thesis/chap-GS-LWE.tex

909 lines
75 KiB
TeX
Raw Normal View History

2018-04-30 12:54:26 +00:00
\section{A Lattice-Based Signature with Efficient Protocols} \label{se:gs-lwe-sigep}
%We first specify the parameters used in our scheme. Let $\lambda$ be the security parameter, and let $n = \bigO(\lambda)$, $q = \mathsf{poly}(n)$, and $m \geq 2n \log q$.
%We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
%block is an $L$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[L] \in \{0,1\}^L$ for $k \in \{1,\ldots, N\}$.
Our scheme can be seen as a variant of the B\"ohl \textit{et al.} signature \cite{BHJ+15}, where
each signature is a triple $(\tau,\mathbf{v},\mathbf{s})$, made of a tag $\tau \in \{0,1\}^\ell$ and integer vectors $(\mathbf{v},\mathbf{s})$ satisfying
$[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \tau[j] \cdot \mathbf{A}_j ] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$,
where matrices $\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell, \mathbf{D} \in \Zq^{n \times m}$
are public random matrices and $\mathbf{h} \in \{0,1\}^m$ is a chameleon hash of the message which is computed using randomness $\mathbf{s}$.
A difference is that, while \cite{BHJ+15} uses a short single-use tag $\tau \in \Zq$,
we need the tag to be an $\ell$-bit string $\tau \in \{0,1\}^{\ell}$ which will assume the same role as the prime exponent of Camenisch-Lysyanskaya signatures
\cite{CL02a} in the security proof.
We show that a suitable chameleon hash function makes the scheme compatible with Stern-like zero-knowledge arguments \cite{LNSW13,LNW15} for arguing possession of a valid message-signature pair. \cref{sse:stern} shows how to translate such a statement into asserting that a short witness vector $\mathbf{x}$ with a particular structure satisfies
a relation of the form
$\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q$, for some public matrix $\mathbf{P}$ and vector~$\mathbf{v}$.
The underlying chameleon hash can be seen as a composition of the chameleon hash of \cite[Se. 4.1]{CHKP10} with
a technique used in \cite{PSTY13,LLNW16}: on input of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, it outputs the binary decomposition of
$\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$, for some discrete Gaussian vector $\mathbf{s}$.
\subsection{Description} \label{desc-sig-protoc}
We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$. \\
\indent For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
coordinate of $\mathbf{v}$ by its binary representation.
\begin{description}
\item[\textsf{Keygen}$(1^\lambda,1^N)$:] Given a security parameter $\lambda>0$ and the number of blocks $N = \mathsf{poly}(\lambda)$, choose the following parameters: $n = \bigO(\lambda)$; a prime modulus $q = \widetilde{\bigO}(N\cdot n^{4})$; dimension $m =2n \lceil \log q \rceil $; an integer $\ell = \Theta(\lambda)$; and Gaussian parameters $\sigma = \Omega(\sqrt{n\log q}\log n)$, $\sigma_0 = 2\sqrt{2}(N+1) \sigma m^{3/2}$, and $\sigma_1 = \sqrt{\sigma_0^2 + \sigma^2}$. Define the message space as $(\{0,1\}^{2m})^N$.
\smallskip
\begin{itemize}
\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
\item[2.] Choose random matrices $\mathbf{D} \sample U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N} \sample U(\Zq^{2n \times 2m})$ as well as a random vector
$\mathbf{u} \sample U(\Zq^n)$. \smallskip
\end{itemize}
The private key consists of $SK:= \mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and the public key is
$${PK}:=\big( \mathbf{A}, ~ \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big).$$
% \smallskip
\item[\textsf{Sign}$\big(SK, \mathsf{Msg} \big)$:] To sign an $N$-block message
$\mathsf{Msg}=\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right) \in \left(\{0,1\}^{2m} \right)^N$,
\begin{enumerate}[1.]
\item Choose a random string $\tau \sample U(\{0,1\}^\ell )$. Then, using $SK:=
\mathbf{T}_{\mathbf{A}}$, compute with $\ExtBasis$ a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$
for the matrix
\begin{eqnarray} \label{tau-matrix}
\mathbf{A}_{\tau}=
[ \mathbf{A} \mid \mathbf{A}_0 +
\sum_{j=1}^\ell \tau[j] \mathbf{A}_j
] \in \Zq^{ n \times 2m}.
\end{eqnarray}
\item Sample a vector $\mathbf{s} \sample D_{\ZZ^{2m},\sigma_1 }$. Compute $\mathbf{c}_M \in \Zq^{2n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$: i.e., compute
$\mathbf{c}_M = \mathbf{D}_{0} \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n} ,$
which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M) \in \Zq^n .$
Then,
using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$.
\end{enumerate}
Output the signature $sig=(\tau,\mathbf{v},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$. \smallskip
\item[\textsf{Verify}$\big(PK,\mathsf{Msg},sig\big)$:] Given $PK$, a message $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^{2m})^N$ and a purported
signature $sig=(\tau,\mathbf{v},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$,
return $1$ if
\begin{eqnarray} \label{ver-eq-block}
\mathbf{A}_{\tau} \cdot \mathbf{v} &=& \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q.
\end{eqnarray}
and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, $\| \mathbf{s} \| < \sigma_1 \sqrt{2m}$.
\end{description}
When the scheme is used for obliviously signing committed messages,
the security proof follows Bai \textit{et al.} \cite{BLL+15} in that it applies an argument based on the R\'enyi divergence in one signing query. This argument requires
to sample $\mathbf{s}$ from a Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$. \\
\indent
We note that, instead of being included in the public key, the matrices $ \{\mathbf{D}_k\}_{k=0}^{N}$ can be part of common public parameters shared by many signers. Indeed,
only the matrices $(\mathbf{A},\{\mathbf{A}_i\}_{i=0}^\ell)$ should be specific to the user who holds the secret key $SK=\mathbf{T}_{\mathbf{A}}$. In Section \ref{commit-sig}, we use a variant where $ \{\mathbf{D}_k\}_{k=0}^{N}$
belong to public parameters.
\subsection{Security Analysis}
The security analysis in Theorem \ref{th:gs-lwe-security-cma-sig} requires that $q>\ell$.
\begin{theorem} \label{th:gs-lwe-security-cma-sig}
The signature scheme is secure under chosen-message attacks under the $\mathsf{SIS}$ assumption.
\end{theorem}
\begin{proof}
To prove the result, we will distinguish three kinds of attacks:
\begin{description}
\item[Type I attacks] are attacks where, in the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ did not appear in any output
of the signing oracle.
\item[Type II attacks] are such that, in the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ is recycled from an output
$sig^{(i^\star)}=(\tau^{(i^\star)},\mathbf{v}^{(i^\star)},\mathbf{s}^{(i^\star)})$ of the signing oracle, for some index $i^\star \in \{1,\ldots,Q\}$. However,
if $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ and $\mathsf{Msg}^{(i^\star)}=(\mathfrak{m}_1^{(i^\star)},\ldots,\mathfrak{m}_N^{(i^\star)})$ denote the forgery
message and the $i^\star$-th signing query, respectively, we have
$\mathbf{D}_0 \cdot \mathbf{s}^\star + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star \neq \mathbf{D}_0 \cdot \mathbf{s}^{(i^\star)} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^{(i^\star)}. $
\item[Type III attacks] are those where the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$ recycles $\tau^\star $ from an output
$sig^{(i^\star)}=(\tau^{(i^\star)},\mathbf{v}^{(i^\star)},\mathbf{s}^{(i^\star)})$ of the signing oracle (i.e.,
$\tau^{(i^\star)}= \tau^\star$ for some index $i^\star \in \{1,\ldots,Q\}$) and we have the collision
\begin{eqnarray} \label{collision}
\mathbf{D}_0 \cdot \mathbf{s}^\star + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star = \mathbf{D}_0 \cdot \mathbf{s}^{(i^\star)} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^{(i^\star)}.
\end{eqnarray}
\end{description}
Type III attacks imply a collision for the chameleon hash function of Kawachi \textit{et al.} \cite{KTX08}: if (\ref{collision}) holds,
a short vector
of $\Lambda_q^{\perp}([ \mathbf{D}_0 \mid \mathbf{D}_1 \mid \ldots \mid \mathbf{D}_N])$ is obtained as
$$\big({\mathbf{s}^\star}^T- {\mathbf{s}^{(i^\star)}}^T \mid {\mathfrak{m}_1^\star }^T - {\mathfrak{m}_1^{(i^\star)} }^T \mid \ldots \mid {\mathfrak{m}_N^\star }^T - {\mathfrak{m}_N^{(i^\star)} }^T \big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption. \\ \indent
The security against Type I attacks is proved by \cref{le:lwe-gs-type-I-attacks} which applies the same technique as in \cite{Boy10,MP12}. In particular, the prefix guessing technique
of \cite{HW09} allows keeping the modulus smaller than the number $Q$ of adversarial queries as in \cite{MP12}.
In order to deal with Type II attacks, we can leverage the technique of~\cite{BHJ+15}. In \cref{le:lwe-gs-type-II-attacks}, we prove that Type II attack would also contradict $\mathsf{SIS}$.
