 Hello everyone my name is Yu Yu Wang. The title of our paper is How to Obtain Fully Structure Preserving Signatures or Fully Automatic Signatures from Structure Preserving Ones. This is a joint work with Zhong Yang Zhang, Takahiro Matsuda, Gui Qirou Hanaga, and Keisuke Donagao. At first I introduced the signature schemes. As you know in the signature scheme the signer is the signing key SK and the verifier has the verification key which is VK and by making use of SK the signer can sign messages and by making use of VK the verifier can check if the signature is correctly generated. There are several standard security definitions for signatures such as the UFCMA security, the one-time security always say one-time CMA security and RIM security and the Structure Preserving Signature schemes were first introduced by Abe and others in 2010. In fact it's the same as a standard signature scheme except that it's required that the public parameter includes a bilingual group and the verification key, the message, and the signatures consists of only group elements and the verification act with only evaluates the pairing product equations and there are a lot of applications for Structure Preserving Signature schemes such as the plan signatures, group signatures, and the homomorphic signatures and so on. Last year Abe and others proposed the fully Structure Preserving Signature schemes which is the same as the standard Structure Preserving Signature scheme except that it's required that the signing key also consists of only the group elements and there exists some PPEs that can check the correctness of the signing keys with respect to the verification keys. There are several applications of the fully Structure Preserving Signature schemes such as preventing the real key attacks in the big eyes, making the anonymous credentials use a secure and so on. And last year Kaminish and others also made use of the fully Structure Preserving Signatures to construct the unincurable, redactable signatures. In our paper we also defined the fully Automorphic Signatures. A signature scheme is said to be fully Automorphic if it is fully Structure Preserving and Automorphic. Automorphic Signatures allows a signer to sign its own verification key and this property is wanted in applications done in the anonymous credential change. This is the generic construction given by Abe and others in AKOT 15. It combines the XRMA secure fully Structure Preserving Signatures and one-time SPS. Here the XRMA security is the same as the standard RMA security except that it allows the adversary to know the exponents of messages. But this construction is not very efficient. The reason is that to make the one-time signature compatible with the XRMA secure FSPS scheme, we have to make the verification key of the one-time signature three times larger. So they gave another construction which combines the XRMA secure FSPS scheme and the Structure Preserving Tribal Commitment scheme. This one this construction is very nice and it's more efficient. But as far as we know there is only one time date for the XRMA FSPS scheme and the Tribal Commitment scheme respectively except for the variants. So this will derive several drawbacks such as the instantiations of these constructions are based on at least the SXTH and XD assumptions and the verification key and the signature of their most efficient FSPS scheme consists of more than 10 N group elements in total if the message consists of N squared group elements which we think it's a little it's still a little large. And they only provided the instantiations in the type 3 bilinear group and the fully automatic instantiations I mean derived from their constructions are not very efficient. The reason is that the verification key of their XRMA secure FSPS scheme consists of elements in two groups but the messages only consists of elements in one group. So they need to use another additionally use another one-time signature scheme which will make it less efficient. Although the 10 dates all the just few candidates for the XRMA secure FSPS and the Tribal Commitment scheme the standard structure preserving signature schemes are widely researched and they have a lot of 10 dates. So it's natural to ask if we can construct fully structured preserving signatures from standard ones. But we found that it's a little difficult to directly construct FSPS from SPS. For example if the message is elements in G1 and the signing key is X which is in ZP. Then in the signing procedure we usually need to compute M to the X from M and X. But if we put the signing key into the group which means that the signing key is G to the X now then it's hard to compute M to the X from the capital M and the capital X. This is due to the CDH assumption. So we need some bridge to obtain FSPS schemes from SPS1. Our basic idea is that we make use of the capital X which is the signing key of scheme one to sign the lowercase v which is the exponent of the verification key of scheme two. Then we use the signing key of scheme two which is X prime and it's in ZP to sign the message. By doing this we can make sure that both the signing key and the message are in group and we formalize the first scheme as the triple signature scheme and the second scheme as the signature with auxiliary key. And the triple signature schemes and the signatures with auxiliary input will be our bridge to convert structure preserving signature schemes to fully structure preserving ones. This is our definition of the triple signatures. In the key generation algorithm the key generation algorithm outputs the vk, sk and additionally a trapezoid key which is tk and the signing procedure is the same as the standard signature schemes. It just makes use of sk to sign the message and the verification algorithm takes as input vk, gamma m and sigma where gamma is some efficiently computable projection and it doesn't need to know m to check the correctness of the signature and additionally there is another algorithm which is td sign. It can directly sign gamma m by making use of the trapezoid key tk. This is the CMA security for the trapezoid insurers. In fact it's similar to the f1 vulnerability. The adversary just make the sending