\section{A Lattice-Based Signature with Efficient Protocols}\label{se:gs-lwe-sigep}
%We first specify the parameters used in our scheme. Let $\lambda$ be the security parameter, and let $n = \bigO(\lambda)$, $q = \mathsf{poly}(n)$, and $m \geq 2n \log q$.
%We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
%block is an $L$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[L] \in \{0,1\}^L$ for $k \in \{1,\ldots, N\}$.
Our scheme can be seen as a variant of the B\"ohl \textit{et al.} signature \cite{BHJ+15}, where
each signature is a triple $(\tau,\mathbf{v},\mathbf{s})$, made of a tag $\tau\in\{0,1\}^\ell$ and integer vectors $(\mathbf{v},\mathbf{s})$ satisfying
where matrices $\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell, \mathbf{D}\in\Zq^{n \times m}$
are public random matrices and $\mathbf{h}\in\{0,1\}^m$ is a chameleon hash of the message which is computed using randomness $\mathbf{s}$.
A difference is that, while \cite{BHJ+15} uses a short single-use tag $\tau\in\Zq$,
we need the tag to be an $\ell$-bit string $\tau\in\{0,1\}^{\ell}$ which will assume the same role as the prime exponent of Camenisch-Lysyanskaya signatures
\cite{CL02a} in the security proof.
We show that a suitable chameleon hash function makes the scheme compatible with Stern-like zero-knowledge arguments \cite{LNSW13,LNW15} for arguing possession of a valid message-signature pair. \cref{sse:stern} shows how to translate such a statement into asserting that a short witness vector $\mathbf{x}$ with a particular structure satisfies
a relation of the form
$\mathbf{P}\cdot\mathbf{x}=\mathbf{v}\bmod q$, for some public matrix $\mathbf{P}$ and vector~$\mathbf{v}$.
The underlying chameleon hash can be seen as a composition of the chameleon hash of \cite[Se. 4.1]{CHKP10} with
a technique used in \cite{PSTY13,LLNW16}: on input of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, it outputs the binary decomposition of
$\mathbf{D}_0\cdot\mathbf{s}+\sum_{k=1}^N \mathbf{D}_k \cdot\mathfrak{m}_k$, for some discrete Gaussian vector $\mathbf{s}$.
\subsection{Description}\label{desc-sig-protoc}
We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
coordinate of $\mathbf{v}$ by its binary representation.
\begin{description}
\item[\textsf{Keygen}$(1^\lambda,1^N)$:] Given a security parameter $\lambda>0$ and the number of blocks $N =\mathsf{poly}(\lambda)$, choose the following parameters: $n =\bigO(\lambda)$; a prime modulus $q =\widetilde{\bigO}(N\cdot n^{4})$; dimension $m =2n \lceil\log q \rceil$; an integer $\ell=\Theta(\lambda)$; and Gaussian parameters $\sigma=\Omega(\sqrt{n\log q}\log n)$, $\sigma_0=2\sqrt{2}(N+1)\sigma m^{3/2}$, and $\sigma_1=\sqrt{\sigma_0^2+\sigma^2}$. Define the message space as $(\{0,1\}^{2m})^N$.
\smallskip
\begin{itemize}
\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A}\in
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell}\sample U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
\item[2.] Choose random matrices $\mathbf{D}\sample U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N}\sample U(\Zq^{2n \times2m})$ as well as a random vector
$\mathbf{u}\sample U(\Zq^n)$. \smallskip
\end{itemize}
The private key consists of $SK:=\mathbf{T}_{\mathbf{A}}\in\ZZ^{m \times m}$ and the public key is
\item Choose a random string $\tau\sample U(\{0,1\}^\ell)$. Then, using $SK:=
\mathbf{T}_{\mathbf{A}}$, compute with $\ExtBasis$ a short delegated basis $\mathbf{T}_\tau\in\ZZ^{2m \times 2m}$
for the matrix
\begin{equation}\label{tau-matrix}
\mathbf{A}_{\tau}=
[ \mathbf{A}\mid\mathbf{A}_0 +
\sum_{j=1}^\ell\tau[j]\mathbf{A}_j
] \in\Zq^{ n \times 2m}.
\end{equation}
\item Sample a vector $\mathbf{s}\sample D_{\ZZ^{2m},\sigma_1}$. Compute $\mathbf{c}_M \in\Zq^{2n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$: i.e., compute
which is used to define $\mathbf{u}_M=\mathbf{u}+\mathbf{D}\cdot\bit(\mathbf{c}_M)\in\Zq^n .$
Then,
using the delegated basis $\mathbf{T}_\tau\in\ZZ^{2m \times2m}$, sample a short vector $\mathbf{v}\in\ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$.
\end{enumerate}
Output the signature $sig=(\tau,\mathbf{v},\mathbf{s})\in\{0,1\}^\ell\times\ZZ^{2m}\times\ZZ^{2m}$. \smallskip
\item[\textsf{Verify}$\big(PK,\mathsf{Msg},sig\big)$:] Given $PK$, a message $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)\in(\{0,1\}^{2m})^N$ and a purported
and $\|\mathbf{v}\| < \sigma\sqrt{2m}$, $\|\mathbf{s}\| < \sigma_1\sqrt{2m}$.
\end{description}
When the scheme is used for obliviously signing committed messages,
the security proof follows Bai \textit{et al.}~\cite{BLL+15} in that it applies an argument based on the R\'enyi divergence in one signing query. This argument requires
We note that, instead of being included in the public key, the matrices $\{\mathbf{D}_k\}_{k=0}^{N}$ can be part of common public parameters shared by many signers. Indeed,
only the matrices $(\mathbf{A},\{\mathbf{A}_i\}_{i=0}^\ell)$ should be specific to the user who holds the secret key $SK=\mathbf{T}_{\mathbf{A}}$. In Section~\ref{commit-sig}, we use a variant where $\{\mathbf{D}_k\}_{k=0}^{N}$
belong to public parameters.
