 Hello, this is Chi-Hong Yun from the University of Hong Kong. Today, I will present my paper during generic construction of ring signatures with efficient instantiations. This is a John's work with Muhammad Asin, Joseph Neu from Monash University, and Cicero Data 61 from Australia, and Matt Hou-Ao from the University of Hong Kong, and Ji Ming-Ding from Wise University in the USA. In this presentation, I will first give a very brief introduction about ring signature, then I will give our construction of our scheme during, and then I will give two instantiation, one in the elliptic curve setting and the other one in the lattice-based setting. And finally, I will give some conclusion. So firstly, let me have a very brief introduction about what is ring signature. So, in a standard digital signature, one signer will output one single signature, and everybody can check that this signature is really come from Alice, the actual signer. But ring signature is something different that wants to provide anonymity to the actual signer. They can do so by adding some kind of decoy proper keys collected from other parties, and then they will jointly form something like a ring and then generate one signature output. In a way that it will hide the standard, the actual identity of the actual signer, and then so from the receive Bob's point of view, it cannot see whether this is the signature output from Alice or all other decoys. So one of the most important property of ring signature is to hide your region. Of course, it has to also satisfy the probability of unforgeability as well. So anonymity or unforgeability, they are the two most important properties of a ring signature scheme. Why this kind of signature is called ring signature? This is mainly because of the first field construction of ring signature in Asia-Crypt 2001 and 2002. So I will briefly reveal it because our scheme is highly related to this one. Let's recall one of the fundamental building blocks of a classical ring signature. So it is called a type T or free move signature scheme. And one classical example is to snore signature. So a snore signature or a free move signature, they consist of three steps. One, the first one is a commitment steps, which outputs a commitment value capital R. And then a hash function, we apply onto the message together with the commitment output a challenge. And then finally, there is a response function Z, which outputs a response small set. It's equal, for example, in the snore case, it's equal to R plus CSK. So it is a function on the randomness challenge and the secret key. And finally, in order to verify this type T signature, there is a verification function V, which reconstructs R from Z, Z, and of course the proper key. And then we will want the hash function to check if the C value, the challenge value is correct. In the snore case, the commitment value R is reconstructed in this equation, and then use it on the hash function to compute the challenge values back and check whether the C is equal to the C in the signature. So this is a classical type T signatures. There are snore, GQ, and many, many other forms of type T signatures in the literature. So let's see how an AOS ring signature is constructed. So assume that we have Alice, the atrocity there in the index J, and that all other decoys are located in different positions in this ring. So Alice the signer picks a random RJ, small RJ, to generate the commitment capital RJ through the commitment function A first, as shown in this diagram. And then the signer uses RJ and to compute the next challenge, CJ plus one through the hash function. So hash the message together with the commitment and then it computes the next challenge values. And then from the challenge, and then we go to the index J plus one. For this step, this is the decoy where Alice does not know the secret key, but she can picks a random response set and then to reconstruct the commitment R through the verification function V there. And then it will generate the next one to see J plus two the next, and then it will generate the next commitment RJ plus one. And then by RJ plus one, he can compute the CJ plus two through the hash function and so on and so forth. And then after J plus one, go to J plus two and then up all the way up to N and then go back to index one and all the way up to the index J minus one. So a ring is then formed sequentially. So you can see that why this type of signature is called ring signature in the first place. So the last step is to close this ring. So the last step, we have the commitment RJ plus one and then through the hash function, we have the challenge CJ. And then finally, the last step is to compute set J by the response function and using the secret key of Alice SKJ there. So the ring is completed and the signature is C1 set one up to set N. So this is the final signatures. In order to verify, then this is very simple because you can see that this ring is formed by some publicly computable function V and H. So the verify can simply run through this ring again and then complete the checking. So this is why this type of signature is called ring signature. But later on, we find out that this type of ring signature is not efficient because you can see that the signature size is N plus one elements there. So it is an