From afe5c83cf8295a2e09fea78e83fc3d1ee9c57a79 Mon Sep 17 00:00:00 2001
From: Fabrice Mouhartem
Date: Mon, 30 Apr 2018 18:04:36 +0200
Subject: [PATCH] Update biblio + add proofs for group signature

---
 chap-GS-LWE.tex | 853 +++++++++++++++++++++++++++++++++++++++++++++++-
 macros.tex | 1 +
 these.bib | 15 +-
 3 files changed, 848 insertions(+), 21 deletions(-)

diff --git a/chap-GS-LWE.tex b/chap-GS-LWE.tex
index c015de5..7c97035 100644
--- a/chap-GS-LWE.tex
+++ b/chap-GS-LWE.tex
@@ -192,11 +192,6 @@ as $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u \in \Zq^n$. The pu
 \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big)$$ is given to $\adv$.
-%Hence,
-% $\bdv$ is able to compute a trapdoor $\mathbf{T}_{\tau^{(i)}} \in \ZZ^{2m \times 2m}$ for each matrix $\{\mathbf{A}_{\tau^{(i)}} \}_{i=1}^Q $ (see~\cite[Se.~4.2]{ABB1},
-% using the basis~$\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$.
-
-
 At the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)}) \in (\{0,1\}^{2m})^N$, $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature. To do this, $\bdv$ first samples $\mathbf{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in \Zq^m$ as $$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } \bigr) ~~ \bmod q.$$
@@ -742,7 +737,7 @@ The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
 \smallskip \item[\textsf{Game} 1:] This game is like \textsf{Game} $0$ with the difference that, at each execution of the $\mathsf{Prove}$ protocol, the challenger runs the zero-knowledge
- simulator of the interactive proof system. The latter simulator uses either a trapdoor hidden in the common reference string (if Damg\aa rd's technique \cite{Damg00} is used) or
+ simulator of the interactive proof system. The latter simulator uses either a trapdoor hidden in the common reference string (if Damg\aa rd's technique \cite{Dam00} is used) or
 proceeds by programming the random oracle which allows implementing the Fiat-Shamir heuristic. In either case, the statistical zero-knowledge property ensures that the adversary cannot distinguish \textsf{Game} $1$ from \textsf{Game} $0$ and $|\Pr[W_1] - \Pr[W_0] | \in \mathsf{negl}(\lambda)$. \smallskip
@@ -758,6 +753,806 @@ The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption. produced without any witness. \end{proof} +\section{A Dynamic Lattice-Based Group Signature} \label{see:lwe-gs-desc} + +In this section, the signature scheme of Section \ref{se:gs-lwe-sigep} is used to design a group signature for dynamic groups using the syntax and the security model of Kiayias and Yung \cite{KY06}, which is recalled in \cref{sse:gs-definitions}. + +In the notations hereunder, for any positive integers $\mathfrak{n}$, and $q \geq 2$, we define the ``powers-of-2'' matrix $\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \in \ZZ_q^{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil}$ to be: +\begin{eqnarray*} + \mathbf{H}_{\mathfrak{n} \times \mathfrak{n} \lceil\log q\rceil } &=& \mathbf{I}_{\mathfrak{n}} \otimes [1 \mid 2 \mid 4 \mid \ldots \mid 2^{\lceil\log q\rceil-1} ] . + %\\ &=& \begin{bmatrix} 1 ~2~4 ~ \ldots ~2^{\lceil\log q\rceil-1} & & & & \\ +% & & & \ddots & \\ +% & & & & 1 ~2~4 ~ \ldots ~2^{\lceil\log q\rceil-1} \\ +%\end{bmatrix}. +\end{eqnarray*} +Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\bit(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion. +Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$. \\ +\indent +In our scheme, each group membership certificate is a +signature generated by the group manager on the user's public key. Since the group manager only needs to sign known (rather than committed) messages, we can +use a simplified version of the signature, where the chameleon hash function does not need to choose + the discrete Gaussian vector $\mathbf{s}$ with a larger standard deviation than other vectors. 
