 Hello, I am Maxime Blossom and this video is the presentation for AG Group 1021 paper on lattice-based group signatures. So this is going to work with Vadim Yubeshevsky, Kahn and Guyan, and Gregor Zeiler. Okay, so now just a quick overview of what the paper is. So in 2018 there was a lattice-based group signature construction that was proposed, but since then there's been quite a bit of improvement in lattice-based zero noise proofs. So some contributions on efficiency, new techniques and some about the statements that can be proven. So this paper uses these recent results to improve upon the 2018 construction. Okay, so now about the structure of the video. So first I'm introducing technical background necessary for exposition. Next I'll define a high level from high level the previous construction from 2018 and then I'll give a list of the improvements we make upon it. Okay, so first BDLP lattice-based commitment scheme. So if you want to read there's notations on the slides. So how does the BDLP lattice-based commitment scheme work? So the setup is you sampling a uniformly random matrix A0 and then for every message you want to commit to, so a message is an element of RQ, you will sample a uniformly random vector A1 to Aα from RQ. So now to commit to these messages what you do is you sample a short vector R, so a vector with short coefficients R and the commitment is going to be this big matrix here times R plus 0 and then the messages. So the commitment is made of two parts, the top part which is A0R and then for every message you will send A transpose R plus this message. Okay, so now the next slide is just a reminder to make sure we're on the same page about this. So again you have notations, you can pause the video if you want to read and now the idea here is that to prove knowledge of the message in a BDLP commitment what you do is given zero knowledge proof of knowledge of the short randomness R that was used during the commitment. So if you remember from the previous slide. Okay, so I move on to a short list of the statements that can be proven on BDLP commitments. So first you can prove linear relations, so say you have commitment to M1 and M2 then you can prove that M1 equals lambda M2 for some lambda in RQ for very cheap. Now second one is product relations, so say you have commitment to M1, M2 and M3 then you can prove that M1 equals M2 times M3 for pretty cheap. And finally you can prove unstructured linear relations, so-called unstructured because here you prove that QM1 equals M2 where Q is a matrix over ZQ so you kind of forget about the RQ structure of M1 and you just consider it as a list of coefficients, M2 as well. Okay, so this also can be proven for pretty cheap and yeah, these statements will be useful later. Okay, so now I move to the second part of the technical background part of the video. So what a group signature is? So in a group signature you have three entities, you have the setup authority, the group manager which will be called the open-ass sometimes and some group members which will be called users or signers. So every group member has an identity i in the set demographic i and so what the setup authority will do is first generate a public key for the whole group and the open-ass secret key. And once this is done for every identity in demographic i, so every user pretty much, the setup authority will generate a signing key si. So when this is done, the setup authority will give the group manager his opener key and every group member of identity i will receive the signing key si. Okay, so now what we want is that some user with identity i should be able to produce a signature sigma of some message M that is valid under the public key of the whole group. So a signer should sign on behalf of the whole group and this kind of implies, so what we also want is that this signature doesn't give away his identity, so he should sign on behalf of the whole group and we shouldn't know who the signer is apart from the fact that he belongs to the group. And this brings me to the fourth item which is that the group manager should be able to open the signature and find out the identity of the signer. So the group manager should be the only one able to do this. Okay, so I move on to the security properties of a group signature, sorry. So first we have anonymity, which I kind of just mentioned but I'll explain it again. So the intuition is a signature should not leave the identity of the signer and so more formally what this means is that if the adversary knows all the signing keys then he should not be able to distinguish between the signatures produced by any two users. Okay, so now the second one is traceability, which is kind of the equivalent of unfoldability for group signatures. So if the adversary has some signing keys in a set S, sorry, and the opener's secret key then what we want is that the adversary is not able to create a valid signature that doesn't such that the opener, when the opener decrypts the identity from the signature he should find an identity that the adversary possesses. Okay, so the reason why this is the equivalent of unfoldability for group signatures is for example if you take S to be the empty set so the adversary doesn't have any signing keys, he just has the opener's secret key then this traceability property translates into the adversary should not be able to produce a valid signature at all. Okay, so now