Good day everyone. I'm Tan and this is the work of Thomas and me. We propose an expressive anonymous attribute-based credential system which is called MoniPoly.

This is the outline of our presentation. We briefly go through the definition of an anonymous ABC system, then present the research gap in the literature, followed by our contributions, which are trying to close the gap. Our first contribution is to propose a MoniPoly set commitment scheme, which is the main ingredient for our MoniPoly ABC system. We end the presentation with the security analysis and benchmark.

An anonymous credential system has two protocols: the issuing protocol and the presentation protocol. In the issuing protocol the user approaches an authority to get the authority to sign on his private information in an anonymous way. So for instance here the private information is gender, name, ID, role, and branch. So the user first masks this attribute set and sends it to the issuer, who is the authority. The issuer first checks that this mask is correctly generated and signs on the masked attribute set blindly. The signature produced by the issuer will be used by the user as the credential.

So during the showing protocol the user acts as the prover and he can prove to a verifier that he holds a valid credential without revealing his identity. And in the attribute-based setting the verifier can take a step further, for example ask the prover to show that the credentials actually fulfill some access policy. So in the example here the verifier asks the prover to prove that he is a manager in either branch X, Y, or Z. So the prover runs the protocol by proving that the credential is a valid credential, then he proceeds to prove that he is a manager in the branch Y. If the protocol ends successfully the verifier accepts the prover, else it rejects.

There are highly efficient ABCs with optimal asymptotic complexity for finite set attribute space.
By the term finite set attribute space we mean the attribute space with finitely many values, for example gender (only male and female), country code, birthday and so on. And such ABCs can achieve the high efficiency because they perform pre-computation on the finitely many attributes. So these ABCs either have a large public key or a large credential size. We do not find comparably efficient ABCs under the string attribute space, the attribute space that does not have finitely many values, such as name, metadata, serial number and so on. And we also notice that there is a lack of systematic security analysis for ABC systems. We will discuss more on the systematic security analysis or the systematic security model in the later slides.

Our contributions: the first contribution is that we propose a MoniPoly set commitment scheme which can support the set intersection and set difference operations. And based on this set commitment scheme we construct a new ABC system with strong security assurance, which is secure against impersonation and unlinkability. And it can be proven so in the standard model with tight reduction. We also have a practical public key size and expressive yet efficient show proofs. Our show proofs can support the clauses of AND, OR, the threshold ANY, the negated AND, negated all and negated ANY, regardless of the attribute space.

Our proposed scheme is based on these two hard problems, the q-SDH problem and the q-co-SDH problem. The only difference between these two is that the second one, the q-co-SDH problem, has another q elements in G2.

Our proposed MoniPoly set commitment scheme looks like this. In the public key, these elements are the instance of the q-co-SDH problem, and if the value n is already fixed we can actually delete the secret key x prime. In order to commit to a set of attributes, the committer computes the element C, whose exponent here is the monic polynomial.
And this monic polynomial can be represented by using only the coefficients mj, and that's why we named this set commitment scheme MoniPoly.

This is how our set intersection works. So recall that the commitment C has this form: the exponent is the monic polynomial. So if a committer would like to show that there exists a set I within the committed set A, the committer can separate the set I from the committed set A, which becomes the set A minus I and the set I, and everything inside this bracket can be compressed into a single element W, which is the witness, and this element W can be verified using the verify intersection algorithm.

Our set difference makes use of the fundamental theorem of arithmetic. Recall that the commitment value C has this structure: the monic polynomial constructed by the set A. So if there exists another monic polynomial constructed by set D such that this set D monic polynomial cannot divide the set A monic polynomial, then there must exist a quotient and a nonzero remainder, and that's why in our verify difference we also check that the remainder is not a zero value.

We proved that our proposed MoniPoly set commitment scheme is perfectly hiding in theorem 2, and in theorem 3 we proved that our MoniPoly commitment scheme is computationally binding if the co-SDH problem is hard.

Based on the set operations of the MoniPoly commitment scheme we construct the access policy for our ABC system. We view the policy as a statement that can act on an attribute set, and the statement is constructed by a single clause or a composite of clauses. Table B shows the supported clauses: OR, ANY, AND, negated OR, negated ANY and negated AND. And the signing algorithm in our ABC system is based on the C-L signature scheme, which is proven to be strongly existentially unforgeable in the standard model under the q-SDH assumption, and this is our MoniPoly ABC system.
Our key generation is the combination of the SDH-based C-L signature scheme and the MoniPoly commitment scheme. We can see that this part is from the MoniPoly commitment scheme.

This is how our issuing protocol works. So the user initializes the issuing protocol by running the proof of knowledge protocol with the issuer. So notice that the element a power of alpha j is the MoniPoly commitment. So if this protocol ends successfully the issuer will sign on M blindly using the C-L signature, then the user will compile the signature into a credential.

Every time before the prover runs a presentation protocol he blinds the credentials, and this is the way he blinds the credentials, and it can be verified with this equation, which is a slightly modified C-L signature verification equation. And if a verifier asks the prover to show that he has valid credentials, this is how the prover runs the proof of knowledge protocol. Notice that the prover only proves six secret exponents, and this algorithm is the correctness equation on top, and this part is actually the MoniPoly open algorithm. So since the equation always works irrespective of the size of attribute set A, we have a constant size proof of possession.

The scenario of the AND proof is when the verifier asks the prover to prove that his attribute set A inside the credential contains an attribute set A prime. So this is how the prover interacts with the verifier. The prover uses the MoniPoly verify intersection algorithm here and then it proves to the verifier that this credential is valid, and this part, the queried attribute set A prime, is inside the credentials. And notice that this element can be computed by the verifier, since the verifier is the one who chooses the A prime. So we have a constant size proof again.

For the threshold proof, the any and all proofs, it works similarly. This part is taken from the MoniPoly verify intersection algorithm and this can be computed by the verifier.
For the negated AND and NOT proofs, this part is the MoniPoly verify difference and this can be computed by the verifier. The same goes for the negated ANY proofs. This is from verify difference again and this can be computed by the verifier.

This is the impersonation resilient security model that we consider in our work. We consider adversaries 1, 2, 3 and 4, where we allow the adversary to have the ability of sniffing the communication between the user and issuer during the issuing protocol and we allow the adversary to corrupt the user. During the presentation protocol we allow the adversary to sniff the communication and we also allow the adversary to corrupt the verifier. Since adversary number 4 implies adversary number 3, because if you are the verifier then you can see all the communication between prover and verifier, we consider only the adversaries 1, 2 and 4.

We allow the adversary to make adaptive and concurrent queries, and the adversary's goal is to run a complete show proof with the verifier using the challenge access policy and the challenge attribute set such that the challenge access policy cannot be satisfied by all the previously queried attribute sets Ai. So during the impersonation phase the adversary will approach the verifier, where the verifier will ask the adversary to complete the show proof using the challenge access policy. So if the adversary can complete the show proof successfully then the adversary wins the game. We prove that our proposed ABC system is secure against impersonation under the active and concurrent attack in the standard model with tight reduction. This is based on the assumption that the co-SDH and the SDH problems are hard.

Instead of the anonymity security notion we consider the full attribute unlinkability notion. In the full version of our work we show that our attribute unlinkability notion is a stronger notion compared to that of anonymity. So in our attribute unlinkability security model we consider four adversaries.
We allow the adversary to sniff the issuing protocol communication as well as that of the presentation protocol. We allow the adversary to corrupt the issuer, and with that set the adversary knows the secret key of the issuer, and we also allow the adversary to corrupt the verifier. So instead of using only one masked attribute set as the challenge, we allow the simulator to use two masked attribute sets, which are marked by B and 1-B to represent the sequence of these two attribute sets. Since the issuer, who is now the adversary, knows the secret key, he can sign on these two masked attribute sets and return them to the simulator in the same sequence B and 1-B. The simulator then runs the presentation protocol with the adversary using the challenge access policy, and the simulator will answer the show proof of this challenge access policy in the same sequence B and 1-B. So the goal of the adversary is to guess the value B. If the adversary can guess it correctly it means the adversary managed to link the attributes to a credential and the adversary wins the game. So we prove that if the initialization of the issuing protocol and the presentation protocol have random self-reducibility and their witnesses, committed attributes as well as the randomized credential are perfectly hiding, our proposed ABC system is attribute unlinkable under the active and concurrent attack.

We also consider a new security notion, namely the full protocol unlinkability. In the full version of our work we show that protocol linkability and attribute unlinkability are two different notions. There exists no reduction between these two notions. So again we consider four adversaries and they are the same compared to the attribute unlinkability, but we have a difference in the challenge. So the sequence is now B1 and 1-B1 and B2.
So which means that during the showing protocol the prover may change the sequence of the credentials and he executes the show proof with the verifier, who is now the adversary, with the different sequence. So if the adversary can guess the correct transcript of the issuing and the correct transcript of the showing such that the credentials are the same, then the adversary wins the protocol unlinkability game. So similarly we show that if the initialization of the issuing protocol and presentation protocol have random self-reducibility and other parts are perfectly hiding, our ABC system is protocol unlinkable under the active and concurrent attack.

This is the comparison on the security properties for the related ABC systems in the literature. So we can see that some ABC systems consider only anonymity, some consider only unlinkability and some consider only the security for the presentation protocol but not the issuing protocol. For ours, we managed to cover all the security properties, and we are the only one that has tight reduction.

This is the asymptotic complexity comparison for the show proofs in the related ABC systems. We can see that our proposed MoniPoly ABC system is not the best in terms of complexity, because those specially designed for finite attributes have lower complexity or even constant complexity. For example the ABC system based on prime encoding has O(1) complexity, but if we consider the string attribute space then ours is better because, taking the all proof as example, in the ABC system based on prime encoding the complexity is hyped up to n times k, where k is the size of the query set, while ours is only n plus k, and ours is also the only ABC system that can make use of all the clauses efficiently.

We also present the efficiency comparison in terms of the scalar multiplication in G1. We provide only a comparison for proof of possession and AND proof because not all the ABC systems in the previous table can support more than AND proof.
So in proof of possession our proposed scheme is here and there are only two that are better than us, and these two are the ABC systems that work in the finite attribute space. For the AND proof our work is here, while the only one that is better than us again is the one that works under the finite attribute space.

We also implement the proposed ABC system using the AMCL version 3 Java library and we run our system for 1000 rounds with multiple numbers of attributes. For the 128-bit security we use the curve BLS461 and for the 256-bit security we use the curve BLS48. So at 128-bit security, if the number of attributes in a credential is less than 500 then our show proofs can be completed within one second. For 256-bit security, at 500 attributes in a credential our show proofs can be completed within five seconds.

As a summary, we propose a set commitment scheme that can support set operations and we propose a MoniPoly ABC system which is provably secure in the standard model with tight reduction. Our ABC system achieves IMP-ACA, AUNL-ACA and PUNL-ACA. Our ABC system has practical public key size and expressive show proofs. Our show proofs also support the access policy with composite clauses. At the moment our ABC's performance is the fastest in the string attribute space and is comparable to the ABCs that work under the finite attribute space. This is the end of our presentation. Thank you for your time.
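
The polynomial algebra behind the set intersection and set difference checks described in the talk, as an added example that is not part of the presentation or the authors' implementation. It works in the clear over a prime field with no pairings, so nothing here is hiding or binding; the modulus `P`, the evaluation point `S` standing in for the secret x prime, the SHA-256 attribute encoding, the sample attribute set and all function names are assumptions made for illustration.

```python
import hashlib

P = 2**61 - 1   # constructed prime standing in for the pairing group order
S = 123456789   # constructed stand-in for the secret x'; never known in the clear in a real scheme

def encode(attr):  # assumed encoding of a string attribute as a field element
    return int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big") % P

def monic_poly(attrs):
    """Coefficients, lowest degree first, of the product of (x + encode(a))."""
    coeffs = [1]
    for e in sorted(encode(a) for a in attrs):
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] + c * e) % P
            nxt[i + 1] = (nxt[i + 1] + c) % P
        coeffs = nxt
    return coeffs

def evaluate(coeffs, x=S):
    """Horner evaluation mod P; stands in for computing in the exponent."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_divmod(num, den):
    """Long division by a monic polynomial: returns (quotient, remainder)."""
    num, m = num[:], len(den) - 1
    quo = [0] * max(len(num) - m, 1)
    for k in range(len(num) - 1 - m, -1, -1):
        quo[k] = num[k + m]
        for j, d in enumerate(den):
            num[k + j] = (num[k + j] - quo[k] * d) % P
    return quo, num[:m]

def intersection_witness(A, I):
    """W = f_(A minus I)(S), so the commitment factors as W * f_I(S)."""
    return evaluate(monic_poly(set(A) - set(I)))

def verify_intersection(C, w, I):
    return C == w * evaluate(monic_poly(I)) % P

def verify_difference(C, q, r, D):
    """q, r = poly_divmod(f_A, f_D); accept only a nonzero remainder."""
    f_d = monic_poly(D)
    return (C == (evaluate(q) * evaluate(f_d) + evaluate(r)) % P
            and len(r) < len(f_d) and any(r))

SAMPLE = {"gender:F", "name:Alice", "id:1234", "role:manager", "branch:Y"}  # constructed
```
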