From 793d532abc671f3011237c519c5ab631a294e420 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Thu, 17 May 2018 14:13:28 +0200 Subject: [PATCH] Typos --- chap-OT-LWE.tex | 834 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 824 insertions(+), 10 deletions(-) diff --git a/chap-OT-LWE.tex b/chap-OT-LWE.tex index 3993ac7..835a2ee 100644 --- a/chap-OT-LWE.tex +++ b/chap-OT-LWE.tex @@ -9,8 +9,9 @@ This phase ends with the two algorithms $\SI$ and $\RI$ outputting their state i During the $i$-th \textit{transfer}, $1 \leq i \leq k$, both parties run an interactive protocol via the $\RT$ and $\ST$ algorithms. The sender starts runs $\ST(S_{i-1})$ to obtain its updated state information $S_i$ while the receiver runs $\RT(R_{i-1}, \rho_i)$ on input of its previous state $R_{i-1}$ and the index $\rho_i \in \{1, \ldots, N \}$ of the message it wishes to retrieve. At the end, $\RT$ outputs an updated state $R_i$ and a message $M'_{\rho_i}$. - \textit{Correctness} mandates that, for all $M_1, \ldots, M_N$, for all $\rho_1, \ldots, \rho_k \in [ N]$ and all coin tosses $\varpi$ of the (honestly run) algorithms, we have $M'_{\rho_i} = M_{\rho_i}$ for all $i$. \\ -\indent We consider protocols that are secure (against static corruptions) in the sense of simulation-based definitions. The security +\textit{Correctness} mandates that, for all $M_1, \ldots, M_N$, for all $\rho_1, \ldots, \rho_k \in [ N]$ and all coin tosses $\varpi$ of the (honestly run) algorithms, we have $M'_{\rho_i} = M_{\rho_i}$ for all $i$. + +We consider protocols that are secure (against static corruptions) in the sense of simulation-based definitions. The security properties against a cheating sender and a cheating receiver are formalized via the ``real-world/ideal-world'' paradigm. The security definitions of \cite{CNs07} are recalled in the following Section. 
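Review bot: the unchanged context line at the top of this hunk still reads "The sender starts runs $\ST(S_{i-1})$", which is one of the typos this commit is titled for; since the hunk is already touching this paragraph, drop "starts" so it reads "The sender runs $\ST(S_{i-1})$ to obtain its updated state information $S_i$". The replacement of `\\ \indent` by blank-line paragraph breaks is fine and matches what the other hunks do; while here, the stray space in `$\rho_1, \ldots, \rho_k \in [ N]$` could become `[N]` for consistency with the `[N]` used in the ideal experiment below.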
@@ -43,15 +44,16 @@ $R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final output. \medskip \paragraph{Ideal Experiment.} -The experiment $\textbf{Ideal\,}_{\hS', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$ is defined as follows. The (possibly malicious) -algorithm $\hS'(M_1, \ldots, M_N)$ generates messages $M'_1, \ldots, M'_N$ which are given to the trusted party $\mathsf{T}$. In each of the $k$ transfers, $\mathsf{T}$ obtains +We define the experiment $\textbf{Ideal\,}_{\hS', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$ as follows.\\ \smallskip +The (possibly malicious) algorithm $\hS'(M_1, \ldots, M_N)$ generates messages $M'_1, \ldots, M'_N$ which are given to the trusted party $\mathsf{T}$. In each of the $k$ transfers, $\mathsf{T}$ obtains a bit $b_i$ from the sender $\hS'$ and an index $\rho'_i$ from the (possibly malicious) receiver $\hR'(\rho_i)$. If $b_i = 1$, and $\rho_i' \in [N]$, then $\mathsf{T}$ reveals $M'_{\rho_i}$ to the receiver $\hR'$. Otherwise, $\hR'$ receives $\bot$ from $\mathsf{T}$. At the end of the $k$-th transfer, $\hS'$ and $\hR'$ output a string $S_k$ and $R_k$ and the -output of the experiment is the pair $(S_k, R_k)$.\\ -\indent The ideal sender $\mathsf{S}'(M_1,\ldots,M_N)$ is defined the be the sender that sends $(M_1,\ldots,M_N)$ which sends the messages +output of the experiment is the pair $(S_k, R_k)$. + +The ideal sender $\mathsf{S}'(M_1,\ldots,M_N)$ is defined the be the sender that sends $(M_1,\ldots,M_N)$ which sends the messages $(M_1,\ldots,M_N)$ to $\mathsf{T}$ in the initialization phase, sends $b_i=1$ in each transfer and outputs the final state $S_k=\varepsilon$. The honest ideal receiver $\mathsf{R}'$ is defined to be the algorithm that sends $\mathsf{T}$ the real selection index $\rho_i$ at each transfer and eventually outputs the list of all received messages $R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final state. 
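Review bot: the rewritten line "The ideal sender $\mathsf{S}'(M_1,\ldots,M_N)$ is defined the be the sender that sends $(M_1,\ldots,M_N)$ which sends the messages" keeps both the "the be" typo and a duplicated clause, since the next (unchanged) line continues with "$(M_1,\ldots,M_N)$ to $\mathsf{T}$ in the initialization phase"; suggest "is defined to be the sender which sends the messages" so the sentence reads once. Two smaller points in the same hunk: the new first line ends with `as follows.\\ \smallskip` while the rest of this commit replaces forced line breaks by blank lines, so a blank line would be consistent; and in the unchanged description of the trusted party, $\mathsf{T}$ receives $\rho'_i$ from $\hR'$ and checks $\rho_i' \in [N]$ but then "reveals $M'_{\rho_i}$", where the subscript should be the index actually submitted, $M'_{\rho'_i}$.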
@@ -105,10 +107,13 @@ The distribution of outputs of the environment in the different settings is deno \paragraph{Real World.} -We describe the way that real-world algorithms interact when all participants (i.e., the real-world users $\USR_1,\ldots, \USR_{U}$, the database $\mathsf{DB}$ and the issuer $\mathsf{I}$) are honest. The issuer starts by generating a key pair $(PK_I, SK_I) \gets \mathsf{ISetup}(\pp)$, and sends $PK_I$ to all users $\{\USR_i\}_{i=1}^U$ and the database $\mathsf{DB}$.\\ -\indent When $\mathcal E$ sends a message $\bigl(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N\bigr)$ to the database $\mathsf{DB}$, the latter encrypts the database $\mathrm{DB}$ by running $\DBSetup$ and sends the encrypted records to all users.\\ -\indent When $\mathcal E$ sends a message $(\texttt{issue}, {x})$ to user $\USR_i$, this user starts an $\Issue$ protocol with the issuer on common input ${x}$, at the end of which it returns $1$ to the environment if the protocol succeeded or $0$ otherwise.\\ -\indent When $\mathcal E$ sends a message $(\texttt{transfer}, \rho)$ to user $\USR_i$, this user first checks if its credentials $\mathsf{Cred}_\USR$ are sufficient to access the record $M_\rho$. If it is the case, it engages in a $\Transfer$ protocol with the database $\mathsf{DB}$, at the end of which it receives either the message $M_\rho$, or an error symbol $\bot$. If it failed at any steps, the user returns $0$ to $\mathcal E$, or $1$ if it succeeded. +We describe the way that real-world algorithms interact when all participants (i.e., the real-world users $\USR_1,\ldots, \USR_{U}$, the database $\mathsf{DB}$ and the issuer $\mathsf{I}$) are honest. The issuer starts by generating a key pair $(PK_I, SK_I) \gets \mathsf{ISetup}(\pp)$, and sends $PK_I$ to all users $\{\USR_i\}_{i=1}^U$ and the database $\mathsf{DB}$. 
+ +When $\mathcal E$ sends a message $\bigl(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N\bigr)$ to the database $\mathsf{DB}$, the latter encrypts the database $\mathrm{DB}$ by running $\DBSetup$ and sends the encrypted records to all users. + +When $\mathcal E$ sends a message $(\texttt{issue}, {x})$ to user $\USR_i$, this user starts an $\Issue$ protocol with the issuer on common input ${x}$, at the end of which it returns $1$ to the environment if the protocol succeeded or $0$ otherwise. + +When $\mathcal E$ sends a message $(\texttt{transfer}, \rho)$ to user $\USR_i$, this user first checks if its credentials $\mathsf{Cred}_\USR$ are sufficient to access the record $M_\rho$. If it is the case, it engages in a $\Transfer$ protocol with the database $\mathsf{DB}$, at the end of which it receives either the message $M_\rho$, or an error symbol $\bot$. If it failed at any steps, the user returns $0$ to $\mathcal E$, or $1$ if it succeeded. Notice that in this setting, neither the database nor the issuer return any outputs to the environment. \medskip 
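Review bot: in the re-flowed `transfer` paragraph, "If it failed at any steps, the user returns $0$ to $\mathcal E$, or $1$ if it succeeded" should read "at any step"; "If it is the case" reads more naturally as "If so". Otherwise the split of the four `\indent` sentences into separate paragraphs is purely presentational and consistent with the earlier hunks, and the trailing context "Notice that in this setting, neither the database nor the issuer return any outputs to the environment." is untouched, as expected.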
@@ -148,3 +153,812 @@ Moreover, if the issuer colludes with some users, the protocol still provides t %This is captured by the security of the scheme with an honest database. \end{description} +\section{Building Blocks} + +We will use two distinct signature schemes because one of them only needs to be secure in +the sense of a weaker security notion and can be more +efficient. This weaker notion is sufficient to sign the database entries and +allows a better efficiency in the scheme of Section \ref{OT-scheme}. In particular, by making +it stateful (which also suffices since all database entries are signed at once), we +can reduce the public key size to $\log N$ matrices if $N$ is the number of database entries. The second scheme must be stateful and secure in the +standard EUF-CMA sense since the issuer uses it to certify users' attributes. The +signature scheme of \cref{se:gs-lwe-sigep} is only used in the OT-AC protocol of Section \ref{OT-scheme} +while the scheme of Section \ref{RMA-sec} is used in the adaptive OT protocol of Section + \ref{OT-AC-scheme} as well. + +We first use the signature scheme described in \cref{se:gs-lwe-sigep} which extends the +the B\"ohl \textit{et al.} signature~\cite{BHJ+15} in order to sign messages comprised of multiple blocks while keeping the scheme compatible with zero-knowledge proofs. + +\subsection{A Simpler Variant with Bounded-Message Security and Security Against Non-Adaptive Chosen-Message Attacks} \label{RMA-sec} + + +We consider a stateful variant of the scheme in Section \ref{se:gs-lwe-sigep} where a bound $Q \in \mathsf{poly}(n)$ on the number of signed messages is fixed at key generation time. In the context of \OTA, this is sufficient and leads to efficiency improvements. +In the modified scheme hereunder, the string $\tau \in \{0,1\}^\ell$ is an $\ell$-bit counter maintained by the signer to keep track of the number of previously signed messages. 
+\begin{comment} +\begin{description} +\item[\textsf{Keygen}$(1^\lambda,1^N,1^Q)$:] Given a security parameter $\lambda>0$, the desired number of blocks $N = \mathsf{poly}(\lambda)$ and +the number $Q$ of messages to be signed, choose $n = \mathcal{O}(\lambda)$, a prime modulus $q = \widetilde{\mathcal{O}}(Q\cdot n^{4})$, a dimension $m =2n \lceil \log q \rceil $, an integer $\ell = \lceil \log Q \rceil$ and Gaussian parameters $\sigma = \Omega(\sqrt{n\log q}\log n)$. The message space is +$(\{0,1\}^{m_d})^N$, for some $m_d \in \mathsf{poly}(\lambda)$. + \smallskip \smallskip +\begin{itemize} +\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in + \Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of + $\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$. +% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$. +Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$. + \item[2.] Choose random matrices $\mathbf{D} \sample U(\Zq^{n \times m_d})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_N \sample U(\Zq^{n \times m})$ as well as a random vector + $\mathbf{u} \sample U(\Zq^n)$. \smallskip +\end{itemize} + The initial state $\tau$ is set to $\tau=0$. The private key consists of $SK:= + \mathbf{T}_{\mathbf{A}} $ and the public key is $${PK}:=\big( \mathbf{A}, ~ + \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big).$$ + % \smallskip +\item[\textsf{Sign}$\big(SK,\tau, \mathsf{Msg} \big)$:] To sign an $N$-block message + $\mathsf{Msg}=\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right) \in \left(\{0,1\}^{m_d} \right)^N$, \smallskip +\begin{itemize} +\item[1.] Increment the counter $\tau $ by setting $\tau:=\tau+1$ and interpret it as a binary string $\tau \in \{0,1\}^\ell $. 
Then, using $SK:= + \mathbf{T}_{\mathbf{A}} $, compute a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$ +for the matrix +\begin{eqnarray} \label{tau-matrix} + \mathbf{A}_{\tau}= + [ \mathbf{A} \mid \mathbf{A}_0 + +\sum_{j=1}^\ell \tau[j] \cdot \mathbf{A}_j +] \in \Zq^{ n \times 2m}. +\end{eqnarray} + \item[2.] Choose a discrete Gaussian vector $\mathbf{r} \sample D_{\ZZ^{m},\sigma }$. Compute the vector $\mathbf{c}_M \in \Zq^{n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$. Namely, compute + $$\mathbf{c}_M = \mathbf{D}_{0} \cdot \mathbf{r} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{n} ,$$ +which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \mathsf{vdec}_{n,q-1}( \mathbf{c}_M) \in \Zq^n .$ + Then, + using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$. +\end{itemize} +Output the signature $sig=(\tau,\mathbf{v},\mathbf{r}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^m$. \smallskip +\item[\textsf{Verify}$\big(PK,\mathsf{Msg},sig\big)$:] Given $PK$, a message $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^{m})^N$ and a purported +signature $sig=(\tau,\mathbf{v},\mathbf{r}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{m}$, +return $1$ if +\begin{eqnarray} \label{ver-eq-block} + \mathbf{A}_{\tau} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathsf{vdec}_{n,q-1}( \mathbf{D}_0 \cdot \mathbf{r} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q. +\end{eqnarray} + and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, $\| \mathbf{r} \| < \sigma \sqrt{m}$. +\end{description} + +\end{comment} +This simplified variant resembles + the $\mathsf{SIS}$-based signature scheme of B\"ohl \textit{et al.} \cite{BHJ+15}. 
\\ +\indent In this version, the message space is $ \{0,1\}^{n \lceil \log q \rceil} $ so that vectors of $\Zq^n$ can be signed by first decomposing them using +$\mathsf{vdec}_{n,q-1}(.)$. + +\begin{description} +\item[\textsf{Keygen}$(1^\lambda,1^Q)$:] Given $\lambda>0$ and the maximal number $Q \in \mathsf{poly}(\lambda)$ of signatures, choose $n = \mathcal{O}(\lambda)$, a prime $q = \widetilde{\mathcal{O}}(Q \cdot n^{4})$, $m =2n \lceil \log q \rceil $, an integer $\ell = \lceil \log Q \rceil$ and Gaussian parameters $\sigma = \Omega(\sqrt{n\log q}\log n)$. The message space is $ \{0,1\}^{m_d} $, for some $m_d \in \mathsf{poly}(\lambda)$ with $m_d \geq m$. + \smallskip \smallskip +\begin{itemize} +\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in + \Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of + $\Lambda_q^{\perp}(\mathbf{A}),$ which allows sampling short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$. +% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$. +Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$. + \item[2.] Choose $\mathbf{D} \sample U(\Zq^{n \times m_d})$ as well as a random vector + $\mathbf{u} \sample U(\Zq^n)$. \smallskip \smallskip +\end{itemize} + The counter $\tau$ is initialized to $\tau=0$. The private key consists of $SK:= + \mathbf{T}_{\mathbf{A}} $ and the public key is ${PK}:=\big( \mathbf{A}, ~ + \{\mathbf{A}_j \}_{j=0}^{\ell}, ~\mathbf{D}, ~\mathbf{u} \big).$ + % \smallskip +\item[\textsf{Sign}$\big(SK, \tau, \mathfrak{m} \big)$:] To sign a message $\mathfrak{m} \in \{0,1\}^{m_d}$, \smallskip +\begin{itemize} +\item[1.] Increment the counter by setting $\tau:=\tau+1$ and interpret it as a string $\tau \in \{0,1\}^\ell $. 
Then, using $SK:= + \mathbf{T}_{\mathbf{A}} $, compute a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$ +for the matrix +%\begin{eqnarray} \label{tau-matrix} +$ \mathbf{A}_{\tau}= + [ \mathbf{A} \mid \mathbf{A}_0 + +\sum_{j=1}^\ell \tau[j] \mathbf{A}_j +] \in \Zq^{ n \times 2m}.$ +%\end{eqnarray} + \item[2.] Compute the vector $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \mathfrak{m} \in \Zq^n .$ + Then, + using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$. +\end{itemize} +Output the signature $sig=(\tau,\mathbf{v} ) \in \{0,1\}^\ell \times \ZZ^{2m} $. \smallskip +\item[\textsf{Verify}$\big(PK,\mathfrak{m},sig\big)$:] Given $PK$, $\mathfrak{m} \in \{0,1\}^{m_d}$ and a +signature $sig=(\tau,\mathbf{v}) \in \{0,1\}^\ell \times \ZZ^{2m} $, +return $1$ if $\| \mathbf{v} \| < \sigma \sqrt{2m}$ and +%\begin{eqnarray} \label{ver-eq-block-simple} +$ \mathbf{A}_{\tau} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathfrak{m} \bmod q.$ +%\end{eqnarray} +\end{description} + +For our purposes, the scheme only needs to satisfy a notion of bounded-message security under non-adaptive chosen-message +attack. In this relaxed model, +the adversary only obtains a +bounded number of signatures for messages that are chosen non-adaptively +(i.e., all at once and before seeing the public key) by the adversary. This +security notion is sufficient for signing the $N$ database entries. Note that the queries are +non-adaptive but the adversary can adaptively choose its forgery message. + + +\begin{theorem} \label{thm-version-3} +The scheme is bounded message secure under non-adaptive chosen-message attacks if the $\mathsf{SIS}$ assumption holds. +\end{theorem} + +\begin{proof} + We show that the scheme presented in Section~\ref{RMA-sec} is secure against non-adaptive chosen-message attacks ({na-CMA}) under the $\SIS$ assumption. 
+ The shape of the proof is similar to the security proof of the signature scheme of~\cref{se:gs-lwe-sigep}. Namely, to prove the security, we distinguish two kinds of attacks: + \begin{description} + \item[Type I attacks,] where in the adversary's forgery $sig^\star = (\tau^\star, \mathbf v^\star)$, $\tau^\star$ did not appear in any outputs of the signing oracle. + \item[Type II attacks,] where in the adversary's forgery $sig^\star = (\tau^\star, \mathbf v^\star)$, $\tau^\star$ has been recycled from an output $sig^{(i^\star)} = \bigl(\tau^{(i^\star)}, \mathbf v^{(i^\star)} \bigr)$ of the signing oracle for some query $i^\star \in \{ 1, \ldots, Q \}$. + \end{description} + + \noindent + Lemma~\ref{le-type1-RMA} states that the signature scheme is secure against Type I forgery using the same technique as is~\cite{ABB10,Boy10,MP12}. + Lemma~\ref{le-type2-RMA} claims that the signature scheme resists Type II attacks, with a proof that is very similar to the one of Lemma~\ref{le-type1-RMA}. Both security proofs assume the computational hardness of the $\SIS$ problem. +\end{proof} + +\begin{lemma} + The signature scheme of Section~\ref{RMA-sec} is secure against Type I attacks if the $\SIS_{n, m, q, \beta'}$ assumption holds, with $\beta' = \sigma^2 m^{3/2} (\ell + 2) + \sigma m^{1/2}$. + \label{le-type1-RMA} +\end{lemma} + +\begin{proof} + Let $\adv$ be a $\ppt$ adversary against the \textsf{na-CMA} security of our scheme that mounts Type I attacks with non negligible success probability $\varepsilon$. + We construct a $\ppt$ algorithm $\bdv$ using $\adv$ to break the $\SIS_{n,m,q,\beta'}$ assumption. + Our reduction $\bdv$ takes as input a target matrix $\bar{\mathbf A} \in \ZZ_q^{n \times m}$ and computes $\mathbf v \in \Lambda_q^\perp(\bar{\mathbf A})$ satisfying $0 < \| \mathbf v \| \leq \beta'$. + \smallskip + + At first, $\bdv$ calls $\adv$ to obtain the messages to be queried: $\mathfrak m^{(1)}, \ldots, \mathfrak m^{(Q)}$. 
+ For the sake of readability, let us define $\tau^{(i)} = i$, viewed as a bit-string, to be the tag corresponding to the $i$-th signature in our scheme. \medskip + + \noindent \textbf{Setup.} As in~\cite{HW09}, the reduction guesses the shortest prefix such that the string $\tau^\star$ embedded in $\adv$'s forgery differs from all prefixes to $\{\tau^{(1)}, \dots, \tau^{(Q)}\}$. + To achieve this, $\bdv$ chooses at random $i^\dag \sample U(\{1, \ldots, Q\})$ and $t^\dag \sample U(\{1, \ldots, \ell\})$. + Then, with probability $1/(Q \cdot \ell)$, the longest common prefix between $\tau^\star$ and one of the tags $\{ \tau^{(i)} \}_{i = 1}^{Q}$ is the string $\tau^\star[1] \cdots \tau^\star[t^\dag - 1] \in \bit^{t^\dag - 1}$: the first $(t^\dag - 1)$-th bits of $\tau^\star$. + Let us define $\tau^\dag = \tau^\star_{\mid t^\dag}$, where $s_{|i}$ denotes the $i$-th prefix for a string~$s$. + By construction $\tau^\dag \notin \{ \tau_{\mid t^\dag}^{(1)}, \ldots, \tau_{\mid t^\dag}^{(Q)} \}$ with probability $1/(Q \cdot \ell)$. + + Next, the reduction $\bdv$ runs $\TrapGen(1^n, 1^m, q)$ to obtain matrices $\mathbf C \in \Zq^{n \times m}$ and a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of + $\Lambda_q^\perp(\mathbf C)$, which will be useful to answer the following opening oracle queries. 
+ The reduction $\bdv$ continues by picking $\ell + 1$ matrices $\mathbf Q_0, \ldots, \mathbf Q_\ell \in \ZZ^{m \times m}$ where each matrix $\mathbf Q_i$ has its column independently sampled from + $D_{\ZZ^m, \sigma}$, and \bdv defines the matrices $\mathbf A=\bar{\mathbf A}$ and $\{\mathbf A_j\}_{j=0}^{\ell}$ as follows + \[\begin{cases} + \mathbf A_0 = \bar{\mathbf A} \cdot \mathbf Q_0 + \left( \sum_{j=1}^{t^\dag} \tau^\star[j] \right) \cdot \mathbf C \\ + \mathbf A_j = \bar{\mathbf A} \cdot \mathbf Q_j + (-1)^{\tau^\star[j]} \cdot \mathbf C & \text{for $j \in [ 1, t^\dag ]$} \\ + \mathbf A_j = \bar{\mathbf A} \cdot \mathbf Q_j & \text{for $j \in [t^\dag + 1, \ell]$} + \end{cases}.\] + We can notice that + \begin{align*} + \mathbf A_{\tau^{(i)}} & = \Bigr[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \mathbf A_j \Bigl] \\ + & = \Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf Q_j\bigr) + \bigl(\sum_{j=1}^{t^\dag} \tau^\star[j] + (-1)^{\tau^\star[j]} \cdot \tau^{(i)}[j]\bigr) \cdot \mathbf C \Bigl] \\ + & = \Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf Q_j\bigr) + h_{\tau^{(i)}} \cdot \mathbf C \Bigl], + \end{align*} + where $h_{\tau^{(i)}}$ denotes the hamming distance between $\tau^{(i)}_{\mid t^\dag}$ and $\tau^\dag$. With probability $1/(Q\cdot \ell)$, and as $\ell > q$, it holds that $h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{\mid t^\dag} \neq \tau^\star_{\mid t^\dag}$. + + The reduction then picks a random short matrix $\mathbf R \sample \ZZ^{m \times m_d}$ which has its $m_d$ columns independently sampled from $D_{\ZZ^m, \sigma}$, and \bdv computes + \[ \mathbf D = \bar{\mathbf A} \cdot \mathbf R \in \ZZ_q^{n \times m_d}. \] + + To finish, $\bdv$ samples a short vector $\mathbf e_u \in D_{\ZZ^m, \sigma}$ and computes the vector $\mathbf u = \bar{\mathbf A} \cdot \mathbf e_u$. 
The following public key is finally given to \adv: + \[ PK := (\mathbf A, \{ \mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u). \] + + \noindent \textbf{Signing queries.} To handle signature queries, the reduction $\bdv$ uses the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ to generate a signature. + To this end, $\bdv$ starts by computing the vector $\mathbf u_M = \mathbf u + \mathbf D \cdot \mathfrak m^{(i)}$. + Then $\bdv$ can use $\mathbf{T_C}$ with the algorithm \textsf{SampleRight} from Lemma~\ref{lem:sampler} to + compute a short vector $\mathbf v^{(i)}$ in $D_{\Lambda^\perp(\mathbf A_{\tau^{(i)}}), \sigma}^{\mathbf u_M}$, distributed like a + valid signature and satisfying the verification equation~\eqref{ver-eq-block}. + \medskip + + \noindent \textbf{Output.} At some point, the attacker $\adv$ halts and outputs a \textit{valid} signature $sig^\star = (\tau^\star, \mathbf v^\star)$ for a message $\mathfrak m^\star \notin \{ \mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}\}$. + Since the signature is valid, it satisfies $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$. 
+ + \noindent Parsing $\mathbf v^\star$ as $[ \mathbf{v}_1^\star \mid \mathbf{v}_2^\star]$ with $\mathbf v_1^\star, \mathbf v_2^\star \in \ZZ^m$ and injecting it in~\eqref{ver-eq-block} give: + \begin{align*} + \Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^\star[j] \cdot \mathbf Q_j\bigr) \Bigl] \cdot \begin{bmatrix} \mathbf v_1^\star \\ \hline \mathbf v_2^\star \end{bmatrix} + & = \mathbf u + \mathbf D \cdot \mathfrak m^\star \mod q \\ + & = \bar{\mathbf A} \cdot \bigl( \mathbf e_u + \mathbf R \cdot \mathfrak m^\star \bigr) \mod q + \end{align*} + Thus, the vector + \[ \mathbf v' = \mathbf v_1^\star + \bigl( \mathbf Q_0 + \sum_{j=1}^\ell \tau^\star[j] \cdot \mathbf Q_j \bigr) \cdot \mathbf v_2^\star - \mathbf e_u - \mathbf R \cdot \mathfrak m^\star \] + is in $\Lambda^\perp(\bar{\mathbf A})$, and $\mathbf v'$ is non-zero with overwhelming probabilities, since in $\adv$'s view, the distribution of $\mathbf e_u$ is + $D_{\Lambda^\mathbf u_q(\mathbf A), \sigma}$, which guarantees that $\mathbf e_u$ is statistically hidden by the syndrome $\mathbf u = \bar{\mathbf A} \cdot \mathbf e_u$. + Finally, the norm of $\mathbf v'$ is upper bounded by + $\beta' = \sigma^2 m^{3/2} (\ell + 2) + 2 \sigma m^{1/2}$. +\end{proof} + +\begin{lemma} + The signature scheme of Section~\ref{RMA-sec} is secure against Type II attacks if $\SIS_{n,m,q,\beta''}$ holds, with $\beta'' = \sqrt 2 (\ell + 2) \sigma m^{3/2} + m^{1/2}$. + \label{le-type2-RMA} +\end{lemma} + +\begin{proof} + We will prove this result using techniques analogous to the previous proof. We show that given an adversary $\adv$ that comes out with a Type II signature in the \textsf{na-CMA} game with non negligible probability $\varepsilon$, we can construct a PPT $\bdv$ that breaks the $\SIS$ assumption with advantage $\varepsilon/Q$ using $\adv$. 
+ \medskip + + \noindent Firstly, the reduction $\bdv$ is given a matrix $\mathbf{A} \in \Zq^{n \times m_d}$ as input and has to output an integer vector $\mathbf v \in \ZZ^{m_d}$ in $\Lambda^\perp_q(\mathbf{A})$ such that $0 < \| \mathbf v \| \leq \beta''$. + Next, $\bdv$ receives from $\adv$ the messages $\mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}$ for which $\adv$ will further ask signature queries. + \medskip + + \noindent To compute the public key, at the outset of the game, the reduction $\bdv$ starts by sampling $i^\dag \sample U(\{1, \ldots, Q\})$ corresponding to the guess that $\adv$'s forgery will recycle $\tau^{(i\dag)}$. + This is independent of $\adv$'s view, and the guess will be correct with probability $1/Q$. + Using this guess to compute $PK$, the reduction $\bdv$ picks $h_0, \ldots, h_\ell \in \Zq$ subject to the constraints +% \medskip +% \noindent \textbf{\textsf{\GGame $0$}\,:}\; This is the real na-CMA game: at the beginning of the game, the adversary $\adv$ sends messages $\mathfrak m^{(0)}, \ldots, \mathfrak m^{(Q)}$ it wants to query signatures on. +% Then he receives $sig^{(i)} = (\tau^{(i)}, \mathbf v^{(i)})$ for each $i \in \{1, \dots, Q\}$ from the signing oracle. +% At the end of the game, the adversary \adv outputs a forgery $sig^\star = (\tau^\star, \mathbf v^\star)$ on a message $\mathfrak m^\star$. +% We let the adversary advantage be $\varepsilon = \Pr[W_0]$. Since $(\mathfrak m^\star, sig^\star)$ is a Type II forgery, there exists and index $i^\star \in \{1, \ldots, Q\}$ such that $\tau^\star = \tau^{(i^\star)}$. +% Notice that from the choice $\ell = \lceil \log Q \rceil$, it follows that there is no two queries with the same tag. 
+% \medskip +% +% \noindent \textbf{\textsf{\GGame $1$}\,:}\; This game is like \SFGame $1$ with the following difference: at the outset of the game, the challenger $\bdv$ chooses a random index $i^\dag \sample U(\{1, \ldots, Q\})$ which corresponds to a guess that $\adv$'s forgery will recycle $\tau^{(i^\dag)}$ to produce its forgery. +% At the end of the game, \adv outputs a Type II forgery $sig^\star = (\tau^\star, \mathbf v^\star)$. If $\tau^\star \neq \tau^{(i^\dag)}$, the challenger $\bdv$ aborts. +% Since the choice of $i^\dag$ in $\{1, \ldots, Q\}$ is independent of \adv's view, we have $\Pr[W_1] = \Pr[W_0]/Q$. +% \medskip +% +% \noindent \textbf{\textsf{\GGame $2$}\,:}\; In this game we modify the key generation phase of \SFGame $1$, along with the way to answer queries. First the challenger $\bdv$ picks $h_0, \ldots, h_\ell \in \Zq$ subject to the following constraints: + \begin{equation} \label{eq:h-constraints} + \begin{cases} + h_0 + \sum_{j=1}^\ell \tau^{(i^\dag)}[j] \cdot h_j = 0 \mod q & \\ + h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0 \mod q & \forall i \in \{1, \ldots, Q\} \backslash \{i^\dag\} + \end{cases} + \end{equation} + + \noindent \bdv then runs $(\mathbf C, \mathbf{T_C}) \gets \TrapGen(1^n, 1^m, q)$. + The resulting matrix $\mathbf C \in \Zq^{n \times m}$ is statistically random, and the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ is a short basis of $\Lambda^\perp_q(\mathbf C)$. + Next \bdv re-randomize $\mathbf{A}$ using short matrices $\mathbf S, \mathbf S_0, \mathbf S_1, \ldots, \mathbf S_\ell \in \ZZ^{m_d \times m}$ which are obtained by sampling their columns from the distribution $D_{\ZZ^{m_d}, \sigma}$. 
+ The challenger $\bdv$ then uses these matrices to define: + \begin{align*} + \mathbf A &= \mathbf{A} \cdot \mathbf S \nonumber \\ + \mathbf A_0 &= \mathbf{A} \cdot \mathbf S_0 + h_0 \cdot \mathbf C \label{eq:rel-rerand} \\ + \mathbf A_j &= \mathbf{A} \cdot \mathbf S_j + h_j \cdot \mathbf C & j \in \{1, \ldots, \ell\} \nonumber + \end{align*} + and sets $\mathbf D = \mathbf{A} \in \ZZ_q^{n \times m_d}$. Observe that matrices $\mathbf{A},\{\mathbf{A}_j\}_{j=0}^\ell$ are all statistically uniform over $\ZZ_q^{n \times m}$. + Then, $\bdv$ samples short vectors ${\mathbf v_1^\dag, \mathbf v_2^\dag \sample D_{\ZZ^m, \sigma}}$ and computes $\mathbf u \in \Zq^n$ as + \begin{equation} \label{eq:rel-uM} + \mathbf u = \mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\dag} \\\hline \mathbf v_2^{\dag} \end{bmatrix} - \mathbf{A} \cdot \mathfrak m^{(i^\dag)} \mod q. + \end{equation} + + \noindent Finally, $\bdv$ sends to $\adv$ the public key + \[ PK := \bigl( \mathbf A, \{\mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u \bigr) \] + which is distributed as the $PK$ of the real scheme. + \medskip + + \noindent +\begin{comment} + We can notice that + \begin{align*} + \mathbf A_{\tau^{(i^\dag)}} &= \Bigl[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf A_j \Bigr] \\ + &= \Bigl[ \mathbf D \cdot \mathbf S ~\Big|~ \mathbf D \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf S_j) \Bigr]. + \end{align*} +\end{comment} + To answer signing queries, the challenger $\bdv$ do as follows. 
+ \begin{itemize} + \item If the query is not the $i^\dag$-th, we have: + \begin{align*} + \mathbf A_{\tau^{(i)}} &= \Bigl[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=0}^\ell \tau^{(i)} [j] \cdot \mathbf A_j \Bigr] \\ + &= \Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i)} [j] \cdot \mathbf S_j) + h_{\tau^{(i)}} \cdot \mathbf C \Bigr], + \end{align*} + with $h_{\tau^{(i)}} = h_0 + \sum \tau^{(i)}[j] \cdot h_j \neq 0$ due to the first constraint of~\eqref{eq:h-constraints}. Thus, using the same technique as in the previous proof from~\cite{MP12}, the challenger $\bdv$ can use the trapdoor $\mathbf{T_C}$ along with \textsf{SampleRight} algorithm to sample a short vector in $\Lambda_q^{\mathbf u_M}(\mathbf A_{\tau^{(i)}})$ satisfying~\eqref{ver-eq-block}. + \item At the $i^\dag$-th query, thanks to the second constraint of~\eqref{eq:h-constraints}, we have: + \begin{align*} + \mathbf A_{\tau^{(i^\dag)}} &= \Bigl[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf A_j \Bigr] \\ + &= \Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf S_j) \Bigr]. + \end{align*} + To answer this specific query, the challenger $\bdv$ returns $sig^{(i^\dag)} = (\tau^{(i^\dag)}, \mathbf v^{(i^\dag)})$ where $\mathbf v^{(i^\dag)} = ( \mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$ verifying~\eqref{eq:rel-uM}, which furthermore implies that $sig^{(i^\dag)}$ verifies~\eqref{ver-eq-block}. + \end{itemize} + + \noindent Thus we claim that $\bdv$ can solve the $\SIS$ problem using the Type II forgery provided by $\adv$. + At the end of the game, the adversary outputs a valid signature $sig^\star = (\tau^{(i^\star)}, \mathbf v^\star)$ on a message $\mathfrak m^\star$ with $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$. + In the event that $\tau^{(i^\star)} \neq \tau^{i^\dag}$, the reduction aborts. 
The latter event happens with probability $1-1/Q$. + If we parse $\mathbf v^\star$ as $(\mathbf v_1^{\star, T} \mid \mathbf v_2^{\star T})^T \in \ZZ^{2m}$, with $\mathbf v_1^{\star}, \mathbf v_2^\star \in \ZZ^m$, it holds that: + \begin{equation} \label{eq:sub-rel-1} + \mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\star} \\\hline \mathbf v_2^{\star} \end{bmatrix} = \mathbf u + \mathbf{A} \cdot \mathfrak m^{\star} \mod q. + \end{equation} + According to the way $\mathbf u$ was defined at the beginning of the game, we also have a vector $\mathbf v^\dag = (\mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$ such that + \begin{equation} \label{eq:sub-rel-2} + \mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\dag} \\\hline \mathbf v_2^{\dag} \end{bmatrix} = \mathbf u + \mathbf{A} \cdot \mathfrak m^{\dag} \mod q. + \end{equation} + As $sig^\star$ is a valid forgery for the dn-CMA game, it follows that $m^\dag \neq m^\star$. And we get by subtracting \eqref{eq:sub-rel-1} and \eqref{eq:sub-rel-2} + \begin{align*} + \mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^\star - \mathbf v_1^{\dag} \\\hline \mathbf v_2^\star - \mathbf v_2^{\dag} \end{bmatrix} &= \mathbf{A} \cdot \left (\mathfrak m^{\star} - \mathfrak m^\dag \right) \mod q, \\ + \Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf S_j) \Bigr]\cdot \begin{bmatrix} \mathbf v_1^\star - \mathbf v_1^{\dag} \\\hline \mathbf v_2^\star - \mathbf v_2^{\dag} \end{bmatrix} &= \mathbf{A} \cdot \left (\mathfrak m^{\star} - \mathfrak m^\dag \right) \mod q. 
+ \end{align*} + Leading us to the fact that + \begin{equation} \label{eq:non-zero} + \mathbf v' = \underbrace{\mathbf S \cdot (\mathbf v_1^\star - \mathbf v_2^\dag) + \left( \mathbf S_0 + \sum_{j=1}^\ell \tau^{(i^\dag)}[j] \cdot \mathbf S_j \right) \cdot (\mathbf v_2^\star - \mathbf v_2^\dag)}_{(a)} + \underbrace{\mathfrak m^\dag - \mathfrak m^\star}_{-(b)} + \end{equation} + is an integer vector of $\Lambda_q^\perp(\mathbf{A})$, with norm bounded by $\| \mathbf v' \| \leq \sqrt 2 (\ell + 2) \sigma m^{3/2} + m^{1/2} = \beta''$. + Furthermore, if $\mathbf v'$ was zero, it implies that $(a) = (b)$ in Equation~\eqref{eq:non-zero}. + And as $sig^\star \neq sig^\dag$, we have that either $\mathbf v_1^\star \neq \mathbf v_1^\dag$ or $\mathbf v_2^\star \neq \mathbf v_2^\dag$. + As a consequence, $(a)$ is information theoretically unpredictable for $\adv$ since the columns of $\mathbf S, \mathbf S_0, \ldots \mathbf S_\ell$ are statistically hidden from $\adv$, as shown in~\cite{MP12} for instance: conditionally on the public key, each column of $\mathbf S$ and $\{\mathbf S_j\}_{j=0}^\ell$ has at least $n$ bits of min-entropy. +\end{proof} + +\section{A Fully Simulatable Adaptive OT Protocol} \label{OT-scheme} + + +Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{CNs07}. The databases holder encrypts all entries +using a multi-bit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the well-formedness of its public key and all ciphertexts. In addition, +all ciphertexts are signed using a signature scheme. At each +transfer, the receiver statistically re-randomizes a blinded version of the desired ciphertext, where the blinding is done via the additive +homomorphism of Regev. 
Then, the receiver provides a witness indistinguishable (WI) argument that the modified ciphertext (which is +submitted for oblivious decryption) is +a transformation of one of the original ciphertexts by arguing knowledge of a signature on this hidden ciphertext. In response, +the sender obliviously decrypts the modified ciphertext and argues in zero-knowledge that the response is correct. + + +Adapting the technique of \cite{CNs07} to the lattice setting requires the following building blocks: +(i) A signature scheme allowing to sign ciphertexts while remaining compatible with ZK proofs; (ii) A ZK protocol allowing to prove knowledge of a signature on some hidden ciphertext which belongs to a public set and was transformed into a given ciphertext; (iii) A protocol for proving the correct decryption of a ciphertext; (iv) A method of statistically re-randomizing an $\LWE$-encrypted ciphertext in a way that enables oblivious decryption. The first three ingredients can be obtained from \cref{ch:gs-lwe}. Since component (i) only needs to be secure against random-message attacks as +long as the adversary obtains at most $N$ signatures, we use the simplified $\SIS$-based signature scheme +of Section \ref{RMA-sec}. +The statistical re-randomization of Regev ciphertexts is handled via the noise flooding technique \cite{AJL+12}, which consists in drowning the initial noise with a super-polynomially larger +noise. While recent results \cite{DS16,BDPMW16} provide potentially more efficient alternatives, +we chose the flooding technique for simplicity because it does not require the use of FHE (and also because +the known multi-bit version \cite{HAO15} of the GSW FHE~\cite{GSW13} incurs an \textit{ad hoc} circular security assumption). + + +\subsection{Description} +Our scheme works with security parameter $\lambda$, modulus $q$, lattice dimensions $n = \mathcal{O}(\lambda)$ and $m= 2 n \lceil \log q \rceil$. 
Let $B_\chi = \widetilde{\mathcal{O}}(\sqrt{n})$, and let $\chi$ be a $B_\chi$-bounded distribution. We also define an integer~$B$ as a randomization parameter such that $B= n^{\omega(1)}\cdot (m+1)B_\chi$ and $B+ (m+1)B_\chi \leq q/5$ (to ensure decryption correctness). +Our basic \OTA protocol goes as follows. + + + + + +\begin{description} +\item[\textsf{Initialization}$\big(\mathsf{S}_\mathsf{I}(1^\lambda,\mathsf{DB}),\mathsf{R}_{\mathsf{I}}(1^\lambda) \big)$:] In this protocol, the sender $\mathsf{S}_\mathsf{I}$ has a database $\mathsf{DB}=(M_1,\ldots,M_N)$ of $N$ messages, where $M_i \in \{0,1\}^{t}$ for each $i \in [N]$, +for some $t \in \mathsf{poly}(\lambda)$. It interacts with the receiver $\mathsf{R}_\mathsf{I}$ as follows. \smallskip \smallskip +\begin{itemize} +\item[1.] Generate a key pair for the signature scheme of Section \ref{RMA-sec} in order to sign $Q=N$ messages of length $m_d = (n+t) \cdot \lceil \log q \rceil$ each. +This key pair consists of $SK_{sig}=\mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and +${PK}_{sig}:=\big( \mathbf{A}, +\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{D}, \mathbf{u} \big),$ where $\ell=\log N$ and $\mathbf{A},\mathbf{A}_0,\ldots,\mathbf{A}_{\ell} \in U(\Zq^{n \times m})$, $\mathbf{D} \in U(\Zq^{n \times m_d})$. + %with $m = 2n \lceil \log q \rceil$, $m_d = (n+t) \lceil \log q \rceil$. + The counter is initialized to $\tau=0$. + \item[2.] Choose $\mathbf{S} \sample \chi^{n \times t}$ that will serve as a secret key for an $\LWE$-based encryption scheme. + Then, sample $\mathbf{F} \sample U(\Zq^{n \times m})$, $\mathbf{E} \sample \chi^{m \times t }$ and compute + \begin{eqnarray} \label{PK-gen} + \mathbf{P} = [\mathbf{p}_1 | \ldots | \mathbf{p}_t] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t}, + \end{eqnarray} + so that $(\mathbf{F},\mathbf{P}) \in \Zq^{n \times m} \times \Zq^{m \times t }$ forms a public key for a $t$-bit variant of Regev's encryption scheme \cite{Reg05}. 
+ % (or, equivalently, + % a set of $m$ encryptions of the all-zeroes $t$-bit string). + \item[3.] + Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample + U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to + compute + \begin{eqnarray} \label{init-db} + (\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N]. + \qquad + \end{eqnarray} + +\item[4.] For each $i \in [N]$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the decomposition + $\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i^T |\mathbf{b}_i^T )^T \in \{0,1\}^{m_d}$. % of $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$. +\item[5.] $\mathsf{S}_\mathsf{I}$ sends + $ R_0= \bigl( PK_{sig} ,~(\mathbf{F},\mathbf{P}),~\{(\mathbf{a}_i,\mathbf{b}_i),(\tau_i,\mathbf{v}_i ) \}_{i=1}^N \bigr) $ to $\mathsf{R}_\mathsf{I}$ and interactively proves knowledge of small-norm $\mathbf{S} \in \ZZ^{n \times t}$, $\mathbf{E} \in \ZZ^{m \times t}$, short vectors $\{\mathbf{x}_i\}_{i=1}^N$ and +$t$-bit messages $\{M_i\}_{i=1}^N$, +for which~\eqref{PK-gen} and~\eqref{init-db} hold. To this end, $\mathsf{S}_\mathsf{I}$ plays the role of the prover in the ZK argument system described in Section~\ref{subsection:ZK-protocol-1}. +%\item[c.] +If the argument of knowledge does not verify +%at step b +or if there exists $i \in [N]$ such that $(\tau_i,\mathbf{v}_i)$ is an invalid signature on the message + $\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1} (\mathbf{a}_i^T |\mathbf{b}_i^T)^T $ w.r.t. $PK_{sig}$, then $\mathsf{R}_\mathsf{I}$ aborts. +%\end{itemize} +\item[6.] Finally $\mathsf{S}_\mathsf{I}$ defines $S_0= \big( (\mathbf{S},\mathbf{E}) ,(\mathbf{F},\mathbf{P}),PK_{sig} \big)$, which it keeps to itself. 
\medskip \smallskip +\end{itemize} + +\item[\textsf{Transfer}$\big(\mathsf{S}_\mathsf{T}(S_{i-1}),\mathsf{R}_{\mathsf{T}}(R_{i-1},\rho_i) \big)$:] At the $i$-th transfer, the receiver $\mathsf{R}_\mathsf{T}$ has state $R_{i-1}$ and +an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}_\mathsf{T}$ that has state $S_{i-1}$ in order to obtain $M_{\rho_i}$ from $\mathsf{DB}$. \smallskip \smallskip \smallskip +\begin{itemize} +\item[1.] $\mathsf{R}_\mathsf{T}$ samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and a random $\nu \sample U([-B,B]^t)$ to compute +\begin{eqnarray} \label{rand-CT} +(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho_i} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho_i} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t, + \qquad +\end{eqnarray} +which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to +$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows +a signature on $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_{\rho_i}^T | \mathbf{b}_{\rho_i}^T)^T \in \{0,1\}^{m_d}$. +To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-3}. + + +\item[2.] If the argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and +obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$ +which is sent back to $\mathsf{R}_\mathsf{T}$. 
In addition, $\mathsf{S}_\mathsf{T}$ provides a zero-knowledge argument of knowledge of vector $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$ +of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm matrices $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$) +\begin{eqnarray} \label{test-transfer} +\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor. +\end{eqnarray} +To this end, $\mathsf{S}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-2}. +\item[3.] If the ZK argument produced by $\mathsf{S}_\mathsf{T}$ does not properly verify at step 2, $\mathsf{R}_\mathsf{T}$ halts and outputs $\perp$. Otherwise, $\mathsf{R}_\mathsf{T}$ recalls +the random string $\mu \in \{0,1\}^t$ that was chosen at step 1 and computes $M_{\rho_i}=M' \oplus \mu$. The transfer ends with $\mathsf{S}_\mathsf{T}$ and $\mathsf{R}_\mathsf{T}$ +outputting $S_i=S_{i-1}$ and $R_i=R_{i-1}$, respectively. +\end{itemize} +\end{description} + + + + + +In the initialization phase, the sender has to repeat step 5 with each + receiver to prove that $\left\{(\mathbf{a}_i,\mathbf{b}_i)\right\}_{i=1}^N$ are well-formed. Using the Fiat-Shamir heuristic \cite{FS86}, we can decrease this initialization + cost from $O(N \cdot U)$ to $O(N)$ (regardless of the number of users $U$) by making the proof non-interactive. + This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be non-interactive and the receiver's arguments only need to be WI, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. 
To keep the security proof + simple, we derive the matrix $\mathbf{F} \in \Zq^{n \times m}$ from a second random oracle. + %which the sender can build his $\LWE$-based public key $\mathbf{P}=\mathbf{F} \cdot \mathbf{S} + \mathbf{E}$, for small-norm matrices $\mathbf{S} \in \ZZ^{n \times t}$ + %and $\mathbf{E} \in \ZZ^{m \times t}$. +Knowing a short basis of $\Lambda_q^{\perp}(\mathbf{F})$, the simulator can extract + the columns of $\mathbf{S}$ from the public key $\mathbf{P} \in \Zq^{n \times m}$. Details are given in Appendix~\ref{optimized}. +% \indent In +%Appendix \ref{ot-proofs}, we prove the security of the above \OTA protocol against static corruptions under the $\SIS$ and $\LWE$ assumptions. +\subsection{Security} +The security of the above \OTA protocol against static corruptions is stated by the following theorems. + +\begin{theorem} \label{sender-sec} +The $\OTA$ protocol provides receiver security under the $\SIS$ assumption. +\end{theorem} + +\begin{proof} + We prove that any real-world cheating sender $\hat{\mathsf{S}}$ implies an ideal-world cheating sender $\hat{\mathsf{S}}'$ such that, under the $\SIS$ assumption, + the two distributions $\REAL_{\hat{\mathsf{S}},{\mathsf{R}}}$ and $\IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'}$ with common inputs $(N,k,M_1,\ldots,M_N,\rho_1,\ldots,\rho_k)$ are indistinguishable +to any PPT distinguisher $\ddv$. \\ \indent To this end, we consider a sequence of hybrid experiments with binary outputs. In each experiment $\textsf{Exp}_i$, a distinguisher $\ddv$ takes +as input the states $(S_k,R_k)$ produced by $\hat{\mathsf{S}}$ and $\mathsf{R}'$ at the end of the experiment and outputs a bit. We define $W_i$ as the event that the output of experiment $\textsf{Exp}_i$ is $1$. The first experiment outputs whatever the distinguisher $\ddv$ outputs and corresponds to the real interaction between the cheating sender $\hat{\mathsf{S}}$ and the +receiver $\mathsf{R}$. 
\smallskip +\begin{description} +\item[\textsf{Exp}$_0$:] This experiment involves a real execution of $\hat{\mathsf{S}}$ in interaction with a honest receiver $\mathsf{R}$ which queries the index $\rho_i \in [N]$ at +the $i$-th transfer for each $i \in [k]$. The output of $\textsf{Exp}_0$ +is exactly the output of the distinguisher $\ddv$ on input of $X=(S_k,R_k) \leftarrow \REAL_{\mathsf{S},\hat{\mathsf{R}}} $, so that + we have + $$\Pr[W_0]=\Pr[ \ddv (X) =1 \mid X \leftarrow \REAL_{\hat{\mathsf{S}},{\mathsf{R}}} ].$$ +\item[\textsf{Exp}$_1$:] This experiment is like $\textsf{Exp}_0$ except that, at step 5 of the initialization phase, the knowledge extractor of the argument system is used to +extract the witnesses $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$, for each $j \in [t]$, from the sender's argument. In the event that the knowledge +extractor fails to extract valid witnesses, the experiment aborts and outputs $\perp$. We know that the zero-knowledge argument system is computationally sound +as long as the underlying commitment is computationally binding. If the perfectly hiding commitment of \cite{KTX08} is used, the binding property is in turn + implied by the $\SIS$ assumption. Under the +$\SIS$ assumption, it follows that $\textsf{Exp}_1$ returns $1$ with about the same probability as $\textsf{Exp}_0$. Specifically, there exists a $\SIS$ solver $\bdv$ such that +$ | \Pr[W_1] -\Pr[W_0] | \leq \mathbf{Adv}^{\SIS}_\bdv (\lambda). $ \smallskip + + +\item[\textsf{Exp}$_2$:] This experiment is identical to \textsf{Exp}$_1$ except that the receiver $\mathsf{R}'$ makes use of the matrix $\mathbf{S} \in \chi^{n \times t}$, which underlies $\mathbf{P} \in \ZZ_q^{m \times t}$ in +\eqref{PK-gen} and was extracted at step 5 of the initialization phase. 
Namely, at step 2 of each transfer, $\mathsf{R}'$ uses + $\mathbf{S}$ to determine if the ZK argument sent by $\hat{\mathsf{S}}$ is really an argument for a true statement or if $\hat{\mathsf{S}}$ somehow managed +to break the soundness of the argument system. Namely, upon receiving the response $M ' \in \{0,1\}^t$ of $\hat{\mathsf{S}}$ at step 2, $\mathsf{R}'$ +uses the previously extracted $\mathbf{S} \in \chi^{n \times t}$ to determine whether there exists a vector $\mathbf{y} \in \ZZ^t$ of norm $\| \mathbf{y} \|_{\infty} + \leq q/5$ such that +\begin{eqnarray} \label{test-deux} + \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor . + \end{eqnarray} +If no such vector $\mathbf{y}$ exists, $\mathsf{R}'$ infers that $\hat{\mathsf{S}}$ broke the soundness of the argument system. In this case, $\hat{\mathsf{S}}$ can be +rewound so as to break the binding property of the statistically hiding commitment scheme used by the ZK argument system, which in turn contradicts +the $\SIS$ assumption. We thus have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathbf{Adv}^{\SIS}_\bdv (\lambda) $ for some efficient algorithm $\bdv$ which +is given rewinding access to $\hat{\mathsf{S}}$. + \smallskip + +\item[\textsf{Exp}$_3$:] This experiment is like $\textsf{Exp}_2$ with the difference that, at each transfer, the receiver $\mathsf{R}'$ chooses the index $\rho_i=1$ and thus always requests +the first message of the encrypted database. In more details, at each transfer, $\mathsf{R}'$ +samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and $\nu \sample U([-B,B]^t)$ to compute and send +\begin{eqnarray*} +(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \ZZ_q^n \times \ZZ_q^t, +\end{eqnarray*} +which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. 
+ Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that + $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$. +It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$, +$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}. %(\ref{statement-rand-un})-(\ref{statement-rand-deux}). + By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter +such that $(m+1) \alpha q / B $ is negligible, the result of \cite[Section 4.1]{DS16} implies that always re-randomizing +$(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$ leaves the view of $\hat{\mathsf{S}}$ statistically unchanged. +We have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathsf{negl}(\lambda). $ \smallskip +\end{description} +In $\textsf{Exp}_3$, we can define the ideal-world cheating sender $\hat{\mathsf{S}}'$ which emulates the honest receiver $\mathsf{R}'$ interacting with $\hat{\mathsf{S}}$. At the initialization +phase, $\hat{\mathsf{S}}'$ appeals to the knowledge extractor of the argument system so as to extract the small-norm matrices $\mathbf{S} = [\mathbf{s}_1|\ldots|\mathbf{s}_t] \in \chi^{n \times t}$ +and $\mathbf{E}=[\mathbf{e}_1| \ldots |\mathbf{e}_t] \in \chi^{m \times t}$ satisfying \eqref{PK-gen}. Armed with the decryption key $\mathbf{E} \in \chi^{m \times t}$ of the cryptosystem, +$\hat{\mathsf{S}}'$ can decrypt $\{(\mathbf{a}_i,\mathbf{b}_i)\}_{i=1}^N$ and obtain the messages $M_1,\ldots,M_N \in \{0,1\}^N$ that were encrypted in \eqref{init-db} by $\hat{\mathsf{S}}$. 
+It then submits $M_1,\ldots,M_N \in \{0,1\}^N$ to the trusted party $\mathsf{T}$. As in $\textsf{Exp}_2$, during each transfer phase, $\hat{\mathsf{S}}'$ computes $(\mathbf{c}_0,\mathbf{c}_1)$ as +a re-randomization of $(\mathbf{a}_1,\mathbf{b}_1) \in \ZZ_q^n \times \ZZ_q^t$ and faithfully generates the receiver's argument of knowledge using the witness $\rho_i=1$ at step 1. + At step 2 of each transfer, $\hat{\mathsf{S}}'$ plays the role of the verifier on behalf of $\mathsf{R}'$ in the interactive zero-knowledge argument generated by $\hat{\mathsf{S}}$. If $\hat{\mathsf{S}}'$ detects that $\hat{\mathsf{S}}$ creates a verifying argument for a false statement (which $\hat{\mathsf{S}}'$ can detect using the +extracted matrix $\mathbf{S} \in \ZZ^{n \times t}$, by applying the test + \eqref{test-deux}), it aborts the interaction as in $\textsf{Exp}_3$. + If the ZK +argument involves a true statement, $\hat{\mathsf{S}}'$ sends $1$ to the trusted party $\mathsf{T}$ so as to authorize the transfer in the ideal world. Otherwise, $\hat{\mathsf{S}}'$ sends $0$ to $\mathsf{T}$. +At the end of the $k$-th transfer phase, $\hat{\mathsf{S}}'$ outputs whatever $\hat{\mathsf{S}}$ outputs as its final state $S_k$. \\ +\indent In $\textsf{Exp}_3$, it is easy to see that +$$ \Pr[W_3] = \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'} ] .$$ +When putting the above altogether, we find that there exists a PPT $\SIS$ solver $\bdv$ such that +\begin{multline*} +| \Pr[ \ddv (X) =1 \mid X \leftarrow \REAL_{\hat{\mathsf{S}},{\mathsf{R}}} ] \\ - \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'} ] | \leq 2 \cdot \mathbf{Adv}_\bdv^{\SIS}(\lambda) ++ \mathsf{negl}(\lambda) , +\end{multline*} + which proves the result. +\end{proof} + +\begin{theorem} \label{rec-sec} +The $\OTA$ protocol provides sender security under the $\SIS$ and $\LWE$ assumptions. 
+\end{theorem} + +\input{merge2} + + + + + + + + + +%%%%%%%%%%%% Access control + + + + + + + +\section{OT with Access Control for Branching Programs} \label{OT-AC-scheme} + +In this section, we extend our protocol of Section \ref{OT-scheme} into a protocol where database entries can be protected +by access control policies consisting of branching programs. In a nutshell, the construction goes as follows. + +When the database is set up, the sender signs (a binary representation of) each database entry $(\mathbf{a}_i,\mathbf{b}_i)$ together +with a hash value $\mathbf{h}_{\BPR,i} \in \Zq^n$ of the corresponding branching program. For each possessed attribute $\mathbf{x} \in \{0,1\}^\kappa$, +the user $\USR$ +obtains a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ from the issuer. \\ \indent If $\USR$ has a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ for an attribute $\mathbf{x}$ satisfying +the $\rho$-th branching program, $\USR$ can re-randomize $(\mathbf{a}_\rho,\mathbf{b}_\rho)$ into $(\mathbf{c}_0,\mathbf{c}_1)$, which is given to the sender, +while proving that: (i) He knows a signature +$(\tau,\mathbf{v})$ on some message $(\mathbf{a}_\rho,\mathbf{b}_\rho,\mathbf{h}_{\BPR,\rho})$ such that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of +$(\mathbf{a}_\rho,\mathbf{b}_\rho)$; (ii) The corresponding $\mathbf{h}_{\BPR,\rho}$ is the hash value of (the binary representation of) a branching program +$\BPR_{\rho}$ that accepts an attribute $\mathbf{x} \in \{0,1\}^\kappa$ for which he has a valid credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ +(i.e., $\BPR_{\rho}(\mathbf{x})=1$). \\ +\indent While statement (i) can be proved as in Section \ref{OT-scheme}, handling (ii) requires a method of proving the possession of a (committed) branching program $\BPR$ and a (committed) input $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR(\mathbf{x})=1$ while demonstrating possession of a credential for +$\mathbf{x}$. 
+ + + + +Recall that a branching program $\BPR$ of length $L$, input space $\{0,1\}^{\kappa}$ and width $5$ is specified by $L$ tuples of the +form $(\var(\theta),\pi_{\theta,0},\pi_{\theta,1})$ where +\begin{itemize} +\item[-] $\var: [L] \rightarrow [0, \kappa-1]$ is a function that associates the $\theta$-th tuple with the coordinate ${x}_{\var(\theta)} \in \{0,1\}$ of +the input $\mathbf{x} = (x_0, \ldots, x_{\kappa-1})^T$. +\item[-] $\pi_{\theta,0},\pi_{\theta,1} : \{0,1,2,3,4\} \rightarrow \{0,1,2,3,4\}$ are permutations that determine the $\theta$-th step of the +evaluation. +\end{itemize} +On input $\mathbf{x} = (x_0, \ldots, x_{\kappa-1})^T$, $\BPR$ computes its output as follows. +For each bit $b \in \{0,1\}$, let $\bar{b}$ denote the bit $1-b$. +Let $\eta_\theta$ denote the state of computation at step $\theta$. The initial state is $\eta_0 = 0$ and, for $\theta \in [1,L]$, the state $\eta_\theta$ is computed as +\[ +\eta_\theta = \pi_{\theta, x_{\mathrm{var}(\theta)}}(\eta_{\theta-1}) = \pi_{\theta, 0}(\eta_{\theta-1})\cdot \bar{x}_{\mathrm{var}(\theta)} + \pi_{\theta, 1}(\eta_{\theta-1})\cdot {x}_{\mathrm{var}(\theta)}. +\] +Finally, the output of evaluation is $\mathsf{BP}(\mathbf{x})=1$ if $\eta_L =0$, otherwise $\mathsf{BP}(\mathbf{x})=0$. + +We now let $\delta_{\kappa} = \lceil\log_2 \kappa\rceil$ and note that each integer in $[0,\kappa-1]$ can be determined by $\delta_\kappa$ bits. In particular, for each $\theta \in [ L]$, let $d_{\theta,1}, \ldots, d_{\theta, \delta_\kappa}$ be the bits representing $\mathrm{var}(\theta)$. 
Then, we consider the following representation of $\mathsf{BP}$: +\begin{multline}\label{equation:z_BP} +%\nonumber +\hspace*{-12pt} \mathbf{z}_{\mathsf{BP}} = \big( +d_{1,1}, \ldots, d_{1, \delta_\kappa}, \ldots, d_{L,1}, \ldots, d_{L, \delta_\kappa}, \pi_{1,0}(0), \ldots, \pi_{1,0}(4), \pi_{1,1}(0), \ldots, \\ +%&& \hspace*{-25pt} +\pi_{1,1}(4), \ldots, +\pi_{L,0}(0), \ldots, \pi_{L,0}(4), \pi_{L,1}(0), \ldots, \pi_{L,1}(4) +\big)^T \in [0,4]^{\zeta}, ~~~ +\end{multline} +where $\zeta= L(\delta_\kappa +10)$. + +\subsection{The OT-AC Protocol} \label{the-ot-ac} + + + + +We assume public parameters $\pp$ +consisting of a modulus $q$, integers $n$, $m$ such that $m = 2n \lceil \log q \rceil$, a public matrix $\bar{\mathbf{A}} \in \Zq^{n \times m}$, +the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desired input length $\kappa \in \mathsf{poly}(n)$. +\smallskip + +\begin{description} + \item[\textsf{ISetup}$\big(\pp \big)$:] Given public parameters $\pp=\{ q,n,m, \bar{\mathbf{A}}, L,\kappa\}$, first generate a key pair $(PK_{I},SK_{I})\gets \mathsf{Keygen}(\pp,1)$ for the signature scheme + in Section \ref{se:gs-lwe-sigep} in order to sign single-block messages (i.e., $N_b=1$) of length $m_I = n \cdot \lceil \log q \rceil + \kappa$. %$m=2 n \lceil \log q \rceil$. + Letting $\ell_I = \mathcal{O}(n)$, this key pair contains $SK_{I}=\mathbf{T}_{\mathbf{A}_I} + \in \ZZ^{m \times m}$ and + $${PK}_{I}:=\big( \mathbf{A}_I, ~ + \{\mathbf{A}_{I,j} \}_{j=0}^{\ell_{I}}, ~\mathbf{D}_I, ~ \{ \mathbf{D}_{I,0}, \mathbf{D}_{I,1}\} , ~\mathbf{u}_I \big).$$ + \item[\textsf{Issue}$\big( \mathsf{I}(\pp,SK_I,PK_I,P_\USR,\mathbf{x}) \leftrightarrow \mathsf{U}(\pp,\mathbf{x},st_\USR) \big)$:] + On common input $\mathbf{x} \in \{0,1\}^\kappa$, the issuer + $\mathsf{I}$ and the user $\USR$ interact in the following way: \smallskip + \begin{itemize} + \item[1.] 
If $st_{\USR} = \emptyset$, $\USR$ creates a pseudonym $P_\USR= \bar{\mathbf{A}} \cdot \mathbf{e}_{\USR} \in \Zq^n$, for a randomly chosen $\mathbf{e}_{\USR} \sample U(\{0,1\}^m)$, which is sent to $\mathsf{I}$. It sets + $st_{\USR}=(\mathbf{e}_\USR, P_\USR, 0, \emptyset ,\emptyset)$. Otherwise, $\USR$ parses its state $st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$. + \item[2.] The issuer $\mathsf{I}$ defines the message $\mathfrak{m}_{\USR,\mathbf{x}} = (\mathsf{vdec}_{n,q-1}(P_{\USR})^T|\mathbf{x}^T )^T \in \{0,1\}^{m_I}$. + Then, it runs the signing algorithm of Section \ref{se:gs-lwe-sigep} to obtain and return + $\crt_{\USR,\mathbf{x}} = \big(\tau_{\USR},\mathbf{v}_{\USR},\mathbf{r}_{\USR} \big) \leftarrow \mathsf{Sign}(SK_I,\mathfrak{m}_{\USR,\mathbf{x}}) \in \{0,1\}^{\ell_{I}} \times \ZZ^{2m} \times \ZZ^{m}$, which binds $\USR$'s pseudonym $P_\USR$ + to the attribute string $\mathbf{x} \in \{0,1\}^\kappa$. + \item[3.] $\USR$ checks that $\crt_{\USR,\mathbf{x}}$ + satisfies \eqref{ver-eq-block} and that $\|\mathbf{v}_\USR\| \leq \sigma \sqrt{2m},\mathbf{r}_\USR \leq \sigma \sqrt{m}$. If so, $\USR$ sets + $C_\USR := C_{\USR} \cup \{\mathbf{x}\}$, $\mathsf{Cred}_\USR := \mathsf{Cred}_\USR \cup \{\crt_{\USR,\mathbf{x}}\}$ and updates its state $st_\USR=(\mathbf{e}_\USR,P_\USR,f_{DB},C_\USR,\mathsf{Cred}_\USR)$. If $\crt_{\USR,\mathbf{x}}$ does not properly verify, $\USR$ aborts the interaction and leaves $st_{\USR}$ unchanged. \smallskip + \end{itemize} + \item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender $\mathsf{DB}$ + has $\mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N $ which is a database of $N$ pairs made of a message + $M_i \in \{0,1\}^{t}$ and a policy realized by a length-$L$ + branching program $\BPR_i = \{\var_i(\theta),\pi_{i,\theta,0},\pi_{i,\theta,1}\}_{\theta=1}^L$. %.of length $L \in \mathsf{poly}(n)$, + \smallskip \smallskip + \begin{itemize} + \item[1.] 
Choose a random matrix $\mathbf{A}_{\mathrm{HBP}} \sample U \big(\Zq^{n \times \zeta } \big)$ which will be used to hash the description of + branching programs. + \item[2.] Generate a key pair for the signature scheme of Section \ref{RMA-sec} in order to sign $Q=N$ messages of length $m_d = (2n+t) \cdot \lceil \log q \rceil$ each. + This key pair consists of $SK_{sig}=\mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and + ${PK}_{sig}:=\big( \mathbf{A}, + \{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{D}, \mathbf{u} \big),$ where $\ell=\lceil \log N \rceil$ and $\mathbf{A},\mathbf{A}_0,\ldots,\mathbf{A}_{\ell} \in U(\Zq^{n \times m})$, $\mathbf{D} \in U(\Zq^{n \times m_d})$ with + $m = 2n \lceil \log q \rceil$, $m_d = (2n+t) \lceil \log q \rceil$. The counter is initialized to $\tau=0$. + + \item[3.] Sample $\mathbf{S} \sample \chi^{n \times t}$ which will serve as a secret key for an $\LWE$-based encryption scheme. + Then, sample $\mathbf{F} \sample U(\Zq^{n \times m})$, $\mathbf{E} \sample \chi^{m \times t }$ to compute + \begin{eqnarray} \label{PK-gen-ac} + \mathbf{P} = [\mathbf{p}_1 | \ldots | \mathbf{p}_t] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t} + \end{eqnarray} + so that $(\mathbf{F},\mathbf{P}) $ forms a public key for a $t$-bit variant of Regev's system. + \item[4.] + Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample + U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to + compute + \begin{eqnarray} \label{init-db-ac} + (\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{a}_i^T \cdot \mathbf{S} + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N] + \qquad + \end{eqnarray} + + \item[5.] For each $i=1$ to $N$, $ (\mathbf{a}_i,\mathbf{b}_i)$ is bound to $\BPR_i$ as follows. \smallskip \begin{itemize} \item[a.] + Let $\mathbf{z}_{\BPR,i} \in [0,4]^\zeta $ be the binary representation of the branching program. 
+ Compute its digest $\mathbf{h}_{\BPR,i} = \mathbf{A}_{\mathrm{HBP}} \cdot \mathbf{z}_{\BPR,i} \in \Zq^n$. + % via the matrix $\mathbf{A}_{\mathrm{HBP}} \in \Zq^{n \times \zeta} $. + \item[b.] Using $SK_{sig}$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the message + $\mathfrak{m}_i=\mathsf{vdec}_{2n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i|\mathbf{h}_{\BPR,i}) \in \{0,1\}^{m_d}$ obtained by decomposing $(\mathbf{a}_i^T | \mathbf{b}_i^T | \mathbf{h}_{\BPR,i}^T )^T \in \Zq^{2n+t}$. + \end{itemize} + \item[6.] The database's public key is defined as + $ PK_{\mathrm{DB}}= \bigl( PK_{sig} ,~(\mathbf{F},\mathbf{P}),~\mathbf{A}_\mathrm{HBP}\bigr) $ + while the encrypted database is + $ \{ER_i=\big(\mathbf{a}_i,\mathbf{b}_i,(\tau_i,\mathbf{v}_i ) \big), \BPR_i \}_{i=1}^N. $ + The sender $\mathsf{DB}$ outputs + $ \bigl( PK_{\mathrm{DB}} ,\{ER_i, \BPR_i \}_{i=1}^N \bigr) $ + and keeps $SK_{\mathsf{DB}}=\big(SK_{sig},\mathbf{S} \big)$.\smallskip + \end{itemize} + + \item[\textsf{Transfer}$\big(\mathsf{DB}(SK_{\mathsf{DB}},PK_{\mathsf{DB}},PK_I),\USR(\rho,st_\USR,PK_I,PK_\mathsf{DB},ER_\rho,\BPR_\rho) \big)$:] Given an index + $\rho \in [N]$, a + record + $ER_\rho =\big(\mathbf{a}_\rho,\mathbf{b}_\rho,(\tau_\rho,\mathbf{v}_\rho ) \big) $ and a policy $\BPR_{\rho}$, the user $\USR$ parses + $st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$. If $C_\USR$ does not contain any $\mathbf{x} \in \{0,1\}^\kappa$ s.t. + $\BPR_{\rho}(\mathbf{x})=1$ and $\mathsf{Cred}_{\USR}$ contains the corresponding $\crt_{\USR,\mathbf{x}}$, $\USR$ outputs $\perp$. Otherwise, he + selects such a pair $(\mathbf{x},\crt_{\USR,\mathbf{x}})$ and interacts with $\mathsf{DB}$: \smallskip + \begin{itemize} + \item[1.] 
If $f_{DB}=0$, $\USR$ interacts with $\mathsf{DB}$ for the first time and requires $\mathsf{DB}$ to prove knowledge of small-norm $\mathbf{S} \in \ZZ^{n \times t}$, $\mathbf{E} \in \ZZ^{m \times t}$, $\{\mathbf{x}_i\}_{i=1}^N$ and +$t$-bit messages $\{M_i\}_{i=1}^N$ satisfying~\eqref{PK-gen-ac}-\eqref{init-db-ac}. To do this, $\mathsf{DB}$ uses the ZK argument in Section~\ref{subsection:ZK-protocol-1}. + % to prove knowledge of short matrices $\mathbf{S} \in \ZZ^{n \times t}$ and $\mathbf{E} \in \chi^{m \times t}$ and + % $t$-bit messages $\{M_i\}_{i=1}^N$ - + %satisfying (\ref{PK-gen-ac})-(\ref{init-db-ac}). To this end, $\mathsf{DB}$ does the following. \smallskip \smallskip + %\begin{itemize} + % \item[a.] + % Define $\mathbf{A}_{\mathsf{DB}}=[\mathbf{a}_1 | \ldots | \mathbf{a}_N] \in \Zq^{n \times N}$, $\mathbf{B}_{\mathsf{DB}}=[\mathbf{b}_1 | \ldots | \mathbf{b}_N] \in \Zq^{t \times N}$, $\mathbf{M}=[M_1 | \ldots | M_N] + % \in \{0,1\}^{t \times N}$, + %$\mathbf{X}=[\mathbf{x}_1 | \ldots | \mathbf{x}_N] \in \chi^{ t \times N}$ + %and parse $\mathbf{S}$ and $\mathbf{E}$ as $\mathbf{S}=[\mathbf{s}_1 | \ldots | \mathbf{s}_t] \in \chi^{n \times t}$, + %$\mathbf{E}=[\mathbf{e}_1 | \ldots | \mathbf{e}_t] \in \chi^{m \times t}$. + %\item[b.] For each $j \in [t]$, define $\bar{M}_j \in \{0,1\}^N$ to be the $j$-th column of $\mathbf{M}^T$. Likewise, + % let $\bar{\mathbf{b}}_j \in \Zq^N$ (resp. $\bar{\mathbf{x}}_j \in \chi^N$) be the $j$-th column of $\mathbf{B}_{\mathsf{DB}}^T \in \Zq^{N \times t} $ + %(resp. $\mathbf{X}^T $). Note that (\ref{init-db-ac}) can be written + %\begin{eqnarray*} + % \mathbf{B}_{\mathsf{DB}}^T = \mathbf{A}_{\mathsf{DB}}^T \cdot \mathbf{S} + \mathbf{X}^T + \mathbf{M}^T \cdot \lfloor q/2 \rfloor . 
+ %\end{eqnarray*} + %For each $j \in [t]$, $\mathsf{DB}$ argues knowledge + %of $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$ such that + %\begin{eqnarray} \label{sender-proof-ac} + % \left[ \begin{array}{c|c|c|c} ~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~ & ~ ~\\ \hline + % ~\mathbf{A}_{\mathsf{DB}}^T ~ & ~ ~ & ~ \mathbf{I}_N ~ & ~ \lfloor q/2 \rfloor \cdot \mathbf{I}_N ~ + %\end{array} \right] + %\cdot \begin{bmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \bar{\mathbf{x}}_j \\ \hline \bar{{M}}_j \end{bmatrix} = \begin{bmatrix} + % \mathbf{p}_j \\ \hline + % \bar{\mathbf{b}}_j + %\end{bmatrix} + %\end{eqnarray} + %\item[c.] + If there exists $i \in [N]$ such that $(\tau_i,\mathbf{v}_i)$ is an invalid signature + on $\mathsf{vdec}_{2n+t,q-1} (\mathbf{a}_i^T|\mathbf{b}_i^T|\mathbf{h}_{\BPR,i}^T)^T $ or if the ZK argument does not verify, $\USR$ aborts. Otherwise, $\USR$ updates $st_\USR$ and sets $f_{DB}=1$. + %\end{itemize} +\end{itemize} +%\vspace*{-0.05cm} +\begin{itemize} +\item[2.] $\USR$ re-randomizes the pair $(\mathbf{a}_\rho,\mathbf{b}_\rho )$ contained in $ER_\rho$. It samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and $\nu \sample U([-B,B]^t)$ to compute +\begin{eqnarray} \label{rand-CT-ac} +(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t, + \qquad +\end{eqnarray} +which is sent to $\mathsf{DB}$ as a re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. 
Then, $\USR$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated +with a policy $\BPR_\rho$ for which $\USR$ has a credential $\crt_{\USR,x}$ for some $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR_\rho (\mathbf{x})=1$. +%To this end, $\USR$ uses the technique of Section \ref{ineff-method}. +In addition, $\USR$ +demonstrates possession of: (i) a preimage $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta $ of +$\mathbf{h}_{\BPR,\rho} = \mathbf{A}_{\mathrm{HBP}} \cdot \mathbf{z}_{\BPR,\rho} \in \Zq^n$; (ii) a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ for the corresponding $\mathbf{x} \in \{0,1\}^\kappa$ and the private key $\mathbf{e}_\USR \in \{0,1\}^m$ for the pseudonym $P_\USR$ to which $\mathbf{x}$ is bound; (iii) the coins leading to the randomization of some +$(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$. +Then entire step is conducted + by arguing knowledge of +\begin{eqnarray*} +\left\{ +\begin{array}{l} + \mathbf{e}_{\USR} \in \bit^m, \mathfrak{m}_{\USR,\mathbf{x}} \in \{0,1\}^{m_I} ,~\mathbf{x} \in \{0,1\}^\kappa,~\widehat{\mathfrak{m}}_{\USR,\mathbf{x}} \in \{0,1\}^{m/2} + \\ +\tau_{\USR} \in \{0,1\}^{\ell_I},~\mathbf{v}_{\USR}=(\mathbf{v}_{\USR,1}^T | \mathbf{v}_{\USR,2}^T)^T \in [-\beta,\beta]^{2m}, ~\mathbf{r}_{\USR} \in [-\beta,\beta]^m \\ \qquad + \qquad \qquad \quad ~~~~~~~~~~~~~~ \text{ \scriptsize // signature on $\mathfrak{m}_{\USR,\mathbf{x}}=(\mathsf{vdec}_{n,q-1}(P_\USR)^T| \mathbf{x}^T)^T $ } \\ +\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta \qquad ~~~~~~~~~~~~\text{\scriptsize // representation of $\BPR_{\rho}$ } \\ + \mathfrak{m} \in \{0,1\}^{m_d}, ~\tau \in \{0,1\}^{\ell},~ \mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m} \\ \qquad + \qquad \qquad \quad ~~~~~~~~~~~~~~ \text{ \scriptsize // signature on $\mathfrak{m}=\mathsf{vdec}_{2n+t,q-1}(\mathbf{a}_i^T| \mathbf{b}_i^T|\mathbf{h}_{\BPR,\rho}^T)^T $ } \\ + ~\mathbf{e} \in \{-1,0,1\}^t, ~\mu \in 
\{0,1\}^t, ~ +\nu \in [-B,B]^t,\\ + \qquad \qquad \qquad \quad ~~~~~~~~~~~~~~~ \text{\scriptsize // coins allowing the re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_\rho) $ } +\end{array} + \right. +\end{eqnarray*} +satisfying the relations (modulo $q$) +%\begin{eqnarray} \label{statement-rand-un-ac} +%\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} + + %\left[ \begin{array}{c|c|c|c} + %~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex} + % ~\mathbf{P}^{T}~ & ~ \mathbf{I}_t \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline + %& & & - \mathbf{A}_{\mathrm{HBP}} + %\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline + % \mathbf{z}_{\BPR,\rho} + %\end{bmatrix} &=& \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \qquad \quad +%\end{eqnarray} +%(recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $) +%and +%\begin{eqnarray} \label{statement-rand-deux-ac} +%\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u}, +%\end{eqnarray} +\begin{eqnarray}\label{statement-rand-trois-ac} +\begin{cases} +\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} + + \left[ \begin{array}{c|c|c|c} + ~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex} + ~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline + & & & - \mathbf{A}_{\mathrm{HBP}} + \end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline + \mathbf{z}_{\BPR,\rho} + \end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip + \text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)}} \\[2.5pt] +\mathbf{A}\cdot \mathbf{v}_1 + 
\mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt] +\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} + + \sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2}) - \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt] +\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}} - \mathbf{H}_{n,q-1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt] +\left[ + \begin{array}{c|c} + \mathbf{H}_{n,q-1} & \mathbf{0} \\ + \hline \rule{0pt}{2.6ex} + \mathbf{0} & \mathbf{I}_\kappa \\ + \end{array} +\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[ + \begin{array}{c} + -\bar{\mathbf{A}} \\ + \mathbf{0} \\ + \end{array} + \right]\cdot \mathbf{e}_{\mathsf{U}} + \left[ + \begin{array}{c} + \mathbf{0} \\ + -\mathbf{I}_\kappa \\ + \end{array} + \right]\cdot \mathbf{x} = \mathbf{0} +\end{cases} +\end{eqnarray} +and such that $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta$ encodes $\BPR_\rho$ such that $\BPR_\rho (\mathbf{x})=1$. +This is done by running the argument system described in Section~\ref{subsection:ZK-Protocol4-BP}. + +\item[3.] If the ZK argument of step 2 verifies, $\mathsf{DB}$ decrypts $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ to +obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$ +which is returned to $\USR$. 
Then, $\mathsf{DB}$ argues knowledge of + $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$ +of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$) +\begin{eqnarray*} +\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor . +\end{eqnarray*} +To this end, $\mathsf{DB}$ uses the ZK argument system of Section~\ref{subsection:ZK-protocol-2}. + +\item[4.] If the ZK argument produced by $\mathsf{DB}$ does not verify, $\USR$ outputs $\perp$. Otherwise, $\USR$ recalls +the string $\mu \in \{0,1\}^t$ and outputs $M_{\rho_i}=M' \oplus \mu$. +\end{itemize} +\end{description} + + Like our construction of Section \ref{OT-scheme}, the above protocol requires the $\mathsf{DB}$ to repeat a ZK proof of communication complexity +$\Omega(N)$ with each user $\USR$ during the initialization phase. By applying the Fiat-Shamir heuristic as in Appendix~\ref{optimized}, the cost of the initialization phase +can be made independent of the number of users: the sender can publicize $ \bigl( PK_{\mathrm{DB}} ,\{ER_i, \BPR_i \}_{i=1}^N \bigr) $ along + with a with a universally verifiable non-interactive proof of well-formedness. + + +The security of the above protocol against static corruptions is proved in~\cite{LLM+17}, under the $\SIS$ and $\LWE$ assumptions and is similar to the previous proofs. + +\input{merge}
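Review bot: in the witness list of Transfer step 2 the re-randomization coins are declared as `\mathbf{e} \in \{-1,0,1\}^t`, but step 2 samples `\mathbf{e} \sample U(\{-1,0,1\}^m)` and multiplies it by $\mathbf{F} \in \Zq^{n \times m}$ in (rand-CT-ac), so the exponent must be $m$, not $t$; as written the relation (statement-rand-trois-ac) is dimensionally inconsistent. In the same block the comment on the database signature reads `\mathfrak{m}=\mathsf{vdec}_{2n+t,q-1}(\mathbf{a}_i^T| \mathbf{b}_i^T|\mathbf{h}_{\BPR,\rho}^T)^T`, mixing the index $i$ with $\rho$; the statement concerns record $\rho$, so both should be $\rho$ (step 4 likewise outputs $M_{\rho_i}$ although this transfer only has a $\rho$). The witness $\mathbf{v} \in \ZZ^{2m}$ carries no norm bound while $\mathbf{v}_{\USR} \in [-\beta,\beta]^{2m}$ does; the signature relation is only binding with a bound on $\mathbf{v}$, so it should be stated as for $\mathbf{v}_{\USR}$. Two typos: "Then entire step is conducted" should read "The entire step is conducted", and "along with a with a universally verifiable" repeats "with a". Finally, $\mathbf{z}_{\BPR,i} \in [0,4]^\zeta$ is introduced as "the binary representation of the branching program" although its entries range over $\{0,\ldots,4\}$; "encoding" or "representation" would be accurate.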