 Hi everyone, so this is the video talk on the one more discrete logarithm in the generic group model. So this is the work we did together, Balthazar Bauer, Georg Krujbauer, and myself, Antoine Pluvier. And yeah, in this work, we give the first proof of security for the one more discrete logarithm in the generic group model. We also show that the previous get proof for the one more discrete logarithm security were flawed. Yeah, so the other talk will be, I will first introduce the generic group model. After that, I will just talk about some simple security assumption, which is the discrete logarithm. We will see how we can write the discrete logarithm game in the generic group model and how to simulate it without having any secrets. And this will lead to some security property of the discrete log in the generic group model. We will see how we can use the short simple lemma to prove its security. After that, I will be introducing the one more discrete logarithm, which is quite a more complex assumption than the discrete logarithm. We will see how we can give some intuitive way of simulating the one more discrete log game in the generic group model without a secret. But we will see that the intuitive way doesn't work, that's why the previous proof were flawed. So we will see an attack and we will see how we can give a correction for the simulation of one more discrete log in the generic group model. And we will see how we can prove its security from this new correction. Ok, so first I want to motivate our work by saying that the one more discrete logarithm assumption is very used in the literature. For example, for Blanchner signatures, the Blanchner signature unforgeability relies on one more discrete logarithm assumption, also on our problem, but on the one more discrete logarithm assumption. There are also other signature primitives, for example the multisignatures and transitive signatures, which are based on the snow identification protocol, but also some identification schemes based on the snow identification protocol. And also some negative results, so those results will be the proof that there is no reduction. For example, for some signature, you cannot reduce the unforgeability property to only discrete log. So you would have to suppose that one more discrete log is hard to prove that you cannot reduce the unforgeability to only the discrete log assumption. Ok, so that's for the use of one more discrete log. Let's talk about the generic group model. So the generic group model is an idealized model for cryptographic games defined over a group of prime order p, meaning that the group has a generator g. And for the generic group model, for a security assumption, we build a security game in which the challenger simulates a game for the adversary, and the adversary will try to break the security assumption. And what we want to prove is that the adversary has a really low chance to win the game, so to break the security assumption. So for simplicity, let's say that the challenger gives as input to the adversary some group element x1, xn. And in the end, the adversary could give as output to the challenger some group element y1, ym, and try to win the game. In the generic group model, what we say is that the group is a structure which is hard to understand for the adversary. So to formalize this, what we do is we just replace the group element by symbols that have no mathematical meaning. So for example, we replace the group element x1 by the symbols paid and the group element xn by the symbol art. And the challenger will just maintain a list in which he stores all the symbols corresponding to the group element. Now the adversary, it has only seen symbols, so it cannot do any computation, right? Because hard plus paid doesn't mean anything, it has no mathematical senses. So the adversary cannot do simple group operations. And it has to ask the challenger to do the group operations for him. So the challenger will just check in the list to which group element is paid and art correspond. And it will just compute the sum of those two group elements. So if the group element computed is one of the previous group elements in the list, the challenger will just give one symbol corresponding to this group element. And if the group element is new in the list, then the symbol would be new. And in the end, if the adversary outputs some group element, it means that it outputs a symbol which corresponds to some group element in the list because it must be a symbol that the challenger has shown to the adversary. So the challenger can get the decomposition that the adversary used to compute this symbol depending on the input because the adversary can only do simple operations, meaning that in the end, all the symbols correspond to some linear combination on the input. So that's how the generic group model works. And let's see on the discrete algorithm how we can prove the security of the discrete algorithm in the generic group model. So first, the discrete algorithm is just a game in which the challenger will have a secret X, which is a scalar, and the aim of the adversary will be to get the secret. So the challenger will just build a challenge, which is a group element X, which is equal to the secret X times the generator, and show it as input to the adversary. And the adversary will just output some scalar Z. The adversary wins if he guesses the secret, meaning that if X is equal to Z. And now the study of the discrete logarithm in the generic group model, which have been done by Schup when he introduced the generic group model, it's just you would replace the group