 Hello, good afternoon everyone. So, in the following I'm going to present my joint work with Icocoutes and Daniel Masny for the optimal security pool for signatures from identification scheme. So basically in this paper we mainly talk about the five-sharmier transformation, which transforms an identification scheme to a signature scheme. So one of the famous, one of the textbook examples is the snore signature. And there's many results on the snore signature, for example the forking lemmer or the reset lemmer or some improvement on the security pool. And also at the same time there's some impossibility result showing that the reduction has to lose a factor of Q and so on and so forth. So in this work I'm going to propose a modular pool framework, which can simplify this security analysis. And also at the same time I'm going to give a tight reduction from the single user security to a multi-user security. So this talk is mainly focused on the tightness, so I'm going to explain what is the tightness. So basically the tightness is defined in terms of a success ratio. So basically it's the epsilon divided by t, so epsilon is the advantage of the adversary and t is the one time advantage. So usually in the security pool we always do this. We always assume that if there is a adversary who can break the scheme with a success ratio row, then we can construct some reduction which can break the underlying assumption, for example, the script log with a success ratio row prime. And there are some security laws, let's say capital L. So if the security laws is some constant, then we say the security reduction is tight, otherwise we say the security reduction is non-tight. For example, your security loss is some large polynomial of security prime to lambda. For example, the number of users. So why we care about the tightness? Because we want some efficient scheme. So let's say we want the scheme to have 80-bit secure. And if you have a non-tight scheme, let's say you assume your number of users is 2-30, then you end up with some, you need to essentially, for example, your group with a larger parameter. That's why we care about the tightness. So in the following, I just want to remind you what is the five-charmier transformation. So first of all is the identification scheme. So for identification scheme is an interactive protocol where you have the poover which holds the secret key. You also have a verifier which holds the public key. And it's a free-run protocol. So the first one is called commitment. So poover sends commitment. And then the verifier sends some random challenge. And then the poover needs to respond. And the verifier will accept it via a deterministic algorithm V. So either you accept the poover or not. So when you want to convert it to signatures, basically it's just one important step. You just need to compute your random challenge via hash, which is a random protocol. You just hash the R and the message as your random challenge. And then you get to a signature scheme. So as I said before, one of the important instantiations is snore signature, which is if you use the forking number, you can prove the security is based on a discrete block in a random protocol model. And also there are some impossibility results showing that your security reduction has to lose at least a factor of Q, which is the number of your random protocol queries. And for the security model, you have to use a programmable random protocol. You need the programmability for the security. So if you look closer to this impossibility result, actually it's quite specific to the snore case. For example, in a surround result, they assume the reduction is algebraic, which is really specific to the snore case. For example, for the FJS14, it's also assumed the reduction is a generic group algorithm. So a natural question to us is that is it possible to generalize this impossibility result to any signature schemes via the five charming transformation? And also at the same time, there's one important property is the multi-user security, right? Because now they, like usually the crypto system involves many users, so it's important to consider this security notion. So for the reduction from single user to multi-user, there's a tribal reduction, which you basically just guess the challenge user, the target user, and then you lose a factor of N, which is the number of your user. So in 2002, there's a paper showing that for snore case, actually you can do a type reduction in the standard model. But unfortunately, like last year, the person shows that actually the proof in 2002 is there is some issue there. And then he fixed it by proposing a variant of snore signature, which is called key perposing, and then for this variant of snore signature, then you get a type reduction. So now the question to us is that is there some way to fix the proof in 2002, right? So is there a type reduction for the original snore signature? Because the key perposing snore signature is some variant of it. And maybe more generically, is there any type reduction for any signature scheme, like generic signature schemes, while the five-sharmier transformation. So that's the motivations of this work. So in this paper, I'm going to give a modular proof framework, which simplified the security analysis. In particular, we generalized the impossibility result for any signature scheme from the