 Hello, I'm Rohit Chatterjee and I will be presenting our work in crypto compact ring signatures from Learning with Errors. My co-authors are Sanjum Garg, Muhammad Hajiabadi, Dakshita Khurana, Shauli Ang, Julio Malavolta, Omkath Pandey and Sina Shihar. Let us start by defining compact ring signatures. We have a scenario where there are multiple users, each with their own public and signing keys, and one would like to sign on behalf of a ring with multiple users. Crucially, we require that the signature be generated without any prior setup or interaction with other users in the ring. We expect the signature to satisfy unforgability just as standard signatures, and anonymity, meaning that signatures should not reveal which user in the ring created them. We also want compactness, that is, the signature should have at most polyrhagorid size with respect to the quantity of users in the ring. There are the related notions of sub-linear and linear ring signatures which grow sub-linearly and linearly in the ring size respectively. Finally, ring signatures have been studied for a while and they have myriad applications such as authenticating data for visa blowers, which was the original motivation as well as more recent ones such as usage in cryptocurrencies to authenticate transactions. Ring signatures have been studied in the random oracle model, the CRS model and in the plain model, that is, without any modeling assumptions. All works mentioned here are compact or sub-linear ring signatures. However, there are earlier initial works that were linear. Recall that compact signatures grow polylogorhomically in the ring size, while sub-linear signatures grow sub-linearly. Off-note are the works by Malavolt and Schroeder who built a compact ring signature using a knowledge of exponent assumption. Bacchus, Hangelek and others who built a sub-linear ring signature based on pair rings and finally Bacchus, Totaling and others who give a compact ring signature based on pair rings, which is of closest interest to us. However, in work so far, there is no compact ring signature construction in the plain model instantiable solely from LWE. This brings us to the key question we address in this work, namely, can we build compact ring signatures from polynomially hard LWE? And in this work, we do show how to construct a compact ring signature scheme using components instantiable from polynomially hard LWE. So the answer is yes. Our construction builds upon the BDHKS framework. So let us take a brief look at their construction next. We start by describing the components they use. They use a public key encryption with additional properties, a standard signature scheme, a somewhere perfectly binding hash, which can be thought of as a variant of a Merkle tree, with stronger statistical properties that can be instantiated from FHE schemes. And finally, a non-interactive witness in distinguishable proof system, which can be based on a de-randomization assumption involving NP, by linear maps, or in distinguishability obfuscation. We can note here that the first two components can be obtained from a variety of standard assumptions, including LWE. Similarly, somewhere perfectly binding hash schemes can also be instantiated based on LWE via FHE schemes. Neve proofs, however, are instantiated in most cases from pairing based assumptions, which are known to be broken by efficient quantum attacks. So for our purposes, we're looking to replace the usage of neve proofs in the BDHKS construction. Let us now take a closer look at the actual construction. The components are as before. For setup, we pick signing and verification keys as follows. We sample signing and verification key for the standard signature scheme. We also sample a public key for encryption, that is, we sample it without a corresponding secret key. The encryption scheme allows this to be done indistinguishably. We will see why this is necessary soon. Finally, the overall verification key consists of the verification key for the signature scheme, along with the encryption public key. The corresponding signing key just has the ordinary signing key inside it. We next take a look at how to construct a simplified version of their signature. The public and signing keys are as described before. To sign a message M with respect to ring R, which contains our ring verification key VK, we first generate a hash key for the SPB hash. Next, we compress the ring R into a short digest H using the SPB hash. This can be thought of Merkel hashing the ring, and H can be thought of as the corresponding root. Next, we generate a signature using the signing key for the ordinary signing scheme. Finally, we encrypt the signature under the chosen public key. The ring signature consists of the encrypted signature, the hash key, and the Neve proof proving the following statement. The cipher text encrypts a valid signature under some verification key VK, and there exists an SPB opening, which is like a Merkel tree opening, showing that VK is consistent with the hash root H. Let us now look at the properties of this construction, starting with the size. The encrypted signature and hash key are unrelated to the ring size by default, and so do not grow with it. Turning to the proof, we note that firstly, the statement is small because the hash root H is compact, and then the witness is also small because the SPB opening, which is like the Merkel tree opening and is log size in the ring size, is compact. So we can conclude that the overall proof is compact. Therefore, the ring signature as constructed is also compact. Next, let us turn to inforgeability. Consider a successful ring signature forger. The crucial thing to note is that this forger is forced to either forge a signature sigma for the standard signature scheme or violate the soundness of the proof pi. Given this, it is easy to reduce to either the soundness of the Neve by just simply forwarding out the proof or inforgeability of the signature scheme. This can be done as follows. The reduction switches to a hybrid where it now has the secret keys for every encryption public key it generates. Note that from