 which aims at enabling anonymous authentication. So there are many applications for this, which are eVoting, electronic cache, and anonymous authentication. And in order to build this so-called privacy-preserving cryptography, we need two main basic tools, basic building blocks, which are a signature scheme and also zero-image proof, which should be compatible with the signature scheme, which should allow us to prove statements about this signature scheme. And later on, we'll focus on group signatures. So what is that? I will motivate it with an example, so the public stamp transportation example. So we have a user who wants to commute, and to do this, he will ask the stamp machine a challenge, which is, for instance, a timestamp, which he will sign. And by doing this, he will authenticate himself. But in fact, he doesn't want to authenticate himself, but just to prove that he possesses a valid subscription for the public transportation system, which means that he wants to stay anonymous in the set of users who possesses a valid subscription. So he also wants some anonymity property. And on top of that, we have the public transportation company. We want also some properties, like dynamicity, which should allow new users to rejoin, to subscribe for a valid subscription at any time dynamically. And at last but not least, we also want trustability, which means that in case of a user misbehaved, an authority, for instance, the police, should be able to lift anonymity of a given signature and trust back a user who misbehaved. And we will focus mainly on the dynamic setting, which is an improvement of the static setting, a more powerful primitive. And it allows us to add new users to the group without having to rerun a setup phase. It also enables powerful security properties because no one can impersonate you, even the authorities if they call you. And finally, we saw, like with our example, that most use cases will require dynamic groups because beforehand, we don't know the size of the group, who will be in the group, the size of the group, and also the group can evolve with time, so it can grow with time. And now we'll move on a very similar primitive, which is called anonymous credential, which basically enables the same functionality as group signature, which is anonymous authentication. But here, anonymity is non-revocable. It's unconditional because a user can authenticate himself, but will say anonymous in any case. And why I tell you about this primitive is that because to construct this, we have a general construction based on the signature with efficient protocols we construct here in this paper. And so what is this? So signature with efficient protocols are basically a signature scheme. And with efficient protocols, so first of these protocols is a protocol to sign a message on a committed value. And also another protocol should allow us to prove knowledge of a valid message signature pair for this signature. And what we can notice here is that this signature with all the existing constructions are based on stronger assay or by linear maps. So in order to not put all the things in the same basket, we want to build this primitive in the lattice setting. So what is it? So basically, a lattice is the integer linear span of some definite set of independent vectors. And what is interesting here is that this hard problem on this is to find non-zero short vector in the lattice. And we'll basically rely on this because it's conceptually simple and authentically efficient. It's also still conjecture resistant to the existence of a quantum adversary. And we also have nice security property for cryptography. For instance, we have a connection between average case lattice problems and worst case lattice problem. So it's kind of nice. And before going further, I'll just show you another view of the history of... Oh, sorry, our security proof, we rely on two intractability assumptions which are small integer solutions which basically is finding a solution in the solution of some homogeneous linear systems. And this solution should be small and integer which makes it hard. And also the well-known learning with seros which in its decision version is basically distinguishing this distribution from the uniform. And so now a quick overview of the group signature history. So it has been introduced in 1981 by Shom and Van Aest. And we have to wait until 2000 before having the first scalable and secure solution from Atenis and others. And in fact, since the introduction by Shom and Van Aest, there were many different security definitions which has been unified in 2003 by Belarame, Shansho and Varensky, who proposed a model that implies all these previous security notions. For the dynamic settings, in fact, we have one year later, KSNYM and Belarame Shizong proposed at the same time two different models which are equivalent up to some details. And for the lattice setting, we see that we have... First construction is from 2010. So 10 years after the first construction by Atenis and others based on other assumptions. And this scheme has some problem is that the signature size will grow linearly with number of users, which is non-desirable. And in 2014, we have the first log-sized signature from Atenis. And these two schemes are for static groups. So until this work, there are no dummy group signature scheme based on lattices. And we aim at filling this gap. Okay, so now I will go further into the details. Like, I will motivate more the anonymous... Our schemes. And then I will show our construction. Our construction. Okay. So as I said, to enable anonymous credentials, it is implied by signature reception protocols. And so it's basically a signature scheme. We have a key-gen sign-and-verify algorithm. And with