 OK, so thank you for the introduction. So blind signature schemes are two body protocols where a user can obtain a signature on some message from a signer in such a way that the signer cannot link the resulting message signature pair to the signing process. And these are important billing blocks for e-voting, eCache, and one show at real base credentials. So the motivation behind this talk was that round-optimal blind signatures are notoriously hard to construct in the standard model. And so far, in over 30 years of research and out of over 50 different constructions, only two of them are in the standard model. And these two constructions make heavy use of complexity leveraging and, therefore, practically inefficient. So the main difficulty here seems to be the malicious key model, where the adversary fully determines the public key and that reduction has no access to the secret key. And this is even underlined by some impossibility result by Fischler and Schröder, which determines certain criteria for schemes under which it is impossible to find reduction from the unforgability of a blind signature scheme to non-interactive assumptions. And OK, so vice round-optimality desirable. It's, first, an important measure for efficiency. And secondly, it automatically gives concurrent security, which has to be dealt with otherwise if it is round-optimal. OK, so what we will see in this talk is, firstly, a new way to build round-optimal blind signatures. And we are going to build them from structure-preserving signatures on equivalence classes, which have been introduced at last Asia Crypt. And this is the first practically efficient standard model construction, and we will also give an extension to partially blind signatures. And we will also show how to build one-shot ABCs in the standard model using a similar approach. There is, however, one main caveat, namely the blind disease holds under an interactive variant of the DDH assumption. And secondly, the second part will focus on new results on structure-preserving signatures on equivalence classes, SPSEQ. So we will see a first, but in some way, restricted standard model construction. We will see that SPSEQ implies ordinary structure-preserving signatures. And this also means that optimality criteria determined by arbitral carryover to SPSEQ as well. So throughout this talk, we will need type III by linear groups. And I will denote the generate of group G1 by P and the generate of group G2 by P hat. And we will also talk about structure-preserving signatures. These are signature schemes defined on bilinear groups, which allow us to sign group element vectors. Signatures and public keys are, again, group elements. And verification is just done by the evaluation of pairing product equations and group membership tests. OK, so what does it mean when we talk about signing equivalence classes? When we've got a prime order group G and consider G2DL, then we can define a projective equivalence classes on G2DL, which are lines going through zero without containing the zero vector itself. So in other words, two elements m and n fall into the same class. If one is a multiple of the other. And signatures scheme defined on such equivalence classes has the functionality that once we obtain signature on one representative of such a class, we can obtain arbitrary signatures on arbitrary other representatives of the same class. So and if the DDH assumption holds on the underlying group, then we get some sort of indistinguishability notion defined on the classes for free. So like ordinary structure-preserving signatures, SPSEQ have a bilinear group generation algorithm, a key generation algorithm, a signing algorithm, and a verification algorithm. And additionally, we've got an algorithm which performs that change of representatives by taking input and message signature pair. And this is output. This algorithm then outputs signature for another representative of the same class, depending on some scalar mu, which is used for choosing the other representative. OK, so what about the security properties? We have got correctness, EUFCMA security, and basic notion for the distribution of signatures, which we termed class hiding. And which we are going to supersede with other notions subsequently. This notion says that a random message signature pair coming from one class we have already seen is indistinguishable from random message signature pairs. And EUFCMA security is here defined with respect to equivalence classes. So the game requires that the adversary outputs a forgery m star sigma star such that the message m star defines an equivalence class different from all the equivalence classes defined through the queries. So now we need some properties during this talk for the signature distribution, which are stronger than class hiding. So the first one is perfect adaptation of signatures. It demands that an adapted signature has the same distribution as a freshly issued signature. And an even stronger notion is perfect adaption on malicious keys, where we just require that the signature output by the change wrap algorithm is a uniform element in the space of signatures on the updated