I will move on to the second part of the video which is defining the 2018 lattice-based group signature construction. Okay, so let's take it slow, we have a set of identities, that is made of RQ elements that are stable and there are some two automorphisms. So the setup algorithm goes as follows, so first you generate an MLW instance, so you have your sample uniformly random A, short trapdoor R and you set B equals AR. Now next what you do is you sample S1, S2 from a Gaussian and you let U to be AS1 plus BS2 and so the public key is going to be AB and this U. So if you have some user with identity I, you want to sample a signing key, what you do is you sample S1I and S2I from a Gaussian under the condition that this equation here holds. So the G is a simple matrix that allows the sampling using the trapdoor R and you can notice that the identity of the signer here is part of this matrix. Okay, and so this is the signing key of a user and now the last step is to generate a key pair for a verifiable encryption scheme. So every user with identity I will get his signing key S1I, S2I and the group manager will get the secret key for the verifiable encryption scheme. Okay, so now how does signing go? So let's say we have a user with identity I, so he has the signing key S1I, S2I. So what he will first do to sign a message is commit to his identity I with some random R under BDLOB commitment scheme and he will give a zero-knowledge proof that his identity is part of calligraphic I. So another contribution of the 2018 paper is a way to prove automorphism stability and so yeah, this is done by proving that I is stable under the two automorphisms that define calligraphic I and yeah, this is done. So there's this commitment to prove by one and then the second part of the signature is a proof of knowledge of the secret key S1I, S2I. So it's the proof of knowledge of a short solution of this equation here and this is, so in 2018, this couldn't be done directly and so yeah, it's rather more complicated than what we can do today. And so finally, the user will encrypt the randomness R that he used for BDLOB. So he will encrypt it with the group manager's verifiable encryption public key and yeah, he will also compute a proof by three that the ciphertext is well formed so the verifier knows that this encryption knows that the group manager is able to decrypt this R. So okay, now the signature is made of the commitment F, the ciphertext C and all three is your knowledge proofs. So the first one is the proof that the identity is an identity. The second one is the proof that is the proof of knowledge of the secret key and the third one is the proof of wealthfulness of the ciphertext. And so if the opener wants to know the identity of the signer, what he does is use his secret key for the verifiable encryption scheme and decrypt the randomness R in the BDLOB commitment. So when this is done, he can infer the identity from it. Okay, so now I move on to the last part of the video which is a list of the improvements we bring on this lattice-based group signature. So first we extend this scheme to module WE, which, okay. Second, we give a simpler and more efficient way to prove the knowledge of the secret key for the signature of a user. And third, we give a more efficient membership proof by one. So we use a different set calligraphy I and this comes with a different zero-knowledge proof. Okay, and finally the encryption almost comes free. And the wealthfulness proof of the ciphertext as well. And so overall we shrink the size of the signature from 580 kilobytes to 203 kilobytes. Okay, so now I will give a little more details on items 2, 3 and 4. So item 2. So what we need to prove is the knowledge of a short preimage S1 and S2 of this U for this matrix here. So now the problem is that this matrix A and AR-IG contains the identity I. And this identity I cannot be given away because this would break anonymity. So this I is committed to and as I just said in the 2018 construction, this is done in a way that increases the length of the rings' solution to be extracted and this implies pretty bad parameters, I mean worse parameters. So an ID that could be good is to see that this matrix product contains actually a product proof somehow for PDLOB because I is committed to and so if you have a commitment to S2 then you could prove this equation here using the product proof I talked about in the introduction. So now there is a problem with this which is if you commit to S2 then this increases a lot the length of the signature and this is not something you want to do. So we have a different solution for this which is as follows. So let's define A' to be the matrix A and B-IG. So now what we see is that if A' was public then the verification equation would be something like A'z equals W plus Cu. Okay and now from the homomorphic properties of PDLOB commitment scheme we know that the verifier can infer a commitment to A' so from the commitment to I the verifier knows a commitment to this A' because A, B and G are public. So our solution to prove knowledge of S1, S2 is to commit to the W instead of sending it in the clear and then the verification equation which is I remind A'z equals W plus Cu is linear in the committed messages. So as I just said we have a commitment to A' we have a commitment to W and everything else is public so this is a relatively cheap BDLP linear proof that we prove. So