So let me introduce this new tool, the asymmetric group hash function. First of all, they are defined over bilinear groups, so basically we have a map from G1 times G2 to GT. An asymmetric group hash function consists of three algorithms: a key generation algorithm, which, given a security parameter and a bilinear group description, outputs a couple of secret key and public key; a private evaluation algorithm, which, given an input and the secret key, gives an output of the function, which is secret, so it cannot be computed with just the public key; but in addition we have this public evaluation algorithm, which allows everyone who gets the public key to basically compute a homomorphic copy of the output of the function in the target group GT. Moreover, we have these two trapdoor algorithms, a trapdoor generation algorithm and a trapdoor evaluation algorithm, where the trapdoor generation takes the security parameter, the bilinear group description, two generators of the first group, namely g1 and h1 equal to g1 to the y1, and two generators of the second group, which are g2 and h2 equal to g2 to the y2, and outputs the trapdoor information and the public key, while the trapdoor evaluation algorithm, taking the trapdoor and an input, gives in output the description of a degree-d polynomial in the variables y1 and y2, which are the discrete logarithms of h1 and h2.
And the trapdoor evaluation algorithm is such that H of X can be written as g1 to the c_X of y1 and y2. So let me introduce the concept of programmability, which, as I told you before, is quite similar to the one relative to the programmable hash functions introduced by Hofheinz and Kiltz. We say that the hash function is (m, n, d, gamma, delta)-programmable if there exist a trapdoor generation and a trapdoor evaluation algorithm such that correctness holds, and we saw it in the previous slide, and such that we have statistically close trapdoor keys, which means that a public key which is output of the standard-mode key generation algorithm and a public key which is output of the trapdoor generation algorithm have a statistical distance which is gamma. And then we have well-distributed logarithms, which is a property quite similar to the one before. So if we have two different subsets of inputs, which are disjoint, the probability that c_{X_i,0} is zero and c_{Z_j,0} is different from zero is greater than or equal to delta, where with c_{X_i,0} we mean the degree-zero term of the polynomial output of the trapdoor evaluation algorithm. In addition, we have this completely new property, which is the programmable pseudorandomness property, and we model the definition via an experiment between an adversary and the challenger. So basically, after giving the challenger a generator of G1 and a generator of G2, the adversary is able to perform some queries, and he gets back the output of the function over the input and a value T_b, which can be either g1 to the c_{X,0}, which is again the degree-zero coefficient of the polynomial c_X, or a random element in G1. And we say that H has programmable pseudorandomness if basically, really intuitively, the adversary is not able to distinguish between world one and world zero with a probability which is not negligible. So let me stress that these two properties are basically mutually exclusive.
So we can get programmability or programmable pseudorandomness, and the reason is quite intuitive. If we have programmability, from the definition we have that c_{X,0} is equal to zero with non-negligible probability, and in this way we can basically trivially break the pseudorandomness experiment. So what about our contribution? First of all, we have this linearly homomorphic signature scheme with shorter public keys, and basically, before giving you an intuition of our result, I will recall some notions about homomorphic signatures. So what are homomorphic signatures? They were introduced by Johnson et al. in 2002, and so far we have homomorphic signatures for linear functions over vector spaces, for polynomials and for circuits of bounded polynomial depth, and we can prove security either in the random oracle model or in the standard model, as you can see from the double color. So it works. We have two users, which are Alice and Bob. Alice has some messages that she wants to outsource to a server, and so to do that she signs every message and she gives the couples, and Bob is allowed to perform some computation or some function over that data, but he doesn't have either the computational or the storage capacity to do that. So basically what he does is sending the function as an identifier of Alice's data to the server. The server computes the function and gives back to Bob the result of the function and the signature which holds the result. Then Bob can locally run a verification algorithm and decide whether to accept or reject the result from the server.
A bit more formally, we can say that a homomorphic signature scheme consists of a couple of algorithms: a key generation algorithm, which in this simplification takes the security parameter and the indexes of the messages in the data set and gives back a public key and a secret key; with the index and the message and the secret key gives in output a fresh signature; an evaluation algorithm, which uses the public key and has a function and a bunch of fresh signatures and gives in output a signature for the output of the function and the verification key; and the verification algorithm, which basically verifies whether the signature belongs to the result of the function f or not. Basically we have this correctness property, for which, if we have some fresh signatures and we perform the evaluation algorithm over these fresh signatures and over the function f using the public key, the verification algorithm with the result of the evaluation algorithm has to be one. And for what regards security, roughly speaking, we can say that an adversary without Alice's secret key has a valid signature or false results. So which is the state of the art? If we look at the size of the public key, we see that in the random oracle model the public key is of constant size, while in the standard model all the existing schemes which are proven secure have a public key which is linear in the size of the data set. And basically, on one hand this is not meaningless, and we can amortize such a cost of storing such a large public key by reusing it for multiple data sets, but on the negative side basically a user Bob cannot be able to store such a large key. So what we ask ourselves is: can we achieve a standard-model signature scheme with a key which is sublinear in n?
So our contribution is that we came up with the first standard-model homomorphic signature scheme with sublinear public key, which is linearly homomorphic for data sets of dimension n and with elements which are vectors of dimension t, with a public key which is linear in square root of n plus square root of t, and which is built generically using asymmetric programmable hash functions and the property of pseudorandomness. The assumption we used is a new constant-size assumption we came up with, which is called the flexible Diffie-Hellman assumption, and the programmable pseudorandomness of APHFs, which in our case is proven with external DDH. Moreover, we have this efficient verification procedure, for which we can split the verification algorithm in two phases, one offline and one online, in order to augment the efficiency of the online verification phase. I have no time to go into the details of our scheme, so what I'm going to do is to give you an intuition of what we did via a toy example which works for random messages and for a single data set.
The key generation algorithm takes the security parameter and the indexes of the messages in the data set and outputs a verification key, which basically is the verification key of the hash function along with an element g2 to the z, and the secret key of the underlying hash function along with an element z taken at random in Z_p. The signing algorithm works taking at random R_i in G1 and evaluating S_i, which is H of i times R_i to the one over z, and basically we have a two-element signature formed by S_i and R_i. When we have to perform the evaluation algorithm, if the description of the linear function is via its coefficients f1, fn, fl, we have that the resulting signature is the product of the S_i to the f_i and the product of the R_i to the f_i, while the verification equation is what you can read here. And the key point is that we have this public evaluation algorithm, which allows any user with the public key to evaluate basically the verification equation. So the signature is linearly homomorphic: if we multiply S_i and S_j, we have a signature for R_i times R_j. And now the point is, how can we prove security? We are going to use a simplification of flexible Diffie-Hellman inversion, and this assumption says that if an adversary is given g1, g2 and g2 to the z, it's hard for him to find a couple of elements in G1 which are W and W to the 1 over z, where W has to be different from 1. So, first observation: the fact that H is secretly computable is necessary. If not, you can take R star as H of i to the minus 1 and basically break the scheme. But, I mean, what does it mean, proving security? Proving security means building a simulation such that it's possible for him to simulate signatures and, given a forgery of the signature scheme, the simulator can use it to break the security assumption. So first of all, if we have B such that it can simulate signatures, it's easy to break the scheme, to break the assumption, sorry. Why?
Because if A comes up with a forgery S star, R star, where this is a forgery for an index i star such that S, R was the answer to a previous question over the index i star, we can take S star over S and R star over R and break the security assumption. Why? Because S star over S is basically R star over R to the 1 over z, because of this equation, and since R star is a forgery, it must be that R star is different from R, and so R star over R is different from 1. So basically what is left, the challenge we have now, is how to simulate signatures without having g1 to the z, and what we do is we use the trapdoor generation algorithm of our hash function for d equals 1, with h1 equals 1 and h2 equal to g2 to the z. So we model this proof with 3 games. Game 0 is basically the normal signing, so we have H of i times R_i to the 1 over z and R_i taken at random in G1. In game 1 we replace the hash function with the output of the trapdoor representation, and we still have R_i taken at random in G1. And in game 2 we replace R_i with g1 to the minus c_{i,0}, so S_i equal to g1 to the c_{i,1} is a valid signature for R_i, since it verifies the verification equation. And basically, for what regards the analysis, game 1 and game 0 are indistinguishable because of the indistinguishability of the standard and the trapdoor generation of the hash function, while game 1 and game 2 are indistinguishable because of the programmable pseudorandomness of H, which basically says that this element looks random to a PPT adversary. So in conclusion, what we did is refining the programmable hash functions, coming up with asymmetric programmable hash functions. The main differences, I told you before, are that they are secretly computable, and the programmability notion, which is similar to PHFs but has some differences and has this new property which is called programmable pseudorandomness. For what regards applications, what I have already shown to you is the first standard-model homomorphic
signature scheme with sublinear public key, which is linearly homomorphic with data sets of n elements and with elements which are vectors of dimension t. They are built using APHFs with programmable pseudorandomness. In our construction that you can find in the paper, hsqrt, we have that the length of the public key is linear in square root of n plus square root of t, and more concretely, if we have n which is equal to 10 to the 6 and 128 bits of security, previous solutions require a public key length greater than 32 megabytes, while our solution allows for a verification key which is just 100 kilobytes. For what regards standard signatures, plugging in our construction of asymmetric programmable hash functions, we basically match the state of the art, as Yamada et al. in 2012. So that's the end of the talk, and thank you for the attention.
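
As an added illustration (not code from the talk or the paper), the algebra of the toy scheme described above can be checked in a deliberately insecure "in the exponent" model: signing as (H(i) * R_i)^(1/z), homomorphic evaluation, and the extraction of (W, W^(1/z)) used in the reduction. The verification equation is an assumption reconstructed from the signing equation, since the slide is not in the transcript; the HMAC stand-in for H, the `pub_eval` table and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy model: a group element g^a is stored as its exponent a mod P, so group
# multiplication is "+", exponentiation is "*", and e(g1^a, g2^b) = gt^(a*b).
# This hides nothing and is only good for checking the algebra.
P = 2**127 - 1  # prime group order (constructed toy parameter)

def H(hk, i):
    """Secretly computable hash H(i) in G1 (HMAC used as a stand-in)."""
    d = hmac.new(hk, str(i).encode(), hashlib.sha256).digest()
    return int.from_bytes(d, "big") % P

def keygen(n):
    hk, z = secrets.token_bytes(16), secrets.randbelow(P - 1) + 1
    # vk: g2^z plus a table standing in for public evaluation e(H(i), g2).
    vk = {"g2_z": z, "pub_eval": {i: H(hk, i) for i in range(1, n + 1)}}
    return (hk, z), vk

def sign(sk, i):
    hk, z = sk
    r = secrets.randbelow(P)                  # R_i random in G1
    s = (H(hk, i) + r) * pow(z, -1, P) % P    # S_i = (H(i) * R_i)^(1/z)
    return s, r

def evaluate(f, sigs):
    """f maps index -> coefficient f_i; sigs maps index -> (S_i, R_i)."""
    s = sum(c * sigs[i][0] for i, c in f.items()) % P   # prod S_i^(f_i)
    r = sum(c * sigs[i][1] for i, c in f.items()) % P   # prod R_i^(f_i)
    return s, r

def verify(vk, f, sig):
    """Assumed check: e(S, g2^z) == e(R, g2) * prod e(H(i), g2)^(f_i)."""
    s, r = sig
    hashed = sum(c * vk["pub_eval"][i] for i, c in f.items())
    return s * vk["g2_z"] % P == (r + hashed) % P

def extract(sig_star, sig):
    """Two valid signatures on one index give (W, W^(1/z)), W = R*/R."""
    return (sig_star[1] - sig[1]) % P, (sig_star[0] - sig[0]) % P

def demo():
    sk, vk = keygen(3)
    sigs = {i: sign(sk, i) for i in (1, 2, 3)}
    f = {1: 2, 2: 5, 3: 7}
    s, r = evaluate(f, sigs)
    w, w_root = extract(sign(sk, 1), sigs[1])
    # (combined signature verifies, altered R is rejected, w_root^z == W)
    return verify(vk, f, (s, r)), verify(vk, f, (s, (r + 1) % P)), w_root * sk[1] % P == w
```

In `demo`, a second honest signature on index 1 plays the role of the pair (S star, R star) only to exercise the quotient step of the reduction.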