joint work with Sunoo Park at MIT and Harvard. The subtitle of this talk is Repudiability and Claimability of Ring Signatures, but it might as well have been Unrepudiability and Unclaimability of Ring Signatures.

So ring signatures, defined by Rivest, Shamir, and Tauman, are a variant of digital signatures that allow signing on behalf of some set of parties that have the requirements that only a member of the set can have produced the signature, but they hide which member of the set was responsible. So parties can independently generate secret key, public key pairs, and post their public keys. And at any point afterwards, a party can take a set of public keys, including themselves, and sign on behalf of that set. And the signature provides the guarantees that only some member of that set can have produced the signature, but an outside adversary can't tell which member.

So ring signatures are motivated in part by whistleblowing scenarios. So suppose an official wants to come forward with evidence of misbehavior in an agency. So they may be wary of retribution from higher-ups. So they may want to use a ring signature scheme to sign on behalf of some set of senior officials where this set of people sort of provides some sort of reputation that someone in a position of information has provided this message. But then suppose that someone comes to each of these individuals in the ring and demands proof that they did or didn't sign the message. Can they comply? And it's not clear under the usual definitions.

So for another example, suppose that someone wants to use ring signatures to harm the reputation of a celebrity or a politician. So suppose they sign a message on behalf of a set of parties, including themselves and including some celebrity, where the contents of the message are some embarrassing statement.
So of course this doesn't actually say anything about the celebrity having said anything embarrassing, because anyone in the ring could have produced the signature, but they may post this on the internet, it may go viral, and it might harm the reputation of the prominent figure. So is there anything that Alice can do to recover her reputation and prove that she was not responsible for producing the signature?

So to do this, let's take another look at the anonymity definitions for ring signatures. So we have the unforgeability definition and also the anonymity definition that an adversary can't tell which party in the ring produced the signature. So we want to be more specific about the power of this adversary and what information that they have. So there's a whole landscape of definitions for ring signatures. I'm gonna talk now about two of the strongest ones, anonymity against adversarially chosen keys and anonymity against full key exposure.

So in the adversarially chosen keys setting, you have some honest parties that produce keys and you have the adversary that can corrupt as many parties as they want and can also generate malformed keys, and at the end, the requirement that you have is that as long as there are some two parties that were not corrupted by the adversary, the adversary cannot distinguish which of these parties was responsible for the message. An even stronger definition is provided by anonymity against full key exposure, in which the adversary can corrupt all of the parties, but as long as some pair of keys was sampled honestly, even knowing all of the secret keys, the adversary still can't tell which party signed the message.

These definitions don't tell us the whole picture of whether a signatory who wishes to later prove or deny authorship of a signature should be able to do so. And both versions are natural to consider, and what we'd like is a guarantee one way or the other of whether this is possible or not.
So in our work, we introduce four definitions that specify whether this is possible. So a repudiable ring signature scheme is one in which a non-signer can prove that they were not responsible for producing the signature, that some other party in the ring produced the signature. And conversely, in an unrepudiable scheme, this is not possible. Even if I did not sign the message, I am not able to convince someone else of this fact.

And we can also look at whether I can prove that I was responsible. So a claimable scheme is one in which if I produce the signature, I can later come forward and demonstrate that I was responsible, that the signature was produced using my key, if I choose to, or I can never do this. And we can also define an unclaimable scheme in which no matter what I do later, if I, as long as I sign this user ring signature, an unclaimable scheme to sign this message, even if I later want to come forward and prove that I was responsible for signing the message, there's nothing convincing I can say that will assure you that I was responsible for signing the message.

Now when you look at the idea of an unclaimable ring signature scheme, it seems like this shouldn't be achievable. It may seem like this shouldn't be achievable because suppose that you sign a message and you remember the signing randomness. Then you can always come forward and say, here's my signing randomness, you know, you shouldn't do this, but here's my secret key, here's my signing randomness. You can run the signing algorithm yourself and you can see that this signature is produced. So in order to have a meaningful notion of unclaimability, we need to guarantee that non-signers can also produce fake signing randomness that looks real. So even though I might remember the signing randomness and be able to produce it later, anyone else in the ring can also later come up with convincing fake signing randomness and claim that they produced this signature using this other signing randomness.
So nothing I say later would be convincing to guarantee that I produced the signature. Now this guarantee feels somewhat in the flavor of deniable encryption, where you also want to produce explaining randomness for a ciphertext, but somewhat surprisingly, deniable encryption seems to require very heavy machinery, like indistinguishability obfuscation, but in contrast, this notion of unclaimability we're able to achieve from standard lattice assumptions. So sort of the intuition behind the guarantee of unclaimability is that anything that can be produced by the true signer can also be simulated by any other member of the ring, and we can even require that the simulation is information theoretic.

So in this work, we define these four notions of ring signature schemes and we construct each of them. We construct claimable ring signature schemes and a generic transformation from any ring signature scheme, unclaimable from SIS, lattice assumptions, and repudiable ring signatures from verifiable random functions. The fourth variant, unrepudiable, we show is implied by the stronger of the preexisting notions of ring signatures that I presented earlier, ring signatures anonymous against full key exposure. So in this talk, I'll focus on the other three.

