 Hello everyone. This is a talk on BlanchNOR signature and signed Elgamal encryption in the algebraic group model. I'm Antoine Plouvié and this is a joint work we did with Georg Fouchebauer and Yannick Soran. In this work, I will focus on the BlanchNOR part of the paper and the algebraic group model. First, I want to introduce the idealized models. I will talk about generic group models and I will also introduce the algebraic group models that we use in the paper to do all the proofs. Then I will talk about schnore signatures. I will introduce the scheme and we will see how we can prove unfortunately of the scheme in the algebraic group model. This will give a flavor of all the proofs that we do in the paper. Then I will introduce BlanchNOR signatures. I will introduce the scheme and we will see how we can attack with the ROS problem with those signatures. This will lead to the first result of our paper. Finally, I will talk about closed BlanchNOR signatures. I will talk about the scheme and we will see the second result of the paper. I don't know if you see but my slides are here. When I look here, I point my pen on the slide. First, let's start with the idealized model. This is the generic group model. The generic group model works with group G of order p which is a cyclic group and usually we use this model in security notions where in a game an adversary will interact with a challenger and the challenger may give as input some group elements to the adversary. What happens in the generic group model is that the adversary doesn't see the group elements. What the challenger does is it hides the group elements behind symbols and the challenger has a list of symbols corresponding to the group elements. Now, the adversary cannot do easy computations with a symbol. It cannot do any computation at all. But it can ask for the challenger to do the computations for him. For example, if the adversary asks for a simple addition to the challenger the challenger will give him an answer. If the sum has already been computed it will output a symbol that the adversary has already seen. If not, it will create a new symbol. In the end, the adversary may output a group element which means that the adversary outputs a symbol and the challenger is able to find in the list which symbol, where was the symbol so it can get from there the decomposition that the adversary used to create this symbol. This will be a decomposition depending on the inputs that the challenger gave. So, that's how the generic group model works. Let's see what is the difference with the algebraic group model. The algebraic group model was designed by Fouge-Bauer, Kitz and Loss in 2018 and this model works with an adversary and a challenger also. The challenger gives as input some group elements but now in the algebraic group model the adversary will see the actual group element. But when outputting a group element we consider that the adversary is algebraic. So, how we usually formalized it is we say that the challenger has access to an extractor algorithm which extracts from the adversary the decomposition that the adversary used to compute the group element. But what we want to do in the algebraic group model is we want to get rid of the extractor and to do that we will say that in the algebraic group model each time an adversary outputs an element y it will also output the vector alpha which gives the decomposition that the adversary used to compute y. So, this gives the decomposition depending on the input of y at the moment that the adversary computed y. So, we don't need an extractor anymore in our group. So, what I want to say also is the fact that the standard model stands in between the standard model and the generic group model meaning that if a property holds in the standard model it will hold in the algebraic group model and if a property holds in the algebraic group model it will hold in the generic group model. Okay, let's introduce now Schno signatures. So, I first want to talk about Schno identification. This is the simplest Schno protocol and in this protocol you have one user and one prover. This is in a group j of order p with capital J being a generator of the group. And the prover has a secret x that he wants to prove the knowledge of to the user. Capital X is the public key which is computed as this with the secret and the prover picks a random r and it will send r to the user. Then the user will pick a random c which is a challenge and send the challenge to the prover and the prover will build this answer s and give it to the user. Then the user can verify that the prover knows a small x by using this computation. This is the verification equation. So, let's see how we can transform this protocol into a signature protocol. So, we don't need a user anymore and now the prover becomes a signer who wants to sign on the message m. And what we do is the signer will compute its own challenge by using a hash function so c will become the hash of r and m. So, using a random protocol we can prove security of this signature scheme and in the end the signature will be the pair r, s. The verification equation is the same so if we see the message m and the signature we can use the verification equation here using the s of the signature, the r of the signature and the c here using the computation