 Hello and welcome to the five minute introductory talk for our paper universal ring signatures in the standard model. First let's get into ring signatures. Ring signatures are just signatures where instead of using one key and signing and verification you use a whole ring of them. And the security notions you get out of this are anonymity and affordability. So for a verifying signature you want to learn that someone in that ring has made it, but you don't want to learn who exactly. And the first ever use case for this was whistleblowing. We will look into this today. So governments don't really like whist blowers and they do want to protect themselves against them, even willing to punish them. And the setup for a whistleblower with ring signatures is as follows. An employee wants to leak some data to a journalist and the whole reason we want signatures in this at all is they should be able to prove that they have the access to the kind of sensitive data that they send and they're not just a reddit troll. First we assume that the employee already has a public verification key and a private signing key for example for an RSA signing scheme. In a first step they will fix an anonymity ring by including the public keys of other people for example this might be everybody working in their departments. And then in a second step they use a ring signature to sign anonymously and send the signature to the journalist along with the leak. The journalist then knows that this is trustworthy data and the anonymity is protected. However, things are a bit complicated today because there's not just one signing scheme and it's not quite clear if there are ring signatures for every scheme and especially if you add multiple different schemes at the same time into a ring how this will work. There are some previous results that provide this for certain types of schemes with a certain structure but not for all of them. So a clever government might have the idea let's just forbid all the schemes that allow for ring signing at all and the question we ask is is this a potential protection so can you protect yourself by using a certain scheme from being used in an anonymity ring and the answer is no. Some terms and conditions do apply and you should come to my talk to learn more about this but the basic result is that we give a construction for universal ring signatures which is precisely that problem where you have to make a key ring from any keys from any schemes and in our constructions we do not use the CRS because in this whole whistleblowing thing you cannot assume trust and we also don't use the random oracle and we will explain a little bit more why in the full talk. However now for our constructions the first one is actually using complexity leveraging and we need super polynomial security for the underlying signatures which is not truly universal so we fix this in our next two constructions which are based on witness encryption the first achieves only linear size and then the second one we build a special witness encryption using IO and we do get logarithmic size but we do need IO. Also another caveat is that we only get an anonymity if we get a certain threshold of honest keys in our ring normally this would be two for normal anonymity but in our case we need three or four honest keys. So for more details on our constructions we've come to our talk I will be very pleased to see you there.