O and it is not efficient. So later on in the last two decades, researchers, they want to find out if we can improve the efficiency of ring signature schemes and we find out a lot of different construction using different primitives in cryptography, including using cryptographic accumulator. So the advantage of this approach is that it can output some constant size signature but in the RSA or parent-based setting, but it requires the use of a trusted setup. Recently, there are some Latin space accumulators without using some trusted setup but it will result in a rather large signatures, maybe several megabytes. So if we do not want to use the trusted setup, then you suggest to use the zero-knowledge proof-based approach, which will give an old log N size ring signature where N is the number of proper keys in the ring. And in the state of the art in this approach, most of the paper, they will use the technique called the one-hour plenty proof bulletproof approach, including the discrete log-based construction in GK-15 in your Crypto2015 or the Latin space approach in Crypto2019. This paper is also written by two of my co-authors. So we also summarized all of the existing construction here in this table. So the research question is whether we can do better. So let's have a look in the DL-based construction. We can see that in the last few years, from 2015 to 2020, we can see a lot of improvement in terms of pushing the boundaries from four log N, five log N elements to two log N elements in both CCS-19 and FC-2020. And this FC paper is also written by myself and together with some of the co-authors in this paper as well. So we push the signature size to a rather low level, and it is all log N size for the Latin space construction. Also for this DL-based construction. For the Latin space construction, we have the ON size signature, ring signature in ACNS 2019, but it becomes very impractical when the ring size becomes large. And the breakthroughs come from the CCS-19 as well as the ACN-20 paper. They give an O log N size ring signature, and they are already quite critical, but for a ring size of like around 1,000 to 4,000. But the question is, okay, can we do better, give a better construction in both DL-based and Latin space setting in one single construction? It is mainly because you can see that these two tables, you can see that the papers are different, so they use a little bit different approach to construct. And one unique contribution about this paper is that we give a generic construction using the classical ring approach, which hasn't been used for a pretty long time. And when it is instantiated in the DL-based or Latin space setting, it will give one of the shortest ring signature scheme in DL-based and also in the Latin space. For the Latin space schemes, we still have the ON size ring signature. So our ring signature is shorter for a ring size of maybe less than 1,000, but for large ring size, then the O log N size ring signature schemes are still better. So this is our main contribution. So let's have a look into high level idea of our construction and why our paper is called Beulering. And the overview is that actually we try to revisit the classical ring approach and we find out some solution to make it shorter, that is O log N size in the DL-based setting. When we think about what is the construction of the classical ring approach, the difficulty to further complicit is mainly because they include the hash function in the ring structure. And when we instantiate those hash functions, then we usually use those like SHA2. And that is very difficult to put it in a single knowledge proof to further compress it. So our very high level idea to form our construction is that we try to remove the hash function out of the ring and try to form a ring with a very simple algebraic structure. And that's why we can further compress it using some knowledge proof. And why we want to keep the classical ring approach is that the ring structure itself already provides a certain level of anonymity, just like the issue of O1 and O2 paper. And we want to build a very simple algebraic operation like addition or multiplication to allow compression in the ring. So our construction consists of two ranks, a ring of commitments and a ring of challenges. And these two ranks are linked by a hash function. So this is a very high level overview. And our construction, we also need something very similar to a type T signature. But actually we need something a little bit different. We call the type T star canonical identification. And what is the difference? So we roughly talk about it below. So firstly, we require that the verify function V, originally is a function on PKC and Z. Actually we require that this function can be separated into two parts, V1 set multiplied by V2 PKC. So we find out that this type of structure satisfies most of the construction we know in the three-move setting, like this north signature one, you can see that the commitment value R is computed from a function of Z and a function of PKC. So this is a V1 and the second part is the V2. And we also require that V1 is homomorphic, either effective or multiplicative. And then given the SK and Z, there exists a function T, which on input SK and Z output set prime, such that VK set prime is equal to V2 