 Hello everyone, I am Kwong Nguyen from the University of Wollongong, Australia. Today, I am going to talk about a new approach to address the tension between privacy and accountability in multi-user authentication systems. This year, I tried work with my colleagues at the University of Wollongong, Puchung Kuo, Willy Sushilong, and Guomin Yang. We call our new cryptographic primitive multimodal private signatures. Here in the plan of my talk, first I will discuss several prominent examples of previous multi-user signature systems with privacy and accountability features and our observations regarding their shortcomings. Then I will demonstrate how our new primitive can address these shortcomings. Next, I will sketch our definitions and conclusions for multimodal private signatures. Finally, I will list several interesting questions that we left open. Let us first consider the setting of print signatures, one of the most well-known private signature systems. We have a group of users. Each user has a secret signing key which can be used to sign messages in an anonymous manner. Here, signers with personal identifiable information ID can issue a signature on any message in a way such that the signature verifiers can be convinced that a signature was from someone in the group but cannot determine who is the actual signer. Here, recent nature provides absolute privacy for signers. Absolute anonymity could be a nice feature that protects the users in certain situations, such as wish-of-lawing. However, it can also be abused for an ethical or illegal purposes. Therefore, it could be desirable to restrict the accepted anonymity of users in print signatures. In fact, there have been several attempts, such as linkable signatures or traceable signatures. However, the linking and tracing mechanisms in this system can only be activated if the signer in the questions has generated at least two signatures. If a man is a signer, only issue one controversial signature and then went offline forever, then it can avoid accountability. If we look for a primitive offering both anonymity and accountability, then the most well-known example is group signature. In group signature, we have an opening authority who the secrecy can be used to trace any valid signature and recover the identity of the signer. This authority is supposed to take action only in case of these bills. But wait, if this authority is corrupted, then it can open all signatures at will and in that case, there is essentially no privacy for users. There have been several attempts to restrict the power of the opening authority in group signatures, such as traceable signatures, group signatures with message-dependent opening are accountable tracing signatures. However, in this system, there is always a party who can break signer's privacy without any consent. So on the one hand, we have ring signature and variance that give too much privacy for users. On the other hand, we have group signatures and variance that provide too much power for the authorities. Finding a solution that is reasonably fair for both users and our authorities, a solution that balance privacy and accountability was a challenging problem for a long time. A new approach towards solving this tension was proposed last year at Eurocrypt in a work by Libert, myself, Mithos and Jung. We introduced bifurcated anonymous signatures, or bias for short, which can be seen as a hybrid of ring signature and group signatures. More precisely, a given bias could be traceable or non-traceable, depending on a predicate bit P computed by the signer before signing. If P is Euro, then a signature is non-traceable, and the authority can learn nothing about any as in ring signature. If P is 1, then a signature is traceable, and the authority can recover ID as in group signatures. Since the user knows P in advance, it can control its privacy and accountability. In the traceable case, it can decide whether to sign the given message or not. On the other hand, the authority can also ensure that signers of all traceable signatures will be kept accountable. So, bias seems to have provided a nice solution to the tension between privacy and accountability. However, there are still problems. There is in fact a crucial disadvantage of bias of group signatures and all similar proposals. We observe that accountability in the systems is realized via a total tracing procedure, during which the whole identity of the trace users must be disclosed to the authorities. This level of accountability is indeed a serious violation of users' privacy. Why privacy can be a very complicated notion. In its purest sense, it can be defined as the right of an individual to control which piece of information about herself or himself can be disclosed. Furthermore, in many real-life situations, it is not necessarily the highest priority for authorities to perform a total tracing. For instance, the authorities could only be interested in learning whether an anonymous user is over 18 years old, or works in a given organization, or lives in a particular area, or has an annual income exceeding certain thresholds, or has been fully vaccinated against COVID-19, etc. This observation motivated us to consider systems in which users and authorities have certain agreements on which piece of information can possibly be disclosed for each signature. Our proposal can be summarized as follows. When setting up a system, we specify a list of signing functions and a list of K disclosing functions, denoted by G1, G2, and so on to GK, where K is a positive integer. If user ID wants to sign message M with respect to a signing function F, then it first computes F of M, W, and ID, where W is an auxiliary information that we call a witness. It serves as an evidence for the signability of the top of M, W, and ID. The value of F is an integer between Euro and K. If it is Euro, then M cannot be signed and a user aborts. Otherwise, when F is non-Euro, the user can generate a valid signature that is anonymous to everyone but the opening authority. So, what the opening authority can learn then? If F is equal to 1, then it can learn the function G1 of ID and nothing else. If F is J for some integer J, then it can learn the function GJ of ID and nothing else. The value of F indeed determines which disclosing function will be activated. Looking back, our proposal captures ring signatures, group signatures, and bias as special cases. Ring and group signatures correspond to the case of a single disclosing function. For ring signatures, it is the Euro function. For group signatures, it is the identity function. Meanwhile, bias corresponds to the case of two disclosing functions, the Euro function and the identity function. As an example application, let us consider the scenario where we have anonymous financial transactions. Each has a hidden amount of money, such as in the privacy-preserving cryptocurrency system monitor. The authority, for instance, can regulate the system as follows. When an amount