 Okay, so the second paper is towards tightly secure lattice shot signature and ID base encryption The speaker is Jin Jin Lee Wait, all right. Hello everyone. I'm Jin Yi. This is joined to work with Xavier Okay, the the title of our paper is the is about tightly secure signature scheme and I be so This let me start with the motivations, so our we have two motivations the first motivation is that currently there is there is no both sure There is no the short lattice signature with tight security reduction And the second one is the currently we don't have a tightly secure lattice I be with all right So we do have mailing very nice Techniques for obtaining good the lattice signatures and the lattice I be is but none of them Satisfy these two requirements short and tight and tight I be so Then just to quickly go over the definition of the of the tight security So so usually I think most of people should familiar with this Theorem the template of the theorem and in particular we care about this part So if an adversary has an advantage epsilon We we will give a reduction showing that We will have this advantage to break some hard problems and here because this this theta We will lose some we will lose some Some some advantage here So we want to for tight for tight reduction. We want to this Theta to be as small as possible So theta mirrors the tightness of reduction. So to be more precise we in in our in our cryptographic schemes, we have a Security parameters lambda and the way sometimes in the security mode We also we also consider a number of adversary queries, which is Q so by tight by tight reduction, we mean that theta is the constant that independent of a security parameter and the adversary query Q and by lose reduction, the theta is theta depends on the Q so So the reason why we want to tight reduction is Of course in practice if the if the reduction is tight then we usually get shorter security parameters Which usually gives us more efficient cryptographic scheme and in theory, of course, we want to show how the hard how close the hotness of to Sorry, okay Okay, okay, thanks. Thanks. So in theory, we want to show that how Show the hardness of two computational problem is closed. So this the motivation So this is in practice. This is more important So this is our result and the wish we we give a tightly secure short signature Let it signature an IBE scheme without read more local from some conservative lattice assumptions and a concrete instantiation of a pseudo random function So this is no general in ours in our construction. We have to explicitly use some PRF So this is the result. So I want to read them, but they just look at this. So our reduction is tight Just by looking at this. So we have two here. So theta is two here. So Okay, let's go to our techniques. So here This signature will I will show you my technique of through the signatures So signatures we have this three algorithms and the way you need the correct list So and in the security model we consider in this exist Existential unforgability against the choosing message attack meaning that essentially adversary can choose many messages Adaptively and to obtain the corresponding signatures and finally the adversary We will try to fall try to make come up with our forgeries such come up with a valid forgery and where the the message hasn't been signed by by the by the challenger before so So here is our method. So We kind of like a combine lots of Nice techniques, but not necessarily related to signatures and IBE. So So firstly the the first technical we are using is this cuts one's magic bit So I use this magic bit this magic bit comes from Michelle Abdullah's Talk a few years ago So cats once magic bit for obtaining tightly secure signature scheme for food or man has fun Food or man has signatures. So this is the kind of inherent In the random or model, but we want to do in the standard model Also, since we are doing we are constructing something from let's say, so we will use this very powerful Ture called the two-sided lattice trapdoors and Our our signature scheme and IBE scheme is essentially inspired by boy on signature, which has already been mentioned in the last last talk and finally we we sorry finally we Will use this very nice very nice gsw fully homomorphic encryption and This fully key homomorphic encryption in the context of FHE and attribute-based encryption for circuit. So we come by all of them in a long trivial way. So So firstly cats once magic bit. So cats once magic bit is an unpredictable bit It's just a one bit and associated with every message. So usually we We would like to set up this this value by using a pseudo random function. So for each message we have Because the pseudo random function is deterministic. So we have one bit here. All right So the idea of the cats once magic magic bit is that in the real scheme each message has exactly two signatures and The Siner because Siner has a signing key. He can produce is he can produce both of them But for security reason we only give one of them So what happens in the security prove is that? in the during the quarry phase the simulator is able to create The signature which is associated with this magic bit, but not another one So but this this this does this fact that does give us the Advantage that all the side inquiries can be answered because at least we can answer one of the two signatures So during the forgery case a similar lead the adversary would output a forgery but but he doesn't know essentially he because because this This I'm predicting this beat is unpredictable. So adversely doesn't know which one He should forge. So with essentially One-half probability at the adversary will will choose a Forgery such that the simulator cannot produce then simulator can use that to solve the underlying heart problems Okay, so the next technique is the two-sided lattice trapdoor. So to two-sided Two-sided lattice trapdoor comes from this this Trapdoor's for for sis for sis problem, which we have already seen from last talk So here the sis sis problem. We are giving a matrix a we are asking to find a short Short solution sigma such that a times sigma equals to zero here of We have the key point here is that sigma has to be small. Otherwise, there