a flexible and user-friendly manner. Of course, given a commitment, for instance, it is either perfectly hiding or perfectly binding, and never both at the same time. Dual-mode commitment schemes exist and make a bridge between both branches, but this is usually a security feature used in order to prove the security of a broader protocol rather than a functionality.
In the case of anonymous signatures, cryptographers created the best solution that fits in a single branch. For statistical anonymity, we have ring signatures on the one branch, and for traceability, we have group signatures on the other branch, where an opening authority can identify the actual signer on demand, but it can always do so at will. Some works try to mitigate those absolute properties in both branches, and I will briefly mention some related works later, but the separation between both branches remains strong until today. A notable exception where both branches really coexist is accountable tracing signatures. However, the user receives a single signing key, which fixes the branch without the user being aware of which one.

This raises some questions. Why should we choose the branch at key generation time? Can we avoid authoritatively freezing the targeted security notions? Or can we have the best of both branches in a flexible and rallying feature? To answer these questions, we introduce Bifurcated Anonymous Signatures. In Bifurcated Anonymous Signatures, the branch is selected by a predicate at signing time. Depending on the content and even on some information related to the context, the predicate value determines point-wise whether the signature will fall in the statistical anonymity branch or in the traceability branch. Moreover, this predicate value is easily computable by the signer, who can thus make an educated choice as to whether he or she can afford signing.

From a privacy point of view, we require the Bifurcated Anonymous Signature to be branch hiding. That means that whether a signature is traceable or not is hidden from the outside. This allows the signer to make a free choice, as no one can tell whether he or she accepts signing for one branch or the other. Except the opening authority, of course, who can figure it out by trying to trace the signature.
We also stress that revealing the branch can give private information about the signer, so this is one more reason to hide the branch. Further, we also require Bifurcated Anonymous Signatures to satisfy the branch soundness notion. This is a security requirement which ensures that malicious signers, even colluding with all the authorities, cannot flip the branch and compute, or implicitly force the computation of, a signature that should fall in one branch while it finally falls in the other branch. Somehow, it says that no one can cheat with the predicate upon which an anonymous signer can make a secure choice. As a side note on the meaning of "bifurcated", the Merriam-Webster dictionary says that it is actually two branches in one.

More intuitively, this is how Bifurcated Anonymous Signatures work. We have a group manager who creates some credentials for the users who belong to the group. Once enrolled, a user can sign any message, and before signing, he or she can evaluate the predicate to know whether the signature will be traceable or not. Once he or she outputs the signature, anyone can verify its validity as with a normal, ordinary signature. This process is actually dynamic. A new user can come and join the group by first creating a secret, usually a signing key, and will get the credential, usually a group manager's signature on the user's verification key. Traceable or not, any signature computed by a group member is at least computationally anonymous from the outside. The opening authority can try to identify the actual signer behind any signature. If it does not find any identity, that means that the signature is statistically anonymous. Otherwise, it should always find one identity. Basically, a Bifurcated Anonymous Signature is a flexible mix of ring and group signatures.

So let's have a quick view of the state of the art. For group signatures, the concept was introduced in 1991 by Chaum and van Heyst.
In 2000, Ateniese, Camenisch, Joye and Tsudik gave a construction resistant against coalitions, but the security analysis was made with respect to a list of security requirements. It is only a few years later, in 2003, that Bellare, Micciancio and Warinschi proposed a security model and a construction based on trapdoor permutations. But at that time, group signatures were only static. That means that it was not possible to join the group, and so the group was frozen at key generation time. It is just a few years after that that the extension to dynamic groups was proposed, with a formal model and construction as well.

So that is for group signatures. For ring signatures, the concept was introduced in 2001 by Rivest, Shamir and Tauman. The purpose was to show how it is possible to leak a secret and keep anonymity in an unconditional way, so in a statistical way, and the application there was to allow whistleblowing. The security was enhanced in 2007, and actually a little before, by Bender, Katz and Morselli, who gave stronger definitions and constructions in the standard model.

So this was for the basic notions, somehow, of group and ring signatures, but many variants have been suggested so far, usually to reduce the power of a single entity. In the case of group signatures, several works propose to restrict the power of the opening authority by only allowing message-dependent opening, or by only allowing it to trace signatures between themselves and not specifically to identify a signer. In the case of ring signatures, some authors try to restrict the anonymity and try to have some accountability notion, and they introduce linkable or traceable ring signatures, or even k-times anonymity, where the idea is that if a user signs the same message too many times, the signatures will become linkable. These are properties distinct from opening authorities, but there the anonymity is always computational.
There are also works where a converter, so an authority, has to convert signatures in order to be able to identify the signer or to make a link between them. You also have accountable ring signatures, where the purpose is to have many different opening authorities, so you can have threshold opening authorities, where you need that many of them work together in order to trace a signature, or you can also have a more flexible scheme where the opening authority is chosen by the signer, but each time you still have someone who can retrieve the identity or link the signatures. So anonymity is only computational, and you also have other solutions that are interactive that I do not discuss here.