of the hash with r and m. So, let's see how we can prove the unforgeability of this in the algebraic group model. So, the unforgeability notion we look at is the existing unforgeability among chosen message attack. I just copied the verification equation here so we can keep it in mind. So, what the adversary does in this unforgeability game is it has access to the random oracle and it has also access to a signature oracle which means it can see as many value signatures as it wants and it has input capital J, generator of the group and capital X. It outputs a message m star and a value signature on the message. So, the proof will stand in two points. First, we want to solve the discrete log of X. So, if we want to solve the discrete log for X we don't know the secret X but we still need to simulate the signature oracle to the adversary. So, what we need to do is to simulate signature query without knowing the secret X. So, that's the first thing we should prove. Can we simulate value signature query? So, if the adversary wants a signature on m what we do is we generate a random c and s and we create r using the verification equation. Now, for the signature to be valid we only need to program the random oracle so that the h of rm would be equal to c and that's something we can do for a challenger because we program every algorithm so that the adversary has access to so we can program the random oracle and we can program the signature of all oracles that's what we are doing here. So, in the end we output the valid signature and the adversary can only see that it is a valid signature. Now, let's see how we solve the discrete log for X. So, first we say that the adversary outputs a valid signature which means that the verification equation holds for this signature and then remember that we are in the algebraic group model so this means that the group element r star has a decomposition depending on the input that the adversary received. So, this means that the adversary built r star using g and x and gamma and xi. So, remember that xi and gamma were computed in the same time r star was computed. It was done simultaneously. X is defined in the same time r star is defined. So, now we can regroup the two equations and see that if c star plus xi is non-equal to zero then we can solve the discrete log for X. We can divide here. So, let's look at the probabilities that this is equal to zero. So, now remember that c star is defined as the hash of r star m. This means that c star is defined after r star is defined. So, remember that xi here was defined the same time r star is defined. So, this means that xi is fixed when we define c star and c star is random because of the random model. So, this means that the probability that c star is equal to minus xi which is fixed is 1 over p. So, this is negligible probability and with high probability we solve the discrete log for X. This is the value for the secret X. And we just show that we've got a tight proof for inforgeability of Schnur signature. So, now let's have a look to Blanche-Schnur signature. So, first I want to introduce Blanche-Schnur's protocol in general. So, in general we've got a signer who has a secret key and a user who wants a signature on message M and after a few interactions the user will get a signature on its message. The properties we want to validate in Blanche-Schnur are the two main properties are blindness. So, to validate blindness the signer cannot link a pair signature message to the signing session. Okay, this is blindness. And inforgeability. So, inforgeability is after L signing sessions no user can obtain L plus 1 valid signatures. So, let's see how we can transform Schnur signatures into Blanche-Schnur signatures. So, first the user comes back and the user wants a signature on message M and the signer has a secret X. So, the first thing we'll notice is that the signer here has R and S inside but the signer knows R, okay? It creates R. So, the first thing the user needs to do is to blind-HAR so that the signer won't recognize R in the signature. So, what the user does is it picks alpha and beta and builds R prime which is equal to R plus alpha J plus beta X and it builds C prime which is equal to the hash of R prime M. Then it builds C which is equal to C prime plus beta because the user doesn't want to send C prime to the signer he wants to send a randomization of C prime. So, it sends C which is a randomization of C prime. Then the signer does the same thing and send S to the user but the user doesn't want S to be in the signature so it does the same thing. It randomizes S in S prime so S prime becomes S plus alpha and the signature in the end is R prime S prime. The verification equation for the user is the same because the signer didn't change its behavior but for the new signature we will see that the verification equation is still old so let's replace S its value so S becomes S prime minus alpha R prime minus alpha minus beta X and C becomes C prime plus beta and we can see that all elements depending on alpha and beta can sell out so in the end we get the same verification equation for the new signature which is great. So let's see how we can attack this scheme on unforgeability with the ROS problem. So what the user does in that attack is first he starts L interactions with the