\subsection{Security Analysis}
The security analysis in Theorem~\ref{th:gs-lwe-security-cma-sig} requires that $q>\ell$.
To prove the result, we will distinguish three kinds of attacks:
\begin{description}
\item[Type I attacks] are attacks where, in the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ did not appear in any output
of the signing oracle.
\item[Type II attacks] are such that, in the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ is recycled from an output
$sig^{(i^\star)}=(\tau^{(i^\star)},\mathbf{v}^{(i^\star)},\mathbf{s}^{(i^\star)})$ of the signing oracle, for some index $i^\star\in\{1,\ldots,Q\}$. However,
if $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ and $\mathsf{Msg}^{(i^\star)}=(\mathfrak{m}_1^{(i^\star)},\ldots,\mathfrak{m}_N^{(i^\star)})$ denote the forgery
message and the $i^\star$-th signing query, respectively, we have
\item[Type III attacks] are those where the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$ recycles $\tau^\star$ from an output
$sig^{(i^\star)}=(\tau^{(i^\star)},\mathbf{v}^{(i^\star)},\mathbf{s}^{(i^\star)})$ of the signing oracle (i.e.,
$\tau^{(i^\star)}=\tau^\star$ for some index $i^\star\in\{1,\ldots,Q\}$) and we have the collision
\[\big({\mathbf{s}^\star}^T-{\mathbf{s}^{(i^\star)}}^T \mid{\mathfrak{m}_1^\star}^T -{\mathfrak{m}_1^{(i^\star)}}^T \mid\ldots\mid{\mathfrak{m}_N^\star}^T -{\mathfrak{m}_N^{(i^\star)}}^T \big)^T,\] so that such a collision breaks the $\mathsf{SIS}$ assumption.
The security against Type I attacks is proved by \cref{le:lwe-gs-type-I-attacks} which applies the same technique as in \cite{Boy10,MP12}. In particular, the prefix guessing technique
of \cite{HW09} allows keeping the modulus smaller than the number $Q$ of adversarial queries as in \cite{MP12}.
In order to deal with Type II attacks, we can leverage the technique of~\cite{BHJ+15}. In \cref{le:lwe-gs-type-II-attacks}, we prove that a Type II attack would also contradict $\mathsf{SIS}$.
\end{proof}
\begin{lemma}\label{le:lwe-gs-type-I-attacks}
The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$ assumption holds for $\beta' = m^{3/2}\sigma^2(\ell+3)+ m^{1/2}\sigma_1$.
\end{lemma}
\begin{proof}
Let $\adv$ be a $\ppt$ adversary that can mount a Type I attack with non-negligible success probability $\varepsilon$. We construct a $\ppt$
algorithm $\bdv$ that uses $\adv$ to break the~$\SIS_{n,m,q,\beta'}$ assumption. It takes as input~$\bar{\mathbf{A}}\in
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)}\sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this
end, $\bdv$ chooses $i^\dagger\sample U(\{1,\ldots, Q\})$ and $t^\dagger\sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot\ell)$, the longest
common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)}\right\}_{i=1}^Q$ is the string
$\tau^\star[1]\ldots\tau^\star[t^\dagger-1]=\tau^{(i^\dagger)}[1]\ldots\tau^{(i^\dagger)}[t^\dagger-1]\in\{0,1\}^{t^\dagger-1}$ comprised of the
first $t^\dagger-1$ bits of $\tau^\star\in\{0,1\}^\ell$. We define $\tau^\dagger\in\{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1]\ldots\tau^\star[t^\dagger]$. By construction, with probability $1/(Q \cdot\ell)$, we have $\tau^\dagger\not\in\left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}}\right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times2m})$ uniformly at random for each $k \in[0,N]$. Then, it picks a random short matrix $\mathbf{R}\in\ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
% $\bdv$ is able to compute a trapdoor $\mathbf{T}_{\tau^{(i)}} \in \ZZ^{2m \times 2m}$ for each matrix $\{\mathbf{A}_{\tau^{(i)}} \}_{i=1}^Q $ (see~\cite[Se.~4.2]{ABB1},
% using the basis~$\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$.
At the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)})\in(\{0,1\}^{2m})^N$, $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}}\in\ZZ^{m \times m}$ to generate a signature.
To do this, $\bdv$ first samples $\mathbf{s}^{(i)}\sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in\Zq^n$ as
Using $\mathbf{T}_{\mathbf{C}}\in\ZZ^{m \times m}$, $\bdv$ can then sample a short vector $\mathbf{v}^{(i)}\in\ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\|\mathbf{v}^\star\|\leq\sigma\sqrt{2m}$ and $\|\mathbf{s}^\star\|\leq\sigma_1\sqrt{2m}$.
At this point, $\bdv$ aborts and declares failure if it was unfortunate in its choice of $i^\dagger\in\{1,\ldots,Q\}$ and $t^\dagger\in\{1,\ldots,\ell\}$. Otherwise,
with probability $1/(Q \cdot\ell)$, $\bdv$ correctly guessed $i^\dagger\in\{1,\ldots,Q\}$ and $t^\dagger\in\{1,\ldots,\ell\}$, in which case it can solve the given $\mathsf{SIS}$ instance as follows.