So our work also gives some taxonomy of the landscape of ring signatures. We can show that unclaimable is a stronger definition than unrepudiable, it implies it. And also claimable and repudiable ring signatures are compatible notions, so we can have a single ring signature scheme that's both claimable and repudiable. And the other thing I want to mention is that claimable and unclaimable are not opposites, and neither are repudiable and unrepudiable. You can have a signature scheme that's neither. For instance, if claiming requires remembering signing randomness, our notion of claimable is stateless, but you can have a notion where you can claim some of the time or only if you're stateful.
So there's room for definitions in between as well.

So for an outline of the rest of the talk, I'm going to talk about the three notions of claimable, unclaimable, and repudiable ring signatures and constructions for them. So I'm going to start with the simplest to build, which is claimable ring signatures. So to remind you, a ring signature is claimable if the signatory can later come forward and reveal their identity and prove that they were the signer. So the intuition for this is that if we could remember the signing randomness, it seems like if we build things carefully, this should constitute a convincing claim. There's two issues that we need to deal with. We need to make sure that the signing randomness uniquely determines the signer, which, since I'm going to talk about unclaimability in the next section, that's not true in general. And finally, we don't want to remember the signing randomness. So this notion of claimability sort of seems partway between a ring signature and a standard digital signature.

So let's start by, so suppose we want to take a ring signature scheme and a standard digital signature scheme and combine them. So if we want to sign a message, we can produce signatures under both schemes. But in order to preserve anonymity, we can't release the digital signature. So we might mask it using a commitment. And then the signature that we can produce consists of a ring signature and also a commitment to a standard signature. And then the other thing we have to worry about is we don't want to remember signing randomness, so we can sort of store a compressed version of the signing randomness using PRFs and keeping the PRF key as part of the secret key. And then if we want to claim, we can simply decommit to this commitment and reveal that this signature contained a commitment to an ordinary digital signature that's tied to my identity. But if I choose not to decommit and I never open the commitment, then it hides my identity.
So it also satisfies the definitions of a normal ring signature.

So now I'm gonna move on to the second notion, unclaimability, which we build from lattice assumptions. So the idea behind unclaimability is that the signer cannot later come forward and prove that they were the signer. So in order for this to be the case, non-signers must be able to come up with convincing signing randomness so that anything produced by the signer, something indistinguishable can be produced by any non-signer in the ring. And the key technical tool for this will be lattice trapdoors. So our scheme is a, our unclaimable ring signature scheme is a simple augmentation of the lattice-based ring signature scheme of Brakerski and Kalai. So, and in this scheme I'm gonna, in this talk I'm going to present a simplified version that only allows you to sign random messages. But in the paper we give the full scheme.

So the public key is gonna be an SIS matrix. So an LWE matrix with, a random matrix with an SIS trapdoor. And then to sign a random vector, you use the trapdoor to generate a short vector x where all of the entries are small so that A times x is equal to the message y. And then you can just release this. So this would be a digital signature for random messages. But of course it reveals which matrix was used to generate the signature, to verify you need to know which public key was used. So it's not a ring signature scheme.

But suppose that we have a bunch of different, a bunch of different public keys generated by different parties and we want to produce a ring signature with respect to the set of public keys. So we can concatenate them into a matrix. And then we can ask, we have a message that we want to sign. We can ask, we want to produce a very tall vector with small entries so that the matrix vector product equals the target message. And using trapdoor extension techniques, you can generate a short x using the trapdoor for any one of these A matrices.
So any party in the ring can do this. And so basically one way to see this is you can break up this matrix vector product as the sum of a bunch of products of smaller matrices with pieces of the vector. And then you can say, suppose I'm party two. I can take all of the other terms in the sum and move them to the other side. And then my trapdoor to matrix two allows me to produce a short vector x two that, so that this equation is satisfied even though I don't know trapdoors for any of the other A matrices. So this allows me to, so pre-images generated under different trapdoors are indistinguishable. So the signing randomness generated by different members of the ring are also indistinguishable. And this means that no one can credibly claim authorship of a signature because anything that the true signer can produce could also have been produced by any other member of the ring. So what I described here is a simplified scheme for signing random messages, but using the same transformations used by Brakerski and Kalai, we can turn this into an unclaimable ring signature scheme for arbitrary messages.

So now I wanna turn to the final part of the talk where I'm gonna talk about repudiability, which we construct from verifiable random functions. So in a repudiable ring signature, non-signers are able to prove that they were not responsible for signing the message, that some other party of the ring in the ring can sign the message. What was the party that signed the message? So this really consists of two separate guarantees. Firstly, we want to make sure that even in the presence of a malicious signer, non-signers are always able to repudiate in the scheme. And secondly, we want to make sure that no signer can later repudiate if they want to distance themselves from a message that they actually produced. So the key ingredients, the building blocks for our scheme are zaps and VRFs.
Zaps are two-message public-coin witness-indistinguishable proofs, and VRFs are verifiable random functions, are pseudo-random functions that also have the capability to release a proof of the output associated with any individual input without jeopardizing residual pseudo-randomness of any other input.