\\ +\indent +A key component of the scheme is the two-message joining protocol whereby the group manager admits new group members by signing their public key. The first message is sent by +the new user $\mathcal{U}_i$ who samples a membership secret consisting of a short vector $\mathbf{z}_i \sample D_{\ZZ^{4m},\sigma}$ (where $m= 2n \lceil\log q\rceil$), which is used to compute a + syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ for some public matrix $\mathbf{F} \in \ZZ_q^{4n \times 4m} $. This syndrome $\mathbf{v}_i \in \ZZ_q^{4n}$ must be signed by $\mathcal{U}_i$ using his long term secret key $\mathsf{usk}[i]$ (as in +\cite{KY06,BSZ05}, we assume that each user has a long-term key $\mathsf{upk}[i]$ for a digital signature, which is registered in some PKI) and will uniquely +identify $\mathcal{U}_i$. + In order to generate a membership certificate for $\mathbf{v}_i \in \ZZ_q^{4n}$, the group manager $\mathsf{GM}$ signs its binary expansion + $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ using the scheme of Section \ref{se:gs-lwe-sigep}. \\ \indent Equipped with his membership + certificate $(\tau,\mathbf{d},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$, the new group member $\mathcal{U}_i$ can sign a message using a Stern-like protocol for + demonstrating his knowledge of + a valid certificate for which he also knows the secret key associated with the certified public key $\mathbf{v}_i \in \ZZ_q^{4n}$. This boils down to + providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$ + for which he also knows a short $\mathbf{z}_i \in \ZZ^{4m}$ + such that + $ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$. 
\\ + \indent Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures + \cite{AFG+10}, the joining protocol thus remains secure in environments where many users want + to register at the same time in concurrent sessions. \\ + \indent We remark that a similar Stern-like protocol could also be directly used to prove knowledge of a Boyen signature \cite{Boy10} on a binary expansion of the + user's syndrome $\mathbf{v}_i \in \ZZ_q^{4n}$ while preserving the user's ability to prove knowledge of a short $\mathbf{z}_i \in \ZZ^{4m}$ such that $\mathbf{F} \cdot \mathbf{z}_i = + \mathbf{v}_i \bmod q$. However, this would require considerably longer private keys containing $ 4n \cdot \log q$ matrices $\{\mathbf{A}_j\}_{j=0}^\ell$ of dimension $n \times + m$ each (i.e., we would need $\ell= \Theta(n \cdot \log q)$). In contrast, by using the signature scheme of Section \ref{se:gs-lwe-sigep}, we only need the group public key + $\mathcal{Y}$ to contain $\ell=\log N_{\mathsf{gs}}$ matrices in $\ZZ_q^{n \times m}$. Since the number of users $N_{\mathsf{gs}}$ is polynomial, we have $\log + N_{\mathsf{gs}} \ll n$, which results in a much more efficient scheme. + + + + +\subsection{Description of the Scheme} + +\begin{description} +\item[\textsf{Setup}$(1^\lambda,1^{N_{\mathsf{gs}}})$:] Given a security parameter $\lambda>0$ +and the maximal expected number of group members ${N_{\mathsf{gs}}}=2^{\ell} \in +\mathsf{poly}(\lambda)$, choose lattice parameter +$n = \mathcal{O}(\lambda)$; prime modulus $q = \widetilde{\mathcal{O}}(\ell n^3)$; dimension $m =2 n\lceil \log q\rceil$; Gaussian parameter $\sigma = \Omega(\sqrt{n\log q}\log n)$; infinity norm bounds $\beta = \sigma\omega({\log m})$ and $B = \sqrt{n} \omega(\log n)$. Let $\chi$ be a $B$-bounded distribution. 