element by symbols, meaning that instead of the generator G, you would show the symbol art. Instead of the challenge X, you would show the symbols paid. And the adversary, if he wants to do simple computation, you would just compute the sum of those two. So it would be X plus 1 times G, and show the new symbol corresponding to this group element. Ok, so how can we prove the security with this? So we can see here that all the group elements in the list of the challenger, they are defined like with polynomials of X times G, for example, you would replace it with polynomials, it would be P0 of X times G with P0 being equal to 1, P1 of X times G with P1 being equal to X, and P2 of X times G with P2 being P0 plus P1. So here, what is interesting is, the only thing that challenges is the polynomial, right? X is the same, G is the same here. So we could say, yeah, we could remove X and G and the simulation would be the same, right? We could do the same simulation with only polynomials and no X, no G. So it means, right now we are just simulating the discrete logarithm game in the generic group model without any secret, which means that the adversary would play the game and in the end it would give some output to try to get the secret, but there is no secret. So the challenger can just pick one random secret in the end and the adversary wins if the secret is equal to Z, but since Z is fixed before X is picked randomly, it means that this happens with probability 1 over P, right? And thus, the adversary has a low probability to win because P is big and 1 over P is really low, so negligible probability to win for the adversary. But maybe we missed something. Maybe we missed the fact that the simulation could fail, right? If we choose X equals 0, we could have X equals 0 because X is just picked randomly in Zp. So if we X equals 0, then we have 1 plus X equals 1 meaning that heart and diamond, they represent the same group of elements. So the two symbols, they should be equal. But when we were simulating the game, X was not defined. So the only idea we had was that we had P0 which is the polynomial which is different of P2. Those two polynomials are different. So the symbols we fixed, they were different. And this is a problem because in the discrete logarithm game, the symbol would have been the same. But in our game, the symbols, they were different. So that means we were not playing the discrete logarithm game with the adversary. The simulation failed. And the problem happens if X equals 0. But OK, we could say X equals 0. This happens with really low probability, right? So maybe this probability of simulation failure can be bounded. And yes, that's what we will do with a short simple lemma. So yeah, to want the probability of simulation failure, we just need to find what, at which condition the simulation fails. And we say that the simulation fails if when we pick one random X, there exist two different polynomials which have been computed by the adversary, which when we evaluate them on the secret X, they are equal. And actually, the short simple lemma, it can help us with that because it says that if there is a polynomial which is non-zero, so a multivariate polynomial, and if we pick one X uniformly random, meaning that the X is independent of the polynomial chosen, then the probability that this polynomial evaluated on X is equal to 0 is less than 1 over P. So this is nice because since the polynomials are different, it means that in our case, the probability that Pi of X equals PJ of X is less than 1 over P. And yeah, we just need to bond this probability for all the couples of polynomials that the adversary computed. And we say that the adversary is allowed to make at most M operations. So there are at most M-square couples of polynomials. And we say that the simulation fails with probability less than M-square over P. So in the end, we get the fact that the discrete log is secure in the generic group model because the probability that the adversary wins in the discrete log is just the sum of the probability for the simulation to fail plus the probability of the adversary to win in the simulation. So it means that the probability for the adversary to win is really low because P is big in front of the number of operations that the adversary is allowed to do. Ok, so that's for the discrete log. Now let's see what is the discrete logarithm game and how we can implement maybe the same idea for all the generic group models for the one more discrete logarithm. So in the one more discrete logarithm, the challenger doesn't have any secret at the beginning but the adversary has access to some challenger recall associated with a counter N and some discrete log recall associated with a counter Q. And what the adversary can do is just request the challenger for a challenge. So it would mean it would be a discrete log challenge to solve for the adversary and the challenger would just pick one random secret create a challenge associated to the secret and show the challenge to the adversary which will be a discrete log challenge for the adversary meaning that the adversary will have to find a secret corresponding to this challenge and the adversary can request as many challenges as he wants so he can for example request for a second challenge the challenger will just pick one new secret and show one new challenge to the adversary and stuff but now the adversary has also access to some discrete log oracle so it can request for the discrete log of any group element you want and the challenger would just answer with a discrete log every time and in the end it means that the