If we parse $\mathbf{v}^\star\in\ZZ^{2m}$ as $({\mathbf{v}_1^\star}^T \mid{\mathbf{v}_2^\star}^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star\in\ZZ^m$, we have the equality
is in $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. Moreover, with overwhelming probability, this vector is non-zero since, in $\adv$'s view, the distribution of
$\mathbf{e}_u \in\ZZ^m$ is $D_{\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}),\sigma_1}$, which ensures that $\mathbf{e}_u$ is statistically hidden by
the syndrome $\mathbf{u}=\bar{\mathbf{A}}\cdot\mathbf{e}_u $. Finally, the norm of $\mathbf{w}$ is smaller than
which yields a valid solution of the given $\mathsf{SIS}_{n,m,q,\beta'}$ instance
with overwhelming probability.
\end{proof}
\begin{lemma}\label{le:lwe-gs-type-II-attacks}
The scheme is secure against Type II attacks if the $\mathsf{SIS}_{n,m,q,\beta''}$ assumption holds for $\beta'' =\sqrt{2}(\ell+2)\sigma^2 m^{3/2}+ m^{1/2}$.
\end{lemma}
\begin{proof}
We prove the result using a sequence of games. For each $i$, we denote by $W_i$ the event that the adversary wins by outputting a Type II forgery in \textsf{Game}$i$.
\medskip
\begin{description}
\item[\textsf{Game} 0:] This is the real game where, at the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)})$,
the adversary obtains a signature $sig^{(i)}=(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ for each $i \in\{1,\ldots,Q\}$ from the signing oracle. At the end of the game, the adversary
outputs a forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^{\star}=(\mathfrak{m}_1^{\star},\ldots,\mathfrak{m}_N^{\star})$.
By hypothesis, the adversary's advantage is $\varepsilon=\Pr[W_0]$. We assume without loss of generality that the random $\ell$-bit strings $\tau^{(1)}, \ldots, \tau^{(Q)}$ are chosen
at the very beginning of the game.
Since $(\mathsf{Msg}^\star,sig^\star)$ is a Type II forgery, there exists an index $i^\star\in\{1,\ldots,Q\}$ such that $\tau^\star=\tau^{(i^\star)}$.
\item[\textsf{Game} 1:] This game is identical to \textsf{Game}$0$ with the difference that the reduction aborts the experiment in the unlikely event that, in the adversary's forgery
$sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ coincides with more than one of the random $\ell$-bit strings $\tau^{(1)}, \ldots, \tau^{(Q)}$
used by the challenger. If we call $F_1$ the latter event, we have $\Pr[F_1] < Q^2/2^\ell$ since we are guaranteed to have $\neg F_1$ as long as no two $\tau^{(i)}$, $\tau^{(i')}$ collide.
Given that \textsf{Game}$1$ is identical to \textsf{Game}$0$ until $F_1$ occurs, we have $|\Pr[W_1]-\Pr[W_0]| \leq\Pr[F_1] < Q^2/2^\ell$.
\item[\textsf{Game} 2:] This game is like \textsf{Game}$1$ with the following difference. At the outset of the game, the challenger $\bdv$ chooses a random index
$i^\dagger\sample U(\{1,\ldots,Q\})$ as a guess that $\adv$'s forgery will recycle the $\ell$-bit string $\tau^{(i^\dagger)}\in\{0,1\}^\ell$ of the $i^\dagger$-th signing query.
When $\adv$ outputs its Type II forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, the challenger aborts
in the event that $\tau^{(i^\dagger)}\neq\tau^\star$ (i.e., $i^\dagger\neq i^\star$). Since the choice of $i^\dagger$ in $\{1,\ldots,Q\}$ is independent of $\adv$'s view, we
have $\Pr[W_2]=\Pr[W_1]/Q$.
\item[\textsf{Game} 3:] In this game, we modify the key generation phase and the way to answer signing queries.
First, the challenger $\bdv$ randomly picks $h_0,h_1,\ldots,h_\ell\in\Zq$ subject to the constraints
It runs $(\mathbf{C},\mathbf{T}_{\mathbf{C}})\leftarrow\mathsf{TrapGen}(1^n,1^m,q)$,
$(\mathbf{D}_0,\mathbf{T}_{\mathbf{D}_0})\leftarrow\mathsf{TrapGen}(1^{2n},1^{2m},q)$ so as to obtain statistically random matrices $\mathbf{C}\in\Zq^{n \times m}$, $\mathbf{D}_0\in\Zq^{2n \times2m}$ with
trapdoors $\mathbf{T}_{\mathbf{C}}\in\ZZ^{m \times m}$, $\mathbf{T}_{\mathbf{D}_0}\in\ZZ^{2m \times2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_0)$, respectively. Then,
$\bdv$
chooses
a uniformly random $\mathbf{D}\sample U(\Zq^{n \times m})$ and re-randomizes it using short matrices
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell}\sample\ZZ^{m \times m}$, which are obtained
by sampling their columns from the distribution $D_{\ZZ^m,\sigma}$. Namely, from $\mathbf{D}\in\Zq^{n \times m}$, $\bdv$
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample U(\Zq^{2n \times2m})$ and a random vector $\mathbf{c}_M \sample U(\Zq^{2n})$. It samples
short vectors $\mathbf{v}_1 ,\mathbf{v}_2\sample D_{\ZZ^m,\sigma}$ and computes $\mathbf{u}\in\Zq^n$
as $\mathbf{u}=\mathbf{A}_{\tau^{(i^\dagger)}}\cdot
\left[
\begin{array}{c}
\mathbf{v}_1 \\\hline\mathbf{v}_2
\end{array}\right]
- \mathbf{D}\cdot\bit( \mathbf{c}_M ) \bmod q$, where
with $h_{\tau^{(i)}}= h_0+\sum_{j=1}^\ell\tau^{(i)}[j]\cdot h_j \neq0$. This implies that $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}}\in\ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ first samples a discrete Gaussian vector $\mathbf{s}^{(i)}\sample D_{\ZZ^{2m},\sigma_1}$ and computes $\mathbf{u}_M \in\Zq^n$ as
using $\mathbf{T}_{\mathbf{C}}\in\ZZ^{m \times m}$, it samples a short vector $\mathbf{v}^{(i)}\in\ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
that $(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ satisfies \eqref{ver-eq-block}.