+Choose a hash function $H:\{0,1\}^* +\rightarrow \{1,2,3\}^t$ for some $t = \omega(\log n)$, +which will be modeled as a random oracle in the security analysis. +Then, do the following. \smallskip \smallskip +% \vspace{-0.3 cm} +\begin{itemize} +\item[1.] Generate a key pair for the signature of Section \ref{desc-sig-protoc} for signing single-block messages. Namely, run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in +\ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of +$\Lambda_q^{\perp}(\mathbf{A})$, which allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with Gaussian parameter $\sigma$. +% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$. +Next, choose matrices +$\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell},\mathbf{D} \sample U(\ZZ_q^{n \times m})$, $ \mathbf{D}_0,\mathbf{D}_1 \sample U(\ZZ_q^{2n \times 2m})$ and a vector $\mathbf{u} \sample U(\ZZ_q^n)$. +\item[2.] Choose an additional random matrix $\mathbf{F} \sample U(\ZZ_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks. +\item[3.] +Generate a master key pair for the Gentry-Peikert-Vaikuntanathan IBE scheme +in its multi-bit variant. This key pair consists of a statistically uniform matrix +$\mathbf{B} \in \ZZ_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{B}} \in +\ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{B})$. This basis will allow us to compute GPV private keys with a +Gaussian parameter $\sigma_{\mathrm{GPV}} \geq \| \widetilde{\mathbf{T}}_{\mathbf{B}} \| \cdot +\sqrt{\log m}$. +\item[4.] Choose a one-time signature scheme $\Pi^\mathrm{OTS}=(\mathcal{G},\mathcal{S},\mathcal{V})$ and a hash function $H_0:\{0,1\}^* \rightarrow \ZZ_q^{ n \times 2m}$, +that will be modeled as random oracles. 
+\end{itemize} +The group public key is defined +as $$\mathcal{Y}:=\big( \mathbf{A}, ~ +\{\mathbf{A}_j \}_{j=0}^{\ell},~\mathbf{B}, ~\mathbf{D},~ \mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}, ~\mathbf{u} , ~\Pi^\mathrm{OTS}, ~ H,~H_0 \big).$$ +The opening authority's private key is $\mathcal{S}_{\OA}:= +\mathbf{T}_{\mathbf{B}} $ and the private key of the group manager consists of $\mathcal{S}_{\GM}:= \mathbf{T}_{\mathbf{A}}$. The algorithm outputs +$\big( \mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA} \big)$. + +\bigskip + +\item[\textsf{Join}$^{(\mathsf{GM},\mathcal{U}_i)}$:] the group manager $\GM$ and the prospective user $\mathcal{U}_i$ run the following interactive protocol: \smallskip +$\left\langle \mathsf{J}_{\user}(\lambda,\mathcal{Y}),\mathsf{J}_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \right\rangle$ +\begin{itemize} +\item[1.] $\mathcal{U}_i$ samples a discrete Gaussian vector $\mathbf{z}_{i} \leftarrow D_{\ZZ^{4m},\sigma}$ and computes $\mathbf{v}_{i} = \mathbf{F} \cdot \mathbf{z}_{i} \in \ZZ_q^{ 4n}$. +He sends the vector $\mathbf{v}_{i} \in \ZZ_q^{4n}$, whose binary representation $\mathsf{bin}(\mathbf{v}_i)$ consists of $4n\lceil\log q\rceil = 2m$ bits, together with an ordinary digital signature $sig_i = \mathrm{Sign}_{\usk[i]}(\mathbf{v}_i)$ to $\GM$. +\item[2.] $\mathsf{J}_{\GM}$ verifies that $\mathbf{v}_i$ was not previously used by a registered user and that +$sig_i$ is a valid signature on $ \mathbf{v}_i $ w.r.t. $\upk[i]$. It aborts if this is not the case. Otherwise, $\GM$ chooses a fresh $\ell$-bit identifier $\mathsf{id}_i=\mathsf{id}_i[1]\ldots \mathsf{id}_i[\ell] +\in \{0,1\}^{\ell}$ and +uses $\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ to certify +$\mathcal{U}_i$ as a new group member. To this end, $\GM$ +defines the matrix +\begin{eqnarray} \label{matr} +\mathbf{A}_{\mathsf{id}_i}= \left[ \begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 + +\sum_{j=1}^\ell \mathsf{id}_i[j] \mathbf{A}_j +\end{array} \right] \in \ZZ_q^{ n \times 2m}. 