\end{proof}
\begin{lemma} \label{le:lwe-gs-type-I-attacks}
The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$ assumption holds for $\beta' = m^{3/2} \sigma^2 ( \ell+3) + m^{1/2} \sigma_1 $
\end{lemma}
\begin{proof}
Let $\adv$ be a $\ppt$ adversary that can mount a Type I attack with non-negligible success probability $\varepsilon$. We construct a $\ppt$
algorithm $\bdv$ that uses $\adv$ to break the~$\SIS_{n,m,q,\beta'}$ assumption. It takes as input~$\bar{\mathbf{A}} \in
\Zq^{n \times m}$ and computes $\mathbf{v} \in
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$. \\
\indent
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this
end, $\bdv$ chooses $i^\dagger \sample U(\{1,\ldots, Q\})$ and $t^\dagger \sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest
common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string
$\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the
first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
the $t^\dagger$-th prefix of $\tau^{(i)}$ for each $i\in \{1,\ldots,Q\}$. \\
\indent
Then, $\bdv$ runs
$\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a
basis $\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ with
$\|\widetilde{\mathbf{T}_{\mathbf{C}}}\| \leq \bigO(\sqrt{n \log q})$. Then,
it picks~$\ell+1$ matrices~$\mathbf{Q}_0,\ldots, \mathbf{Q}_{\ell} \in \ZZ^{m \times m}$, where
each matrix $\mathbf{Q}_i$ has its columns sampled independently from~$D_{\ZZ^m, \sigma}$. The
reduction $\bdv$ defines the matrices $\{ \mathbf{A}_j\}_{j=0}^{\ell}$ as
\begin{eqnarray*}
\left\{
\begin{array}{ll}
\mathbf{A}_0 = \bar{\mathbf{A}} \cdot \mathbf{Q}_0 + (\sum_{j=1}^{t^\dagger} {\tau^\star[j]}) \cdot
\mathbf{C} \\
\mathbf{A}_j = \bar{\mathbf{A}} \cdot \mathbf{Q}_j + (-1)^{\tau^\star[j]} \cdot
\mathbf{C}, \qquad \quad \text{ for } j \in
[1,t^\dagger] \\
\mathbf{A}_j = \bar{\mathbf{A}} \cdot \mathbf{Q}_j , \qquad \quad \qquad \quad~~ \qquad \quad \text{ for } j \in
[t^\dagger+1,\ell]
\end{array}
\right.
\end{eqnarray*}
It also sets $\mathbf{A}=\bar{\mathbf{A}}$.
We note that we have
% \vspace*{-.1cm}
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i)}} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}} & \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i)}[j] \mathbf{A}_j
\end{array} \right] \\
& = & \left[
\begin{array}{c|c}
\bar{\mathbf{A}} ~ & ~ \bar{\mathbf{A}} \cdot (\mathbf{Q}_0 +
\sum_{j=1}^{\ell} \tau^{(i)}[j] \mathbf{Q}_j) + (
\sum_{j=1}^{t^\dagger} \tau^\star[j] +(-1)^{\tau^\star[j]} \tau^{(i)}[j])\cdot \mathbf{C}
\end{array} \right]
\\
&=&
\left[
\begin{array}{c|c}
\bar{\mathbf{A}} ~ & ~ \bar{\mathbf{A}} \cdot (\mathbf{Q}_0 +
\sum_{j=1}^{\ell} \tau^{(i)}[j] \mathbf{Q}_j) + h_{\tau^{(i)}} \cdot \mathbf{C}
\end{array} \right]
\end{eqnarray*}
where $ h_{\tau^{(i)}} \in [1,t^\dagger] \subset [1,\ell]$ stands for the Hamming distance between
$\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have
$ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$. \\
\indent Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
and computes
\begin{eqnarray*}
\mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}.
\end{eqnarray*}
Finally, $\bdv$ samples a short vector $\mathbf{e}_u \sample D_{\ZZ^m,\sigma_1}$ and computes the vector $\mathbf{u} \in \Zq^n$
as $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u \in \Zq^n$. The public key $${PK}:=\big( \mathbf{A}, ~
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big)$$
is given to $\adv$.
%Hence,
% $\bdv$ is able to compute a trapdoor $\mathbf{T}_{\tau^{(i)}} \in \ZZ^{2m \times 2m}$ for each matrix $\{\mathbf{A}_{\tau^{(i)}} \}_{i=1}^Q $ (see~\cite[Se.~4.2]{ABB1},
% using the basis~$\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$.
At the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)}) \in (\{0,1\}^{2m})^N$, $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature.
To do this, $\bdv$ first samples $\mathbf{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in \Zq^m$ as
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } \bigr) ~~ \bmod q.$$
Using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\bdv$ can then sample a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
that $\big(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)} \big)$ satisfies the verification equation (\ref{ver-eq-block}). \\
\indent When $\adv$ halts, it outputs a valid signature $sig^\star=\big(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star \big)$ on a
message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$.
At this point, $\bdv$ aborts and declares failure if it was unfortunate in its choice of $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$. Otherwise,
with probability $1/(Q \cdot \ell)$, $\bdv$ correctly guessed $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$, in which case it can solve the given $\mathsf{SIS}$ instance as follows.
If we parse $\mathbf{v}^\star \in \ZZ^{2m}$ as $({\mathbf{v}_1^\star }^T \mid {\mathbf{v}_2^\star }^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star \in \ZZ^m$, we have the equality
\begin{align*}
&\left[ \begin{array}{c|c} \bar{\mathbf{A}} ~&~ \bar{\mathbf{A}} \cdot (\mathbf{Q}_0 +
\sum_{j=1}^{\ell} \tau^\star[j] \mathbf{Q}_j)
\end{array} \right] \cdot
\left[\begin{array}{c} {\mathbf{v}_1^\star } \\ \hline {\mathbf{v}_2^\star } \end{array} \right] \\
& \hspace{3cm}= \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } +
\sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bigr) \bmod q \\
& \hspace{3cm}= \bar{\mathbf{A}} \cdot \Bigl( \mathbf{e}_u + \mathbf{R} \cdot \bit \bigl( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } +
\sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bigr) \Bigr) \bmod q ,
\end{align*}
which implies that the vector
\begin{eqnarray*}
\mathbf{w} &=& {\mathbf{v}_1^\star } + (\mathbf{Q}_0 +
\sum_{j=1}^{\ell} \tau^\star[j] \mathbf{Q}_j) \cdot {\mathbf{v}_2^\star } - \mathbf{e}_u - \mathbf{R} \cdot \bit \bigl( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } +
\sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bigr) \in \ZZ^m
\end{eqnarray*}
is in $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. Moreover, with overwhelming probability, this vector is non-zero since, in $\adv$'s view, the distribution of
$\mathbf{e}_u \in \ZZ^m$ is $D_{\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}),\sigma_1}$, which ensures that $\mathbf{e}_u$ is statistically hidden by
the syndrome $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u $. Finally, the norm of $\mathbf{w}$ is smaller than
% modified by Khoa: $\| \mathbf{w} \| \leq m^{3/2} \sigma ( \sigma_1 + N / \sqrt{2}) + m^{1/2} ( \sigma + \sigma_1) + (\ell+1) \sigma m$,
$\beta' = m^{3/2} \sigma^2 ( \ell+3) + m^{1/2} \sigma_1 $
which yields a valid solution of the given $\mathsf{SIS}_{n,m,q,\beta'}$ instance
with overwhelming probability.
\end{proof}
\begin{lemma} \label{le:lwe-gs-type-II-attacks}
The scheme is secure against Type II attacks if the $\mathsf{SIS}_{n,m,q,\beta''}$ assumption holds for $\beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $.
\end{lemma}
\begin{proof}
We prove the result using a sequence of games. For each $i$, we denote by $W_i$ the event that the adversary wins by outputting a Type II forgery in \textsf{Game} $i$.
\medskip
\begin{description}
\item[\textsf{Game} 0:] This is the real game where, at the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)})$,
the adversary obtains a signature $sig^{(i)}=(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ for each $i \in \{1,\ldots,Q\}$ from the signing oracle. At the end of the game, the adversary
outputs a forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^{\star}=(\mathfrak{m}_1^{\star},\ldots,\mathfrak{m}_N^{\star})$.
By hypothesis, the adversary's advantage is $\varepsilon = \Pr[W_0]$. We assume without loss of generality that the random $\ell$-bit strings $\tau^{(1)}, \ldots, \tau^{(Q)}$ are chosen
at the very beginning of the game.
Since $(\mathsf{Msg}^\star,sig^\star)$ is a Type II forgery, there exists an index $i^\star \in \{1,\ldots,Q\}$ such that $\tau^\star =\tau^{(i^\star)} $.
\item[\textsf{Game} 1:] This game is identical to \textsf{Game} $0$ with the difference that the reduction aborts the experiment in the unlikely event that, in the adversary's forgery
$sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ coincides with more than one of the random $\ell$-bit strings $\tau^{(1)}, \ldots, \tau^{(Q)}$
used by the challenger. If we call $F_1$ the latter event, we have $\Pr[F_1] < Q^2/2^\ell$ since we are guaranteed to have $\neg F_1$ as long as no two $\tau^{(i)}$, $\tau^{(i')}$ collide.
