 Hi, welcome to the presentation of the paper, signatures from sequential or proofs. My name is Patrick Harasser, and this is joint work with Marc Fischlin and Christian Jansson, all from TU Darmstadt. And just a quick heads up before we get going. I will be taking part in the live session on May 13th. So if you have any questions about this work or my presentation, I'll be happy to take them there. Okay, so let me start with a bit of motivation for our work. This paper is about security proofs for group and ring signature schemes. These are special signature schemes where one individual can sign a message on behalf of an entire group of users without revealing who specifically put the signature. And there are many variants of group and ring signature schemes out there, but usually the difference between these suprematives is that ring signatures can be generated spontaneously and cannot be de-anonymized, while group signatures require some form of setup and can be opened by a designated authority. Now, one possible design strategy to actually build these signature schemes is to base them on Sigma protocols. And on a high level, this works as follows. So consider a group or ring of users and suppose that Alice here on top wants to sign a message M on behalf of all of them. She would first generate a commitment for her own protocol and simulate protocol executions for all the other parties in the group. And then she would somehow combine all the public information available so far to obtain a challenge for herself. And since she knows her own secret key, she can answer this challenge. And the final signature is then somehow derived from the sequence of all the transcripts. So a bit more abstractly, a group or ring signature in this setting is nothing but a proof that the signer knows the secret key corresponding to one of the public keys in the group with the challenge somehow derived from all the protocol executions and the message to be signed. Now, in practice, this computation of the challenge usually involves a hash function, which in security proofs is then abstracted to a random oracle. And usually the security proofs of these schemes rely on the so-called rewinding technique. So what happens here is the adversary is first executed, then its internal state is played back and the random oracle is reprogrammed to a different value. And then the adversary is executed again. And this proves that forging signatures implies being able to extract a witness, which is supposed to be hard. Now, the main goal of this work was to study the existence and feasibility of security proofs for these types of signature schemes, but in the non-programmable random oracle model. So in a model where the hash function is indeed model as a random oracle, but the security reduction is not allowed to reprogram it. And we believe that it is interesting to know whether such proofs exist, since the NPROM is much closer to the real world than the plain random oracle model, given that we currently do not know any hash functions that support programmability. More specifically, we investigate two OR techniques for Sigma protocols. So we show that the signature scheme derived from the well-known OR technique by Kramer et al. Does probably not have a security proof in the NPROM, whereas the one obtained from the technique by Abe et al. can be proved secure without using programmability. Now, before presenting our results in more detail, allow me to give you a bit of background and briefly recall the basic building blocks that will be important during this talk, starting with Sigma protocols. So on a syntactic level, a Sigma protocol is a protocol between two parties called Prover and Verifier, who get a bunch of inputs and then exchange three messages with the Prover speaking first, and where the only message sent by the Verifier is a uniformly random string. The goal of the Prover is to convince the Verifier that he knows a witness matching the statement the Verifier has. And at the end of the conversation, the Verifier decides whether or not he believes that this is indeed the case. And one usually requires a few properties from Sigma protocols. The first one is completeness with respect to a relation that the protocol is associated to, which says that if the inputs are sampled from the relation, the protocol execution is very likely to go through. Next, there is special soundness, saying that if one is given a statement and two accepting transcripts for it, which share the same commitment but have different challenges, then it is very easy to compute a witness for the given instance. And finally, we have a version of the zero knowledge property, which says that there exists a machine associated to the protocol called the simulator, where you can put in a statement and a challenge value, press a button, and the machine will return a transcript that is indistinguishable from a real protocol execution where the Verifier uses the given challenge value. And this is usually formalized by asking that no one can distinguish real and simulated transcripts for any given instance, even when the challenges used in the executions can be chosen adversarily. Now, I mentioned before that Sigma protocols are three move protocols, but there is a well known strategy to make them non-interactive if one has access to a random protocol. The non-interactive prover would simply start running the prover of the Sigma protocol, and then compute the challenge as the random oracle evaluation of the instance and the commitment. The original prover then computes a response to this challenge value, and