The next talk is about optimal structure-preserving signatures in asymmetric bilinear groups. It's given by Masayuki Abe, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo. Jens will give the talk. Thank you.

Okay, so this is about structure-preserving signatures, which are a special type of pairing-based signature scheme. I want to start by talking about structure preservation, okay, which is something that we're already very familiar with in cryptography, right? I mean, if you think about a mathematical structure, such as, for instance, a finite cyclic group, it's proven to be extremely helpful in constructing cryptographic protocols, right? So we have things such as ElGamal encryption, Pedersen commitments, Schnorr proofs, and so forth, okay? And there may be more structure preservation going on here, right? If you think of ElGamal encryption, it encrypts messages which are basically the plaintext elements of this finite cyclic group, right? And if you multiply two ciphertexts, then you get a product of the plaintexts. So you also preserve the group operation in ElGamal encryption.

If we have more mathematical structure, we can do more things, okay? So one example of that would be from pairing-based cryptography, where now we have three cyclic groups and some bilinear map. The map takes pairs of elements from the two base groups and maps them into the target group. And now we can do more things. Now we can do identity-based encryption. We can do short digital signatures. We can do non-interactive zero-knowledge proofs and so forth, right? So the notion of structure preservation, the idea is that you have all these mathematical structures and they're really useful for doing cryptography. And you could hope also that the more structure you preserve in your schemes, the easier it is to put them together and build more complex schemes in a modular manner.
And there are actually quite a few papers saying something with structure preservation, structure-preserving signatures, structure-preserving commitments, structure-preserving encryption, and so forth. Okay. So let me get more precise about this.

So let me first state what a bilinear group is, which is the structure we are looking at in this paper, right? So you have some generation algorithm that outputs a description of a prime P and three groups of prime order P, which are generated by some generators G and H. And then you have this bilinear map that takes elements from the two base groups and maps them into the target group. There are different types of bilinear groups, depending on whether you have maps between the two base groups, right? So there are type one groups where you have an efficiently computable isomorphism between G and H. Then you have type two groups where you have an efficiently computable homomorphism from H to G, but not the other way around. And then you have the type three groups where you don't know any efficiently computable homomorphism from G to H or from H to G. And we're going to look at the third type of bilinear groups, but our results also do apply for the other two types of groups, I believe.

Okay, so a structure-preserving signature we'll define in the following way. First of all, everything has to be group elements and it has to live in the base groups, okay? So the public key consists of group elements in the base groups, the messages are group elements in the base groups, and the signatures are group elements in the base groups. And the second property we want is that the verifier only has to evaluate some pairing product equations. So these are equations where basically you take pairings of group elements, multiply them together and see what that gives, okay? Finally, we'll need one more property. We're going to look at signature schemes where the signer only uses generic group operations, okay?
So it can take group elements, it can multiply them together, raise them to some exponents and so forth, but it wouldn't look specifically at the bit structure of some group element, okay? And the consequence of the signer only using generic group operations is, well, then we know that the signature will be of this form, that you take, I don't know, some message elements, raise them to some exponents, you have some of the other group elements from the public key and so forth and raise them to some exponents, okay?

So as I already hinted at, right, I mean the idea with structure-preserving signatures is that they can compose really well with other pairing-based schemes, okay? So because the signatures are all group elements, it would be very easy to do ElGamal encryption and encrypt these group elements. Because the verification equation is a pairing product equation, it would be very easy to apply non-interactive zero-knowledge techniques and prove that you have some signature that verifies correctly even without revealing that signature. And there are several applications of structure-preserving signatures because now you can in a modular manner construct a lot of different things, group signatures, blind signatures, lots of other protocols, okay?

So now I'll get to the results, what this paper tells us about structure-preserving signatures. And what we have is a lower bound which says that a structure-preserving signature with a generic signing algorithm has to consist of at least three group elements, okay? And then we also have a construction which actually uses exactly three group elements. So an optimal structure-preserving signature scheme.