+\end{eqnarray} +Then, $\GM$ runs $\mathbf{T}_{\mathsf{id}_i}' \leftarrow +\ExtBasis(\mathbf{A}_{\mathsf{id}_i},\mathbf{T}_{\mathbf{A}})$ to obtain a short delegated basis +$\mathbf{T}_{\mathsf{id}_i}'$ of $\Lambda_q^{\perp}(\mathbf{A}_{\mathsf{id}_i}) \in \ZZ^{ 2m \times 2m }$. +Finally, $\GM$ samples a short vector $\mathbf{s}_i \sample D_{\ZZ^{2m},\sigma }$ and uses the obtained delegated basis $\mathbf{T}_{\mathsf{id}_i}' $ to compute a short vector +$\mathbf{d}_i = \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} \in \ZZ^{2m}$ such that +\begin{eqnarray} \nonumber +\mathbf{A}_{\mathsf{id}_i} \cdot \mathbf{d}_i &=& \left[ \begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 + +\sum_{j=1}^\ell \mathsf{id}_i[j] \mathbf{A}_j +\end{array} \right] \cdot \mathbf{d}_i\\ +\label{rel-cert} &=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) \bmod q. \quad +\end{eqnarray} +The triple $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ is sent to $\mathcal{U}_i$. Then, +$\mathsf{J}_{\user}$ verifies that the received $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ satisfies (\ref{rel-cert}) and that +$\| \mathbf{d}_i \|_\infty \leq \beta$, $\| \mathbf{s}_i \|_\infty \leq \beta $. If these conditions are not satisfied, $\mathsf{J}_{\user}$ aborts. +Otherwise, +$\mathsf{J}_{\user}$ defines the membership +certificate as +$ \crt_{i }=( \mathsf{id}_i, \mathbf{d}_i,\mathbf{s}_i )$. +The membership secret $\scr_{i }$ is defined to be $\scr_i=\mathbf{z}_i \in \ZZ^{4m}$. $\mathsf{J}_{\GM}$ stores +$\transcript_i=(\mathbf{v}_i, \crt_i, i,\mathsf{upk}[i],sig_i)$ +in the database $St_{trans}$ of joining transcripts. 
\smallskip \smallskip +\end{itemize} + + + +\item[\textsf{Sign}$(\mathcal{Y},\crt_i,\scr_i ,M)$:] To sign $M \in +\{0,1\}^*$ using $\crt_i=(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$, where $\mathbf{d}_i=[ \mathbf{d}_{i,1}^T \mid \mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ and $\mathbf{s}_i \in \ZZ^{2m}$, as +well as the membership secret $\scr_i=\mathbf{z}_i \in \ZZ^{4m}$, the group +member $\mathcal{U}_i$ generates a one-time signature key pair $(\mathsf{VK},\mathsf{SK}) \leftarrow \mathcal{G}(n)$ and conducts the following steps. \smallskip + +\begin{itemize} +\item[1.] Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{ n \times 2m}$ and use it as an IBE public key to encrypt +$\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ is the syndrome of +$\scr_i=\mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $ \mathbf{c}_{\mathbf{v}_i} \in \ZZ_q^m \times \ZZ_q^{2m}$ as +\begin{eqnarray} \label{enc1} +\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \bit(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad +%\\ \nonumber && \hspace{4cm}\in \ZZ_q^m \times \ZZ_q^{2m} +\end{eqnarray} +for randomly chosen $\mathbf{e}_0 \sample \chi^n$, $\mathbf{x}_1 \sample \chi^m, \mathbf{x}_2 \sample \chi^{2m} $. +Notice that, as in the construction of \cite{LNW15}, the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version +of the dual Regev encryption scheme. +\item[2.] 