queries such as CMI to the challenger and get the answer back and at some point it outputs the forgery which is m star and the sigma star and the security guarantees that if m star is different from all gamma m then the probability that the forgery is successful is negligible. We can see that setup gene td sign and verify forms a standard signature scheme which makes use of the signing key tk not sk tk to sign gamma m and we prove that if this signature scheme is CMA secure then our trapezoid signature scheme is also CMA secure. That's how we obtain the security of the trapezoid signature schemes from I mean standard signature schemes. And we also define the signing key structure preserving property for the trapezoid signature schemes. This property says that if setup gene td sign and verify is structure preserving and the signing key consists of elements in just consists of group elements and there exists ppes to verify the correctness of the key pairs and then it is sk sp they satisfy the sk sp property and notice that the messages and the trapezoid keys are not necessary I mean consist only of group elements and we prove that all the well formed sps schemes can be converted to an sk sp trapezoid signature where the I mean the bijection gamma maps from zp to the group if the SWATS zp demo holds here well formed means that I mean roughly speaking it means that spaces of the randomness and message elements are super polynomially large and generating signature only involves group operations and scalar operations. This is a very natural property and as far as we know all the existing structure preserving signature schemes are well formed. This is our definition of the signatures with auxiliary key or we call it AKS scheme. It's the same as a standard signature scheme except that the key generation algorithm additionally outputs the outputs and locks the real key and it's required that the verification key is equal to gamma ak. Gamma is also an efficiently computable bijection here. It's a straightforward fact that all the sps schemes with algebraic key generation algorithm can be converted to a structure preserving AKS scheme. Here the syntax and the security of the structure preserving AKS scheme is the same as the standard sps schemes except that the key generation algorithm additionally outputs the auxiliary key. This is our generic construction. We use the blue blocks to denote the SKSP triple signature scheme and use the green block to denote the structure preserving or AKS scheme and it's required that the bijection the underlying bijection of these two schemes should be the same. In the key generation procedure the algorithm just takes as input the public parameter and outputs the VKSK and TK and in the signing procedure we firstly I mean samples VK prime SK prime and AK prime for the AKS scheme and then we make use of SK to sign AK prime and use SK prime to sign the message and the signatures are sigma and sigma prime respectively and the final output will be VK prime sigma and sigma prime and this is the verification procedure we make use of VK to verify if sigma is correctly generated signature with respect to VK prime not AK prime and we use VK prime to check if sigma prime is correctly generated with respect to the message thanks to the SKSP property and the structure preserving property we have that the VKSK the message and the signatures are all consist only of group elements and we can use PPS to check the correctness of the key pairs and the signatures and this can be treated as a generalized version of the well-known EGM paradigm this is our generic construction we just use the SKSP triplet signature scheme and SP AKS scheme to obtain the FSPS scheme and in fact we can relax the security of the triplet signature scheme to RMA security as long as the triplet signature scheme satisfies a property called random auxiliary key property this property is very natural and it's satisfied by almost all the SPS schemes we can also replace the one-time secure AKS scheme with the CMA secure AKS scheme or the two-tier AKS scheme this may help us to achieve better efficiency this is the comprising of the FSPS schemes based on standard assumptions we can see that our I mean compared with AKOT 15 our signature size I mean the most right column is longer but our verification size the signing key the signature size is shorter and the number of PPE is smaller and our assumption is weaker we don't need to use the x-dealing assumption and this is the comprising of fully automorphic signatures the same as before the signing key size is longer but the verification key size the signature size and the number of PPE is I mean is better we also listed I mean other instantiations in this table most of them are automorphic and the third one is derived from the I mean structure preserving signature scheme proposed by Jin Scott last year and it's a little heavier than the fully structure preserving scheme by Jin Scott but as far as we know this is the most efficient fully automorphic signature scheme by now and this one is the one we introduced in the previous table it's derived from the structure preserving signature scheme by kills and others and as far as we know it's the most efficient FSPS scheme and fully automorphic scheme based on standard assumptions and the three I mean the three FSPS schemes are the first FSPS schemes in type one group I mean type one bilinear group and we also proposed other I mean one time secure instantiations they are relatively more efficient than the fully secure ones and this is the conclusion of our work thank you any questions or comments so if there is no question then let's thank the speaker and all the speakers in this session so excuse me have one small announcement so for those who go to the excursion this afternoon then please please go to the manhole downstairs on the right hand side 10 minutes before two so it's 150 so we and then we first we go to the museum and after the museum we go to to see the puppet the water puppet theater and because that time should be the traffic time in in Hanoi so you should be in time and follow the instruction of the garter so that we can go there in time okay so have a nice afternoon