\item At the $i^\dagger$-th signing query $(\mathfrak{m}_1^{(i^\dagger)},\ldots,\mathfrak{m}_N^{(i^\dagger)})$, we have
due to the constraint $h_0+\sum_{j=1}^\ell\tau^{(i^\dagger)}[j]\cdot h_j =0\bmod q $.
To answer the query, $\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_0}\in\ZZ^{2m \times2m}$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ to sample a short vector
$\mathbf{s}^{(i^\dagger)}\in D_{\Lambda_q^{\mathbf{c}'_M}(\mathbf{D}_0), \sigma_1}$, where $\mathbf{c}'_M =\mathbf{c}_M -\sum_{k=1}^N \mathbf{D}_k \cdot{\mathfrak{m}_k^{(i^\dagger)}}\in\Zq^{2n}$.
The obtained vector $\mathbf{s}^{(i^\dagger)}\in\ZZ^{2m}$ thus verifies
\begin{equation}\label{sim-s}
\mathbf{D}_0 \cdot{\mathbf{s}^{(i^\dagger)}}=
\mathbf{c}_M - \sum_{k=1}^N \mathbf{D}_k \cdot{\mathfrak{m}_k^{(i^\dagger)}} ~\bmod q,
\end{equation}
and $\adv$ receives $sig^{(i^\dagger)}=(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},\mathbf{s}^{(i^\dagger)})$, where $\mathbf{v}^{(i^\dagger)}=(\mathbf{v}_1^T \mid\mathbf{v}_2^T)^T $.
By construction, the returned signature $sig^{(i^\dagger)}$ satisfies
and the distribution of $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},\mathbf{s}^{(i^\dagger)})$ is statistically the same as in \textsf{Game}$2$.
\end{itemize}
\end{description}
We conclude that $\Pr[W_2]$ is negligibly far apart from $\Pr[W_3]$ since, by the Leftover Hash Lemma (see \cite[Le. 13]{ABB10}), the public key $PK$ in \textsf{Game}$3$ is statistically close to its distribution in \textsf{Game}$2$.
\medskip
In \textsf{Game}$3$, we claim that the challenger $\bdv$ can use $\adv$ to solve the $\mathsf{SIS}$ problem by finding a short vector of $\Lambda_q^\perp(\mathbf{D})$ with probability $\Pr[W_3]$. Indeed,
with proba\-bility $\Pr[W_3]$, the adversary outputs a valid signature $sig^\star=(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\|\mathbf{v}^\star\|\leq\sigma\sqrt{2m}$ and $\|\mathbf{s}^\star\|\leq\sigma_1\sqrt{2m}$.
If we parse $\mathbf{v}^\star\in\ZZ^{2m}$ as $({\mathbf{v}_1^\star}^T \mid{\mathbf{v}_2^\star}^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star\in\ZZ^m$, we have
Due to the way $\mathbf{u}\in\Zq^n$ was defined at the outset of the game, $\bdv$ also knows short vectors $\mathbf{v}^{(i^\dagger)}=(\mathbf{v}_1^T \mid\mathbf{v}_2^T)^T \in\ZZ^{2m}$
Relation (\ref{sim-s}) implies that $\mathbf{c}_M \neq\mathbf{D}_0\cdot{\mathbf{s}^{\star}}
+ \sum_{k=1}^N \mathbf{D}_k \cdot{\mathfrak{m}_k^{\star}}\bmod q$ by hypothesis. It follows that $\bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot{\mathbf{s}^{\star}}
+ \sum_{k=1}^N \mathbf{D}_k \cdot{\mathfrak{m}_k^{\star}} ) $ is a non-zero vector in $\{-1,0,1\}^m$. Subtracting \eqref{second-sol} from \eqref{first-sol}, we get
is a short integer vector of $\Lambda_q^{\perp}(\mathbf{D})$. Indeed, its norm can be bounded as $\|\mathbf{w}\|\leq\beta'' =\sqrt{2}(\ell+2)\sigma^2 m^{3/2}+ m^{1/2}$. We argue that it is non-zero with overwhelming probability. We already observed that
$\bit(\mathbf{D}_0\cdot{\mathbf{s}^{\star}}
+ \sum_{k=1}^N \mathbf{D}_k \cdot{\mathfrak{m}_k^{\star}} ) - \bit(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
$({\mathbf{v}_1^\star}, {\mathbf{v}_2^\star})=({\mathbf{v}_1} , {\mathbf{v}_2})$. Hence, we can only have $\mathbf{w}=\mathbf{0}^m$ when the equality
holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star\neq\mathbf{v}_1$ or $\mathbf{v}_2^\star\ne\mathbf{v}_2$, the left-hand-side member of \eqref{final-eq}
is information theoretically unpredictable since the columns of matrices $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ are statistically hidden in the view of $\adv$.
Indeed, conditionally on the public key, each column of $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ has at least $n$ bits
of min-entropy, as shown by, e.g., \cite[Le. 2.7]{MP12}.