Run the protocol in Section~\ref{subsection:zk-for-group-signature} to prove the knowledge of $\mathsf{id}_i +\in \{0,1\}^{\ell}$, +vectors $\mathbf{s}_i \in \ZZ^{2m}, \mathbf{d}_{i,1},\mathbf{d}_{i,2} \in \ZZ^{m},\mathbf{z}_i \in \ZZ^{4m}$ with infinity norm bound $\beta $; $\mathbf{e}_0 \in \ZZ^n$, $\mathbf{x}_1 \in \ZZ^m, \mathbf{x}_2 \in \ZZ^{2m} $ with infinity norm bound $B$ +and $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that satisfy +\eqref{enc1} as well as +\begin{eqnarray} \label{rel-deux} +\mathbf{A} \cdot \mathbf{d}_{i,1} + \mathbf{A}_0 \cdot \mathbf{d}_{i,2} + \sum_{j=1}^{\ell} ( \mathsf{id}_i[j] \cdot \mathbf{d}_{i,2}) \cdot \mathbf{A}_j +- \mathbf{D} \cdot \mathbf{w}_i = \mathbf{u} \in \ZZ_q^n +\end{eqnarray} +and +\vspace*{-0.75cm} +\begin{eqnarray} \label{eq:rel-3} +\left\{ +\begin{array}{l} +\mathbf{H}_{2n \times m} \cdot \mathbf{w}_{i} = \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \ZZ_q^{2n} \\ +\mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) \in \ZZ_q^{4n}. +\end{array} +\right. +\end{eqnarray} + +The protocol is repeated $t = \omega(\log n)$ times in parallel to achieve negligible soundness error, and then made non-interactive using the Fiat-Shamir +heuristic~\cite{FS86} as a triple $\pi_K=( +\{\mathsf{Comm}_{K,j}\}_{j=1}^t,\mathsf{Chall}_K,\{\mathsf{Resp}_{K,j}\}_{j=1}^t)$, +where $\mathsf{Chall}_K = H(M, \vk, \mathbf{c}_{\mathbf{v}_i}, +\{ \mathsf{Comm}_{K,j}\}_{j=1}^t) \in \{1,2,3\}^t$ + +\item[3.] Compute a one-time signature $sig=\mathcal{S}(\mathsf{SK},(\mathbf{c}_{\mathbf{v}_i} , \pi_K))$. \smallskip + + +\end{itemize} +Output the signature that consists of + +\begin{equation} \label{eq:sig-final} \Sigma=\big( \mathsf{VK} ,\mathbf{c}_{\mathbf{v}_i}, \pi_K,sig \big). +\end{equation} + +\smallskip + +\item[\textsf{Verify}$(\mathcal{Y},M,\Sigma)$:] Parse the signature $\Sigma$ as in +(\ref{eq:sig-final}). 
Then, return $1$ if and only if: +(i) $\mathcal{V}(\mathsf{VK},(\mathbf{c}_{\mathbf{v}_i},\mathbf{c}_{\mathbf{s}_i},\mathbf{c}_{\mathsf{id}},\pi_K),sig)=1$; +(ii) The proof $\pi_K$ properly verifies. \smallskip %Otherwise, return $0$. \smallskip + +\item[\textsf{Open}$(\mathcal{Y},\mathcal{S}_{\OA},M,\Sigma)$:] Parse~$\mathcal{S}_{\OA}$ as~$ +\mathbf{T}_{\mathbf{B}} \in \ZZ^{m \times m}$ and $\Sigma$ as +in~(\ref{eq:sig-final}). \smallskip +\begin{itemize} +\item[1.] +Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{n \times 2m}$. Then, using $\mathbf{T}_{\mathbf{B}}$ +to compute a small-norm matrix +$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $. +\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\bit(\mathbf{v} ) \in \{0,1\}^{2m}$ +(i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip +\item[3.] Determine if the $\bit(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so, +output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$. +\end{itemize} +\end{description} + +We remark that the scheme readily extends to provide a mechanism whereby the opening authority can efficiently prove that signatures were correctly opened at each opening operation. +The difference between the dynamic group signature models suggested by Kiayias and Yung \cite{KY06} and Bellare \textit{et al.} \cite{BSZ05} is that, in the latter, the opening authority + ($\mathsf{OA}$) must be able to convince a judge that the $\mathsf{Open}$ algorithm was run correctly. 