Given that \textsf{Game} $1$ is identical to \textsf{Game} $0$ until $F_1$ occurs, we have $|\Pr[W_1]-\Pr[W_0]| \leq \Pr[F_1] < Q^2/2^\ell$.
\item[\textsf{Game} 2:] This game is like \textsf{Game} $1$ with the following difference. At the outset of the game, the challenger $\bdv$ chooses a random index
$i^\dagger \sample U(\{1,\ldots,Q\})$ as a guess that $\adv$'s forgery will recycle the $\ell$-bit string $\tau^{(i^\dagger)} \in \{0,1\}^\ell$ of the $i^\dagger$-th signing query.
When $\adv$ outputs its Type II forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, the challenger aborts
in the event that $\tau^{(i^\dagger)} \neq \tau^\star$ (i.e., $i^\dagger \neq i^\star$). Since the choice of $i^\dagger $ in $\{1,\ldots,Q\}$ is independent of $\adv$'s view, we
have $\Pr[W_2]=\Pr[W_1]/Q$.
\item[\textsf{Game} 3:] In this game, we modify the key generation phase and the way to answer signing queries.
First, the challenger $\bdv$ randomly picks $h_0,h_1,\ldots,h_\ell \in \Zq$ subject to the constraints
\begin{eqnarray*}
h_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot h_j &=& 0 \bmod q \\
h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j & \neq & 0 \bmod q \qquad \qquad i \in \{1,\ldots,Q\} \setminus \{i^\dagger\}
\end{eqnarray*}
It runs $(\mathbf{C},\mathbf{T}_{\mathbf{C}}) \leftarrow \mathsf{TrapGen}(1^n,1^m,q)$,
$(\mathbf{D}_0,\mathbf{T}_{\mathbf{D}_0}) \leftarrow \mathsf{TrapGen}(1^{2n},1^{2m},q)$ so as to obtain statistically random matrices $\mathbf{C} \in \Zq^{n \times m} $, $\mathbf{D}_0 \in \Zq^{2n \times 2m}$ with
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\mathbf{T}_{\mathbf{D}_0} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_0)$, respectively. Then,
$\bdv$
chooses
a uniformly random $\mathbf{D} \sample U(\Zq^{n \times m})$ and re-randomizes it using short matrices
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$, which are obtained
by sampling their columns from the distribution $D_{\ZZ^m,\sigma}$. Namely, from $\mathbf{D} \in \Zq^{n \times m}$, $\bdv$
defines
\begin{eqnarray} \nonumber
\mathbf{A} &=& \mathbf{D} \cdot \mathbf{S} \\ \label{setup-sig3}
\mathbf{A}_0 &=& \mathbf{D} \cdot \mathbf{S}_0 + h_0 \cdot \mathbf{C} \\ \nonumber
\mathbf{A}_j &=& \mathbf{D} \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} %\\ \nonumber
%\mathbf{D}_k &=& \mathbf{D} \cdot \mathbf{R}_k \qquad \qquad \qquad \quad~ \forall k \in \{1,\ldots,N\}.
\end{eqnarray}
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample U(\Zq^{2n \times 2m})$ and a random vector $\mathbf{c}_M \sample U(\Zq^{2n})$. It samples
short vectors $\mathbf{v}_1 ,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ and computes $\mathbf{u} \in \Zq^n$
as $\mathbf{u} = \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
\left[
\begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2
\end{array} \right]
- \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q$, where
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}} &=& \left[
\begin{array}{c|c} \mathbf{A} ~ & ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{A}_j
\end{array} \right] \\ &=& \left[
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ & ~ \mathbf{D}\cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
\end{array} \right] .
\end{eqnarray*}
The adversary's signing queries are then answered as follows.
\begin{itemize}
\item At the $i$-th signing query $ (\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)})$, whenever $i \neq i^\dagger$, we have
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i)}} &=& \left[
\begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf{A}_j
\end{array} \right] \\
&=& \left[
\begin{array}{c|c} \mathbf{A} ~ & ~ \mathbf{D} \cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf{S}_j) + h_{\tau^{(i)}} \cdot \mathbf{C}
\end{array} \right]
\in \Zq^{ n \times 2m},
\end{eqnarray*}
with $h_{\tau^{(i)}} = h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0$. This implies that $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ first samples a discrete Gaussian vector $\vec{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes $\mathbf{u}_M \in \Zq^n$ as
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } ) ~~ \bmod q.$$ Then,
using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, it samples a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
that $(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ satisfies (\ref{ver-eq-block}).
\item At the $i^\dagger$-th signing query $ (\mathfrak{m}_1^{(i^\dagger)},\ldots,\mathfrak{m}_N^{(i^\dagger)})$, we have
\begin{eqnarray} \nonumber
\mathbf{A}_{\tau^{(i^\dagger)}} &=& \left[
\begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{A}_j
\end{array} \right] \\
\label{i-mat} &=& \left[
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~&~ \mathbf{D} \cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
\end{array} \right]
\in \Zq^{ n \times 2m} \quad
\end{eqnarray}
due to the constraint $h_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot h_j = 0 \bmod q $.
To answer the query, $\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_0} \in \ZZ^{2m \times 2m}$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ to sample a short vector
$\mathbf{s}^{(i^\dagger)} \in D_{\Lambda_q^{\mathbf{c}'_M} (\mathbf{D}_0), \sigma_1}$, where $\mathbf{c}'_M = \mathbf{c}_M - \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } \in \Zq^{2n}$.
The obtained vector $\mathbf{s}^{(i^\dagger)} \in \ZZ^{2m}$ thus verifies
\begin{eqnarray} \label{sim-s}
\mathbf{D}_0 \cdot {\mathbf{s}^{(i^\dagger)} } &=&
\mathbf{c}_M - \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } ~\bmod q,
\quad
\end{eqnarray}
and $\adv$ receives $sig^{(i^\dagger)}=(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},\mathbf{s}^{(i^\dagger)})$, where $ \mathbf{v}^{(i^\dagger)} = (\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T $.
By construction, the returned signature $sig^{(i^\dagger)}$ satisfies
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}}
\cdot \left[ \begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2 \end{array} \right]
&=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot {\mathbf{s}^{(i^\dagger)} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } \bigr) \quad \bmod q,
\end{eqnarray*}
and the distribution of $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},\mathbf{s}^{(i^\dagger)})$ is statistically the same as in \textsf{Game} $2$.
\end{itemize}
\end{description}
We conclude that $\Pr[W_2]$ is negligibly far apart from $\Pr[W_3]$ since, by the Leftover Hash Lemma (see \cite[Le. 13]{ABB10}), the public key $PK$ in \textsf{Game} $3$ is statistically close to its distribution in \textsf{Game} $2$.
\medskip
\noindent
In \textsf{Game} $3$, we claim that the challenger $\bdv$ can use $\adv$ to solve the $\mathsf{SIS}$ problem by finding a short vector of $\Lambda_q^\perp(\mathbf{D})$ with probability $\Pr[W_3]$. Indeed,
with proba\-bility $\Pr[W_3]$, the adversary outputs a valid signature $sig^\star=(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$.
If we parse $\mathbf{v}^\star \in \ZZ^{2m}$ as $({\mathbf{v}_1^\star }^T \mid {\mathbf{v}_2^\star }^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star \in \ZZ^m$, we have
the equality
\begin{eqnarray} \label{first-sol}
\mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[ \begin{array}{c}
\mathbf{v}_1^\star \\ \hline \mathbf{v}_2^\star
\end{array} \right]
&=& \mathbf{u} + \mathbf{D} \cdot \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \quad \bmod q.
\end{eqnarray}
Due to the way $\mathbf{u} \in \Zq^n$ was defined at the outset of the game, $\bdv$ also knows short vectors $\mathbf{v}^{(i^\dagger)}=(\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T \in \ZZ^{2m}$
such that
\begin{eqnarray} \label{second-sol} \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
\left[\begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2
\end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q. \end{eqnarray}
Relation (\ref{sim-s}) implies that $ \mathbf{c}_M \neq \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) $ is a non-zero vector in $\{-1,0,1\}^m$. Subtracting (\ref{second-sol}) from (\ref{first-sol}), we get
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[\begin{array}{c}
\mathbf{v}_1^\star - \mathbf{v}_1 \\ \hline \mathbf{v}_2^\star - \mathbf{v}_1
\end{array} \right]
&=& \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q,
\end{eqnarray*}
which implies
\begin{multline} \label{eq-un}
\left[
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ &~ \mathbf{D} \cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q .
\end{multline}
The above implies that the vector
\begin{eqnarray} \nonumber
\mathbf{w} &=&
\mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\
\nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \bit(\mathbf{c}_M)
\end{eqnarray}
is a short integer vector of $\Lambda_q^{\perp}(\mathbf{D})$. Indeed, its norm can be bounded as $\| \mathbf{w} \| \leq \beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $. We argue that it is non-zero with overwhelming probability. We already observed that
$ \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \bit(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
$({\mathbf{v}_1^\star}, {\mathbf{v}_2^\star} ) =({\mathbf{v}_1} , {\mathbf{v}_2}) $. Hence, we can only have $\mathbf{w}=\mathbf{0}^m$ when the equality
\begin{multline} \label{final-eq}
\mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ = \bit(\mathbf{c}_M) - \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) \qquad
\end{multline}
holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}_1$ or $\mathbf{v}_2^\star \ne \mathbf{v}_2$, the left-hand-side member of (\ref{final-eq})
is information theoretically unpredictable since the columns of matrices $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ are statistically hidden in the view of $\adv$.