And I'm going to start with the lower bound. So I want to show that if you have a structure-preserving signature scheme with a generic signer, then the signatures have to consist of at least three group elements, okay? And the proof of this is going to really use the structure preservation in an essential way.
It's going to use the fact that the signer only uses generic group operations. And well, obviously you will have to use these kinds of properties, right? Because we already have examples of shorter signatures, okay? But these examples of shorter signatures, well, they reveal some exponents. Maybe they use a hash function. A hash function is really good at destroying structure, right? It's structure destroying, you could say, okay? And also, well, we really need to use the generic group model. I want to note that typically when you use the generic group model, the most common usage of it has been to prove that, well, there's some assumption that cannot be broken by a generic group algorithm, and therefore we have some reason to believe in that assumption, right? Here it's a bit different. Here I'm saying, hey, the algorithm that we're using in the scheme has to be generic, right? And if somebody wants to come up and beat our lower bound, then maybe they'll have to go out and come up with some pairing-based signature scheme where you use non-generic group operations.

Okay, so I'll try to sketch the idea behind this proof of the lower bound, okay? First of all, without loss of generality, we can just look at signatures for one group element, right? Because if you can sign very long messages, then you could always just connect, coordinate with some ones and sign one group element. So I'll just give a lower bound for, let's say, a single message that belongs to G, okay? And we're going to have three theorems, okay? One which says that you cannot have unilateral structure-preserving signatures. So the structure-preserving signature consists of some group elements, and we're saying that it can't be that all the elements are in G or all the elements of the signature are in H, okay? You have to have some kind of mix from G and H of the group elements. And that rules out one group element signatures, right?
Signatures, because, well, either this group element would be in G or it would be in H, and therefore it would be unilateral. And it also rules out that we could have two group elements in G, or two group elements in H. So the remaining difficult case is where we have, well, a signature that is of the form S and T where one of them belongs to G and the other element belongs to H. And we're going to show that that's impossible, and along the way we'll use the fact that it's impossible to have a single verification equation. So that's another lower bound: in a structure-preserving signature scheme, you need to have at least two or more verification equations, okay?

So let me first look at a really simple case, okay? And show that there's no single group element signature, or no single element structure-preserving signature, where the element belongs to G, okay? And the proof goes like this. So without loss of generality, we can write the verification equations like this, where you could imagine B and W and Z are derived from the public verification key, okay? And if we have two signatures on two different randomly chosen messages that satisfy this equation, you can simply take a linear combination of those and you have a new signature on a new message, all right? So this is very straightforward linear algebra to show that that approach doesn't work, right? And it generalizes very easily: even if you have many elements from G, they still cannot form a structure-preserving signature, okay?

So then let's look at another case. What if we have just elements in H? So suppose, for instance, we have a single element signature in H. And here we use the fact that it's a generic signer, right? What can a generic signer do? It's not really allowed to look at the bit structure of the message; it will just do group operations. But the message belongs to G, right? And it's trying to come up with some signature in H.
So basically it will have to choose the signature independently of the message. And well, if you choose the signature independently of the message, either it's not a good signature for all messages or it's a good signature for all messages. So you can't have that. And that also generalizes straightforwardly: many elements from H cannot be a signature on a message.

So now we've ruled out the unilateral cases, right? And the remaining question is, can you somehow create a structure-preserving signature where you have one group element from G and one group element from H? And to prove that, we'll need first a theorem to help us a little, which says there's no structure-preserving signature which has just a single verification equation. And I'm not going to prove that, but basically the strategy for proving it is that you look at the most general public key you can think of. So you have some elements U that belong to G, some elements V that belong to H. You come up with the most general way you could imagine a verification equation looks like, and you do a lot of linear algebra and you show that it's possible to forge.

