Hello, this is our work on the post-quantum security of signatures and ring signatures, to appear in PKC 2022. This is joint work with Kai-Min Chung, Xiao Liang and Giulio Malavolta. We start with the post-quantum security of signatures. Signatures satisfy unforgeability, wherein an adversary gets to talk to a challenger which provides it with a signing oracle. In the classical case, this means that the adversary can query individual messages and receives the corresponding signatures from the challenger. Eventually, the adversary produces a forgery, which is said to be successful if the message corresponding to the forged signature was not queried before by the adversary. This is indeed the standard definition used for classical unforgeability. If the adversary is a quantum polynomial-time machine, however, it can make quantum queries, which means that its queries need not be individual messages but can be superpositions over the message space. The challenger in turn has to reply with the appropriate superposition over signatures. Since these superpositions may range over the entire message space, and the challenger clearly cannot measure the adversary's queries, it quickly becomes clear that we cannot meaningfully define which message was really queried. And so it becomes difficult to define when the adversary actually succeeds in forging a signature. For example, the adversary may query a uniform superposition over the entire message space and simply measure the challenger's response to get a signature on a uniformly random message. Does this mean that the adversary succeeded in forging a signature? It is unclear, so we have to turn to other definitions to see what we can do. One of the first definitions considered in the quantum setting was that of one-more unforgeability, introduced by Boneh and Zhandry in their work.
Classically, this is similar to unforgeability for blind signatures: the adversary queries the signing oracle on several messages, say q of them, and receives the corresponding signatures. Next, the adversary has to produce forged signatures, but not just one as in the standard definition: q + 1 of them. If all of these signatures are valid, the challenger accepts the adversary's forgery. The generalization to the quantum case is immediate: the adversary switches to querying quantum states which are superpositions over messages, and the oracle replies with the appropriate signatures, as we have seen before. It does this q times, as before, and we expect the adversary to finally produce q + 1 classical signatures; the challenger accepts if all of these are valid. In this case, we can further see that there is nowhere that the adversary can use superpositions to win the game where a classical adversary would not. And of course, as we have seen, this is equivalent to the standard definition classically. So this serves as a well-defined definition of unforgeability in the quantum case, and it has been used in several works. There are, however, certain concerns one can have with the one-more unforgeability definition. Broadly, the issue is that this definition disagrees slightly with our intuitive understanding of how unforgeability should generalize to the quantum setting. For example, consider an adversary that produces several forgeries, but queries the signing oracle on superpositions supported on a different part of the message space than the one its forgeries come from. In more detail, we have an adversary, the message space, and a certain subset S of the message space. Suppose the adversary queries superpositions supported on points outside S and gets back the corresponding signatures, and in the end it manages to produce a forgery on a message in S, while all its queries were supported on points outside S.
Clearly, intuitively, we feel that this should not be allowed. But the one-more unforgeability definition does not rule out attacks of this kind. This is not just of notional interest: the work of AMRS20 gives an example of a scheme that admits this kind of forgery but nevertheless satisfies the notion of one-more unforgeability. Details can be found in that paper. To counter these issues, we consider moving to a different definition of unforgeability, namely the notion of blind unforgeability proposed in AMRS20. As before, we have the adversary talking to a signing oracle over a message space M. The adversary may submit superposition queries over these messages, and the oracle returns the corresponding signatures, also in superposition. The catch is that the oracle in this definition maintains what we call a blind set of relative weight epsilon, obtained by sampling each point of the message space into the set with probability epsilon. The parameter epsilon is part of the game parameters and may be chosen adversarially. The function of the blind set is that the oracle is considered blinded on the messages in this subset. In more detail, if the adversary submits a superposition over messages, some of which may lie in the blind set, the signing oracle only answers on those components that do not come from the blind set. So the signing oracle computes the signatures for the components that come from points outside the blind set, while for the points inside the blind set it sets the signature to bot, and then prepares the final superposition over signatures appropriately. We denote this blinded signing oracle by prefixing it with B_epsilon. Eventually, the adversary must output a forgery, and the challenger checks that this forgery is valid and that the message of the forged signature lies in the blind set.
It is not hard to see that the classical restriction of this definition is comparable to, and in fact equivalent to, the standard unforgeability definition. So this seems to meet the basic requirements we would want from a quantum unforgeability definition. Unfortunately, we do not know how to compare it directly to the one-more unforgeability definition in the quantum setting. However, as mentioned, it seems to meet all the requirements we would want, and it also agrees with our intuitive understanding of unforgeability in the quantum setting. So we use this definition. With this definition in mind, we show several signature schemes that satisfy it in different settings. Before our work, the only known schemes that provably satisfied blind unforgeability were one-time signature schemes. We first show that a signature scheme based on quantum PRFs and the quantum hardness of SIS is blind-unforgeable in the quantum random oracle model. We also give a new scheme based on the same assumptions that is blind-unforgeable in the plain model. Both of these signature schemes turn out to be compact, meaning that the signature size can be made independent of the size of the message itself. We also have results in the ring signature setting. Firstly, we develop a meaningful extension of the blind unforgeability definition to ring signatures. We also present a construction of ring signatures satisfying this definition, relying on the previous construction of ring signatures by Chatterjee, Garg and others from Crypto 2021. The definition of ring signature unforgeability proposed in that work had several drawbacks, stemming from the fact that it was based on one-more unforgeability. Our new definition removes these drawbacks, and we also find a way to meet it. Let us now talk about the blind-unforgeable scheme secure in the QROM. The scheme that we show to be secure was given by Gentry, Peikert and Vaikuntanathan in 2008. Here we quickly recall the scheme.
This relies crucially on the notion of preimage-sampleable function families. PSFs are families of functions associated with public and private keys, where the public key allows evaluating the PSF in the forward direction and the secret key allows sampling a preimage. PSFs have several properties, the main one being that the joint distribution of image and preimage taken together is statistically close whether the image is sampled uniformly first or the preimage is. Secondly, for any given image, the corresponding preimage has superlogarithmic min-entropy. The third property is collision resistance, meaning that it is hard to find two different preimages of the same image. PSFs satisfying all these properties can be constructed from the hardness of the SIS problem. So what does the GPV scheme look like? The first thing to note is that it is a deterministic scheme, de-randomized using a quantum PRF, but we will not go into that here. The secret key of the scheme includes the secret key of the PSF. Given a message, we first evaluate the random oracle on the message to get a hash digest, and then we compute the inverse of the PSF, using the secret key, on the hash digest to get the actual signature. Colloquially, this is known as a hash-and-sign signature scheme. The public key includes the public key of the PSF and allows evaluating the PSF on the signature, which, if the signature was computed correctly, should equal the hash digest of the message. This is simply the verification procedure. One can check that this signature scheme can be made compact because the size of the random oracle output does not need to depend on the message. We now sketch the security of this scheme. The first thing to note is that we presented the scheme in the classical setting, but it makes perfect sense as a quantum scheme given access to the quantum random oracle.
We show security using a hybrid argument. In the hybrid form of the unforgeability experiment, any given message is signed in a slightly different manner, described as follows. For any given message, we simply sample a preimage for the PSF family using message-dependent randomness. The randomness is derived from a random function that is unrelated to the random oracle and is present only in this hybrid; the use of a truly random function here can be mitigated using quantum PRF techniques. Next, the random oracle is programmed so that the hash digest of the message is the output of the PSF on the signature sigma. By the properties of the PSF, the joint distribution of the hash digest and the signature on a given message is statistically close to that of the real experiment, where they are sampled as described previously. Of course, in the blind unforgeability game, the adversary never gets to see signatures on the messages in the blind set, and in the end it has to produce a forgery that lies in the blind set. So suppose we have a forgery (m*, sigma*). Let sigma' denote the signature that would be returned by the challenger if the adversary were to query m*. There are two possible outcomes. Either sigma* equals sigma', which violates the preimage min-entropy condition, because the adversary should not be able to predict sigma' with more than negligible probability; or sigma* differs from sigma', which would in turn violate collision resistance. In this way, we are able to show that the scheme is blind-unforgeable in the quantum random oracle model. Let us now move to our signature scheme in the plain model, and the key components required for it. The techniques we use are a combination of the left-right trapdoor paradigm, as in Agrawal, Boneh and Boyen 2010, and the key-homomorphic evaluation techniques of Brakerski and Vaikuntanathan 2014.
To keep things short, we will not get into these techniques, but their core can be summarized as follows. For any string x, we can create a corresponding wide matrix B_x of the following form. The left part of B_x is a matrix A sampled at random with entries in Z_q for a large enough modulus q. A can be sampled together with an SIS trapdoor T_A that allows us to generate short integer solutions for A. The right half of B_x has the form A' − f(x)·G for some efficiently computable f, where G is the gadget matrix, a fixed public matrix; we therefore also have a fixed public SIS trapdoor T_G for G. The point here is that we can sample SIS trapdoors for the whole wide matrix B_x in two ways: either using the left trapdoor T_A or using the right one T_G, and this will be crucial to our signature scheme. Let us turn to our actual signature scheme. For any message m, we create the following matrix B_m, where the role of the function f from before is now played by a bit PRF. Namely, B_m has the form where A is a random matrix sampled just as before, and the right half is A' − A_{f(m)}, which can be seen as an encoded form of the output of the PRF on the message m. As described previously, we sample A together with its SIS trapdoor, and in turn our signature scheme has a public key consisting of the components required to build B_m, where the matrices C_0, C_1 can be seen as encodings for the message, and the matrices K_i can be seen as encodings of the PRF secret key. The corresponding secret key is of course the SIS trapdoor T_A. This particular combination of techniques is similar to the work of Boyen and Li from 2016, who build a similar signature scheme. A signature sigma is simply a short vector in the null space of B_m, namely B_m · sigma = 0, and of course, given the secret key, namely the SIS trapdoor for A, one can create such a signature easily.
Note that the signature is also compact, meaning that the signature size does not depend directly on the message length. Let us quickly go over why the signature scheme is secure. We consider a hybrid form of the unforgeability challenge in which the public key is generated differently. Namely, the component matrices in the public key are sampled in a different manner, with the end result that the wide matrix B_m now has the following form. The left part of B_m is still a random matrix A with entries in Z_q. However, A is no longer sampled with an SIS trapdoor T_A, and that trapdoor is no longer available to the challenger. The right part of B_m has the form A·R + (1 − F(m))·G. F is still a PRF, but now it becomes an epsilon-biased bit PRF, which we will come to shortly and which will be crucial. R is a low-norm matrix with short entries, and T_G, the SIS trapdoor for the gadget matrix G, now becomes the secret key of the challenger. The following two cases are easily seen. If F(m) = 0, the challenger can easily sample SIS solutions for B_m in this hybrid, and therefore can sign. If F(m) = 1, however, the challenger can no longer sign, and in fact any signature forged by the adversary can be used as an SIS solution for B_m, which can be transformed into an SIS solution for an independently sampled instance. So using such a forgery we can break the hardness of the SIS problem. Now the important thing to note is that if F is a normal PRF, then it outputs 0 or 1 with equal probability over the message space, and this is not useful to us. However, if F is an epsilon-biased bit PRF, meaning that it outputs 1 only on an epsilon fraction of the message space, i.e. with probability epsilon, then it models a uniformly sampled blind set of weight epsilon for us, and so we can use it directly in the blind unforgeability challenge.
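As an added example (not code from the talk or the paper), the following Python models the classical restriction of the blind-unforgeability game from the definition above, with the blind set selected by an epsilon-biased bit PRF as in the hybrid just described. The signature scheme is a keyed-MAC stand-in so the game runs offline, and the HMAC-based predicate is a constructed stand-in for an epsilon-biased PRF, not the paper's construction.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def eps_biased_prf(key: bytes, msg: bytes, eps: float) -> int:
    """Epsilon-biased bit PRF: outputs 1 on roughly an eps fraction of messages.
    Constructed from HMAC-SHA256 for this example; it only models the blind set."""
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return 1 if int.from_bytes(digest[:4], "big") < int(eps * 2 ** 32) else 0


def make_stand_in_scheme():
    """Stand-in 'signature' (a keyed MAC held by the challenger) so the game
    runs offline; the talk's constructions use GPV or the lattice scheme."""
    sk = secrets.token_bytes(32)

    def sign(m: bytes) -> bytes:
        return hmac.new(sk, m, hashlib.sha256).digest()

    def verify(m: bytes, sigma: bytes) -> bool:
        return hmac.compare_digest(sign(m), sigma)

    return sign, verify


class BlindedChallenger:
    """Challenger of the (classical restriction of the) blind-unforgeability game.
    The blind set B_eps is the set of messages on which the eps-biased PRF,
    keyed by a key only the challenger holds, outputs 1."""

    def __init__(self, eps, sign, verify, blind_key=None):
        self.eps = eps
        self.sign, self.verify = sign, verify
        self.blind_key = blind_key or secrets.token_bytes(32)

    def in_blind_set(self, m: bytes) -> bool:
        return eps_biased_prf(self.blind_key, m, self.eps) == 1

    def signing_oracle(self, m: bytes) -> Optional[bytes]:
        """B_eps-blinded oracle: answers bot (None) on blinded messages."""
        return None if self.in_blind_set(m) else self.sign(m)

    def accept_forgery(self, m: bytes, sigma: Optional[bytes]) -> bool:
        """A forgery counts only if it verifies AND its message lies in B_eps."""
        return sigma is not None and self.in_blind_set(m) and self.verify(m, sigma)


def blinded_fraction(eps: float, n: int = 4000, key: bytes = b"\x00" * 32) -> float:
    """Empirical weight of the blind set selected by the eps-biased PRF."""
    hits = sum(eps_biased_prf(key, i.to_bytes(4, "big"), eps) for i in range(n))
    return hits / n


def replay_attack_succeeds(ch: BlindedChallenger, msgs) -> bool:
    """Adversary replays every signature the oracle returned. None is accepted:
    an answered query is by construction outside the blind set."""
    answers = [(m, ch.signing_oracle(m)) for m in msgs]
    return any(ch.accept_forgery(m, s) for m, s in answers)


if __name__ == "__main__":
    sign, verify = make_stand_in_scheme()
    ch = BlindedChallenger(0.25, sign, verify)
    msgs = [b"msg-%d" % i for i in range(40)]
    print("blinded queries:", sum(ch.signing_oracle(m) is None for m in msgs))
    print("replay wins:", replay_attack_succeeds(ch, msgs))
```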
This technique actually gives us a reduction from the unforgeability of the signature scheme to the hardness of the SIS problem. Finally, let us turn to the quantum security of ring signatures. Firstly, what are ring signatures? They consider the setting where we have a set, or ring, of users, each with their own public key. Any user in this ring can produce a signature on behalf of the entire ring, which is identified with the list of public keys. The crucial thing is that no interaction is required between this user and the other users in the ring. The properties we expect here are unforgeability, which in this case means that no entity outside a ring can forge signatures on behalf of that particular ring, and anonymity, meaning that nobody can tell which user in the ring signed a given message. Ring signatures have various uses, including but not restricted to whistleblowing and blockchains. In this talk, we focus on the unforgeability property, as extending anonymity to the quantum setting is relatively straightforward and does not present new technical challenges. It helps to start from the classical version of the definition. This involves an adversary and a challenger as before, but the challenger now generates a universe of q public keys, vk_1 through vk_q. To generate a ring signature, one has to specify a message and a ring; the adversary can do so in its signing queries and gets the corresponding signatures. The adversary can also issue corruption queries, where it obtains the signing key of a particular user, who is then considered corrupted. Finally, the adversary has to produce a forgery on a message and a ring of its choice. This forgery is considered valid only if it is a valid ring signature and the ring presented by the adversary contains no members previously corrupted by it.
Since we use it as a starting point for our construction, let us also look at the construction of ring signatures by Chatterjee, Garg and others. This scheme uses as components a standard signature scheme, an encryption scheme, a ZAP system, and a somewhere perfectly binding (SPB) hash scheme. The verification key for the ring signature consists of a verification key for the standard signature, a public key for the encryption scheme, and finally the first message of a ZAP proof, which comes from the verifier. The corresponding ring signing key additionally holds the normal signing key. The actual signature is made of the following components. Firstly, a standard signature on the message is generated and then encrypted under the public key of the encryption scheme. Second, we generate a hash key for the SPB hash scheme. The SPB hash is not important to our construction and can simply be thought of as a variant of a Merkle tree with certain statistically binding properties, which allows compressing the ring of public keys into a small digest. Finally, the signature contains the corresponding prover message of the ZAP scheme with respect to the first message that is part of the verification key. This ZAP proof simply proves that the ciphertext component is properly generated and encrypts a properly generated signature with respect to the ring in question. This is just a sketch of the construction; the actual construction has a pair of encrypted signatures and hash keys because we rely on witness indistinguishability. Next, let us take a quick look at why the signature scheme satisfies all the desired properties. The signature has the following form: an encrypted standard signature, followed by a hash key, along with a ZAP proof.
Note that the signature itself does not use the ring anywhere, and the hash key allows us to hash the ring into a small digest, which is also used in the proof, meaning that the proof itself does not depend on the size of the entire ring and can be made logarithmic in the ring size, thus naturally guaranteeing compactness. Next, unforgeability is shown by moving to a hybrid in which we essentially show that either the ZAP proof provided by the adversary proves a false statement, or we can extract an encrypted signature and in turn extract the signature from the encryption, which is bound to be a forged signature. This relies on properties of the underlying encryption scheme. Finally, as mentioned before, we do not touch on anonymity in detail, but it follows from a simple swapping argument that uses the dummy block effectively and relies on the witness indistinguishability of the ZAP. Let us now turn to our quantum definition of ring signature unforgeability. As mentioned before, this draws from the blind unforgeability definition and proceeds as follows. The adversary interacts with the ring signature unforgeability challenger, which issues a universe of public keys as before. The adversary is now able to query for signatures on superpositions over both the message and the ring. It should be pointed out that this is a natural generalization and something we would expect: each user in a ring signature scheme generates signatures on their own, and the ring is just an additional input parameter to the signing algorithm, so it makes sense to consider superpositions over rings as well. The challenger returns the corresponding signature in superposition, with the signing oracle being appropriately blinded. Additionally, in this case, we have to maintain a blind set over pairs of messages and rings, not over each individually.
The corruption queries, however, remain classical in our definition, because there is no meaningful intuition for quantum corruptions. Indeed, to corrupt a user means to take over their signing duties, and at least at the moment it is unclear how one would consider such a task in superposition. So we retain classical corruptions. Finally, the adversary must produce a forgery as before, and now, in contrast to the classical definition, we simply require that the signature is valid and that the message and the ring lie in the blind set. A hidden detail here is that to properly construct the blind set we have to fix the size of the rings used by the adversary, but this is not a problem. How can we make the previous template secure under this definition? The first step, of course, is to make the underlying signature scheme blind-unforgeable in the quantum sense. Additionally, our ZAP must be sound against efficient quantum provers, which is already the case for the ZAP used in the previous template, so we do not have to worry about it. In our reduction from this definition to standard blind unforgeability, we need to maintain consistency between the blind sets in a certain form, and unfortunately this means that we have to sign the message along with the ring to ensure this consistency. This makes the construction non-compact, and we can remove the hash key for simplicity since it now serves no purpose. With these modifications, we can adapt the reduction from the previous template and use it to show that the resulting construction satisfies the blind unforgeability definition for ring signatures. This brings us to the end of our content, and now we can consider a few open problems that might be interesting to think about. The first standing open problem follows easily from the last slide: can we construct compact ring signatures under our definition? We do not have an answer yet.
Additionally, we could consider more efficient standard signatures, or signatures in other models and under other assumptions, satisfying this definition, which might be interesting because the definition is very appealing. Finally, we could consider further definitions that might be adapted to different cases in the quantum setting and may offer additional advantages, just as blind unforgeability does over standard one-more unforgeability in the quantum setting. That brings us to the end of our talk. Thank you for watching and listening and following along. We invite you to check out our full paper available at this URL. Thank you.