Indeed, conditionally on the public key, each column of $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ has at least $n$ bits
of min-entropy, as shown by, e.g., \cite[Le. 2.7]{MP12}.
\end{proof}
\subsection{Protocols for Signing a Committed Value and Proving Possession of a Signature} \label{commit-sig}
We first show a two-party protocol whereby a user can interact with the signer in order to obtain a signature on a committed message. \\
\indent In order to prove that the scheme still guarantees unforgeability for obliviously signed messages,
we will assume that each message block $\mathfrak{m}_k \in \{0,1\}^{2m}$ is obtained by encoding
the actual message $M_k =M_k[1] \ldots M_k[m] \in \{0,1\}^m$ as $\mathfrak{m}_k= \mathsf{Encode}(M_k)=( \bar{M}_k[1] , M_k[1],\ldots, \bar{M}_k[m] , M_k[m] ) $. Namely,
each $0$ (respectively each $1$) is encoded as a pair $(1,0)$ (resp. $(0,1)$). The reason for this encoding is that the proof of Theorem \ref{commit-thm} requires that at least one block
$\mathfrak{m}_k^\star $ of the forgery message is $1$ while the same bit is $0$ at some specific signing query. We will show (see \cref{se:gs-lwe-stern}) that the correctness of this encoding can
be efficiently proved using Stern-like~\cite{Ste96} protocols.
To sign committed messages, a first idea is exploit the fact that our signature of Section \ref{desc-sig-protoc} blends well with the $\mathsf{SIS}$-based commitment scheme suggested by Kawachi \textit{et al.}~\cite{KTX08}.
In the latter scheme, the commitment key consists of matrices $(\mathbf{D}_0,\mathbf{D}_1) \in \Zq^{2n \times 2m} \times \Zq^{2n \times 2m}$, so that message
$\mathfrak{m} \in \{0,1\}^{2m}$ can be committed to by sampling a Gaussian vector $\mathbf{s} \sample D_{\ZZ^{2m},\sigma}$ and computing
$\mathbf{C}= \mathbf{D}_0 \cdot \mathbf{s} + \mathbf{D}_1 \cdot \mathfrak{m} \in \Zq^{2n}$. This scheme extends to commit to multiple messages $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ at once by computing
$\mathbf{C}=\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \Zq^{2n}$ using a longer
commitment key $(\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_N) \in (\Zq^{2n \times 2m})^{N+1} $. It is easy to see that the resulting commitment remains statistically hiding and computationally
binding under the $\mathsf{SIS}$ assumption.
%If we assume that the signer only sees perfectly hiding commitments $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$ and $\mathbf{C}= \mathbf{B}_0 \cdot %\mathbf{r} + \sum_{k=1}^N \mathbf{B}_k \cdot \mathfrak{m}_k$ to the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^m)^N$ on which the
%user wants to obtain a signature, a simple way for the
%user to prove that $\mathbf{C}$ and $ \mathbf{c}_{\mathfrak{m}}$ are commitments to the same message is to
% generate a witness indistinguishable proof of knowledge of a short vector
% $$\mathbf{v}=[ \mathfrak{m}_1^T \mid \ldots \mid \mathfrak{m}_N^T \mid \mathbf{r}^T \mid {\mathbf{s}'}^T ]^T \in (\{0,1\}^m)^N \times (\ZZ^m)^2 $$ satisfying
% \begin{eqnarray*}
% \left[ \begin{array}{c|c|c|c|c|c}
%\mathbf{B}_1 ~ & ~ \mathbf{B}_2 ~ & ~ \ldots ~ &~ \mathbf{B}_{N} ~& ~ \mathbf{B}_0 ~ & \\ \hline
% \mathbf{D}_1 ~ & ~ \mathbf{D}_2~ & ~ \ldots ~ & ~\mathbf{D}_N~ & & ~ \mathbf{D}_0~
% \end{array} \right] \cdot \mathbf{v}
%= \begin{bmatrix}
%\mathbf{C} \\ \hline \mathbf{c}_{\mathfrak{m}}
%\end{bmatrix}.
%\end{eqnarray*}
In order to make our construction usable in the definitional framework of Camenisch \textit{et al.} \cite{CKL+15}, we assume common public parameters
(i.e., a common reference string) and encrypt all witnesses of which knowledge is being proved under a public key included in the common reference string. The resulting ciphertexts thus serve as statistically binding commitments
to the witnesses.
To enable this, the common public parameters comprise public keys $\mathbf{G}_0 \in \Zq^{n \times \ell}$, $\mathbf{G}_1 \in \Zq^{n \times 2m}$
for multi-bit variants of the dual Regev cryptosystem \cite{GPV08} and all parties are denied access to the underlying private keys. The flexibility of Stern-like protocols allows us to prove that the content of a perfectly hiding commitment $ \mathbf{c}_{\mathfrak{m}}$ is consistent with
encrypted values.%, the protocols of Ling \textit{et al.} \cite{LNW15} come in handy.
\begin{description}
\item[\textsf{Global}\textrm{-}\textsf{Setup}:] Let $B = \sqrt{n} \omega(\log n)$ and let $\chi$ be a $B$-bounded distribution.
Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled from the distribution~$D_{\ZZ^{2m},\sigma}$.
Generate two public keys for the dual Regev encryption scheme
in its multi-bit variant. These keys consists of a public random matrix
$\mathbf{B} \sample U(\Zq^{n \times m})$ and random matrices $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \Zq^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \Zq^{n \times 2m}$,
where $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ are short Gaussian matrices with columns sampled from $D_{\ZZ^{m},\sigma}$. These matrices will be
used to encrypt integer vectors of dimension $\ell$ and $2m$, respectively. Finally, generate public parameters $CK:=\{ \mathbf{D}_k \}_{k=0}^N$ consisting of uniformly
random matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ for a statistically hiding commitment
to vectors in $(\{0,1\}^{2m})^N$.
Return public parameters consisting of
$$ \mathsf{par}:= \{ ~\mathbf{B} \in \Zq^{n \times m} ,~\mathbf{G}_0 \in \Zq^{n \times \ell},~\mathbf{G}_1 \in \Zq^{n \times 2m},~CK \}. $$
%where $p > \sigma_1 \sqrt{m}$ upper-bounds entries of vectors sampled from the distribution $D_{\ZZ^m,\sigma_1}$,
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK:=\{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK:=\mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
\begin{itemize}
\item[1.] $U$ samples $\mathbf{s}' \sample D_{\ZZ^{2m},\sigma} $ and computes $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n}$
which is sent to $S$ as a commitment to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$. In addition, $U$ encrypts $\{\mathfrak{m}_k\}_{k=1}^N$ and $\mathbf{s}'$ under the dual-Regev public key $(\mathbf{B},\mathbf{G}_1)$
by computing for all $k \in \{1,\ldots,N\}$:
\begin{eqnarray} \label{enc-Mk} \nonumber
\mathbf{c}_{k} &=& (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m} \qquad %\forall k\in \{1,\ldots,N\}
%\qquad
\end{eqnarray}
for randomly chosen $\mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
and \begin{eqnarray} \label{enc-s} \nonumber
\mathbf{c}_{s'} &=& (\mathbf{c}_{s',1},\mathbf{c}_{s',2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s}' \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
\end{eqnarray}
where $\mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{0,1} \sample \chi^m$, $\mathbf{e}_{0,2} \sample \chi^{2m}$. The ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ are
sent to $S$ along with $\mathbf{c}_{\mathfrak{m}}$.
Then, $U$ generates an interactive zero-knowledge argument to convince~$S$ that
$ \mathbf{c}_{\mathfrak{m}}$ is a commitment to $(\mathfrak{m}_1, \ldots, \mathfrak{m}_N)$ with the randomness $\mathbf{s}'$ such that $\{\mathfrak{m}_k\}_{k=1}^N$ and
$\mathbf{s}'$ were honestly encrypted to $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$, as in~(\ref{enc-Mk}) and~(\ref{enc-s}).
%is consistent with the messages encrypted in $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$.
For convenience, this argument system will be described in Section~\ref{subsection:zk-for-commitments}, where we demonstrate that, together with other zero-knowledge protocols used in this work, it can be derived from a Stern-like~\cite{Ste96} protocol constructed in \cref{se:gs-lwe-stern}.
\item[2.] If the argument of step 1 properly verifies, $S$ samples $\mathbf{s}'' \sample D_{\ZZ^{2m},\sigma_0}$ and computes
a vector $\mathbf{u}_{\mathfrak{m}}= \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{c}_{\mathfrak{m}} + \mathbf{D}_0 \cdot \mathbf{s}'' \bigr) \in \Zq^n$.
