The first session is about signatures. There are two talks in this session. The first talk is Round-Optimal Blind Signatures, by Sanjam Garg, Vanishree Rao, Amit Sahai, Dominique Schröder and Dominique Unruh. The talk is by Sanjam and Dominique. Thank you.

This talk is about round-optimal blind signatures. There were two papers: the first was by Sanjam, Vanishree and Amit. Unfortunately they had a similar idea submitted to the same conference, and we had a similar idea together with Dominique Unruh. Our submitted version you can find on ePrint under this URL. So blind signatures were invented in 1985 by David Chaum. The basic idea is that we have an interactive protocol between two parties, a user and a signer. So what are blind signatures used for? There are many applications. The classic application is e-cash, where the user obtains a coin; e-cash is the most famous application. The next application is elections: in 2002 the vote for the most valuable player of the FIFA World Cup used VOTOPIA, which uses a blind signature scheme. Blind signature schemes are also used for anonymous credentials, for example in Microsoft's recent U-Prove. To do this, I will go more and more into the related work and just point out the main important papers. If I forgot yours, please accept my apologies. And then Sanjam will take over and discuss the idea of the joint construction. And as you might know, last year Marc Fischlin and I had an impossibility result for three-move blind signatures. He will discuss the relation.

In regular signature schemes, for unforgeability, you have an oracle; you can query this oracle. If you manage to output a fresh message and a valid signature, then you win. But in the case of blind signatures it is more difficult, because we don't see the messages. So we give the user the public key and we let him interact with the signing oracle as many times as he wishes.
And now we say the user wins if it managed to compute one more message-signature pair, which means after n queries he has to compute n+1 message-signature pairs. They must verify and all messages must be distinct. The basic idea is that if he managed to compute one more signature, then at least one should be fresh. Blindness, as I said before, says that the signer cannot really see the message that he's signing. This is defined in the usual indistinguishability game. We first flip a bit. The signer then outputs a maliciously generated public key (maybe not, but he could do so) and two messages. Then two user instances are executed on the messages and the maliciously generated public key. Now the adversary completely schedules the interaction of the protocol, and the user then tries to compute the signatures. If both signatures verify, they are given to the signer; otherwise he receives (⊥, ⊥). He then tries to predict the bit b. Observe that in this definition we're not really taking aborts into account. So if some party aborts, then the signer is not informed which one. Even if the protocol takes 10 rounds, if it stops after the first round this is not considered here. But it is considered in a stronger definition that we also took a look at at PKC.

So again, let us come back to the very fundamental and easy question: can we build a blind signature scheme with two moves in the standard model? To see why this could be difficult, we look back at the constructions that we know; over 18 papers have now been published. The first one was the one by Chaum, which is based on an RSA variant. And also Boldyreva managed to construct a scheme with two moves. Unfortunately, both schemes rely on an interactive assumption, i.e., you are given an additional oracle that could help you. And they both need the random oracle.
Okay, and of course, if we are willing to allow a trusted setup like a CRS, then we can do it with two moves as well. What happens if we add one round? Well, the situation is slightly better: the beautiful schemes by Pointcheval and Stern or by Abe only need the random oracle and of course some computational assumptions. Okay, what happens if we add one more round? In 2006, Okamoto found the first scheme in the standard model with four moves. So even after 80 papers, of course not every paper focused on the round complexity, but when you construct an interactive protocol you really want to have a low round complexity. Okay, we want to reduce the number of rounds. What can we do? The obvious thing is to reduce the number of rounds of a known scheme. We have no idea how this works. Okay, so can we prove one of the two-move schemes secure without the random oracle or without the interactive assumption? This could be possible. Or we construct a completely new scheme. Okay, what about the two-move schemes that we know? Well, this slide I showed at Eurocrypt last year, and I exactly stated that they simply don't exist in the standard model. So where's the contradiction? Well, of course this was a motivating slide, and we defined a very general class of schemes that all known schemes fall into, and we showed that with black-box techniques you won't be able to reduce it to a non-interactive assumption. And this result has been extended by Pass also to unique blind signatures. He did much more, but this was part of it. Okay, so the simple question remains: what about two moves in the standard model? Sanjam will now explain the idea of the construction. Of course the construction is a bit difficult. That's why please take it as the idea and look for the actual construction in the proceedings. Thank you.

Morning everyone. Thanks, Dominique, for the great introduction. I'll quickly, without wasting time, get to the construction.
So the idea is going to be to use general techniques from secure multi-party computation and to adapt them to the setting of blind signatures. So we know that Yao's garbled circuit construction allows us to evaluate any circuit privately and securely, and we want to use it to do blind signatures. So it would be natural to consider allowing for evaluation of a signing function in this manner. In addition to Yao's garbled circuit, for this to work we need a two-round OT protocol, but we do not know of fully simulatable OT protocols which can be implemented in just two rounds. However, we know two-round OT protocols which have some limited security, like the Naor-Pinkas or AIR protocol. These protocols provide computational security for the sender and statistical security for the receiver, and as you'll see this would in some sense suffice for our purposes. So we're trying to use Yao's garbled circuit with the two-round OT protocol. The user first sends the first message of the OT protocol, and the signer responds with the second message of the OT protocol along with Yao's garbled circuit. So now a question to ask is, are we done? Is it already secure? Well, there are certain problems. Yao's garbled circuit construction only provides semi-honest security, so we cannot directly use it. The second problem is, as I said, OT is not fully simulatable, so that has problems with respect to the proof. So we cannot live with semi-honest security, because in real life there is nothing like semi-honest security. We need to make it fully secure. So the question to ask is what can a cheating signer in this protocol do? The goal of the cheating signer is to break blindness as explained by Dominique, and this cheating signer actually can do a lot of bad things. The situation is actually really horrible.
Since Yao is only semi-honest, the signer can encode any arbitrary function and make the user evaluate this arbitrary function on his message rather than the actual circuit evaluating the signature. The second problem is that the signer can actually manipulate the randomness that is being used in the evaluation of Yao's garbled circuit and affect the randomness used in the signing process, thereby correlating the randomness used in a specific interaction with the signature that the user obtains, ultimately leading to total loss of blindness. Let me talk about the second problem first, and actually, as it turns out, it's easy to solve. If the signer uses unique signatures, then we can solve this problem easily. In fact it's even easier if the signer just uses a pseudo-random function and applies it to the message to obtain the random coins being used in the signing operation; then this problem again does not come up, because it is in some sense essentially making the signature scheme unique. You can do that without relying on a specific signature scheme; it can be done for any general signature scheme. The first issue which I pointed out is that Yao's garbled circuit construction only provides semi-honest security, and this is in fact a more fundamental issue; we need to get around this and have a way to enforce that the signer cannot cheat in this protocol. So what we want is that the second message of the signer, which is the response to the OT messages and Yao's garbled circuit construction, is actually generated using the correct algorithm. So in some sense the signer additionally needs to prove the correctness of the messages sent. And the idea is to use a proof protocol, and the immediate question would be what proof protocol to use, because we know that standard zero-knowledge protocols require three rounds and we are really constrained in terms of the round complexity.
We have only two rounds, and we cannot use a standard zero-knowledge protocol. But fortunately for us, we know of a weakened notion of zero-knowledge; it's called super-polynomial-simulation-based zero-knowledge, where a prover can prove to a verifier that some statement is true in just two rounds. So let me now describe the weakness. The weakness is that for every cheating verifier the prover can actually argue that there exists a simulator S that runs in super-polynomial time and can simulate the view of the verifier. So what have we achieved? We have this protocol: we have the first message from the OT and the first message of the zero-knowledge protocol, and the second response to the OT message and the garbled circuit, and additionally there is a proof that the OT message and Yao's garbled circuit are correctly formed that is sent along. By this we've achieved that the signer uses deterministic signatures, so he cannot arbitrarily choose randomness, and we're enforcing correct behavior by a zero-knowledge protocol. So have we solved the problem of the cheating signer? Actually some subtle issues still remain. In the proof of security, in arguing blindness, we need to be able to extract the signatures that are being generated in order to argue blindness, and for that we can rely on the super-polynomial extraction that the zero-knowledge protocol I just described already has. However, that can be avoided by using specific rewinding techniques. I'm not gonna get into details of that, and you can look at the paper if you like. The second problem is unforgeability: we do not want a user to be able to come up with signatures on more messages than the number of interactions it has with the cheating signer. And to argue that, we would have to reduce the unforgeability of our scheme to the unforgeability of the underlying signature scheme.
However, in doing so we're going to be relying on a simulator that is going to simulate the view of this cheating user who's forging, for which we're relying on a super-polynomial simulator. That's problematic, but it's actually easy to deal with this problem by assuming that we have a signature scheme which is secure against adversaries that run in super-polynomial time. This is a well-known technique called complexity leveraging that we're using here, and it allows us to bypass this problem and argue unforgeability and reduce it to the unforgeability of the underlying signature scheme. So, as Dominique pointed out, along with Marc Fischlin he had a result on the impossibility of three-round blind signature schemes. However, in order to make the problem tractable, they restricted themselves to blind signature schemes that satisfy some technical properties. One of these technical properties is that blindness holds even against a cheating signer who has access to an oracle who can forge signatures on other messages for arbitrary public keys. Our scheme avoids this property, thereby circumventing their impossibility and still achieving full security even in two rounds. So, let me conclude finally with some notes on the open problems. Our construction requires some strong assumptions, and it would be a good idea to improve these assumptions. We specifically rely on sub-exponentially hard one-way functions. We rely on trapdoor permutations for the construction of NIZKs in the protocol, and we rely on the DDH assumption for the OT protocol. In an impossibility result by Katz, Schröder and Yerukhimovich in TCC 2012, they argued that actually trapdoor permutations are necessary for the construction. Finally, I also want to stress that our construction is only a feasibility result, and it would be really nice if we can construct constructions which are really efficient and can be useful in practice and can be done in two rounds. Thanks to my co-authors. And any questions?
We have some time for questions. Do you have any questions?

No, but if you interacted in 100 interactions already, you have to produce 101 signatures on different messages. I know that's your definition.

Yeah, because we have unique signatures, so that would not be a problem. Yeah, actually you also have a... An interesting point is that we have a transformation: if you add randomness to each message, then this is automatically implied. So this transformation can easily be adapted to our results as well, independent of the unique signatures.

Let's thank the speakers again.
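The derandomization trick Sanjam describes (the signer's coins come from a PRF applied to the message, so the scheme becomes effectively unique and a per-session nonce can no longer be correlated with the signature), shown as an added toy example that is not code from the talk or the paper. It uses Schnorr signatures over a tiny constructed group (p = 23, q = 11, g = 4) and HMAC-SHA256 standing in for the PRF; the key, PRF key and message are all constructed for illustration.

```python
# Added example (not from the talk or the paper): a toy Schnorr signer whose
# nonce is derived from PRF_key(message) instead of being chosen freshly,
# which is the "unique signature" fix described in the talk.
# Group parameters are deliberately tiny so the arithmetic is readable;
# they are an assumption for illustration only, not a usable group.
import hashlib
import hmac
import secrets

P, Q, G = 23, 11, 4               # toy group: g = 4 has order 11 in Z_23^*
SK = 7                            # constructed signing key x
PK = pow(G, SK, P)                # y = g^x  (equals 8 for these parameters)
PRF_KEY = b"constructed-prf-key"  # constructed key for the signer's PRF

def _challenge(r: int, msg: bytes) -> int:
    # Fiat-Shamir challenge e = H(R || m) reduced into Z_q.
    h = hashlib.sha256(r.to_bytes(1, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q

def _sign_with_nonce(msg: bytes, k: int, sk: int = SK) -> tuple:
    # Plain Schnorr: R = g^k, e = H(R||m), s = k + x*e mod q; signature (e, s).
    r = pow(G, k, P)
    e = _challenge(r, msg)
    return e, (k + sk * e) % Q

def sign_randomized(msg: bytes) -> tuple:
    # Ordinary signing with a fresh random nonce. A malicious signer could
    # choose k to encode session information, which is the problem the talk raises.
    return _sign_with_nonce(msg, 1 + secrets.randbelow(Q - 1))

def sign_derandomized(msg: bytes) -> tuple:
    # The fix: nonce = PRF_key(msg), so the same message always yields the
    # same signature and no per-session randomness exists to correlate.
    tag = hmac.new(PRF_KEY, msg, hashlib.sha256).digest()
    k = 1 + int.from_bytes(tag, "big") % (Q - 1)
    return _sign_with_nonce(msg, k)

def verify(msg: bytes, sig: tuple, pk: int = PK) -> bool:
    # Recompute R' = g^s * y^(-e) and check the challenge matches.
    e, s = sig
    r = pow(G, s, P) * pow(pk, -e, P) % P
    return _challenge(r, msg) == e

def signatures_are_unique(msg: bytes, signer, trials: int = 10) -> bool:
    # True if repeated signing of msg with `signer` always gives the same output.
    sigs = {signer(msg) for _ in range(trials)}
    return len(sigs) == 1
```

Running `signatures_are_unique(m, sign_derandomized)` returns True for any message, while the randomized signer produces varying nonces across sessions.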