 Hello! I'm Octavio Perez-Kempner and I will be presenting the paper Improved Constructions of Anonymous Credentials from Structure-Preserving Signatures on Equivalent Classes. This is a joint work with Ashlyn Connolly and Pascal LaFourquête. I will start by introducing the concept of attribute-based credentials and the main motivation of our work. Right after, I will give an overview of our results and comment on the main building blocks, which are Structure-Preserving Signatures on Equivalent Classes and the recent credential framework from Fush Bayer, Hanser and Eslamaling from 2019. Before concluding, I will dive a bit into the notion of signer hiding, which is one of our main contributions. So, attribute-based credentials, or AVC, for short, allow a user to get a certified set of attributes from an issuer. The main idea is that users can later unauthenticate themselves to a verifier by showing some of the attributes or by proving relations between them. Anonymous AVCs allow users' authentication without leaking any other information besides the shown attributes. Some system can be multi-shown, which means that they allow an arbitrary number of unlinkable showings. In other words, once issued credentials can be reused. Finally, multi-authorities AVCs allow users to obtain a single credential for attributes not necessarily issued by a single authority. In this work, we consider multi-show AVCs in the single authority setting. The main differences between recent constructions include the expressiveness, for example, if they allow predicates over the attributes or not, and to which extent, the efficiency in terms of computational cost and bandwidth, the communication in terms of whether or not they provide non-interactive features, the security model, whether they use the generic group model, random oracle, etc., and on how and if they manage revocation features. Broadly speaking, one can identify different lines of work with respect to the underlying signature scheme that is used to build the credential system. Initial constructions were based on Kaminish-Lisienskaya signatures. More recent work includes aggregatable signatures, sanitizable signatures, reductal signatures, and last but not least, structure-preserving signatures on equivalent classes. One thing that none of the previous work addressed was the problem of leaking the issuer identity. In many scenarios, the identity of the issuer can reveal user information like the country or company where it belongs to. To address this issue, we proposed an ocean called Siner-Hiding, and it refers to the ability of hiding the identity of the issuer during showings. This concept was recently developed on concurrent and independent work under a similar name of issuer hiding and presented at Cannes 2021. To motivate the application of having Siner-Hiding features, let's consider the following scenario. We have a seller offering discounts for European non-Spanish residents. A user could claim its fringe, but that would give away too much information to the verifier. Furthermore, if credentials are issued by home countries, no matter what attribute users decide to disclose with the verifier, their home country will be leaked. What we want in scenarios like this one is to avoid such things and find a way in which users can convince the verifier without giving away information from their own country of origin. A way to convince the verifier about being European but not Spanish is to hide the issuer's identity in a set of valid countries. In order to see how one can build a credential system allowing this functionality, I will now introduce the concept of Structure Preserving Signatures on Equivalent Classes, which will be at the core of our Siner-Hiding feature. The main idea is that they allowed a control form of variability, where one can update a signature to a new message that is related to the original one. This control form of variability is possible if the message space can be partitioned into equivalent classes. If we consider a message space of vectors of length L, the following relation partitions the message space into equivalent classes. And for stability holds with respect to classes. No adversary should be able to update a signature and obtain a new one for a message that is not in the same class. In other words, switching representatives in a class is no longer seen as an attack, but rather as an advantage of the scheme, and the only allowed form of variability. Besides the notion of affordability, these types of signatures should also be unlinkable. If the equivalent relation provides indistinguishability on the message space, like in the previous example, and updated signatures are distributed like fresh signatures, message signature pairs falling into the same class are said to be unlinkable. Another important aspect is that the notion of equivalent classes has been recently extended to consider equivalent classes on the key space as well. When the signature acts on both, the message and key spaces, it is said to be a mercurial signature. We will be using this later on when discussing the notion of signer hiding, but now let's move on to the ABC framework used on this work. So, in a brief, a credential is a signature on a randomizable accumulator representing a set of attributes. A credential showing involves the joint randomization of a message signature pair. The accumulator uses batch