Next, $S$ randomly picks $\tau \sample \{0,1\}^\ell$ and
uses $\mathbf{T}_{\mathbf{A}}$ to compute a delegated basis $\mathbf{T}_{\tau} \in \ZZ^{2m \times 2m}$ for the matrix $\mathbf{A}_{\tau} \in \Zq^{n \times 2m}$ of (\ref{tau-matrix}).
Using $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, $S$ samples a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_\tau), \sigma}$. It returns
the vector $( \tau,\mathbf{v},\mathbf{s}'') \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m} $ to $U$.
\item[3.] $U$ computes $\mathbf{s} = \mathbf{s}'+\mathbf{s}''$ over $\ZZ$ and verifies that $$\mathbf{A}_{\tau} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \bit
\bigl( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \bigr) \bmod q.$$ If so, it outputs $(\tau,\mathbf{v},\mathbf{s})$. Otherwise, it outputs $\perp$.
\end{itemize}
\end{description}
Note that, if both parties faithfully run the protocol, the user obtains a valid signature $(\tau,\mathbf{v},\mathbf{s})$ for which the distribution of $\mathbf{s}$ is $D_{\ZZ^{2m},\sigma_1}$,
where $\sigma_1=\sqrt{\sigma^2 + \sigma_0^2}$. \\
\indent The following protocol allows proving possession of a message-signature pair.
\begin{description}
\item[\textsf{Prove}:] On input of a signature $(\tau,\mathbf{v}=(\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T,\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$ on the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, the user
does the following. \smallskip \smallskip
\begin{itemize}
\item[1.] Using $(\mathbf{B},\mathbf{G}_0)$ and $(\mathbf{B},\mathbf{G}_1)$ generate perfectly binding commitments to $\tau \in \{0,1\}^\ell$, $\{\mathfrak{m}_k \}_{k=1}^N$,
$\mathbf{v}_1,\mathbf{v}_2 \in \ZZ^m$ and $\mathbf{s} \in \ZZ^{2m}$. Namely, compute
\begin{eqnarray*} \nonumber
\mathbf{c}_{\tau} &=& (\mathbf{c}_{\tau,1},\mathbf{c}_{\tau,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,1} ,~ \mathbf{G}_0^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,2} + \tau
\cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^\ell, \\
\mathbf{c}_{k} &=& (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m}
\\ && \hspace{7.6cm} \forall k\in \{1,\ldots,N\} \qquad
\end{eqnarray*}
where $\mathbf{s}_{\tau}, \mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{\tau,1} , \mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{\tau,2} \sample \chi^\ell$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
as well as \begin{eqnarray*} \nonumber
\mathbf{c}_{\mathbf{v}} &=& (\mathbf{c}_{\mathbf{v},1},\mathbf{c}_{\mathbf{v},2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
\\
%\mathbf{c}_{\mathbf{v}_2} &=& (\mathbf{c}_{\mathbf{v}_2,1},\mathbf{c}_{\mathbf{v}_2,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ,~ \mathbf{G}_1^T %\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2} + \mathbf{v}_2 \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^m \\
\mathbf{c}_{s} &=& (\mathbf{c}_{s,1},\mathbf{c}_{s,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} ,
\end{eqnarray*}
where $\mathbf{s}_{\mathbf{v}}, \mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{\mathbf{v},1},\mathbf{e}_{0,1} \sample \chi^m$,
$\mathbf{e}_{\mathbf{v},2},\mathbf{e}_{0,2}\sample \chi^{2m}$.
\item[2.] Prove in zero-knowledge that $\mathbf{c}_{\tau}$, $\mathbf{c}_{s}$, $\mathbf{c}_{\mathbf{v} }$, $\{\mathbf{c}_k\}_{k=1}^N$ encrypt a valid message-signature pair. In Section~\ref{subsection:zk-for-signature}, we show that this involved zero-knowledge protocol can be derived from the statistical zero-knowledge argument of knowledge for a simpler, but more general relation that we explicitly present in \cref{se:gs-lwe-stern}. The proof system can be made statistically ZK for a malicious verifier using standard techniques (assuming a common reference string, we can use \cite{Dam00}). In the random oracle model, it can
be made non-interactive using the Fiat-Shamir heuristic \cite{FS86}.
\end{itemize}
\end{description}
%To establish the security of the protocol,
\noindent We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing
query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$.
In instantiations using non-interactive proofs, we assume that these can be bound to a verifier-chosen nonce to prevent replay attacks, as suggested in \cite{CKL+15}.
The security proof (in Theorem \ref{commit-thm}) makes crucial use of the R\'enyi divergence using arguments in the spirit of Bai \textit{et al.} \cite{BLL+15}. The
reduction has to guess upfront the index $i^\star \in \{1,\ldots,Q\}$ of the specific signing query for which the adversary will re-use $\tau^{(i^\star)}$. For
this query, the reduction will have to make sure that the simulation trapdoor of Agrawal \textit{et al.} \cite{ABB10} (used by the $\mathsf{SampleRight}$ algorithm
of Lemma \ref{lem:sampler}) vanishes: otherwise, the adversary's forgery would not be usable for solving $\mathsf{SIS}$. This means that, as in the proof of
\cite{BHJ+15}, the reduction must answer exactly one signing query in a different way, without using the trapdoor. While B\"ohl \textit{et al.} solve this
problem by exploiting the fact that they only need to prove security against non-adaptive forgers, we directly use a built-in chameleon hash function mechanism
which is implicitly realized by the matrix $\mathbf{D}_0$ and the vector $\mathbf{s}$. Namely, in the signing query for which the Agrawal \textit{et al.}
trapdoor~\cite{ABB10} cancels, we assign a special value to the vector $\mathbf{s} \in \ZZ^{2m}$, which depends on the adaptively-chosen signed message
$(\mathsf{Msg}_1^{(i^\star)},\ldots,\mathsf{Msg}_N^{(i^\star)})$ and some Gaussian matrices $\{\mathbf{R}_k\}_{k=1}^N$ hidden behind $\{\mathbf{D}_k\}_{k=1}^N$.
One issue is that this results in a different distribution for the vector $\mathbf{s} \in \ZZ^m$. However, we can still view $\mathbf{s}$ as a vector sampled from a
Gaussian distribution centered away from $\mathbf{0}^{2m}$. Since this specific situation occurs only once during the simulation, we can apply a result proved in
\cite{LSS14} which upper-bounds the R\'enyi divergence between two Gaussian distributions with identical standard deviations but different centers. By
choosing the standard deviation $\sigma_1$ of $\mathbf{s} \in \ZZ^{2m}$ to be polynomially larger than that of the columns of matrices $\{\mathbf{R}_k\}_{k=1}^N$, we can
keep the R\'enyi divergence between the two distributions of $\mathbf{s}$ (i.e., the one of the simulation and the one of the real game) sufficiently small to apply
the probability preservation property (which still gives a polynomial reduction since the argument must only be applied on one signing query). Namely, the
latter implies that, if the R\'enyi divergence $R_2(\mathbf{s}^{\mathsf{real}}||\mathbf{s}^{\mathsf{sim}})$ is polynomial, the probability that the simulated vector
$\mathbf{s}^{\mathsf{sim}} \in \ZZ^{2m}$ passes the verification test will only be polynomially smaller than in the real game and so will be the adversary's
probability of success.
Another option would have been to keep the statistical distance between $\mathbf{s}^{\mathsf{real}}$ and $\mathbf{s}^{\mathsf{sim}}$ negligible using the smudging
technique of \cite{AJL+12}. However, this would have implied to use an exponentially large modulus $q$ since $\sigma_1$ should have been exponentially larger
than the standard deviations of the columns of $\{\mathbf{R}_k\}_{k=1}^N$.
\begin{theorem} \label{commit-thm}
Under the $\mathsf{SIS}_{n,2m, q, \hat{\beta}}$ assumption, where $\hat{\beta} = N \sigma (2m)^{3/2} + 4 \sigma_1 m^{3/2}$\hspace*{-1.5pt}, the above
protocols are secure protocols for obtaining a signature on a committed message and proving possession of a valid message-signature pair.