PKC. And then we also require that this changed space is a group. It is set aside in mode setting. And we also require that the canonical identification has a special sign in the DL-based setting. So we found that most of this game we know is actually satisfied this property, like the north identification, the identification scheme from the cast one signature, the Trump-Pederson identification, or the Occamal-Tosch-Nor, and as well as the GQ identification in the RSA-based setting. We also find out that the DL-based identification from the Fiat-Chemier with a broad approach, they also satisfy this setting. But for the DL-based setting, the special signage definition does not directly apply to that because there exists something we call the knowledge gap, such that the witness extracted from the two transcripts is not identical to the original one. Therefore, we need to modify the definition for this special signage a little bit for the DL-based setting. In our paper in the conference version, we used a notion called the special impersonation. That is a combination of special signage together with the impersonation for canonical identification in order to deal with this issue. So, we add a new security notion there. So, this is a new building block. And then let's look into the construction. So, remember we have two ranks, the R-rank, the commitment-rank, and the C-rank, the challenge-rank. And we use the same setting. The actual signage Alice is at the position J there. So, to start this one, first, Alice, the signer picks the small RJ, the randomness. And then the signer picks the random challenges C1 up to Cn except CJ. So, they will pick all other random C there. And then Alice will form an R-rank together in one single steps by a computation of... following this equation, R is equal to A RJ times V2PKJ plus 1CJ plus 1 all the way up to V2PKNCN multiplied to V2PK1C1 all the way up to V2PKJ minus 1CJ minus 1. So, one single computation will complete this R-rank. Then we have a commitment R using the V2 function. And then we use this R to compute the challenge. It's equal to the hash of R, the set of all proper keys, and the message M. Next is to form a C-rank by a simple computation. For example, we want to compute CJ that satisfies this relation. C is equal to C1 times G2 all the way times Cn. So, assume that this symbol is the inverse of the multiplication sign there. So, after the hash function, we have the small C there. And then we divide by CJ minus 1, divide by CJ minus 2, up to Cn, and then divide by C1, divide by C2 all the way, divide up to CJ minus 1. Then we recover CJ. And then the last step is to use this CJ to form the small set. And this small set is computed by the capital set, the response function. So, you can see that the signature here now is a little bit different. It's one single response together with n challenges. So, it's a small set, C1 up to Cn. Recall that in the AOS construction. This is one challenge and n response. This one is one response and n challenges. So, remember this one. This difference is quite important for our electric space construction. So, how to verify? For the verification, actually the R is reconstructed from the V1 function and the V2 function. The V1 function is onto the single response Z, and the V2 function is on all properties and all challenges. And then finally, we use the hash function to check whether the C value is correct or not by this equation. So, this is the high level overview of our dual rate. And we prove the security of our scheme. Firstly, we show that the anonymity is actually provided by the ring structure in the random oracle model. It is quite similar to the Asia Crypt O1 and O2 paper by the ring structure. Actually, no matter where the Alice designer start, she can be in the position J, position 1, position 2. It doesn't matter if no one is able to determine which location she is. And for unforgability, actually our paper reduced the security of this type T star identification is reduced to this one in the random oracle model. That means that if there is an adversary that can forge this dual ring, then it can break the security of the underlying identification schemes in the random oracle model. So, once we have the dual ring, then it's not very difficult to get the ECC base as well as the lateral space construction. So, remember that our signature, the dual ring, the genetic construction, actually gives an old N size generic ring signature. It consists of one response and N challenges. But we know that by applying a suitable instantiation and a suitable seal knowledge proof, it is not difficult to compress it to an old log N size proof using the reasons advanced in the seal knowledge proof system. In the DR base setting, actually the relationship between C and C1 up to CN is following this addition relation. So, C is equal to C1 at C2 all the way up to CN more P. And then in this paper, we propose a non-interactive sum argument of knowledge. We call the NISK to compress this C1 up to CN using a seal knowledge proof system. Actually, this construction is quite similar to the bullet proof for inner product relation. Actually, you can see that this one is a simplified version of an inner product relation. This is an inner product of this challenge vector, multiplies a one vector, and