less than 100, the transaction will be anonymous to everyone, including the authority. However, when the amount is between 100 and 1000, the authority will be able to learn the country of the sender. When the amount is between 1,000 and 10,000, the authority can identify the country and the organization of the sender. Finally, for an amount at least 10,000, then the full identity of the sender can be traced. In other words, we can have a fine-grained accountability feature. Depending on the underlying transaction amounts, the authority can learn different pieces of information about the sender. Now let me summarize our contributions. First, we propose the concept of multi-model privacy signatures, or MPS, which is a new approach for addressing the tension between privacy and accountability in multi-user signature systems. Signatures in MPS are anonymous to everyone, except the opening authority, who can learn some bachelor information of the user identity. That piece of information can be defined in a flexible and fine-grained manner, based on a set of disclosing functions. Privacy is naturally achieved in MPS because the sender can decide which piece of personal information can be disclosed. Accountability is also achieved, since the authority can learn the desirable information if needed. Next, we provide rigorous definitions for MPS. This step is quite exciting and is not straightforward at all. We would like to make our definitions as general as possible by capturing not only the privacy and accountability of ring group and bias signatures, but also the fine-grained controls on who can sign which message, as in attribute-based, policy-based, and functional signatures. It is also worth highlighting that the privacy definitions for MPS is quite involved, since we have to address the case where the opening authority is fully corrupted. This level of privacy is impossible to achieve in ordinary group signatures. We provide a generic and modular construction of MPS for arbitrary functions based on commonly used cryptographic building blocks. Our construction can be instantiated in the standard model from pairings. We also obtain a concrete lattice-based construction in the random protocol model. Regarding security of MPS, we require two main properties, privacy and responsibility. Privacy roughly ensures that each party in the system can only learn the piece of signer's information which the signer intends to disclose. There are, in fact, two notions of privacy that we should consider. First, without the OA secret key, it should be invisible for everyone to learn anything about the signer's private information. Second, even a fully corrupted OA cannot learn anything beyond the value tj of id. This is a very strong requirement indeed. Unfortunately, it captures several requirements. First, it should be invisible to generate a valid signature with respect to a double MW id which is not signable. Second, it should also be invisible to mislead the signature opening. And third, no one, even a coalition of corrupt group manager and corrupt opening authority can issue signatures on behalf of an honest user. The second and third requirements, in fact, resemble the notions of full traceability and non-framability in dynamic group signatures. In terms of constructions, we obtain a generic construction of MPS for arbitrary signing functions and arbitrary disclosing functions. The construction relies on commonly used cryptographic building blocks, namely ordinary distal signatures, CCACQ public inclusion, and non-interactive unit proof for general statements. As a feasibility result, the construction can be realized in the standard model from parents via the Roth-Oschlopsky-Sahaya proof system and from lattices via the Piper-Sahaya proof system. Our construction follows the sign-z-include-z-proof paradigm which is typically used for designing group signatures. The group manager certifies the membership by signing the user's identity when issuing a signature, the user encrypts something and grows well-formedness of CypherTest as well as knowledge of a valid membership certificate. Note that in group signature, user typically encrypts its full identity id, in bias, the CypherTest contains either id or euro. Here, the main difference is that CypherTest contains exactly what needs to be disclosed. Proving well-formedness of such a CypherTest in general knowledge is the most important step of the construction. As illustrations, we instantiate the system with concrete signing and disclosing functions. The correct evaluation of which can be efficiently proved in general knowledge. We obtain a parent-based construction in the standard model as well as a lattice-based scheme in the random model co-model that potentially enjoys most quantum security. To be more specific in both instantiations, we consider the setting with a single signing function F and four disclosing functions. We let message M be a commitment to witness W and define function F based on integer ranges. This is to capture our motivating example about anonymous financial transactions with hidden amounts. We also consider this closing function as linear transformation of id, which are sufficient for many applications. The parent-based and lattice-based construction follows the same paradigms as the generic construction, but we employ some of the dedicated building blocks for efficiency reasons. Specifically, the parent-based scheme employs a bit of same commitment, a structure preserving signature by KINDSR, the vulnerable young signature, type-based BKE by KINDSR and the growth cypress. Meanwhile, the lattice-based scheme uses the KTX commitment, a signature scheme of efficient protocols by Libertadon, a CCACQ PKE obtained from the GBV IVE and the CSK transformation, and the Sterlite general argument systems. Finally, as the first work on multi-model privacy signature, we do not expect to provide a total study of this primitive. We leave several interesting open questions for future investigations. The first question is to construct practically usable MPS schemes with expressive signing and disclosing functions. Designing efficient MPS schemes with both quantum security is also a fascinating question. Note that our proposed parent-based and lattice-based construction do capture quite expressive functions but are not purely efficient. From the theoretical perspective, it is worth studying the connections between MPS and other advanced primitives like functional encryption. In fact, the idea that the encryption reveals a function of the identity is closely related to the spirit of functional encryption. However, so far we have been unable to obtain a concession of MPS based on functional encryption. Another appealing question is to equip MPS with additional functionalities such as verifiable opening of user revocations. Let me conclude my presentation here. Thank you for your attention. I am happy to answer your questions either online after the talk or via emails. Thank you.