we prove the verification equation instead of just proving the statement directly. Okay so this was the second item now I move on to the third item so as I said we have a different set of identities, calligraphic I so our set of identities is the integers in our Q from 0 to 2 to the d minus 1 minus 1 and now I'll explain what the zero knowledge proof of that I is in calligraphic I so I'll explain what this zero knowledge proof is so it goes in two steps first we add an extra commitment to I B which is the inverse entity of the binary representation of I so once this is done remains two things to prove so first we prove that I B is indeed binary so no we prove that I B's entity is binary because it's the inverse entity of some binary representation so this is done using the product proof you have the equations here if you want to check it so this is the first step the second step is proving this unstructured linear relation so let's read this slow so we prove that Q times the entity of I B is equal to the entity of I so if you remember I B so it's still written on the slide I B is the inverse entity of the binary representation of I so entity of I B on the left here is the vector that is the binary representation of I and what we prove is that Q times the binary representation of I is equal to the entity of I so this contains two statements actually so first we prove that the entity of I here is made of the same coefficient all the way because this matrix Q has the same rows so the entity of I is made of only the same coefficients all the way and this means that I is an integer because so you can check it if you want the only RQ elements that have entity coefficients all the same are integers so this second equation here proves that I is an integer and finally since the binary representation only has length D then this also proves that I is an integer in the range 0 to the D minus 1 and this is actually a proof that I is in the calligraphic I so now the last part which is explaining the title of the paper the almost for free encryption so to have this verifiable encryption almost for free what we do is use the commitment as a ciphertext so to do this what we do is we add an extra commitment to root Q times I and so we get a ciphertext that looks like this so we have F0, F1, F2 and the setup authority will plant the decryption key in the public A1 and A2 so it will look like you can check the slides if you are interested in the technical details so we notice that even though A1 and A2 contains a decryption key this doesn't change the distribution because under MLWE this new A1 and A2 are still uniformly random so this change is secure and so again if you want to see how the decryption goes you can pause the video and read the slides and so the proof of wealthfulness for this ciphertext is just the same proof as for the commitment scheme so it's sent already so we prove knowledge of the short R in this equation here and we also prove that the second commitment which is to root Q times I is indeed of root Q times I so this is a BDLOP linear proof which is very cheap and so yeah as I just said the first item here is proven already because we need to prove that the commitment that we know the message in the commitment already and the second one is as I said very cheap so in the end this verifiable encryption comes almost for free okay so there's one more problem that we need to address so in the soundness of the zero-knowledge proof for BDLOP which we use as the proof for the wealthfulness of the ciphertext only ensures that there exists a challenge difference C bar such that this equation holds and what this means is that even if the proof is valid then the verifier is not sure that the decryption is going to be correct and yeah this is not something that we want because all we know is that for the challenge C that is used in the proof there exists a C prime such that C minus C prime times F is a valid ciphertext for C bar times I and yeah so what we do to correct this is change a little the decryption algorithm so instead of decrypting directly F the opener will sample a challenge C prime take C bar to be C minus C prime and try and decrypt C bar times F and then divide it by C bar so as to get the I in the end and this makes sure that the verifier is convinced that the opener will be able to actually open the signature and know who the signer is and so we also give a proof in the paper that this decryption is correct under some conditions and that this decryption terminates because we sample this challenge C prime and we have to make sure that there exists enough C primes so this decryption can go through okay so now there's one open question on the slides so it goes like this so for the traceability reduction we need to add a uniformly random copy so a uniformly random matrix B prime that has the same size as B to the public key so the public key instead of being just A B and U it's going to be A B B prime and U and this has quite a big cost in the signature and now the thing is this B prime that we use seems to be another fact of the proof and yeah if we remove it doesn't seem to affect the security we need this B prime to make the proof so yeah it would be an interesting question to find a traceability proof for this group signature that doesn't rely on this B prime to reduce the size of the signature okay so I guess this is it thanks for watching, bye