\end{theorem}
\begin{theorem} \label{anon-cred}
The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
\end{theorem}
\section{Subprotocols for Stern-like Argument}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Protocoles pour les preuves à la Stern}
\label{se:gs-lwe-stern}
\subsection{Proving the Consistency of Commitments}\label{subsection:zk-for-commitments}
The argument system used in our protocol for signing a committed value in Section~\ref{commit-sig} can be summarized as follows.
\begin{description}
\item[Common Input:] Matrices $\{\mathbf{D}_k\in \ZZ_q^{2n \times 2m}\}_{k=0}^N$; $\mathbf{B}\in \ZZ_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$;
\smallskip
\hspace*{-7.5pt}vectors $\mathbf{c}_{\mathfrak{m}} \in \mathbb{Z}_q^{2n}$; $\{\mathbf{c}_{k,1} \in \ZZ_q^{m}\}_{k=1}^N$; $\{\mathbf{c}_{k,2} \in \ZZ_q^{2m}\}_{k=1}^N$; $\mathbf{c}_{\mathbf{s}', 1} \in \ZZ_q^{m}$; $\mathbf{c}_{\mathbf{s}',2} \in \mathbb{Z}_q^{2m}$. \medskip
\item[Prover's Input:] $\mathfrak{m} = (\mathfrak{m}_1^T \| \ldots \| \mathfrak{m}_N^T)^T \in \mathsf{CorEnc}(mN)$;
$\{\mathbf{s}_{k} \in [-B,B]^n, \hspace*{2.5pt} \mathbf{e}_{k,1}\in [-B,B]^m; \hspace*{2.5pt} \mathbf{e}_{k,2}\in [-B,B]^{2m}\}_{k=1}^N$; \hspace*{5pt} $\mathbf{s}_0\in [-B,B]^n$;
$\mathbf{e}_{0,1}\in [-B,B]^m; \hspace*{5pt} \mathbf{e}_{0,2}\in [-B,B]^{2m}$; \hspace*{5pt} $\mathbf{s}' \in [-(p-1), (p-1)]^{2m}$ \smallskip
\item[Prover's Goal:] Convince the verifier in \textsf{ZK} that:
\end{description}
\vspace*{-10pt}
\begin{eqnarray}\label{equation:R-commit-statement}
\hspace*{-5pt}
\begin{cases}
\mathbf{c}_{\mathfrak{m}}= \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \bmod q; \\[2.5pt]
\mathbf{c}_{\mathbf{s}', 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} \bmod q; \hspace*{5pt}\mathbf{c}_{\mathbf{s}',2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s}'\bmod q; \\[2.5pt]
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1}; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k.
\end{cases}
\end{eqnarray}
We will show that the above argument system can be obtained from the one in \cref{sse:stern-abstraction}. We proceed in two steps.
\smallskip \smallskip
\noindent \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
To do so, we first form the following vectors and matrices:
\[
\scriptsize
\begin{cases}
\mathbf{x}_1 \hspace*{-1pt}= \hspace*{-1pt}\big(\mathbf{s}_0^T \| \mathbf{e}_{0,1}^T \| \mathbf{e}_{0,2}^T \| \mathbf{s}_{1}^T \| \mathbf{e}_{1,1}^T \| \mathbf{e}_{1,2}^T \| \ldots \| \mathbf{s}_{N}^T \| \mathbf{e}_{N,1}^T \| \mathbf{e}_{N,2}^T \big)^T\hspace*{-3.5pt} \in \hspace*{-1.5pt}[-B,B]^{(n+3m)(N+1)}; \\[2.5pt]
%\mathbf{x}_2 = \big(\mathfrak{m}_1^T \| \ldots\| \mathfrak{m}_N^T\big)^T \in \mathsf{CorEnc}(mN); \hspace*{10pt} \mathbf{x}_3 = \mathbf{s}' \in [-(p-1), (p-1)]^{2m};\\[2.5pt]
\mathbf{v} = \big(\mathbf{c}_{\mathfrak{m}}^T \| \mathbf{c}_{\mathbf{s}',1}^T\| \mathbf{c}_{\mathbf{s}',2}^T\| \mathbf{c}_{1,1}^T \|\mathbf{c}_{1,2}^T \| \ldots \|\mathbf{c}_{N,1}^T \|\mathbf{c}_{N,2}^T \big)^T \in \mathbb{Z}_q^{2n + 3m(N+1)};\\[5pt]
%\mathbf{D} = [\mathbf{D}_1 | \ldots | \mathbf{D}_N]; \hspace*{5pt}
\mathbf{P}_1 = \left(
\begin{array}{ccc}
\begin{array}{c}
\mathbf{B}^T \\
\hline
\rule{0pt}{3ex}\mathbf{G}_1^T
\end{array}
& \vline
& \mathbf{I}_{3m}
\end{array}
\right); \hspace*{10pt}
\mathbf{Q}_2 = \left(
\begin{array}{c}
\mathbf{0} \\
\hline
\rule{0pt}{3ex}\lfloor\frac{q}{2}\rfloor\mathbf{I}_{2m}
\end{array}
\right); \hspace*{10pt}
\mathbf{Q}_p = \left(
\begin{array}{c}
\mathbf{0} \\
\hline
\rule{0pt}{3ex}\lfloor\frac{q}{p}\rfloor\mathbf{I}_{2m}
\end{array}
\right)\\[5pt]
\mathbf{M}_1 = \left(
\begin{array}{c}
\mathbf{0} \\
\hline
\rule{0pt}{3ex}
\begin{array}{cccc}
\mathbf{P}_1 & & & \\
& \mathbf{P}_1 & & \\
& & \xddots & \\
& & & \mathbf{P}_1 \\
\end{array}
\\
\end{array}
\right); \hspace*{15pt}
\mathbf{M}_2 = \left(
\begin{array}{c}
\mathbf{D}_1 | \ldots | \mathbf{D}_N \\
\hline
\rule{0pt}{3ex}
\mathbf{0} \\
\hline
\rule{0pt}{3ex}
\begin{array}{ccc}
\mathbf{Q}_2 & & \\
& \xddots & \\
& & \mathbf{Q}_2 \\
\end{array}
\\
\end{array}
\right); \hspace*{15pt}
\mathbf{M}_3 = \left(
\begin{array}{c}
\mathbf{D}_0 \\
\hline
\rule{0pt}{3ex}
\mathbf{Q}_p \\
\hline
\rule{0pt}{3ex}
\\
\mathbf{0} \\
\\
\end{array}
\right).
\end{cases}
\]
We then observe that (\ref{equation:R-commit-statement}) can be rewritten as:
\begin{eqnarray}\label{equation:R-commit-unified}
\vspace*{-5pt}
\mathbf{M}_1 \cdot \mathbf{x}_1 + \mathbf{M}_2 \cdot \mathfrak{m} + \mathbf{M}_3 \cdot \mathbf{s}' = \mathbf{v} \in \mathbb{Z}_q^D,
\end{eqnarray}
where $D = 2n + 3m(N+1)$.
Now we employ the techniques from \cref{sse:stern-abstraction} to convert~\eqref{equation:R-commit-unified} into the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$. Specifically, if we let:
\[
\vspace*{-5pt}
\begin{cases}
\mathsf{DecExt}_{(n+3m)(N+1),B}(\mathbf{x}_1) \rightarrow \hat{\mathbf{x}}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}; \\[2.5pt]
{\mathbf{M}}'_1 = \mathbf{M}_1 \cdot \widehat{\mathbf{K}}_{(n+3m)(N+1),B} \in \ZZ_q^{D \times 3(n+3m)(N+1)\delta_B}; \\[2.5pt]
%\mathsf{Ext}_{2mN}(\mathbf{x}_2) \rightarrow \hat{\mathbf{x}}_2 \in \mathsf{B}_{2(2mN)}; \hspace*{5pt}
%{\mathbf{M}}'_2 = \big[\mathbf{M}_2 | \mathbf{0}^{D \times 2mN}] \in \mathbb{Z}_q^{D \times 4mN}; \\[5pt]
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}') \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{5pt}
{\mathbf M}'_3 = \mathbf{M}_3 \cdot \widehat{\mathbf K}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}},
\end{cases}
\]
$L = 3(n+3m)(N+1)\delta_B + 2mN + 6m\delta_{p-1}$, and $\mathbf{P} \hspace*{-1pt}= \hspace*{-1pt}\big[\mathbf{M}'_1 | \mathbf{M}_2 | \mathbf{M}'_3\big] \hspace*{-2pt}\in \hspace*{-1pt}\mathbb{Z}_q^{D \times L}$, and $\mathbf{x} = \big(\hat{\mathbf{x}}_1^T \| \mathfrak{m}^T \| \hat{\mathbf{s}}^T\big)^T$, then we will obtain the desired equation:
\[
\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q.
\]
Having performed the above unification, we now define $\mathsf{VALID}$ as the set of all vectors $\mathbf{t} \hspace*{-1pt}\in\hspace*{-1pt} \{-1,0,1\}^L$ of the form $\mathbf{t}\hspace*{-1pt} =\hspace*{-1pt} \big(\mathbf{t}_1^T \| \mathbf{t}_2^T \| \mathbf{t}_3^T\big)^T$\hspace*{-2.5pt}, where $\mathbf{t}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}$, $\mathbf{t}_2 \in \mathsf{CorEnc}(mN)$, and $\mathbf{t}_3 \in \mathsf{B}^3_{2m\delta_{p-1}}$. Note that $\mathbf{x} \in \mathsf{VALID}$. \\
\smallskip
\noindent
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
\begin{itemize}
\item Define $\mathcal{S}: = \mathcal{S}_{3(n+3m)(N+1)\delta_B} \times \{0,1\}^{mN} \times \mathcal{S}_{6m\delta_{p-1}}$. \smallskip
\item For $\pi = (\pi_1, \mathbf{b}, \pi_3) \in \mathcal{S}$, and for vector $\mathbf{w} = \big(\mathbf{w}_1^T \| \mathbf{w}_2^T \| \mathbf{w}_3^T\big)^T \in \mathbb{Z}_q^L$, where $\mathbf{w}_1 \in \ZZ_q^{3(n+3m)(N+1)\delta_B}$, $\mathbf{w}_2 \in \ZZ_q^{2mN}$, $\mathbf{w}_3 \in \ZZ_q^{6m\delta_{p-1}}$, we define: \vspace*{-5pt}
\[
T_{\pi} = \big(\pi_1(\mathbf{w}_1)^T \| E_{\mathbf{b}}(\mathbf{w}_2)^T \| \pi_3(\mathbf{w}_3)^T\big)^T.