\end{proof}
\subsection{Protocols for Signing a Committed Value and Proving Possession of a Signature}\label{commit-sig}
we will assume that each message block $\mathfrak{m}_k \in\{0,1\}^{2m}$ is obtained by encoding
the actual message $M_k =M_k[1]\ldots M_k[m]\in\{0,1\}^m$ as $\mathfrak{m}_k=\mathsf{Encode}(M_k)=(\bar{M}_k[1] , M_k[1],\ldots, \bar{M}_k[m] , M_k[m])$. Namely,
each $0$ (respectively each $1$) is encoded as a pair $(1,0)$ (resp. $(0,1)$). The reason for this encoding is that the proof of Theorem~\ref{commit-thm} requires that at least one bit of some block
$\mathfrak{m}_k^\star$ of the forgery message is $1$ while the same bit is $0$ at some specific signing query. We will show (see \cref{se:gs-lwe-stern}) that the correctness of this encoding can
be efficiently proved using Stern-like~\cite{Ste96} protocols.
To sign committed messages, a first idea is to exploit the fact that our signature of Section~\ref{desc-sig-protoc} blends well with the $\mathsf{SIS}$-based commitment scheme suggested by Kawachi \textit{et al.}~\cite{KTX08}.
In the latter scheme, the commitment key consists of matrices $(\mathbf{D}_0,\mathbf{D}_1)\in\Zq^{2n \times2m}\times\Zq^{2n \times2m}$, so that message
$\mathfrak{m}\in\{0,1\}^{2m}$ can be committed to by sampling a Gaussian vector $\mathbf{s}\sample D_{\ZZ^{2m},\sigma}$ and computing
$\mathbf{C}=\mathbf{D}_0\cdot\mathbf{s}+\mathbf{D}_1\cdot\mathfrak{m}\in\Zq^{2n}$. This scheme extends to commit to multiple messages $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ at once by computing
$\mathbf{C}=\mathbf{D}_0\cdot\mathbf{s}+\sum_{k=1}^N \mathbf{D}_k \cdot\mathfrak{m}_k \in\Zq^{2n}$ using a longer
commitment key $(\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_N)\in(\Zq^{2n \times2m})^{N+1}$. It is easy to see that the resulting commitment remains statistically hiding and computationally
binding under the $\mathsf{SIS}$ assumption.
%If we assume that the signer only sees perfectly hiding commitments $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$ and $\mathbf{C}= \mathbf{B}_0 \cdot %\mathbf{r} + \sum_{k=1}^N \mathbf{B}_k \cdot \mathfrak{m}_k$ to the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^m)^N$ on which the
%user wants to obtain a signature, a simple way for the
%user to prove that $\mathbf{C}$ and $ \mathbf{c}_{\mathfrak{m}}$ are commitments to the same message is to
% generate a witness indistinguishable proof of knowledge of a short vector
In order to make our construction usable in the definitional framework of Camenisch \textit{et al.}~\cite{CKL+15}, we assume common public parameters
(i.e., a common reference string) and encrypt all witnesses of which knowledge is being proved under a public key included in the common reference string. The resulting ciphertexts thus serve as statistically binding commitments
to the witnesses.
To enable this, the common public parameters comprise public keys $\mathbf{G}_0\in\Zq^{n \times\ell}$, $\mathbf{G}_1\in\Zq^{n \times2m}$
for multi-bit variants of the dual Regev cryptosystem \cite{GPV08} and all parties are denied access to the underlying private keys. The flexibility of Stern-like protocols allows us to prove that the content of a perfectly hiding commitment $\mathbf{c}_{\mathfrak{m}}$ is consistent with
encrypted values.%, the protocols of Ling \textit{et al.} \cite{LNW15} come in handy.
\begin{description}
\item[\textsf{Global}\textrm{-}\textsf{Setup}:] Let $B =\sqrt{n}\omega(\log n)$ and let $\chi$ be a $B$-bounded distribution.
Let $p =\sigma\cdot\omega(\sqrt{m})$ upper-bound entries of vectors sampled from the distribution~$D_{\ZZ^{2m},\sigma}$.
Generate two public keys for the dual Regev encryption scheme
in its multi-bit variant. These keys consist of a public random matrix
$\mathbf{B}\sample U(\Zq^{n \times m})$ and random matrices $\mathbf{G}_0=\mathbf{B}\cdot\mathbf{E}_0\in\Zq^{n \times\ell}$, $\mathbf{G}_1=\mathbf{B}\cdot\mathbf{E}_1\in\Zq^{n \times2m}$,
where $\mathbf{E}_0\in\ZZ^{ m \times\ell}$ and $\mathbf{E}_1\in\ZZ^{m \times2m}$ are short Gaussian matrices with columns sampled from $D_{\ZZ^{m},\sigma}$. These matrices will be
used to encrypt integer vectors of dimension $\ell$ and $2m$, respectively. Finally, generate public parameters $CK:=\{\mathbf{D}_k \}_{k=0}^N$ consisting of uniformly
random matrices $\mathbf{D}_k \sample U(\Zq^{2n \times2m})$ for a statistically hiding commitment
%where $p > \sigma_1 \sqrt{m}$ upper-bounds entries of vectors sampled from the distribution $D_{\ZZ^m,\sigma_1}$,
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK:=\{\mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u}\}$, $SK:=\mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
which is sent to $S$ as a commitment to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$. In addition, $U$ encrypts $\{\mathfrak{m}_k\}_{k=1}^N$ and $\mathbf{s}'$ under the dual-Regev public key $(\mathbf{B},\mathbf{G}_1)$
where $\mathbf{s}_{0}\sample\chi^n$, $\mathbf{e}_{0,1}\sample\chi^m$, $\mathbf{e}_{0,2}\sample\chi^{2m}$. The ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ are
sent to $S$ along with $\mathbf{c}_{\mathfrak{m}}$.
