Hello, everyone. This talk is about round-optimal blind signatures. This is joint work with Shota Yamada and Takashi Yamakawa. In this work, we present a round-optimal blind signature protocol. It does not use the CRS model, and it does not use complexity leveraging.

First, let me introduce blind signatures. Blind signatures are digital analogues of sealed envelopes with a carbon copy sheet. In blind signatures, there are a signer and a user. The signer has a public verification key and a secret signing key. The user has a message. The user puts the message into a sealed envelope with a carbon copy sheet and sends it to the signer. The signer signs the sealed envelope and returns it to the user. The signer does not see the message M. The user opens the envelope and obtains the signed message M.

Blind signatures are crucial building blocks of privacy-preserving cryptosystems, such as e-cash, e-voting, anonymous credentials, and other privacy-preserving protocols.

There are many blind signature protocols. Most of them use a trusted setup, such as the random oracle model or the common reference string model. Fuchsbauer et al. and a follow-up work presented blind signatures without trusted setup, but they need strong interactive assumptions. Blind signatures without any trusted setup from standard assumptions are impossible, and interactive assumptions are needed. Garg et al. presented blind signatures without trusted setup from standard assumptions, but they need strong assumptions. Garg and Gupta also presented a protocol; however, it needs complexity leveraging. Our protocol is the first protocol that does not use interactive assumptions.

There are two security requirements. The first is unforgeability. In this security game, a malicious user interacts with the signer in Q signing sessions. If the malicious user cannot output Q plus 1 or more signatures, the protocol satisfies unforgeability. The second is blindness. In this security game, a random coin is flipped and a malicious signer runs the signing process with the user. If the malicious signer cannot guess the coin after the signing process, the protocol satisfies blindness.

Let me explain the basic idea of the protocol. The starting point is the protocol by Garg et al., and the protocol is as follows. The signer and the user use secure function evaluation of the signing function. To deal with a malicious signer, the signer proves by a zero-knowledge argument that it follows the protocol. However, proving unforgeability is a bit tricky.
There are a few issues in proving unforgeability. First, we want to prove unforgeability of the blind signature by using unforgeability of standard signatures. But a reduction cannot pass a message to its signing oracle because the user's message is hidden by secure function evaluation. Garg et al. resolved this issue by using complexity leveraging. That is, we assume signatures with super-polynomial-time security and use a super-polynomial-time reduction in the security proof. Then the reduction can extract the message by breaking the receiver security of secure function evaluation.

The second issue is that a two-move zero-knowledge argument is impossible. We need two-move zero knowledge to achieve a round-optimal protocol. Pass overcame the impossibility result by using super-polynomial-time simulators. Garg et al. used the technique by Pass. A super-polynomial-time reduction extracts the message and runs a super-polynomial-time zero-knowledge simulator.

Our first idea is that we use quantumly secure cryptography instead of cryptography with super-polynomial-time security. A quantum polynomial-time reduction can break the receiver security of secure function evaluation and extract the message. The work by Kalai and Khurana inspired this idea. However, simply using this idea does not work because we need to use complexity leveraging twice in the protocol by Garg et al. We will see this issue more closely later.

You might think that we can apply the technique by Kalai and Khurana to the protocol by Garg and Gupta since we use complexity leveraging only once. However, all building blocks of their protocol must be pairing-based since they use specific algebraic properties of the Groth-Sahai proof system. So, the protocol is not compatible with quantum simulation.

We saw that a two-move zero-knowledge argument is a crucial building block. So, we focus on this primitive hereafter. We review the two-move zero-knowledge argument by Pass. It uses the well-known OR-proof trick. The verifier chooses an input of a one-way permutation f and computes
an output z. Then, the user sends randomness for ZAP and z to the prover. ZAP is a public-coin two-move witness-indistinguishable proof. The prover generates a dummy commitment and returns the commitment and a response for ZAP. The statement of ZAP is as follows: the statement x is true, or com is a commitment of the preimage of z. The latter statement is for simulation.

We construct a super-polynomial-time simulator for proving zero knowledge. The simulator breaks f by using super-polynomial power and gets the preimage y. Then, the simulator generates a commitment of y and a ZAP proof by using the witness y. The modified commitment is indistinguishable due to the hiding of the commitment. Using a witness for the latter statement is indistinguishable due to the WI property of ZAP. Thus, zero knowledge holds.

Next, let's see soundness. This follows from the soundness of ZAP and the one-wayness of f. We construct an inverter algorithm for f. The inverter uses the instance z as a part of the first message and extracts the preimage from the commitment by using super-polynomial power. Here, note that the former statement is false in the soundness setting. The running time of the inverter must be much shorter than the running time of the zero-knowledge simulator.