\]
\end{itemize}
\vspace*{-2.5pt}
By inspection, it can be seen that the properties in~(\ref{eq:zk-equivalence}) are satisfied, as desired. As a result, we can obtain the required argument system by running the protocol in \cref{sse:stern-abstraction} with common input $(\mathbf{P}, \mathbf{v})$ and prover's input $\mathbf{x}$.
%--------------------------------------------------
\subsection{Proving the Possession of a Signature on a Committed Value}\label{subsection:zk-for-signature}
We now describe how to derive the protocol for proving the possession of a signature on a committed value, that is used in Section~\ref{commit-sig}.
\begin{description}
\item[Common Input:] Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D} \in \ZZ_q^{n \times m}$; $\{\mathbf{D}_k\in \ZZ_q^{2n \times 2m}\}_{k=0}^N$; $\mathbf{B}\in \ZZ_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$;
$\mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell}$; vectors
$ \{\mathbf{c}_{k,1}\}_{k=1}^N, \mathbf{c}_{\tau,1}, \mathbf{c}_{\mathbf{v}, 1}, \mathbf{c}_{s, 1} \in \ZZ_q^m$; $\{\mathbf{c}_{k,2}\}_{k=1}^N,\mathbf{c}_{\mathbf{v}, 2}, \mathbf{c}_{s,2} \in \ZZ_q^{2m}$; $\mathbf{c}_{\tau,2} \in \ZZ_q^\ell$; $\mathbf{u} \in \mathbb{Z}_q^n$.
\smallskip
\item[Prover's Input:] $\mathbf{v} = \left(
\begin{array}{c}
\mathbf{v}_1 \\
\mathbf{v}_2 \\
\end{array}
\right)
$, where $\mathbf{v}_1, \mathbf{v}_2\in [-\beta, \beta]^m$ and $\beta = \sigma\cdot \omega(\log m)$ - the infinity norm bound of signatures; $\tau \in \{0,1\}^\ell$; $\mathbf{s} \in [-(p-1), (p-1)]^{2m}$;
\smallskip
$\mathfrak{m} = (\mathfrak{m}_1^T \| \ldots \| \mathfrak{m}_N^T)^T \in \mathsf{CorEnc}(mN)$; $\{\mathbf{s}_{k}\}_{k=1}^N$, $\mathbf{s}_{\mathbf{v}}$, $\mathbf{s}_0$, $\mathbf{s}_\tau \in [-B,B]^n$;
\smallskip
$\{\mathbf{e}_{k,1}\}_{k=1}^N$, $\mathbf{e}_{\mathbf{v}, 1}$, $\mathbf{e}_{0,1}$, $\mathbf{e}_{\tau,1} \in [-B,B]^m$;
$\{\mathbf{e}_{k,2}\}_{k=1}^N, \mathbf{e}_{0,2},\mathbf{e}_{\mathbf{v},2} \in [-B,B]^{2m}$;
\smallskip
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
\end{description}
\noindent
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: \vspace*{-7.5pt}
\begin{eqnarray}\label{equation:R-sign-signature}
\hspace*{-5pt}
\mathbf{A}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{v}_1 + \mathbf{A}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 + \sum_{i=1}^\ell \mathbf{A}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i] \mathbf{v}_2 - \mathbf{D}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) = \mathbf{u} \bmod q,\vspace*{-10pt}
\end{eqnarray}
and that (modulo $q$)
\begin{eqnarray}\label{equation:R-sign-ciphertext}
\hspace*{-12.5pt}
\begin{cases}
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \lfloor\frac{q}{p}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \left(\hspace*{-2pt}
\begin{array}{c}
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
\mathbf{0}\\
\end{array}
\hspace*{-2pt}\right)\cdot \mathbf{v}_1
\hspace*{-2pt}+ \hspace*{-2pt} \left(\hspace*{-2pt}
\begin{array}{c}
\mathbf{0}\\
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
\end{array}
\hspace*{-2pt}\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v}_2
; \\
%\mathbf{c}_{\mathbf{v}_2, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ; \hspace*{2.5pt}
%\mathbf{c}_{\mathbf{v}_2,2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2}+ \lfloor\frac{q}{p}\rfloor \cdot %\mathbf{v}_2 ; \\
\mathbf{c}_{\mathbf{s}, 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} ; \hspace*{5pt}\mathbf{c}_{\mathbf{s},2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s} ; \\
\mathbf{c}_{\tau,1} = \mathbf{B}^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,1} ; \hspace*{2.5pt} \mathbf{c}_{\tau,2}= \mathbf{G}_0^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,2} + \lfloor q/2 \rfloor\cdot \tau .
\end{cases}
\end{eqnarray}
$~$ \\
We proceed in two steps.
\medskip \smallskip
\noindent \textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
Note that, if we let $\mathbf{y} = \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) \in \{0,1\}^{m}$, then we have $\mathbf{H}_{2n \times m}\cdot \mathbf{y} = \mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k \bmod q$, and~(\ref{equation:R-sign-signature}) can be equivalently written as:
\begin{eqnarray*}\label{equation:R-sign-signature-2}
\hspace*{-10pt}
\left(
\begin{array}{c}
\mathbf{A} \\
\mathbf{0} \\
\end{array}
\right)\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}
\mathbf{v}_1 +
\left(
\begin{array}{c}
\mathbf{A}_0 \\
\mathbf{0} \\
\end{array}
\right)\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 &+&
\sum_{i=1}^\ell \left(
\begin{array}{c}
\mathbf{A}_i \\
\mathbf{0} \\
\end{array}
\right)\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i] \mathbf{v}_2 +
\left(
\begin{array}{c}
\mathbf{0} \\
\mathbf{D}_0 \\
\end{array}
\right)\cdot \mathbf{s} + \left(
\begin{array}{c}
-\mathbf{D} \\
-\mathbf{H}_{2n \times m} \\
\end{array}
\right)\cdot \mathbf{y} \\
&+&\left(
\begin{array}{c}
\mathbf{0} \\
\mathbf{D}_1 | \ldots | \mathbf{D}_N \\
\end{array}
\right)\cdot \mathfrak{m} = \left(
\begin{array}{c}
\mathbf{u} \\
\mathbf{0}^{2n} \\
\end{array}
\right) ~\bmod q.
\end{eqnarray*}
Next, we use linear algebra to combine this equation and~(\ref{equation:R-sign-ciphertext}) into (modulo $q$):
\begin{align}\label{equation:R-sign-almost}
\hspace*{-10pt}
\mathbf{F}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_1 \hspace*{-1.5pt}+\hspace*{-1.5pt} \mathbf{F}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 \hspace*{-1.5pt}+\hspace*{-1.5pt} \sum_{i=1}^\ell \mathbf{F}_i \hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i]\mathbf{v}_2 + \mathbf{M}_1 \hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau \hspace*{-1.5pt}+\hspace*{-1.5pt} \mathbf{M}_2\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{y} + \mathbf{M}_3\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathfrak{m}
\hspace*{-1.5pt}+ \hspace*{-1.5pt}\mathbf{M}_4 \hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{M}_5\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{e} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{c},
\end{align}
where, for dimensions $D = \ell + 3n + 7m + 3mN$ and $L_0 = D + nN$,
\begin{itemize}
\item Matrices $\mathbf{F}, \mathbf{F}_0, \mathbf{F}_1, \ldots, \mathbf{F}_\ell \in \mathbb{Z}_q^{D \times m}$, $\mathbf{M}_1 \in \mathbb{Z}_q^{D \times \ell}$, $\mathbf{M}_2 \in \mathbb{Z}_q^{D \times m}$, $\mathbf{M}_3 \in \mathbb{Z}_q^{D \times 2mN}$, $\mathbf{M}_4 \in \mathbb{Z}_q^{D \times 2m}$, $\mathbf{M}_5 \in \mathbb{Z}_q^{D \times L_0}$ and vector $\mathbf{c} \in \mathbb{Z}_q^D$ are built from the public input.
\item Vector $\mathbf{e} = \big(\hspace*{1pt}\mathbf{s}_1^T \hspace*{1pt}\|\hspace*{1pt} \ldots \hspace*{1pt}\|\hspace*{1pt} \mathbf{s}_N^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{s}_{\mathbf{v}}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{s}_0^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{s}_\tau^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{1,1}^T \hspace*{1pt}\|\hspace*{1pt} \ldots \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{N,1}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{\mathbf{v},1}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{0,1}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{\tau, 1}^T \hspace*{1pt}\| \\
~~~~~~~~~~~~~~~~~\|\hspace*{1pt}\mathbf{e}_{1,2}^T \hspace*{1pt}\|\hspace*{1pt} \ldots \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{N,2}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{0,2}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{\mathbf{v},2}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{\tau,2}^T\hspace*{1pt}\big)^T \in [-B,B]^{L_0}$.