it is equal to the proper value C. So, we can simplify the bullet proof, and then this is shown in the diagram on the right-hand side, but I will not go into the details. But we can see that actually because of this simplified relation, our NISK actually saved about half of the computation in the bullet proof system due to us the simplicity of this relation. By combining During with the NISK, and then we also need to move the parameters a little bit, swap a little bit, and then we can give our construction of the ECC base During. We call it During EC. And we also implemented it, and we compare them with our signature size with some of the existing schemes. We can see that our scheme is actually the shortest one for all the ring size. And we implement our running time in a MacBook using Python. And then the running time shows that for a ring size up to 1,000, then the designing time is a little bit slower, like 10 seconds, but it's still acceptable. And the verification time is somewhere between 2.5, around 2.5 seconds. And if someone can optimize it like using C and fast libraries, perhaps we can still have a shorter verification time. And our scheme is quite practical in that sense. So that summarized our elliptic curve-based construction. For the elliptic space setting, remember that our scheme is O-lock O-end size in the generic construction. And unlike the elliptic curve-based construction, there are no very efficient or highly efficient CK proof in the elliptic space setting that we can use. But interestingly, our scheme is already highly efficient in the elliptic space setting. It's mainly because our scheme consists of one single response and n challenges. And we know that the size of challenge in the elliptic space schemes are rather small, like 256 bits, as compared to the size of a response in the elliptic space setting, which is usually at least a few kilobytes. So we can see that we only need one response and n very small challenges. So we obtain a very compact elliptic space range even without requiring a elliptic space sum argument. And we give our type T canonical identification from the elliptic space setting using the rejection sampling technique. And we will give our concrete parameter setting in the paper. But the results are summarized below. Our scheme is the shortest one for a range size between four to 1,946. We believe that it is quite useful in practice, for example, the range size of a monary. Because a range size of a median ring members is not practical because you also need to send all one million proper keys of the ring members. So it is not practical to have this extremely large ring size. So we believe that something around 1,000 is more reasonable in that sense. So this is the contribution of our paper, although our paper is over n size in the elliptic space construction. Our ring size, our signature is still quite small. And we also notice that in this conference, Group 21, there is another paper. They propose another ring signature in the elliptic space setting. And they improve the previous result by quite a lot by reducing the constant terms in the elliptic space construction. And we can see that they can even create a ring signature of 1,024 ring members, which is smaller than our construction. So when we compare our scheme with theirs, our scheme, the elliptic space LB, is still the shortest run between ring size of four and 452. And for the figure between 4,053 to 505, we do not have an actual figure in their paper, so we cannot compare. And for a ring size larger than 505, then their papers are better. So this is a very rough comparison between our scheme and their scheme. But we also want to point out that one very important part of our point of our scheme is that the computation of our scheme is extremely fast. It's mainly because of the computation of our challenge ring. It's very simple. Just a computation of a 256-bit string or numbers. So the only slow part is the computation of the R ring. So the computation is extremely fast. And we compare with one of the fastest scheme in Cripples-19, which has an implementation so we can compare them. When it was in the same paper, running in the same computer, we can see that their scheme can only run for a ring size up to 64. Because the next parameter setting in their paper is a ring size of 1024, and we cannot run their scheme in reasonable time. So we can see that their scheme is already very slow in 64, the ring size of 64. But our scheme is still practical for a ring size of maybe more than 200. So we can see that our scheme is extremely practical when it is implemented in a MacBook using private. To conclude, our paper actually proposed a generic construction of ring structure using a new dual-ring structure following the classical ring approach, which is quite different from the papers in the last few years. When it is instantiated in the discrete log-based setting, it is the shortest one without using trusted setup. And in the lattice-based setting, we give the shortest ring signature for a ring size between 4 to 500. And when it's implemented, our schemes, both in the BL-based and the lattice-based setting, they are both quite practical. So thank you for listening to our schemes. And if you have any questions, feel free to send me an email. Thank you.