There are also other flexible kinds of signatures, where somehow we give more control over who can sign and who can sign what. So we have attribute-based signatures, policy-based signatures, and functional signatures, where the purpose is not to have statistical anonymity live with some kind of accountability. This is more or less a power to sign or not to sign. You also have some other features, as in dynamic group signatures, in the sense that the group of users can be chosen by the signer at signing time, but he can only choose members of the overall group. But still, this is the usual kind of opening authority and anonymity.

So there was one notable exception that I already mentioned: the case of accountable tracing signatures, where ring and group signatures might coexist a little bit, but the users are not notified whether they actually live in the branch of ring signatures or of group signatures. That means that the authority chooses for the user once and for all in which branch they will live. And so the user doesn't know that. This is something that we want the user to be aware of. We are thus indeed the first to offer the best flexibility by pushing the choice between group and ring signatures to signing time.
So our contribution consists of first giving a formal model of BiAS and second providing a generic construction that can be instantiated in the standard model. We provide a formal description of the primitive, the syntax. Actually, we require the use of a predicate family. That means that at signing time we do not have a single predicate. The signer can choose one predicate among several ones that are available in the public key. As we already mentioned, the first safety notions that we want are branch hiding and branch soundness. We have unconditional anonymity, or statistical anonymity, if the predicate evaluates to one. That means that if it evaluates to zero, the signature is traceable.

And for security purposes, we also have to define an extractable mode, an extractable mode which is indistinguishable from the real mode. Why we need that is actually because, in order to prove some kind of unforgeability of, for instance, signatures that are statistically anonymous, it is strange to define why it is a forgery at all, since we cannot extract any identity or witness to say, oh, actually it is a forgery. So we do not have meaningful information from statistically anonymous signatures. So we will have to flip the mode in order to have something which allows us to always extract some message, identity and witness, in order to define the security notions of traceability and non-frameability as in usual group signatures.

We also provide a generic construction for predicates that can be expressed as bounded-depth Boolean circuits. We can instantiate this generic construction where the signature size is independent of the circuit size. We have an instantiation based on LWE that uses FHE and where the depth is polynomial. And you can also have a pairing-based instance where the depth is only logarithmic. Both instantiations are in the standard model.

Now let me give a more formal description of BiAS. Here is the high-level description.
We have a setup which defines the secret key of the group manager and the one of the opening authority, so OA. We have the predicate family P. So we have many distinct predicates P with index i, and any predicate takes as input a message, an identity and a witness. And we will see what the witness is. This is what we call the context. And the predicates evaluate to 0 or 1. To join the group, the group manager and the new user engage in a protocol in such a way that, if the protocol succeeds, the group manager creates a certificate for the user, a new ID, and the user also gets some secret information. That will be the signing key of the user. To sign a message, a user with identity ID, a certificate, the secret information, the message, a witness and a predicate P produces a signature sigma. To open a signature, the opening authority uses its secret key. And we assume here that the signature is valid. To check the validity of the signature, we actually need the message, the signature and also the predicate. We need to choose a predicate to check the validity of the signature. And the opening authority will either extract an identity or a symbol indicating that the signature is actually anonymous.

We have several potential applications. For instance, we can imagine money laundering or tax evasion protection in financial transactions. So the message M can be seen as the encryption of who pays: the payer and the payee. W is the witness, and the witness can be the amount of money involved in the transaction. This witness can also be in a commitment which is defined outside our primitive, but they can be combined. And then of course, no one will commit to a big amount of money if he doesn't want to pay such an amount. So we can define the predicate P with index i such that it checks whether the amount is in a range, and all the possible ranges are set up by the public key.
We can thus have statistical anonymity if the amount belongs to the range, or if the transaction is actually a local transaction. If it is a cross-border transaction, then the signature should be traceable. Another application is renting an e-book. Here the predicate can simply be: does the book contain only harmless content? So for instance, if it is a simple story, we do not need that someone is able to identify who rents which book. But on the contrary, if the book contains some information, for instance related to a chemistry book on how to construct a bomb, it might be good to have some accountability there and be able to extract the identity of the actual reader. We also have another interesting application in free investigative journalism. Here we have a journalist who might be abroad in some country i, and the journalist wants to authenticate a paper or some information, and depending on whether it is in a country with freedom of speech or not, he wants to have some statistical anonymity to send authenticated messages. But of course, if you are in another country and you have no problem with that, there is no issue with being able to identify you, and it is even better to be able to quickly identify those signed papers; it will be easier for the application. So for the journalist abroad, of course this identity can be related to some credential that ensures that the journalist receives some credential to be in another country, and so on.