In the protocol, we use complexity leveraging twice. So, let's see the relationship among the running times of the reductions. The zero-knowledge simulator runs in time t and needs to break f. The inverter for f runs in time t prime and needs to break the commitment. There are three security levels. Using quantumly secure cryptography works for two security levels, but not for three.

Now, let's see our design idea. We introduce the notion of a blind-signature-conforming zero-knowledge argument in this work. This is a two-move zero-knowledge argument. First, we replace the commitment in Pass's protocol with public-key encryption and generate a dummy ciphertext for ZAP. The encryption key is given to the verifier before the protocol starts. So, this is not the plain model, but this is okay since
we consider the blind signature setting. The prover corresponds to the signer in blind signatures and can register the encryption key as a part of the signer's public key.

We use non-uniform security of f, as in Garg et al., to prove soundness. Non-uniform algorithms are two-stage algorithms. At the pre-computation phase, the algorithm computes an advice string with unbounded computational power. At the online phase, the algorithm is given a problem instance along with the advice and tries to solve the problem in polynomial time. That is, the inverter can get the decryption key as advice in the non-uniform model. The signer's public key is given before the protocol starts, that is, before the verifier sends z to the prover. Therefore, we can construct a non-uniform reduction to f such that the decryption key is given as advice, and extract the preimage from the ciphertext CTP.

An issue is that a prover might maliciously generate the key pair. If the public key, EKP, is ill-formed, we cannot extract y from the ciphertext CTP. Here, the PKE scheme must be quantumly secure, since we consider quantum simulators to use quantum power. However, there is no quantumly secure PKE where we can efficiently recognize that a public key is honestly generated.

So, the verifier also uses PKE. The verifier generates a key pair and sends the public key as a part of the first message. The prover also generates a dummy ciphertext under the verifier's public key. The OR part of the ZAP statement is also modified accordingly. Thus, even if EKP is maliciously generated, we can extract y from CTV.

However, this incurs another issue, since the verifier cannot register the public key. So, EKP is not certified, and it could harm zero knowledge. To prove soundness, we want to guarantee that we can extract the OR-part witness y when the prover cheats. So, we use lossy encryption and another ZAP to handle this issue. The prover puts the first message of ZAP in the public key. This is okay, since the first message of ZAP is reusable. The verifier generates a key pair of lossy encryption and sends the public
key and the ZAP proof as part of the first message. The second ZAP statement is like this: the lossy encryption public key is in lossy mode, or EKP is ill-formed. I defer explaining how to prove this statement.

To prove zero knowledge, we use the former statement. In zero knowledge, EKP is honestly generated since the prover is honest in this setting. So, EKP must be lossy mode, and the ciphertext CTV gives no information and does not harm zero knowledge.

To prove soundness, we use the latter statement. In this setting, a malicious prover generates an ill-formed EKP and the former statement could be false. So, we use the injective mode of lossy encryption and extract the preimage y from the ciphertext CTV. Note that the injective mode and the lossy mode are indistinguishable.

There is a subtle final issue. In the soundness setting, a reduction cannot decide whether the ZAP proof from a malicious prover really violates the soundness of ZAP or not. To efficiently check the winning condition, we put another public key of PKE in the prover's public key. The prover sends a ciphertext of the witness W as a part of the second message. The statement of ZAP is modified and guarantees that the witness W is encrypted under the new public key. We also use non-uniform security of PKE. A non-uniform reduction can extract the decryption key behind the new public key and put it in the advice. So, the non-uniform reduction can efficiently check whether the prover violates the soundness of ZAP or not.

Lastly, we explain how to prove that an encryption key is ill-formed. We can achieve such a proof for the Regev PKE scheme. In Regev PKE, a public key consists of a basis of a lattice L and a vector V. A secret key is the closest lattice point to the vector V. An ill-formed public key means the vector V is far from lattice points. Aharonov and Regev show that a lattice L and a vector V constitute an NP language if V is far from lattice points. So, we can prove a public key is ill-formed by ZAP. However, there is a subtle issue since their proof system is for gap languages. A malicious prover may choose a public key that is not far from lattice points,
but not close to them. In fact, we can define a secret key for such a public key in the gray zone. Such a secret key is sufficient for extraction. Therefore, the proof system works in our protocol.

Let me summarize my talk. We present a round-optimal blind signature protocol in this work. It is based on standard classical and quantum assumptions and does not rely on any trusted setup. In addition, it does not use complexity leveraging. We introduce several interesting techniques to achieve our protocol. In particular, we introduce the notion of blind-signature-conforming zero knowledge and use quantum power in reductions. We also use a proof system for ill-formed public keys as a crucial tool. That's it. Thank you for watching my talk.