signer in parallel. It doesn't give the C but it makes the signer wait and it starts by asking L, R from the signer. So when it has the L values for R what the user does is it builds the coefficients C, J and rho i, J with J between 1 and L and i between 1 and L plus 1 and those coefficients they must be the solution of L plus 1 of the system of L plus 1 linear equations which are those ok and so there is one equation for each value of i and one so this is a theoretical attack that was designed by Schno in 2001 and so if theoretically the user gets those coefficients then it can send them back to the signer and the signer will give the answer to the user and the user will get L value signature here Now what the user will want to do is to build L plus 1 value signatures So what the user does is it builds R i star here being the linear linearly dependent of the R J here so it's the sum of the rho i, J, R J and we can see that we got R i star that appears here so we already got C i star being the hash of R i star being the same linear decomposition of the C J So let's do the same for the S i star and we've got now L plus 1 signature so let's see if they are valid or not So this is the verification equation Let's start with R i star plus C i star X so we replace R i star by its value and C i star by its value and then we remember that R J are part of the signature so if we use the verification equation here now we can see that all elements depending on X can sell out and in the end we get exactly the value S i star So this makes a valid verification and the signatures are valid so there is one signature for each value of i so we've got L plus 1 valid signatures So the user in this attack is able to forge L plus 1 valid signatures and the fact that the user picks those coefficients is the computationally hard part of the problem so that's what we call the ROS problem and the first result of our paper is that in the algebraic group model plus random oracle model if we use the assumption one more discrete log which is the variant of the discrete log and the ROS problem so if those two assumptions hold, the branch node is unforgeable but what has been shown by Wagner in 2002 is for fixed secure parameter and L actually the ROS problem can be solved in time and space 2 at the power of 55 so this is quite bad news for the branch node signatures the ROS problem is not that strong and that's why in the paper we find a fix to branch node signatures so we introduce closed branch node signatures so remember the branch node signatures the signer sends a random R to the user then the user sends a challenge corresponding to R to the signer and finally the signer answers with S and now what we will do in closed branch node is we will do two branch node sessions in parallel so what the signer does is send R0, R1 to the user and then the user will compute C0 and C1 but now what the signer does is it picks a random bit and it above the session that doesn't correspond to the bit so it ends the session corresponding to the bit sends the bit to the user and sends the value SB that correspond to the session of the bit to the user and the user only gets one signature in the end ok so how does it prevent the previous attack so remember in the previous attack the user was starting L sessions of interaction with the signer getting L values for R and then it was building the row IJ such that and the CI such that it ends the interaction with the signer and the row IJ such that it can get this decomposition for the RI star it also gets the same decomposition for the SI star but the problem the user will have now is for half of the RJ the SI, the SJ here will be missing because the signer won't give all the SJ here half of the session are aborted by the signer so in order for the user to win the game when the user sees the RJ the user must know which RJ it has to use to win the ROS problem to build the RI star so it has to know for which RJ it will have the SJ and for which RJ the session will be aborted so what the user must guess is which session will be aborted so the more the user starts session the more guesses it will have to do in order to deduce which session will be aborted and so the more it will be hard for him it is exponentially hard for him to deduce which session will be aborted so that's why the attack doesn't work now in order to win this attack the user now has to win what we call a modified ROS problem which we believe is quite more difficult so that's the second result of our paper which is in the same model as before using one more discrete log assumption and the modified ROS assumption we get that closed-blanked NOR is unportable okay also what we can say is that the new scheme the closed-blanked NOR signature leaves the signature scheme unchanged so that's good news because now new signing protocol can be dropped in replacement for existing scheme so I want to discuss also further results of the paper what we show in the paper is that closed-blanked NOR satisfies blindness we also show that in the algebraic group model plus random or occult model the signed L-gamal is indistinguishable on the chosen ciphertext attack 2 under the DTH assumption and this is the type proof thanks a lot for your attention I would be happy to answer any comments or questions that you have