challenger would have N secrets x1, xn so we say that this is a vector of secret x and the adversary would have done Q queries to discrete log so it means that it has Q answers of the discrete log oracle y1 until yQ and it outputs some vector z trying to guess the secret x so the adversary wins if x is equal to z and Q is strictly less than N meaning that there is strictly less discrete log queries than challenge oracle queries so there is strictly more challenge than answers to discrete log given to the adversary so this is one more discrete log now how is it transformed into a generic group element so just as before the challenger shows a symbol instead of group element so there is a symbol art that would correspond to the generator there is a symbol spade that for example would correspond to the first challenge requested by the adversary so the challenger defines a secret x1 and the spade correspond to x1 times g so if the adversary requests for a second challenge then the challenger would just define one new symbol corresponding to the new challenge and after that if the adversary wants to do simple computation this would just correspond to one oracle that the adversary also has access to to request for the simple computations of two group elements and the challenger can just as before do the simple computations of those two group elements and obtain this new symbol here so we could say it's just the same as before if we want to implement the one more discrete log in the generic group model we could do the same as before we could simulate it without the circuit but just replacing all of those group elements by polynomials just now there will be multivariate polynomials the first variable would correspond to the first secret the second variable would correspond to the second secret and so on yeah, so that's nice but now what happens if the adversary requests for the discrete log of some group element so it requests for the discrete log of symbol because group elements are symbol for the adversary and the challenger just picks one random scalar because here for example it does discrete log for the first secret so the challenger would have to define the first secret right now it would pick one value y1 uniformly random and show it to the adversary now since the adversary has done two requests of challenge and one request of discrete log it could and the game here and I will put one vector z and as a challenger it can just pick the second secret uniformly random and have the secret here which is equal to y1 x2 and the adversary wins if x is equal to z but since x2 was defined after z is defined it means that the adversary wins with probability less than 1 over P just as before so this works exactly the same right but we still need to have a look on the probability of simulation failure so here the simulation fails if for the same condition actually the condition will be the same just now we have multivide polynomials and we have a secret that has n components and if two polynomials are completed by the adversary and are different but on the secret they are equal then it means that the simulation fails and since the principle lemma is also valid for multivide polynomials we could say we could apply it right away right because it's just the same but no, in fact there is a problem in the chassis polynomial we say that x should be picked uniformly random independently of P this uniformly randomness of x is here just means that x is independent of the polynomial P and here since y1 is defined before x2 is defined it means that actually it's not defined uniformly random from every polynomial that the adversary could have computed maybe some polynomials they could depend of y1 and in fact this is an important problem because there is an attack we will see how the adversary can make the simulation fail with probability 1 what the adversary can do is just request for some challenge for the challenger the challenger would define one challenge and show it to the adversary corresponding to one secret after that the adversary can request for the discrete log of this challenge the challenger would just pick one random scalar y1 corresponding to this request and this corresponds to the first secret now what the adversary can do is he can just add the generator y1 times because y1 is a scalar and doing this it can do it efficiently and doing this it will build a constant polynomial corresponding to the constant y1 so it means that there is a new symbol here corresponding to this polynomial here and we have two polynomials x1 y1 which are different meaning that the two symbols are different but when we evaluate the amount of secrets they are equal meaning that the two symbols they should be equal in the one more discrete log game they would be equal so it means that the adversary knows with probability 1 that it is not playing in the one more discrete log game it means that the simulation fails and this is what what are the flaws of the previous proof the previous proof we are not seeing that the simulation fail at this point that we can measure the simulation fail at this point so in order to correct the simulation what we could do is just when the adversary request for the discrete log of such a group element here we could say ok so this y1 corresponds to the first secret so we could say ok the variable x1 would just become y1 so we update all the polynomials we say that ok the variable x1 now is y1 but this leads to some problem in the writing because here it's simple to write because the polynomial is easy but if spade were representing some complex polynomial here it