This talk is about "Group Signatures and More from Isogenies and Lattices: Generic, Simple, and Efficient". It's a work by Yi-Fu Lai, Ward Beullens, Samuel Dobson, Shuichi Katsumata, and Federico Pintore, and Yi-Fu Lai is giving the talk.

Hi everyone, I'm Yi-Fu Lai. Today I'm going to present this work, which is joint work with Ward Beullens, Samuel Dobson, Shuichi Katsumata and Federico Pintore.

Firstly, we talk about the idea of a group signature scheme. Intuitively, a group signature requires that any member in the group, like a company or a school or a government agency, any member in this group can sign anonymously on behalf of the group. But in case of abuse of this anonymity, there is a special identity called the group manager who can open the signature from the group, which means that he can know who is the signer, and provides the proof for the opening result.

And there are the three following requirements for the group signature. The first one is anonymity. Of course, given a signature from any two people chosen by the adversary, it is possible to tell from which of the two. And if the adversary has access to the opening oracle, then it is called CCA anonymity, otherwise it's called CPA anonymity. It's quite similar to public-key encryption. And the other one is unforgeability. Any colluding members cannot forge a signature that does not trace to any one of them. So if the opener is also corrupt, then it is called full unforgeability, otherwise it's just called unforgeability. And the last one is traceability. Valid signatures should be able to be opened to one and only one user in the group. It cannot be opened to more than two users.

So we also give a brief history of group signatures. It was first proposed by Chaum and van Heyst by using RSA and DLP assumptions. And later, the security notion was formalized in these two works, which provide a framework using verifiable IND-CCA PKE and a signature scheme based on trapdoor permutation functions.
And it is the so-called sign-and-encrypt paradigm. And there have been a lot of applications and real-world deployments using group signatures, like direct anonymous attestation, Enhanced Privacy ID, and a variety of applications in blockchain and cryptocurrency studies. And there have been a lot of post-quantum proposals after 2010, mainly dominated by lattice instantiations. And recently several proposals have achieved the logarithmic property, where the signature size is logarithmic in the number of members, which means that even though your group is very, very large, your signature size can still be very compact. But most of them are lattice instantiations and they use some new techniques from lattice cryptography. So, of course, this kind of technique cannot be applied to, like, say, isogeny cryptography.

So can we have an isogeny group signature scheme that is competitive enough among other post-quantum proposals? The answer is, of course, yes, that's why I'm here. But the difficulty is that the standard sign-and-encrypt technique requires a CCA verifiable encryption scheme, because we mainly need to use the decryption oracle in the CCA game to answer the opening oracle in the anonymity game. And we also require a NIZK for the ciphertext and plaintext relation. But unfortunately, we don't have this kind of practical tool in isogenies with some standard assumptions. This is because, like, SIDH or CSIDH, they all use, like, shared-secret key exchange to obtain encryption. They hash the shared value as the padding to encrypt the message. So because we use that hash function here, we cannot have an efficient NIZK for this relation.

So our solution is that we construct a new verifiable IND-CPA PKE with online-extractable NIZK, where online-extractable means that if you are given a proof, then, by observing the random oracle, you can extract the secret witness from your proof.
But our PKE here is weakly decryptable, which means that the message space of our PKE should be, like, small, like, polynomial size in lambda. But it is good enough to give us the following contributions. The first one, we present a new practical framework for group signatures based on group actions. We also give isogeny and lattice instantiations. And the signature size is logarithmic. We also provide tightly secure variants for our two instantiations. And it is also the first group signature from isogenies and the only logarithmic one, because there are some concurrent works. And the isogeny instantiation has the smallest signature size in the literature among other post-quantum proposals. But in this talk we will mainly focus on the isogeny instantiation here. And this is a simple comparison with our isogeny instantiation. And we have the most compact signature size and the best security guarantee for the users.