representative under the same public key. OK, so now let's talk about the blind signature construction. So it is black box from any SPSCQ, EUFCMA secure, perfectly adapting SPSCQ, and blind under an interactive variant of the DDH assumption and malicious key model. And we can also prove blindness in the honest key model under the DDH assumption. So the basic idea here is to use that the user at first compiles a Peterson commitment to some message m using a commitment key Q, which is part of the signers public key. Then sends an arbitrary element of the equivalence class defined by the normalized representative holding the commitment C in the first component. And as I said, it's normalized so that it holds the generator of group G1 in the second component. Obtains a signature on this from the signer. And then using the change wrap algorithm, so this inherent property of SPSCQ, the user can derive a signature on the original normalized representative. So the user then finally outputs a signature plus a modified opening of the Peterson commitment. So in more detail, at first, the user holds a message. And the signer has a public key and a secret key. Next to, besides containing the SPSCQ secret key and public key, these two keys contain additional values. The secret key contains a scalar Q, which is the commitment trapdoor. And two values Q and Q hat, which is basically the commitment key. And we require here the second value Q hat, which is in G2 for modified opening of the Peterson commitment. So at first, then, as I said before, the user compiles a Peterson commitment by choosing some random SR and using the commitment key Q. And extends this to a vector with the generator of G1 in the second component chooses a random from scalar S, which the user uses to choose an arbitrary representative of the class defined by this normalized representative. Gets back a signature P on the blinded message of the so blinded message. Is able to run the change-trap algorithm in order to obtain a signature on the normalized representative, so the unblinded message. And then outputs a signature tau holding the signature sigma. And two values R and T for a modified opening of the Peterson commitment. So when a verifier is then given message M and signature tau, the verifier first recomputes the Peterson commitment using the value T. And then checks whether the corresponding normalized representative of the class verifies under sigma. And additionally, the verifier has to check whether the discrete locks contained in the value T with respect to base P are times Q. And does so by using these two pairings here. OK, so what about the security of this scheme? It's unfortunable under the EUF-SMA security of the SPSEQ and the Diffie-Hellman inversion assumption. And blind under SFRA set under an interactive variant of the DDH assumption in malicious scheme model. So throughout this talk, I will focus on the blindest proofs as the unfortunability proofs are rather straightforward. So as a warm-up, I'm going to talk about how to prove blindness in the Oniskey model. And here I will give an idea of the experiment. So here in order to prove blindness, the adversary is in the role of a signer. And the experiment at first picks at random a bit B and runs the adversary on a key pair SKPK. So then the adversary outputs two messages M0 and M1. And is given one time access to two user oracles, depending on one for a message and B and one for a message M1 minus B. OK, and finally, the adversary has to output a bit B star and wins the game if B equals B star. And if one interaction fails, then we set both resulting signatures which result from the user oracle to BOT. OK, so how to prove this now by a sequence of games? The original game series, the original game. And as you can see here, the values which in front of the commitment key Q, which are color blue here, are the randomizer for the commitment and the blinding value S. And now in game one, we exchange these for the first user oracle with some random value T. And we do so in game two for the second user oracle. So in game two, both messages are perfectly hidden from the adversary. So and under the DDH assumption, then game zero is computationally indistinguishable from game one, and so is game one from game two. Now how to simulate the user oracle? We do so by embedding a DDH instance and perform the blinding and un-blinding with respect to this DDH instance. And since we've got access to the commitment trapdoor, we can recompute the blinded message with respect to this DDH instance. Now how can we perform the un-blinding and obtain a signature on the un-blinded message? We perform the un-blinding with respect to the other parts of the DDH instance. And as we've got access to the secret key, we can recompute a fresh signature on this un-blinded message. So of course, we have to take care of the distribution of this signature and perfect adaption, the perfect adaption property guarantees us that it is identically distributed to some signature output by the change trap algorithm. So now if the T in the DDH instance equals R times S, then we have simulated game zero, and otherwise we have simulated game