five-sharmier transformation, which shows that for all these signature schemes, it has to lose a factor of Q and also needs a programmable landmark. And also, we give a type security reduction from single-user setting to the multi-user setting. If the identification scheme is random self-reducible in a random argument, we sort of fixed the proof in the 2002. So now in the following, I'm going to give you a big picture of our framework, and then I'm going to sketch the reduction for the single-user to the multi-user security. So now I give the overview of our framework. So our framework starts from the recurs security notion for the identification scheme, which is called key recovery security against key-only attack. So what the basically doing is that the arrester only gets the public key, and he needs to sort of extract this very secret key out of that, which is the recurs possible. It doesn't get any other algorithms. And then in the end, we want to convert the identification scheme to UFCMA security. So the goal is to have UFCMA secure signature scheme. So actually, so here in the following, I'm going to consider a weaker notion, which is called UFKOA, like unfortunate ability against key-only attack. So basically, we don't have, the arrester doesn't have the signing queries. And there's a previous result showing that if the identification scheme is on this verified seal knowledge, then you can transfer it. So all the previous results just goes from the key recovery security to the UFKOA security. So it's a large step. But in our framework, we just consider this in a small step. So we simplify the proof and also we also simplify the impossibility. So let's see. So in following, I just dropped the CMA security. We just consider to the KOA security. So the first step, we just convert the key recovery attack to the impersonation attack. So impersonation attack is just a standard impersonation attack. So for this proof, we require the special soundness for the identification scheme. And we also need a rewinding technique. And in particular, if the identification scheme has the random self-disability, then this reduction is tight. And we also give a meter reduction to show that if you don't use a rewinding technique, there is no security reduction from KRKOA to MKOA. And the second step is that we transfer the impersonate. We have a, we parallelize the impersonation attack security to a PIM KOA security. So the reduction here, we require the gassing technique. We just guess where is the challenge section and then the security is going to lose effect of Q. We also show that this step is, the security loss is optimal. You can't do it better. And the last step is somehow trivial. You just need to program the random molecule, then you get the UFKOA security. So here we also show that you need the programmability for the random molecule, for this reduction. And that's basically the overview for the single user setting. And now I'm going to move on to the multi-user setting. I'm going to transform the UFKOA to the UFCMA in the multi-user setting. So for this step, I need random self-disability for the identification scheme and also the honest verified civil knowledge property. And this step is done in the random molecule set. And in particular, if we also show that from DDH assumption, or fire hiding assumption, you get a direct construction for the tight PIMKOA security. Which means that if you go through our framework, then in the end you get a tightly secure signature in a multi-user setting based on DDH or fire hiding assumption. So actually this step, like from the single user to the multi-user CMA security, we actually have two small steps. So the first step is that we convert the KOA security in a single user setting to the multi-user setting if the identification scheme has the random self-disability. And this step is done in a standard model. We don't require any property of like any random oracle here for the first step. And the second step we need a programmable random oracle and then we can convert to the CMA security. Okay, so let's see the first step. So what does it mean by KOA security in a multi-user setting? So basically it's also somehow straightforward. So in a multi-user setting you have N public key. And then like when you... And then the forgery is a forgery for the i-star public key. It's somehow straightforward. So here I need some property called random self-disability, which basically saying that there's a re-rand algorithm. If you give me a public key, I can re-randomize. I can re-randomize a public key. And also I also give you a chapter. And with the chapter, there's an algorithm called Chen, which can convert valid transcript for public key PKI to a valid transcript under public key. I can go back, so to say. But it's for the protocol transcript. Okay, so once you have this property, actually the reduction is somehow straightforward. Because your public key basically is just re-randing your public key and then you send your public key to the adversary. So when you get the forgery from the adversary, you use the chapter to convert to the public to a valid transcript for the public key. And then you have your security. That's somehow straightforward. And here we don't need any random algorithm. And the second step is more involved, actually. So the second step we need, the identification scheme has the