 Hi, this is Jihan Yun from the University of Hong Kong. Today, I'll present our paper, Compact Seal Knowledge Proof for Facial ECDSA with trustlet set up. This is a joint work with Han Dongchui and Xian Xie from Matrix Elements Technologies. In this paper, I'll first give a very brief introduction about what is Facial ECDSA and why additive homomorphic encryption is used. After that, I'll talk about the main contribution of our paper, which is a seal knowledge proof proving the discrete log relation in some HSM group and the correctness of some cipher tests called the CI encryption. And then we'll see how they can be applied to two-party ECDSA as well as Facial ECDSA. So firstly, what is Facial ECDSA? Actually, Facial ECDSA allows MParties to share the message signing ability without trusting each other, such that if there are MParties there, then with less than T parties, they cannot jointly generate a valid signature, only with more than T plus 1 users, they can jointly generate a valid Facial signature. And Facial ECDSA signature is useful in practice. For example, in the setting of T is equal to 1 and N is equal to 3, it can be used for hot wallets of a crypto exchange company, such that the company holds SK-1 for online transaction and they keep SK-2 as a paper form backup and then the separate security firm will hold the SK-3 to validate transactions. So in this system, they need two keys to sign a transaction and losing one key from the exchange or the security firm cannot compromise the security of the hot wallets. And that's why Facial ECDSA can be useful in practice. Currently, how Facial ECDSA is actually implemented in some of the existing blockchain? They are done in a trivial way. That means that if I set the Facial as T, so we need to append T plus 1 ECDSA signature and we need to verify them one by one. So it is highly inefficient and it costs quite a lot in terms of transaction costs because this transaction fee in the blockchain transaction is related to the size of a transaction and that it is dominated by the signatures there. So appending T plus 1 signature is obviously not the best solution. And in this paper, what can we achieve? So the goal, the final goal of a scheme is to improve the efficiency of the CK proof in two-party and Facial ECDSA because they are the most complicated parts in this protocol and when applied to two-party ECDSA, the bandwidth for the QGEN is decreased by 47% while the running time is much faster in both QGEN and the sign-in parts. And when applied to Facial ECDSA, we have two solutions. Scheme one, they are very optimized for QGEN, 70% less bandwidth and 85% faster than the existing works, but at a cost of higher 20% larger bandwidth in the signing parts. So it may be good in some case, but not good in some other case. So we also propose scheme two, which provides an all-round performance. So we have 60% less bandwidth used, we've solved these 6% faster in QGEN without any additional cost in signing parts. So how do we achieve it? So actually, we achieve this because many CK proofs are involved in two-party or Facial ECDSA and we want to improve the implementation of the existing CK proof in those existing work. And this is one example of Facial ECDSA in the PKC 2020. So you can see that they use a CK proof of discrete log relation in the QGEN part and they use a CK proof for some sign for test in the signing part. And this is the most computationally expensive and the bandwidth, they use quite a lot of bandwidth in this part as well. So these protocols are dominated in running time and the bandwidth by these CK protocols and we want to improve that part. And before going into further details, we just give a brief introduction of the adaptive homomorphic encryption used there. Some of the earlier papers, they use payday encryption for that. But some of the recent papers, they use a adaptive homomorphic CL encryption, which is based on an unknown order group G, which contains a subgroup F, which is unknown order subgroup and the discrete log problem is easy to compute in this subgroup. And this group is based on the hardness of a so-called the hard subgroup membership problem. So we simply call this kind of group the HSM groups. And it can be constructed from some class group of immersion and quadratic fields. The CL encryption has certain advantages as compared to the payday encryption, like generation of the class group does not require trust per party and the group elements in the class group is smaller than the payday group elements and so on. And we will not go into further details about how it is constructed mathematically. We just need to remember that the group G there is construct, they have a subgroup F. And in that particular subgroup F of unknown order subgroup, the discrete log problem is easy to compute. So we just need to memorize this fact. How do the CL encryption? We also don't need to remember the details. We just need to remember that, okay, this form decipher test is in this form to encrypt a message M. We use an encryption randomness of row such that we compute F to the