membership proofs to allow constant size showings. Observe that by randomizing the accumulator and the corresponding membership witness, no information from the user is leaked, but the verification still succeeds. The same applies for the updated signature. In this work, we will be referring to the credential accumulator as a set commitment scheme, which was the original name given in the previous work. Although one can have constant size showings because of the batch membership proofs, the main drawback of this primitive is that expressiveness is limited. Only a selective disclosure of attributes is supported. For users to prove that they do not have a particular attribute, they would need to encode the negation of it as an attribute. While doing so would work, it is far from being efficient and other alternatives are preferred. Taking the previously mentioned points into account, we focus on improving the following aspects when compared to the previous work from FHS 19. Expressiveness extending the accumulator, efficiency leveraging user and verifier computational costs, security model moving away from construction space on the genetic group model to one in the standard model requiring a common reference stream. Let's now have an overview of the results. We obtain a new structure preserving signature and equivalent classes which acts on both the message and the key spaces. Our departure point was a recent scheme proving secure under standard assumptions, which we modified to obtain a mercurial signature and to use a different non-interactive zero knowledge argument for our proof that improve its efficiency. We extended the accumulator to support batch non-membership proof. We call this extension set commitment scheme supporting this joint set. We see users can now prove that they do not have a given set of attributes in their credentials by showing a single witness for the whole set. Another improvement was the addition of a proof of exponentiation to outsource computational costs from the verifier to the user. This can be useful in some scenarios. It can be seen as an optional functionality and it basically allows the user to pre-compute some of the exponentiation that a verifier would normally have to do in order to verify a witness. For this to work, the user is required to provide a proof of correctness for those exponentiation. As one would expect, checking the correctness of the proof of exponentiation is cheaper than doing the exponentiation from scratch. We also propose a one out of n or proof so that users can hide the issuer identity during a showing. Finally, we extended the security model from FHS-19 to take into account the previous modifications. As can be seen on this slide, the modifications introduced on this work are marking gray. If we look at top down, we first replace the or proof on the original signature scheme. Then we built a set commitment scheme supporting these two sets based on the original set commitment scheme plus the use of batch non-membership proofs and the proof of exponentiation. Having a new instantiation for the ABC framework, we added the designer hiding part to it. Now that we went through the main building blocks, it's time to discuss more in detail our approach to achieve designer hiding property. How can we use the fact that signatures can be updated to verify under a different but equivalent public key? Well, the main idea goes as follows. We first randomize the credential and the issuer's public key consistently. Now the updated signature on it will verify under the randomized public key. Here it is important to stress that because of the unlinkability property, randomized public keys look like fresh public keys, which means that without knowing the randomizer, it's hard to tell whether or not two given public keys belong to the same equivalent class. The next step is to present the updated signature and public key to the verifier alongside a proof of correct randomization of the issuer's public key. This ensures that the user did not sample a public key and self-signed his own credential. For the proof of correctness, we can use a one-out-of-n or proof, which in our case is a fully adaptive NISIC argument. We see users can select arbitrary long sets of public keys to compute a proof with linear cost. The corresponding formalization reflects this. As can be seen, the idea is that an adversary should not be able to distinguish which was the organization that issued a credential when interacting with the environment under the role of a malicious verifier. Conclusions and future work. Our results explore multiple paths to extend the ABC framework from FHS-19, and although we did not mention it much on this talk, we also discussed revocation features. All in all, we obtained a more flexible framework leveraging different trade-offs. The proposed signer hiding notion enables more use cases, in particular for federated scenarios in where multiple authorities coexist. As future work, we think that exploring the use of aggregatable signatures with structure-preserving signatures on equivalent classes in the multi-authority setting could enable even more use cases. Finally, devising other ways to define equivalent classes could lead to new and more efficient constructions, and till now, all the now constructions rely on the difficult man-assumptions to achieve the desired properties. Thank you very much for your time.