 Hello, everyone. In this video, I would like to present our paper. From a sigma protocol, a look on drought-efficient threshold UCDSA from an encryption space on class groups. I'm Xin Xuan Zhang. This is a joint work with Yi Deng, Shunlin Ma, Heilong Wang, Xu Yang Song, and Xiang Xie. Before I talk about our contribution, I will introduce some background knowledge firstly. A drought-efficient threshold signature allows parties to share the ability of signing. Parties draw the key generation protocol to generate a common Wi-Fi key, as well as their own signing key. Started in the signing phase, any subgroup of at least T plus one parties will sign in messages. In the meanwhile, any subgroups of T plus one parties will feel to do that. Threshold ECDSA is one of the most famous threshold signatures. It is a threshold warning of traditional ECDSA. Little has been widely used in various applications, such as TLS and SSH. The construction of ECDSA is shown on the slides. As you can see, in order to construct the threshold ECDSA, we must know how to generate the public key, capital Q and signature IS in a distributed way. So, in our presentation, we consider special case of threshold ECDSA, the two-party ECDSA. Informally, in the construction of two-party ECDSA, the capital Q and R can be generated using a protocol, similar with the famous development case change protocol. To generate S, one can require party 1 to include a signing key using a homomorphic encryption scheme. In this way, the party 2 can do homomorphic operations on this encryption to have party 1 generate the signature. And of course, this encryption could be generated in the key generation phase, without the signing phase. However, there's still a gap from a secure two-party ECDSA. To generate secure ECDSA, both parties need to generate lots of dialogual proofs to make sure that they behave honestly. Here is a specific construction of the key generation in LinDiao 17 and CCR plus 19. In our paper, we focus on the choice of homomorphic encryption as well as the corresponding dialogual proofs to make sure that the encryption CK is indeed an encryption of signing key. In LinDiao 17, they chose the courier's encryption, which supports large message space but causes an exponential dialogual proof due to mismatch between courier space and the ECDSA space. In CCR plus 19, they chose CL encryption, a homomorphic encryption based on class group. This encryption also satisfies a large message space. However, using this encryption also needs an exponential dialogual proof or an efficient dialogual, but based on non-standard assumption, such as the large assumption and the strong rotor assumption. We hope to construct an efficient dialogual proof for CL encryption without these non-standard assumptions. So what is CL encryption? As we have said, CL encryption is a homomorphic encryption based on class group. In fact, CL encryption is similar with the famous L gamma encryption. Both encryption uses a pair of elements as public keys and uses the logarithm as a secret key. However, those elements of CL encryption come from an unknown order group, while the ones of L gamma come from a group of order p as for encryption. And the slide shows the CL encryption uses an extra element f coming from a DL easy group to generate the encryption, while the L gamma only uses the elements coming from a DL hard group as for decryption. As shown on the slide, both encryption want to extract a message from the faction C2 over C1 to secret key. However, in CL encryption, this faction comes from a DL easy group, while the one in L gamma encryption comes from a DL hard group. That's why CL encryption supports a large message space, while the L gamma encryption supports a small one. Go back to the specific construction of ECDSA. Besides the truth of the homomorphic encryption, once you need a DL knowledge proof, the proof that the encryption CK is indeed an encryption of the signing key. Here is the sigma protocol for proving the knowledge of CL encryption put forward in CCL plus 19. The proof sends a random CL encryption in the first round to mask the witness, and then the Wi-Fi sends a challenge from the side of CL and Y. And finally, the proof opens a specific encryption depending on the challenge. Although this protocol is secure, the status error is very large, and Y has to repeat this protocol many times to get an acceptable status error, which makes this protocol very expensive. So how about that the Wi-Fi choose to change from a large space? Unfortunately, if the Wi-Fi choose to change from a large space, this protocol is no longer secure. In fact, there is a lower element attack. Suppose PSTAR owns a lower element G-prime, then it could generate an invalid encryption C-prime as shown on the slide. Then if G-prime to E equals Y, then PSTAR could convince an honest Wi-Fi with an invalid encryption. Although this protocol is not secure, we still find a key observation which shows that this protocol still certifies some more security. In fact, we found that for any encryption C, if the malicious approval could generate an acceptable proof with a non-negligible probability, then this encryption C can be easily turned into a really safe test C-prime. More specifically, suppose there is two accepting proofs with the same force message and a different challenge. It shows these two equalities shown on the slide, which shows that the pair of C1 to capital delta E and C2 to capital delta E is a really good encryption of capital delta Cm, which also claims that we could use capital delta E to turn C into a really good encryption. We denote by MTLDA as shown on the slide. Then we could see that C is close to a really good encryption of MTLDA. So, given C2K and capital delta E, I could easily obtain the MTLDA. Suppose that PSTAR could convince Wi-Fi with a high probability. Then for random capital delta E, the probability capital delta E certifies our provise analysis is also high. Therefore, I could choose a random capital delta E itself and try to extract MTLDA only using the secret code. However, there is a question. How could we know that the extracted message is what we want? In other words, how