Then, $U$ generates an interactive zero-knowledge argument to convince~$S$ that
$\mathbf{c}_{\mathfrak{m}}$ is a commitment to $(\mathfrak{m}_1, \ldots, \mathfrak{m}_N)$ with the randomness $\mathbf{s}'$ such that $\{\mathfrak{m}_k\}_{k=1}^N$ and
$\mathbf{s}'$ were honestly encrypted to $\{\mathbf{c}_{k}\}_{k=1}^N$ and $\mathbf{c}_{s'}$, as in~\eqref{enc-Mk} and~\eqref{enc-s}.
%is consistent with the messages encrypted in $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$.
For convenience, this argument system will be described in Section~\ref{subsection:zk-for-commitments}, where we demonstrate that, together with other zero-knowledge protocols used in this work, it can be derived from a Stern-like~\cite{Ste96} protocol constructed in \cref{se:gs-lwe-stern}.
\item[2.] If the argument of step 1 properly verifies, $S$ samples $\mathbf{s}'' \sample D_{\ZZ^{2m},\sigma_0}$ and computes
a vector $\mathbf{u}_{\mathfrak{m}}=\mathbf{u}+\mathbf{D}\cdot\bit\bigl(\mathbf{c}_{\mathfrak{m}}+\mathbf{D}_0\cdot\mathbf{s}'' \bigr)\in\Zq^n$.
Next, $S$ randomly picks $\tau\sample\{0,1\}^\ell$ and
uses $\mathbf{T}_{\mathbf{A}}$ to compute a delegated basis $\mathbf{T}_{\tau}\in\ZZ^{2m \times2m}$ for the matrix $\mathbf{A}_{\tau}\in\Zq^{n \times2m}$ of \eqref{tau-matrix}.
Using $\mathbf{T}_\tau\in\ZZ^{2m \times2m}$, $S$ samples a short vector $\mathbf{v}\in\ZZ^{2m}$ in $D^{\mathbf{u}_{\mathfrak{m}}}_{\Lambda^{\perp}(\mathbf{A}_\tau), \sigma}$. It returns
the vector $(\tau,\mathbf{v},\mathbf{s}'')\in\{0,1\}^\ell\times\ZZ^{2m}\times\ZZ^{2m}$ to $U$.
\item[3.] $U$ computes $\mathbf{s}=\mathbf{s}'+\mathbf{s}''$ over $\ZZ$ and verifies that \[\mathbf{A}_{\tau}\cdot\mathbf{v}=\mathbf{u}+\mathbf{D}\cdot\bit
\bigl( \mathbf{D}_0 \cdot\mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot\mathfrak{m}_k \bigr) \bmod q.\] If so, it outputs $(\tau,\mathbf{v},\mathbf{s})$. Otherwise, it outputs $\perp$.
\end{itemize}
\end{description}
Note that, if both parties faithfully run the protocol, the user obtains a valid signature $(\tau,\mathbf{v},\mathbf{s})$ for which the distribution of $\mathbf{s}$ is $D_{\ZZ^{2m},\sigma_1}$,
\item[\textsf{Prove}:] On input of a signature $(\tau,\mathbf{v}=(\mathbf{v}_1^T \mid\mathbf{v}_2^T)^T,\mathbf{s})\in\{0,1\}^\ell\times\ZZ^{2m}\times\ZZ^{2m}$ on the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, the user
does the following. \smallskip\smallskip
\begin{itemize}
\item[1.] Using $(\mathbf{B},\mathbf{G}_0)$ and $(\mathbf{B},\mathbf{G}_1)$, generate perfectly binding commitments to $\tau\in\{0,1\}^\ell$, $\{\mathfrak{m}_k \}_{k=1}^N$,
$\mathbf{v}_1,\mathbf{v}_2\in\ZZ^m$ and $\mathbf{s}\in\ZZ^{2m}$. Namely, compute
\item[2.] Prove in zero-knowledge that $\mathbf{c}_{\tau}$, $\mathbf{c}_{s}$, $\mathbf{c}_{\mathbf{v}}$, $\{\mathbf{c}_k\}_{k=1}^N$ encrypt a valid message-signature pair. In Section~\ref{subsection:zk-for-signature}, we show that this involved zero-knowledge protocol can be derived from the statistical zero-knowledge argument of knowledge for a simpler, but more general relation that we explicitly present in \cref{se:gs-lwe-stern}. The proof system can be made statistically ZK for a malicious verifier using standard techniques (assuming a common reference string, we can use \cite{Dam00}). In the random oracle model, it can
be made non-interactive using the Fiat-Shamir heuristic \cite{FS86}.
We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing
query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$.
In instantiations using non-interactive proofs, we assume that these can be bound to a verifier-chosen nonce to prevent replay attacks, as suggested in \cite{CKL+15}.