So it's time to talk about the security notions. We have some notions of privacy and some others of security. For privacy, we have two complementary anonymity flavors: the non-traceable case and the traceable case. The non-traceable case actually corresponds to statistical anonymity. So the adversary can choose a predicate P, a single predicate P, and a single message M, but he can then choose two distinct identities, witnesses and certificates.
As long as the predicate evaluates to one in both cases, then the signature should statistically hide our choice b. In the traceable case, we could say, okay, now we can just focus on what happens when the predicate evaluates to zero, but if we do that, we do not capture the branch hiding notion. That means that if we only have one anonymity notion for when the predicate evaluates to one and another one for when the predicate evaluates to zero, that doesn't mean that we actually have computational indistinguishability between traceable and non-traceable signatures. So here in the traceable case, there is actually no restriction on the predicate's value. And we follow the usual CCA-like principle with opening queries. So there the anonymity is defined and can only be reached computationally.

For the security, we have a two-step notion. We talked about the need for an extractable mode in order to define, for instance, the unforgeability of a statistically anonymous signature. So we introduce a simulation setup that creates some trapdoor key information too. And with this piece of information, we can always extract identities and witnesses with overwhelming probability. And actually the way we define branch soundness is by saying that the two modes are indistinguishable even if we give the secret signing information to the adversary. We do that because we want the security properties defined in the extractable mode to have some meaningful interpretation in the real mode, where we want to have security against the authorities if they collude, for instance. Once we have that, we can extract identities and witnesses. It is now easy to define the notions of traceability and non-frameability, where, for instance, the purpose is to show that even if the opening authority and the group manager collude, they cannot make an honest signer accountable for a signature that he never signed.

I will now give a quick overview of our generic construction.
We have a join algorithm, a join protocol, which works exactly as in many other schemes. A signer creates a signing key, SK_ID, and asks the group manager to sign his public verification key. So the certificate is the signature from the group manager.

Now, to sign a message M. First, we compute a message-dependent circuit, like this. As in other signatures, we also first pick a pair of keys from a strongly unforgeable one-time signature scheme. And we will use that at the end in order to sign all the computation that we made, in order to have non-malleability, and we need non-malleability to have a CCA-like anonymity property. We also have to commit to the identity and the witness, and we do that by using an R-lossy ciphertext, an R-lossy encryption. The R-lossy encryption takes a tag, which is here the verification key of the one-time signature scheme. Depending on the verification key, we can have a ciphertext which is lossy or not in the real mode, but we can also have a mode where all the ciphertexts are lossy. We use that because we need to extract at some point every identity and witness, and we also have to switch to a programmed tag VK for the anonymity property. So now we actually evaluate the predicate, so the circuit, and we have the evaluated value, and we compute a lossy ciphertext. So this one is not R-lossy, it's only lossy, and we actually encrypt either the identity or something which is zero, independent of the identity, depending on the value of the predicate. Then we rely on homomorphic equivocal commitments. This is a scheme for which it is possible to compute a commitment, here on the identity and the witness, and anyone can evaluate some circuit on top of the commitment, and then we will have another commitment, and we, since we know the random coins, are able to provide an opening value for the committed evaluation of the circuit on the inputs that we used in the commitment.
Then we, of course, sign the message, the predicate, and also the commitment, and we have to prove that everything was done honestly, and we make use of a dual-mode statistical non-interactive zero-knowledge argument. We prove that everything was done honestly, as I just said, and at the end we must not forget to sign everything using the one-time secret key of the strongly unforgeable scheme. It is worth noticing that we do not really directly need simulation soundness from the argument, because we actually rely on the lossiness of the ciphertext, so it is possible to simply have honest computation, and everything is done through the indistinguishable mode of the lossy encryption key.

To conclude, we introduce bifurcated anonymous signatures and a new direction of bifurcated cryptography in general. We reconcile unconditional anonymity and accountability in a single scheme at signing time. We provide a generic construction in the standard model for bounded-depth circuits. We have two instantiations, and in the case of pairings, we can use the Groth-Sahai proof system and structure-preserving signatures, and just to give an idea, here you have the size of the signature, which depends on the length of the witness and the identity. We use a symmetric pairing just to show how practical, in some sense, the signature size can be. We have some nice open problems. Of course, we can try to apply the bifurcated idea to other primitives, for instance to end-to-end encryption with escrow or not. We can also try to have more practical BiAS for specific predicates in the random-oracle model and under simple assumptions. And, of course, we can also imagine extensions of Malichewski and subverted anonymity that we already defined in the long version of the paper, and we can also think about revoking the ability to sign in the group. Thank you. I hope you enjoyed the presentation.