Hi everyone. My name is Chelsea Komlo and I'm here to present joint work with Dan Boneh on threshold signatures with private accountability.

So just as a quick recap about what threshold signatures are, they're a public-private scheme where some set of signers is represented by a single public key. And the private key is secret shared among some set of signers, where only a threshold are required to issue a signature. So here we can see a message coming into the set of signers. Two signers will sign and send what we call signature shares to a combiner, and the combiner will output the final signature that represents the group. And what's important is that when signers perform signing, they aren't sending their secrets to each other. They're kept locally and the full secret is never actually reconstructed.

So in the literature, there are two types of what are mutually exclusive threshold schemes. The first are what we call PTSs, and they're fully private threshold schemes, and you can think of some of these as those that rely on Shamir secret sharing. And the second type are what we call ATSs, so accountable threshold schemes. And these are also known in the literature as accountable subgroup multisignatures. So, really, where a PTS and an ATS are different is who learns what information from this signature. So in an ATS, everyone learns the signing quorum and everyone learns the threshold, whereas in a PTS only the signers that participate in signing learn the threshold and the signing quorum.

So in this work, we introduce a new type of threshold signature. And what this is is a threshold signature that is both private and accountable, and we call this scheme a TAPS. So like a PTS, for a TAPS the public does not learn the threshold or the signing quorum. But like an ATS, the signing quorum can be recovered, but it can only be recovered by a designated entity.
Basically, we get the best of both worlds of a PTS and the ATS in the same scheme.

So a bit more formally, a TAPS is a tuple of five algorithms: KeyGen, Sign, Combine, Verify, and Trace. And a TAPS must be unforgeable like any signature scheme. And it must be private, and we differentiate between two privacy notions, the notion of privacy against the public and privacy against other signers. And the scheme must be accountable.

For unforgeability, this is the same notion as for any threshold scheme. So we assume an adversary can control up to t minus one signers, and the scheme is unforgeable if the adversary cannot output a valid signature. And for accountability, we don't make any assumption on the number of parties that the adversary controls, and we say that the scheme is accountable if the adversary can't output a signature that traces to an honest non-signer.

For privacy, we say that a TAPS is private against the public: we don't reveal anything about the threshold or quorum of signers to anyone that's not trusted to be a signer. So that's what we refer to as the public. For privacy against signers, the TAPS reveals nothing about the quorum to any signer. So from a TAPS signature, even if I'm a signer, I shouldn't be able to tell who signed.

We then give a generic TAPS, and what the generic TAPS is, is it proves in generic zero knowledge that an encrypted ATS signature is valid. So the signature includes a ciphertext, which is the encryption of an ATS signature to the tracer, or this designated entity; it includes a zero-knowledge proof that the ATS is valid. And it includes a signature that it was issued by the combiner.

We then give a Schnorr construction. But we first observe that proving a Schnorr signature is valid in generic zero knowledge is actually quite expensive, because it requires proving that the output of the hash function is derived correctly. And so we actually have an insight on our Schnorr TAPS construction.
And this insight is that publishing the Schnorr commitment, which is a commitment to randomness, does not actually hurt privacy, and only the response needs to be protected. And so this insight allows us to improve over generic zero knowledge. And so in our Schnorr construction the verifier actually derives the challenge directly. And this results in a simpler zero-knowledge statement and something that's more efficient.

So overall, in this work we introduce the TAPS, which is a new type of threshold signature that is both private and accountable. We then define a generic construction that employs an encrypted ATS. And then we build on this generic construction with an insight about the structure of Schnorr signatures that simplifies the zero-knowledge statement. And then finally we define Sigma and Bulletproofs instantiations of the zero-knowledge argument for the Schnorr construction. Thank you very much.