could we make sure the consistency of the extracted message and the message hiding in encryption see? In order to secure, to ensure the consistency, we try to combine the sigma particle for algorithmic encryption and the sigma particle for CL encryption. Note that algorithmic encryption only supports small message space but has sigma particle satisfying some list. And CL encryption supports large message space but is a sigma particle that doesn't satisfy some list. That's our first idea. Forming a sigma particle. Forming a sigma particle is used to prove that the consistency of two texts, one is an algorithmic encryption, another is CL encryption. However, here we use blue for algorithm and red for CL encryption. In the fourth round, the plural send a random algorithmic encryption and a random CL encryption with the same message encrypted using for mask the witness. In the second round, the Wi-Fi are challenged from a large space. And in the last round, the plural open specific algorithmic encryption and corresponding CL encryption with the same plan text depending on challenge. It is easy to find that our primary sigma particle satisfies the completeness property and the answer Wi-Fi or zero-knowledge property. Although our particle doesn't satisfy the soundness property, it satisfies a kind of weak soundness. We call it a promise extractible property. The promise extractible property contains two parts. Rewinding extractible and the solution line extractible. Rewinding extractible claims that using Rewinding, one could extract the message and the randomness for algorithmic encryption, capital C, which also claims that the algorithmic encryption is a winners' encryption. The proof of this property is easy because our promise sigma particle contains a complete sigma particle for algorithm. As for the solution line extractible, it claims that one could use both secret keys to extract the message encrypted in algorithmic encryption. In fact, we have shown that a sigma particle for CL encryption shows that one could extract message from CL encryption. Using the secret key of algorithm, one could extract the message extracted is indeed the one encrypted in algorithmic encryption. Meanwhile, our promise sigma particle would ensure the conclusions of about two messages. The solution line extractible property is an interesting property because we know that a standalone algorithmic test is not decryptable for large print tests encrypted. However, with the help of our promise sigma particle and CL encryption, the algorithmic encryption is decryptable for large message space. Here, we remind that our promise sigma particle doesn't ensure that the CL encryption is a winners' encryption. However, we are sure that our particle is enough for many applications, such as threshold ECB ACA. We also construct another two promise sigma particles. One for consistency of messages and another for homomorphic operations. Due to the time limit, we refer listeners to our paper for more details. Go back to the construction of two party ECDSA. We use our promise particle to prove the consistency of capital Q1 and inclusion CK. Our promise sigma particles for performance is much better than the ones used in CZL plus 19. However, we will meet trouble in the simulating of homomorphic operations in signing phase. Here is the construction of signing phase in Lingdao 17 and CZL plus 19. Note that the party 2 will send a C-prime the last round, which is generated by doing homomorphic operations on inclusion CK. However, the simulator doesn't know the homomorphic operations. It only knows the messages supposed to be included in C-prime. So he can only send the inclusion of this message. Here we denote by A and B as shown on the slide. Using A and B it could simplify about the situation. As shown on the slide, party 2 does homomorphic operations using A and B. While simulator encrypts A times X1 plus B directly where X1 is extracted by revising the proof. Then if C is valid, then the randomness used in homomorphic operations or inclusions could be able to match A, which makes the output of party 2 and simulator interchangeable. However, all promised semi-political can ensure that C is valid C-L inclusion. Therefore, we need to know how to simulate homomorphic operations and invalidate the text with a promised semi-proof. So our idea is to make A-prime be able to mask A again. So we require the party 2 and simulator uses C1 to A-prime and C2 to A-prime to re-randomize C-prime. However, in this way, party 2 will be equipped A times X1 plus B plus A-prime times X1 from C-prime, which means that we will fail to equip A times X1 plus B and fail to generate the signature. Therefore, we have to require the party 2 and simulator since A-prime modulates P to help the inclusion. However, how could we use A-prime mask A under the situation sending A-prime modulates P? In fact, we found that A-prime is chosen from a large enough space and the order of C1 and C2 times F2 minus X1 is framed with P. A-prime could still re-randomize C-prime. And from the promised Sigma proof, we know that the inclusion C is close to the inclusion of X1. We show the connection between the order of C1 and GP as well as the order of C2 times F2 minus X1 and H. Therefore, with the help of our promised Sigma protocol, we could transform the secondary requirement into that P to print with the order of GP and H which could be easily achieved. So up to now we finish the simulation of the homomorphic operations on the subtext with the promised Sigma proof and we also finish the proof, we also finish the construction of our efficient two-party ECDSA. Using the same technique we could also construct an efficient multi-party threshold ECDSA compared with CCL plus 19 and CCL plus 20. Our efficient two-party ECDSA is significantly improved in the K generation phase and slightly efficient in signing phase. Compared with CCL plus 20, our multi-party threshold ECDSA is significantly improved in the K generation phase but it was more important our multi-party threshold ECDSA removes the non-standard assumption the loud assumption and the strong rotor assumption. That's all. Thank you for your attention.