Fabrice Mouhartem 2018-06-18 14:11:43 +02:00
parent 219c22cd9d
commit 4c75b25509

@ -72,7 +72,7 @@ $\mathsf{bin}(\mathbf{v}_i) $ of $\mathbf{v}_i$. The vector $\mathsf{bin}(\mathb
$(\tau,\mathbf{v},\mathbf{s}) $ as a membership certificate, the group member is able to sign a message by proving that: (i) He holds a valid signature $(\tau,\mathbf{v},\mathbf{s}) $ as a membership certificate, the group member is able to sign a message by proving that: (i) He holds a valid signature
$(\tau,\mathbf{v},\mathbf{s})$ on some secret binary message $\mathsf{bin}(\mathbf{v}_i) $; (ii) The latter vector $\mathsf{bin}(\mathbf{v}_i) $ is the binary expansion of $(\tau,\mathbf{v},\mathbf{s})$ on some secret binary message $\mathsf{bin}(\mathbf{v}_i) $; (ii) The latter vector $\mathsf{bin}(\mathbf{v}_i) $ is the binary expansion of
some syndrome $\mathbf{v}_i$ of which he knows a GPV pre-image $\mathbf{z}_i $. We remark that condition (ii) can be proved by providing evidence that we have $ some syndrome $\mathbf{v}_i$ of which he knows a GPV pre-image $\mathbf{z}_i $. We remark that condition (ii) can be proved by providing evidence that we have $
\mathbf{v}_i = \mathbf{H} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i $ and some binary $\mathsf{bin}(\mathbf{v}_i) $, \mathbf{v}_i = \mathbf{H} \cdot \textsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i $ and some binary $\mathsf{bin}(\mathbf{v}_i) $,
where $\mathbf{H}$ is the ``powers-of-$2$'' matrix. Our abstraction of Stern-like protocols \cite{Ste96,KTX08,LNSW13} allows us to efficiently argue such where $\mathbf{H}$ is the ``powers-of-$2$'' matrix. Our abstraction of Stern-like protocols \cite{Ste96,KTX08,LNSW13} allows us to efficiently argue such
statements. The fact that the underlying chameleon hash function smoothly interacts with Stern-like zero-knowledge arguments is the property that maintains statements. The fact that the underlying chameleon hash function smoothly interacts with Stern-like zero-knowledge arguments is the property that maintains
the user's capability of efficiently proving knowledge of the underlying secret key. the user's capability of efficiently proving knowledge of the underlying secret key.
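Review bot: the replacement on the `\mathbf{v}_i = \mathbf{H} \cdot \textsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q` line introduces a second spelling of the notation, because the unchanged sentences around it in this hunk write the same map as `$\mathsf{bin}(\mathbf{v}_i)$`. `\textsf{bin}` typesets its argument as text while `\mathsf{bin}` is a math-mode symbol, so one of the two should be chosen for the whole file (the existing text favours `\mathsf{bin}`). If `\bit` is a macro, redefining it once in the preamble, e.g. `\renewcommand{\bit}{\mathsf{bin}}`, would make every occurrence consistent and avoid the hand edits that this commit applies only partially in later hunks.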
@ -106,7 +106,7 @@ $\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$
We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$. block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$.
For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each For each vector $\mathbf{v} \in \Zq^L$, we denote by $\textsf{bin}(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
coordinate of $\mathbf{v}$ by its binary representation. coordinate of $\mathbf{v}$ by its binary representation.
@ -139,7 +139,7 @@ coordinate of $\mathbf{v}$ by its binary representation.
\end{eqnarray} \end{eqnarray}
\item Sample a vector $\mathbf{s} \sample D_{\ZZ^{2m},\sigma_1 }$. Compute $\mathbf{c}_M \in \Zq^{2n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$: i.e., compute \item Sample a vector $\mathbf{s} \sample D_{\ZZ^{2m},\sigma_1 }$. Compute $\mathbf{c}_M \in \Zq^{2n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$: i.e., compute
$\mathbf{c}_M = \mathbf{D}_{0} \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n} ,$ $\mathbf{c}_M = \mathbf{D}_{0} \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n} ,$
which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M) \in \Zq^n .$ which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M) \in \Zq^n .$
Then, Then,
using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$. using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$.
\end{enumerate} \end{enumerate}
@ -148,7 +148,7 @@ coordinate of $\mathbf{v}$ by its binary representation.
signature $sig=(\tau,\mathbf{v},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$, signature $sig=(\tau,\mathbf{v},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$,
return $1$ if return $1$ if
\begin{eqnarray} \label{ver-eq-block} \begin{eqnarray} \label{ver-eq-block}
\mathbf{A}_{\tau} \cdot \mathbf{v} &=& \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q. \mathbf{A}_{\tau} \cdot \mathbf{v} &=& \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q.
\end{eqnarray} \end{eqnarray}
and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, $\| \mathbf{s} \| < \sigma_1 \sqrt{2m}$. and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, $\| \mathbf{s} \| < \sigma_1 \sqrt{2m}$.
\end{description} \end{description}
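Review bot: the changed display (\ref{ver-eq-block}) ends with `\bmod q.` while the sentence continues on the next line with `and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, ...`, so the full stop inside the equation should be a comma (or dropped); the norm conditions are part of the same acceptance condition as the equation.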
@ -358,7 +358,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
\begin{array}{c} \begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2 \mathbf{v}_1 \\ \hline \mathbf{v}_2
\end{array} \right] \end{array} \right]
- \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q$, where - \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M ) \bmod q$, where
\begin{eqnarray*} \begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}} &=& \left[ \mathbf{A}_{\tau^{(i^\dagger)}} &=& \left[
\begin{array}{c|c} \mathbf{A} ~ & ~ \mathbf{A}_0 + \begin{array}{c|c} \mathbf{A} ~ & ~ \mathbf{A}_0 +
@ -384,7 +384,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
\end{eqnarray*} \end{eqnarray*}
with $h_{\tau^{(i)}} = h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0$. This implies that $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature. with $h_{\tau^{(i)}} = h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0$. This implies that $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ first samples a discrete Gaussian vector $\vec{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes $\mathbf{u}_M \in \Zq^n$ as To this end, $\bdv$ first samples a discrete Gaussian vector $\vec{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes $\mathbf{u}_M \in \Zq^n$ as
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } ) ~~ \bmod q.$$ Then, $$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } ) ~~ \bmod q.$$ Then,
using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, it samples a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, it samples a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
that $(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ satisfies (\ref{ver-eq-block}). that $(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ satisfies (\ref{ver-eq-block}).
\item At the $i^\dagger$-th signing query $ (\mathfrak{m}_1^{(i^\dagger)},\ldots,\mathfrak{m}_N^{(i^\dagger)})$, we have \item At the $i^\dagger$-th signing query $ (\mathfrak{m}_1^{(i^\dagger)},\ldots,\mathfrak{m}_N^{(i^\dagger)})$, we have
@ -440,15 +440,15 @@ such that
\begin{eqnarray} \label{second-sol} \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{eqnarray} \label{second-sol} \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
\left[\begin{array}{c} \left[\begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2 \mathbf{v}_1 \\ \hline \mathbf{v}_2
\end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q. \end{eqnarray} \end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M ) \bmod q. \end{eqnarray}
Relation (\ref{sim-s}) implies that $ \mathbf{c}_M \neq \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } Relation (\ref{sim-s}) implies that $ \mathbf{c}_M \neq \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) $ is a non-zero vector in $\{-1,0,1\}^m$. Subtracting (\ref{second-sol}) from (\ref{first-sol}), we get + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) $ is a non-zero vector in $\{-1,0,1\}^m$. Subtracting (\ref{second-sol}) from (\ref{first-sol}), we get
\begin{eqnarray*} \begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[\begin{array}{c} \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[\begin{array}{c}
\mathbf{v}_1^\star - \mathbf{v}_1 \\ \hline \mathbf{v}_2^\star - \mathbf{v}_1 \mathbf{v}_1^\star - \mathbf{v}_1 \\ \hline \mathbf{v}_2^\star - \mathbf{v}_1
\end{array} \right] \end{array} \right]
&=& \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } &=& \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q, + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q,
\end{eqnarray*} \end{eqnarray*}
which implies which implies
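Review bot: the replacement is incomplete in this hunk: in the sentence after (\ref{second-sol}) and again in the `&=&` line of the following display, only the first occurrence was changed, leaving `\textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }`, so the two sides of one difference now use different notation for the same map. While editing these lines, note that the displayed vector `\mathbf{v}_1^\star - \mathbf{v}_1 \\ \hline \mathbf{v}_2^\star - \mathbf{v}_1` has `\mathbf{v}_1` in the lower block where the next hunk's display uses `\mathbf{v}_2^\star - \mathbf{v}_2`, and that `\bigr) \mod q,` uses `\mod` (wide spacing) where the rest of the file uses `\bmod q`.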
@ -456,22 +456,22 @@ which implies
\left[ \left[
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ &~ \mathbf{D} \cdot (\mathbf{S}_0 + \begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ &~ \mathbf{D} \cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j) \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } \end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q . + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q .
\end{multline} \end{multline}
The above implies that the vector The above implies that the vector
\begin{eqnarray} \nonumber \begin{eqnarray} \nonumber
\mathbf{w} &=& \mathbf{w} &=&
\mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ \mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\
\nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \bit(\mathbf{c}_M) \nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \textsf{bin}(\mathbf{c}_M)
\end{eqnarray} \end{eqnarray}
is a short integer vector of $\Lambda_q^{\perp}(\mathbf{D})$. Indeed, its norm can be bounded as $\| \mathbf{w} \| \leq \beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $. We argue that it is non-zero with overwhelming probability. We already observed that is a short integer vector of $\Lambda_q^{\perp}(\mathbf{D})$. Indeed, its norm can be bounded as $\| \mathbf{w} \| \leq \beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $. We argue that it is non-zero with overwhelming probability. We already observed that
$ \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } $ \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \bit(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \textsf{bin}(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
$({\mathbf{v}_1^\star}, {\mathbf{v}_2^\star} ) =({\mathbf{v}_1} , {\mathbf{v}_2}) $. Hence, we can only have $\mathbf{w}=\mathbf{0}^m$ when the equality $({\mathbf{v}_1^\star}, {\mathbf{v}_2^\star} ) =({\mathbf{v}_1} , {\mathbf{v}_2}) $. Hence, we can only have $\mathbf{w}=\mathbf{0}^m$ when the equality
\begin{multline} \label{final-eq} \begin{multline} \label{final-eq}
\mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 + \mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ = \bit(\mathbf{c}_M) - \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ = \textsf{bin}(\mathbf{c}_M) - \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) \qquad + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) \qquad
\end{multline} \end{multline}
holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}_1$ or $\mathbf{v}_2^\star \ne \mathbf{v}_2$, the left-hand-side member of (\ref{final-eq}) holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}_1$ or $\mathbf{v}_2^\star \ne \mathbf{v}_2$, the left-hand-side member of (\ref{final-eq})
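Review bot: four `\bit` occurrences survive in this hunk, one in each displayed equation and one in the running text: `- \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }` at the end of the multline, `~+ \bit \big( \mathbf{D}_0 \cdot` in the definition of `\mathbf{w}`, `$ \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }` in the sentence after it, and `- \bit \big( \mathbf{D}_0 \cdot` in (\ref{final-eq}). Each of these expressions now mixes `\textsf{bin}` and `\bit` for the same function, which will confuse a reader checking that `\mathbf{w}` is the difference of two binary expansions; either replace these too or redefine the macro. The `\bigr) \mod q .` on the last line of the multline has the same `\mod` versus `\bmod` inconsistency as the previous hunk.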
@ -824,8 +824,8 @@ In the notations hereunder, for any positive integers $\mathfrak{n}$, and $q \ge
\begin{eqnarray*} \begin{eqnarray*}
\mathbf{H}_{\mathfrak{n} \times \mathfrak{n} \lceil\log q\rceil } &=& \mathbf{I}_{\mathfrak{n}} \otimes [1 \mid 2 \mid 4 \mid \ldots \mid 2^{\lceil\log q\rceil-1} ] . \mathbf{H}_{\mathfrak{n} \times \mathfrak{n} \lceil\log q\rceil } &=& \mathbf{I}_{\mathfrak{n}} \otimes [1 \mid 2 \mid 4 \mid \ldots \mid 2^{\lceil\log q\rceil-1} ] .
\end{eqnarray*} \end{eqnarray*}
Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\bit(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion. Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\textsf{bin}(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion.
Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$. Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \textsf{bin}(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$.
In our scheme, each group membership certificate is a In our scheme, each group membership certificate is a
signature generated by the group manager on the user's public key. Since the group manager only needs to sign known (rather than committed) messages, we can signature generated by the group manager on the user's public key. Since the group manager only needs to sign known (rather than committed) messages, we can
@ -847,7 +847,7 @@ identify $\mathcal{U}_i$.
providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$
for which he also knows a short $\mathbf{z}_i \in \ZZ^{4m}$ for which he also knows a short $\mathbf{z}_i \in \ZZ^{4m}$
such that such that
$ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$. $ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$.
Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures
\cite{AFG+10}, the joining protocol thus remains secure in environments where many users want \cite{AFG+10}, the joining protocol thus remains secure in environments where many users want
@ -925,7 +925,7 @@ $\mathbf{d}_i = \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end
\mathbf{A}_{\mathsf{id}_i} \cdot \mathbf{d}_i &=& \left[ \begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 + \mathbf{A}_{\mathsf{id}_i} \cdot \mathbf{d}_i &=& \left[ \begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \mathsf{id}_i[j] \mathbf{A}_j \sum_{j=1}^\ell \mathsf{id}_i[j] \mathbf{A}_j
\end{array} \right] \cdot \mathbf{d}_i\\ \end{array} \right] \cdot \mathbf{d}_i\\
\label{rel-cert} &=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) \bmod q. \quad \label{rel-cert} &=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) \bmod q. \quad
\end{eqnarray} \end{eqnarray}
The triple $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ is sent to $\mathcal{U}_i$. Then, The triple $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ is sent to $\mathcal{U}_i$. Then,
$\mathsf{J}_{\user}$ verifies that the received $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ satisfies (\ref{rel-cert}) and that $\mathsf{J}_{\user}$ verifies that the received $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ satisfies (\ref{rel-cert}) and that
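Review bot: in (\ref{rel-cert}) only the inner occurrence was replaced, so the changed line reads `\mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr)` with both spellings in a single expression. The outer `\bit \bigl(` denotes the same binary-expansion map and should become `\textsf{bin}\bigl(` as well (or the macro should be redefined once), otherwise the equation looks like it applies two different functions.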
@ -948,10 +948,10 @@ member $\mathcal{U}_i$ generates a one-time signature key pair $(\mathsf{VK},\ma
\begin{itemize} \begin{itemize}
\item[1.] Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{ n \times 2m}$ and use it as an IBE public key to encrypt \item[1.] Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{ n \times 2m}$ and use it as an IBE public key to encrypt
$\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ is the syndrome of $\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ is the syndrome of
$\scr_i=\mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $ \mathbf{c}_{\mathbf{v}_i} \in \ZZ_q^m \times \ZZ_q^{2m}$ as $\scr_i=\mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $ \mathbf{c}_{\mathbf{v}_i} \in \ZZ_q^m \times \ZZ_q^{2m}$ as
\begin{eqnarray} \label{enc1} \begin{eqnarray} \label{enc1}
\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \bit(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad \mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \textsf{bin}(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad
\end{eqnarray} \end{eqnarray}
for randomly chosen $\mathbf{e}_0 \sample \chi^n$, $\mathbf{x}_1 \sample \chi^m, \mathbf{x}_2 \sample \chi^{2m} $. for randomly chosen $\mathbf{e}_0 \sample \chi^n$, $\mathbf{x}_1 \sample \chi^m, \mathbf{x}_2 \sample \chi^{2m} $.
Notice that, as in the construction of \cite{LNW15}, the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version Notice that, as in the construction of \cite{LNW15}, the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version
@ -959,7 +959,7 @@ of the dual Regev encryption scheme.
\item[2.] Run the protocol in Section~\ref{subsection:zk-for-group-signature} to prove the knowledge of $\mathsf{id}_i \item[2.] Run the protocol in Section~\ref{subsection:zk-for-group-signature} to prove the knowledge of $\mathsf{id}_i
\in \{0,1\}^{\ell}$, \in \{0,1\}^{\ell}$,
vectors $\mathbf{s}_i \in \ZZ^{2m}, \mathbf{d}_{i,1},\mathbf{d}_{i,2} \in \ZZ^{m},\mathbf{z}_i \in \ZZ^{4m}$ with infinity norm bound $\beta $; $\mathbf{e}_0 \in \ZZ^n$, $\mathbf{x}_1 \in \ZZ^m, \mathbf{x}_2 \in \ZZ^{2m} $ with infinity norm bound $B$ vectors $\mathbf{s}_i \in \ZZ^{2m}, \mathbf{d}_{i,1},\mathbf{d}_{i,2} \in \ZZ^{m},\mathbf{z}_i \in \ZZ^{4m}$ with infinity norm bound $\beta $; $\mathbf{e}_0 \in \ZZ^n$, $\mathbf{x}_1 \in \ZZ^m, \mathbf{x}_2 \in \ZZ^{2m} $ with infinity norm bound $B$
and $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that satisfy and $\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that satisfy
\eqref{enc1} as well as \eqref{enc1} as well as
\begin{eqnarray} \label{rel-deux} \begin{eqnarray} \label{rel-deux}
\mathbf{A} \cdot \mathbf{d}_{i,1} + \mathbf{A}_0 \cdot \mathbf{d}_{i,2} + \sum_{j=1}^{\ell} ( \mathsf{id}_i[j] \cdot \mathbf{d}_{i,2}) \cdot \mathbf{A}_j \mathbf{A} \cdot \mathbf{d}_{i,1} + \mathbf{A}_0 \cdot \mathbf{d}_{i,2} + \sum_{j=1}^{\ell} ( \mathsf{id}_i[j] \cdot \mathbf{d}_{i,2}) \cdot \mathbf{A}_j
@ -970,8 +970,8 @@ and
\begin{eqnarray} \label{eq:rel-3} \begin{eqnarray} \label{eq:rel-3}
\left\{ \left\{
\begin{array}{l} \begin{array}{l}
\mathbf{H}_{2n \times m} \cdot \mathbf{w}_{i} = \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \ZZ_q^{2n} \\ \mathbf{H}_{2n \times m} \cdot \mathbf{w}_{i} = \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \ZZ_q^{2n} \\
\mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) \in \ZZ_q^{4n}. \mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v}_i) \in \ZZ_q^{4n}.
\end{array} \end{array}
\right. \right.
\end{eqnarray} \end{eqnarray}
@ -1006,9 +1006,9 @@ in~(\ref{eq:sig-final}). \smallskip
Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{n \times 2m}$. Then, using $\mathbf{T}_{\mathbf{B}}$ Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{n \times 2m}$. Then, using $\mathbf{T}_{\mathbf{B}}$
to compute a small-norm matrix to compute a small-norm matrix
$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $. $\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.
\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\bit(\mathbf{v} ) \in \{0,1\}^{2m}$ \item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}$
(i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip (i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip
\item[3.] Determine if the $\bit(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so, \item[3.] Determine if the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$. output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.
\end{itemize} \end{itemize}
\end{description} \end{description}
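Review bot: the changed lines are fine, but the context sentence just above them, `Then, using $\mathbf{T}_{\mathbf{B}}$ to compute a small-norm matrix $\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that ...`, has no main verb; `Then, use $\mathbf{T}_{\mathbf{B}}$ to compute` reads correctly and matches the imperative style of the other steps (`Compute`, `Determine`).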
@ -1017,7 +1017,7 @@ We remark that the scheme readily extends to provide a mechanism whereby the ope
The difference between the dynamic group signature models suggested by Kiayias and Yung \cite{KY06} and Bellare \textit{et al.} \cite{BSZ05} is that, in the latter, the opening authority The difference between the dynamic group signature models suggested by Kiayias and Yung \cite{KY06} and Bellare \textit{et al.} \cite{BSZ05} is that, in the latter, the opening authority
($\mathsf{OA}$) must be able to convince a judge that the $\mathsf{Open}$ algorithm was run correctly. ($\mathsf{OA}$) must be able to convince a judge that the $\mathsf{Open}$ algorithm was run correctly.
Here, such a mechanism can be realized using the techniques of public-key encryption with non-interactive opening \cite{DHKT08}. Namely, since Here, such a mechanism can be realized using the techniques of public-key encryption with non-interactive opening \cite{DHKT08}. Namely, since
$\bit(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\vk$, the $\mathsf{OA}$ can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}} $, $\textsf{bin}(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\vk$, the $\mathsf{OA}$ can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}} $,
that satisfies $\mathbf{B} \cdot \mathbf{E}_{0,\vk} = \mathbf{G}_0 \bmod q$ (which corresponds to the verification of a GPV signature) and allows the verifier to perform step 2 of the opening that satisfies $\mathbf{B} \cdot \mathbf{E}_{0,\vk} = \mathbf{G}_0 \bmod q$ (which corresponds to the verification of a GPV signature) and allows the verifier to perform step 2 of the opening
algorithm himself. The resulting construction is easily seen to satisfy the notion of opening soundness of Sakai \textit{et al.} \cite{SSE+12}. algorithm himself. The resulting construction is easily seen to satisfy the notion of opening soundness of Sakai \textit{et al.} \cite{SSE+12}.
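Review bot: the opening-soundness sentence names the same decryption matrix two ways, `\mathbf{E}_{0,\mathsf{VK}}` on the changed line and `\mathbf{E}_{0,\vk}` in `\mathbf{B} \cdot \mathbf{E}_{0,\vk} = \mathbf{G}_0 \bmod q` on the next one (and the identity is written `\vk` here but `\mathsf{VK}` in the Open algorithm above). Pick one form so the reader sees that step 2 of opening uses exactly the matrix the $\mathsf{OA}$ reveals.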
@ -1077,7 +1077,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
extractor will reveal an $\ell$-bit identifier that coincides with the identifier $\mathsf{id}^\dagger$ assigned to the user introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query. extractor will reveal an $\ell$-bit identifier that coincides with the identifier $\mathsf{id}^\dagger$ assigned to the user introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query.
The last case $coin=2$ corresponds to $\bdv$'s expectation that decrypting $\mathbf{c}_{\mathbf{v}_i}^\star$ (which is part of $\Sigma^\star$) and running The last case $coin=2$ corresponds to $\bdv$'s expectation that decrypting $\mathbf{c}_{\mathbf{v}_i}^\star$ (which is part of $\Sigma^\star$) and running
the knowledge extractor on $\adv$ will uncover vectors $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$, $\mathbf{w}^\star \in \{0,1\}^m$ and $\mathbf{s}^\star \in \ZZ^{2m}$ the knowledge extractor on $\adv$ will uncover vectors $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$, $\mathbf{w}^\star \in \{0,1\}^m$ and $\mathbf{s}^\star \in \ZZ^{2m}$
such that $\mathbf{w}^\star= \bit(\mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and such that $\mathbf{w}^\star= \textsf{bin}(\mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and
\begin{eqnarray} \label{collide} \begin{eqnarray} \label{collide}
\bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) = \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr) \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) = \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr)
\end{eqnarray} \end{eqnarray}
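Review bot: the replacement stops one line early and one line late: `\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}` in the sentence before the changed line and all four `\bit` in (\ref{collide}) are untouched, so the displayed collision equation uses `\bit` while the sentence introducing it, `\mathbf{w}^\star= \textsf{bin}(\mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )`, uses `\textsf{bin}` for the very same quantities. These should be changed together, since the argument that (\ref{collide}) is a collision depends on the reader identifying both sides with the map defined in the changed line.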
@ -1178,7 +1178,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\begin{bmatrix} \begin{bmatrix}
\mathbf{d}_{i^\star,1} \\ \hline \mathbf{d}_{i^\star,2} \mathbf{d}_{i^\star,1} \\ \hline \mathbf{d}_{i^\star,2}
\end{bmatrix} \end{bmatrix}
- \mathbf{D} \cdot \bit(\mathbf{c}_M), - \mathbf{D} \cdot \textsf{bin}(\mathbf{c}_M),
\end{eqnarray} \end{eqnarray}
where where
$\mathbf{c}_{M} \sample (\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1} $\mathbf{c}_{M} \sample (\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1}
@ -1208,7 +1208,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
$\mathrm{Verify}_{\mathsf{upk}[i]}(\mathbf{v}_{i},sig_i)=1$, $\bdv$ samples $\mathbf{s}_i \sample D_{\ZZ^{2m},\sigma}$ and uses the trapdoor $\mathbf{T}_{\mathbf{C}}$ to compute a short vector $\mathrm{Verify}_{\mathsf{upk}[i]}(\mathbf{v}_{i},sig_i)=1$, $\bdv$ samples $\mathbf{s}_i \sample D_{\ZZ^{2m},\sigma}$ and uses the trapdoor $\mathbf{T}_{\mathbf{C}}$ to compute a short vector
$\mathbf{d}_i=[\mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T]^T \in \ZZ^{2m}$ such that $\mathbf{d}_i=[\mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T]^T \in \ZZ^{2m}$ such that
\begin{eqnarray} \label{sim-cert} \begin{eqnarray} \label{sim-cert}
\mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) , \mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
\end{eqnarray} \end{eqnarray}
where $\mathbf{A}_{\mathsf{id}_i} \in \Zq^{n \times 2m}$ is the matrix in (\ref{sim-matr}). Note that $\bdv$ is able to compute such a vector using the $\mathsf{SampleRight}$ where $\mathbf{A}_{\mathsf{id}_i} \in \Zq^{n \times 2m}$ is the matrix in (\ref{sim-matr}). Note that $\bdv$ is able to compute such a vector using the $\mathsf{SampleRight}$
algorithm of \cite{ABB10} (since the Hamming distance $h_{\mathsf{id}_i}$ between $\mathsf{id}_i$ and $\mathsf{id}^\star$ is non-zero). The membership certificate algorithm of \cite{ABB10} (since the Hamming distance $h_{\mathsf{id}_i}$ between $\mathsf{id}_i$ and $\mathsf{id}^\star$ is non-zero). The membership certificate
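Review bot: as in (\ref{rel-cert}), only the inner occurrence in (\ref{sim-cert}) was replaced: `\mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr)`. The outer `\bit \bigl(` should change too, so that the simulated certificate relation (\ref{sim-cert}) is visibly the same relation as (\ref{rel-cert}) in the real joining protocol.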
@ -1235,7 +1235,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor
$\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that
\begin{eqnarray*} \begin{eqnarray*}
\mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) , \mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
\end{eqnarray*} \end{eqnarray*}
where $\mathbf{v}_{i} \in \Zq^{4n}$ is the syndrome chosen by $\adv$ at step 1 of the joining protocol. where $\mathbf{v}_{i} \in \Zq^{4n}$ is the syndrome chosen by $\adv$ at step 1 of the joining protocol.
\item[-] If $i = i^\star$, $\bdv$ undertakes to generate a membership certificate $\crt_{i^\star}$ for the $\ell$-bit identifier $\mathsf{id}^\dagger \in \{0,1\}^\ell$ that was \item[-] If $i = i^\star$, $\bdv$ undertakes to generate a membership certificate $\crt_{i^\star}$ for the $\ell$-bit identifier $\mathsf{id}^\dagger \in \{0,1\}^\ell$ that was
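Review bot: the displayed equation in this hunk opens a parenthesis that is never closed: "\mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr)". The same certificate equation (\ref{sim-cert}) in the previous hunk has no "(" before the binary decomposition, so the stray "(" should be dropped here while the line is being touched. As above, the outer "\bit \bigl( ... \bigr)" is left unrenamed while the inner one becomes \textsf{bin}.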
@ -1244,9 +1244,9 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
the vector $\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2} \in \ZZ^m$ and $\mathbf{c}_M \in \Zq^{2n}$ that were used to define $\mathbf{u} \in \Zq^n$ in (\ref{def-u}) and using $\mathbf{T}_{\mathbf{D}_1}$. If $\adv$ provides a correct signature the vector $\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2} \in \ZZ^m$ and $\mathbf{c}_M \in \Zq^{2n}$ that were used to define $\mathbf{u} \in \Zq^n$ in (\ref{def-u}) and using $\mathbf{T}_{\mathbf{D}_1}$. If $\adv$ provides a correct signature
$sig_{i^\star}$ such that $sig_{i^\star}$ such that
$\mathrm{Verify}_{\mathsf{upk}[i^\star]}(\mathbf{v}_{i^\star},sig_{i^\star})=1$, $\mathrm{Verify}_{\mathsf{upk}[i^\star]}(\mathbf{v}_{i^\star},sig_{i^\star})=1$,
$\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_1}$ of $\Lambda_q^\perp (\mathbf{D}_1)$ to sample a short vector $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ of $D_{\Lambda_q^{\mathbf{c}_{i^\star}}(\mathbf{D}_1),\sigma}$, where $\mathbf{c}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \bmod q $, $\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_1}$ of $\Lambda_q^\perp (\mathbf{D}_1)$ to sample a short vector $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ of $D_{\Lambda_q^{\mathbf{c}_{i^\star}}(\mathbf{D}_1),\sigma}$, where $\mathbf{c}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}_{i^\star}) \bmod q $,
satisfying satisfying
$$ \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) ~\bmod q , $$ $$ \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}_{i^\star}) ~\bmod q , $$
before returning $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} =[ \mathbf{d}_{i^\star,1}^T \mid \mathbf{d}_{i^\star,2}^T]^T,\mathbf{s}_{i^\star})$ before returning $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} =[ \mathbf{d}_{i^\star,1}^T \mid \mathbf{d}_{i^\star,2}^T]^T,\mathbf{s}_{i^\star})$
to $\adv$. From the definition of $\mathbf{u} \in \Zq^n$ (\ref{def-u}), it is easy to see that $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} ,\mathbf{s}_{i^\star})$ forms a valid membership certificate for to $\adv$. From the definition of $\mathbf{u} \in \Zq^n$ (\ref{def-u}), it is easy to see that $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} ,\mathbf{s}_{i^\star})$ forms a valid membership certificate for
any membership secret $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ corresponding to the syndrome $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$. any membership secret $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ corresponding to the syndrome $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$.
@ -1261,7 +1261,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\textbf{Forgery.} When $\adv$ halts, it outputs a \textbf{Forgery.} When $\adv$ halts, it outputs a
signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the
trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$. trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^m$.
If we parse the proof $\pi_K^\star$ as If we parse the proof $\pi_K^\star$ as
$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$, $(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$,
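Review bot: this hunk calls the decrypted value an "$m$-bit string \textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^m", but the same object is typed \{0,1\}^{2m} in the \mathsf{fail} cases of this proof, \textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m} in the non-frameability simulation, and is added to \mathbf{r}_2 \in \Zq^{2m} in the last hunk of this commit. The non-frameability lines "must reveal the $m$-bit string \textsf{bin}(\mathbf{v}_{i^\star}) \in \{0,1\}^m" and "open to the same $m$-bit string" carry the same mismatch. Since every occurrence is being rewritten anyway, settle the length (apparently $2m$) in one pass.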
@ -1301,7 +1301,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
such that such that
\begin{eqnarray*} \begin{eqnarray*}
\mathbf{A}_{\mathsf{id}^\star } \cdot \begin{bmatrix} \mathbf{d}_{1}^\star \\ \hline \mathbf{d}_{2}^\star \end{bmatrix} &=& \mathbf{u} + \mathbf{D} \cdot \mathbf{w}^\star \\ \mathbf{A}_{\mathsf{id}^\star } \cdot \begin{bmatrix} \mathbf{d}_{1}^\star \\ \hline \mathbf{d}_{2}^\star \end{bmatrix} &=& \mathbf{u} + \mathbf{D} \cdot \mathbf{w}^\star \\
\mathbf{w}^\star &=& \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) , \mathbf{w}^\star &=& \bit \bigl( \mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) ,
\end{eqnarray*} \end{eqnarray*}
At this point, $\bdv$ aborts and At this point, $\bdv$ aborts and
declares failure in the following situations: declares failure in the following situations:
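Review bot: same two problems as in the (\ref{sim-cert}) rewrite. The \mathbf{w}^\star line keeps the outer \bit while renaming only the inner one, and it carries an unmatched "(" in "\mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr)". The later display "\mathbf{w}^\star = \textsf{bin}( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )" in this commit is the balanced, fully renamed form; make this one match it.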
@ -1312,11 +1312,11 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\item[-] $coin=1$ but $\mathsf{id}^\star \in \{0,1\}^\ell$ never appeared in a membership certificate returned by the $\mathcal{Q}_{\ajoin}$ oracle. \item[-] $coin=1$ but $\mathsf{id}^\star \in \{0,1\}^\ell$ never appeared in a membership certificate returned by the $\mathcal{Q}_{\ajoin}$ oracle.
\item[-] $coin=1$ and $\mathsf{id}^\star \in \{0,1\}^{\ell}$ belongs to some user in $U^a$, but this user is not the one introduced at the $i^\star$-th \item[-] $coin=1$ and $\mathsf{id}^\star \in \{0,1\}^{\ell}$ belongs to some user in $U^a$, but this user is not the one introduced at the $i^\star$-th
$\mathcal{Q}_{\ajoin}$-query (i.e., $i^\star \neq i^\dagger$ and $\mathsf{id}^\star \neq \mathsf{id}^\dagger$). $\mathcal{Q}_{\ajoin}$-query (i.e., $i^\star \neq i^\dagger$ and $\mathsf{id}^\star \neq \mathsf{id}^\dagger$).
\item[-] $coin=1$ and the knowledge extractor revealed vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ \item[-] $coin=1$ and the knowledge extractor revealed vectors $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$
satisfying the collision (\ref{collide}), satisfying the collision (\ref{collide}),
where $ \bit(\mathbf{v}_{i^\star})$ and $\mathbf{s}_{i^\star}$ are the vectors where $ \textsf{bin}(\mathbf{v}_{i^\star})$ and $\mathbf{s}_{i^\star}$ are the vectors
involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$ query. involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$ query.
\item[-] $coin=2$ and the knowledge extraction yields vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision \item[-] $coin=2$ and the knowledge extraction yields vectors $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
(\ref{collide}) does not occur. (\ref{collide}) does not occur.
\end{itemize} \end{itemize}
We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample (\{0,1,2\})$ and $i^\star \sample ([1,Q_a])$ are completely independent of $\adv$'s view, We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample (\{0,1,2\})$ and $i^\star \sample ([1,Q_a])$ are completely independent of $\adv$'s view,
@ -1331,7 +1331,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\item If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector \item If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector
\begin{eqnarray*} \begin{eqnarray*}
\mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D \mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D
\cdot \bit(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m \cdot \textsf{bin}(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
\end{eqnarray*} \end{eqnarray*}
such that $ \bar{\mathbf{A}}_1 \cdot \mathbf{h} = \mathbf{0}^m \bmod q$. Moreover, such that $ \bar{\mathbf{A}}_1 \cdot \mathbf{h} = \mathbf{0}^m \bmod q$. Moreover,
we have $\mathbf{h} \neq \mathbf{0}^m$ w.h.p. since the syndrome $\mathbf{u} \in \Zq^n$ statistically hides we have $\mathbf{h} \neq \mathbf{0}^m$ w.h.p. since the syndrome $\mathbf{u} \in \Zq^n$ statistically hides
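Review bot: check which vector the \mathbf{Q}_D term multiplies. The relation extracted from the forgery in the previous hunks is \mathbf{A}_{\mathsf{id}^\star} \cdot [\mathbf{d}_1^\star \mid \mathbf{d}_2^\star] = \mathbf{u} + \mathbf{D} \cdot \mathbf{w}^\star with \mathbf{w}^\star = \bit(\mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star), so the SIS solution built from it would subtract \mathbf{Q}_D \cdot \mathbf{w}^\star rather than \mathbf{Q}_D \cdot \textsf{bin}(\mathbf{v}^\star), unless \mathbf{Q}_D is defined against \mathbf{v}^\star directly elsewhere; if it is, a pointer to that definition next to the equation would help. Minor: with \mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \in \Zq^n and \mathbf{e}_u \in \ZZ^m, the product \bar{\mathbf{A}}_1 \cdot \mathbf{h} lives in \Zq^n, so "\mathbf{0}^m" on the next line should read \mathbf{0}^n.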
@ -1340,9 +1340,9 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance. This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance.
\item If $coin=1$, the extracted \item If $coin=1$, the extracted
witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\bit(\mathbf{v}^\star)$ witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\textsf{bin}(\mathbf{v}^\star)$
satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star ) satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \textsf{bin}( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
\neq \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$ \neq \textsf{bin}( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
(since $\neg \mathsf{fail}$ implies that the collision (\ref{collide}) did not occur if $coin=1$) (since $\neg \mathsf{fail}$ implies that the collision (\ref{collide}) did not occur if $coin=1$)
and and
\begin{align} \label{rel1} \begin{align} \label{rel1}
@ -1382,10 +1382,10 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance. so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance.
\item If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector \item If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector
$$\mathbf{h}=\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in $$\mathbf{h}=\textsf{bin}(\mathbf{v}^\star) - \textsf{bin}(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has
norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability
given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$. given that $\textsf{bin}(\mathbf{v}^\star) \neq \textsf{bin}(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
\end{itemize} \end{itemize}
\end{proof} \end{proof}
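Review bot: the collision vector mixes two subscript conventions: \textsf{bin}(\mathbf{v}_i^\star) and \mathbf{s}_i^\star here, versus \textsf{bin}(\mathbf{v}_{i^\star}) and \mathbf{s}_{i^\star} in the \mathsf{fail} list and the coin=1 case. \mathbf{v}_i^\star reads as a starred variant of \mathbf{v}_i rather than the syndrome of user i^\star; use \mathbf{v}_{i^\star} and \mathbf{s}_{i^\star} on both lines of this hunk, which is also what the "given that \textsf{bin}(\mathbf{v}^\star) \neq \textsf{bin}(\mathbf{v}_i^\star)" justification needs to refer to.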
@ -1431,7 +1431,7 @@ Then, $\bdv$ starts interacting with $\adv$ as follows.
$\bdv$ recalls the vector $\mathbf{z}_i \in \ZZ^{4m}$ that was chosen to define the syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i$ at step 1 of the $\mathsf{Join}$ protocol as well as $\bdv$ recalls the vector $\mathbf{z}_i \in \ZZ^{4m}$ that was chosen to define the syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i$ at step 1 of the $\mathsf{Join}$ protocol as well as
the identifier $\mathsf{id}_i \in \{0,1\}^\ell$ and the short vectors $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i) $ the identifier $\mathsf{id}_i \in \{0,1\}^\ell$ and the short vectors $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i) $
that were supplied by $\adv$ in an earlier $Q_{\bjoin}$-query. It faithfully computes a signature by IBE-encrypting that were supplied by $\adv$ in an earlier $Q_{\bjoin}$-query. It faithfully computes a signature by IBE-encrypting
$\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$ and using $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)$ to compute a witness indistinguishable proof $\pi_K=( $\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$ and using $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)$ to compute a witness indistinguishable proof $\pi_K=(
\{\mathsf{Comm}_{K,j}\}_{j=1}^t,\mathsf{Chall}_K,\{\mathsf{Resp}_{K,j}\}_{j=1}^t)$. \{\mathsf{Comm}_{K,j}\}_{j=1}^t,\mathsf{Chall}_K,\{\mathsf{Resp}_{K,j}\}_{j=1}^t)$.
Finally, $\bdv$ computes a one-time signature Finally, $\bdv$ computes a one-time signature
$sig=\mathcal{S}(\mathsf{SK},(\mathbf{c}_{\mathbf{v}_i},\pi_K))$ and returns the signature $sig=\mathcal{S}(\mathsf{SK},(\mathbf{c}_{\mathbf{v}_i},\pi_K))$ and returns the signature
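Review bot: the witness tuple "(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)" lists \mathbf{s}_i twice; one copy should go, or the second component is a different secret that needs its own name. Style: "$Q_{\bjoin}$" is set in plain math here while the other oracles on this page are written \mathcal{Q}_{\ajoin}.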
@ -1442,7 +1442,7 @@ $ \Sigma^\star = \big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \pi_
for for
some message $M^\star$, which opens to ${i^\star} \in some message $M^\star$, which opens to ${i^\star} \in
U^b$ although user $i^\star$ did not sign the message $M^\star$ at any time. Since $(M^\star,\Sigma^\star)$ supposedly frames user $i^\star$, the opening of U^b$ although user $i^\star$ did not sign the message $M^\star$ at any time. Since $(M^\star,\Sigma^\star)$ supposedly frames user $i^\star$, the opening of
$\Sigma^\star$ must reveal the $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$. We note that the reduction $\bdv$ has $\Sigma^\star$ must reveal the $m$-bit string $\textsf{bin}(\mathbf{v}_{i^\star}) \in \{0,1\}^m$. We note that the reduction $\bdv$ has
recollection of a short vector $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ (of norm $\| \mathbf{z}_{i^\star} \| < 2\sigma \sqrt{m}$) recollection of a short vector $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ (of norm $\| \mathbf{z}_{i^\star} \| < 2\sigma \sqrt{m}$)
such that $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$ which it such that $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$ which it
chose when running $\mathsf{J}_{\mathsf{user}}$ on behalf of user $i^\star$ when this user was introduced in the group. Hence, chose when running $\mathsf{J}_{\mathsf{user}}$ on behalf of user $i^\star$ when this user was introduced in the group. Hence,
@ -1481,9 +1481,9 @@ tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\maths
pairwise distinct answers pairwise distinct answers
$\mathsf{Chall}_{\kappa^\star}^{(1)} , $\mathsf{Chall}_{\kappa^\star}^{(1)} ,
\mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)} \in \{1,2,3\}^t$. Since the forgeries of the $3$-fork all correspond to the tuple $ (M^\star, \mathsf{VK}^\star , \mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)} \in \{1,2,3\}^t$. Since the forgeries of the $3$-fork all correspond to the tuple $ (M^\star, \mathsf{VK}^\star ,
\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$, they open to the same $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$ and \mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$, they open to the same $m$-bit string $\textsf{bin}(\mathbf{v}_{i^\star}) \in \{0,1\}^m$ and
which is uniquely determined which is uniquely determined
by $\mathbf{c}_{\mathbf{v}}^\star$. In turn, this implies that the three forgeries all reveal the same $\bit(\mathbf{v}_{i^\star})$ by $\mathbf{c}_{\mathbf{v}}^\star$. In turn, this implies that the three forgeries all reveal the same $\textsf{bin}(\mathbf{v}_{i^\star})$
at the second step of $\mathsf{Open}$. at the second step of $\mathsf{Open}$.
With probability $1-(7/9)^t$ it can be shown that there exists $j \in \{1,\ldots,t\}$ such that the $j$-th bits With probability $1-(7/9)^t$ it can be shown that there exists $j \in \{1,\ldots,t\}$ such that the $j$-th bits
of $\mathsf{Chall}_{\kappa^\star}^{(1)} , of $\mathsf{Chall}_{\kappa^\star}^{(1)} ,
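Review bot: "they open to the same $m$-bit string \textsf{bin}(\mathbf{v}_{i^\star}) \in \{0,1\}^m and which is uniquely determined by \mathbf{c}_{\mathbf{v}}^\star" does not parse; drop the "and" (or write "a string which is uniquely determined"). The "$m$-bit" / \{0,1\}^m length also disagrees with \{0,1\}^{2m} used for the same decomposition in the misidentification proof's \mathsf{fail} cases and in the Q_{\bjoin} simulation above; whichever is right, this line should use it.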
@ -1568,7 +1568,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
Instead of using the real encryption algorithm of the GPV IBE to compute $\mathbf{c}_{\mathbf{v}_d}^\star$ as the encryption of $\mathbf{v}_d^\star = \mathbf{F} \cdot \mathbf{z}_d \in \Zq^{4n}$, we return truly random Instead of using the real encryption algorithm of the GPV IBE to compute $\mathbf{c}_{\mathbf{v}_d}^\star$ as the encryption of $\mathbf{v}_d^\star = \mathbf{F} \cdot \mathbf{z}_d \in \Zq^{4n}$, we return truly random
ciphertexts. In other words, we let ciphertexts. In other words, we let
\[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix} \[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix}
\mathbf{r}_1 \\ \mathbf{r}_2 + \bit(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor \mathbf{r}_1 \\ \mathbf{r}_2 + \textsf{bin}(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
\end{pmatrix}, \] \end{pmatrix}, \]
%where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and %where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and
where $\mathbf{r}_1 \sample (\Zq^{m})$, $\mathbf{r}_2 \sample (\Zq^{2m})$ are uniformly random. where $\mathbf{r}_1 \sample (\Zq^{m})$, $\mathbf{r}_2 \sample (\Zq^{2m})$ are uniformly random.
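Review bot: the commented-out line "%where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $" refers to an index i_b that the surrounding text no longer uses (it now writes \mathbf{v}_d^\star = \mathbf{F} \cdot \mathbf{z}_d); since the neighbouring line is being rewritten, delete the dead comment rather than carry it along. The font point applies to this line as well: \textsf is a text-mode command, so inside the ciphertext display it should be \mathsf{bin}, matching the \mathsf identifiers used elsewhere in the math.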