So suppose we wanted to use a VRF to produce a ring signature. Well, what we might do is we say, okay, we can use the message as the input to the VRF and we can produce an output and then we can also prove that that output is correct. So the public key would consist of the VRF public key, and then to sign a message, you can release a VRF evaluation and proof of the message. The problem is, of course, that this is tied to an identity. So we might want to try to hide which identity was used to produce the signature by using a zap. Now, this isn't gonna work. So the zap will say this is the right message, this is the right output for the VRF on input the message. This isn't gonna work because zaps provide only a witness indistinguishability guarantee. So if there's only one witness, they're not guaranteed to hide anything. So this won't hide which member of the ring was responsible for producing the signature. It does give a digital signature, but not a ring signature.

So instead, let's try to use two VRFs and then use a zap to prove the statement that either the output under the first VRF is correct or the output under the second is correct. And here, in the security proof, we can switch from using the VRF of one party in the ring to the VRF of another party in the ring. So we can get the anonymity definitions of ring signatures. This does give a ring signature. But then when we want to repudiate, we have to show that both of these VRF outputs are incorrect. And to do this, we still can't do this.
I mean, we can do this once by revealing our key material and showing that these are the wrong values, that my VRF outputs are different, but then I'm revealing my VRF outputs and anyone else can forge the same message under my key. So we don't want, so this is not good. We want to make sure you can repudiate over and over again as many times as you want without violating anonymity of later messages that you sign and without allowing the adversary to forge on messages that you repudiate. So this isn't gonna work either.

So one didn't work, two didn't work, let's try four. Okay. So now the statement we want to use the zap to prove is that one of the first two VRF outputs is correct and one of the last two VRF outputs is correct. And then our signature will consist of the zap proof and the four outputs. So now in order to repudiate, we want to show the opposite of this statement. We want to show that if I want to repudiate, I want to show that for my key, either one of the first two outputs is incorrect, either both of the first two outputs are incorrect, or both of the second outputs are incorrect. So in order to do this, I can produce VRF proofs of each of these. I can produce a, I'm sorry, I can evaluate my VRF on the message and produce these output values, Y1 prime and Y2 prime. And then I can prove that my VRF outputs are different using a zap. And then the other two values, Y3 prime and Y4 prime, are not used in the honest repudiation, but they're used in the proof to hybrid over, to hybrid from one, from repudiation under one signer to repudiation under another signer, and to show that releasing these repudiations does not jeopardize the other properties that we want.
So to summarize, we present four new variants of ring signatures, claimable, repudiable, unclaimable, and unrepudiable, that provide functionality for allowing members of a ring to prove that they were or were not responsible for producing a particular signature, and also definitions that guarantee that they should be impossible. We give constructions of these from various, and we give constructions of these from various assumptions. Thanks very much.

All right, thank you Adam. We have a little bit of time for questions. If you have a question, please step up to the microphones in the aisle so that everyone can hear you.

Yes, thank you for this nice talk. So regarding your construction of unclaimable signature from SIS, do you think that it's possible to transform it into a claimable one?

So the question is, can we transform the unclaimable construction from SIS into a claimable one? So you can take any ring signature construction and transform it into a claimable one, but if you start with one that's unclaimable, once you apply the transformation, it will no longer be unclaimable. So you can turn it into a claimable one, but then you'll lose the structure that made it unclaimable to begin with.

Okay, thank you. Thanks for the question. Yeah.

If we have an unconditional anonymous ring signature, would it be unclaimable by default?

If you have an unconditional what ring signature?

Anonymous.

Anonymous.

Yes. So there are some DL-based ring signatures that are secret keys uniformly masked in the group. So for any secret key, you can find randomness in the group.

So if-

And this would be unclaimable, I think.

So I'm not sure of the particular constructions you're referring to, but if you can produce randomness for any signature, that is indistinguishable from- If any member of the ring can produce signing randomness that's indistinguishable from real signing randomness for a particular signature, then it would be unclaimable.

Okay, final question. Yes, sir.
So how's your definition of the claimable ring signature different than the designated identifiable ring signatures?

So thanks for the question. In the designated- So in our definition of claimable ring signatures, there's no designated honest party. And the definition you're referring to, my understanding of it is that you can, at the time of signing, you can refer to, you can designate some public party who's identified, who later has the ability to de-anonymize you whenever they want. In our signature, there's no public party, there's no trusted parties at all in our claimable definition.

So that you don't need to have a trusted party who can have the whole world to be designated identifiable very fast.

But the designated party can de-anonymize you. So you're not anonymous with respect to the party that you designated, that's my understanding. I might, we can talk offline.

Also like, how's the repudiable definition different from the step-out ring signatures? Because the step-out ring signatures also has this property where a non-signer can prove that they did not sign it.

So I need to look at the paper you're referring to, I'm not sure.

Okay. Thank you.

All right, let's thank the editor again.