Hello everyone. Today I'm going to present you our new two-round Schnorr-based multi-signature scheme. A multi-signature protocol is a signature scheme that allows multiple parties to collaboratively sign a message, and it can be verified by anyone who has the public keys of the signers. It consists of the following algorithms. The first algorithm is the key generation algorithm with the secret, which outputs the secret and public key pair for a signer. The other one is the signing algorithm, which runs with the input of the secret key and the message, and it's an interactive algorithm run by the other signers. There's also a key aggregation algorithm, which receives the public keys of the signers as an input and then outputs an aggregated key. There is also a verification algorithm, which verifies a signature with the aggregated public key.

As I said, our scheme is based on the Schnorr signature scheme, therefore I would like to remind you how the Schnorr signature scheme works. It works on a group of order p, and G here is the generator, and the secret key is an element from Z_p, and the public key is x multiplied with G. The signer signs the message as follows. It first picks a random element r from Z_p and then generates T, which is r multiplied with G. Here we call T the commitment of the Schnorr signature scheme. It also hashes the message, the public key, and the commitment and obtains the c value, and it finally obtains the s value, which is the sum of r and xc. The signature consists of c and s. The verification works as follows. Given the message and signature, the verifier checks whether the hash of the message, the public key, and sG minus cX is equal to c. And if the signature is correctly constructed, then sG minus cX should be equal to T.
One common approach to construct a Schnorr-based multi-signature scheme is letting parties collaboratively generate a commitment T, and then, using the linearity of the Schnorr signature scheme, obtain the final signature. In the three-round case it is much easier to do the generation of the commitments collaboratively, but in the two-round case it is not as easy as in the three-round case. Because in the two-round case, first each party sends some messages to generate this commitment, and then they send their partial signatures to obtain the s value of the Schnorr signature scheme. However, here we should be very careful in the commitment generation process to prevent adversarial choice of randomness that depends on the honest parties' randomness.

These are the existing two-round Schnorr-based multi-signature schemes. There have been many before, but it has been shown by Drijvers et al. that the existing ones are not secure at all, by showing an attack that is called k-sum. This attack is based on the adversarial choice of randomness that depends on the honest parties' randomness. Drijvers et al. propose a new scheme that's called mBCJ. It's a Schnorr-based scheme, but the form of the signature is not the same as the Schnorr signature scheme, therefore the verification is less efficient and the domain size, the public key size and the signature size are bigger than for the Schnorr signature. Most of the existing ones actually are in the form of a Schnorr signature, therefore they all have the same verification efficiency and the same domain. Okay, the other interesting protocol is MuSig-DN, and MuSig-DN has a different approach to prevent the adversarial choice of randomness. It's based on deterministic nonces, so that the adversary has only one option to choose his randomness. However, it requires many heavy zero-knowledge proofs in the signing process, therefore the signing process is not efficient.
MuSig2 is a concurrent work with ours and we both use a similar approach. Here our parameter m and v correspond to the same parameter, and they show MuSig2 is secure if they choose the parameter v equal to 4 in the standard model. If they choose the parameter equal to 2, then it is secure in the algebraic group model. The version in the algebraic group model is the most efficient existing two-round Schnorr-based multi-signature scheme. Similarly, we also show that our protocol is secure in the algebraic group model if we choose m equal to 2. And with an optimized network, which is based on a tree structure, the signing process can be executed much more efficiently.

In a nutshell, in this paper our contribution is as follows: we construct a two-round Schnorr-based multi-signature protocol that we call DWMS. The final signature in our protocol is a Schnorr signature, and we prove that our protocol is secure in the algebraic group model. We also define a new computationally hard problem that we call the m-entwined sum problem and show its hardness in the AGM under the assumption that the discrete logarithm problem is hard. So, first I will explain to you how our protocol works, and I will explain how we define the m-entwined sum problem. And finally, I will briefly show how we prove the security of DWMS.

The key generation algorithm of our scheme is the same as in the Schnorr signature scheme. I will explain the signing process in the next slide, and key aggregation works as follows. Given the public keys, the key aggregation algorithm first finds the scalar, which is the output of the random oracle H2 for each signing key, and then sums all these public keys. The verification process, again, is the same as in the Schnorr signature scheme. So in the first round of our scheme in the signing process, first of all, the parties send the necessary messages to each other to generate the commitment of the Schnorr signature.
Therefore, each party first generates m random numbers from Z_p and then commits to these random numbers. We call these random numbers witnesses and these group elements precommitments. Then they send the precommitments to each other, and then the first round ends.

The second round of our protocol works as follows. Each party generates the session ID of the signing process, which consists of the public keys of the signers, the message that is going to be signed, and all the precommitments. Here each party has m precommitments. Then they compute the commitment of the Schnorr scheme. How do they do that? They multiply each precommitment with the scalar that we denote by alpha, and then they sum all of them. How do we define alpha? Alpha is the random oracle output of the session ID and the corresponding index. Here we call the linear combination of witnesses with random oracle outputs delinearization. The reason that we use this naming is that the coefficients of the linear combinations are random and cannot be known by the adversary before the adversary selects its own randomness. It reduces a bit of adaptive random selection by the adversary. After the commitment generation, as in the Schnorr signature scheme, they compute the c value, which is the hash of the message, the aggregated public key and the commitment. Then they generate individual partial signatures, and the individual partial signature consists of the delinearized witnesses plus the secret key multiplied with c. We call this the partial signature, and they exchange the partial signatures with each other. In the end, the final signature is c and s, where s is the sum of all partial signatures.

Okay, now I'm going to explain to you our new hard problem that we call the m-entwined sum problem. First of all, I want to show you how we came up with this problem.
When we constructed DWMS, we first wanted to attack the protocol. In our trials we saw that actually the following attack is possible. It starts q signing sessions with the honest party P, and therefore the party sends precommitments for each session. After that the adversary tries to find some precommitments and the forgery message and also some scalars, q scalars, that satisfy this equality. In this equality, the linear combination of the c_i values, where c_i is the c value of the i-th session, is going to be equal to the forgery c value. The forgery c value is the hash of the forgery message, the aggregated public key, and also the linear combination of the delinearized precommitments of the honest parties. The restriction here is that there should be the same linear relation here, and also here. If the adversary can do that, in that case he can forge the signature. And actually, we showed in the paper that the adversary can do that if m equals one. It's an interesting attack; you can check the paper for the attack. But we see that it's not possible when m is greater than one, as long as the discrete logarithm problem is hard.

From that attack, we define our m-entwined sum problem. It works as follows. He generates q challenges, where each of the q challenges consists of m group elements. After that he sends the group structure and all these challenges to the adversary. The adversary has access to the random oracles H, H1 and H', and all these random oracles map to Z_p. The adversary outputs a vector beta of size q plus one from Z_p and q outputs from ordinary set, and also an output from ordinary set that we call omega here. Here the adversary wins if this equality is satisfied. Basically, in this equality, the linear combination of the random oracle H outputs is equal to the random oracle output of H.
And here the restriction, as you can see, is that the same linear relationship that is satisfied on the side of the equation in Z_p also must be satisfied as the input of the random oracle H in G. So here how we define to you to you is the delinearized sum of the delinearized challenges. We show that our new problem is hard as long as m is greater than one and the discrete logarithm problem is hard. We show this in the algebraic group model. Therefore, this shows that m must be at least two in DWMS, in our multi-signatures.

Now I'm going to briefly explain to you how we show the security of DWMS, and for that first I need to explain our security model. We consider the security of our multi-signature scheme in the plain public key model, and it works in a way very similar to the existential unforgeability game. Here the challenger generates a secret and public key and then sends the parameters and the public key to the adversary, and the adversary has access to a signing oracle: he sends a message and receives the signature, and he can do that as many times as he can. In the end he outputs a forgery, and we say that the adversary wins if the set of public keys includes the party's key pk, the message star has never been queried to the signing oracle, and the verification of the forgery works. We show that our DWMS is a secure multi-signature scheme in the algebraic group model and the random oracle model, assuming that the one-more discrete logarithm problem is hard and the m-entwined sum problem is hard.

So how does the one-more discrete logarithm problem work? The challenger generates a group structure, picks q plus one elements from the group, and sends them to the adversary as a challenge. Then the adversary has access to the discrete logarithm oracle: he sends a group element and receives the discrete logarithm of that group element. But he can do that at most q times.
And in the end, if the adversary sends the discrete logarithms of all the challenges, then he wins.

So I'm going to explain to you briefly how we prove the security of DWMS. We assume that there exists a forger which breaks DWMS, and given that forger we construct another adversary R which breaks the problem. He receives the challenges from the game, and then in order to simulate DWMS he needs to pick a public key, and he picks as a public key the last. Then he gives the group structure and the public key to the forger. He needs to simulate the signing oracle as well, and for that, in the first round when he receives a message to sign, instead of picking witnesses as described in DWMS, he uses the OMDL challenges to generate the precommitments, and for that he uses a random linear combination of the first q OMDL challenges and obtains the two precommitments. In the second round, when he receives the message, the precommitments of the adversary, and the public key of the adversary, he cannot simulate it, because he cannot obtain the partial signature, since he doesn't know the secret key and also the discrete logarithm of the precommitments. So he gets help from the discrete logarithm oracle of OMDL, and for that he computes the group element whose discrete logarithm is equal to the partial signature, and then he gives the partial signature to A. In each case when he goes to the discrete logarithm oracle, he obtains a linear equation with the unknowns being the discrete logarithms of the OMDL challenges. Since he can do that q times, in the end he obtains q linear equations with q plus one unknowns. He can show that these linear equations are linearly independent. Now he needs one more linear equation in order to solve the system of equations. For that, after receiving the forgery, he generates another linear equation.
And here is the place where we need the algebraic group model. In the algebraic group model, whenever the adversary submits a group element it also gives the representation of it. Therefore, the adversary R obtains the representation of the forgery commitment and the representation of the public key of the adversary, and using that he obtains the last equation. The last linear equation is independent from the first q equations, because if it is not, then it means that the adversary A breaks the m-entwined sum problem. Since it is a hard problem, we can assume that this case never happens. Then the adversary R can solve this system of equations and obtains the discrete logarithms of the q plus one challenges of the OMDL game, and it outputs that.

So I will conclude my presentation by giving you our contribution in this paper. We constructed DWMS, which is an efficient two-round Schnorr-based multi-signature scheme. And we introduce a new computationally hard problem that we call the m-entwined sum problem. We believe that this m-entwined sum problem can be useful against preventing k-sum attacks. And we show its hardness in the algebraic group model. As future work, I think it is very interesting to see whether the real problem is hard in the standard model as well. And also, it will be interesting to see the security proof of DWMS in the standard model. Thanks for listening.
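
The two-round signing flow described in the talk, as an added Python sketch that is not code from the talk or the paper. It uses multiplicative notation over a constructed toy group (insecure sizes) and SHA-256 as a stand-in for the random oracles; the hash input encodings, the per-signer and per-witness indexing of alpha, and the inputs to the key-aggregation hash are assumptions the talk does not specify.

```python
import hashlib, math, secrets

# Constructed toy group (insecure sizes): order-Q subgroup of Z_N^*, N = 2Q + 1.
N, Q, G = 2039, 1019, 4
M = 2  # witnesses per signer; the talk requires m >= 2

def H(tag, *parts):
    """SHA-256 as a stand-in random oracle, domain-separated by tag (assumed encoding)."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, N)

def key_agg(pks):
    """Aggregated key: product of X_i^{a_i}, with a_i = H2(X_i, all keys) (assumed inputs)."""
    coeffs = [H("agg", X, *pks) % Q for X in pks]
    return math.prod(pow(X, a, N) for X, a in zip(pks, coeffs)) % N, coeffs

def round1():
    """Round 1: pick M witnesses and publish their precommitments g^r."""
    r = [secrets.randbelow(Q) for _ in range(M)]
    return r, [pow(G, rj, N) for rj in r]

def round2(i, x, r, pks, msg, precommits):
    """Round 2 for signer i: delinearize, derive c, return (c, partial signature)."""
    X, coeffs = key_agg(pks)
    sid = (pks, msg, precommits)  # session ID: keys, message, all precommitments
    alpha = [[H("delin", sid, k, j) % Q for j in range(M)] for k in range(len(pks))]
    T = math.prod(pow(t, alpha[k][j], N)
                  for k, row in enumerate(precommits) for j, t in enumerate(row)) % N
    # c stays a full-width hash; exponents reduce mod Q, so the tiny Q adds no collisions.
    c = H("sig", msg, X, T)
    s_i = (sum(a * rj for a, rj in zip(alpha[i], r)) + x * coeffs[i] * c) % Q
    return c, s_i

def sign(keys, msg):
    """Run both rounds for all signers locally and sum the partial signatures."""
    pks = [X for _, X in keys]
    wits, pre = zip(*(round1() for _ in keys))
    parts = [round2(i, x, wits[i], pks, msg, list(pre)) for i, (x, _) in enumerate(keys)]
    return parts[0][0], sum(s for _, s in parts) % Q

def verify(pks, msg, sig):
    """Plain Schnorr check against the aggregated key: H(msg, X, g^s * X^-c) == c."""
    c, s = sig
    X, _ = key_agg(pks)
    T = pow(G, s, N) * pow(X, Q - c % Q, N) % N
    return H("sig", msg, X, T) == c
```
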