\end{itemize}
Now we further transform~\eqref{equation:R-sign-almost} using the techniques from \cref{sse:stern-abstraction}. Specifically, we form the following:
\[
\begin{cases}
\mathsf{DecExt}_{m, \beta}(\mathbf{v}_1) \rightarrow \hat{\mathbf{v}}_1 \in \mathsf{B}^3_{m\delta_\beta}; \hspace*{5pt}\mathsf{DecExt}_{m, \beta}(\mathbf{v}_2)\rightarrow \hat{\mathbf{v}}_2 \in \mathsf{B}^3_{m\delta_\beta}; \\[2.5pt]
{\mathbf{F}}' = \big[\mathbf{F} \cdot \widehat{\mathbf{K}}_{m, \beta} | \mathbf{F}_0 \cdot \widehat{\mathbf{K}}_{m, \beta} | \mathbf{F}_1 \cdot \widehat{\mathbf{K}}_{m, \beta} | \ldots | \mathbf{F}_\ell \cdot \widehat{\mathbf{K}}_{m, \beta} | \mathbf{0}^{D \times 3m\delta_\beta \ell}\big] \in \mathbb{Z}_q^{D \times 3m\delta_\beta(2\ell+2)}; \\[2.5pt]
\mathsf{Ext}_{2\ell}(\tau) \rightarrow \hat{\tau} = (\tau[1], \ldots, \tau[\ell], \ldots, \tau[2\ell])^T \in \mathsf{B}^2_{\ell}; \hspace*{2.5pt}\mathbf{M}'_1 = [\mathbf{M}_1 | \mathbf{0}^{D \times \ell}] \in \mathbb{Z}_q^{D \times 2\ell};\\[2.5pt]
\mathsf{Ext}_{2m}(\mathbf{y})\rightarrow \hat{\mathbf{y}} \in \mathsf{B}^2_{m}; \hspace*{2.5pt}\mathbf{M}'_2 = [\mathbf{M}_2 | \mathbf{0}^{D \times m}] \in \ZZ_q^{D \times 2m }; \\[2.5pt]
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}) \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{2.5pt} \mathbf{M}'_4 = \mathbf{M}_4 \cdot \widehat{\mathbf{K}}_{2m, p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}}; \\[2.5pt]
\mathsf{DecExt}_{L_0, B}(\mathbf{e}) \rightarrow \hat{\mathbf{e}} \in \mathsf{B}^3_{L_0\delta_{B}}; \hspace*{2.5pt}
\mathbf{M}'_5 = \mathbf{M}_5 \cdot \widehat{\mathbf{K}}_{L_0, B} \in \mathbb{Z}_q^{D \times 3L_0\delta_B}.
\end{cases}
\]
Now, let $L = 3m\delta_\beta(2\ell+2) + 2\ell + 2m + 2mN + 6m\delta_{p-1} + 3L_0\delta_B$, and construct matrix
$\mathbf{P} = \big[\hspace*{1pt}\mathbf{F}' \hspace*{1pt}|\hspace*{1pt} \mathbf{M}'_1 \hspace*{1pt}| \hspace*{1pt}\mathbf{M}'_2 \hspace*{1pt}|\hspace*{1pt} \mathbf{M}_3\hspace*{1pt}|\hspace*{1pt} \mathbf{M}'_4\hspace*{1pt}| \hspace*{1pt} \mathbf{M}'_5 \hspace*{1pt}\big] \in \ZZ_q^{D \times L}$ and vector
\[
\mathbf{x} = \big(\hspace*{1.5pt}\hat{\mathbf{v}}_1^T\hspace*{1.5pt} \|\hspace*{1.5pt} \hat{\mathbf{v}}_2^T \hspace*{1.5pt}\| \hspace*{1.5pt}\tau[1]\hat{\mathbf{v}}_2^T\hspace*{1.5pt} \| \ldots \|\hspace*{1.5pt} \tau[\ell]\hat{\mathbf{v}}_2^T\hspace*{1.5pt}\| \ldots \| \hspace*{1.5pt}\tau[2\ell]\hat{\mathbf{v}}_2^T\hspace*{1.5pt}\| \hspace*{1.5pt} \hat{\tau}^T \hspace*{1.5pt}\| \hspace*{1.5pt}\hat{\mathbf{y}}^T\hspace*{1.5pt} \|\hspace*{1.5pt} \mathfrak{m}^T \hspace*{1.5pt}\|\hspace*{1.5pt} \hat{\mathbf{s}}^T\hspace*{1.5pt}\| \hspace*{1.5pt} \hat{\mathbf{e}}^T\hspace*{1.5pt}\big)^T,
\]
then we will obtain the equation $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$.
Before going on, we define $\mathsf{VALID}$ as the set of
$\mathbf{w} \in \{-1,0,1\}^L$ of the form:
\vspace*{-5pt}
\[
\mathbf{w} = \big(\mathbf{w}_{1}^T \| \mathbf{w}_2^T \| g_1 \mathbf{w}_2^T\| \ldots \| g_{2\ell}\mathbf{w}_2^T \| \mathbf{g}^T\| \mathbf{w}_3^T\| \mathbf{w}_4^T \| \mathbf{w}_5^T \| \mathbf{w}_6^T\big)^T
\vspace*{-5pt}
\]
for some $\mathbf{w}_1, \mathbf{w}_2 \in \mathsf{B}^3_{m\delta_\beta}$, $\mathbf{g} = (g_1, \ldots, g_{2\ell}) \in \mathsf{B}_{2\ell}$, $\mathbf{w}_3 \in \mathsf{B}^2_{m}$, $\mathbf{w}_4 \in \mathsf{CorEnc}(mN)$, $\mathbf{w}_5 \in \mathsf{B}^3_{2m\delta_{p-1}}$, and $\mathbf{w}_6 \in \mathsf{B}^3_{L_0\delta_B}$.
It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailored set $\mathsf{VALID}$.\\
\noindent
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
\begin{itemize}
\item Define $\mathcal{S} = \mathcal{S}_{3m\delta_\beta} \times \mathcal{S}_{3m\delta_\beta} \times \mathcal{S}_{2\ell} \times\mathcal{S}_{2m} \times \{0,1\}^{mN}\times \mathcal{S}_{6m\delta_{p-1}} \times \mathcal{S}_{3L_0\delta_B}$. \medskip
\item For $\pi = (\phi, \psi, \gamma, \rho, \mathbf{b}, \eta, \xi) \in \mathcal{S}$ and $\mathbf{z} = \big(\mathbf{z}_0^1 \| \mathbf{z}_0^2 \| \mathbf{z}_1 \| \ldots \| \mathbf{z}_{2\ell} \| \mathbf{g} \| \mathbf{t}_1 \| \mathbf{t}_2 \|\mathbf{t}_3 \| \mathbf{t}_4\big) \in \mathbb{Z}_q^L$,
where ${\mathbf{z}_0^1}, {\mathbf{z}_0^2}, \mathbf{z}_1, \ldots, \mathbf{z}_{2\ell} \in \mathbb{Z}_q^{3m\delta_\beta}$, $\mathbf{g} \in \mathbb{Z}_q^{2\ell}$, $\mathbf{t}_1\in \mathbb{Z}_q^{2m}$, $\mathbf{t}_2 \in \mathbb{Z}_q^{2mN}$, $\mathbf{t}_3 \in \mathbb{Z}_q^{6m\delta_{p-1}}$, and $\mathbf{t}_4 \in \mathbb{Z}_q^{3L_0\delta_B}$, we define:
\begin{eqnarray*}
\hspace*{-15pt}
T_{\pi}(\mathbf{z}) = \big(\phi(\mathbf{z}_0^1)^T\hspace*{1pt} \| \psi(\mathbf{z}_0^2)^T \hspace*{1pt}\| \psi(\mathbf{z}_{\gamma(1)})^T \hspace*{1pt}\| \ldots \| \psi(\mathbf{z}_{\gamma(2\ell)})^T \hspace*{1pt}\| \gamma(\mathbf{g})^T\hspace*{1pt} \| \\
~~~~~~~~\|\rho(\mathbf{t}_1)^T \| E_{\mathbf{b}}(\mathbf{t}_2)^T \hspace*{1pt}\| \eta(\mathbf{t}_3)^T \| \xi(\mathbf{t}_4)^T\hspace*{1pt}\big)^T
\end{eqnarray*}
as the permutation that transforms $\mathbf{z}$ as follows:
\begin{enumerate}
\item It rearranges the order of the $2\ell$ blocks $\mathbf{z}_1, \ldots, \mathbf{z}_{2\ell}$ according to $\gamma$.
\item It then {permutes} block $\mathbf{z}_0^1$ according to $\phi$, blocks $\mathbf{z}_0^2$, $\{\mathbf{z}_i\}_{i=1}^{2\ell}$ according to~$\psi$, block $\mathbf{g}$ according to $\gamma$, block $\mathbf{t}_1$ according to $\rho$, block $\mathbf{t}_2$ according to $E_{\mathbf{b}}$, block $\mathbf{t}_3$ according to~$\eta$, and block $\mathbf{t}_4$ according to $\xi$.
\end{enumerate}
\end{itemize}
It can be check that~(\ref{eq:zk-equivalence}) holds. Therefore, we can obtain a statistical \textsf{ZKAoK} for the given relation by running the protocol in \cref{sse:stern-abstraction}.