The next talk is about zero-knowledge arguments for matrix-vector relations and lattice-based group encryption, and this work is by Benoît Libert, San Ling, Fabrice Mouhartem, Khoa Nguyen and Huaxiong Wang, and Khoa will give the talk. Can you switch on the microphone?

Okay, thank you, and hello everyone. I'm going to talk about the construction of a lattice-based group encryption scheme and the zero-knowledge arguments necessary for that construction. This is a work with Benoît Libert, San Ling, Fabrice Mouhartem and Huaxiong Wang. Okay, so first I will recall some background on group encryption and discuss our difficulties towards realizing lattice-based group encryption. Then I will state our results and describe the techniques that we use to overcome the difficulties.

Okay, so let me start with group signatures, which is an important anonymous authentication mechanism proposed by Chaum and van Heyst in 1991. In this setting, we have a group of users and each member can anonymously sign messages on behalf of the whole group. This means that group signatures aim at hiding the source of the message within a group of registered signers. Group encryption is a primitive introduced by Kiayias, Tsiounis and Yung at ASIACRYPT nine years ago. It is an encryption analogue of group signatures. Okay, so we have a group of registered receivers and each sender can encrypt messages to anonymous group members. Okay, so in this way, group encryption aims to hide the destination of the message within the registered receivers. Another interesting feature of both group signatures and group encryption is that the users are kept accountable for their actions. In case of dispute, there is a tracing authority or opening authority who has some kind of secret key and who can identify the signer of the message or the receiver of the ciphertext. Okay, so more formally, a group encryption scheme allows encrypting while proving that the following hold.
First, the ciphertext is well formed and it is intended for some registered group member who will be able to decrypt. Second, the opening authority should be able to identify the receiver should the need arise. And thirdly, the plaintext should satisfy some properties, like being a witness for a public relation or being a private key for a given public key. Okay, so this additional requirement may be useful for spam protection. As pointed out by KTY, some possible applications of group encryption are in the context of firewall filtering, anonymous trusted third parties and cloud storage services. Group encryption also implies hierarchical group signatures, which is a general form of group signatures.

Okay, so let me now briefly review some previous work on group encryption. In the work that introduced group encryption, KTY also provided a modular design based on ordinary digital signatures, anonymous secure public-key encryption and interactive zero-knowledge proofs. They also demonstrated a concrete instantiation based on number-theoretic assumptions. Okay, so the KTY scheme only considered the interactive setting, but the scheme can be made non-interactive in the random oracle model via the Fiat-Shamir heuristic. Two years later, Cathalo et al. introduced a non-interactive construction secure in the standard model under pairing-based assumptions. Subsequently, El Aimani and Joye suggested various improvements for constructing group encryption. Okay, and Libert et al. proposed a refined traceability mechanism that allows to identify all the ciphertexts intended for a specific group member without affecting the anonymity of all the other members. Okay, so for the time being, all existing realisations of group encryption rely on traditional number-theoretic assumptions. So usually we don't want to put all of our eggs in the same basket. So it's maybe worth considering constructions from other assumptions, like lattice-based ones.
So lattice-based crypto is interesting, and lattice assumptions are still resistant against quantum computers. Okay, so let me move to the context of lattice-based crypto and in particular consider lattice-based group signatures. This has been a very active topic in the last six years. The first construction was proposed by Gordon, Katz and Vaikuntanathan at ASIACRYPT 2010. Since then various improvements have been made in terms of security, efficiency and functionality. And the most recent schemes already achieve logarithmic size in the number of group users and work for dynamic groups, while the first construction only achieved linear size and could only handle static groups. Okay, but there is no lattice-based group encryption so far. So we ask the question, what is the main difficulty here? Okay, so given that both of the primitives can rely on almost the same components, like ordinary signatures, public-key encryption and supporting zero-knowledge proofs. Okay, so in the next slides I will describe that the main difficulty lies in the problem of constructing a suitable supporting zero-knowledge proof for group encryption.

Okay, so let's consider the existing zero-knowledge protocols that are used for handling lattice relations. The protocols in previous work can be categorized into two main classes, Schnorr-like and Stern-like. Okay, Schnorr protocols were originally proposed for handling discrete-log relations, but they were then shown to be very useful for lattice relations by Lyubashevsky, who introduced the rejection sampling technique. On the other hand, Stern-like protocols were first proposed in the context of code-based crypto, and they were first considered in the lattice setting by Kawachi, Tanaka and Xagawa, and then empowered by Ling et al. with the decomposition and extension techniques.
We observe that these two classes of techniques mainly deal with linear relations, in the sense that the equation contains only terms of the form a public matrix multiplied with some secret vector, where the secret vector may satisfy some additional constraints like smallness or having some special arrangement of entries. Okay, so the typical examples of this kind of relation are the SIS relation and the LWE relation. In the SIS relation we have an equation A times x equals u mod q, where the matrix A and vector u are public and the secret vector x is small. The LWE relation is represented by the equation A times s plus e equals b, where matrix A and vector b are public, vector e is small secret noise and the secret s may be small. Okay, so this also holds for... these two classes also work for encryption schemes based on LWE and signature schemes based on SIS problems.

Okay, so now let me go back to the context of lattice-based group signatures and see how the techniques work well for group signatures. A modular design for group signatures is sign, encrypt and prove. It consists of the following. First, each user has a signature on his identity ID, and that signature is issued by the group manager who manages the group. In the process of generating a group signature, each user has to encrypt his identity ID to a ciphertext C, and that is done using the public key of the opening authority. Then the signer has to prove in zero-knowledge that the following holds. First, he has a secret valid message-signature pair with respect to the manager's public key. That means that he is a certified group member. Second, C is a well-formed ciphertext of ID with respect to the public key of the opening authority. That means that he has done the encryption honestly and the opening authority can recover ID should the need arise.
Okay, so if we use SIS-based signatures and LWE encryption, then the relation underlying this statement can be represented by linear equations and it can be handled by previous techniques.

Okay, so now if we consider the context of lattice-based group encryption, then things become more complicated. Okay, so the modular design by KTY is as follows. Each member has a key pair (SK, PK) for an anonymous encryption scheme, and the manager signs the member's public key PK and publishes the pair PK and the signature. When the sender wants to send something to the group, say a message μ, then he uses PK to encrypt the message μ that satisfies some relation R and obtains a ciphertext C. The sender also encrypts the public key PK under the public key of the opening authority and obtains a ciphertext C_OA. Okay, that's for enabling the opening feature. Then the sender has to prove the following two parts. First, C is a correct encryption of some message μ with respect to a hidden public key. And second, the sender knows a valid signature on that PK with respect to the public key of the manager, and that C_OA is a correct encryption of that PK with respect to PK_OA. And also the message μ satisfies some relation R. Okay, so we observe that the statements in the second part are similar to the ones appearing in the context of lattice-based group signatures, and they can be handled with previous techniques. The challenging part is essentially the first part, where everything except for the ciphertext is hidden. Okay, so even the public key that the sender used to encrypt the plaintext is hidden. Okay, so if we use some LWE-based encryption for this, then the problem would boil down to proving an LWE relation with a hidden but certified matrix, which has the form X times s plus e equals b mod q, where this matrix X here is also hidden, but we additionally have to show that we have some signature on it.
Okay, so we call this a quadratic relation and we identify this as the main obstacle on our way towards realizing lattice-based group encryption. And overcoming this difficulty likely requires some new ideas.

Okay, so now let me state our results and describe the techniques we use. In this work, we introduce a zero-knowledge argument for quadratic relations, including the relation that I described, where matrix X and vector s may satisfy some additional relations. Our approach is to develop Stern's protocol and to improve its capability from handling only linear to handling quadratic relations. In the process, we propose some new techniques that may be of independent interest. Okay, so once this most difficult part is realized, we can use it to build the first lattice-based group encryption scheme. The scheme is proven secure in the KTY model under the SIS and the LWE assumptions.

Okay, so now let me recall Stern's clever ideas. Stern's protocol is a zero-knowledge protocol for the syndrome decoding problem, where given a public matrix A and a public vector u, we have to prove that we know a secret binary vector x with fixed Hamming weight w. So Stern did it with two main ideas. First, permuting, which means to prove the constraint of the witness using a random permutation; specifically, the prover sends to the verifier a permuted vector π(x). Okay, so we observe that the following equivalence holds: vector x has the constraint of being a binary vector with weight w if and only if π(x) does. Okay, so if the verifier sees that π(x) has this constraint, he should be convinced that x is a valid witness. And moreover, because π is random, it completely protects the actual value of x from the verifier's view. The second idea is masking. That means to prove the linear equation using a random masking vector r.
Specifically, we send the verifier the vector y that equals x plus r and show him instead that A times y equals u plus A times r, which is sufficient to convince the verifier that the original equation A times x equals u holds.

Okay, so let's go back to our quadratic relation. We will employ a two-step solution. In the first step, we will pre-process the given quadratic relation so that we obtain a somewhat more familiar form. Second, we will exploit Stern's ideas, especially the permuting idea, where we will set up some kind of permutation and a similar equivalence like the one above and then exploit the random permutation. Okay, so in the first step, we transform the term matrix X times vector s into the form of a public matrix times a secret vector. To this end, we do the following. First, we write this as the sum of all the products x_i s_i, where the x_i are the columns of matrix X and the s_i are the entries of vector s. Okay, so all of them are elements of Z_q. Second, we look at each of the terms x_i times s_i and use a decomposition matrix to break down the entries of vector x_i into binary and obtain an equation that x_i times s_i equals that public matrix multiplied with a vector whose entries are x_ij times s_i, where the x_ij are binary and the s_i are still elements of Z_q. Next, for each of these terms x_ij times s_i, we do the same decomposition process and obtain the form that... Okay, so it can be represented as a public vector multiplied with a binary secret vector. So, combining all of these sub-steps, we will obtain the form X times s equals Q times z mod q, where this Q is a public matrix and vector z is a binary secret vector. Okay, so this looks quite familiar, but actually the harder part is still ahead. Why? Because vector z is still quadratic. It still has some kind of quadratic nature, because each of its entries is a product of a bit from matrix X and a bit coming from vector s. Second, the component bits also additionally satisfy other relations.
Okay, so now we go to the second step, where we handle this vector z. We will employ a divide-and-conquer strategy where we view the whole problem as a bunch of sub-problems, where for each sub-problem we aim to prove that a secret bit z has the form z equals c1 times c2, while preserving the possibility of demonstrating that the component bits c1 and c2 satisfy other equations. To this end, we will use a permuting technique that is based on two bits. Okay, this is as follows. First, for every bit c, we denote by c̄ the bit 1 minus c. Then for every two bits c1 and c2, we define a binary vector of length 4 that we call the extension of c1 and c2, whose entries are the following. First, c̄1 times c̄2. Second, c̄1 times c2. Third, c1 times c̄2. And fourth, c1 times c2. Okay, so now for every two bits b1 and b2, we define a permutation called T_{b1,b2} that transforms an integer vector of length 4 that we call v, whose entries are v00, v01, v10 and v11, to the vector whose entries are v_{b1,b2}, v_{b1,b̄2}, then v_{b̄1,b2} and v_{b̄1,b̄2}. Okay, so why should we come up with this kind of artificial permutation? Okay, the final goal is to obtain an equivalence. Okay, for all bits c1, c2, b1, b2, we have the equivalence: v is the correct extension of the bits c1 and c2 if and only if the permutation T_{b1,b2} of v is the correct extension of the two bits c1 XOR b1 and c2 XOR b2. Okay, so how does it work? Let's consider an example to see what's happening here. Suppose that c1 is 1 and c2 is 0. Then v, which is the extension of c1 and c2, would be the vector consisting of the entries 0 times 1, 0 times 0, 1 times 1 and 1 times 0, which would be exactly the vector (0, 0, 1, 0). Okay, so we look at the entries of this and we denote v00 equal to 0, v01 equal to 0, v10 equal to 1 and v11 equal to 0. Now, let's consider the permutation.
Suppose that we permute with the two bits b1 equal to 1 and b2 equal to 1. Then the permuted vector T_{b1,b2}(v) will be the vector (v11, v10, v01, v00), which is the vector (0, 1, 0, 0) in this case, and that is exactly the extension of the two bits 0 and 1, where 0 is exactly c1 XOR b1 and 1 is exactly c2 XOR b2. Okay, so how can we make it useful? Actually, this already gives us a solution to the sub-problem. To do this, we first extend this secret bit z to the vector v, which is the extension of the two component bits c1 and c2, then we permute this vector v with random bits b1 and b2 and give the verifier the permuted vector. Okay, the verifier can check that the right-hand side of the equivalence holds, which convinces him that the left-hand side also holds, and which convinces him that the original bit z must be well formed. Furthermore, the random bits b1, b2 here essentially act as a kind of one-time pad that perfectly hides the values of c1 and c2 from the verifier's view. Okay, so secondly, we also have to prove that the same bits c1 and c2 satisfy other equations. So to do this, we set up a similar mechanism at all their appearances and use the same one-time bits at all of these places. So that's the main idea. So once we have the solution to this sub-problem, then we can also obtain the solution for the whole problem.

Okay, putting everything together, our new Stern-like techniques allow us to handle the quadratic relations. And to instantiate our group encryption, we use the following ingredients. For encryption, we use an anonymous CCA2-secure public-key encryption scheme obtained from the ABB identity-based encryption via the CHK transformation. For signatures, we use the signature scheme that will appear in the talk by my colleague Fabrice tomorrow. The signature scheme interacts well with zero-knowledge proofs.
And finally, combining with known Stern-like techniques for encryption and signatures, we obtain the zero-knowledge protocol that is required for the group encryption construction. And that's it. Thank you.

So unfortunately, we're quite late, so let's skip the question session and give people a chance to switch tracks. Thank you.
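The two-bit permuting technique described in the talk (the extension of a product bit z = c1·c2 and the permutation T_{b1,b2}) is small enough to check exhaustively. The following is an added, self-contained Python example written for this transcript; it is not code from the talk or from the authors' paper. It implements the extension and T_{b1,b2} exactly as defined above, verifies the stated equivalence over all choices of c1, c2, b1, b2 and all 16 binary vectors of length 4, and shows why the random bits act as a one-time pad: for any fixed (c1, c2), ranging over the four choices of (b1, b2) produces every unit vector once. The prove/verify helpers at the end (names chosen here, not from the paper) sketch the sub-problem check with one pair of mask bits reused across two product bits that share c1, which is the "same one-time bits at all appearances" idea; commitments and the rest of the Stern protocol are left out.

```python
import itertools
import random

BITS = (0, 1)


def ext(c1, c2):
    """Extension of bits (c1, c2): (v00, v01, v10, v11) with v_ij = 1 iff (i, j) == (c1, c2).
    This equals (c1bar*c2bar, c1bar*c2, c1*c2bar, c1*c2); the last entry is the product bit z."""
    return [int(c1 == i and c2 == j) for i, j in itertools.product(BITS, repeat=2)]


def perm_T(b1, b2, v):
    """T_{b1,b2}: (v00, v01, v10, v11) -> (v_{b1 b2}, v_{b1 b2bar}, v_{b1bar b2}, v_{b1bar b2bar})."""
    idx = lambda i, j: 2 * i + j          # position of v_ij in the length-4 vector
    return [v[idx(b1, b2)], v[idx(b1, 1 - b2)], v[idx(1 - b1, b2)], v[idx(1 - b1, 1 - b2)]]


def equivalence_holds():
    """Exhaustively check: v == ext(c1, c2)  <=>  T_{b1,b2}(v) == ext(c1 ^ b1, c2 ^ b2),
    for every c1, c2, b1, b2 in {0,1} and every v in {0,1}^4."""
    for c1, c2, b1, b2 in itertools.product(BITS, repeat=4):
        for v in itertools.product(BITS, repeat=4):
            v = list(v)
            lhs = v == ext(c1, c2)
            rhs = perm_T(b1, b2, v) == ext(c1 ^ b1, c2 ^ b2)
            if lhs != rhs:
                return False
    return True


def hides_component_bits():
    """One-time-pad property: for each (c1, c2), the set {T_{b1,b2}(ext(c1, c2)) : b1, b2}
    is exactly the set of all four unit vectors, so a uniformly random (b1, b2) makes the
    permuted vector's distribution independent of (c1, c2)."""
    unit_vectors = {tuple(ext(i, j)) for i, j in itertools.product(BITS, repeat=2)}
    for c1, c2 in itertools.product(BITS, repeat=2):
        seen = {tuple(perm_T(b1, b2, ext(c1, c2))) for b1, b2 in itertools.product(BITS, repeat=2)}
        if seen != unit_vectors:
            return False
    return True


def prove_shared_bit(c1, c2, c3, rng=random):
    """Prover side (hypothetical sketch) for two product bits z = c1*c2 and z' = c1*c3 that
    share the component bit c1. The same mask bit b1 is used at both appearances of c1, so the
    verifier can check that the two masked copies of c1 agree. Returns only what the verifier sees."""
    b1, b2, b3 = rng.randrange(2), rng.randrange(2), rng.randrange(2)
    return {
        "perm_v": perm_T(b1, b2, ext(c1, c2)),   # permuted extension of (c1, c2)
        "perm_w": perm_T(b1, b3, ext(c1, c3)),   # permuted extension of (c1, c3), same b1
        "c1_masked": c1 ^ b1,                    # revealed masked bit, consistent in both
        "c2_masked": c2 ^ b2,
        "c3_masked": c3 ^ b3,
    }


def verify_shared_bit(view):
    """Verifier side: both permuted vectors must be correct extensions of the masked bits,
    with the masked c1 shared between them (right-hand side of the equivalence)."""
    ok_v = view["perm_v"] == ext(view["c1_masked"], view["c2_masked"])
    ok_w = view["perm_w"] == ext(view["c1_masked"], view["c3_masked"])
    return ok_v and ok_w


if __name__ == "__main__":
    # The example from the talk: c1 = 1, c2 = 0, permuted with b1 = b2 = 1.
    print("ext(1,0) =", ext(1, 0))                       # [0, 0, 1, 0]
    print("T_{1,1}(ext(1,0)) =", perm_T(1, 1, ext(1, 0)))  # [0, 1, 0, 0] == ext(0, 1)
    print("equivalence holds:", equivalence_holds())
    print("masks hide (c1, c2):", hides_component_bits())
    print("honest prover accepted:", verify_shared_bit(prove_shared_bit(1, 0, 1)))
```

The verifier never sees c1, c2 or the product bit itself; it only checks that the permuted vector has exactly the shape the masked bits dictate, which by the equivalence is the same as checking that the hidden vector was a genuine extension. Reusing b1 in both permutations is what lets the single masked value c1 ^ b1 tie the two sub-problems together.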