power M times pk to the power row. This is the C1 and C2 is another generated GQ to the power row. Remember F is the part that this discrete log is easy to solve. Just need to remember this one. And this is just showing that it can be compute additive homomorphic operations. So let's quickly go into the main contribution of this paper, the CK proof part. So what do we want to solve? We want to solve that for two relations we want to show. The discrete log relation of some unknown order group element such as this one pk is equal to some generator to power sk or the relation about the well-foundedness of a CL side of a test. C1 is the encryption of the message together with the encryption randomness row using some proper key pk. So this is the second relation we want to show. How about the existing work? In crypto 2019, they use a CK proof of a single bit challenge. Such that if you want to achieve a signers of 2 to the power minus epsilon s, then the protocol has to be repeated for epsilon s part. Then it is highly inefficient. And this is how they use for both the relation 1 and relation 2. And in paper 2, pkc 2020 paper, they tackle them differently. For the DL relation, they use the LCM tricks, which reduce the number of repetition by 10 times. And they also tackle the CL side of test problem by using some new assumptions, the strong risk assumption in the HSM group. And we will look into the further details in the next few page. So let's see what are the existing problems. So the CK proof for the discrete log. Originally, if we want to achieve a signers error of 2 to the power 80, then we need 80 times for 1 bit challenge. And then by the scheme in pkc 2020, the repetition is reduced by 10 times. So we need 8 times for running the same CK protocols. But again, it is still not quite lots of course needed in terms of bandwidth, as well as computation times. So you need to repeat the process for 8 times also. So we want to reduce it to 1 time only. So this is our first goal for the DL relation. How about the second one, the CL side for test? Actually, the problem of the reference 2 here is that it does not allow a fast and trustless setup. So why is that? It is mainly because they use an assumption called the strong risk assumption. And this assumption states that when given a random group element W, it is difficult to output a group element U and an integer E, such that U to the power E is equal to W. So this is something similar to a strong RSA assumption. But here, we request that W is a random group element. But however, this random group element cannot be easily obtained. It can either be obtained from a standardized group, so we assume that all parties, they trust some standardizing authority, then they can use this. But again, this is not desirable for the applications like public blockchain, where no trust for a party exists. Then the next available option is that all participating parties, they can jointly generate this random group element interactively. But again, this solution greatly increased the right complexity and the bandwidth used. So no perfect solution for this one. So let's see how we achieve that. So we first illustrate how a simple DL relation can be proved. In our case, remember this is an unknown order group, so the discrete law is not easy to prove. And also in particular, the main difficulty here is that the group G, they have a subgroup F, and it makes the CK prove much more complicated. It can be illustrated by the following example. So assume that we use an assumption using some of the previous work, we call the adaptive root assumption. We try to use this one to make an algorithm one a simple CK proof. So what is the adaptive root assumption? This assumption states that for a random group element W, when you are given a prime L, you cannot output some U such that U to the power L is equal to W. So it means that computing the L roots of W is difficult. So this is the adaptive root assumption. So if we simply use this one to give a CK proof, it can be done in this way. So the verify sends a random lambda bit prime L, and the proof simply needs to find the quotient and the remainder of the X such that X is equal to Q prime times L plus R. And the proof computes the capital Q is equal to G to the power Q prime. And also they will pass the remainder to the verify. The verify just check the range of the remainder as well as checking this relation. The capital Q to the power L times G to the power is equal to W. So it makes use of this adaptive assumption to show the correctness. But however, if this group G here has a known order subgroup, this CK proof is not secure at all. Why is that? It is because we can give some proof which pass this protocol, but the W is not the same. It's not G to the power X. In fact, if W is equal to G to the power X times F to the power Y, where F belongs to some known order subgroup, then he can compute an alternative proof Q prime here, which is equal to G to the power Q prime times F to the power Y over L. Why we can compute this one? Because 1 over L can be computed because the order