The security proof (in Theorem~\ref{commit-thm}) makes crucial use of the R\'enyi divergence using arguments in the spirit of Bai \textit{et al.}~\cite{BLL+15}. The
reduction has to guess upfront the index $i^\star\in\{1,\ldots,Q\}$ of the specific signing query for which the adversary will re-use $\tau^{(i^\star)}$. For
this query, the reduction will have to make sure that the simulation trapdoor of Agrawal \textit{et al.}~\cite{ABB10} (used by the $\mathsf{SampleRight}$ algorithm
of Lemma~\ref{lem:sampler}) vanishes: otherwise, the adversary's forgery would not be usable for solving $\mathsf{SIS}$. This means that, as in the proof of
\cite{BHJ+15}, the reduction must answer exactly one signing query in a different way, without using the trapdoor. While B\"ohl \textit{et al.} solve this
problem by exploiting the fact that they only need to prove security against non-adaptive forgers, we directly use a built-in chameleon hash function mechanism
which is implicitly realized by the matrix $\mathbf{D}_0$ and the vector $\mathbf{s}$. Namely, in the signing query for which the Agrawal \textit{et al.}
trapdoor~\cite{ABB10} cancels, we assign a special value to the vector $\mathbf{s}\in\ZZ^{2m}$, which depends on the adaptively-chosen signed message
$\mathsf{Msg}^{(i^\star)}=(\mathfrak{m}_1^{(i^\star)},\ldots,\mathfrak{m}_N^{(i^\star)})$ and some Gaussian matrices $\{\mathbf{R}_k\}_{k=1}^N$ hidden behind $\{\mathbf{D}_k\}_{k=1}^N$.
One issue is that this results in a different distribution for the vector $\mathbf{s}\in\ZZ^{2m}$. However, we can still view $\mathbf{s}$ as a vector sampled from a
Gaussian distribution centered away from $\mathbf{0}^{2m}$. Since this specific situation occurs only once during the simulation, we can apply a result proved in
\cite{LSS14} which upper-bounds the R\'enyi divergence between two Gaussian distributions with identical standard deviations but different centers. By
choosing the standard deviation $\sigma_1$ of $\mathbf{s}\in\ZZ^{2m}$ to be polynomially larger than that of the columns of matrices $\{\mathbf{R}_k\}_{k=1}^N$, we can
keep the R\'enyi divergence between the two distributions of $\mathbf{s}$ (i.e., the one of the simulation and the one of the real game) sufficiently small to apply
the probability preservation property (which still gives a polynomial reduction since the argument must only be applied on one signing query). Namely, the
latter implies that, if the R\'enyi divergence $R_2(\mathbf{s}^{\mathsf{real}}||\mathbf{s}^{\mathsf{sim}})$ is polynomial, the probability that the simulated vector
$\mathbf{s}^{\mathsf{sim}}\in\ZZ^{2m}$ passes the verification test will only be polynomially smaller than in the real game and so will be the adversary's
probability of success.
Another option would have been to keep the statistical distance between $\mathbf{s}^{\mathsf{real}}$ and $\mathbf{s}^{\mathsf{sim}}$ negligible using the smudging
technique of \cite{AJL+12}. However, this would have required an exponentially large modulus $q$, since $\sigma_1$ would then have to be exponentially larger
than the standard deviations of the columns of $\{\mathbf{R}_k\}_{k=1}^N$.
\begin{theorem}\label{commit-thm}
Under the $\mathsf{SIS}_{n,2m, q, \hat{\beta}}$ assumption, where $\hat{\beta}= N \sigma(2m)^{3/2}+4\sigma_1 m^{3/2}$\hspace*{-1.5pt}, the above
protocols are secure protocols for obtaining a signature on a committed message and proving possession of a valid message-signature pair.
In the following proof, we make use of the R\'enyi divergence in a similar way to~\cite{BLL+15}:
instead of the classical statistical distance, we sometimes use the R\'enyi divergence, a measure of the closeness of two distributions (which, unlike the statistical distance, is not symmetric).
Its use in security proofs for lattice-based systems was considered in~\cite{LSS14,BLL+15} and further improved by Prest~\cite{Pre17}. We first recall its definition.
\defRenyi*
We will focus on the following properties of the R\'enyi divergence; their proofs can be found in~\cite{LSS14,BLL+15}.
\begin{lemma}[{\cite[Le. 2.7]{BLL+15}}]
\label{lem:renyi}
Let $a \in[1, +\infty]$. Let $P$ and $Q$ denote distributions with $\Supp(P)
\subseteq\Supp(Q)$. Then the following properties hold:
\textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot\mathbf{x}=\mathbf{v}\bmod q$, where $\|\mathbf{x}\|_\infty=1$ and $\mathbf{x}\in\mathsf{VALID}$---a ``specially-designed'' set.}
Now we employ the techniques from \cref{sse:stern-abstraction} to convert~\eqref{equation:R-commit-unified} into the form $\mathbf{P}\cdot\mathbf{x}=\mathbf{v}\bmod q$. Specifically, if we let:
$L =3(n+3m)(N+1)\delta_B +2mN +6m\delta_{p-1}$, and $\mathbf{P}\hspace*{-1pt}=\hspace*{-1pt}\big[\mathbf{M}'_1 | \mathbf{M}_2 | \mathbf{M}'_3\big]\hspace*{-2pt}\in\hspace*{-1pt}\mathbb{Z}_q^{D \times L}$, and $\mathbf{x}=\big(\hat{\mathbf{x}}_1^T \|\mathfrak{m}^T \|\hat{\mathbf{s}}^T\big)^T$, then we will obtain the desired equation:
\[
\mathbf{P}\cdot\mathbf{x} = \mathbf{v}\bmod q.