this, we have two companion protocols, which is for signing a committed value and proposition of a signature. And the security notions, which goes along with this, are unforgeability because it's a signature scheme. We have the security of these two protocols and also anonymity because it's a privacy-based primitive. And from this primitive, we have many applications from privacy-based cryptography as we saw before. And also we saw that all the constructions are rely on stronger assentions and are built in their maps. So this is why we want to build it from lattices. Also, from dummy group signatures, it's more formally, it's a tuple of five algorithms. We have the setup algorithm, which will take as input the security parameter and an upper bound on the group side, which is important here in order to construct the different parameters, like the public parameters. And it also outputs two secret schemes, so one for the group manager and one for the opening authority. We have the join protocol, which is an interactive protocol between a user and the group manager. At the end of which, the user will get some public membership certificate which will attest for some secrets that the user will be the only one to know. We also have sign and verify algorithm which will act as standard signature except that the verify algorithm will take as input the group publicly because users don't have any public... Users don't have any public key. And also the open algorithm which, given the secret of the opening authority and the signature, will output the identity of the user who signed this signature, hopefully. And so for security, the security notion that goes along with this protocol are, first of all, anonymity, which states that without the secret of the opening authority, no one can lift anonymity of a given signature. We also have traceability, which is a security of the authorities against users who want to escape from traceability, so no user can, for the signature, on behalf of another user or a signature that won't open to a valid user. So that won't open, that won't open. And I can notice that these two notions are the notions that are given in the static setting because in fact, in the dynamic setting, as there is no... In the static setting, there is no dynamic join, so we don't need the dual of this, which is a security of honest members against these less authority who want to frame them, and which is the last security notion we have, it's non-framability and it's introduced by the dynamic setting. Okay, so now we'll move on to the construction, how we build these two primitives. So first of all, the signature scheme with efficient protocols. So to build a signature scheme, we'll rely on a signature scheme which was introduced by Bouillon in 2010, which is a small integer solution based signature because we can see that the signature here is a small integer solution for some linear equation. And the thing is that given a short basis for this lattice, for this matrix, we are able to compute a signature for a small integer solution and without it, it's a hard problem. And in fact, we won't work directly on this one, but from a variant due to Bull and others, which is a tag-based signature, we have here a tag which is a random string, and we moved the message from inside the coefficient of the system to the non-homogeneous term. And when we do this, we just... So we'll see it right now. So to construct our signature reception protocol, we first compute this random tag as I presented before and we'll then generate a short vector S which will be used to compute this commitment. So this is a commitment scheme due to Kawashi and others. And we built it like this because we saw that for signature reception protocols, we need one protocol to find another committed value. So we embed this commitment inside the signature and we embed it in this manner. So we can see that we use the binary representation of the commitment instead of the commitment itself because the second companion protocol we want for signature scheme is to prove the knowledge of a valid message signature pair. And to do this, we'll use Stern-Ax protocol which requires that the coefficients of this vector are small, so binary is basically small. And so this is how we do this. So as I said, we already embedded a commitment scheme in our signature, so we can basically make sign committed value by signing directly this commitment. But when we're trying to do the proof, we notice that we have one problem is that one of the signature queries won't have the same distribution as the other. Actually, the center of the Gaussian won't be exactly the same. So we cannot use directly an indistinguishability argument to make the proof. So how do we overcome this difficulty? We use a technique due to Bayan others in Asia-Cup last year which is basically using a rainy divergence instead of the statistical distance to bound the adversary's advantage. So to do this, we use a nice property of rainy divergence which is called the probability preservation which will allow us to bound the probability of this event with respect to the rainy divergence of the two distributions. So with that, we manage to prove security of our signature scheme while signing a committed value. And now the next step is to prove knowledge of Bayan message signature pair. And to do this, we use the standard protocol which was introduced in 1993. And so what is it? So it is the knowledge proof for syndrome decoding problem which is as follows. So we have a somewhat similar to inhomogeneous small integral solution except that instead of having a small vector here, we have a vector of a fixed hamming weight here. And it's also binary. So there are many extensions on this protocol which has been