+ Here, such a mechanism can be realized using the techniques of public-key encryption with non-interactive opening \cite{DHKT08}. Namely, since +$\bit(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\vk$, the $\mathsf{OA}$ can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}} $, +that satisfies $\mathbf{B} \cdot \mathbf{E}_{0,\vk} = \mathbf{G}_0 \bmod q$ (which corresponds to the verification of a GPV signature) and allows the verifier to perform step 2 of the opening +algorithm himself. The resulting construction is easily seen to satisfy the notion of opening soundness of Sakai \textit{et al.} \cite{SSE+12}. + +\subsection{Efficiency and Correctness} +\textsc{Efficiency.} The given dynamic group signature scheme can be implemented in polynomial time. The group public key has total bit-size $\mathcal{O}(\ell n m \log q) = \widetilde{\mathcal{O}}(\lambda^2)\cdot \log N_\textsf{gs}$. The secret signing key of each user consists of a small constant number of low-norm vectors, and has bit-size $\widetilde{\mathcal{O}}(\lambda)$. + +The size of each group signature is largely dominated by that of the non-interactive argument $\pi_K$, which is obtained from the Stern-like protocol of Section~\ref{subsection:zk-for-group-signature}. Each round of the protocol has communication cost $\widetilde{\mathcal{O}}(m \cdot \log q) \cdot \log N_\textsf{gs}$. Thus, the bit-size of $\pi_K$ is $t\hspace*{-1pt}\cdot\hspace*{-1pt} \widetilde{\mathcal{O}}(m \hspace*{-1pt}\cdot\hspace*{-1pt} \log q) \hspace*{-1pt}\cdot\hspace*{-1pt} \log N_\textsf{gs} = \widetilde{\mathcal{O}}(\lambda)\hspace*{-1pt}\cdot \hspace*{-1pt}\log N_\textsf{gs}$. This is also the asymptotic bound on the size of the group signature. 
+ + +\smallskip +\noindent +\textsc{Correctness.} The correctness of algorithm \textsf{Verify}$(\mathcal{Y},M,\Sigma)$ follows from the facts that every certified group member is able to compute valid witness vectors satisfying equations~(\ref{enc1}), (\ref{rel-deux}) and (\ref{eq:rel-3}), and that the underlying argument system is perfectly complete. Moreover, the scheme parameters are chosen so that the GPV IBE~\cite{GPV08} is correct, which implies that algorithm \textsf{Open}$(\mathcal{Y},\mathcal{S}_{\OA},M,\Sigma)$ is also correct. + + +\subsection{Security Analysis} + +Due to the fact that the number of public matrices $\{\mathbf{A}_j\}_{j=0}^\ell$ is only logarithmic in ${N_{\mathsf{gs}}}=2^\ell$ instead of being linear in the security parameter $\lambda$, +the proof of security against misidentification attacks (as defined in \cref{sse:gs-sec-notions}) cannot rely on the security of our signature scheme in a modular manner. + The reason is that, at each run of the $\mathsf{Join}$ protocol, the group manager maintains a state and, instead of choosing the $\ell$-bit identifier $\mathsf{id}$ uniformly in +$\{0,1\}^{\ell}$, it chooses an identifier that has not been used yet. Since $\ell \ll \lambda$ (given that ${N_{\mathsf{gs}}}=2^\ell$ is polynomial in $\lambda$), we thus have +to prove security from scratch. However, the strategy of the reduction is exactly the same as in the security proof of the signature scheme. + + +\begin{theorem} \label{traceability-thm} +The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\beta'}$ assumption, for $\beta' \hspace*{-1pt}=\hspace*{-1pt} \mathcal{O}(\ell \sigma^2 m^{3/2})$. +\end{theorem} + +\begin{proof} + We prove that any adversary $\adv$ with non-negligible success probability $\varepsilon$ implies an algorithm $\bdv$ solving the \textsf{SIS} problem + in the random oracle model. \\ + \indent + Let $\adv$ be such a $\ppt$ adversary. 
We build a $\ppt$ + algorithm $\bdv$ that uses $\adv$ to + solve~$\SIS_{n,2m,q,\beta'}$: specifically, $\bdv$ takes as input~$\bar{\mathbf{A}} = \begin{bmatrix} \bar{\mathbf{A}}_1 | \bar{\mathbf{A}}_2 \end{bmatrix} \in + \Zq^{n \times 2m}$, where $\bar{\mathbf{A}}_1,\bar{\mathbf{A}}_2 \in \Zq^{n \times m}$, and finds $\mathbf{w} \in + \Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{w}\| \leq \beta'$. + \medskip + + + \noindent \textbf{Initialization.} Algorithm~$\bdv$ first chooses a random $coin \sample + U(\{0,1,2\})$ as a guess for the kind of misidentification attack that $\adv$ will mount. Also, $\bdv$ + chooses a random $\ell$-bit string $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$. + In + addition, $\bdv$ + samples~$i^\star + \sample U([1,Q_a])$. \\ + \indent + Looking ahead, $coin=0$ corresponds to the case where, after repeated executions of $\adv$, the knowledge extractor of the proof system + reveals witnesses containing a new identifier $\mathsf{id}^\star \in \{0,1\}^\ell$ that does not belong to any user in $U^a$. + In this case, $\bdv$ will be able to exploit $\adv$'s forgery when $\mathsf{id}^\star=\mathsf{id}^\dagger$. 