So this is the super-high-level view of our construction here. As you may know, if you have a relation, a statement and a witness W, and if you have a NIZK for this relation, or in our instance, we use a sigma protocol and the Fiat-Shamir transform, you can have a signature scheme. For example, this can be extended to an OR-proof relation. An OR-proof relation means that there is a bunch of statements here and your witness is only for one of them. And if you have a NIZK for this relation, you can have a ring signature. It doesn't matter if you don't know what a ring signature is. And for the next one, we add the PKE encryption relation here. We add the ciphertext to encrypt the index here, with randomness R, and we add R into the witness here. So we add the ciphertext into the statement and add the randomness R into the witness. And if you have an online-extractable NIZK for this relation, then you can have a group signature with CCA anonymity.
And the final one is to have full unforgeability, and we have to have a NIZK for the decryption relation, which means the relation between the plaintext and the ciphertext, and the key relation, which means the public key and the decryption key relation. And remark that for the PKE here we only require IND-CPA.

So a sigma protocol for a relation is a three-move interactive protocol between a prover with the secret witness and the verifier with the statement. They do commitment, challenge and response, and the verifier accepts or not. Because the shape is like a sigma, it is called a sigma protocol.

And we recall the definition of group actions. A group acts on a set by an action if it has identity and compatibility. And of course, to have a cryptographic construction, we need the hardness assumption here: if you are given the operation of the action, g·x and x, it is still difficult to recover g. For example, let M be a natural number, let G be Z_N and X be the cyclic group of order M, and define g·x to be x to the g. The hardness here is based on the discrete logarithm of this cyclic group.

And our isogeny instantiation is taken from CSIDH together with the optimization given by BKV19 with the efficient sampling method. So we have a group action g·x on a set of supersingular curves, and we have a special curve that's called E0. That is a supersingular curve that is well known and can be taken from this set. And this is called the group action inverse problem: if you are given s·E0, where s is sampled from the group G, it is hard to recover s, the secret isogeny.

And the final definition is the group-action-based PKE. There are two groups, G and G_M, both acting on the same set X, and G_M, which contains the message space M, acts on X by a public action. And the other action is given by the key generation algorithm. It is part of the public key of the encryption scheme and related to the secret key here.
And we define the action: the encryption of message M, the ciphertext, is M acting on R acting on X_PKE, by the public action and the public-key action respectively. We use the randomness R here. And we do not specify the decryption relation here, but of course we require correctness. And we also assume the PKE is IND-CPA secure. For example, we can also construct this so-called GA-PKE instantiation from isogenies by using CSIDH again. And remark that we require the message space to be small, like polynomial in lambda. This is because, to decrypt, we decrypt by enumerating elements in the message space. Otherwise, if no such message is found, you return ⊥. And for hardness, this PKE is IND-CPA based on the decisional CSIDH problem.

And finally we can talk about our technical overview. We start from the OR proof, or say the OR relation, taken from BKP20. Firstly, there is the OR relation statement we stated before. There is a bunch of statements here and you have a secret witness for one of them. And the verification key will be this bunch of statements here and the witness will be your secret signing key for each member. So we will do this by using a sigma protocol. So firstly, the prover produces a bunch of isogenies and group actions, shuffles them and obtains a set. This is the commitment of the prover. The next is the challenge. The challenge is either zero or one. If the challenge is zero, then the prover provides this bunch of group elements. And the verifier just recomputes these sets, these elements, and sees whether the set he computes is identical to the one given by the prover. If the challenge is one, then the prover just provides s_i + s_i′. And by acting on X_0, the verifier will check whether this falls into the set given by the prover. If so, accept, otherwise reject. And this is a sigma protocol.

So the next step is that we add the encryption relation into this relation.
And the key idea is that we concatenate and shuffle two proofs together. Recall that we have a ciphertext now that encrypts the secret message i, together with the randomness r. So we do something similar here, and the information in blue is public, like negative one, negative two, negative one. And this common statement here, ciphertext 1, ciphertext 2, ciphertext n, they are public. And the prover does group actions again with 2n distinct group elements, obtains a set again and shuffles them together. So the challenge is also either zero or one here. If the challenge is zero, then the prover provides these 2n group elements and the verifier recomputes this part and sees whether these two sets are identical. And if the challenge is one, the prover also provides s_i + s_i′, but he also provides r + r_i′ here. And by acting on the public set element, taken from the public key from the prover, from the opener, the verifier can check whether this element falls into the set of the committed ciphertexts here, ct_i′, this set. If so, accept, otherwise he rejects.