one. Now what about proving blindness in the malicious key model? Here, the public key, as I've said before, is fully determined by the adversary, and the reduction has no access to the secret key. The rest of the experiment stays the same. OK, so what we at first have to do is we have to replace the perfect adaption property by the perfect adaption on a malicious key property. And then the second problem we are facing is that we can no longer embed the DDH instance since Q and Q hat are fully determined by the adversary, and we don't have access to the commitment trap or scalar Q. So what we can do now is replace the DDH assumption by an interactive variant of the DDH assumption, which is relative to Q and Q hat. But still, for the un-blinded, we can't recompute a fresh signature then. But what we can do is we can use the adversary A assigning Oracle by revining the experiment. So what does this interactive DDH variant, I was talking about, look like? So the adversary first outputs Q and Q hat, which come from G1 and G2, and are required to contain the same discrete logs, which we can check efficiently using two pairings. So then the adversary has to decide when it is given RP, RQ, SP, and TQ, whether the T in there is random or the product of R and S. And this assumption is hard in the generic group model. OK, so now I'm going to sketch how the proof in the malicious key model looks like. So as I've said before, we use revining. So we've got two runs for simulating one Oracle. And in the first run, we perform the blinding and un-blinding honestly by picking a scalar S prime at random. And due to the knowledge of S prime, we can then run change-wrap and obtain a signature on the normalized representative from the signature returned by the adversary. So after, we have derived the signature sigma B, which we store and we remind the experiment to the step before the blinding randomizer S prime has been chosen. So then in the second run, we hold the signature obtained in the first run, sigma B. And we perform the blinding and un-blinding with respect to the interactive DDH instance, similar to the way we have done it before with the DDH instance in the honest key model. OK, then we send a blinded message, which is for which computation we use the interactive DDH instance to the signer get back signature P prime B, which we can discard. And then the adversary finally outputs signature tau B containing sigma B from the first run and two values, r and t, for the modified opening, which are also stamped from the interactive DDH instance. So far, we don't know any standard model SPSEQ construction, which we can use to instantiate this blind signature scheme. And we only know a generic group model construction. And when we instantiate the scheme with this construction, then the user and designer algorithms just need a few scalar multiplications and verification is just done by evaluating certain pairings and one scalar multiplication. OK, so how about partially blind signatures? In order to build partially blind signatures in a similar way, we just extend the vector length from 2 to 3 and use the additional component to include the common information. And in a similar way, we can also build one show ABCs by exchanging the Peterson commitment for a generalized Peterson commitment, which allows us to commit to message structures. And additionally, during issuing and showing, we need proof of knowledge over the attributes. So we also have got some new details on SPSEQ. Namely, we know that SPSEQ implies ordinary structure preserving signatures. And we do so by, when we want to sign a vector m, we additionally include a component holding the generator. And so we restrict each class to one valid representative. And this is just like the standard UFC main security of structure processing just then. And this also means that the optimality criteria determined by ARVET, I'll carry over to SPSEQ. So we can't do better than having three signature elements coming from both groups, G1 and G2. And we need at least two bearing product equations for verification. And furthermore, it also means that for optimally short SPSEQs, there is no reduction to any non-interactive assumption, which also means that the generic group model construction so far is optimal in this sense. So we can only prove it in a generic group model. OK, so what about the standard model construction? As I've said before, it's a rather restricted construction since it is only class hiding. And we derive it by using a trick of ARVET, where we include two random elements into two additional random elements into the messages, which we then sign additionally and include into the signatures. And this UFC proof is more involved than the ARVET. OK, so now I'm going to conclude this talk. So what we've seen is a new way to build efficient round optimal blind signatures and how to derive partially blind signatures, one-show ABCs, and all of these constructions are secure in the standard model. And we've also seen some new results in SPSEQ, standard model construction, new properties, and that SPSEQs imply ordinary structure-preserving signatures. So thank you for your attention.