Hello everybody, I am Federico Pintore and I am going to present Calamari and Falafl: Logarithmic (Linkable) Ring Signatures from Isogenies and Lattices, which is a joint work with Ward Beullens and Shuichi Katsumata. Ring signatures allow a signer to produce a signature on behalf of a group of users, called a ring, and the signature hides the real identity of the signer. They were introduced in 2001 by Rivest, Shamir and Tauman, who motivated them as a means to protect whistleblowers. Ring signatures have recently found other practical applications in electronic voting systems and in cryptocurrencies. Recently, cryptocurrencies providing privacy by default have been proposed. Among them, we can mention Dash, Monero and Zcash. Monero uses ring signatures to achieve privacy. Unfortunately, the security of the ring signatures used in Monero relies on the hardness of the discrete logarithm problem, which can be solved in quantum polynomial time. Given the threat represented by the realization of quantum computers, there is the need to identify quantum-resistant replacements.

Calamari and Falafl are two new ring signature schemes from post-quantum assumptions. They are instantiations of a new, simple and efficient generic construction of OR proofs for a class of group actions that we called admissible group actions. Admissible group actions are group actions required to satisfy some general properties that capture different cryptographic frameworks. We instantiate the admissible group action both with isogeny assumptions, obtaining Calamari, and with lattice assumptions, obtaining Falafl. The reason for designing a new OR proof is that OR proofs can be converted into ring signature schemes. In our case, the ring signatures have sizes which depend logarithmically on the number of signers N. The factor multiplying log of N is just a constant C, which depends on the security parameter, times the output length of a hash function.
Therefore, the dependence on log of N is very mild and our signatures scale better than previous post-quantum ring signatures. Calamari is the instantiation with isogeny assumptions and it is the first isogeny-based privacy-preserving signature scheme. It produces the smallest signatures among post-quantum alternatives. Falafl is the instantiation with lattice assumptions. Signing is much faster than with Calamari, and from N approximately 1024 the sizes of the signatures produced by Falafl are smaller than those of any other lattice-based ring signature. The OR proofs we propose are actually two. One leads to ring signatures, the other to linkable ring signatures. Since they rely on the same general idea, in the following I'll focus just on the first one.

Post-quantum ring signatures having signature sizes which scale logarithmically in N have been proposed only from symmetric primitives and lattice-based assumptions. In terms of signature sizes, the state of the art for symmetric primitives is the scheme by Katz, Kolesnikov and Wang, KKW in the graph. As you can see, the signatures produced with Calamari and Falafl have sizes that are smaller than those produced with KKW, due to the better multiplicative factor of log of N. The state of the art for lattice assumptions is the ring signature by Esgin, Zhao, Steinfeld, Liu and Liu, EZSLL in the graph. For a fair comparison, for Falafl we consider the signature sizes for a parameter set that achieves NIST security level 2, Falafl 4-2 in the graph. From N approximately 2^10 the sizes of the signatures produced with Falafl are smaller than the sizes of EZSLL signatures, again because the multiplicative factor of log of N is smaller. In terms of efficiency, for post-quantum ring signatures the state of the art is the lattice-based scheme Raptor.
Falafl has similar performance compared to it, but Raptor produces signatures whose size scales linearly in N, and from N equal to 2^5 the signatures of Falafl are shorter. In the following I'll recall what an OR proof is and I'll give the definition of admissible group actions. Then I'm going to present the new OR proof and finally I'll give a few details about Calamari and Falafl.

An OR proof is a special sigma protocol. A sigma protocol for a polynomially computable binary relation R on the Cartesian product of two finite sets X and W is an interactive protocol between a prover and a verifier composed of four algorithms: P1 and P2, run by the prover, and V1 and V2, run by the verifier. The protocol is three-move and the interaction is between a prover and a verifier. The prover holds a secret key W for the verification key X and the verifier holds the verification key X. The goal is making the prover prove to the verifier that they possess a valid secret key for the verification key X without revealing anything more than the fact that they know W. The interaction goes as follows. The prover produces a commitment running P1. The verifier runs V1 to produce a challenge CH. The prover runs P2, obtaining a response or, with some probability, aborting; in that case, the response is a special symbol denoting abort. Finally, the verifier runs the algorithm V2 to either accept or reject. There are some standard properties usually required of a sigma protocol. Among them, we just mention non-abort honest-verifier zero knowledge, which is that the response produced by the prover does not give any information about the secret key. An OR proof for the binary relation R is a sigma protocol for the extended binary relation R_OR. R_OR contains pairs where the first component is a list of verification keys X1, ..., XN and the second component is a pair composed of a secret key W and an index i between 1 and N, such that W is a valid secret key for Xi.
By applying the Fiat-Shamir transform, an OR proof can be turned into a ring signature. In particular, V1 is replaced with a hash function and a ring signature is a tuple composed of the commitment, the challenge and the response. In terms of efficiency, the compactness of the ring signatures produced with a transformed OR proof depends on the response size of the OR proof.

I'll now specify what we call admissible group actions. This concept is rather general and it captures different cryptographic frameworks. An admissible group action is a tuple composed of a group G, two symmetric subsets of G, S1 and S2, i.e. sets that contain the opposite of each of their elements, then a finite set X, an integer delta between 0 and 1 and a distribution DX over a set of group actions of G on X. We recall that a group action is a map from G times X to X itself, and it is such that the zero element fixes the elements of X and the action respects the group operation. The requirements for this tuple are only two. The first one determines the probability of aborting of P2 in the OR proof we are going to detail. It requires that the intersection S3 of the sets S2 plus g, for g in S1, has cardinality equal to delta times the cardinality of S2. The second requirement is that the group action should provide a hard problem. In particular, given g star X0, for an element X0 of X, where g is sampled uniformly in S1 and star is sampled from DX, it should be hard to find g. We also require some natural efficiency properties, but they are not reported here. We note that the traditional Diffie-Hellman on a group H of prime order q is an instance of admissible group actions.

From now on we fix an admissible group action and we use the following notation. With size of G we refer to the number of bits necessary to represent elements in the group G. With size of X we denote the number of bits to represent elements in the finite set X. Furthermore, with size of trans we denote the size of a transcript, i.e. a tuple composed of a commitment, a challenge and a response. Finally, size of sigma denotes the size of a ring signature.

It's now time to describe our new OR proof for admissible group actions. Our starting point is the standard graph isomorphism proof, which we modify to obtain an efficient OR proof. The standard proof is for the trivial case N equal to 1, so a sigma protocol for a relation R containing pairs composed of only a verification key X and a secret key s in S1 such that s star X0 is equal to X. The prover samples a random r in S2 and computes its action on the verification key X. The result R is the commitment. Then the challenge is a random bit. If it is 0, the response is r plus s and the verifier checks that r plus s star X0 is equal to the commitment. If the challenge is 1, the response is r and the verifier checks that r star the verification key is the commitment. This sigma protocol is zero knowledge and has special soundness.

Now consider the binary relation R_OR which, as we saw, is composed of pairs where the first component is a list of verification keys X1, ..., XN, while the second component is a pair with a secret key s in S1 and an index i between 0 and N. Sorry, between 1 and N. The property of s and i is that s star X0 is equal to Xi. Informally, the sigma protocol should allow a prover to prove to a verifier that they know the secret key of one of the verification keys without revealing anything about the secret key and anything about the corresponding verification key. So let's try to reproduce what we saw for the trivial case of the previous slide. The prover samples an element r in S2 and computes its action on all the verification keys. The commitment is composed of all the obtained elements R1, ..., RN. Challenges and responses are as before. When the verification algorithm receives r plus s, it checks that r plus s star X0 is equal to one of the elements of the commitment.
But the obtained element reveals the index of the verification key of the prover. Therefore, the verification reveals i, the index, and the interactive protocol is not zero knowledge. To solve this issue we can shuffle R1, ..., RN. In particular, we can apply a random permutation pi to the indices of R1, ..., RN, reordering them. Listed in this different order, the elements are again part of the commitment. Now, when the challenge is zero, the prover not only reveals r plus s but also pi of i, the new index of the commitment produced from Xi. On the other hand, when the challenge is one, the permutation is revealed. But also in this case the protocol is not zero knowledge, because it leaks information about the index i when two verification keys are equal. Hence shuffling R1, ..., RN is not enough; we need to mask them. Our solution is to commit to R1, ..., RN with a commitment scheme and then shuffle them, since the need for shuffling remains. Now the commitment is composed of the shuffled committed values and the responses are as follows. When the challenge is zero, three elements are revealed: r plus s and pi of i as before, and this time also the random bits used to create the commitment for Ri. When the challenge is one, the prover reveals r, all the random bits used to compute the committed values, and the permutation pi. In terms of sizes, when the challenge is zero the size of a valid transcript is equal to two lambda times N, which is the size of the commitment, plus one, which is the challenge, plus the size of G, which is the size of r plus s, plus lambda, which is the size of the random bits used for the commitment, plus log of N, which is the size of pi of i.
When the challenge is one, the situation is worse, since we have two terms linear in N: the first one corresponds to the commitment, the second one is lambda N, which corresponds to all the random bits used to produce the committed values. So the OR proof we constructed is zero knowledge and has special soundness, but it is inefficient. In particular, we would like to get rid of these terms linear in N. For one of them the solution is easy, and I'm referring to lambda N. Indeed, a pseudo-random generator can be used to deterministically produce, from a random seed of length lambda, the random group element r, the bits used to create the committed values and also the permutation pi. Then, in the response for the challenge one, it is sufficient to reveal the seed, which has size lambda. So we have replaced the last three terms of the size of trans one with only lambda. The problem is that the other two terms linear in N are still there, and they are due to the composition of the commitment. To squeeze the size of the commitment we can use an accumulator, and in particular a Merkle tree. The shuffled committed values are the leaves of a Merkle tree and then the root of the tree is the commitment of the sigma protocol. In our construction we use a modification of the standard Merkle tree technique which avoids the need of the index of a leaf to reconstruct the root of the tree from a path starting from the leaf. The consequence: no indices are involved in the verification and the permutation is no longer needed, so we can get rid of it. The commitment remains unchanged, and when the challenge is zero the response is r plus s, the bits used to commit, and a path in the Merkle tree to prove membership. For the other case the response hasn't changed: it is just the seed of the PRG. Therefore, when the challenge is zero, the size of the transcript is two lambda, which is the commitment, plus one, which is the challenge, plus the size of G, which is the size of r plus s, plus lambda, which corresponds to the bits for the committed value, and two lambda times log of N minus one for the Merkle tree path. At this stage we don't have terms linear in N. When the challenge is one, the size of the transcript is two lambda plus one, commitment and challenge, plus lambda, which is the seed. Simplifying the first size we obtain this formula, and note that the proof size has become logarithmic in N. So the OR proof we have constructed is efficient.

To reduce the soundness error, and therefore enlarge the challenge space, lambda parallel executions of the protocol can be executed. However, since when the challenge is zero the size of the response is bigger, and it is the only case where the prover can abort, depending on where r plus s lies, we choose two positive integers M and K and we set the challenge space as the set of bit strings of length M with precisely K zeroes. So if the cardinality of this set is big enough, that is, bigger than or equal to two to the lambda, the soundness error is negligibly small. With this modification the abort probability is reduced, the size of the proof is smaller and it is constant: indeed, all the signatures have the same size, and this is the size. A further optimization can be obtained at the expense of a slower verification. The optimization is obtained using a primitive to generate a number of pseudorandom strings and later disclose an arbitrary subset of them. This technique can be tuned to obtain different trade-offs and it allows us to reduce the term M minus K times lambda to lambda.

To conclude, let's have a look at the isogeny-based instantiation and the lattice-based instantiation of the generic construction. For the isogeny-based instantiation we exploit the CSIDH paradigm. In particular, given a prime p, usually chosen smooth for efficiency reasons, the ideal class group of the order Z of square root of minus p acts freely and transitively on the set of supersingular elliptic curves E over Fp such that the endomorphisms of E defined over Fp form a ring isomorphic to the order. This action falls within the admissible group action framework, with the hard problem being the group action inverse problem. Among the set of CSIDH parameters, the structure of G is known only for CSIDH-512, and this set gives the most efficient variant of Calamari. In that case lambda is 128 and we set M to 247 and K to 30. When the number of members of the ring N is 8, the size of the signature is approximately log of N plus 3.5 kilobytes, while signing takes almost 80 seconds.

For the lattice-based instantiation we exploit the M-LWE based group action. The group G is Rq to the L times Rq to the K, where Rq is a quotient of the ring of univariate polynomials with integral coefficients. It acts on the set Rq to the K and the action is determined by a matrix over Rq of dimension K times L. Also this action falls within the admissible group actions framework, with the hard problem following from both the M-SIS and the M-LWE assumptions. For the implementation we consider the medium parameter set from the NIST PQC candidate Dilithium and we set M to 1749 and K to 16. When the number of members of the ring is 8, the size of the signature is approximately 0.5 times log of N plus 29 kilobytes, while signing is much faster compared to Calamari, since it takes only 90 milliseconds. That's all from me, thanks for watching and bye-bye.
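As an added worked example (not code from the talk or from the Calamari/Falafl implementation), here is one round of the single-bit OR proof described above, with the PRG seed, the committed values and an index-free Merkle root as commitment, instantiated with the Diffie-Hellman group action the speaker mentions on constructed toy parameters p = 2039, q = 1019. Hashing each sibling pair in sorted order is my assumption about one way to make the Merkle path index-free, not necessarily the paper's exact construction; parallel repetition with the fixed-weight (M, K) challenge space and the Fiat-Shamir step are omitted.

```python
import hashlib, secrets
# Toy admissible group action on constructed parameters (not the paper's CSIDH or M-LWE ones):
# G = Z_q^* acts on the order-q subgroup of Z_p^* by a * h = pow(h, a, p); "given a * X0,
# find a" is then the discrete logarithm problem the talk mentions as an instance.
P, Q, X0 = 2039, 1019, 4             # p = 2q + 1; X0 = 2^2 generates the order-q subgroup

def H(*parts):                       # hash used for commitments and Merkle nodes
    return hashlib.sha256(b"|".join(parts)).digest()
def prg(seed, n):                    # talk's PRG trick: r and all commitment randomness from one seed
    r = int.from_bytes(H(seed, b"r"), "big") % (Q - 1) + 1   # r in Z_q^* = S2
    return r, [H(seed, b"rho", k.to_bytes(2, "big")) for k in range(n)]
def leaves_for(ring, seed):          # committed values Com(r * X_k; rho_k) for the whole ring
    r, rho = prg(seed, len(ring))
    return r, rho, [H(b"com", pow(x, r, P).to_bytes(2, "big"), rh) for x, rh in zip(ring, rho)]

def merkle_root(leaves, target=None):
    # Index-free tree (assumed variant): siblings hashed in sorted order, so no leaf index is needed.
    nodes, path = list(leaves), []
    while len(nodes) > 1:
        if len(nodes) % 2:
            nodes.append(nodes[-1])
        if target is not None:
            path.append(sib := nodes[nodes.index(target) ^ 1])
            target = H(*sorted((target, sib)))
        nodes = [H(*sorted(nodes[k:k + 2])) for k in range(0, len(nodes), 2)]
    return nodes[0], path
def path_root(leaf, path):
    for sib in path:
        leaf = H(*sorted((leaf, sib)))
    return leaf

def respond(ring, s, i, seed, ch):
    r, rho, leaves = leaves_for(ring, seed)
    if ch == 1:
        return seed                  # challenge 1: only the PRG seed
    return r * s % Q, rho[i], merkle_root(leaves, leaves[i])[1]   # challenge 0: r+s, bits, path
def verify(ring, root, ch, resp):
    if ch == 1:                      # recompute every leaf from the seed and rebuild the root
        return merkle_root(leaves_for(ring, resp)[2])[0] == root
    t, rho_i, path = resp            # check that (r+s) * X0 opens a leaf sitting under the root
    return 1 <= t < Q and path_root(H(b"com", pow(X0, t, P).to_bytes(2, "big"), rho_i), path) == root

def demo(n=8, i=3):
    sks = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    ring = [pow(X0, s, P) for s in sks]                       # verification keys X_k = s_k * X0
    seed = secrets.token_bytes(16)
    root = merkle_root(leaves_for(ring, seed)[2])[0]          # the sigma-protocol commitment
    honest = [verify(ring, root, ch, respond(ring, sks[i], i, seed, ch)) for ch in (0, 1)]
    cheat = verify(ring, root, 0, respond(ring, sks[i] * 2 % Q, i, seed, 0))  # wrong secret key
    return honest, cheat
```

demo() returns the verifier's verdicts for both challenge bits on an honest run, followed by its verdict on a challenge-0 response computed with a key that is not the prover's.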