\]
Having performed the above unification, we now define $\mathsf{VALID}$ as the set of all vectors $\mathbf{t}\hspace*{-1pt}\in\hspace*{-1pt}\{-1,0,1\}^L$ of the form $\mathbf{t}\hspace*{-1pt}=\hspace*{-1pt}\big(\mathbf{t}_1^T \|\mathbf{t}_2^T \|\mathbf{t}_3^T\big)^T$\hspace*{-2.5pt}, where $\mathbf{t}_1\in\mathsf{B}^3_{(n+3m)(N+1)\delta_B}$, $\mathbf{t}_2\in\mathsf{CorEnc}(mN)$, and $\mathbf{t}_3\in\mathsf{B}^3_{2m\delta_{p-1}}$. Note that $\mathbf{x}\in\mathsf{VALID}$. \\
\smallskip
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi\in\mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
\item For $\pi=(\pi_1, \mathbf{b}, \pi_3)\in\mathcal{S}$, and for vector $\mathbf{w}=\big(\mathbf{w}_1^T \|\mathbf{w}_2^T \|\mathbf{w}_3^T\big)^T \in\mathbb{Z}_q^L$, where $\mathbf{w}_1\in\ZZ_q^{3(n+3m)(N+1)\delta_B}$, $\mathbf{w}_2\in\ZZ_q^{2mN}$, $\mathbf{w}_3\in\ZZ_q^{6m\delta_{p-1}}$, we define: \vspace*{-5pt}
By inspection, it can be seen that the properties in~(\ref{eq:zk-equivalence}) are satisfied, as desired. As a result, we can obtain the required argument system by running the protocol in \cref{sse:stern-abstraction} with common input $(\mathbf{P}, \mathbf{v})$ and prover's input $\mathbf{x}$.
\textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot\mathbf{x}=\mathbf{c}\bmod q$, where $\|\mathbf{x}\|_\infty=1$ and $\mathbf{x}\in\mathsf{VALID}$---a ``specially-designed'' set.}
Note that, if we let $\mathbf{y}=\mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{s}+\sum_{k=1}^N \mathbf{D}_k\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathfrak{m}_k)\in\{0,1\}^{m}$, then we have $\mathbf{H}_{2n \times m}\cdot\mathbf{y}=\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{s}+\sum_{k=1}^N \mathbf{D}_k\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathfrak{m}_k \bmod q$, and~(\ref{equation:R-sign-signature}) can be equivalently written as:
where, for dimensions $D =\ell+3n +7m +3mN$ and $L_0= D + nN$,
\begin{itemize}
\item Matrices $\mathbf{F}, \mathbf{F}_0, \mathbf{F}_1, \ldots, \mathbf{F}_\ell\in\mathbb{Z}_q^{D \times m}$, $\mathbf{M}_1\in\mathbb{Z}_q^{D \times\ell}$, $\mathbf{M}_2\in\mathbb{Z}_q^{D \times m}$, $\mathbf{M}_3\in\mathbb{Z}_q^{D \times2mN}$, $\mathbf{M}_4\in\mathbb{Z}_q^{D \times2m}$, $\mathbf{M}_5\in\mathbb{Z}_q^{D \times L_0}$ and vector $\mathbf{c}\in\mathbb{Z}_q^D$ are built from the public input.
for some $\mathbf{w}_1, \mathbf{w}_2\in\mathsf{B}^3_{m\delta_\beta}$, $\mathbf{g}=(g_1, \ldots, g_{2\ell})\in\mathsf{B}_{2\ell}$, $\mathbf{w}_3\in\mathsf{B}^2_{m}$, $\mathbf{w}_4\in\mathsf{CorEnc}(mN)$, $\mathbf{w}_5\in\mathsf{B}^3_{2m\delta_{p-1}}$, and $\mathbf{w}_6\in\mathsf{B}^3_{L_0\delta_B}$.
It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailored set $\mathsf{VALID}$.\\
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi\in\mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
\item For $\pi=(\phi, \psi, \gamma, \rho, \mathbf{b}, \eta, \xi)\in\mathcal{S}$ and $\mathbf{z}=\big(\mathbf{z}_0^1\|\mathbf{z}_0^2\|\mathbf{z}_1\|\ldots\|\mathbf{z}_{2\ell}\|\mathbf{g}\|\mathbf{t}_1\|\mathbf{t}_2\|\mathbf{t}_3\|\mathbf{t}_4\big)\in\mathbb{Z}_q^L$,
where ${\mathbf{z}_0^1}, {\mathbf{z}_0^2}, \mathbf{z}_1, \ldots, \mathbf{z}_{2\ell}\in\mathbb{Z}_q^{3m\delta_\beta}$, $\mathbf{g}\in\mathbb{Z}_q^{2\ell}$, $\mathbf{t}_1\in\mathbb{Z}_q^{2m}$, $\mathbf{t}_2\in\mathbb{Z}_q^{2mN}$, $\mathbf{t}_3\in\mathbb{Z}_q^{6m\delta_{p-1}}$, and $\mathbf{t}_4\in\mathbb{Z}_q^{3L_0\delta_B}$, we define:
as the permutation that transforms $\mathbf{z}$ as follows:
\begin{enumerate}
\item It rearranges the order of the $2\ell$ blocks $\mathbf{z}_1, \ldots, \mathbf{z}_{2\ell}$ according to $\gamma$.
\item It then permutes block $\mathbf{z}_0^1$ according to $\phi$, blocks $\mathbf{z}_0^2$, $\{\mathbf{z}_i\}_{i=1}^{2\ell}$ according to~$\psi$, block $\mathbf{g}$ according to $\gamma$, block $\mathbf{t}_1$ according to $\rho$, block $\mathbf{t}_2$ according to $E_{\mathbf{b}}$, block $\mathbf{t}_3$ according to~$\eta$, and block $\mathbf{t}_4$ according to $\xi$.
\end{enumerate}
\end{itemize}
It can be checked that~(\ref{eq:zk-equivalence}) holds. Therefore, we can obtain a statistical \textsf{ZKAoK} for the given relation by running the protocol in \cref{sse:stern-abstraction}.