Hi, my name is Shu, and this is a work with Rafael Del Pino. So what we do is that we propose a more efficient lattice-based round-optimal blind signature in this work. And our work can be extended to satisfy partial blindness, and it's also the first scheme to be proven secure in the quantum random oracle model.

We follow a generic blind signature recipe by Fischlin05, where the user commits to a message and creates its commitment. And the signer will sign on this commitment. And the user, when given this signature, will provide a zero-knowledge proof that this signature is a valid signature on this commitment, which is a valid commitment on the original message here. And the whole issue here is that this signature and this commitment must be kept hidden for blindness to hold. And our work is basically providing a new approach to this component.

So prior to our work, there were three main lines of work for blind signatures. One is a Schnorr-type blind signature. And this has been the most active area of research, but Hauck et al. recently showed that provably secure parameters require a signature of several megabytes. There's also a very recent work by Lyubashevsky et al. that constructs a new type of blind signature from one-time signature with an OR proof. This is an interesting deviation from prior techniques, but it requires an upper bound on the number of signatures at setup. Finally, the third one is instantiating Fischlin's generic construction. And Agrawal et al. create, well, provide two generic constructions. And the first one is based on random oracles and evaluating that random oracle using FHE. So this is rather heuristic. However, the second one is very efficient, but it requires a one-more-SIS assumption, which is non-standard and needs a bit more cryptanalysis to base confidence on.

So our work in more detail is that we provide the first round-optimal scheme that supports unbounded signatures.
So the verification keys can support any unbounded polynomially many signatures. It's also based on standard lattice-based assumptions. And it's the first to be secure in the quantum random oracle model. And it is more efficient than prior works, so it provides around 100 kilobytes for the signature. And since it's a generic construction, we could plug in recent NIZKs to further lower the signature size. And Agrawal et al. recently updated their paper. And what they did was that they used the recent NIZK by Lyubashevsky et al. in Crypto this year to achieve a shorter signature size than what we did.

So at the heart of our construction, we provide a new commit, then sign, and zero-knowledge proof protocol. So here the client will create a commitment to this message. It will send it to the signer. The signer will sign this and then provide a signature back. And what the client wants to do now is that it wants to prove in zero-knowledge that it has a commitment and signature pair such that this commitment opens to this public message and that this commitment is also signed by this signer. And here we want to keep the commitment and signature private because this is how we get blindness for the resulting blind signature. And we know how to do this efficiently in the classical setting using discrete log or DDH type of arguments. But it's surprisingly non-trivial to do this in the lattice setting. And this is basically why most prior techniques or all prior techniques require a relatively inefficient scheme.

So at the core of our idea is that we use an ABB-style signature for this signature and to proceed with this commit-and-prove protocol. So for ABB signatures, the message is embedded into this lattice and the short vector e will be the signature. And this is a transformation inspired by Del Pino et al. But here we'll just replace this message times G by a commitment C.
And this commitment will be using a very traditional lattice-based commitment and it will be in the form of BR plus message times G. And here, if we combine these equations together, the client can recompute this equation and transform it into this kind of public matrix times private short vector equation. And at this point, this is a simple SIS relation with an accompanying efficient NIZK. So for more details, please refer to our full presentation or our paper.

And although I didn't explain it in detail, the most technical part of the work was not at the core idea, but it's a more subtle part where this commitment C has to be proven well-formed via NIZK. But here, due to security-proof issues, we need this to be multi-proof online extractable, which is a very strong property. And to achieve this in a relatively efficient manner, we rely on the recent techniques to get this strong NIZK. And this will give us also, as a bonus, security in the QROM. Thank you for listening.