So the next step is that we need to make the proof logarithmic. We use a pseudorandom number generator, a Merkle tree and a commitment scheme. Here the prover uses 2n distinct group elements. And here we just use two, two elements here, with s′ and r′. And then the prover does the commitment with randomness bits_1 to bits_n. And then the prover applies the Merkle tree and obtains a root. This root will be the commitment of the sigma protocol. And all the randomness, s′, r′ and bits_1 to bits_n, is all generated by the pseudorandom number generator from a single seed. And the challenge is also either zero or one here. And if the challenge is one, the prover now just provides a seed, and the verifier recomputes all the randomness and computes whether the verifier can obtain the same root.
Now, if the challenge is one, then the prover provides the randomness bits for the commitment scheme and the path of the Merkle tree leading to the root, and the verifier just checks whether this additional information leads to the same root. If so, accept, otherwise he rejects.

So, in this sigma protocol, we can have online extractability, which means that if you obtain a proof, we can extract the secret witness by observing the random oracle. And we do this by modeling our pseudorandom generator, commitment scheme and Merkle tree as a random oracle. And the reason we can do this is because the challenge space size is just two, and one of the responses, the seed here, can be obtained by observing the random oracle, because we model the pseudorandom generator as a random oracle. And if we repeat the sigma protocol we mentioned before lambda times, the interactive protocol will have two-to-the-lambda security strength. And by using the Fiat-Shamir transform, it can be non-interactive.

So for the proof, roughly speaking, the online extractability and IND-CPA will give us CCA anonymity. And with the hardness assumption of the action, it gives us unforgeability, but not the full unforgeability. And remark that we have a ciphertext here in the statement. So the manager, who owns the secret key, the decryption key of this public-key encryption, the manager can just open the signature by using the decryption key now. So it suffices to construct a NIZK for the decryption relation and the key relation to have traceability and full unforgeability. And we specify the relation here, and by using the similar method we mentioned before we can obtain a NIZK for this relation. And now the opener, or say the manager, provides the proof for the opening result using this NIZK, and then you can have traceability and full unforgeability.
And with other results, we further reduce the signature size by using the unbalanced challenge space, which means that, because you can see when the challenge is zero, the prover just provides a seed, which is much smaller than the response for challenge one, a bunch of stuff here. So we use more zero challenges than ones, and then we can have a more compact signature size. So we give the PKE for the lattice instantiation by using the Lindner-Peikert framework. So the message space can be large here. And we also reduce the signature size for our lattice instantiation by using the Bai-Galbraith method. We also specify the tightly secure variant, and by using the so-called Katz-Wang method, the unforgeability reduction loss is simply one half. In general, in the other work, it has a quadratic loss followed by a square loss. And of course, in ours it is just a constant; concretely it is 0.5 to 0.6 kilobytes, but the signing and the verification process will be slowed down by a factor of two. So it is quite cheap.

So finally, in this work, as we mentioned before, we present the most secure group signature among the group signature proposals. And the isogeny instantiation has the smallest, the most compact signature size in the literature. And this is a brief summary of a few of our contributions. Like we mentioned before, we present a new framework for group signatures by using group actions, with isogeny and lattice instantiations achieving all ideal security properties. And the framework is logarithmic; the size is very compact. And we also provide a tightly secure variant for our two instantiations. And we propose the first group signature from isogenies and the only logarithmic one. And this is the work we present. Hope you find this interesting. Thank you for listening.

Do we have any questions?

I've seen some other ring signature constructions where the verifier is logarithmic.
Sorry, the signature size is logarithmic but the verifier is actually linear. Is your construction like this, or is the verifier also logarithmic?

You mean the verification key?

The ver-, the verification time for the signature, the verification time for the signature that you have to do.

The computational cost of the verifier, I think, is the question.

Yeah, exactly.

Oh yeah, if there are N members in the group, then you have to do N times, you have to do N times group action checks.

Okay, so there's not like, like in some constructions there's like a succinct representation of the group of users that the verifier then uses to save time, but it's not like that.

Yep.

Okay, thanks very much.

Any other questions? Then let's thank the speaker again.