would mean that we would have to search for the coefficient which is non zero and replace the variable corresponding to this coefficient by this polynomial here things get a bit messy to write there's a second problem which is we still need to compute the probability of the simulation to fail for example if we have y1 which is equal to 1 then it means that heart is equal to spade but since those two polynomials they were different it means that yeah there is a few things to check we need to check the probability of some of those polynomials when we evaluate only the variable x1 and replace it by y1 what is the probability of those multivariate polynomials to be equal to zero and actually this is not the first polynomial because there is a problem which only evaluate the variable x1 and it means that we evaluate a polynomial over a ring and schradtipal lemma works for polynomial over fields so really not the same thing so we cannot use it that's why we introduced a second idea which is theoretically the same just simpler to write we said that the challenge maintains a list which will contain every polynomial corresponding to the discrete log queries for example here it will just it will just contain the polynomial x1 minus y1 which corresponds to the polynomial which the adversary knows that it is equal to zero on the secret x and all the computations of the polynomials will be done modulo the list L so it's just the same as before just it's more easy to write because for example if the single spade correspond to some polynomial q we just have to store q minus y1 in the list so this is more simple and the probability of simulation failure it can be formalized this way we say that if we are for two polynomials they are equal modulo L but when we evaluated their symbols the symbols were different it means that the simulation failed somewhere because if those two polynomials they are equal modulo L it means that when we evaluate them on the secret they are equal so their symbols should be equal so in the end of the game the adversary would output some vectors z and it would have done q discrete log queries so the list would contain q polynomials here and and yeah so the challenger can just pick one x which satisfies every equations here so those are only linear equations and since q is strictly less than n it means we can sample x in the set of size p so we can pick x uniformity random in such a set meaning that we still have the probability for the adversary to win strictly less than 1 over p so this is nice but we still need to compute the probability for the simulation failure and let me give you some idea on how we can do that so I just recall as the simulation failure condition we wrote so when we simulate the generic group model without the secret x the only way of writing the failure condition is we have two polynomials they were equal modulo L but when we attributed two symbols to them the symbols they were different by doing some hybrid in the proof we prove that this failure condition is equivalent to a failure condition while simulating properly the generic group model game with the secret x when we add two different polynomials modulo L but equal when we evaluated them on the secret so this resembles a lot to the condition we had before because before it was only the two polynomials that were just different now there are different modulo L and this condition here is the same and we have to check this not for x picked uniformly random in a set of zp at the power of n but for x picked uniformly random such that it verifies all the linear equations defined by the discrete law queries so those linear equations here we say that it's a space, affin space defined this way so it's an affin space and since x verifies q of those it means that it is in an intersection of such affin spaces we find also that maybe x is not also in some other affin space because since we have some symbols which are different it means that we have some polynomials which are different pi of x minus pj of x is different of 0 so this means that x is not in some other affin space so we have to remove some affin spaces basically the intersection would just be some affin spaces so we pick x from a set which is an affin space from which we remove some affin spaces which has this form here and in the end we give just a new lemma which would replace the use of the short simple lemma in our proof so we say if we have such affin space so x belongs to the intersection of those and not to in those and if we have one polynomial p of degree 1 under the hypothesis of p is independent of all the polynomials q i computed by the adversary with the descriptor queries also if this space is non empty and if we pick x uniformly random from this space we can bound the probability of this polynomial evaluated on x to be equal to 0 and actually this bound here is the one we use and we say that just as before the probability that the adversary wins is m squared times the probability of one polynomial being equal to 0 so this is the probability of the simulation period plus the probability of the adversary to win in the simulation game so this is the theorem of our paper the probability of the adversary to win one more descriptor is negligible ok so further results we have in our work a security proof for the one more computational differential in the generic group model and our work can also lead to some security proofs for the one more discrete log rated assumptions in the generic group model such as for example one more discrete log free base and stuff like that ok thank you a lot for your attention bye