...line or not. Yes, our next speaker is right. Okay. The next talk is going to be about one-shot Fiat-Shamir-based NIZK arguments of composite residuosity and logarithmic-size ring signatures in the standard model. This is joint work by Benoît Libert, Khoa Nguyen, Thomas Peters and Moti Yung. Thomas Peters will give the talk. Thomas, any time.

Thank you for the introduction. Do you hear me well? Yes. Yeah, perfect. Thank you. So yes, this presentation is about non-interactive zero-knowledge arguments and, more precisely, how we can build concretely efficient arguments based on the composite residuosity problem. As an application, we show how we can get really short ring signatures in the standard model, and this result does not rely on pairings. For those who are not familiar with the concept of ring signatures, let me give a brief recap of what it is. We have a signer on the left: Bob, who uses his secret key SK_B to sign any message. But at signing time he also embeds in the signature a ring of other verification keys that come from other users. Why does he do that? Because now anyone can check the validity of the signature as usual, but can only learn that someone in the ring produced the signature, without knowing exactly who did it. So we have a kind of anonymity property there. As far as correctness is concerned, it means that as long as you have a verification key VK in the ring and you are using the associated secret key, you can sign any message under any ring, and the signature will be deemed valid as long as you use the same ring R to make the check. Ring signatures found applications in the whistleblowing context and in cryptocurrencies, and I will only give additional motivation for the whistleblowing case.
Now we can simply think of Bob as a journalist who wants to disclose some document that he received, and he wants to authenticate the document based on his reputation so that anybody can believe in the document, in the sense that it will not be considered fake news. But while other people might be upset by this disclosure, Bob wants to hide his identity among a crowd of other users, and he uses a ring signature with the verification keys of other journalists with good reputations as well. So yeah, that's the idea. I think it's clear why we need the anonymity property, but in ring signatures the anonymity property that we target is really strong, meaning that the adversary should remain unable to identify who the actual signer is even if it knows all the signatures and all the secret keys that are involved in the ring. In the paper we achieve that in a statistical sense, and even if the adversary is able to inject verification keys that are malformed, that is, that are not the output of the key generation function. As for unforgeability, we only reach it from a computational assumption, of course, and it simply says that you keep the usual unforgeability as long as the adversary did not corrupt any user in the ring. But of course it can corrupt many other users in the system, and that should not help it produce a new valid signature. Okay, so that was for the application. Let's come back to the beginning of the story: we start with Sigma protocols, and thanks to the previous presentations I can go really quickly through that. We have a three-move protocol here, where X is the statement and the prover P wants to prove to the verifier V that X is in the language. First the prover simply commits to some value that we call the first message A and sends it to V, and it is V that sends back a challenge to P. Here the challenge space, as you can see, is big, since it depends on the security parameter in the exponent. Based on that, the prover produces a response.
The verifier can then check the validity of the transcript, where the triple here is called the transcript. Because the verifier is the one who picked the challenge, it can be sure of the validity of the statement. Why? Because if X was not in the language, you can rely on the special soundness property. Special soundness, as we already heard about today, simply means that when you have two valid transcripts with the same first message (you can see that A here and there are the same), then you can easily compute a witness. That means that if you have two such transcripts, of course X is in the language, which also means that if X is not in the language, once the prover commits to A there is only one challenge for which it is possible for him to produce a valid response. Sometimes we do not have two-special soundness; we have something more general than that, where we need more than two valid transcripts in order to extract the witness. Here we will need n plus one, but always with the same first message A. That simply means now that if X is not in the language there exist at most n bad challenges, and I call bad challenges those challenges for which it is possible to compute a valid response at the end.
Okay, so the purpose of the talk is non-interactive proofs. We know in the random oracle model how to compile Sigma protocols into a non-interactive zero-knowledge proof, and also a proof of knowledge. Here the prover does everything and derives the challenge himself based on a hash function, and as long as the hash function can be modeled as a random oracle, we have a challenge which is uniformly distributed over this large challenge space. That means that the probability of falling on a bad challenge is negligible, because the challenge space is big. You can also have extraction and proof of knowledge if we rewind, but that's not what we are focusing on today. Unfortunately this only works in the ROM and not in the standard model, so cryptographers tried to find what the good properties of the hash function are in order to avoid all the bad challenges without relying on an ideal object. An important advance was proposed with correlation-intractable hash functions. These are hash functions that are related to a relation: we are given a relation for which, with the hash function, it's hard to find an x such that x together with its image are actually in the relation. Here we will see how we can use that in our non-interactive protocol: H is given x and a, so x the statement and the first message of the prover, and you see that as your input; if it is hard to find an input for which the challenge will be a bad challenge, then you are okay even if it's not uniform. You just avoid the bad challenges and you have soundness. But correlation-intractable hash functions are hard to build, and many cryptographers tried to make advances in that direction. Recently, in 2019, Canetti et al. showed how to build correlation-intractable hash functions when the relation is efficiently searchable. What does that mean? That means that once you are given one of the two elements of the pair, it is efficient to find the other one.
That means that if we now want to use everything together, the hash function, even if you know what the output of the hash function should be, will not fall on that value. And now, if you can compute these bad challenges, for which you need a trapdoor, then you can build a non-interactive proof based on Fiat-Shamir and such a hash function, from a trapdoor Sigma protocol. The trapdoor Sigma protocol is what allows you to find the bad challenges; this is simply what you can see on this slide. In a trapdoor Sigma protocol you now have a CRS, and associated with that CRS you have a trapdoor value tau, and as long as you have a false statement, so an x which is not in the language, and any first prover message, then tau allows you to find all the n bad challenges, if the underlying protocol has (n+1)-special soundness. We can then simply apply the correlation-intractable hash function of Canetti et al., which is based on fully homomorphic encryption and a special property of the secret key, but the same year Peikert and Shiehian also showed that it is possible to build such a hash function based on LWE solely. Okay, so we can simply say now that's the end of the story, because once you are given a Sigma protocol with binary challenges you can turn it into a trapdoor protocol. So what's the point now? The point is that with binary challenges, if you want to have real soundness at the end, because here with probability one half you may find by chance the one challenge for which you will be able to produce a fake proof, you now have to repeat the underlying Sigma protocol, and you need a linear number of repetitions in the security parameter if you want to decrease the soundness error probability and make it negligible. That means that so far, not only the generic construction but all the instantiations of trapdoor protocols need parallel repetition, and parallel repetition of course is something which gives you less
efficiency if you compare it with cut-and-choose techniques and then with more advanced techniques like Schnorr-like protocols, and this is exactly what we want to bring here: that kind of communication improvement. One important thing to see here is that it is not for free in terms of the trapdoor of the system: if the underlying Sigma protocol has not only 2-special soundness but (n+1)-special soundness for n strictly bigger than one, that means that during the parallel repetition the number of bad challenges will blow up. That means that repetition anyway will make it hard to rely on such a transformation. So the goal of our paper is to show how we can do that in the standard model in one shot, meaning that we can directly have a negligible soundness error when using a large challenge space. Okay, so here is just a starting example of a trapdoor protocol. We start with a basic Sigma protocol, and here, thanks to the previous presentation, we can see that we have a homomorphism, so I can go through that really quickly. But what kind of homomorphism do we have? We work in the DCR setting, the setting in which Paillier encryption has been defined, so we have an RSA modulus N which is the product of p and q, and the language here is the N-th powers: you have to prove that an element is an N-th power of something modulo N squared. Based on that, I think that you can now understand the basic Sigma protocol. Here there is no trapdoor: you simply pick the randomness, you do exactly what you did here, you get the challenge, the response, and the verifier can check this equation, which is exactly the one that we had on the slide before. Okay, so now where can the trapdoor come from? As I said, this is related to Paillier encryption, and actually the language here can be seen as the ciphertexts that encrypt zero. That means that if x is not in the language, it actually encrypts something different, and there
is something which is really important here: actually any element modulo N squared is a ciphertext, an encryption of something. In other settings it might be the case that x is not an encryption of something even if it is in a range for which it is indistinguishable whether it's an encryption or not, but we do not have that problem, and in that sense we are the first to provide a trapdoor Sigma protocol, because the basic idea has already been used before but we are the first to do it completely. Now D here is simply the decryption of the Paillier encryption, so p and q allow you to decrypt. If x is not in the language, that means that x encrypts something different from zero modulo N, and even if it is a multiple of p we do not care; we do not have to avoid that case. If it is a multiple of p it's not a multiple of q, and then we have this property over the plaintext space modulo q: this value alpha_x is not zero modulo q, which means that we can solve this equation and find the challenge, and if it fits in the challenge space then we have found the bad challenge, the only one that can exist here. This equation, if you do not see it, simply comes from the verification equation that you decrypt, right? So that's the first construction that we give in the paper, and now, based on that and other trapdoor Sigma protocols, we build a ring signature in the standard model. Here is just a quick recap of the state of the art: using a CRS, cryptographers managed to produce ring signatures that have sub-linear size, and recently it was possible to make logarithmic-size ring signatures without relying on a CRS. But actually those two last works are really theoretical, so the hidden constants are really huge; it's just impossible to use that in practice, even if of course from a theoretical point of view these are great advances. In this paper we assume that we have a CRS, and based on that we keep the
logarithmic-size signature, but our goal is to provide concretely short signatures, in the sense that they are comparable to the ones that you can have in the random oracle model. We prove everything based on the DCR assumption, the Decisional Composite Residuosity problem, and LWE, and LWE is only used for the correlation-intractable function; all the other building blocks that we provide in the paper are proven based on the DCR assumption. Okay, so let me give you some hints of our construction. It is based on the Groth and Kohlweiss construction, which was given in the random oracle model, and the idea there is that all the verification keys are actually additively homomorphic commitments to zero. We saw in a trapdoor Sigma protocol that we can use the commitment, but we need our commitment to be perfectly hiding in order to get statistical anonymity, so we will need a commitment and not a Paillier encryption, but here it is detailed. The idea there is to perform a ring signature by making a signature of knowledge. What does that mean? That means that you just incorporate the message that you want to sign in the hash function, which is modeled as a random oracle in that work, and you prove that among all the commitments in the ring, which are the verification keys, you can open one, and they provide a logarithmic-size proof for that. Okay, how can we turn that into the standard model now? That's our main question, because we need a trapdoor Sigma protocol, and as we saw we cannot rely on the discrete-log setting because we do not have a way to find the bad challenges in that case, except if we repeat, but if we repeat we have an exponential number of bad challenges, so we are stuck. So we rely on the trapdoor Sigma protocol that I just presented to you a few slides ago. Great, so what does that mean? That means that now each verification key is a commitment to zero in the DCR setting, and we turn the Sigma protocol into a trapdoor Sigma protocol showing that one out
of our commitments opens to zero, and in order to compute the bad challenges we actually have to solve a polynomial equation of degree small r, where small r is the logarithm of big R, and you can do that with a big challenge space. Okay, but of course we have many other difficulties that we have to circumvent in order to have our final construction. The problem is: how can we prove unforgeability in the standard model without relying on the random oracle? Because in the random oracle model, by using the forking lemma, you can rewind the adversary and then extract the witness, and as long as you have a witness you of course have soundness, and you know that it's not feasible to produce a valid signature or valid proof. So the idea is that we do not need to prove knowledge; we simply need to argue membership. So we rely on unbounded simulation-sound arguments, and we provide in the paper a construction in the DCR setting based on lossy encryption. Our idea in the proof is to force the adversary to make a forgery related to a commitment that will no longer be a commitment to zero, and then break the simulation soundness, right? But that's not enough, because now how do we define that the adversary wins? We want to force, in the security game, that if the adversary is able to produce a forgery, that means that it is actually able to produce an opening of a verification key. So that means that we want to rely somehow on the soundness property inside the protocol, and we want to know which one of the verification keys in the ring it is actually attacking, if you want. That means that now in the security proof we will simply guess which position will be the one of the verification key that the adversary tries to break, in some sense, and then, in the next step of the proof, we will turn it into a commitment to one. But that's not enough. I'm just checking the time.
That's not enough, because we want to prove the security in the standard model but without erasures. That means that, if you remember, the adversary can corrupt users in the unforgeability game, and once it corrupts a user we have to give the adversary all the random coins that we used to produce the previous signatures that it asked for. So now the idea is simply not to simulate the signature and the proof, but simply to guess which identity will never be corrupted and is the one for which the adversary tries to produce a forgery. It looks simpler here, but actually, in order to be sure that we have a probability of one out of R of making a good guess, we still need an information-theoretic argument there. That means that we need something which is perfectly hiding, but at the same time we also need to extract the position, so we have some conflicting properties that need to work together. To solve that, we had to build somehow extractable perfectly hiding commitments in the DCR setting. Okay, and we are almost done showing the security of the scheme. There is one problem left: we want to switch at some point between a commitment to zero and a commitment to one. For that we have to rely on the DCR assumption, of course, but at the same time we need to extract the bits, the bit string of the position of the verification key in the ring in the forgery. For that we need a membership trapdoor related to the DCR setting, which is of course related to the factorization of the modulus. That means that if we want to extract and at the same time be able to make an indistinguishable transition there, we have to work with distinct groups and then distinct moduli, which of course makes life harder. The problem that comes from working with two distinct groups is that, in the way the ring signature of Groth and Kohlweiss works,
the underlying answers in the signature related to the bits of the position of the verification key are actually used to select the verification key that is used during the signing process. That means that these z_j have to be exponents of the commitment, and so now we get into trouble, because there is no homomorphism between the two groups. In order to avoid problems, we had to ensure that there is no implicit reduction in the z_j, because otherwise we lose the information that we want to carry over the commitment. This is what we solved as well to construct a ring signature, and so somehow the proof related to the position must work over the integers. So yes, that's it for unforgeability. There are additional difficulties for proving anonymity, but I do not have the time to go into that. To summarize what we have: we propose the first one-shot trapdoor Sigma protocol, so in a single shot we have a negligible soundness error, we do not have to make repetitions, and so we no longer have to rely on something like cut-and-choose techniques; in terms of efficiency it is comparable, if you want. Also our ring signature is concretely efficient, in the sense that now the ring signature keys are simply a single commitment modulo N squared and the secret key is the random coins of the commitment, so it is really short; there is nothing hidden there. And the size of the signature is actually only [inaudible] times the one that you get in the random oracle model. So to summarize, that means that we affirmatively answer the question of whether it is possible to build concretely short privacy-preserving signatures in the standard model without pairings. Thank you for your attention.

Are there any questions from the audience? We have time. Would you like to step here to the microphone?

Thanks for the talk. Maybe you already mentioned it and I didn't hear, but were you able to show adaptive soundness for your construction or
only non-adaptive soundness?

So in the ring signature it is adaptive, in the ring signature anyway, since, yeah, it depends on what the adversary already asked. Just how can I explain? So I think, yeah, the soundness is adaptive here, but I do not remember. Oh okay, I'm sorry, I do not remember well. I mean, we can discuss more offline; maybe I would send you an email.

Thanks. Are there more questions? Then maybe I have one. Could you please go back to your difficulty two? Yeah, I'm just curious about, so here you rely on arguments of membership rather than knowledge and use lossy encryption. I'm just curious about how novel these techniques are, to which extent they use specific features that were unique to your setting, and so on and so forth. I'm just curious about the approach.

Yeah, yeah, so here the fact that you want to use a simulation-sound argument is of course not new; it's just that we have to provide all the ingredients that are needed. And for the lossy encryption, actually in the DCR setting we had to adapt existing techniques, but as for the building block itself in the DCR setting, we had to propose one that did not exist. But of course relying on simulation soundness here in the construction is of course something that is not new, and constructing unbounded simulation-sound arguments from lossy encryption is also something which is not new. So here it's just for the purpose of the construction.

Okay, thanks. Let's thank the speaker again, and yeah, that was our last talk of this session, so thank you.
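As an added illustration of the trapdoor Sigma protocol described in the talk (this is not code from the paper or the speaker), here is a toy Python implementation of the DCR-based protocol for proving that x is an N-th power modulo N^2, together with the Paillier-decryption trapdoor that recovers the unique bad challenge for a false statement, including the case where the decrypted value alpha_x is a multiple of p. The primes, the challenge bound and every sample value are constructed for the demo and are far too small to be secure.

```python
import math

# Constructed toy parameters (far too small to be secure). The challenge
# space [0, 2^LAM) is kept below min(p, q), as the trapdoor argument needs.
P, Q = 10007, 10009
N = P * Q
N2 = N * N
LAM = 13
CHALLENGE_BOUND = 1 << LAM


def nth_power(w):
    """Statement x = w^N mod N^2: an N-th residue, i.e. a Paillier encryption of 0."""
    return pow(w, N, N2)


def paillier_encode(m, s):
    """(1+N)^m * s^N mod N^2 encodes plaintext m; m != 0 puts x outside the language."""
    return (1 + m * N) * pow(s, N, N2) % N2


def first_message(r):
    """Prover's commitment a = r^N mod N^2 for a fresh random r."""
    return pow(r, N, N2)


def respond(w, r, c):
    """Honest response z = r * w^c mod N^2."""
    return r * pow(w, c, N2) % N2


def verify(x, a, c, z):
    """Verification equation z^N = a * x^c mod N^2."""
    return pow(z, N, N2) == a * pow(x, c, N2) % N2


def paillier_decrypt(y):
    """Trapdoor (p, q): with lam = lcm(p-1, q-1), recover m from (1+N)^m * s^N."""
    lam = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
    u = pow(y, lam, N2)
    return (u - 1) // N * pow(lam, -1, N) % N


def bad_challenge(x, a):
    """Decrypting z^N = a * x^c gives 0 = m_a + c * alpha_x (mod N).
    If alpha_x != 0 there is at most one solution c in the challenge space;
    when alpha_x is a multiple of p we solve modulo q instead (and vice versa)."""
    alpha_x = paillier_decrypt(x)
    if alpha_x == 0:
        return None  # x is in the language: every challenge is answerable
    m_a = paillier_decrypt(a)
    if alpha_x % P == 0:
        mod = Q
    elif alpha_x % Q == 0:
        mod = P
    else:
        mod = N
    c = -m_a * pow(alpha_x % mod, -1, mod) % mod
    if c >= CHALLENGE_BOUND:
        return None  # the only candidate lies outside the challenge space
    # A response exists only if a * x^c is itself an N-th residue.
    if paillier_decrypt(a * pow(x, c, N2) % N2) != 0:
        return None
    return c


def cheating_first_message(x, c_star, s):
    """A dishonest prover who guesses challenge c_star picks a = s^N * x^(-c_star),
    so that z = s verifies for c_star and for no other challenge."""
    return pow(s, N, N2) * pow(pow(x, c_star, N2), -1, N2) % N2
```

For an honest statement `bad_challenge` returns `None`; for a constructed false statement and a first message prepared for a guessed challenge, the trapdoor returns exactly that guessed challenge.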