the only message sent by the prover to the verifier consists of the commitment and the response. And later, when the verifier wants to check the transcript, he first recomputes the challenge by querying the random oracle, just like the prover did before, and then runs interactive verifier on this transcript and accepts or ejects accordingly. Now, an interesting feature of this transform is that it also yields a signature scheme in the random oracle model if the Sigma protocol has unpredictable commitments. So to sign a message, the signer proceeds exactly like the non-interactive prover would, but also appends the message he wants to sign to the random oracle query. And the signature of M then again consists of the commitment and the response. And to verify the signature, the verifier would again recomput the challenge by appending the message M to its random oracle query, then let the original interactive verifier check the transcript and accept or eject the signature accordingly. Okay, now, the final ingredient that we're gonna need before discussing our results is a technique to prove the disjunction of two statements. So suppose we now have two Sigma protocols and that we somehow want to combine them into a new protocol which allows the prover to show that he holds a witness for one of the two instances, ideally without revealing which one. And there is a well-known solution to this problem which goes back to the work of Kramer et al from Crypto 94, which works like this. The orprover first computes a commitment for the statement that it does know the witness of, here it's not, and then simulates a transcript with a random challenge for the other instance. And he then sends the two commitments over to the verifier. And upon receiving the verifier challenge, he computes the challenge for the real subproof by exhoring the one he just got with the one he sampled in the first step and then computes a response. And finally, he sends the two challenge shares and the two responses over to the verifier. And in order to verify the transcript, the verifier now checks whether the two challenge shares add up to the value he sent over to the prover. And whether the two transcripts verify independently and he accepts if all these checks go through and rejects otherwise. Now, observe that we can, of course, combine these two constructions we have just recalled to obtain a signature scheme based on the or combination by Kramer et al. We call these signatures parallel or signatures for reasons that become clear when we have more than just two signers. If you have, say, five possible signers with Alice here on top signing the message, what happens is that Alice computes her own commitment and then simulates transcript with random challenges for all the other parties. Her own challenge is then computed as the hash of all the keys, the commitments and the message, XORed with all the other challenges. And finally, Alice computes a response for her transcript and so completes her transcript. So you see here that all the challenges are computed or obtained more or less in parallel and hence the name. Now, as I hinted at before, this construction has one major downside in that it inherits the loose security reduction coming from the proof of Fiat-Chemier signatures where one rewinds the adversary and reprograms the random oracle to be able to extract a witness. And so we wondered whether it is actually possible to give a security proof of the signature scheme that does not reprogram the random oracle. And our first result is that this is likely not the case. More specifically, we show that if we have a parallel or signature scheme with a PPT black box reduction from the affordability of the signature scheme to winning some game G that does not program the random oracle, then we can construct another efficient algorithm winning the game G directly. And this means that G wasn't a hard game after all and thus not a suitable basis for the security of the signature scheme to begin with. And let me give you an idea of how we do this. We used a meta reduction technique. So our proof proceeds in two steps. On a high level, we first construct a very specific unbounded adversary which is able to break unforgeability of the signature scheme using its super polynomial power. And this means that if we let the reduction interact with this adversary, we get an unbounded solver for the game G. And we then move on to show that the interaction between R and A can be simulated efficiently, thereby yielding the efficient solver B for the game G. And a bit more specifically, our adversary A works as follows. It first requests a signature for the message that consists of the verification key. It is started on and checks the signature. This is done to make sure that at least one of the two key parts has a witness as it is unfeasible for the reduction to sign messages if this is not the case. The adversary then uses its super polynomial power to find the first lexicographic witness of X naught or if none exists of X one. He then samples a random message and signs it with the witness he just found. Now, of course, if we let the reduction interact with this adversary, we get a solver for the game G. So this solver would get an instance of G as input and then start the reduction. The reduction is now free to communicate with the random oracle and to start an arbitrary amount of instances of our adversary A that forges signatures. And in the end, the reduction returns a solution to the instance, but of course, the solver is not polynomial time because the adversary A is unbounded. So