of F is known here. So this is 1 over L mod the order of F. So it can pass the verification because we can simply plug in everything there and then we can see that it passes the original verification equation as shown in the last page here. And the R also fits the range. So it can pass this checking, but W is not the relation we want to prove. W is not simply G to the X. W is G to the X times F to the power Y. So this is not secure at all. So next I will show why we can achieve this one. We can eliminate this attack. So our solution, roughly speaking, is to use an extra run of challenge to eliminate the elements of all the Q in W. So this attack appears because we have some elements with known order. So we want to remove all those elements with this known order here. So what we do here is simply use an extra run using the order Q here instead of using the prime number L. So here you can see a protocol with six steps while step five and step six. And also part of the step four is the same as step one, two, three in algorithm one. So you can see that the last three steps are the same. So the main modification is the addition on the first three to four step. So what it's done here is that the prover computes a commitment. R is equal to G to the power K first. Then the refire computes a challenge C. And then the prover computes something just like a snort signature as it is equal to K plus CX. And then the prover needs to find the quotient D and the remainder E such that S is equal to DQ plus E. So here this format is similar to this one Q prime L plus R. But we replace the prime L with a fixed prime Q where Q is the order of the subgroup. So we send the capital D and small E there and the checking is similar as below. So this is a six run protocol. So why is it safe against the previous attack? So if the prover knows X, Y in this format, he can, if N, if he can pass the verification, it means that. So here you can see that on the left hand side of the equation, there are no elements in the subgroup. Because here capital D to the power Q, this Q is the order of F. So all subgroup elements is eliminated by the Q there and G is not the subgroup element at all. So we have no subgroup elements on the left hand side. So it means that the right hand side should not have any subgroup element as well if we can pass the verification. So we can see that what are the subgroup elements on the right hand side. So it is F to the power CY. But if we do not have any subgroup element there, it means that F to the power CY is cancelled out by R. But by the setting of this knowledge proof, R appears before we know C. So R is the commitment, C is the challenge. So the probability of this R cancelled out F to the power CY is negligible. That's why our protocol is safe against this attack. So we can achieve a run-run protocol for proving this DL relation in the unknown order group. So let's compare a scheme with the two previous schemes on the same sadness error and statistical distance of activity. So compared, you can simply see that our scheme is much more efficient. 97% shorter than the CCL plus 19 and 74% shorter than the CCL plus 20 paper. So this shows our scheme is highly efficient in terms of bandwidth. How about other comparison? So when we look into the assumptions, the CK proof in the CCL plus 20, they use a strong root assumption, which is similar to the strong RSA assumption, as I mentioned. And we use an adaptive root assumption, which is more similar to the RSA assumption. So this is comparison on the assumption side. And in the CCL plus 20, they use a CK proof, but they only prove the relation of a modified version, which is x to the power y is equal to g to the power x for some proper value y. They are not proving x is equal to gx. They are proving x to the y is equal to gx. So the relation is a little bit modified. And on the other hand, our security proof, we need to use generic group model, but the security proof in two does not need that. So these are the difference between our proposal and the previous work. This is the first contribution, and the second contribution of our paper is the CK proof of a well-formedness of a CL-cypher test. We recall that a CL-cypher test is something in this format. The C1 is the encryption of some message, and together using some encryption randomness row here, and C2 is also using the encryption randomness row. So again, the proof here for building the CL-cypher test is quite similar to the DL proof, but we only need to take care of this term M there because M is something related to the unknown order group. So we can build a similar six-step protocol for the CL-knowledge proof for the CL-cypher test. So this is a diagram for that, and for details, you can refer to the paper, but the idea is quite similar to the DL proof. So let's look at the comparison. There are again, there are two existing work, the Crypto-19 and the PKC-20 paper. We can see that the Crypto-19 paper is not efficient at all. They use more than 100,000 bytes for the communication, but they don't need any extra security requirement. Our scheme