are lots of solutions So if if so here the the things that if we choose this a uniformly read them Then finding short sigma is hard This is the sis problem and on the other hand some somehow we can use some algorithm to generate a Metrics a along with a trapdoor and using this trapdoor we can we can efficiently find a pretty good solution here so the idea of this of the of our signature is is from this GPV style signature scheme where a trapdoor t of a will serves as a signing key and Value solution sigma will serve as a signature. So that's a general idea. So Here is the description of the two-sided lattice trapdoor. So that two-sided lattice trapdoor We have two sides. So we have this left side. We have the right side So we construct the somehow construct this function this this matrix if like this So are here is a is the low-long and the H is the scalar So the things that if we have so usually we will have a trapdoor for this matrix a If you have a matrix if you have a trapdoor for a then it doesn't matter What H you are going to pick you will be able to have a trapdoor for F then you can you can sign messages and In this and in the simulation in the proofs we will we won't be able to have a trapdoor for a but We will we will need to we can somehow use a structure of a right side right-hand side To to do something like for instance if H is not zero or though we don't have a Yeah, sorry so sorry so sorry So so so here for right trapdoor if H is not zero We will be able to have a trapdoor for the whole thing for F if H is zero then we lose a trapdoor Then we cannot sign but if we cannot sign on the other hand on the other hand We can we can we can exploit the adversaries for jury to solve this problem. So That's idea. So the idea. So this idea has been used Used in this boy on signature scheme Which which you have seen in last talk. So this boy on signature scheme looks like this Here this right-hand side metrics Depends on the message. So for each message you will get a different right hand You would get a different metric matrices in the right-hand side and because the signer has the has a trapdoor for this or left at Right Left-hand side then he can always generate a signature. So and the proof idea is the following So in a security proof, we won't be able to have trapped or for a That's that's that's that's a safe challenge But somehow we can create a right create our metrics in the right-hand side as This form so this is the hash function of M. H I can be seen as a constant So here M is depends on for for different M We will get different RM and RM is short and in the simulation The right-hand side is statistically close to the right-hand side in the rail scheme So that's a simulation and the idea of this proof is the is precisely the idea of the two-sided trapdoor So applying this principle if H H or H of M is zero then we lose We lose a trapdoor from the right-hand side But we can we can manage it to solve the six problem And if if H of M is no zero then by using this right hand the trapdoor from right-hand side We can manage it to to sample signatures. So Idea is here simulator hopes hopes that for all Signing queries H of M is non-zero so we can we can answer signing queries this happens with roughly this probability and In the forgery case we do hope that the adversaries forgery M makes H of M to be zero and This happens with with this probability and to put them together. We get a somewhat loose reduction here So Poirot milk, so our idea is that is the following So we we incorporate this magic beat in into this two-sided trapdoor So instead of using this this a harsh function here. We just put our Magic beat inside so essentially this part is going to be just one beat So depending on whether it's zero or one if it's one then we have right hand We have the right right trapdoor if it's zero we have We don't have trouble, but here we have two matrices. So the verification key consists of two matrices So we will be labeled we can make sure that we always have Have a have a trapdoor for either this guy or this guy. So So by doing this as required by the cuts ones idea, so we can Essentially generate exactly one here. I quote one because here essentially we are considering Value the signature from one set So here it's not just the one but from a set of signatures So we can generate signatures for for this metric from this matrix, but not for this matrix Because we we have trapped off for this guy, but we don't have trouble for this guy so this allows us to answer all the side inquiries and In the forgery in the forge case because this be this BM if you look at here this BM star is Is unpredictable so? Essentially adversary has no idea which one he he should forge then with essentially this probability His forgery give that give us power to solve C's so of okay, so This this is good. This is good, but by the things that It seems that because this this a magic beat is is output of a PRF How how can we embed this PRF inside this structure? I mean in cats one's original design this part The functionality of this part is done by using read more oracle, but we don't want to use rather more oracle So what we want to explicitly in embed this PRF inside so? Oh, so we can so here is the here is that not is the next step We can use the we want to we want to embed the PRF in and and come and somehow evaluate the PRF inside into this matrix so By looking at this so so here the things that the PRF can be expressed by by a small depth circuit Boolean circuit Usually we have a manning good candidate of PRF. They have a very low depth instantia implementation so here is the circuit we assume we have this circuit and This guy looks like a cipher test of the fully homomorphic encryption of GS GSW fully homomorphic encryption or the party key of the flea key homomorphic Inquisitions so so we can apply the the Homomorphic evaluation algorithm from these two papers to to embed the PRF inside so So here So we can express the so suppose so in this in this GSW FHE or the flea key homomorphic encryption system We can give in this two kind of matrices where they Where you and they are input of a logic gate and the W is the output of a logic gate we can Use the technique of from these