in the next step of our proof, we show how to overcome this obstacle. The idea is to run the reduction and to efficiently simulate its interaction with A whenever the reduction starts a new instance of the adversary. So our efficient solver B would first start the reduction and give it the instance that it has to solve. And now remember, the reduction expects to be able to make two types of queries. So there's random oracle queries and forgeries by A. The former are handled by B via leasy sampling. And on the other hand, whenever the reduction wants to start a new instance of A, B first queries and then checks a signature on the verification key just to stay consistent. And he then samples a random message and simulates transcripts for the two signature parts. The catch is now that there is no guarantee that the hash of the two commitments and the message equals the XOR of the challenge, which is how things should be for honest signatures. But luckily, B controls the random oracle. So B can now simply set the answer of the random oracle on the two commitments and the message to be the XOR of the two challenges and inform the reduction that this query has been made with the corresponding answer. And finally, B returns to the reduction, the message signature pair it has computed and proceeds with the simulation. And with this technique, the entire construction now runs in polynomial time and in the end, the reduction returns a solution for the instance that B had to solve. So B has solved his problem. Now, let me mention very quickly that there are a few details to take care of in this proof. The proof becomes much more involved than it already is. If we must take into account that the reduction may schedule or reset the adversarial instances in some strange way, this can be avoided by slightly modifying the adversary A and actually making him deterministic. But the overall idea remains the same. And of course, B must be able to set the random oracle so that it simulated signatures look legitimate. We can show that this is possible with overwhelming probability via a simple union bound making the random messages long enough. And finally, we must of course make sure that the reduction doesn't notice that it is being played. This is relatively easy for the simulated random oracle queries. It is much tougher for the simulated instances for the adversary A. This part heavily relies on the zero knowledge property of the involved protocols. And if you're interested in this, may I invite you to have a look at our paper or ask me during the live session. Okay, so now that we know that parallel or signatures do probably not have a security proof in the non-programmable ROM, we wondered whether the state of affairs for some reason intrinsic. So our question was whether it is at all possible to have security proofs for specific or signatures that do not program the random oracle, or if for some reason programmability is always necessary. And luckily we can answer this question in the affirmative because there is at least one other, a bit less prominent or like technique present in the literature going back to the work of Abbey et al from Asia Crypto 2. Similarly to the construction of Kramer et al, also this technique combines two or more sigma protocols, but it yields directly a non-interactive protocol and works only in the random oracle model. And we call this technique sequential or because the challenges of the single subproofs are derived sequentially. So to illustrate this, it is again useful to have a look at how this technique works with more than just two parties. So again, suppose that we have five possible provers and that Alice here on top who wants to give a sequential or proof. Alice would start by computing her own commitment and then uses the random oracle to derive the challenge for the next prover. She then uses the simulator for this sigma protocol to derive a transcript and then queries the simulated commitment to the random oracle to derive a challenge for the next prover. And then again, a simulator transcript. And she goes on like this until she closes the circle and there is a challenge for herself which you can now answer since she knows her own witness. So you see here that in this construction the challenges are computed sequentially, hence the name. And let us review in more detail the construction with just two parties. So the sequential or prover first computes a commitment for the statement that he does know the witness of. And then queries the random oracle to get the challenge for the other sub proof. He then uses the simulator to generate a transcript for the second protocol with this challenge. And then again, queries the random oracle to obtain a challenge for this first sub proof. And finally, he computes a response to this challenge and sends the two commitments and the two responses over to the verifier. And in order to verify the message the verifier just recomputes the two challenges as the prover did before and then checks the two transcripts separately. Okay, so now that we have these two or techniques let's have a look at them one next to the other. We wondered whether the two techniques have similar properties or if for some reason one is somehow superior or inferior to the other. And at first the two techniques seem to be incomparable because the protocol on the left is three move in a standard model whereas the one on the right is non-interactive in the random oracle model. But of course we can overcome the syntactic obstacle by just considering the Fiat-Chemia transform of the protocol on the left. And we