onisverify-ceo-knowledge property. So what it's saying that is that for onisverify-ceo-knowledge, basically there is six simulators, which inputs the public key that you have, that you output a protocol transcript which distributes identically to the real transcript with respect to the public key PK. That's the onisverify-ceo-knowledge. So now I'm going to first define what this means for UFCMA in the multi-user setting, which is somehow straightforward. You have M public key. And so here is you are in the random article, then you can have like random article queries. And also you can ask signing on the under the public key PK IJ and then you get back the signature and then you send the phone to me. It's a straightforward. So in forward, I'm going to come to a reduction which can break the UFKLA in the multi-user setting. So actually it looks at the first time you it looks quite straightforward, right? Because we can try to solve the trivial solution. But actually this solution does not work. So what does it mean? So basically for the public key, I just forward the public key. So when you comes to random article query, I just forward. So the random article query from the left-hand side, I denote it as H prime. So basically that's the random article query for KOA. And so when you ask me for the sign, I just use the onisverify-ceo-knowledge to sign, the simulator to sign it. And then a program, the random article H. So far so good. So because the public key is distributed properly, everything's fine and your signature is distributed. So now comes the question is that when the words will give you the forgery, okay? So how can you break the security of the KOA? So another way to ask if this forgery is also a valid forgery for the KOA security. That's the question. But actually it's not always. Sometimes it is, but not always. So let's consider the following, sort of like the critical case. So let's assume the adversary just asks one signing query. And then the adversary will use the message M and also the R for its forgery. And if this happened, actually the hash is inconsistent on the point R comma M, right? Because on your right-hand side, the hash value is programmed locally by the reduction R, which is inconsistent to the random oracle of your left-hand side, which is H prime. And S star, and also like S star is valid, but it's only for the H, only for the random oracle query of your right-hand side, but not for the H prime. Which means that if you put it to the, if you give it back to the KOA challenger, it's going to up a zero. You're going to, it's not a valid forgery, okay? So in the following, so how to fix this critical case? In the following, I always assume it's always in the critical case, because the other case is simple. So our solution is to randomly generate a public key, such that with probability one over two, we know the secret key, such that we can generate a signature by asking the random oracle of your left-hand side, by asking the random oracle, such that the hash query is consistent. So how you do that? So you just pick a random coin, BJ, and if the random coin is zero, then you know the secret key. Otherwise, you just forward the challenge public key. And when you simulate the random oracle query is the same. So when it comes to critical, you know, when you come to the signing queries, so there's two cases. So either BI is equal to zero, which actually is a good case, because I know the secret key, and then I simulate a signature, and when I simulate the signature, I ask the random oracle h prime. And then I program the h, such that these two are consistent. And if BI is equal to one, which is the bad case, but it only happened with one over two probability, which is a constant. So when you're done with this, now you come to the forgery, and now you want to extract the forgery for the KLA security. So now for the BI, for the hash query, so now it's consistent with one over two. And we also need to make sure that PKI star is really coming from the challenge, which also happened, which means the BI star is equal to one, which also happened with one over two probability. So in the end, the reduction can break the UFKLA security in the multi-user setting with one over four times the epsilon of eight. Then you finish your, then the reduction is tight here, okay? And that's basically the security proof, okay? That's basically the idea, okay? And now I'm going to summarize this paper. So basically this paper gives a new framework to prove the security of the five-shot mesh transformation. It starts from the weakest possible, which is called key recovery attack against key recovery security against key only attack. And then we go all the way until UFCMA in the multi-user setting, okay? And all these steps are tight, except the one in between in and pin. And also like the other directions are trivial because there's trivial. And which means, so here which means that actually the single user security and the multi-user security, they're equivalent, they're tightly equivalent in a random oracle model. And also in particular, from the DDH assumption on finding assumption, we have a direct construction of the tightly PIMKLA security, which basically is the cut one identification scheme or GQ identification scheme. And also for multi-tile, we can go to our e-promotion and that's all for my presentation. Thanks.