proposed. So the first one by Kawashin and others who managed to go from Modulo 2 to Modulo Q. But they still have this constraint on hamming weight so we don't have exactly the lattice languages that we want. And Ling and others in 2014 proposed to extend this in order to leverage this constraint. And they go to prove SAS and LW statements. And since last year we have many protocols that uses this standard signature like the one co-op presented yesterday or last year. And the problem with this is that for some of this scheme, they will build standard protocol from scratch. And in order to avoid it, we proposed a framework to deal with this. So it allows us to construct a zero-edge argument of knowledge of linear Modular Equation of this form. And thanks to linearity of lattice statements, many of these statements will fit in this setting. We can reduce them to this form. And moreover, as we can prove some special property on this equation, we can also capture more complex statements. And to do this, we use Ling and others decomposition extension framework and do it in a combinatorical manner as standard protocols. So then we have our signature scheme with session protocols and we use this scheme to construct our group signature. So how do we do it? We build it from a static group signature due to Ling and others. And the main problem we want to go over is to provide non-framability. And to do this, we need to introduce a non-homogeneous term in order to avoid a user to tamper with its membership certificate to escape from traceability. And the problem is that we use this scheme because other solutions that have been proposed use membership certificates made of a complete basis, which will basically give to a dishonest user too much freedom. And so it won't interact well with this non-homogeneous term. So to sum up, we have many difficulties we want to overcome. So we first want to separate the secrets between the opening authority and the group manager because in the static setting there is no group manager at all. We also want to give the user a membership certificate. So we want to bind actually some secret of the users to some public value, which here will be a syndrome, so the multiplication of secret vector and the public matrix. And to do this, we'll use our signature scheme with session protocol to embed this inside our signature. And we also want to achieve non-homibility while not compromising the previous security notion we add from the static setting, so namely the anonymity and traceability. So now how do we do this? So we first generate the public parameters, which are this matrix and the vector, which came from our signature scheme with session protocols. And what's interesting is how we managed to do the join algorithm, which is a new algorithm in the dynamic setting. So first of all, the user will compute a short vector, a short integer vector, and compute this public syndrome. Then send this public syndrome to the group manager. We will sign it using our signature scheme with session protocols. And actually, we see that the tag of the signature scheme will be seen as a user identity, which will be the membership certificate which will be sent back to the user. We will just verify that it's indeed a valid signature for this syndrome, and then save it as its membership certificate. So now we can see that we can notice that the join algorithm consists of only two messages, one in each direction, which makes it round optimal, and also that there is no proof of knowledge that is extended here, which allows the concurrent join. So now we want to build the signature scheme. So we want full anonymity, which means that we want anonymity even in the presence of an opening oracle. And to do this, we... Basically, I use the construction from Belaris Sezon, which will use the CCAPK. And to construct the CCAPK, we use the Kennedy-LVCAT transformation on an IDE. Actually, it will be the Gentry-Peket and Bogotan-Atenet IDE. We will construct our CCAPK on. And how we do this? So we will first encrypt the public syndrome, which is asignated to some users. So the other will do this. And then we'll prove that the underlying VI indeed verifies the signature equation, and that it's a correct encryption. And the message here is bound inside this proof of knowledge through the catch-amir transformation. Okay. So now to verify, we just have to check that this proof of knowledge is correct. And to open, the opening authority will just decrypt this safer text. We'll get the public syndrome and just check in the record which is the I which corresponds to this VI. And that's it. So to conclude, we managed to provide the first lattice-based signature reception protocol, which we believe to be of an independent interest of its own. So it allows us to obtain signature on a committed message and proving possession of valid method signature pair. Using a simplified version of this signature scheme with section protocol, we construct our first dynamic group signatures based on lattice assumptions, which has some nice properties, like it's round optimal and enables concurrent joins. And we can see that this join can be seen as a method for signing public so that we can efficiently prove the knowledge of the underlying security. And at last but not least, we provide an unified framework to prove modular linear equations using Stern combinatorical techniques. And we managed to overcome the difficulty of combining Bell and other signatures with Ling and other zero-nature proofs to provide our signature with efficient protocols. So thank you all for your attention. If you have any questions, I'd be glad to answer them. Is there any question? Short question? Alright, there's no question. Let's thank the speaker again.