 Hello, my name is Maxime Blossom and this video is the presentation for the PCC 2022 paper that is joined work with Vadim Yubeshevsky and Kaya Nguyen. So first, just a slide of notation, you can pause the video if you want to read. Okay, so as a summary, the blank signature scheme is built upon three major components. The first one being an encryption scheme that tolerates some computation on the ciphertext I'll come back to that later in the presentation. The second one is a one-time signature scheme which originates actually from a 2018 construction upon which we improve. And the last one is a set membership proof which we just take as a black box. So, in the end, the scheme is round optimal, there's just two communications between the user and the server and the signature in the end is about 150 kilobytes. Okay, so the first part of this talk is the lattice-based one-time signature construction which I just mentioned. Okay, so the 2018 construction goes as follows. So you sample a uniformly random matrix A and the secret key is going to be uniformly random short vector S and Y. By uniformly random and short, I mean that every coefficient is drawn uniformly between minus B and B where B is some small bound. And then the public key is V and W which is AS and AY. Now, if you want to sign some message mu, so mu is a polynomial with binary coefficients, then you're going to compute the signature Z which is mu S plus Y. And now if you want to verify the signature, you're going to check that AZ is indeed equal to mu V plus W. And second, you're going to check that Z is indeed small. Why is Z small? It's because S and Y are smaller than B, the infinity norm, and the multiplication of mu only increases the size of Z by some factor K that is small. Okay, so this is the 2018 construction, but now I move on to the overview of the security of this scheme. So let's consider some adversary A against the infodability gain of this one-time signature. So A, the adversary C's the public key, V and W, and then he sees a signature sigma of some message mu. He produces a forgery for some message mu prime, which we call Z prime, this forgery. And now the challenger for this infodability gain knows the secret key of the public key. So he knows the S and the Y corresponding to the V and W, and then he can compute a honestly generated signature Z, which is mu prime S plus Y of this same message mu prime. Now what we can see is that we have two signatures Z and Z prime that pass verification, and that are signatures for this message mu. So we have A times Z is equal to mu prime V plus W, and the same thing for the Z prime. Now to conclude that Z minus Z prime is a solution to C's for A, we have to prove that Z minus Z prime is non-zero, otherwise this solution is trivial. So this is only the only thing that remains to be proven. So the intuition why Z is not always equal to Z prime, meaning that the adversary doesn't always output a forgery that is the same as the one that would have been honestly generated by the challenger is as follows. So the idea is we take parameters for the scheme that are chosen, so there exists at least another pair S star Y star that verify the adversary's view. So the adversary's view is this, so it's VW and the signature. And now what we say is that with the parameters we take, there exists at least two pairs of vectors S, Y, and S star Y star that verify this equation and that have small norm. So now from the adversary's perspective, both worlds, meaning the world in which the challenger sampled S and Y and the world in which the challenger sampled S star and Y star are indistinguishable, and therefore the adversary cannot always output Z equals mu prime S plus Y, or Z prime equals mu prime S plus Y, and sometimes he will pick the wrong one, which is the good one for the challenger and for us, and which is mu prime S star plus Y star. And so when this event happens, which happens with probability at least half, then Z is not equal to Z prime, and therefore the challenger recovers a Sys solution for A, a non-trivial one. Okay, so we're not going to use exactly this scheme, we're going to use a slightly different one, so we extend the previous construction to Gaussian for the secret key, meaning that our scheme, the one we're going to use in the blind signature, is exactly this one-time signature, except the secret key here is sampled from a Gaussian distribution rather than uniform with small coefficients. So everything else is the same, the signature is the same, the verification is the same, except the norm of Z now depends on these standard deviations sigma S and sigma Y. Okay, so now if we want to look at the security of this Gaussian version of the one-time signature, well we had to take a look at the original uniform distribution security, which was just a few slides ago, so what we wanted was that the adversary's view, which is VW in the signature, doesn't imply only one solution for S and Y, which means that the challenger could have sampled either of the solutions and the adversary cannot always find which one. So now with Gaussians it's slightly different because we cannot, since Gaussians are not finite support, just like the other version, there exists some other solutions that come from the same distribution as S and Y and verifies these equations, except we want that there's not only one solution that has non-negligible probability, because for example if the Gaussian, if the standard deviation sigma S and sigma Y are very small, then most likely there will be only one solution, which is the one that was sampled, S and Y, that verifies the adversary's view. And now we just have to take sigma S and sigma Y wide enough so there are many solutions to this equation with non-negligible probability for this distribution. And when this is done, then we can conclude the same way as we did before, which is the adversary cannot, in formation, theoretically find, always find the honestly generated signature as a part. Okay, so now I can move on to the second part, which is the blind signature, which is going to be built upon this one-time signature construction. So first, just a few definitions on blind signatures. So in blind signature you have two parties, you have a user and a signer. So after the interaction between the user and the signer, the user should obtain a signature for his message and they're the public key of the signer. Now it's not the only thing you want out of blind signature, you have some security notions that you have to fulfill. So the first one is blindness, which means that the signer should not learn anything about the message of the user. And he should not know, when he sees the blind signature that is produced in the end, he shouldn't know during which interaction this signature was produced. That's obviously because the message is part of, like, to verify the signature, you have to have the message and if you can link, then he learns something about the message