Hi everybody. My name is Abida Haque and today I'll be talking about threshold ring signatures, new security definitions, and post-quantum security. This is joint work with Alessandro Scafuro, my advisor, and we are both at North Carolina State University.

So first I want to talk about the problem description. What is a threshold ring signature and why should we care? Very quickly, a threshold ring signature is where t distinct parties anonymously sign on behalf of a ring of n public keys. The identity of the signers remains private to any non-signers. I want to break this down a little bit more, and let's go backwards. The last word is signature. With a signature you have a signer that uses their secret key and they sign a message. The verifier, upon receiving the signature, is convinced that the signature really did come from the signer, because only somebody with knowledge of that secret key could have produced a signature. Signatures have this property of unforgeability. The next word is ring. Now with the ring we have a signer and we have the remaining members of the ring as non-signers. One of the members of the ring is going to sign the message with respect to their secret key, and they're also going to sign with respect to the ring. When the verifier receives the signature he's going to be convinced that it came from somebody in the ring, but he doesn't know whom. Therefore we additionally have this property of anonymity: we still have unforgeability and we additionally have anonymity. Finally we have a threshold ring signature. Now you have multiple signers who are going to work together, each using their individual secret keys, to produce a message on behalf of the ring. The verifier, upon receiving the signature, is going to be convinced that at least threshold many signers must have participated, but he doesn't know which particular members it was.
So you retain unforgeability and anonymity; we just have a threshold version of both of those notions. Now why might we be interested in threshold ring signatures? Well, with thresholds there's an increased tolerance to misbehavior of users. This suits decentralized settings, because maybe somebody wants to go offline for a while but you still want to get the quorum. As an example, let's suppose that there is an ad hoc voting mechanism for community projects which are posted on the blockchain. With the picture here I said, okay, let's say that three out of five people voted and they say, yeah, we want to fund project B. Now what's on the blockchain is public, so it's known that there are three people who want to fund project B, but it's not known which particular members want to do this.

Next I want to talk about the current state of the art. There are a few threshold ring signature schemes out there. However, we noticed two issues with previous schemes: one is passive security definitions and the other one is post-quantum insecurity. I already alluded to this, but a threshold ring signature setting is an ad hoc setting where the users can generate their keys independently. A ring has no center, there's no manager, everyone is sort of equal in this ring; all you have to do is raise your sword and voilà, you are a member of the ring. But this means that users could join the system with dishonestly generated keys. Despite this, previous threshold ring signature schemes only consider passive adversaries, and in this case adversaries can only obtain honestly generated keys. Sometimes they can't even choose to add more honest keys to the system, and perhaps they can't even corrupt the keys. As Bender, Katz and Morselli observe, this passive setting does not reflect the open setting that a ring signature scheme should have, and therefore what a threshold ring signature scheme should have.
The next problem is post-quantum insecurity. The first issue is hardness assumptions. There are problems like discrete log and factoring that are not secure against an attack from a quantum adversary, so any threshold ring signature scheme that relies on these kinds of problems is not going to be post-quantum secure. Now there are schemes which use post-quantum secure problems, such as lattices or learning with errors, but they might have another problem associated with them, and that has to do with the proof techniques. In a signature scheme it's very common to use the Fiat-Shamir transformation, but the security of the Fiat-Shamir transformation might not hold in the quantum setting, and that's because quantum rewinding is not trivial. I'll talk about this more in a second. There are some situations in which Fiat-Shamir is post-quantum secure, but this might not hold in general.

To give an overview of what the Fiat-Shamir transformation looks like: it transforms an interactive protocol into a non-interactive one. This interactive protocol is a sigma protocol, where first the signer is going to send over a commitment, the verifier is going to send back a challenge, and the signer is going to send an answer. Instead of having these three steps we're going to squash it down into a single step. The way that this works is that instead of getting that challenge from the verifier there's now a random oracle. The signer can query the random oracle for his challenge and then he can send all the messages over in a single shot to the verifier. The verifier can check that this response really came from the random oracle, because he also has access to the random oracle, and thus he can verify what the signer is trying to show. Now most of the time, in order to prove the security of a scheme that uses the Fiat-Shamir transformation, we use rewinding.
So what would happen is the signer sends his first message, and then the steps go as before, including the use of the random oracle. Then we rewind back and we get a different challenge from the random oracle. In the end you have two different transcripts, and using these two different transcripts it's usually possible to break some sort of hardness assumption. Now this doesn't quite work out in the quantum setting. It works in the classical setting because every time you request something from the random oracle you get a single response: query, response; query, response. However, in the quantum setting you can get a superposition of answers. So now an adversary can query a superposition and get a superposition of responses. It's actually possible to find all possible outputs using only a single query. This is why, instead of the Fiat-Shamir transformation, we're going to use Unruh, and I will talk about that near the end.

Next I want to talk about our contribution and how we were able to overcome some of the problems with previous threshold ring signature schemes. The first thing is that we have definitions for unforgeability and anonymity that capture active adversaries, and two, we provide a post-quantum secure proof for a threshold ring signature. We generalize previous approaches and we use the Unruh transformation to guarantee post-quantum security. We capture active adversaries by which particular oracles we give them access to. The oracles that we're going to give are key generation, sign, corrupt, and register. For both anonymity and unforgeability the adversarial power is the same: he can query all of these oracles. For anonymity, in the end the adversary is going to pick two signing sets and he's going to have to decide which one he received a signature on.
For unforgeability, the adversary produces his own forgery, and so long as he's corrupted fewer than threshold t members in the ring, then he has forged a signature. Let's look a little bit more in depth at these oracles, and I want to point out specifically key generation and register. With key generation the adversary can actually ask for more honest keys to be added to the ring, and he can grow this ring pretty much as big as he would like to. But he has access not only to honestly generated keys but also to register. So now the adversary is able to produce his own keys: he can provide a public key to the oracle, who's then going to add it to the ring. The adversary can, for example, look at previously honestly generated keys and combine them in certain ways to create new keys. All of these oracles he can ask in any order that he likes. With the addition of these adversary powers, the definitions for our unforgeability and anonymity now capture active adversaries.

Next we have a post-quantum secure proof. In order to ensure that we have a post-quantum secure problem, we make black-box use of trapdoor commitment schemes. In particular, for it to be post-quantum secure we of course need a post-quantum secure trapdoor commitment scheme. Because of this black-box use, anyone who would in the future like to instantiate a particular threshold ring signature scheme can instantiate it with any trapdoor commitment scheme they like, and they will have a post-quantum secure threshold ring signature scheme. Next, in order to guarantee post-quantum security, our scheme uses the Unruh transformation, and with the Unruh transformation we can avoid rewinding. We avoid rewinding by making all outputs part of the signature, and we'll see how this works in a little bit.
So with that I'm now ready to talk about our scheme, and first I need to talk about the building blocks. The first is the trapdoor commitment scheme. I'll describe that by way of a commitment scheme. In a commitment scheme the sender can commit to a message. The receiver cannot learn what the message is, because this commitment is binding; basically the sender is going to put his message inside a lockbox and he's only going to send the commitment over. Later on the sender can open the message and the receiver can check that that was what was committed to. It is not possible here for the sender to open to a different message than what he originally committed to, and this is the property known as binding. However, knowing a trapdoor it's possible to change your mind. So now there is a commitment but there's no message inside; with knowledge of a trapdoor t, which I represented by this key, the sender can actually open a commitment to any message they like. We retain the property of hiding, and also binding as long as you don't have knowledge of the trapdoor. In addition we have this new property called trapdoor indistinguishability, which means that the receiver can't tell whether the commitment, message and opening she's seeing is from an honest commitment or from a trapdoor commitment.

The next building block is the Shamir secret sharing scheme. In order to illustrate this I'm going to show a three-out-of-five Shamir secret sharing. There is a secret which is called z, and one way to share z is to come up with a polynomial where z is the constant term. If you want a three-out-of-five Shamir secret sharing then you need to have a polynomial of degree two. In general, when you want t out of n, you need a polynomial of degree t minus one.
So we're going to share the secret z by use of this polynomial y = ax^2 + bx + z, and what's going to happen is that the different secret shares are just going to be points which are on this polynomial. Later on, if they would like to figure out what z is, they can combine points to uniquely recover z. With three of these points they can actually interpolate the polynomial and then figure out what z is. However, with only two points it's not enough to recreate the polynomial, and the reason for that is that with only two points there are lots of solutions to the quadratic polynomial, but the second you add a third point you uniquely define the polynomial. In addition to the points that the shares hold, the point (0, z) is of course a point. So you can recreate the polynomial using two points from any of these secret shares together with the point (0, z).

With that in mind, let's go into our protocol. For a three-out-of-five threshold ring signature scheme we have three signers and we have two non-signers, and the signers of course know their own secret keys. That secret key is the trapdoor for a commitment scheme, and the public key is associated with the public information of that commitment scheme. Additionally they have a point x, which is the same as the x that was in the Shamir secret sharing scheme. So now let's go over the template for what our scheme looks like. Because the signers have their own secret keys they can create trapdoor commitments, but like I said, the non-signers don't know the secret key; they have to commit to something in particular, and what they're going to commit to is points y, so that later on the point (x_q, y_q) is going to be a point on the polynomial. Right now they have two points from these two non-signers, so they need a third point in order to get a quadratic polynomial.
So what they're going to do is gather up their commitments into a vector, and then using this vector they're going to call the random oracle and get z. Now all of a sudden they have three points: they have the points from the non-signers and they have this point (0, z), so they can interpolate a polynomial. Once they've interpolated this polynomial, the signers actually know what to open their commitments to: if they have the point x_s, they open to the point y_s that's on this polynomial they've interpolated. Now they have openings that all lie on this polynomial, and they're going to send the openings to the verifier. The verifier is going to check that all of these openings fall on a polynomial of, in this case, degree two, and because he knows that there are five people in the ring and he now has a polynomial of degree two, he's convinced that at least three people in the ring must have contributed to this signature.

So now I'd like to give the overview of security. To prove both anonymity and unforgeability, the technique is to swap every trapdoor commitment out with an honest commitment, and we'll go step by step. At the end, signers and non-signers are going to look perfectly alike; there's no such thing anymore, really, because it's all honest commitments. With anonymity, at the end, with all honest trapdoors, the two signatures are going to be exactly alike, and because we went step by step replacing trapdoor commitments, we can conclude that the original two sets must have been indistinguishable as well. Unforgeability is slightly more involved than that, and this is where I want to take you back to thinking about the Fiat-Shamir transformation, and then I'll show why the Unruh transformation is needed.
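Added example (editor's illustration, not code from the talk or the paper): a toy Python run of the template just described, for the talk's three-out-of-five ring. Non-signers commit honestly to random points, the signers make trapdoor commitments, the commitment vector is hashed to get z, everybody's points are forced onto the interpolated polynomial through (0, z), and the verifier checks the openings and the polynomial degree. Assumptions that are mine, not the talk's: Pedersen commitments (public key h = g^t, trapdoor t) stand in for the trapdoor commitment scheme, which makes this toy discrete-log based and therefore not post-quantum; SHA-256 over the message, ring and commitment vector plays the random oracle; the group is a fixed-seed 64-bit safe prime found at import time; one `sign` function holds all the signers' trapdoors, standing in for the cooperation the talk mentions; and the verifier checks for a polynomial of degree n − t, which equals the degree two the talk uses for 3-of-5 (the general-parameter reading is my counting of free points, not something the talk states). The Unruh multi-challenge layer described later in the talk is not included.

```python
"""Toy t-of-n threshold ring signature following the talk's commit / hash /
interpolate / open template.  Pedersen commitments are the assumed trapdoor
commitment (NOT post-quantum); group parameters are small and assumed."""
import hashlib
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact below 3.3e24."""
    if n < 2 or any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits, rng):
    """(p, q) with p = 2q + 1 both prime; 4 generates the order-q subgroup of Z_p*."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(64, random.Random(2020))   # toy, fixed-seed parameters (assumed)
G = 4

def commit(h, m, r):
    """Pedersen commitment g^m h^r under ring member public key h."""
    return pow(G, m, P) * pow(h, r, P) % P

def trapdoor_open(t, m0, r0, m1):
    """With trapdoor t (h = g^t), re-open g^m0 h^r0 to m1: m0 + t r0 = m1 + t r1 mod Q."""
    return (r0 + (m0 - m1) * pow(t, -1, Q)) % Q

def interpolate(points, x):
    """Evaluate at x the unique polynomial over F_Q through the given points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def keygen(rng):
    """Secret key = trapdoor t, public key = g^t.  Member i uses abscissa x = i + 1."""
    t = rng.randrange(1, Q)
    return t, pow(G, t, P)

def random_oracle(msg, pks, commitments):
    """z = H(message, ring, commitment vector) reduced into the field."""
    data = msg + b"|" + b",".join(str(v).encode() for v in pks + commitments)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(msg, pks, secrets, t, rng):
    """secrets maps ring index -> trapdoor for the cooperating signers.  Run with
    fewer than t trapdoors, the same procedure produces a failed forgery."""
    n = len(pks)
    signers = dict(list(secrets.items())[:t])     # extra signers simply act honestly
    ms = [rng.randrange(Q) for _ in range(n)]     # non-signers' real y values
    rs = [rng.randrange(Q) for _ in range(n)]
    cs = [commit(pks[i], ms[i], rs[i]) for i in range(n)]   # the commitment vector
    z = random_oracle(msg, pks, cs)
    # (0, z) plus the honest points pin down a degree-(n - t) polynomial f (degree 2
    # for 3-of-5); a forger with too few trapdoors has leftover honest points off f.
    fixed = ([(0, z)] + [(i + 1, ms[i]) for i in range(n) if i not in signers])[: n - t + 1]
    ys, rs_open = list(ms), list(rs)
    for i, t_i in signers.items():
        ys[i] = interpolate(fixed, i + 1)                   # signer's point on f
        rs_open[i] = trapdoor_open(t_i, ms[i], rs[i], ys[i])
    return cs, list(zip(ys, rs_open))

def verify(msg, pks, sig, t):
    """All openings must match, and (0, z), (1, y_1), ..., (n, y_n) must lie on one
    polynomial of degree at most n - t."""
    n = len(pks)
    cs, opens = sig
    if len(cs) != n or len(opens) != n:
        return False
    if any(commit(pks[i], y, r) != cs[i] for i, (y, r) in enumerate(opens)):
        return False
    z = random_oracle(msg, pks, cs)
    pts = [(0, z)] + [(i + 1, y) for i, (y, _) in enumerate(opens)]
    base, rest = pts[: n - t + 1], pts[n - t + 1:]
    return all(interpolate(base, x) == y for x, y in rest)

def demo(seed=1):
    """The talk's 3-of-5 flow (members 0, 2, 4 sign) plus a two-trapdoor forgery."""
    rng = random.Random(seed)
    keys = [keygen(rng) for _ in range(5)]
    pks = [h for _, h in keys]
    msg = b"fund project B"                        # constructed sample message
    sig = sign(msg, pks, {0: keys[0][0], 2: keys[2][0], 4: keys[4][0]}, 3, rng)
    forged = sign(msg, pks, {0: keys[0][0], 1: keys[1][0]}, 3, rng)
    return {"honest_verifies": verify(msg, pks, sig, 3),
            "other_message_verifies": verify(b"fund project A", pks, sig, 3),
            "two_key_forgery_verifies": verify(msg, pks, forged, 3)}
```

Running `demo()` shows the honest signature verifying, the same signature failing on a different message (z changes, so the honest points no longer sit on the verifier's polynomial), and the two-trapdoor forgery failing: the forger can only move two points onto the interpolated polynomial, and the third honest point lands on it with probability about 1/Q. Note that the verifier learns nothing about which three of the five keys were used, since after opening, trapdoor and honest openings are just points on the same polynomial.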
So now we have this vector of commitments, and this vector of commitments can be sent to the random oracle to get a z, and that produces the polynomial that we can interpolate on. Then, to prove this with Fiat-Shamir, you would normally rewind, get another point z', and therefore get a new set of openings, and with these two sets of openings it's possible, in this case, to break the binding of the commitment scheme. But this uses rewinding, and we cannot really do that with a quantum secure scheme. This is where the Unruh transformation comes in: rather than rewinding, we're going to include all the outputs in the proof, and we need to make the random oracle invertible. You see here the requests to the random oracle: you can ask on x, you can ask on a superposition of x, and then get H(x) in return. When the proof is produced it's possible to invert, only in the reduction, to get an x and figure out a witness.
So using this technique, instead of making a single commitment, the signers are going to make N commitments, and then for each of these N commitments they're actually not going to answer one challenge but M challenges all at once. Here are the M challenges that they're going to answer. Each of these is going to be hidden again by use of the random oracle; I used the value G here to show what the output would be. Only one particular vector will be opened, so the verifier will only see one set of openings. However, because this set of openings is picked randomly, with high probability it must be the case that the signers actually know their secrets. Now for the proof of unforgeability we have basically this matrix of hidden openings to the commitment. In the reduction, by giving access to the inversion, it's possible to invert everything and then find two valid responses to the commitment, and this allows you to break binding of the trapdoor commitment scheme.

So with that I'd like to give a summary of what I talked about. We are the first to provide formal definitions for a t-out-of-n threshold ring signature scheme in the presence of active adversaries that leverage malicious keys in their attack; this generalizes the definitions from Bender et al. from one-out-of-n to a threshold t-out-of-n. Two, we created a scheme which uses black-box trapdoor commitments; that means that parties can use any post-quantum trapdoor commitment scheme to instantiate our threshold ring signature. And finally, we are the first construction that is provably secure against quantum adversaries that have quantum access to the random oracle, and we achieve this via use of the Unruh transformation.

I'd like to leave off with questions about future research. One issue with the Unruh transformation is that it is very heavy, because all the outputs have to be produced at the time of the signature, so you have a very large signature. The question is: is it possible to use Fiat-Shamir for threshold ring signatures in a way that's provably post-quantum secure? I mentioned earlier that there is some work looking at how to make Fiat-Shamir post-quantum secure, and it is in certain situations, so the question then is whether you can apply these situations to threshold ring signatures. The second question is: can we make a post-quantum threshold secure signature where we have anonymity even among the signers? As you might have noticed during the description of the template, these signers at least have to know who the others are, and they have to cooperate with one another. But there's a question of whether it's possible for the signers not to have to cooperate. For example, what if it was possible to produce just a one-out-of-n ring signature, and then a list of t of those would suffice as a threshold ring signature, where somehow the verifier would still be convinced that this really came from t distinct signers and not the same one over and over again. And so with that, that is all, and if you are interested in reading further, our paper is available on ePrint. Thank you.