 Welcome to the video abstract of our work, Efficient Nistics and Signatures from Commit and Open Protocols in the Q-ROM. My name is Jelle Don. This is joint work with Serge Svir, Christian Mayans and Christian Schoffner. I'll start by explaining the words in the title of our paper. Commit and Open Protocols are a subclass of the three-round interactive proof systems, also known as sigma-protocols, where in the case of Commit and Open Protocols, the prover in the first round commits to a number of messages via a hash-based commitment scheme, which we can model as a random oracle in order to do a security reduction. And then, as a next step, we may apply via charming transformation to obtain NISIX, non-interactive zero-knowledge proof systems, or digital signature scheme. Now, to prove that such a scheme is online extractable in the quantum random oracle model, what we do in our work is adapt an existing framework of Q-ROM simulation to construct an online extractor, where online means that the extractor is given only black box access to the prover, then runs it just once, so no rewinding, while at the same time simulating the random oracle in order to answer queries of the prover. Then if the prover is successful, the extractor produces a valid witness, all in such a way that the distribution of the output of the prover while interacting with the extractor is close to the output of a prover in the normal run. Using our technique, we obtain a tight reduction, tight in the sense that if the attacker has success probability epsilon, our extractor also succeeds with probability epsilon up to a negligible additive error term, whereas the generic reduction that applies to any type of sigma protocol has a loss of epsilon cube over Q to the sixth, which in the previous work we managed to reduce for this specific class of commit and open protocols to just epsilon over Q squared, but now getting rid of the Q squared factor, we obtain the first tight reduction of a Fiat-Shamu-based NISIC or signature scheme in the Q-ROM. That's the main result of our work. We further show that this reduction also works on commit and open protocols that use a merkle tree for the commitment that allows for a special so-called octopus opening, which is just a more clever, more efficient way of opening multiple values at the same time. If you want to study this in more detail, I invite you to either pause the video or read the paper or come to our talk at the conference. And as another extra result, we show that the Umru transformation, which is comparable to but less efficient than the Fiat-Shamu transformation, but it was the first NISIC that was provably secure in the Q-ROM. It's also online extractable. It has the advantage that it can be applied to any Sigma protocol, but the proofer has to commit to a single response for every possible challenge, making it quite a bit less efficient than Fiat-Shamu. Especially when the commitment scheme is required to be a length-reserving hash function. And that's exactly the thing that we improve upon. We show that this requirement using our reduction is no longer needed. So summarizing, we managed to give the first tight Q-ROM reduction of a Fiat-Shamu-based NISIC for the subclass of committed open protocols. This reduction also works on merkle tree-based CNOs with octopus openings. Among other things, there is a tight Q-ROM reduction for the picnic signature scheme. And finally, we give a more efficient version of the UNRU transform. Thank you for listening. I hope to see you all at our presentation, which is on the Tuesday slot from 1350 to 1530 in the Latte-Liemen Hall. Thank you.