or the interaction. Okay, so the second one is one more inforgerability and it goes as follows. After some interactions, say some number L of interactions between the user and the signer, the user should only be able to produce L signatures. So basically, you should not be able to produce L plus one signatures because, well, then there's at least one signature less, not the result of an interaction, of a honest interaction between the server and the signer and the user. Okay, so now the intuition of our construction. So let me just first present a naive approach that is not going to fulfill the blindness notion. So let's see. The public key is going to be a collection of an one-time signature public key. So here the one-time signature is the Gaussian version of the 2018 construction that I talked about in the first part of this talk. So second, the user will send his message to the signer. So this is obviously not blind then because the user just gives away his message to the signer. We'll come back to that later. So the signer just got the message and he can compute the one-time signature of this message for the ETH public key of the scheme because the scheme is n one-time signature public key. So he just picks one. It's actually his state which he will update every round during each interaction. So the signer sends this one-time signature to the user and then the user can compute a zero knowledge proof that he got basically this one-time signature for some index. So basically the user recovers z from his interaction with the server. So z is a one-time signature of his message for one of the public keys and then he can prove this statement here and this snot leak which index it is. Okay, so now this was the non-blind approach. So there's a few things we have to change. So first, so the public key still just a collection of n one-time signature public keys but now instead of sending directly his message to the signer the user will encrypt it and send the ciphertext to the signer and a well-formed s zero knowledge proof to the signer. Now before the signer had the message and so he could compute the one-time signature directly but now he will homomorphically compute this like an encryption of the one-time signature directly on the ciphertext which he will send to the user and then the user can decrypt the signer's response and just keep on just like on the naive approach I just explained before. Okay, so a little more specifically now. So the server setup is going to be as follows. So he samples a short trapdoor which is a matrix R and then he sets the public key the public matrix A to be constructed like this which you might recognize allows him to use his trapdoor to sample pre-images of vectors and then he will sample uniformly random vi and wi which is going to be the public key of the one-time signature. Now you can remember that in the one-time signature the setup was you first sample the matrix A then you sample the secret key s and y and you compute v and w as the public key. Now here the server is going to do it the other way around which is he's going to sample A with a trapdoor in it then he'll sample v and w and sample a pre-image s and y a short pre-image s and y from a Gaussian that is going to fulfill the same the same equations as the the one-time signature. So the public key is just this matrix A and the vi and wi and the secret key of the server is this matrix R. So as I just said for every signature the the server will have to sample a secret key si and yi using the trapdoor and for each signature the user should generate a key pair for an encryption scheme and run the setup of the set membership proof for every signature. So even if he interacts several times with the server he should have a different the server should not be able to link every anyway. Okay so the blind signature itself so the communication between the user and the server because this follows so first the server the user will has a some message mu which he will encrypt into tnt prime using the public key just generated and then he will compute a zero knowledge proof that the ciphertext is well formed and it will send everything to the to the signer. So the signer has some state i between zero and n minus one so he first verifies this will form this proof and if the verification passes then he will sample the secret key from the one-time signature which is si and yi from gaussians verifying this equation here and next he will compute an encryption of the one-time signature of mu directly on the ciphertext he received from the user and he will update his state and send the ciphertext to the user. So the user received the ciphertext which he decrypts and gets a one-time signature for his message and there the eith public key of the of the server the signer so first he verifies that indeed there is an index for which he has a valid one-time signature and then he will compute this this zero knowledge proof that he the of the of the statement I just said which is he has one valid one-time signature for one of the index and one of the indices. Okay so that was the the idea of the of the blind signature scheme now I'll just explain a little more about what the encryption scheme is and how the computation on the ciphertext is done. So first just two slides you can post a video if you want to read further about this encryption scheme but the idea here is that this encryption scheme is a regular type encryption and so the signer can homomorphically compute an encryption of the of the of the of the one-time signature of the message mu because it's linear so if he computes capital F and f prime this way so just the the encryption of a vector is just the encryption of every coordinate of the vector okay so the adversary can do this now there's a one one run problem which is this leaks the the secret key of the signer and this is not something you want because this would break one more one more unforgeability so now to fix this problem we use drowning which is as follows so we generate the server would generate an encryption of zero with wide enough Gaussian noises so first he'll sample y y prime and y prime with independent Gaussian coefficients and then he will compute some masks so we have this capital M and m prime which are basically encryption as of zero except the distribution of the noises during a honest encryption say is supposed to have a different distribution but so here it's wide gaussians and then he will compute capital F and f prime as this as we just shown here plus the masks which are encryptions of zero and therefore the decryption of f and there are some other conditions I'm going not going to mention further here this the the decryption still gives z the one thing signature of the message mu okay so now just a final slide about the parameters of our scheme so you have everything here is a screenshot from the from the paper so you can pause the video and read if you want to see okay thank you very much bye