before, we can do this change in an indistinguishable manner because of the properties of the encryption scheme. Now it can extract the signature by trying to decrypt by using each secret key in turn and picking the right one. The resulting signature it obtains will be a forgery for the originary signature scheme. To show an anonymity, we rely on the wi property of the proof. Recall that anonymity requires that we cannot tell which user in the ring actually created a particular signature. We do this by gradually modifying the signature using a sequence of hybrids, moving from a signature signed under one particular key, say vk0 to another, say vk1, where both of these keys are in the ring. Basically, the signature uses another dummy block or another encrypted signature and hash key pair. To show an anonymity, we switch gradually from the dummy block to one using vk1. Then we switch the proof to now using this block. And next, we switch out the original block, which was using vk0 to now also use vk1. Finally, we switch back to the original block for proving the proof and then turn the alternate block into a dummy block back again. Note that this now looks like a legitimate signature using vk1 and has no trace of the key vk0. And this suffices to show anonymity. As a side note, we use a strong security notion for anonymity where the randomness for key generation is provided to the adversary for every party in the ring. This is the reason we normally generate public keys without a corresponding secret key because if the adversary could obtain the secret keys using the randomness, then it would trivially compromise anonymity. Now that we have summarized the BDHKS construction, let us see how we can replace the Neve proof. We begin by using an observation from Bender, Katz, and Morsely, where instead of using a Neve, we try to use a specific two round WI argument or a zap, which has a public coin first message. The idea is simple. Instead of using the Neve, we place the zap first round message in the public key vk and use the second round response in place of the Neve proof in the ring signature to prove our statement. This seems to work, except that using the first message from the signer's own verification key may violate anonymity trivially. So instead, we use the first message from the lexicographically smallest verification key in the ring. It seems now that we would essentially be done if we could build zaps from LWE. And in fact, there is a rich and recent line of works that constructs zaps just from LWE. However, all of these works crucially require sub-exponential hardness from the LWE assumption. This is specifically to show soundness where these works all utilize some form of complexity leveraging type techniques, and we will elaborate on this later. We have, in fact, no zap constructions that can be instantiated from just polynomially hard LWE. The key observation for our construction is that we only really need a zap that captures NP-intersection co-NP languages. This is due to the nature of the unforgability reduction, which we show allows some extra leverage for proving soundness. Basically, the prover can only cheat in one of two ways, either using a malformed encryption or encrypting an actual forgery. We show that in either case, we can construct a short non-witness or proof of the forger's cheating and use it as leverage while proving soundness. This will make it so that having a zap system for NP-intersection co-NP languages is enough for us to satisfy ring signature construction. We'll not discuss this further in this presentation, but rather focus on describing how to construct our new zap scheme for NP-intersection co-NP from LWE-based components. To construct this zap, we will imply the recently popular framework of using correlation intractable hash functions to compress sigma protocols in the plain model. This just takes a sigma protocol and creates a non-interactive proof where the verifier's response is simply the output of a randomly chosen hash function on the first message. These CI hash functions can be constructed from LWE, and this approach has helped in constructing both zaps and nizics from LWE. In our case, in particular, we will only show soundness of our construction for languages in NP-intersection co-NP, and our key ingredient for this will be a commitment scheme that is extractable given a non-witness. We now describe these components in a little more detail. Traptor sigma protocols are also general sigma protocols satisfying both honest verifier's zero knowledge and special soundness. Further, they also satisfy the following traptor property relating to the bad challenge function for the protocol. Recall that the bad challenge function is defined by the unique verifier response given a prover's first message that allows the prover to provide a successful proof for a false statement. The traptor property is as follows. The bad challenge for the verifier is efficiently computable given the prover's first message C. In fact, the commitment scheme used by the prover in the first round message is actually extractable, and the bad challenge function can use an extraction traptor for this commitment scheme to recover the prover's secret. Correlation intractable hash functions are used to instantiate the fiat-chamade transform. Essentially, this allows any efficient adversary to plant pre-computed correlations between the input-output pairs for the hash function. In more detail, for a given circuit class, a hash family h is correlation intractable with respect to this class. If for any circuit C from this class, given a uniformly chosen hash key, k, an efficient adversary cannot find an input x such that the hash with this key on input x, output C of x. We briefly discuss how the CI hash property helps with fiat-chamade compression. Any cheating prover that wants to break soundness has to find the first message, such that the hash of it evaluates to the bad challenge. However, if we pick the hash function from a family that is correlation intractable against this bad challenge function, this is not possible, and so we obtain a