Update biblio + add proofs for group signature

This commit is contained in:
Fabrice Mouhartem 2018-04-30 18:04:36 +02:00
parent a6b9f5a2f7
commit afe5c83cf8
3 changed files with 848 additions and 21 deletions


@ -192,11 +192,6 @@ as $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u \in \Zq^n$. The pu
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big)$$
is given to $\adv$.
%Hence,
% $\bdv$ is able to compute a trapdoor $\mathbf{T}_{\tau^{(i)}} \in \ZZ^{2m \times 2m}$ for each matrix $\{\mathbf{A}_{\tau^{(i)}} \}_{i=1}^Q $ (see~\cite[Se.~4.2]{ABB1},
% using the basis~$\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$.
At the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)}) \in (\{0,1\}^{2m})^N$, $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature.
To do this, $\bdv$ first samples $\mathbf{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in \Zq^m$ as
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } \bigr) ~~ \bmod q.$$
@ -742,7 +737,7 @@ The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
\smallskip
\item[\textsf{Game} 1:] This game is like \textsf{Game} $0$ with the difference that, at each execution of the $\mathsf{Prove}$ protocol, the challenger runs the zero-knowledge
simulator of the interactive proof system. The latter simulator uses either a trapdoor hidden in the common reference string (if Damg\aa rd's technique \cite{Damg00} is used) or
simulator of the interactive proof system. The latter simulator uses either a trapdoor hidden in the common reference string (if Damg\aa rd's technique \cite{Dam00} is used) or
proceeds by programming the random oracle which allows implementing the Fiat-Shamir heuristic. In either case, the statistical zero-knowledge property ensures that the
adversary cannot distinguish \textsf{Game} $1$ from \textsf{Game} $0$ and $|\Pr[W_1] - \Pr[W_0] | \in \mathsf{negl}(\lambda)$.
\smallskip
@ -758,6 +753,806 @@ The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
produced without any witness.
\end{proof}
\section{A Dynamic Lattice-Based Group Signature} \label{see:lwe-gs-desc}
In this section, the signature scheme of Section \ref{se:gs-lwe-sigep} is used to design a group signature for dynamic groups using the syntax and the security model of Kiayias and Yung \cite{KY06}, which is recalled in \cref{sse:gs-definitions}.
In the notations hereunder, for any positive integers $\mathfrak{n}$, and $q \geq 2$, we define the ``powers-of-2'' matrix $\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \in \ZZ_q^{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil}$ to be:
\begin{eqnarray*}
\mathbf{H}_{\mathfrak{n} \times \mathfrak{n} \lceil\log q\rceil } &=& \mathbf{I}_{\mathfrak{n}} \otimes [1 \mid 2 \mid 4 \mid \ldots \mid 2^{\lceil\log q\rceil-1} ] .
%\\ &=& \begin{bmatrix} 1 ~2~4 ~ \ldots ~2^{\lceil\log q\rceil-1} & & & & \\
% & & & \ddots & \\
% & & & & 1 ~2~4 ~ \ldots ~2^{\lceil\log q\rceil-1} \\
%\end{bmatrix}.
\end{eqnarray*}
Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\bit(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion.
Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$. \\
\indent
In our scheme, each group membership certificate is a
signature generated by the group manager on the user's public key. Since the group manager only needs to sign known (rather than committed) messages, we can
use a simplified version of the signature, where the chameleon hash function does not need to choose
the discrete Gaussian vector $\mathbf{s}$ with a larger standard deviation than other vectors. \\
\indent
A key component of the scheme is the two-message joining protocol whereby the group manager admits new group members by signing their public key. The first message is sent by
the new user $\mathcal{U}_i$ who samples a membership secret consisting of a short vector $\mathbf{z}_i \sample D_{\ZZ^{4m},\sigma}$ (where $m= 2n \lceil\log q\rceil$), which is used to compute a
syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ for some public matrix $\mathbf{F} \in \ZZ_q^{4n \times 4m} $. This syndrome $\mathbf{v}_i \in \ZZ_q^{4n}$ must be signed by $\mathcal{U}_i$ using his long term secret key $\mathsf{usk}[i]$ (as in
\cite{KY06,BSZ05}, we assume that each user has a long-term key $\mathsf{upk}[i]$ for a digital signature, which is registered in some PKI) and will uniquely
identify $\mathcal{U}_i$.
In order to generate a membership certificate for $\mathbf{v}_i \in \ZZ_q^{4n}$, the group manager $\mathsf{GM}$ signs its binary expansion
$\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ using the scheme of Section \ref{se:gs-lwe-sigep}. \\ \indent Equipped with his membership
certificate $(\tau,\mathbf{d},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$, the new group member $\mathcal{U}_i$ can sign a message using a Stern-like protocol for
demonstrating his knowledge of
a valid certificate for which he also knows the secret key associated with the certified public key $\mathbf{v}_i \in \ZZ_q^{4n}$. This boils down to
providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$
for which he also knows a short $\mathbf{z}_i \in \ZZ^{4m}$
such that
$ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$. \\
\indent Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures
\cite{AFG+10}, the joining protocol thus remains secure in environments where many users want
to register at the same time in concurrent sessions. \\
\indent We remark that a similar Stern-like protocol could also be directly used to prove knowledge of a Boyen signature \cite{Boy10} on a binary expansion of the
user's syndrome $\mathbf{v}_i \in \ZZ_q^{4n}$ while preserving the user's ability to prove knowledge of a short $\mathbf{z}_i \in \ZZ^{4m}$ such that $\mathbf{F} \cdot \mathbf{z}_i =
\mathbf{v}_i \bmod q$. However, this would require considerably longer private keys containing $ 4n \cdot \log q$ matrices $\{\mathbf{A}_j\}_{j=0}^\ell$ of dimension $n \times
m$ each (i.e., we would need $\ell= \Theta(n \cdot \log q)$). In contrast, by using the signature scheme of Section \ref{se:gs-lwe-sigep}, we only need the group public key
$\mathcal{Y}$ to contain $\ell=\log N_{\mathsf{gs}}$ matrices in $\ZZ_q^{n \times m}$. Since the number of users $N_{\mathsf{gs}}$ is polynomial, we have $\log
N_{\mathsf{gs}} \ll n$, which results in a much more efficient scheme.
\subsection{Description of the Scheme}
\begin{description}
\item[\textsf{Setup}$(1^\lambda,1^{N_{\mathsf{gs}}})$:] Given a security parameter $\lambda>0$
and the maximal expected number of group members ${N_{\mathsf{gs}}}=2^{\ell} \in
\mathsf{poly}(\lambda)$, choose lattice parameter
$n = \mathcal{O}(\lambda)$; prime modulus $q = \widetilde{\mathcal{O}}(\ell n^3)$; dimension $m =2 n\lceil \log q\rceil$; Gaussian parameter $\sigma = \Omega(\sqrt{n\log q}\log n)$; infinity norm bounds $\beta = \sigma\omega({\log m})$ and $B = \sqrt{n} \omega(\log n)$. Let $\chi$ be a $B$-bounded distribution.
Choose a hash function $H:\{0,1\}^*
\rightarrow \{1,2,3\}^t$ for some $t = \omega(\log n)$,
which will be modeled as a random oracle in the security analysis.
Then, do the following. \smallskip \smallskip
% \vspace{-0.3 cm}
\begin{itemize}
\item[1.] Generate a key pair for the signature of Section \ref{desc-sig-protoc} for signing single-block messages. Namely, run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A})$, which allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose matrices
$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample U(\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample U(\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample U(\ZZ_q^n)$.
\item[2.] Choose an additional random matrix $\mathbf{F} \sample U(\ZZ_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks.
\item[3.]
Generate a master key pair for the Gentry-Peikert-Vaikuntanathan IBE scheme
in its multi-bit variant. This key pair consists of a statistically uniform matrix
$\mathbf{B} \in \ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{B}} \in
\ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{B})$. This basis will allow us to compute GPV private keys with a
Gaussian parameter $\sigma_{\mathrm{GPV}} \geq \| \widetilde{\mathbf{T}}_{\mathbf{B}} \| \cdot
\sqrt{\log m}$.
\item[4.] Choose a one-time signature scheme $\Pi^\mathrm{OTS}=(\mathcal{G},\mathcal{S},\mathcal{V})$ and a hash function $H_0:\{0,1\}^* \rightarrow \ZZ_q^{ n \times 2m}$,
that will be modeled as random oracles.
\end{itemize}
The group public key is defined
as $$\mathcal{Y}:=\big( \mathbf{A}, ~
\{\mathbf{A}_j \}_{j=0}^{\ell},~\mathbf{B}, ~\mathbf{D},~ \mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}, ~\mathbf{u} , ~\Pi^\mathrm{OTS}, ~ H,~H_0 \big).$$
The opening authority's private key is $\mathcal{S}_{\OA}:=
\mathbf{T}_{\mathbf{B}} $ and the private key of the group manager consists of $\mathcal{S}_{\GM}:= \mathbf{T}_{\mathbf{A}}$. The algorithm outputs
$\big( \mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA} \big)$.
\bigskip
\item[\textsf{Join}$^{(\mathsf{GM},\mathcal{U}_i)}$:] the group manager $\GM$ and the prospective user $\mathcal{U}_i$ run the following interactive protocol: \smallskip
$\left\langle \mathsf{J}_{\user}(\lambda,\mathcal{Y}),\mathsf{J}_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \right\rangle$
\begin{itemize}
\item[1.] $\mathcal{U}_i$ samples a discrete Gaussian vector $\mathbf{z}_{i} \leftarrow D_{\ZZ^{4m},\sigma}$ and computes $\mathbf{v}_{i} = \mathbf{F} \cdot \mathbf{z}_{i} \in \ZZ_q^{ 4n}$.
He sends the vector $\mathbf{v}_{i} \in \ZZ_q^{4n}$, whose binary representation $\mathsf{bin}(\mathbf{v}_i)$ consists of $4n\lceil\log q\rceil = 2m$ bits, together with an ordinary digital signature $sig_i = \mathrm{Sign}_{\usk[i]}(\mathbf{v}_i)$ to $\GM$.
\item[2.] $\mathsf{J}_{\GM}$ verifies that $\mathbf{v}_i$ was not previously used by a registered user and that
$sig_i$ is a valid signature on $ \mathbf{v}_i $ w.r.t. $\upk[i]$. It aborts if this is not the case. Otherwise, $\GM$ chooses a fresh $\ell$-bit identifier $\mathsf{id}_i=\mathsf{id}_i[1]\ldots \mathsf{id}_i[\ell]
\in \{0,1\}^{\ell}$ and
uses $\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ to certify
$\mathcal{U}_i$ as a new group member. To this end, $\GM$
defines the matrix
\begin{eqnarray} \label{matr}
\mathbf{A}_{\mathsf{id}_i}= \left[ \begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \mathsf{id}_i[j] \mathbf{A}_j
\end{array} \right] \in \ZZ_q^{ n \times 2m}.
\end{eqnarray}
Then, $\GM$ runs $\mathbf{T}_{\mathsf{id}_i}' \leftarrow
\ExtBasis(\mathbf{A}_{\mathsf{id}_i},\mathbf{T}_{\mathbf{A}})$ to obtain a short delegated basis
$\mathbf{T}_{\mathsf{id}_i}'$ of $\Lambda_q^{\perp}(\mathbf{A}_{\mathsf{id}_i}) \in \ZZ^{ 2m \times 2m }$.
Finally, $\GM$ samples a short vector $\mathbf{s}_i \sample D_{\ZZ^{2m},\sigma }$ and uses the obtained delegated basis $\mathbf{T}_{\mathsf{id}_i}' $ to compute a short vector
$\mathbf{d}_i = \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} \in \ZZ^{2m}$ such that
\begin{eqnarray} \nonumber
\mathbf{A}_{\mathsf{id}_i} \cdot \mathbf{d}_i &=& \left[ \begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \mathsf{id}_i[j] \mathbf{A}_j
\end{array} \right] \cdot \mathbf{d}_i\\
\label{rel-cert} &=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) \bmod q. \quad
\end{eqnarray}
The triple $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ is sent to $\mathcal{U}_i$. Then,
$\mathsf{J}_{\user}$ verifies that the received $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ satisfies (\ref{rel-cert}) and that
$\| \mathbf{d}_i \|_\infty \leq \beta$, $\| \mathbf{s}_i \|_\infty \leq \beta $. If these conditions are not satisfied, $\mathsf{J}_{\user}$ aborts.
Otherwise,
$\mathsf{J}_{\user}$ defines the membership
certificate as
$ \crt_{i }=( \mathsf{id}_i, \mathbf{d}_i,\mathbf{s}_i )$.
The membership secret $\scr_{i }$ is defined to be $\scr_i=\mathbf{z}_i \in \ZZ^{4m}$. $\mathsf{J}_{\GM}$ stores
$\transcript_i=(\mathbf{v}_i, \crt_i, i,\mathsf{upk}[i],sig_i)$
in the database $St_{trans}$ of joining transcripts. \smallskip \smallskip
\end{itemize}
\item[\textsf{Sign}$(\mathcal{Y},\crt_i,\scr_i ,M)$:] To sign $M \in
\{0,1\}^*$ using $\crt_i=(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$, where $\mathbf{d}_i=[ \mathbf{d}_{i,1}^T \mid \mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ and $\mathbf{s}_i \in \ZZ^{2m}$, as
well as the membership secret $\scr_i=\mathbf{z}_i \in \ZZ^{4m}$, the group
member $\mathcal{U}_i$ generates a one-time signature key pair $(\mathsf{VK},\mathsf{SK}) \leftarrow \mathcal{G}(n)$ and conducts the following steps. \smallskip
\begin{itemize}
\item[1.] Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{ n \times 2m}$ and use it as an IBE public key to encrypt
$\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ is the syndrome of
$\scr_i=\mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $ \mathbf{c}_{\mathbf{v}_i} \in \ZZ_q^m \times \ZZ_q^{2m}$ as
\begin{eqnarray} \label{enc1}
\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \bit(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad
%\\ \nonumber && \hspace{4cm}\in \ZZ_q^m \times \ZZ_q^{2m}
\end{eqnarray}
for randomly chosen $\mathbf{e}_0 \sample \chi^n$, $\mathbf{x}_1 \sample \chi^m, \mathbf{x}_2 \sample \chi^{2m} $.
Notice that, as in the construction of \cite{LNW15}, the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version
of the dual Regev encryption scheme.
\item[2.] Run the protocol in Section~\ref{subsection:zk-for-group-signature} to prove the knowledge of $\mathsf{id}_i
\in \{0,1\}^{\ell}$,
vectors $\mathbf{s}_i \in \ZZ^{2m}, \mathbf{d}_{i,1},\mathbf{d}_{i,2} \in \ZZ^{m},\mathbf{z}_i \in \ZZ^{4m}$ with infinity norm bound $\beta $; $\mathbf{e}_0 \in \ZZ^n$, $\mathbf{x}_1 \in \ZZ^m, \mathbf{x}_2 \in \ZZ^{2m} $ with infinity norm bound $B$
and $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that satisfy
\eqref{enc1} as well as
\begin{eqnarray} \label{rel-deux}
\mathbf{A} \cdot \mathbf{d}_{i,1} + \mathbf{A}_0 \cdot \mathbf{d}_{i,2} + \sum_{j=1}^{\ell} ( \mathsf{id}_i[j] \cdot \mathbf{d}_{i,2}) \cdot \mathbf{A}_j
- \mathbf{D} \cdot \mathbf{w}_i = \mathbf{u} \in \ZZ_q^n
\end{eqnarray}
and
\vspace*{-0.75cm}
\begin{eqnarray} \label{eq:rel-3}
\left\{
\begin{array}{l}
\mathbf{H}_{2n \times m} \cdot \mathbf{w}_{i} = \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \ZZ_q^{2n} \\
\mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) \in \ZZ_q^{4n}.
\end{array}
\right.
\end{eqnarray}
The protocol is repeated $t = \omega(\log n)$ times in parallel to achieve negligible soundness error, and then made non-interactive using the Fiat-Shamir
heuristic~\cite{FS86} as a triple $\pi_K=(
\{\mathsf{Comm}_{K,j}\}_{j=1}^t,\mathsf{Chall}_K,\{\mathsf{Resp}_{K,j}\}_{j=1}^t)$,
where $\mathsf{Chall}_K = H(M, \vk, \mathbf{c}_{\mathbf{v}_i},
\{ \mathsf{Comm}_{K,j}\}_{j=1}^t) \in \{1,2,3\}^t$
\item[3.] Compute a one-time signature $sig=\mathcal{S}(\mathsf{SK},(\mathbf{c}_{\mathbf{v}_i} , \pi_K))$. \smallskip
\end{itemize}
Output the signature that consists of
\begin{equation} \label{eq:sig-final} \Sigma=\big( \mathsf{VK} ,\mathbf{c}_{\mathbf{v}_i}, \pi_K,sig \big).
\end{equation}
\smallskip
\item[\textsf{Verify}$(\mathcal{Y},M,\Sigma)$:] Parse the signature $\Sigma$ as in
(\ref{eq:sig-final}). Then, return $1$ if and only if:
(i) $\mathcal{V}(\mathsf{VK},(\mathbf{c}_{\mathbf{v}_i},\mathbf{c}_{\mathbf{s}_i},\mathbf{c}_{\mathsf{id}},\pi_K),sig)=1$;
(ii) The proof $\pi_K$ properly verifies. \smallskip %Otherwise, return $0$. \smallskip
\item[\textsf{Open}$(\mathcal{Y},\mathcal{S}_{\OA},M,\Sigma)$:] Parse~$\mathcal{S}_{\OA}$ as~$
\mathbf{T}_{\mathbf{B}} \in \ZZ^{m \times m}$ and $\Sigma$ as
in~(\ref{eq:sig-final}). \smallskip
\begin{itemize}
\item[1.]
Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{n \times 2m}$. Then, using $\mathbf{T}_{\mathbf{B}}$
to compute a small-norm matrix
$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.
\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\bit(\mathbf{v} ) \in \{0,1\}^{2m}$
(i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip
\item[3.] Determine if the $\bit(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.
\end{itemize}
\end{description}
We remark that the scheme readily extends to provide a mechanism whereby the opening authority can efficiently prove that signatures were correctly opened at each opening operation.
The difference between the dynamic group signature models suggested by Kiayias and Yung \cite{KY06} and Bellare \textit{et al.} \cite{BSZ05} is that, in the latter, the opening authority
($\mathsf{OA}$) must be able to convince a judge that the $\mathsf{Open}$ algorithm was run correctly.
Here, such a mechanism can be realized using the techniques of public-key encryption with non-interactive opening \cite{DHKT08}. Namely, since
$\bit(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\vk$, the $\mathsf{OA}$ can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}} $,
that satisfies $\mathbf{B} \cdot \mathbf{E}_{0,\vk} = \mathbf{G}_0 \bmod q$ (which corresponds to the verification of a GPV signature) and allows the verifier to perform step 2 of the opening
algorithm himself. The resulting construction is easily seen to satisfy the notion of opening soundness of Sakai \textit{et al.} \cite{SSE+12}.
\subsection{Efficiency and Correctness}
\textsc{Efficiency.} The given dynamic group signature scheme can be implemented in polynomial time. The group public key has total bit-size $\mathcal{O}(\ell n m \log q) = \widetilde{\mathcal{O}}(\lambda^2)\cdot \log N_\textsf{gs}$. The secret signing key of each user consists of a small constant number of low-norm vectors, and has bit-size $\widetilde{\mathcal{O}}(\lambda)$.
The size of each group signature is largely dominated by that of the non-interactive argument $\pi_K$, which is obtained from the Stern-like protocol of Section~\ref{subsection:zk-for-group-signature}. Each round of the protocol has communication cost $\widetilde{\mathcal{O}}(m \cdot \log q) \cdot \log N_\textsf{gs}$. Thus, the bit-size of $\pi_K$ is $t\hspace*{-1pt}\cdot\hspace*{-1pt} \widetilde{\mathcal{O}}(m \hspace*{-1pt}\cdot\hspace*{-1pt} \log q) \hspace*{-1pt}\cdot\hspace*{-1pt} \log N_\textsf{gs} = \widetilde{\mathcal{O}}(\lambda)\hspace*{-1pt}\cdot \hspace*{-1pt}\log N_\textsf{gs}$. This is also the asymptotic bound on the size of the group signature.
\smallskip
\noindent
\textsc{Correctness.} The correctness of algorithm \textsf{Verify}$(\mathcal{Y},M,\Sigma)$ follows from the facts that every certified group member is able to compute valid witness vectors satisfying equations~(\ref{enc1}), (\ref{rel-deux}) and (\ref{eq:rel-3}), and that the underlying argument system is perfectly complete. Moreover, the scheme parameters are chosen so that the GPV IBE~\cite{GPV08} is correct, which implies that algorithm \textsf{Open}$(\mathcal{Y},\mathcal{S}_{\OA},M,\Sigma)$ is also correct.
\subsection{Security Analysis}
Due to the fact that the number of public matrices $\{\mathbf{A}_j\}_{j=0}^\ell$ is only logarithmic in ${N_{\mathsf{gs}}}=2^\ell$ instead of being linear in the security parameter $\lambda$,
the proof of security against misidentification attacks (as defined in \cref{sse:gs-sec-notions}) cannot rely on the security of our signature scheme in a modular manner.
The reason is that, at each run of the $\mathsf{Join}$ protocol, the group manager maintains a state and, instead of choosing the $\ell$-bit identifier $\mathsf{id}$ uniformly in
$\{0,1\}^{\ell}$, it chooses an identifier that has not been used yet. Since $\ell \ll \lambda$ (given that ${N_{\mathsf{gs}}}=2^\ell$ is polynomial in $\lambda$), we thus have
to prove security from scratch. However, the strategy of the reduction is exactly the same as in the security proof of the signature scheme.
\begin{theorem} \label{traceability-thm}
The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\beta'}$ assumption, for $\beta' \hspace*{-1pt}=\hspace*{-1pt} \mathcal{O}(\ell \sigma^2 m^{3/2})$.
\end{theorem}
\begin{proof}
We prove that any adversary $\adv$ with non-negligible success probability $\varepsilon$ implies an algorithm $\bdv$ solving the \textsf{SIS} problem
in the random oracle model. \\
\indent
Let $\adv$ be such a $\ppt$ adversary. We build a $\ppt$
algorithm $\bdv$ that uses $\adv$ to
solve~$\SIS_{n,2m,q,\beta'}$: specifically, $\bdv$ takes as input~$\bar{\mathbf{A}} = \begin{bmatrix} \bar{\mathbf{A}}_1 | \bar{\mathbf{A}}_2 \end{bmatrix} \in
\Zq^{n \times 2m}$, where $\bar{\mathbf{A}}_1,\bar{\mathbf{A}}_2 \in \Zq^{n \times m}$, and finds $\mathbf{w} \in
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{w}\| \leq \beta'$.
\medskip
\noindent \textbf{Initialization.} Algorithm~$\bdv$ first chooses a random $coin \sample
U(\{0,1,2\})$ as a guess for the kind of misidentification attack that $\adv$ will mount. Also, $\bdv$
chooses a random $\ell$-bit string $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$.
In
addition, $\bdv$
samples~$i^\star
\sample U([1,Q_a])$. \\
\indent
Looking ahead, $coin=0$ corresponds to the case where, after repeated executions of $\adv$, the knowledge extractor of the proof system
reveals witnesses containing a new identifier $\mathsf{id}^\star \in \{0,1\}^\ell$ that does not belong to any user in $U^a$.
In this case, $\bdv$ will be able to exploit $\adv$'s forgery when $\mathsf{id}^\star=\mathsf{id}^\dagger$.
The case $coin=1$ corresponds to $\bdv$'s expectation that the knowledge extractor will obtain the identifier $ \mathsf{id}^\star = \mathsf{id}^\dagger$ of a group member in
$ U^a$ (i.e., a group member that was legitimately introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query, for some $i^\star \in \{1,\ldots,Q_a\}$, where the identifier
$\mathsf{id}^\dagger$ is used by $\mathcal{Q}_{\ajoin}$),
but $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$ (which is encrypted in in $\mathbf{c}_{\mathbf{v}_i}^\star$ as part of the forgery $\Sigma^\star$) and the extracted $\mathbf{s}^\star \in \ZZ^{2m}$ are such that $ \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) \in \{0,1\}^m $
does not match
the string $ \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr) \in \{0,1\}^{2m} $ for which
user $i^\star$ obtained a membership certificate at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query. When $coin=1$, the choice of $i^\star$ corresponds to a guess that the knowledge
extractor will reveal an $\ell$-bit identifier that coincides with the identifier $\mathsf{id}^\dagger$ assigned to the user introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query.
The last case $coin=2$ corresponds to $\bdv$'s expectation that decrypting $\mathbf{c}_{\mathbf{v}_i}^\star$ (which is part of $\Sigma^\star$) and running
the knowledge extractor on $\adv$ will uncover vectors $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$, $\mathbf{w}^\star \in \{0,1\}^m$ and $\mathbf{s}^\star \in \ZZ^{2m}$
such that $\mathbf{w}^\star= \bit(\mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and
\begin{eqnarray} \label{collide}
\bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) = \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr)
\end{eqnarray}
but $(\bit ( \mathbf{v}^\star ), \mathbf{s}^\star) \neq ( \bit ( \mathbf{v}_{i^\star} ), \mathbf{s}_{i^\star} ) $, where $ \mathbf{v}_{i^\star} \in \Zq^{4n}$ and $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ are the vectors
involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query.
\\
\indent
Depending on $coin \in \{0,1,2\}$, the group public key $\mathcal{Y}$ is
generated using different methods. \smallskip
\noindent $\bullet$ If $coin=0$, algorithm~$\bdv$ first randomly chooses $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$ as a guess for the $\ell$-bit string
that will be revealed by the knowledge extractor of the proof system after repeated executions of the adversary $\adv$.
Then, it runs
$\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a
basis $\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ with
$\|\widetilde{\mathbf{T}_{\mathbf{C}}}\| \leq \bigO(\sqrt{n \log q})$. Then,
it chooses~$\ell+2$ matrices~$ \mathbf{Q}_0,\ldots,\mathbf{Q}_{\ell},\mathbf{Q}_D \in \ZZ^{m \times m}$,
each matrix having its columns sampled independently from~$D_{\ZZ^m,\sigma}$. Then, $\bdv$ defines the matrices $\{ \mathbf{A}_i\}_{i=0}^{\ell}$ as
\begin{eqnarray*}
\left\{
\begin{array}{ll}
\mathbf{A}_0 = \bar{\mathbf{A}}_1 \cdot \mathbf{Q}_0 + (\sum_{i=1}^{\ell} {\mathsf{id}^\dagger[i]}) \cdot
\mathbf{C} \\
\mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot \mathbf{Q}_i + (-1)^{\mathsf{id}^{\dagger}[j]} \cdot
\mathbf{C}, \quad \text{ for } j \in
[1,\ell]. \\
\mathbf{D} = \bar{\mathbf{A}}_1 \cdot \mathbf{Q}_D
\end{array}
\right.
\end{eqnarray*}
It also defines $\mathbf{A}=\bar{\mathbf{A}}_1$.
Next, it samples a vector $\mathbf{e}_u \sample D_{\ZZ,\sigma}^m$ and computes a syndrome $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \in \Zq^n$. It picks $\mathbf{D}_0,\mathbf{D}_1
\sample U(\Zq^{2n \times 2m})$ at random and also faithfully generates the GPV master key pair $(\mathbf{B},\mathbf{T}_{\mathbf{B}})$ as in Step~3 of the real setup algorithm. The group
public key $\mathcal{Y}=\big(\mathbf{A},\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{B}, \mathbf{D},\mathbf{D}_0,\mathbf{D}_1,\mathbf{F}, \mathbf{u},\mathcal{OTS},H,H_0 \big)$
is finally given to~$\adv$. \\
\indent Note that, for each $\mathsf{id} \neq \mathsf{id}^\dagger$, we have
\begin{eqnarray} \nonumber
\mathbf{A}_{\mathsf{id}} &=& \left[
\begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \mathbf{A}_0 +
\sum_{i=1}^\ell \mathsf{id}[i] \mathbf{A}_i
\end{array} \right] \\ \nonumber & = & \left[
\begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \bar{\mathbf{A}}_1 \cdot (\mathbf{Q}_0 +
\sum_{i=1}^{\ell} \mathsf{id}[i] \mathbf{Q}_i) + (
\sum_{i=1}^{\ell} \mathsf{id}^\dagger [i] +(-1)^{\mathsf{id}^\dagger[i]} \mathsf{id}[i])\cdot \mathbf{C}
\end{array} \right] \\ \label{sim-matr} &=&
\left[
\begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \bar{\mathbf{A}}_1 + h_{\mathsf{id}} \cdot \mathbf{C}
\end{array} \right]
% \vspace*{-.1cm}
\end{eqnarray}
where $h_{\mathsf{id}} \in [1,\ell]$ denotes the Hamming distance between
the identifiers $\mathsf{id}$ and $\mathsf{id}^\dagger$. Since $q>\ell$, we have
$h_{\mathsf{id}_j} \neq 0 \bmod q$ whenever $\mathsf{id}_j \neq \mathsf{id}^\dagger$, so
that algorithm $\bdv$ is able to compute (see~\cite[Se.~4.2]{ABB10},
using the basis~$\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ and
the refined $\GPVSample$ of Lemma~\ref{le:GPV}) a basis
$\mathbf{T}_{\mathsf{id}}$ of $\Lambda_q^{\perp}(\mathbf{A}_{\mathsf{id}})$
with~$\|\widetilde{\mathbf{T}_{\mathsf{id}}}\| \leq \Omega(\sqrt{n\log
q\log n})$. In contrast,
algorithm~$\bdv$ lacks a trapdoor for $\mathbf{A}_{\mathsf{id}^\dagger}$ as the
latter only depends on $\mathbf{A}$ and $\{\mathbf{Q}_k\}_{k=0}^{\ell}$.
Observe that, since the columns of the matrices~$\{\mathbf{Q}_k\}_{k=0}^\ell$ are sampled
from~$D_{\ZZ^m,\sigma}$, the
matrices~$ \mathbf{A}_0,\ldots,\mathbf{A}_{\ell}$ are within
statistical distance~$2^{-\Omega(m)}$ of~$U(\Zq^{n \times m})$.
\smallskip
\noindent $\bullet$ If $coin=1$, algorithm~$\bdv$ sets up $\mathcal{Y}$ by defining
$\mathbf{D}=\bar{\mathbf{A}}$. Initially, $\bdv$
chooses $Q_a-1$ distinct strings $\mathsf{id}_1, \ldots,\mathsf{id}_{i^\star-1}, \mathsf{id}_{i^\star+1},\ldots,\mathsf{id}_{Q_a} \in \{0,1\}^\ell$ such that, for each $i \in [1,Q_a] \backslash \{i^\star\}$, $\mathsf{id}_i$ will be embedded in the membership certificate
returned in the $i$-th $\mathcal{Q}_{\ajoin}$-query. Let also $\mathsf{id}^\dagger=\mathsf{id}_{i^\star}$ be the $\ell$-bit identifier
that will be used in the $i^\star$-th query.
The reduction $\bdv$ picks random $h_0,h_1,\ldots,h_\ell \in \Zq$ under the constraints
\begin{eqnarray*}
h_{\mathsf{id}^\dagger} = h_0 + \sum_{j=1}^\ell \mathsf{id}^\dagger[j] \cdot h_j &=& 0 \bmod q \\
h_{\mathsf{id}_i} = h_0 + \sum_{j=1}^\ell \mathsf{id}_i[j] \cdot h_j & \neq & 0 \bmod q \qquad \qquad i \in \{1,\ldots,Q_a\} \setminus \{i^\dagger\}
\end{eqnarray*}
Next, $\bdv$ runs $(\mathbf{C},\mathbf{T}_{\mathbf{C}}) \leftarrow \mathsf{TrapGen}(1^n,1^m,q)$, $(\mathbf{D}_1,\mathbf{T}_{\mathbf{D}_1}) \leftarrow \mathsf{TrapGen}(1^{2n},1^{2m},q)$ so as to obtain statistically random matrices $\mathbf{C} \in \Zq^{n \times m}$, $ \mathbf{D}_1 \in \Zq^{2n \times 2m}$ together with
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m} $, $\mathbf{T}_{\mathbf{D}_1} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_1)$, respectively. Then,
$\bdv$
picks a random $\mathbf{D}_0 \sample U(\Zq^{2n \times 2m})$ and re-randomizes $\mathbf{D}=\bar{\mathbf{A}}_1 \in \Zq^{n \times m}$ using Gaussian matrices
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$ whose columns are sampled from the distribution $D_{\ZZ^m,\sigma}$.
Namely, from $\mathbf{D} =\bar{\mathbf{A}}_1 $, $\bdv$
defines
\begin{eqnarray} \nonumber
\mathbf{A} &=& \bar{\mathbf{A}}_1 \cdot \mathbf{S} \\ \label{setup-sig2}
\mathbf{A}_0 &=& \bar{\mathbf{A}}_1 \cdot \mathbf{S}_0 + h_0 \cdot \mathbf{C} \\ \nonumber
\mathbf{A}_j &=& \bar{\mathbf{A}}_1 \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} .
\end{eqnarray}
As part of the generation of
$\mathcal{Y}$, the vector $\mathbf{u} \in \Zq^n$ is obtained by picking short discrete Gaussian vectors
$ \mathbf{d}_{i^\star,1}, \mathbf{d}_{i^\star,2} \sample D_{\ZZ^m,\sigma} $
and computing
\begin{eqnarray} \label{def-u}
\mathbf{u} = [ \mathbf{A} ~\mid ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \mathsf{id}^\dagger[j] \mathbf{A}_j
] \cdot
\begin{bmatrix}
\mathbf{d}_{i^\star,1} \\ \hline \mathbf{d}_{i^\star,2}
\end{bmatrix}
- \mathbf{D} \cdot \bit(\mathbf{c}_M),
\end{eqnarray}
where
$\mathbf{c}_{M} \sample U(\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1}
\sample D_{\ZZ^m,\sigma}$, the distribution of
$\mathbf{u} $ is statistically close to $U(\Zq^n)$.
\medskip
\noindent $\bullet$ If $coin=2$, $\bdv$ picks $\bar{\mathbf{A}}' \sample U(\Zq^{n \times 2m})$
and a random matrix $\mathbf{Q} \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^{2m},\sigma}$. These
are used to define $$\mathbf{D}_0= \begin{bmatrix} \bar{\mathbf{A}} \\ \hline \bar{\mathbf{A}}' \end{bmatrix} \in \Zq^{2n \times 2m} ,$$
and $\mathbf{D}_1=\mathbf{D}_0 \cdot \mathbf{Q} \bmod q$, which is statistically close to $U(\Zq^{2n \times 2m})$. All other components of $\mathcal{Y}$ are obtained by faithfully running the setup algorithm. \medskip
\indent For each value of $coin \in \{0,1,2\}$, the group public key
$$\mathcal{Y}=\big(\mathbf{A},\{\mathbf{A}_j \}_{j=0}^{\ell},\mathbf{B},\mathbf{D},\mathbf{D}_0,\mathbf{D}_1,\mathbf{F}, \mathbf{u},\mathcal{OTS},H,H_0 \big)$$ has a distribution which is statistically close to that of the real scheme and $\mathcal{Y}$ is given to $\adv$.
\medskip
\noindent \textbf{Queries.} The reduction~$\bdv$ starts interacting
with the adversary~$\adv$ and the way it handles~$\adv$'s queries to the $\mathcal{Q}_{\ajoin}$ oracle depends on the value of~$coin \in \{0,1,2\}$. \smallskip \smallskip
\noindent $\bullet$ If $coin=0$, answers $\mathcal{Q}_{\ajoin}$-queries as follows. When $\adv$ triggers an execution of the joining protocol, it chooses
a syndrome $\mathbf{v}_{i} \in \Zq^n$.
To answer the query, $\bdv$ chooses a fresh $\ell$-bit identifier $\mathsf{id}_i \in \{0,1\}^\ell$ such that
$\mathsf{id}_i \neq \mathsf{id}^\dagger$. If $\adv$ also provides a correct signature $sig_i$ such that
$\mathrm{Verify}_{\mathsf{upk}[i]}(\mathbf{v}_{i},sig_i)=1$, $\bdv$ samples $\mathbf{s}_i \sample D_{\ZZ^{2m},\sigma}$ and uses the trapdoor $\mathbf{T}_{\mathbf{C}}$ to compute a short vector
$\mathbf{d}_i=[\mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T]^T \in \ZZ^{2m}$ such that
\begin{eqnarray} \label{sim-cert}
\mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
\end{eqnarray}
where $\mathbf{A}_{\mathsf{id}_i} \in \Zq^{n \times 2m}$ is the matrix in (\ref{sim-matr}). Note that $\bdv$ is able to compute such a vector using the $\mathsf{SampleRight}$
algorithm of \cite{ABB10} (since the Hamming distance $h_{\mathsf{id}_i}$ between $\mathsf{id}_i$ and $\mathsf{id}^\star$ is non-zero). The membership certificate
$\crt_i= (\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ is then returned to $\adv$.
\smallskip
\noindent $\bullet$ If $coin=1$, algorithm~$\bdv$ responds each $\mathcal{Q}_{\ajoin}$-query depending on the index $i \in \{1,\ldots,Q_a\}$ of the query. Specifically,
we distinguish two cases. \smallskip
\begin{itemize}
\item[-] If $i \neq i^\star$, $\bdv$ proceeds as in the previous case. Namely, it recalls the $\ell$-bit identifier $\mathsf{id}_i \in \{0,1\}^\ell$ (for which $\mathsf{id}_i \neq \mathsf{id}^\dagger$)
that was chosen in the setup phase and samples a short vector $\mathbf{s}_{i} \sample D_{\ZZ^{2m},\sigma}$. If $\adv$ also provides a correct signature $sig_i$ such that
$\mathrm{Verify}_{\mathsf{upk}[i]}(\mathbf{v}_{i},sig_i)=1$, generates a membership certificate $\crt_i$ for $\adv$ as in the case $coin=0$.
Note that
\begin{eqnarray} \nonumber
\mathbf{A}_{\mathsf{id}_i} &=& \left[
\begin{array}{c|c} \bar{\mathbf{A}} \cdot \mathbf{S} ~&~ \bar{\mathbf{A}} \cdot (\mathbf{S}_0 +
\sum_{j=1}^{\ell} \mathsf{id}_i[j] \mathbf{S}_j) + h_{\mathsf{id}_i} \mathbf{C}
\end{array} \right] \\ \label{sim-matr-coin1} &=&
\left[
\begin{array}{c|c} \bar{\mathbf{A}} \cdot \mathbf{S} ~&~ \bar{\mathbf{A}} + h_{\mathsf{id}_i} \cdot \mathbf{C}
\end{array} \right]
% \vspace*{-.1cm}
\end{eqnarray}
Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor
$\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that
\begin{eqnarray*}
\mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
\end{eqnarray*}
where $\mathbf{v}_{i} \in \Zq^{4n}$ is the syndrome chosen by $\adv$ at step 1 of the joining protocol.
\item[-] If $i = i^\star$, $\bdv$ undertakes to generate a membership certificate $\crt_{i^\star}$ for the $\ell$-bit identifier $\mathsf{id}^\dagger \in \{0,1\}^\ell$ that was
chosen at the outset of the game. To this end, $\bdv$ has to compute $\crt_{i^\star}$ without using the trapdoor $\mathbf{T}_{\mathbf{C}}$ since the matrix $\mathbf{A}_{\mathsf{id}^\dagger}$ does no longer
depend on $\mathbf{C}$ in (\ref{sim-matr-coin1} ). This can be done by recalling
the vector $\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2} \in \ZZ^m$ and $\mathbf{c}_M \in \Zq^{2n}$ that were used to define $\mathbf{u} \in \Zq^n$ in (\ref{def-u}) and using $\mathbf{T}_{\mathbf{D}_1}$. If $\adv$ provides a correct signature
$sig_{i^\star}$ such that
$\mathrm{Verify}_{\mathsf{upk}[i^\star]}(\mathbf{v}_{i^\star},sig_{i^\star})=1$,
$\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_1}$ of $\Lambda_q^\perp (\mathbf{D}_1)$ to sample a short vector $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ of $D_{\Lambda_q^{\mathbf{c}_{i^\star}}(\mathbf{D}_1),\sigma}$, where $\mathbf{c}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \bmod q $,
satisfying
$$ \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) ~\bmod q , $$
before returning $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} =[ \mathbf{d}_{i^\star,1}^T \mid \mathbf{d}_{i^\star,2}^T]^T,\mathbf{s}_{i^\star})$
to $\adv$. From the definition of $\mathbf{u} \in \Zq^n$ (\ref{def-u}), it is easy to see that $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} ,\mathbf{s}_{i^\star})$ forms a valid membership certificate for
any membership secret $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ corresponding to the syndrome $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$.
%Moreover, the distribution of
%$\mathbf{s}_{i^\star}$ is
% $D_{\ZZ^m,\sigma}^{\mathbf{c}_{v_{i^\star}}}$, where $\mathbf{c}_{v_{i^\star}} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \in \Zq^n $, as in \GGame $2$.
\end{itemize}
Regardless of the value of $coin$, queries to the random oracle~$H$
are handled by returning a uniformly chosen value in $\{1,2,3\}^t$. For
each $\kappa \leq Q_H$, we let~$r_{\kappa}$ denote the answer to the
$\kappa$-th $H$-query. Of course, if the adversary makes a given query
more than once, then~$\bdv$ consistently returns the previously defined
value. Queries to the random oracle $H_0$ are answered in the usual way, by returning a uniformly random value in the appropriate range. \medskip
\noindent \textbf{Forgery.} When $\adv$ halts, it outputs a
signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the
trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$.
%We know that, with probability $\Pr[W_2]$, it holds that
%\begin{itemize}
%\item[-] The pair $(M^\star,\Sigma^\star)$ results in a successful misidentification attack and, when $\bdv$ runs the $\mathsf{Open}$ algorithm on $\Sigma^\star$, the $\ell$-bit %identifier $\mathsf{id}^\star$ revealed at step 2
%coincides with $\mathsf{id}^\dagger$.
%\item[-]
%If $coin=0$, $\mathsf{id}^\dagger$ did not appear in any membership certificate returned by $\mathcal{Q}_{\ajoin}$ whereas, if $coin=1$, $\mathsf{id}^\dagger$ is the identifier used by
%$\mathcal{Q}_{\ajoin}$ at the $i^\star$-th query.
%\item[-] If $coin=2$, the opening of $\Sigma^\star$ reveals vectors $\bit(\mathbf{v}^\star)$ and $\mathbf{s}^\star$ that result in a collision (\ref{collide})
% with those $(\bit(\mathbf{v}_{i^\star}),\mathbf{s}_{i^\star})$
%of the $i^\star$-th joining query.
%\end{itemize}
%In any other situation, $\bdv$ aborts and reports failure. Note that, in the case $coin=2$, $\bdv$ is done since the collision (\ref{collide}) directly provides a
%$\mathsf{SIS}$ solution. We thus assume $coin \in \{0,1\}$.
If we parse the proof $\pi_K^\star$ as
$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$, with high
probability, the adversary $\adv$ must have invoked the random oracle~$H$ on the
input~$ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$.
Otherwise, the probability that
$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
is negligible (at most~$3^{-t}$). It comes that, with probability at least $ \varepsilon' := \varepsilon-
3^{-t} $, $ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
coincides with the $\kappa^\star$-th random oracle query for some $\kappa^\star
\leq Q_H$. \\
\indent
At this stage, the reduction $\bdv$ runs the
adversary $\adv$ up to $32 \cdot Q_H / (\varepsilon - 3^{-t})$ times with the \textit{same} random tape and input as in the
initial run. All queries are answered as previously with
one difference in the treatment of random oracle queries.
Namely, the first $\kappa^\star-1$ random oracle queries -- which are
identical to those of the first execution since $\adv$ is run with the
same random tape as before -- receive the same answers
$\mathsf{Chall}_1,\ldots,\mathsf{Chall}_{\kappa^\star-1}$ as in the first run. This implies
that the $\kappa^\star$-th query will involve exactly the same tuple
$ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
as in the first run. However, from the
$\kappa^\star$-th query onwards, $\adv$ obtains fresh random oracle
values $\mathsf{Chall}_{\kappa^\star}',\ldots,\mathsf{Chall}_{Q_H}'$ at each new execution. The Improved Forking
Lemma of Brickell \textit{et al.}~\cite{BPVY00} guarantees that, with probability at least $1/2$, $\bdv$ can obtain a $3$-fork involving the
same tuple $ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ with
pairwise distinct answers
$\mathsf{Chall}_{\kappa^\star}^{(1)} ,
\mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)} \in \{1,2,3\}^t$. With probability $1-(7/9)^t$ it can be shown that there exists an index $j \in \{1,\ldots,t\}$ for which the $j$-th bits
of $\mathsf{Chall}_{\kappa^\star}^{(1)} ,
\mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)}$ are $ (\mathsf{Chall}_{\kappa^\star,j}^{(1)} ,
\mathsf{Chall}_{\kappa^\star,j}^{(2)}, \mathsf{Chall}_{\kappa^\star,j}^{(3)} )=(1,2,3)$. From the corresponding responses $({\mathsf{Resp}_{K,j}^\star}^{(1)},{\mathsf{Resp}_{K,j}^\star}^{(2)},{\mathsf{Resp}_{K,j}^\star}^{(3)})$,
$\bdv$ is able to extract witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star) \in \ZZ^m \times \ZZ^m$, $\mathsf{id}^\star \in \{0,1\}^\ell$ and $\mathbf{w}^\star \in \{0,1\}^m$ from the proof of knowledge $\pi_K^\star$
such that
\begin{eqnarray*}
\mathbf{A}_{\mathsf{id}^\star } \cdot \begin{bmatrix} \mathbf{d}_{1}^\star \\ \hline \mathbf{d}_{2}^\star \end{bmatrix} &=& \mathbf{u} + \mathbf{D} \cdot \mathbf{w}^\star \\
\mathbf{w}^\star &=& \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) ,
\end{eqnarray*}
At this point, $\bdv$ aborts and
declares failure in the following situations:
\begin{itemize}
\item[-] $coin=0$ but $\mathsf{id}^\star \in \{0,1\}^\ell$ is recycled from some output of the $\mathcal{Q}_{\ajoin}$ oracle.
\item[-] $coin=0$ and $\mathsf{id}^\star \neq \mathsf{id}^\dagger$.
\item[-] $coin=1$ but $\mathsf{id}^\star \in \{0,1\}^\ell$ never appeared in a membership certificate returned by the $\mathcal{Q}_{\ajoin}$ oracle.
\item[-] $coin=1$ and $\mathsf{id}^\star \in \{0,1\}^{\ell}$ belongs to some user in $U^a$, but this user is not the one introduced at the $i^\star$-th
$\mathcal{Q}_{\ajoin}$-query (i.e., $i^\star \neq i^\dagger$ and $\mathsf{id}^\star \neq \mathsf{id}^\dagger$).
\item[-] $coin=1$ and the knowledge extractor revealed vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$
satisfying the collision (\ref{collide}),
where $ \bit(\mathbf{v}_{i^\star})$ and $\mathbf{s}_{i^\star}$ are the vectors
involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$ query.
\item[-] $coin=2$ and the knowledge extraction yields vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
(\ref{collide}) does not occur.
\end{itemize}
We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample U(\{0,1,2\})$ and $i^\star \sample U([1,Q_a])$ are completely independent of $\adv$'s view,
the choice of $coin$ is correct with probability $1/3$. If $coin=0$, $\bdv$'s choice of $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$ is correct with probability $1/(N_{\mathsf{gs}}-Q_a) \geq 1/N_{\mathsf{gs}}$ and, when
$coin=1$, $\bdv$'s correctly guesses $i^\star \in [1,Q_a]$ with probability $1/Q_a$. We find
$$\Pr[ \neg \mathsf{fail}] \geq \frac{1}{3 \cdot \max(N_{\mathsf{gs}},Q_a)} =\frac{1}{3 \cdot N_{\mathsf{gs}} } .$$
Assuming that $\mathsf{fail}$ does not occur, $\bdv$ can solve the problem instance as follows. \smallskip
\noindent $\bullet$ If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector
\begin{eqnarray*}
\mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D
\cdot \bit(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
\end{eqnarray*}
such that $ \bar{\mathbf{A}}_1 \cdot \mathbf{h} = \mathbf{0}^m \bmod q$. Moreover,
we have $\mathbf{h} \neq \mathbf{0}^m$ w.h.p. since the syndrome $\mathbf{u} \in \Zq^n$ statistically hides
$\mathbf{e}_u \in \ZZ^m$
in $\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}_1)$. Finally, the norm of $\mathbf{h}$ is at most $\| \mathbf{h} \|_2 \leq (\ell+1) \sigma^2 m^{3/2} + \sigma m^{1/2} (m+2)$.
This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance.
\smallskip
\smallskip
\noindent $\bullet$ If $coin=1$, the extracted
witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\bit(\mathbf{v}^\star)$
satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
\neq \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
(since $\neg \mathsf{fail}$ implies that the collision (\ref{collide}) did not occur if $coin=1$)
and
\begin{align} \label{rel1}
\left[
\begin{array}{c|c|c|c|c|c}
\mathbf{A} ~&~ \mathbf{A}_0 ~&~ \mathbf{A}_1~ &~ \ldots ~ & ~ \mathbf{A}_{\ell} ~&~ -\mathbf{D}
\end{array} \right] \cdot
\begin{bmatrix}
\mathbf{d}_{1}^\star \\ \hline \mathbf{d}_{2}^\star
\\ \hline \mathsf{id}^\dagger[1] \mathbf{d}_{2}^\star \\ \hline \vdots \\ \hline ~~ \mathsf{id}^\dagger[\ell] \mathbf{d}_{2}^\star
\\ \hline \mathbf{w}^\star
\end{bmatrix}
= \mathbf{u} \bmod q.
\end{align}
Since $\bdv$ already knew short vectors $(\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2}, \mathbf{w}_{i^\star}) \in \ZZ^m \times \ZZ^m \times \ZZ^m $ such that
\begin{align} \label{rel2}
\left[
\begin{array}{c|c|c|c|c|c}
\mathbf{A} ~&~ \mathbf{A}_0 ~&~ \mathbf{A}_1~ &~ \ldots ~ & ~ \mathbf{A}_{\ell} ~&~ -\mathbf{D}
\end{array} \right] \cdot
\begin{bmatrix}
\mathbf{d}_{i^\star,1}^\star \\ \hline \mathbf{d}_{i^\star,2}^\star
\\ \hline \mathsf{id}^\dagger[1] \mathbf{d}_{i^\star,2}^\star \\ \hline \vdots \\ \hline ~~ \mathsf{id}^\dagger[\ell] \mathbf{d}_{i^\star,2}^\star
\\ \hline \mathbf{w}_{i^\star}
\end{bmatrix}
= \mathbf{u} \bmod q,
\end{align}
by subtracting (\ref{rel2}) from (\ref{rel1}), we find that
\begin{align} \label{the-vec}
\mathbf{h} &= \mathbf{S} \cdot (\mathbf{d}_1^\star - \mathbf{d}_{i^\star,1}) + (\mathbf{S}_0 + \sum_{j=1}^\ell {\mathsf{id}^\dagger} [j] \mathbf{S}_j ) \cdot (\mathbf{d}_2^\star - \mathbf{d}_{i^\star,2} )
\ + ( \mathbf{w}^\star - \mathbf{w}_{i^\star} ) \quad
\end{align}
is a small-norm vector $\mathbf{h} \in \ZZ^m$ satisfying $ \bar{\mathbf{A}}_1 \cdot \mathbf{h}=\mathbf{0} \bmod q$. We claim that $\mathbf{h} \neq \mathbf{0}$ with high probability.
Indeed, we know that $\mathbf{w}^\star \neq \mathbf{w}_{i^\star}$ if $\neg \mathsf{fail}$ occurs.
This implies that the last term of (\ref{the-vec}) is non-zero, which rules out that $(\mathbf{d}_1^\star,\mathbf{d}_2^\star)=(\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2})$.
Since the columns of $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ have a lot of entropy conditionally on $\mathcal{Y}$, this implies that we can only have $\mathbf{h}=\mathbf{0}^m$ with negligible probability. Furthermore, the norm of $\mathbf{h}$ can be bounded by $\| \mathbf{h} \|_2 \leq 4 \sigma^2 m^{3/2} (\ell+2) + 2 m^{1/2} $,
so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance. \medskip
\noindent $\bullet$ If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector
$$\mathbf{h}=\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has
norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability
given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
\end{proof}
\begin{theorem} \label{non-frame}
The scheme is secure against framing attacks under the $\mathsf{SIS}_{4n,4m,q,\beta''}$ assumption, where $\beta'' = 4\sigma \sqrt{m}$.
\end{theorem}
\begin{proof}
Let us assume that a PPT adversary $\adv$ can create a
forgery $(M^\star,\Sigma^\star)$ that opens to some honest user
$i\in U^b$ who did not sign $M^\star$. In the random oracle model, we give a reduction $\bdv$ that uses $\adv$ to solve an instance of the ~$\SIS_{4n,4m,q,\beta''}$ problem:
$\bdv$ takes as input~$\bar{\mathbf{A}} \in
\Zq^{4n \times 4m}$ and finds a non-zero short vector $\mathbf{w} \in
\Lambda_q^{\perp}(\bar{\mathbf{A}})$. % with~$0 < \|\mathbf{w}\| \leq \beta$.
\\
\indent Algorithm $\bdv$ generates the group public key $\mathcal{Y}$ by faithfully running the real setup algorithm with the sole difference that, at step 2 of $\mathsf{Setup}$,
$\bdv$ defines $\mathbf{F}=\bar{\mathbf{A}} \in \Zq^{4n \times 4m}$. However, the distribution of $\mathcal{Y}$ is as in the real scheme.
As a result of having generated $\mathcal{Y}$ itself, $\bdv$ knows
$\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ and $\mathcal{S}_{\OA}= \mathbf{T}_{\mathbf{B}}$. The adversary $\bdv$ is run on input of the
group public key
$$ \mathcal{Y}:=\Bigl(\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{B},~\mathbf{D},~\mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}=\bar{\mathbf{A}},~\mathbf{u},~\Pi^{\mathsf{OTS}},~H,~H_0 ) \Bigr). $$
If $\adv$ chooses
to corrupt the group manager or the opening authority during the
game, $\bdv$ is able to reveal
$\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ and
$\mathcal{S}_{\OA}= \mathbf{T}_{\mathbf{B}}$. % At the very beginning of the game, $\bdv$ draws a random index $j^\star \sample \{1,\ldots,Q_b\}$ and
Then, $\bdv$ starts interacting with $\adv$ as follows.
\begin{itemize}
\item[-] $Q_{\mathsf{keyGM}}$-queries: If $\adv$ decides to corrupt the group manager, $\bdv$
hands the secret key $\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ to $\adv$.
\item[-] $Q_{\bjoin}$-queries: At any time $\adv$ can act as a corrupted group manager and introduce a new honest user $i$ in the group by invoking the $Q_{\bjoin}$ oracle.
At each $Q_{\bjoin}$-query, $\bdv$ faithfully
runs $\mathsf{J}_{\mathsf{user}}$ on behalf of the honest user in an execution of $\mathsf{Join}$ protocol.
\item[-] $Q_{\mathsf{pub}}$-queries: These
can be answered as in the real game, by having the simulator return
$\mathcal{Y}$.
\item[-] $Q_{\mathsf{sig}}$-queries: When the adversary $\adv$ requests user $ i \in
U^b$ to sign a message $M$, $\bdv$ first generates a one-time key pair $(\mathsf{VK},\mathsf{SK}) \leftarrow \mathcal{G}(n)$ to
compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \Zq^{n \times 2m}$. Next,
$\bdv$ recalls the vector $\mathbf{z}_i \in \ZZ^{4m}$ that was chosen to define the syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i$ at step 1 of the $\mathsf{Join}$ protocol as well as
the identifier $\mathsf{id}_i \in \{0,1\}^\ell$ and the short vectors $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i) $
that were supplied by $\adv$ in an earlier $Q_{\bjoin}$-query. It faithfully computes a signature by IBE-encrypting
$\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$ and using $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)$ to compute a witness indistinguishable proof $\pi_K=(
\{\mathsf{Comm}_{K,j}\}_{j=1}^t,\mathsf{Chall}_K,\{\mathsf{Resp}_{K,j}\}_{j=1}^t)$.
Finally, $\bdv$ computes a one-time signature
$sig=\mathcal{S}(\mathsf{SK},(\mathbf{c}_{\mathbf{v}_i},\pi_K))$ and returns the signature
$\Sigma=\big( \mathsf{VK} ,\mathbf{c}_{\mathbf{v}_i}, \pi_K,sig \big)$ to $\adv$.
\end{itemize}
When $\adv$ halts, it outputs a signature
$ \Sigma^\star = \big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \pi_K^\star,sig^\star \big)$
for
some message $M^\star$, which opens to ${i^\star} \in
U^b$ although user $i^\star$ did not sign the message $M^\star$ at any time. Since $(M^\star,\Sigma^\star)$ supposedly frames user $i^\star$, the opening of
$\Sigma^\star$ must reveal the $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$. We note that the reduction $\bdv$ has
recollection of a short vector $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ (of norm $\| \mathbf{z}_{i^\star} \| < 2\sigma \sqrt{m}$)
such that $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$ which it
chose when running $\mathsf{J}_{\mathsf{user}}$ on behalf of user $i^\star$ when this user was introduced in the group. Hence,
$\bdv$
would be able to solve its given $\mathsf{SIS}$ instance if it had another short vector $\mathbf{z}' \in \ZZ^{4m}$ satisfying $\mathbf{v}_{i^\star} = \mathbf{F} \cdot {\mathbf{z}'} \bmod q $.
To compute such a
vector, $\bdv$ proceeds by replaying the adversary $\adv$ sufficiently many times and applying the Improved Forking
Lemma of Brickell \textit{et al.}~\cite{BPVY00}. \\
\indent
If we parse $\pi_K^\star$ as
$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$, with high
probability, $\adv$ must have queried~$H$ on the
input~$ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$.
Otherwise, we would only have
$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
with negligible probability~$3^{-t}$. It comes that, with probability at least $ \varepsilon' := \varepsilon-
3^{-t} $, the tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
was the input of the $\kappa^\star$-th random oracle query for some index $\kappa^\star
\leq Q_H$. \\
\indent
At this point, the reduction $\bdv$ runs the
adversary $\adv$ up to $32 \cdot Q_H / (\varepsilon - 3^{-t})$ times with the \textit{same} random tape and input as in the
first run. All queries are answered as previously with
one difference in the way to handle $H$-queries.
Namely, the first $\kappa^\star-1$ $H$-queries -- which are
the same as in the first execution since $\adv$ is run with the
same random tape -- obtain the same answers
$\mathsf{Chall}_1,\ldots,\mathsf{Chall}_{\kappa^\star-1}$ as in the original run. This implies
that the $\kappa^\star$-th query will also involve exactly the same tuple
$ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$
as in the original run. From the
$\kappa^\star$-th query forward, however, the adversary $\adv$ obtains fresh random oracle
outputs $\mathsf{Chall}_{\kappa^\star}',\ldots,\mathsf{Chall}_{Q_H}'$ at each new execution. The Improved Forking
Lemma of~\cite{BPVY00} ensures that, with probability $>1/2$, $\bdv$ obtains a $3$-fork involving the
tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ of the initial run and with
pairwise distinct answers
$\mathsf{Chall}_{\kappa^\star}^{(1)} ,
\mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)} \in \{1,2,3\}^t$. Since the forgeries of the $3$-fork all correspond to the tuple $ (M^\star, \mathsf{VK}^\star ,
\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$, they open to the same $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$ and
which is uniquely determined
by $\mathbf{c}_{\mathbf{v}}^\star$. In turn, this implies that the three forgeries all reveal the same $\bit(\mathbf{v}_{i^\star})$
at the second step of $\mathsf{Open}$.
With probability $1-(7/9)^t$ it can be shown that there exists $j \in \{1,\ldots,t\}$ such that the $j$-th bits
of $\mathsf{Chall}_{\kappa^\star}^{(1)} ,
\mathsf{Chall}_{\kappa^\star }^{(2)}, \mathsf{Chall}_{\kappa^\star }^{(3)}$ are $ (\mathsf{Chall}_{\kappa^\star,j}^{(1)} ,
\mathsf{Chall}_{\kappa^\star,j}^{(2)}, \mathsf{Chall}_{\kappa^\star,j}^{(3)} )=(1,2,3)$. From the corresponding responses $({\mathsf{Resp}_{K,j}^\star}^{(1)},{\mathsf{Resp}_{K,j}^\star}^{(2)},{\mathsf{Resp}_{K,j}^\star}^{(3)})$,
$\bdv$ is able to extract a short vector $ \mathbf{z}' \in \ZZ^{4m} $ such that $\mathbf{v}_{i^\star} = \mathbf{F} \cdot {\mathbf{z}'} \bmod q $. \\ \indent Due to the statistical witness indistinguishability of
the Stern-like proof of knowledge which is used to generate signature, with overwhelming
probability, we have $\mathbf{z}' \neq \mathbf{z}_{i^\star}$. Indeed, from the adversary's view, the distribution of
$\mathbf{z}_{i^\star}$ is $D_{\Lambda_q^{\mathbf{v}_{i^\star}}(\mathbf{F}),\sigma}$, which means that it has at least $n$ bits of min-entropy.
Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{4m}$ is a suitably short non-zero vector of $ \Lambda_q^{\perp}( \bar{\mathbf{A}} ) $.
\end{proof}
\begin{theorem} \label{anonymity-thm}
In the random oracle model, the scheme provides \textsf{CCA}-anonymity if
the $\LWE_{n,q,\chi}$ assumption holds and if $\Pi^\mathrm{OTS}$ is a strongly unforgeable one-time signature.
\end{theorem}
\begin{proof}
We proceed as in~\cite{LNW15} and prove the result via a sequence of games which are computationally indistinguishable.
The first game consists of the real anonymity experiment which is parameterized by a bit $d \in \{0,1\}$ that determines the challenger's choice in the challenge phase.
The last game is the same regardless of whether $d=0$ or $d=1$. It follows that, under the stated assumptions, no PPT adversary can distinguish $\Expt^\textrm{anon$-0$}_\adv$ from $\Expt^\textrm{anon$-1$}_\adv$ with noticeable advantage.
\medskip
\begin{description}
\item[$\textsf{Game}^{(d)}$~0:] This is the real anonymity experiment $\Expt^\textrm{anon$-d$}_\adv(\lambda)$ as described in Definition~\ref{def:anon}.
More precisely, the challenger starts by running the algorithm $\mathsf{Setup}(1^\lambda, 1^{\Ngs})$ to obtain $(\gspk, \mathcal{S}_\GM = \mathbf{T_A} \in \ZZ^{m \times m}, \mathcal{S}_\OA = \mathbf{T_B} \in \ZZ^{m \times m})$ along with state information $St$. The challenger next hands the public parameters $\gspk$ and the group manager key $\mathcal{S}_\GM$ to the adversary $\adv$.
On the following adversary signature opening queries on signatures $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_d}, \pi_K, sig)$, the challenger uses the opening authority key $\mathbf{T_A} \in \ZZ^{m \times m}$ he possesses to decrypt the GPV encryption of the signer identity $\mathbf{c}_{\mathbf{v}_d} \in \Zq^m \times \Zq^{2m}$.
At some point, the adversary $\adv$ requests a challenge by outputting a target message $M^\star \in \bit^*$ and two user key pairs
\[ \bigl(\scr_i^\star = \mathbf{z}^\star_i \in \ZZ^{4m}, \crt_i^\star \in (\mathsf{id}^\star_i, \mathbf{d}^\star_i, \mathbf{s}^\star_i) \in \bit^\ell \times \ZZ^{2m} \times \ZZ^{2m} \bigr)_{i \in \bit} \]
which must be valid and distinct (otherwise, the challenger aborts the experiment).
This challenge query is answered by having the challenger return a signature of the target message under the identity $id_d$: namely, this challenge signature is computed as $\Sigma^\star = (\vk^\star, \mathbf{c}_{\mathbf{v}_d}^\star, \pi_K^\star, sig^\star) \gets \Sign(\mathcal{Y}, \crt_d^\star, \scr_d^\star, M^\star)$ for the given parameter $d$
of the \textsf{Game}.
Finally, $\adv$ outputs a bit $d' \in \bit$ which is also the experiment's output. % and the experiment outputs $1$ if $b = b'$ or $0$ otherwise. By assumption, $\adv$ has advantage $\varepsilon$ in this game.
\smallskip
\item[$\textsf{Game}^{(d)}$~1:] In this experiment, we slightly change $\mathsf{Game}^{(d)}~0$ as follows. At the outset of the game, the challenger generates the one-time signature key pair $(\vk^\star, \sk^\star)$ that will be used in the challenge phase.
During the game, if the adversary $\adv$ requests the opening of a valid signature $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_i}, \pi_K, sig)$ where $\vk = \vk^\star$, the challenger returns a random bit and aborts.
However, this event $F_1$ would contradict the strong unforgeability of the one-time signature $\Pi^{\mathrm{OTS}}$.
Indeed, before the challenge phase $\vk^\star$ is independent of $\adv$'s view and the probability that $\vk^\star$ shows up in $\adv$'s queries is negligible.
After seeing the challenge signature $\Sigma^\star$, if $\adv$ comes up with a valid signature $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_i}, \pi_K, sig)$ such that $\vk = \vk^\star$, then $sig$ is a forged one-time signature, which defeats the strong unforgeability of $\Pi^{\mathrm{OTS}}$.
Therefore the probability $\Pr[F_1]$ that the challenger aborts in this experiment is negligible.
From here on, we thus assume that $\adv$'s opening queries for valid signatures do not include $\vk^\star$.
\smallskip
\item[$\textsf{Game}^{(d)}$~2:] In this game, we program the random oracle $H_0$ in the following way: at the beginning of the game, we choose
a uniformly random matrix $\mathbf{G}_0^\star \sample U(\Zq^{n \times 2m})$ and set $H_0(\vk^\star) = \mathbf{G}^\star_0$. From the adversary's view, the distribution of
$\mathbf{G}_0^\star$ is statistically close to the one in the real attack game, as in \cite{GPV08}.
As for other queries, for each fresh $H_0$-queries on $\vk$,
the challenger samples small-norm matrices $\mathbf{E}_{0,\vk} \sample D_{\ZZ^m, \sigma}^{2m}$ and programs the oracle such that
$H_0(\vk) = \mathbf{B} \cdot \mathbf{E}_{0,\vk} \bmod q$. The chosen matrices $\mathbf{E}_{0,\vk}$
are retained for later use.
Note that the values of $H_0(\vk)$ are statistically close to the uniform.
For any query involving a previously queried $\vk$, the challenger consistently returns the previously stored images.
The adversary's view remains the same as in $\mathsf{Game}^{(d)}~1$, analogously to the security proof of the GPV IBE~\cite{GPV08}.
\smallskip
\item[$\textsf{Game}^{(d)}$~3:] Here, we will change the behaviour of the opening algorithm.
Namely, at each fresh oracle query, we still store the matrices $\mathbf{E}_{0,\vk} \in \Zq^{m \times 2m}$ and, at the beginning of the game, the challenger
samples an uniformly random $\mathbf{B^\star} \in \Zq^{n \times m}$ that is later used in place of $\mathbf{B}$ to answer $H_0$-queries.
To answer the adversary's queries of the opening of a signature
$\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_i}, \ \pi_K, sig)$,
the challenger recalls the small-norm matrices $\mathbf{E}_{0,\vk}$ which were defined when $\adv$ first queried $H_0(\vk)$.
These matrices are used as ``decryption matrices'' to open $\Sigma$ for the corresponding $\mathbf{G}_0 = H_0(\vk) \in \Zq^{n \times 2m}$.
For similar reasons as in the security proof of~\cite{GPV08}, the distribution of $\mathbf{G}_0$ is statistically close to the uniform,
which implies that $\mathsf{Game}^{(d)}~2$ and $\mathsf{Game}^{(d)}~3$ are statistically indistinguishable.
\smallskip
\item[$\textsf{Game}^{(d)}$~4:] Instead of faithfully generating the
NIZKPoK $\pi_K$ of Section~\ref{subsection:zk-for-group-signature}, the challenger simulates the proof without using the witness (note that this is possible since the HVZK property of the underlying proof system is preserved
under parallel repetitions). This
is done by running the simulator for the underlying interactive protocol for
each $j \in \{1,\ldots, t\}$, and then programming the random oracle $H$
accordingly. The challenge signature
$\Sigma^\star = (\vk^\star, \mathbf{c}_{\mathbf{v}_d}^\star , \pi_K^\star, sig^\star)$
is statistically close to the challenge signature of the previous game, because the
proof system is statistically zero-knowledge as stated in Lemma~\ref{le:zk-ktx}.
Consequently, $\mathsf{Game}^{(d)}~3$ and $\mathsf{Game}^{(d)}~4$ are indistinguishable.
\smallskip
\item[$\textsf{Game}^{(d)}$~5:] In this game, we modify the generation of the challenge ciphertext $\mathbf{c}_{\mathbf{v}_d}^\star$.
Instead of using the real encryption algorithm of the GPV IBE to compute $\mathbf{c}_{\mathbf{v}_d}^\star$ as the encryption of $\mathbf{v}_d^\star = \mathbf{F} \cdot \mathbf{z}_d \in \Zq^{4n}$, we return truly random
ciphertexts. In other words, we let
\[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix}
\mathbf{r}_1 \\ \mathbf{r}_2 + \bit(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
\end{pmatrix}, \]
%where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and
where $\mathbf{r}_1 \sample U(\Zq^{m})$, $\mathbf{r}_2 \sample U(\Zq^{2m})$ are uniformly random.
The hardness of the decisional $\LWE_{n, q, \chi}$ problem implies that $\mathbf{c}^\star_{\mathbf{v}_d}$ in \ extsf{Game} $4$ and \ extsf{Game} $5$ are computationally indistinguishable.
If $\adv$ can distinguish between these two games, it can furthermore distinguish
\[ \begin{pmatrix}
\mathbf{B}^T \\ \hline {\mathbf{G}_0^\star }^T
\end{pmatrix} \mathbf{e}_0 + \begin{pmatrix} \mathbf{x}_1 \\\hline \mathbf{x}_2 \end{pmatrix} \mbox{ from } \begin{pmatrix}
\mathbf{r}_1 \\ \hline \mathbf{r}_2
\end{pmatrix},\]
which would break the decisional $\LWE_{n,q,\chi}$ assumption.
Therefore, $\mathsf{Game}^{(d)}~4$ and $\mathsf{Game}^{(d)}~5$ are computationally indistinguishable.
\smallskip
\item[\textsf{Game}~6:] We finally make a conceptual modification on the previous game. Namely we sample uniformly random $\mathbf{r}_1^\prime
\sample U(\Zq^{m})$, $\mathbf{r}_2^\prime \sample U(\Zq^{2m})$ and assign
\[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix}
\mathbf{r}_1^\prime \\ \mathbf{r}_2^\prime
\end{pmatrix} .\]
\end{description}
Clearly, the distribution of $\mathbf{c}_{\mathbf{v}_i}^\star $ has not changed since $\mathsf{Game}^{(d)}~5$. Since \textsf{Game} $6$ does no longer depend on the
challenger's bit $d\in \{0,1\}$, the result follows.
\end{proof}
\section{Subprotocols for Stern-like Argument}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Protocoles pour les preuves à la Stern}
\label{se:gs-lwe-stern}
@ -1092,5 +1887,47 @@ as the permutation that transforms $\mathbf{z}$ as follows:
\end{itemize}
It can be check that~(\ref{eq:zk-equivalence}) holds. Therefore, we can obtain a statistical \textsf{ZKAoK} for the given relation by running the protocol in \cref{sse:stern-abstraction}.
\section{A Dynamic Lattice-Based Group Signature}
\input{merge}
\subsection{The Underlying ZKAoK for the Group Signature Scheme}\label{subsection:zk-for-group-signature}
The argument system upon which our group signature scheme is built can be summarized as follows.
\begin{description}
\item[Common Input:] Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{B} \in \mathbb{Z}_q^{n \times m}$, $\mathbf{D}_0, \mathbf{D}_1 \in \mathbb{Z}_q^{2n \times 2m}$, $\mathbf{F} \in \mathbb{Z}_q^{4n \times 4m}$, $\mathbf{H}_{2n \times m} \hspace*{-1.5pt}\in\hspace*{-1.5pt} \ZZ_q^{2n \times m}$, $\mathbf{H}_{4n \times 2m} \hspace*{-1.5pt}\in\hspace*{-1.5pt} \ZZ_q^{4n \times 2m}$, $\mathbf{G}_0 \hspace*{-1.5pt}\in\hspace*{-1.5pt} \mathbb{Z}_q^{n \times 2m}$; vectors $\mathbf{u} \hspace*{-1.5pt}\in\hspace*{-1.5pt} \mathbb{Z}_q^n$, $\mathbf{c}_1 \hspace*{-1.5pt}\in\hspace*{-1.5pt} \mathbb{Z}_q^m$, $\mathbf{c}_2 \hspace*{-1.5pt}\in \hspace*{-1.5pt}\mathbb{Z}_q^{2m}$. \smallskip
\item [Prover's Input:] $\mathbf{z} \in [-\beta,\beta]^{4m}$, $\mathbf{y} \in \{0,1\}^{2m}$, $\mathbf{w} \in \{0,1\}^m$, $\mathbf{d}_1, \mathbf{d}_2 \in [-\beta, \beta]^m$, $\mathbf{s} \in [-\beta,\beta]^{2m}$, $\mathrm{id} = (\mathrm{id}[1], \ldots, \mathrm{id}[\ell])^T \in \{0,1\}^\ell$,
$\mathbf{e}_0 \in [-B,B]^n$, $\mathbf{e}_1 \in [-B,B]^m$, $\mathbf{e}_2 \in [-B,B]^{2m}$. \smallskip
\item[Prover's Goal:] Convince the verifier in \textsf{ZK} that
\end{description}
\[
\begin{cases}
\mathbf{F}\cdot \mathbf{z} = \mathbf{H}_{4n\times 2m}\cdot \mathbf{y}\bmod q; \hspace*{5pt} \mathbf{H}_{2n \times m}\cdot \mathbf{w} = \mathbf{D}_0 \cdot \mathbf{y} + \mathbf{D}_1 \cdot \mathbf{s} \bmod q; \\
\mathbf{A}\cdot \mathbf{d}_1 + \mathbf{A}_0 \cdot \mathbf{d}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\mathrm{id}[j]\cdot \mathbf{d}_2) - \mathbf{D} \cdot \mathbf{w} = \mathbf{u} \bmod q;\\
\mathbf{c}_1 = \mathbf{B}^T\cdot \mathbf{e}_0 + \mathbf{e}_1 \bmod q; \hspace*{5pt} \mathbf{c}_2 = \mathbf{G}_0^T\cdot \mathbf{e}_0 + \mathbf{e}_2 + \lfloor q/2\rfloor\cdot \mathbf{y} \bmod q.
\end{cases}
\]
Using the same strategy as in Sections~\ref{subsection:zk-for-commitments} and~\ref{subsection:zk-for-signature}, we can derive a statistical \textsf{ZKAoK} for the above relation from the protocol in Section~\ref{sse:stern-abstraction}. As the transformations are similar to those in Section~\ref{subsection:zk-for-signature}, we only sketch main points.
In the first step, we combine the given equations to an equation of the form:
\[\vspace*{-3.5pt}
\mathbf{M}\cdot \left(
\begin{array}{c}
\mathbf{d}_1 \\
\mathbf{s} \\
\mathbf{z} \\
\end{array}
\right) + \mathbf{M}_0 \cdot \mathbf{d}_2 + \sum_{j=1}^\ell \mathbf{M}_j(\mathrm{id}[j]\mathbf{d}_2) + \mathbf{M}' \cdot \left(
\begin{array}{c}
\mathbf{w} \\
\mathbf{y} \\
\end{array}
\right) + \mathbf{M}'' \cdot \left(
\begin{array}{c}
\mathbf{e}_0 \\
\mathbf{e}_1 \\
\mathbf{e}_2 \\
\end{array}
\right) = \mathbf{v} \bmod q,
\]
where matrices $\mathbf{M}, \mathbf{M}_0, \ldots, \mathbf{M}_\ell, \mathbf{M}', \mathbf{M}''$ and vector $\mathbf{v}$ are built from the input.
We then apply the techniques of \cref{sse:stern-abstraction} for %the vectors
$\mathbf{x}_0 = (\mathbf{d}_1^T \| \mathbf{s}^T \| \mathbf{z}^T)^T \in [-\beta, \beta]^{7m}$, $\mathbf{d}_2 \in [-\beta,\beta]^m$; $\mathbf{x}_1 = (\mathbf{w}^T \| \mathbf{y}^T)^T\in \{0,1\}^{3m}$; and $\mathbf{x}_2 = (\mathbf{e}_0^T \| \mathbf{e}_1^T \| \mathbf{e}_2^T)^T \in [-B,B]^{n + 3m}$. This allows us to obtain a unified equation $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, and to define the sets $\mathsf{VALID}$, $\mathcal{S}$, and permutations $\{T_\pi: \pi \in \mathcal{S}\}$ so that the conditions in~(\ref{eq:zk-equivalence}) hold, in a similar manner as in Section~\ref{subsection:zk-for-signature}.


@ -24,6 +24,7 @@
\newcommand{\Keygen}{\ensuremath{\mathsf{Keygen}}\xspace}
\newcommand{\param}{\ensuremath{\mathsf{par}}\xspace}
\newcommand{\pk}{\ensuremath{\mathsf{pk}}\xspace}
\newcommand{\vk}{\ensuremath{\mathsf{vk}}\xspace}
\newcommand{\sk}{\ensuremath{\mathsf{sk}}\xspace}
%% ZK
\newcommand{\trans}{\textsf{trans}\xspace}


@ -84,17 +84,6 @@
year = {2015},
}
@InCollection{SSE+12,
author = {Sakai, Y. and Schuldt, J. and Emura, K. and Hanaoka, G. and Ohta, K.},
title = {On the Security of Dynamic Group Signatures: Preventing Signature Hijacking},
booktitle = {{PKC}},
publisher = {Springer},
year = {2012},
volume = {7293},
series = {LNCS},
pages = {715--732},
}
@InProceedings{ACDN13,
author = {Abe, Masayuki and Camenisch, Jan and Dubovitskaya, Maria and Nishimaki, Ryo},
title = {Universally composable adaptive oblivious transfer (with access control) from standard assumptions},
@ -1130,7 +1119,7 @@
pages = {457--473},
}
@InProceedings{SSE+12a,
@InProceedings{SSE+12,
author = {Sakai, Y. and Schuldt, J. and Emura, K. and Hanaoka, G. and Ohta, K.},
title = {On the Security of Dynamic Group Signatures: Preventing Signature Hijacking},
booktitle = {PKC},
@ -2818,7 +2807,7 @@
booktitle = {Asiacrypt},
year = {2017},
series = {LNCS},
pages = {347--374},
pages = {347--374o},
publisher = {Springer},
}
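Review bot: The new side of the last hunk rewrites the page range as `pages = {347--374o},`, which introduces a stray `o` into the field and will be rendered verbatim in the bibliography (BibTeX does not validate page ranges); it should stay `pages = {347--374},`. The earlier two hunks collapse the duplicate `SSE+12`/`SSE+12a` entries into a single `SSE+12` key, which is the right cleanup, but any remaining `\cite{SSE+12a}` in the chapters would now be an undefined citation — worth a quick grep before the next build, since no such rename is visible in this diff. The entry closed at the last visible `}` appears to be the end of the hunk, though a trailing blank line may have been dropped by the rendering.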