two papers to deterministically compute a unique Matrix AW such that AW has this form and of course are our RW has no long if are you and RV has no long So I won't I won't go to the details, but you just believe me We can we can evaluate the gate by gate by doing this kind of thing So what happens that we are going to express this PRF as a Boolean circuit With binary input so our first input is that is the sacred key of the of the of the PRF so we encrypt each bit of the PRF key by by doing this and We encrypt the the message of the of We encrypt the message by doing this so essentially this is say MI and the BKI they are Cypher test the of the of the GSW FHE scheme so By using this Using this a matrices we can and and this the evaluations Evaluation method we can we can take as this this matrices as input and we can get this this guy This is what we want so this this is the idea in the proof and This is the our real scheme So in our real scheme, there is no PRF there is no PRF key inside this BI BKI BKT or C0 C1 But in the proof we are we will we will use we will embed the the secret the secret key and message inside of them So the system is looks like this So in the real system as you can see we have a trapdoor for this a For this a so if you look at here, we have a trapdoor for a then we have a right Left we have a left trapdoor then we can all the the signer can always produce the signatures But in need He will only output to one signature exactly one signature Based on this magic beat not to he can produce to but he won't so so here is the is the key point Only one of them is is gonna be issued so by the similar idea of from from these papers GPV signature and IBE and ABB 10 IBE and This boy on signature we we can we can turn this Signature scheme into a into a IB scheme essentially because we are not We are not throwing into new randomness during our signing algorithm or signing algorithm So apart from the message there is no more So we don't randomize the message like what what people did by using comment on hutch function or something like that So here we can we manage to construct the IB scheme just directly from the signature scheme So here is the here is the idea So in the key generation the key the identity key in our IB scheme are essentially the signature signatures, so For each identity we will have two two identity keys But we only give one and the two two input message We are going to use a we are going to construct the two this kind so-called you reggae encryption scheme, so we have we construct two separate is two separate is and And to decrypt of course, we only have one one key So maybe this key works for this guy all works for this guy, but not both so the decryptor has to try Has to try so with we probably we need to Put some redundancy in the cipher test Okay, so here's something I want to I want I need to mention is that if you look at the cats runs paper They use this PRF to to to make a Signing process stateless if they don't use PRF then of course they get a really tight reduction, but the Signing process has to be stateful and Another thing I need to mention is that because here we need to explicitly use some concrete PRF So we need to if we if you are considering this lattice bit pure lattice based construction We will need to use these PRF's so but these PRF's they they need to require slightly strong LW assumption so and Last but not least I should mention that our system is not efficient. It's actually quite inefficient But so we actually don't gain efficiency from this type reduction So but here I I need to see that If you really want to get so it's kind of a little bit of awkward But but if you really want to get the efficient I be what what what we have is that you should pick up this Selectively secure I be systems and then do this so-called the complexity leveraging So essentially you have in the security proof you have this Selective security model adversary will come into your his challenge identity and as a simulator You just you you just guess that identity of course identity space is very big So you lose something but it turns out by doing this a complexity leveraging you you get Really good real-world efficiency then this natural natural Naturally proved the adaptive risk your I be schemes So but you want but to do this complexity leveraging in a real world you should you should really? considering you should really calculate your parameters carefully, oh and You should consider these parameters really really carefully and After doing this you still get the efficient to adaptively secure I be or maybe signature scheme in the in the standard model. So This is also mentioned by who you take away in this talk. So there is a practice and the theory to gap there So to conclude we have a way we combine We combine this we combine lots of nice idea from very different contexts So we we use this cast once idea for proving For domain hashi signatures in the red molecule model. We use this lattice trapdoor we use this a nice fully homomorphic encryption idea and we obtained Signature scheme with a short signatures and type security reduction and our I be scheme Achieve that type security and unbounded pollution in the standard model in the first time so so Yeah, that's That's my job. So, thank you Any short questions or comments? First of all, very nice talk. Thanks So I seen that you presented it in a very abstract way. So presented, you know, this technique of One one and then there is this very cool idea of the encryption scheme the fully homomorphic I would like to ask you if You know that this thing can be abstracted away from the lattice setting to a more general setting Or there is some point of this construction which you really rely on some specific property of the Lettuce assumption. Okay, I think the the the evaluation part of the of the PRF is Only only thing we can do from lattices because from like a discrete log We don't know how to do this fully homomorphic Evaluation or fully homomorphic encryption, essentially, I think perhaps if you use something like a ring LWE I think probably you can do the similar theme, but Yeah, but This is not yeah. Yeah. Yeah, thanks. Okay, so let's thank the speaker again So the third paper is