 Hi, my name is Michael Rosenberg and today I'm presenting results for my work on blind signatures with John Katz and Julian Loss. Let's get started. First, we define what a blind signature scheme is. We start with the intuition that blind signatures are like digital signatures, except the signer learns nothing about the message that it signed. The security property is formalized as blindness, and essentially means that a signer who blindly signed two messages can't tell what order they were signed in, even if given the full transcript, message contents, and signatures later on. The next security property is similar to one in digital signatures. A signature scheme is unforgible if, given access to a signing oracle, the adversary can't produce a fresh message signature pair, i.e. one that the signer hasn't seen yet. The problem with this definition in the case of blind signatures is that every message signature pair looks fresh because all the messages were signed blindly. So, the standard version of unforgibility for blind signatures is a slightly different notion called one more unforgibility, or OMUF. This scheme just counts message signature pairs. A blind signature scheme is one more unforgible if an adversary who makes L-many calls to a signing oracle is unable to produce L-plus-one distinct message signature pairs. To provide motivation, we note that there are real-world applications for blind signature schemes. They have appeared as a primitive for an anonymous fair exchange mechanism for Bitcoin, as well as for a cryptocurrency imagined by David Chowam called eCash, which is actually the origin of the idea of blind signatures. Our paper begins by observing a gap in existing efficient blind signature schemes. We look at existing schemes and note some of the common caveats. First, the blind schnore signature scheme is only proven secure for logarithmically many signatures. In addition, it was proven last year that it is completely broken for more than log of two CAPA concurrent sessions where CAPA is the security parameter. Another observation is that other schemes supporting polynomially many signatures rely on non-standard assumptions, including the code-diffie-helman inversion assumption, the one more RSA inversion assumption, and the algebraic group model. Finally, there are some blind signature schemes which don't provide concurrency at all. In light of this overview, we aim to fill a gap in existing blind signature schemes. Specifically, we wish to construct a blind signature scheme in the random oracle model using standard number-theoretic assumptions that is provably secure after polynomially many signatures and with arbitrary concurrency. We achieve this goal by constructing a generic transformation that transforms a blind signature scheme supporting logarithmically many signatures to one that supports polynomially many. Specifically, our transformation operates on blind signature schemes which arise from algebraic hash functions with certain homomorphic properties. This is expanded on later. Secondly, we make no new security assumptions. Thus, after transformation, the only assumptions necessary are the ones that come from the underlying schemes, such as discrete log, RSA, or factoring. Finally, the schemes that this transformation outputs support arbitrary concurrency. Our transformation does come with caveats, however. First, the communication complexity depends on how many signatures have already been computed. This can be improved, however, to just being linear in the number of dishonest users who were caught being dishonest. We explain what this means later. The second caveat is that the estimated group size necessary to achieve 128-bit security is approximately 5,000 bits. To begin describing our transformation, we start with a transformation due to Poinscheval. We start with an ordinary three-round blind signature scheme. In Poinscheval's case, it is the blind Okamoto-Schnor scheme. The signer initiates the protocol, the user blinds their input, sends it to the signer to be signed, and then unblinds the signer's output. Poinscheval turns this into a six-round protocol by introducing a cut-and-choose sub-protocol. Let's examine this in detail. The transform changes the underlying scheme as follows. First, the user now commits to two sets of random coins. This is the randomness that's going to be used to blind their message. Next, the signer picks a commitment at random to leave unopened. The other must be opened. Next, the client sends the opening. And finally, the signer checks the opening. If it was valid, it completes the rest of the protocol as in the underlying scheme. If the opening was invalid, then the signer aborts the protocol and then halts forever, refusing to sign any future messages. We call this teardown because it can't be recovered from. In the real world, teardown would amount to updating the signer's key pair every time a user is caught cheating in the protocol. What does this transform set out to do? Poinscheval's proof strategy is to reduce the security of the underlying scheme, which, recall, can only handle logarithmically many signatures, to that of the transform scheme. Since the transform scheme is supposed to support far more signatures than the underlying scheme, there needs to be some way to bring down the number of interactions an adversary can initiate with the underlying signer. To do this, Poinscheval defines a simulator which can simulate the signer in the new scheme as long as the commitment to the randomness was honestly computed. So, as long as the user is on as the underlying signer doesn't need to be called. The way to check honest computation is by having the user make two commitments and open one of them. Thus, a cheating user gets caught with probability one-half each session. Does this achieve security for polynomially many signatures? Yes, it does. The reduction goes through and we get a log one more forger. There's a neat proof that does this by showing that if a potentially dishonest user's execution tree with the transform scheme has polynomially many leaves, then not too many of its branches could have been pruned, i.e. it could have only cheated logarithmically many times, hence the log one more forgery. So, since the number of cheating attempts is logarithmically bounded after polynomially many interactions, and since blind Okamoto Schnorr is shown to support logarithmically many signatures, Poinscheval concludes that the transform scheme supports polynomially many signatures. Some downsides of the scheme include the fact that it doesn't permit arbitrary concurrency. Rather, it only permits parallel execution, which is a weaker notion. Also, this requires a full tear down for every caught cheater, which can be annoying and costly to implement in practice. Finally, this transform is not generic. Poinscheval only states the transform in terms of the Okamoto Schnorr blind signature scheme. We now introduce our transform by starting with Poinscheval's. Our scheme doesn't diverge from it too much. The first detail of our transform is that its structure depends on the number of sessions that have already been initiated. In this sense, it is stateful. We denote the session number by n. In session n, the user commits to n sets of random coins rather than just two. Then, the user picks an index i, which will be the commitment that is not opened. The user opens all the commitments other than i. And finally, the signer checks all the commitments. On success, it signs just as before. On failure, it only aborts, rather than aborting and tearing down. This means that the signer can continue signing future sessions even if cheating is detected. We now compare this to the original Poinscheval transform. First, remember that we can only afford O of log cap of many signatures in the underlying scheme. The goal of both Poinscheval's and our transformations in their security proofs is to limit the number of such signatures. Previously, the probability of a user getting away with cheating was one half in each session. If a teardown weren't enforced, a user could cheat linearly many times, which would potentially break the underlying scheme. Thus, teardowns are necessary. In our transform, the probability of a user getting away with cheating is one over n in session n. Without using teardown, the expected number of times a user could cheat is logarithmic in the number of sessions they initiate, since this is a harmonic sum. Also importantly, we prove that with high probability, a user can't do much better than the expected value, so they can't escape the logarithmic bound. Since we've logarithmically bounded the number of interactions with the underlying signer, we conclude that our scheme is secure for polynomially many signatures without teardowns. We now compare concurrency. Recall that the Poinscheval transform only permitted parallel executions, which is weaker than arbitrary concurrency. In particular, with parallel execution, a session cannot advance faster than its predecessors. With our scheme, the only state is the session number n. So, if n is atomically incremented across sessions, the harmonic sum from the previous slide holds regardless of the number of concurrent sessions running. Thus, we achieve arbitrary concurrency. We also prove that you can do better than incrementing every time. In fact, we show that it suffices to only increment n when a user is caught cheating. Finally, we compare generosity. As mentioned before, Poinscheval's transform was only defined in terms of the Okamoto-Schnor blind signature scheme. Our result, which builds on Poinscheval's transform, also generalizes it to any blind signature scheme built on an algebraic hash function with certain homomorphic properties. We refer to these as linear function families in the paper. Examples of blind signature schemes built on top of a linear function family include Schnor, Okamoto-Schnor, Fiat-Schamir, and Okamoto-Giyuki-skate. That's it for my talk. Thank you for your time.