contradiction. This implies that our compressed protocol must indeed be sound. We briefly discuss why previous ZAP schemes required sub-exponential hardness from LWE. For concreteness, we use the construction by Lombardi, Vacodinathan, and Vix from 2019. Here, the verifier and prover each pick a public key pk and pkprime respectively. The verifier sends its public key along with an honestly chosen hash function from the CI hash family in the ZAP first message. The prover now uses the encryption scheme in lieu of the first round commitment in the compressed sigma protocol. It sets the public key for this encryption to be pkexort with pkprime. Now the extraction trapdoor for this encryption is simply the corresponding secret key for pkexort with pkprime, and so crucially it depends on the choice of pkprime. This implies that the bad challenge function also depends on the choice of pkprime because it needs to decrypt the first round message and obtain alpha. So essentially the only thing that the verifier can do is use complexity leveraging to brute force or guess this value of pkprime. And essentially this necessitates using sub-exponential hardness of the LWE assumption, otherwise we cannot do complexity leveraging. This shows us that we need sub-exponential hardness of LWE to show soundness in this template. We now come to our ZAP construction for np intersection co-np. Our construction uses a special two round commitment scheme with the following properties. The first round commitment message takes an arbitrary string t as input. The second round commitment message takes the committed value and an associated instance x as input. Crucially we use the commitment scheme with respect to the language l complement which is also an empty language by assumption. The property that we want is extractability when the instance x is not in l that is. We want the committed value to be extractable when x is in l complement. The protocol now works as follows. The verifier's first message consists of the first commitment message with respect to a random string t and also a hash function h that is correlation intractable against the bad challenge function as mentioned before. The prover's message in turn has the second commitment message which uses alpha as the committed value and x as the associated instance as well as the sigma protocol transcript compressed with the hash function h. We will next describe our special commitment scheme. We call our commitments fitness extractable commitments. As discussed this is two rounds and is defined with respect to an np language. Here we will denote the language by l complement for the sake of continuity. The commitment has the following properties. If the encoded string in the first round is a witness for x being in l complement then the receiver can extract the committed value alpha. Conversely if this is not the case then alpha is in fact statistically hidden from the receiver. We build this commitment scheme by using malicious circuit private FHE which is known from polynomially hard LWE. This construction has a property that the commitment size is decoupled from the size of the related np verified circuit for the associated language and depends only on its depth. This property turns out to help us with the compactness of our ring signature construction. We also construct a witness extractable commitment without this property using OT and garbled circuits. Our commitments are constructed as follows. The receiver encrypts its input which is a potential non-witness using the FHE scheme and sends this as the first message. The committer now evaluates a circuit G homomorphically over this cipher text where G has the instance and committed value hardwired and simply computes our desired functionality namely it outputs the committed bit if the receiver cipher text is indeed an encrypted non-witness and zero otherwise. That is all that we need. We quickly go over how this construction satisfies all the stated properties. Compactness follows from that of the FHE scheme. The evaluated cipher text depends only on the depth of G and not its size and this is guaranteed by the properties of the FHE. Extractability follows simply by the correctness of the evaluation procedure. If the receiver encrypts a non-witness then it also obtains the bit committed by the committer and finally hiding follows from the malicious circuit privacy of the FHE scheme. Note here that the receiver has full control over the generation of the encryption keys and the cipher text. In particular it could be generating these maliciously. Malicious circuit privacy of the FHE scheme provides the exact guarantee that we want namely that even in this case the evaluated cipher text computing G homomorphically reveals only the correct output and nothing beyond it. In particular if X is not in L bar nothing is revealed because no string can serve as the non-witness. This gives us all the properties that we want. Finally we briefly discuss how the properties of the commitment are used in our ZAP protocol. To show witness indistinguishability we note that there is no non-witness for the verifier to use in the commitment. Thus no matter what string T the verifier may use in the first round commitment message the value alpha is statistically hidden. This allows us to then use the honest verifier zero-knowledge simulator for the sigma protocol to show witness indistinguishability. In turn consider a cheating prover trying to violate soundness. We can build a soundness reduction that works as follows. This first switches the first commitment message to an encoding of a non-witness for the prover statement and this will allow the reduction to extract alpha. And this value can then be used to break the CI property if the prover is successful. Thus we have all the properties that we want from our ZAP scheme. This brings me to the end of my presentation and I would like to thank you for your time and attention. I invite you to look at the full version of our paper which is up on the e-print at the following link and to ask us any questions you may have in the live session at crypto. Thank you.