So what remains is this question: can we find some kind of two group element structure-preserving signature on some message in G? And the strategy is, well, we already know that it cannot be unilateral, so the only possible option for a structure-preserving signature would be one that has one element in G and one element in H. And we know that it's a generic signer, so we can actually write the signature of this form here because it only uses the generic group operations to create the signature. Of course, alpha and beta and tau can have all sorts of complicated relationships with each other, but it has to be of this form. Okay? And what we will show is that when the signature is of this form, actually, even if you have many verification equations, they're all linearly related in some way, and they all collapse to just a single verification equation.
And that was impossible, so therefore you cannot have this two group element signature. Okay?

So I'll try to sketch how that goes. Okay? So without loss of generality, you can write the verification equation of this form. It doesn't matter so much what all these components are. You can take discrete logarithms of those and use the fact that the map is bilinear, and then you'll get this type of equation for the exponents of these elements. Now you can use the fact that it's a generic signer that generates S like this and T like this, and you can actually plug that into the verification equation. And look here, you have some component here which gets multiplied by whatever the discrete logarithm is of the message, and then you have some other component that's independent of the message. And it's a generic signer. So the signer doesn't actually look at the message and doesn't try to compute the discrete logarithm or anything like that. So we can conclude that if the signature scheme is to be correct, then in this equation here, the first part has to be zero and this second part has to match up as well. So each verification equation gives rise to this pair of equalities.

So now we have possibly many verification equations and all of them give some pair of equalities. And then you do some linear algebra on this and you show that they're all linearly related. So they're all equivalent to just one single verification equation. You might as well have used just a single verification equation. And that we ruled out, and we can therefore conclude that it's not possible to have a structure-preserving signature scheme consisting of just two group elements.

So that was the lower bound. Now we know that we have to use at least three group elements to have a structure-preserving signature, and we know that we have to use at least two verification equations to have a structure-preserving signature scheme. And now we actually have a construction that does that.
So the messages, and now we'll try to generalize as much as we can. So we say we have some messages. It can consist of some number of elements in G, some number of elements in H. We'll have some public key, which is slightly larger than the messages that we're trying to sign. And the signing key will just be the discrete logarithms of all these values in the public key. And signatures consist of three group elements which are computed like this. And verification is done by checking these two pairing product equations. So I want to highlight here that the messages can be really large, but even so, we still just have short signatures. The signatures are just three group elements. So this is optimal. The signature size is three group elements. The verification uses just two pairing product equations. And this signature scheme has the best kind of security we could imagine. It's strongly existentially unforgeable under adaptive chosen message attack. And it's proven secure in the generic group model. So we don't have a nice reason to believe that it's secure. It is a generic group model proof.

Okay. Some further results. So one thing I want to highlight is that it is actually possible to do one-time signatures that beat all these lower bounds. Okay. So we actually have a one-time signature scheme for unilateral messages where the signature scheme is unilateral. It's only two group elements and it only has a single verification equation. Okay. And well, the underlying reason is that in all these proofs here, the attacks we have require a two random message attack. Okay. So we don't have two-time signatures although our lower bounds hold, but not for one-time signatures.

Another question you might ask is, can we build structure-preserving signatures on non-interactive assumptions, right? Something that's better than just using the generic group model to argue that something is secure.
So, and we actually have constructions which require four group elements for unilateral messages and six group elements for bilateral messages. And we have some work which is going to appear at Asiacrypt which actually indicates that you can't build three group element structure-preserving signatures based on non-interactive assumptions. So, kind of, we're forced to use the generic group model for the three element construction. But then, if we want to have non-interactive assumptions, well, we can do it with four group elements.

And finally, I want to highlight that. Well, so the signature scheme we constructed here is one which is strongly existentially unforgeable. Sometimes it's actually useful to have quite the opposite property, that you can randomize the signature scheme, okay? And we also have a construction for that which is three group elements, but it only works for unilateral messages, and it's still an open problem to come up with one that works for bilateral messages, okay?

So, to summarize, we now have a lower bound of at least three group elements for a structure-preserving signature scheme, right? At least two verification equations. And we actually have a construction that gives us exactly that. Thank you.

We have no time for questions, so let's...