is somehow in the middle, and we need two assumptions. One is the generic group model, and we also need to ensure that the proper key is generated correctly in the correct group element. So this is what we need. And on the other hand, the CCL plus 20, they need a random group generator, as I mentioned before, and they may need an interactive algorithm for all parties to jointly generate a random group element. And therefore, although the CL, the CK proof for CL's hypothesis is less, but they need some other runs of communication for generating a random group element. So they have some hidden costs there. So when they are all added together to build facial ECDSA, then the efficiency is in fact less efficient than the method we use here, using our method here. And let's have a look when we go to the details about the two-party and facial ECDSA. So for two-party ECDSA, we mainly follow the original two-party ECDSA protocol in crypto 19. And for the CK proof part, we actually need to prove something extra following the original protocol in reference one. So we need to prove two more relations here, as shown here. But this adding this relation is simple because they are all discrete log relation. Then we can just simply plug in our existing tools together and then we can effectively prove the CL knowledge for this particular relation. And after plugging that in, this is the result of our overall two-party ECDSA protocol. We can see that the signature size is the same for all these three schemes, but our scheme has a much better bandwidth than the existing two schemes, including the original CCL plus 19 paper and their improvement. But of course, we need to use the extra security assumption, the adaptive reciprocal assumption. But we can achieve a much more significant saving in terms of bandwidth, as well as running time as well. So this is the comparison in terms of running time. We can see that the original paper CCL plus 19, they are very slow in key generation. The improvement, the later improvement, they significantly reduce the key-gen running time at a cost of doubling the running time of the signing part, which is not desirable. And our scheme, we can show a significant improvement in both the key-gen part and while keeping the signing time to be the same. So this is the improvement for our paper. How about threshold ECDSA? Actually, the threshold ECDSA, we have two solutions. They are suitable for different scenarios for our scheme one. So we modify the threshold ECDSA in PKC 2020. So we modify the spool two part in the key-gen part. We update their CK proof of discrete log relation. And in the eye sign part, we update their proof of cipher test. So these are the two part we plug our scheme in. And we have a second solution by keeping this eye sign and the key-gen original protocol as the same, but we modify the interactive eye setup part. The eye setup part is used as part of the eye key-gen. The eye setup part, we modify them using our DL relation. So this is the second scheme. We modify in a different place of the threshold ECDSA scheme. And we have different improvements. So this table summarized what are the benefits of these two schemes. So here, this is a complete comparison. And the red rectangle shows the part that is more efficient than others in the same category. So we can see that our scheme two and the original CCL plus 20 paper, they have shorter side signatures. So our scheme, comparatively, our scheme two has a much shorter bandwidth in terms of eye key-gen. You can see from here, from this table to this table, but we use one extra assumption, of course. So this is a scheme two. Well, on scheme one, we can produce a best solution with the shortest bandwidth in eye key-gen while keeping the assumptions to be minimal, but at a cost of a slightly larger part of our signature size. So maybe for those who want to implement this special ECDSA, then you should choose one which is more suitable for application. And we can also show some actual parameters for different fashion, using different T and different N, as shown in this diagram. So this is comparing the CCL 20 with our scheme two in the eye key-gen communication and the eye key-gen running time. So we have a significant improvement in both the eye key-gen communication size and the running time. For different fashion. And how about comparing scheme one, scheme two, and the CCL plus 20. So this is the running time for both eye key-gen and eye sign. So we can see that our scheme one is very efficient in terms of key-gen, but we have a little bit high cost for the signing part. So if you want to keep the signing part minimal, then maybe you can choose scheme two instead. So this is a very rough comparison, and there are some further comparison in our paper, so you can refer to them. And to conclude, we propose a complex CK proof for the DR relation in XSM group and also for the CL cyber test. And when applied to two-party and fashion ECDSA, it can significantly improve the performance in terms of bandwidth used and the running time. And that's all for my paper. Thank you.