go on to show that these two protocols actually share many interesting properties. It is well known that the protocol on the left is complete, witness indistinguishable and witness hiding if the unreliable relation is hard. And we show that the protocol on the right actually has the same properties. And I recall that the next step in the definition of a signature scheme out of the protocol on the left was to simply append the message to be signed to the random oracle query. And the interesting observation here is that we can actually do the same thing with the protocol on the right-hand side. So we can obtain a signature scheme by just appending the message to be signed to the two random oracle queries. And the natural question now is whether maybe this sequential or signature scheme has a security proof in the non-programmable realm. And our second contribution is to show that this is indeed the case. So we can prove unforgeability without needing the reduction to be able to program the random oracle. And again, let me give you an idea of how we can do this. So the proof proceeds via a sequence of game hops. We start with the usual unforgeability game. And in the next game, we force the forger to query both messages to the random oracle that yield the challenges for his signature. This is always possible because if the original forger does not make these queries, we can modify him to make the desired queries just before he returns to signatures. So this is no problem. And the next step now is to consider the timeline of the execution of the adversary and to focus on the random oracle queries involving the message mstar for which he later returns to forgery. So for the sake of argument, assume that this timeline represents the execution of the adversary with the orange dots being all the random oracle queries. And among these queries will be those queries that return the challenges for the forger signature. And now remember, the adversary has access to a signature oracle provided by the unforgeability game which supplies signatures with respect to the public key X naught, X one. But the forger does not know if the oracle uses a witness for X naught or a witness for X one to produce the signatures. This follows from the witness in distinguishability property of the sequential or protocols. This means that there is roughly a 50% chance that the first among the queries involving mstar made by the forger is about the commitment for the instance that the signature oracle does not have a witness of. And in the next game hop, always switch this other instance to a no instance. So to an instance that does not have a witness. The forger will notice this change because we are assuming that the underlying relations are decisionally hard. So we are now in a situation where the forger has to answer a random challenge to a commitment made beforehand for a no instance. And by the special soundness property of the protocols, this is very unlikely. So this cannot happen. And we can thus rule out the existence of the forger of the sequential or signature scheme without having to program the random oracle. Okay, so now we know that parallel or signatures do probably not have a security proof in the non-programmable ROM, but sequential or signatures do. The big elephant in the room now is whether sequential or signature schemes do also have a security proof in the quantum random oracle model that does not use programmability. And at present, this question seemed to be difficult to answer since all techniques that we currently know of in the Q-ROM use some form of programmability. But still, we thought it would be worth investigating if sequential or signature schemes are secure in the plain Q-ROM at least. And the final result in our work is to show that this is true. Observe that we cannot simply reapply the proof from the classical case, since that heavily relied on establishing a timeline of interesting random oracle queries and to see which commitment the adversary queried first. But now, superposition queries are allowed. So this line of reasoning no longer works. And to overcome this obstacle, we leverage a technique by Don et al from crypto 19. The rough idea is to use their technique twice to obtain an adversary that makes two classical queries. And then we can again proceed along more or less the same lines as in the classical case. We are currently in the process of discussing our proof with the authors of the crypto 19 paper. But let me mention that Don, Fair and Mayans have since extended their technique to directly handle also cases with more than one measurement, which somehow was the limitation of their original technique. So their new technique applies directly to our use case here. And it even gives a better security bound than the one we have in our paper. But again, this proof relies on programming the cure. So to wrap up, we analyze signature schemes derived from the OR techniques for Sigma protocols by Kramer et al and Abe et al. We show that the first scheme does probably not have a security proof in a non-programmable ROM, whereas the second scheme does have a proof in this model. We know that sequential OR signatures can also be proved secure in the Q-ROM, albeit by programming the quantum random oracle. And an interesting open problem is whether we can actually forego programmability also in the Q-ROM. Hope still lives on that this is possible for sequential OR signatures, while of course our impossibility result in a classical case rules this out for parallel OR signatures. Thank you very much for your attention and see you on May 13th.