The first paper is on short pairing-free blind signatures with exponential security. Hello everyone, good afternoon. I'm a PhD student from the University of Washington and this is joint work with my advisor Stefano Tessaro. In the context of blind signatures, we have a signer with a secret key and a user with the public key, and the user wants to get a message signed by running an interactive protocol with the signer. At the end, the user learns a valid signature for m, which can be verified using the public key. On the other side, we require the signer to be blind, which means the signer does not learn the message during the interaction. Moreover, even when given the message and signature later, the signer cannot link them back to the session that issued them. Blind signatures have a number of well-known applications. For example, they can be used in anonymous e-cash systems or in anonymous credentials. More recently they have gained popularity due to their ability to implement anonymous tokens in web applications, for example for privacy-preserving ad click measurement. Practically efficient schemes fall into the following three classes: RSA-based schemes, Schnorr-style schemes and pairing-based schemes. Schnorr-style schemes require three rounds for each signing, whereas the RSA-based and pairing-based schemes require only two rounds. However, both RSA and pairing-based schemes have some drawbacks. The main drawback of the pairing-based schemes is that they require pairing-friendly elliptic curves, which makes them undesirable for many applications due to the lack of high-assurance implementations, for example in the internet browser. On the other side, RSA blind signatures inherit all the undesirable properties of RSA, like the large key size.
Therefore, many applications might prefer using the Schnorr-style schemes despite their higher round complexity, in particular because they are simple to implement, allow efficient verification and can be based on any standard elliptic curve. However, very recently, Benhamouda et al. showed a polynomial-time attack against the most efficient Schnorr-style scheme by solving the so-called ROS problem efficiently. So the big problem we address in this paper is: can we have a secure Schnorr-style scheme which is also very efficient? We are not the first to ask this question, so let me tell you a little more about related work; however, our results are a substantial improvement over the state of the art. The original blind Schnorr was proposed by Chaum and Pedersen in 1993. It is the most efficient: the signature size is just two scalars and the communication complexity is one group element plus two scalars. However, as I mentioned, the scheme is actually broken. The alternative is a scheme proposed by Abe in 2001. However, the scheme is less efficient, and its original security proof was found to be incorrect, but a recent result by Kastner et al. shows its security in the algebraic group model and the random oracle model. At this point, I'd like to point out that all the results shown on this slide... A more efficient scheme was proposed by Fuchsbauer et al. in 2020, the so-called Clause Blind Schnorr. The signature size is exactly the same as blind Schnorr, with double the communication. However, its security relies on a new assumption, namely that the so-called mROS problem is hard, where mROS is a variant of ROS proposed in their paper. The important point here is that there exists a sub-exponential attack against mROS, which requires choosing a large curve to achieve the desirable security level. So as you can see, the existing schemes are either less efficient or do not have the best possible security guarantees.
Therefore, the major contribution of this paper is that we propose two schemes that are both efficient and have exponential security. For our first scheme, the signature size is just three scalars and the communication complexity is two group elements plus three scalars, and we prove its security in the generic group model. For the second scheme, we can prove its security in the algebraic group model, assuming only that the discrete logarithm problem is hard, in addition to a random oracle. However, we need to add an additional scalar to both the signature size and the communication. A very appealing feature of the second scheme is that it admits a partially blind version, where partially blind means it allows a part of the message to be known by the signer. You can see our scheme is the most efficient pairing-free scheme so far with exponential security. Before we move on, I would like to mention a few more related works to give you a full picture of the area. First of all, there were security analyses for Schnorr-style schemes in some restricted settings. For example, some of them can be proved secure when the number of sessions is small or when the sessions are sequential. In this work, however, we target the more realistic setting where the sessions are concurrent and their number is unbounded. Interestingly, some of the works I listed here do not rely on the AGM or GGM. Another interesting line of work explores boosting techniques, whose goal is to transform a scheme that is secure only for a small number of signings into a scheme that is secure for an unbounded number of signings. However, one drawback of the resulting schemes is that their computation and communication complexities grow with the number of sessions. So now we come to the technical part of the talk. For the security definition, I will not define blindness formally; we rely on an intuitive understanding. So in this talk, I will mostly discuss how to achieve unforgeability.
However, unlike unforgeability for a normal signature scheme, which is defined as the adversary cannot forge a signature that has not been issued by the signer, here, as you can see, for blind signatures it is unclear which signature actually has been issued during the signing process. Therefore, we need to use another notion called one-more unforgeability. In the security game, the adversary can interact with the signer for ℓ sessions, and the adversary wins if they can output ℓ + 1 valid message-signature pairs. Here, all the sessions can be arbitrarily concurrent. So one-more unforgeability means the adversary cannot forge a number of signatures which is more than the number of signing sessions. The overview of the rest of the talk is as follows. To give you some intuition about our constructions, I will first recall what blind Schnorr signatures are and show the relation with the ROS problem. In particular, I will show how one can break the one-more unforgeability of blind Schnorr by solving the corresponding ROS problem. And since the ROS problem is solvable in polynomial time, this gives a polynomial-time attack against blind Schnorr. Next, I will show our idea to avoid the ROS attack that underlies our schemes. Under some assumptions, we can show the security of our scheme is equivalent to solving the WFROS problem, which is a problem we define in our paper. In contrast to the ROS problem, we can actually show WFROS is exponentially hard, which implies the exponential security of our scheme. In particular, I will define what WFROS is and provide some intuition behind its hardness. To start with, I will first describe the non-blind version of blind Schnorr signatures. The public parameters consist of a group G of order p with generator g, and a hash function H. The secret key is a scalar x sampled uniformly from Z_p and the corresponding public key is X = g^x.
During signing, the signer first samples a random nonce a uniformly from Z_p and sends A = g^a to the user. The user then computes the challenge c as the hash of A and m. After receiving the challenge from the user, the signer computes s as a + c·x, and the final signature is just (c, s). To verify a signature, one can recover A from c and s, and then check whether c is consistent with the hash value. We get a perfectly blind version of it by adding two random masks, as highlighted. Let's now look at the one-more unforgeability of the scheme, where the user becomes the adversary, so we only need to consider the signer's protocol here. I will now describe how one can break the one-more unforgeability of blind Schnorr by solving the corresponding ROS problem. So this is an adversary that starts two concurrent signing sessions. Here I use subscript 1 to denote the first signing session and subscript 2 to denote the second. First, I will show how we can generate a signature which is a linear combination of the two sessions. Then I will show how we can extend it to an attack where the adversary outputs three distinct and valid message-signature pairs, and then we will see where the ROS problem appears. First of all, to combine two sessions, the adversary can pick two arbitrary coefficients α_1, α_2, together with a message m. The adversary sets A to be A_1^{α_1} · A_2^{α_2}, and sets c to be the hash of A and the message. Then you will see we can pick c_1 and c_2 such that the value c is a linear combination of c_1 and c_2 with coefficients α, that is, c = α_1·c_1 + α_2·c_2. After the adversary receives s_1 and s_2 from the signer, the adversary now sets s to also be the linear combination of s_1 and s_2 with coefficients α.
I will show that then (c, s) is a valid signature for the message. To see why this is the case, from the signing protocol we get these two equations, and then we can linearly combine them with coefficients α. Now let's raise g to the value on both sides of the equation. From the left-hand side we get g^s, from the first two terms of the right-hand side we get A, and the last term gives X^c. This is exactly what we need to show that the signature is valid. Now to extend it to an attack: the idea is that instead of picking just one triple of α_1, α_2 and message, we now pick three of them. Then we pick c_1 and c_2 such that the highlighted equation holds for all of them, and the adversary can output a signature for each triple. As you can see, the main problem in making this attack work is how to pick the αs and how to pick c_1 and c_2, and this is exactly the ROS problem for parameter two. However, the ROS problem is hard for ℓ = 2, but we can extend this attack to ℓ sessions easily. And that is what Benhamouda et al. show: when ℓ is larger than log p, the ROS problem is efficiently solvable. Therefore blind Schnorr is insecure when ℓ is larger than log p. We now come to our schemes. Remember that the key step of the ROS attack against blind Schnorr is that we can generate a signature which is a linear combination of two sessions. Therefore, our idea to avoid it is to simply add a y to this equation. Suppose y_1 and y_2 are chosen randomly and hidden from the adversary before it picks c_1 and c_2. Then it is not possible anymore to combine two sessions to get a signature, because basically we don't know how to pick the ys here to make the equation hold. I will now describe how we construct our first scheme with this idea.
Basically, I will only give the non-blind version here; we can get a perfectly blind version of it easily following some common tricks. For our scheme, the public parameter setting and the key generation are exactly the same as blind Schnorr. For signing, the signer additionally samples a non-zero y uniformly from Z_p and sends Y = X^y, the public key raised to y, to the user. Now, to compute the challenge, the hash function also takes Y as input. Then the signer sets s to be a + c·y·x, and the final signature now is (c, s, y). To verify it, we just reject if y is equal to zero, and otherwise we can recover A and Y from c, s and y and then check whether the hash is consistent with the c value. One thing to notice here is that we do not allow y to be zero, because it is easy to forge a signature with y equal to zero. For our second scheme, the only difference is that we change Y to be a Pedersen commitment to y, where Z is part of the public key. Because the commitment Y now perfectly hides the value of y, we can relax the assumption from GGM to AGM plus the discrete log assumption. Also, to get a partially blind version, we just need to change Z to be a hash of info for each signing, where info represents the part of the message that is known to the signer. Due to the time limit, I will only show the main theorem we get for Scheme 1. Formally, for any GGM adversary, the probability of breaking one-more unforgeability of Scheme 1 is bounded by the probability of solving the corresponding WFROS problem, plus an extra term. Here Q_H represents the number of queries to the hash function H, ℓ represents the number of signing sessions and Q_G represents the number of group operations performed by the adversary. So for a polynomial-time adversary, we can see the extra term is actually negligible.
Therefore, our Scheme 1 is secure as long as the WFROS problem is hard. For the hardness of WFROS, we can show that for any adversary, the probability of solving WFROS is bounded by Q_H times Q_H plus ℓ squared, over p minus one. Note that p is the group order. Therefore, for an adversary to solve WFROS, either Q_H or ℓ has to be roughly on the scale of the square root of p, which implies the exponential security of our scheme. Finally, I would like to convey some ideas behind how we define WFROS and why it is hard. Recall that the main intuition was that in our construction, it is not possible to combine two sessions linearly to get a signature. However, there are actually other ways that one can combine two sessions. For example, a trivial way is that we can set both c_1 and c_2 to just be c, and then we can linearly combine these three equations to get a signature. However, this does not help at all to break the security, because if you think about it, what you are doing is just getting one signature from two signing sessions, and then both sessions cannot be used for generating other signatures. So basically, this action does not help. However, it is unclear whether the adversary can do some other arbitrary things or combinations. So we define the following WFROS problem to capture all possible ways the adversary can combine different sessions to get a new signature. Due to the time limit, I will not go into details here, but the main reason why WFROS is hard is because, essentially, the only way that the adversary can combine different sessions is the trivial way I showed on the previous slide. And this is mainly because we sample a random y here. To end, I would like to mention a few open problems. First of all, all of our results assume either the AGM or GGM.
So a big open problem is whether we can get Schnorr-style schemes with exponential security assuming only the random oracle. Also, it is interesting to know whether there are other applications for WFROS. So yeah, that's all my talk. Thank you for listening.

Well, thank you so much. Do we have any questions for the speaker? Perhaps I can ask. So intuitively, why do you need the algebraic group model and not the standard model? Where do you get this necessity of it in your construction?

Yeah, actually, the main reason we need the algebraic group model is because we need to extract basically what the adversary does. So basically we extract the αs and βs; that represents what the adversary does to combine different sessions. So our main argument is that if they do something like that, then the adversary cannot break the scheme. In the standard model, you have no idea what the adversary does; although it might not be able to do something more, we just don't have a formal argument to argue that.

Okay, that makes sense. Thank you so much. Yeah, thank you. If you have any further questions... Then let's thank the speaker again.
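The attack described in the talk (linearly combining two sessions, then the log p-session ROS attack of Benhamouda et al.) and the Scheme 1 countermeasure, as an added Python example; this is not code from the paper or from the speaker. It assumes a Schnorr group inside Z_q^* with a safe prime q = 2p + 1 generated at import time (48-bit p, so 49 concurrent sessions suffice), SHA-256 reduced mod p as the hash H, the non-blind "signer's protocol" the talk analyzes (the user sends an arbitrary challenge c), and attacker-chosen messages; all function and variable names are illustrative.

```python
import hashlib
import secrets

def is_prime(n):
    # Deterministic Miller-Rabin; the first 12 prime bases suffice below 3.3e24.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits):
    """Smallest safe prime q = 2p + 1 with p > 2^bits; g = 4 generates the order-p subgroup."""
    p = (1 << bits) | 1
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 2
    return 2 * p + 1, p, 4

Q, P, G = safe_prime_group(48)   # toy parameters; a deployment would use a 256-bit curve

def H(*parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

class Signer:
    """Signer side of non-blind blind Schnorr (y = 1) or of Scheme 1 (random y != 0)."""
    def __init__(self):
        self.x = secrets.randbelow(P - 1) + 1
        self.X = pow(G, self.x, Q)
        self.sessions, self.next_sid = {}, 0

    def open(self, scheme1=False):
        # First move: fresh nonce a; send A = g^a and, for Scheme 1, Y = X^y.
        a = secrets.randbelow(P - 1) + 1
        y = secrets.randbelow(P - 1) + 1 if scheme1 else 1
        sid, self.next_sid = self.next_sid, self.next_sid + 1
        self.sessions[sid] = (a, y)
        return sid, pow(G, a, Q), pow(self.X, y, Q)

    def respond(self, sid, c):
        # Second move on the user's challenge c: s = a + c*y*x, and y for Scheme 1.
        a, y = self.sessions.pop(sid)                 # each nonce is used exactly once
        return (a + c * y * self.x) % P, y

def verify_schnorr(X, m, sig):
    c, s = sig
    A = pow(G, s, Q) * pow(X, (-c) % P, Q) % Q        # recover A = g^s * X^{-c}
    return H(A, m) == c

def verify_scheme1(X, m, sig):
    c, s, y = sig
    if y % P == 0:                                    # y = 0 would make forging trivial
        return False
    Y = pow(X, y, Q)
    A = pow(G, s, Q) * pow(Y, (-c) % P, Q) % Q        # A = g^s * Y^{-c} since s = a + c*y*x
    return H(A, Y, m) == c

def combine_two(signer, m, alpha1, alpha2, scheme1=False):
    """Talk's warm-up: A = A1^a1 * A2^a2, c = H(A, m), c1, c2 with a1*c1 + a2*c2 = c,
    s = a1*s1 + a2*s2.  Valid for Schnorr; for Scheme 1 the adversary must fix Y
    before learning y1, y2, so s is not of the form a + c*y*x and verification fails."""
    sid1, A1, Y1 = signer.open(scheme1)
    sid2, A2, _ = signer.open(scheme1)
    A = pow(A1, alpha1, Q) * pow(A2, alpha2, Q) % Q
    c = H(A, Y1, m) if scheme1 else H(A, m)          # Scheme 1: reuse session 1's Y
    c1 = secrets.randbelow(P)
    c2 = (c - alpha1 * c1) * pow(alpha2, -1, P) % P
    (s1, y1), (s2, _) = signer.respond(sid1, c1), signer.respond(sid2, c2)
    s = (alpha1 * s1 + alpha2 * s2) % P
    return (c, s, y1) if scheme1 else (c, s)

def ros_forgery(signer, m_star):
    """Benhamouda et al.-style attack: l = ceil(log2 p) concurrent sessions yield
    l + 1 valid (message, signature) pairs under signer.X, a one-more forgery."""
    ell = P.bit_length()                              # 2^ell > p: any c in Z_p fits in ell bits
    sessions, A_star, K = [], 1, 0
    for i in range(ell):
        sid, A, _ = signer.open()
        k, c0, c1 = 0, 0, 0
        while c0 == c1:                               # two distinct candidate challenges
            m0, m1 = f"session{i}-option0-{k}", f"session{i}-option1-{k}"
            c0, c1, k = H(A, m0), H(A, m1), k + 1
        rho = (1 << i) * pow((c1 - c0) % P, -1, P) % P    # rho_i = 2^i / (c_i^1 - c_i^0)
        sessions.append((sid, (m0, c0), (m1, c1), rho))
        A_star = A_star * pow(A, rho, Q) % Q              # A* = prod_i A_i^{rho_i}
        K = (K + rho * c0) % P
    c_star = H(A_star, m_star)
    b = (c_star - K) % P               # need sum_i rho_i*c_i = K + sum_i 2^i*b_i = c*
    forged, s_star = [], 0
    for i, (sid, opt0, opt1, rho) in enumerate(sessions):
        m_i, c_i = opt1 if (b >> i) & 1 else opt0     # bit i of b selects the challenge
        s_i, _ = signer.respond(sid, c_i)
        forged.append((m_i, (c_i, s_i)))              # honest signature from session i
        s_star = (s_star + rho * s_i) % P             # s* = sum_i rho_i*s_i
    forged.append((m_star, (c_star, s_star)))         # the (l+1)-th signature
    return forged
```

Calling `ros_forgery(Signer(), "m")` returns 50 distinct message-signature pairs obtained from 49 signing sessions, every one of which passes `verify_schnorr`; the forged pair works because g^{s*} = A* · X^{Σ rho_i c_i} and the bits of b were chosen so that Σ rho_i c_i = c*. Against Scheme 1, `combine_two(..., scheme1=True)` has to commit to one Y before the signer reveals y_1 and y_2, so the combined response carries x·(α_2 c_2 (y_2 − y_1)) that no choice of y in the output cancels, and `verify_scheme1` rejects it; the same function also rejects y = 0.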