+ The case $coin=1$ corresponds to $\bdv$'s expectation that the knowledge extractor will obtain the identifier $ \mathsf{id}^\star = \mathsf{id}^\dagger$ of a group member in + $ U^a$ (i.e., a group member that was legitimately introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query, for some $i^\star \in \{1,\ldots,Q_a\}$, where the identifier + $\mathsf{id}^\dagger$ is used by $\mathcal{Q}_{\ajoin}$), + but $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$ (which is encrypted in in $\mathbf{c}_{\mathbf{v}_i}^\star$ as part of the forgery $\Sigma^\star$) and the extracted $\mathbf{s}^\star \in \ZZ^{2m}$ are such that $ \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) \in \{0,1\}^m $ + does not match + the string $ \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr) \in \{0,1\}^{2m} $ for which + user $i^\star$ obtained a membership certificate at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query. When $coin=1$, the choice of $i^\star$ corresponds to a guess that the knowledge + extractor will reveal an $\ell$-bit identifier that coincides with the identifier $\mathsf{id}^\dagger$ assigned to the user introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query. 
+ The last case $coin=2$ corresponds to $\bdv$'s expectation that decrypting $\mathbf{c}_{\mathbf{v}_i}^\star$ (which is part of $\Sigma^\star$) and running + the knowledge extractor on $\adv$ will uncover vectors $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$, $\mathbf{w}^\star \in \{0,1\}^m$ and $\mathbf{s}^\star \in \ZZ^{2m}$ + such that $\mathbf{w}^\star= \bit(\mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and + \begin{eqnarray} \label{collide} + \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) = \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr) + \end{eqnarray} + but $(\bit ( \mathbf{v}^\star ), \mathbf{s}^\star) \neq ( \bit ( \mathbf{v}_{i^\star} ), \mathbf{s}_{i^\star} ) $, where $ \mathbf{v}_{i^\star} \in \Zq^{4n}$ and $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ are the vectors + involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query. + \\ + \indent + Depending on $coin \in \{0,1,2\}$, the group public key $\mathcal{Y}$ is + generated using different methods. \smallskip + + \noindent $\bullet$ If $coin=0$, algorithm~$\bdv$ first randomly chooses $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$ as a guess for the $\ell$-bit string + that will be revealed by the knowledge extractor of the proof system after repeated executions of the adversary $\adv$. + Then, it runs + $\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a + basis $\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ with + $\|\widetilde{\mathbf{T}_{\mathbf{C}}}\| \leq \bigO(\sqrt{n \log q})$. Then, + it chooses~$\ell+2$ matrices~$ \mathbf{Q}_0,\ldots,\mathbf{Q}_{\ell},\mathbf{Q}_D \in \ZZ^{m \times m}$, + each matrix having its columns sampled independently from~$D_{\ZZ^m,\sigma}$. 
Then, $\bdv$ defines the matrices $\{ \mathbf{A}_i\}_{i=0}^{\ell}$ as + \begin{eqnarray*} + \left\{ + \begin{array}{ll} + \mathbf{A}_0 = \bar{\mathbf{A}}_1 \cdot \mathbf{Q}_0 + (\sum_{i=1}^{\ell} {\mathsf{id}^\dagger[i]}) \cdot + \mathbf{C} \\ + \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot \mathbf{Q}_i + (-1)^{\mathsf{id}^{\dagger}[j]} \cdot + \mathbf{C}, \quad \text{ for } j \in + [1,\ell]. \\ + \mathbf{D} = \bar{\mathbf{A}}_1 \cdot \mathbf{Q}_D + \end{array} + \right. + \end{eqnarray*} + It also defines $\mathbf{A}=\bar{\mathbf{A}}_1$. + Next, it samples a vector $\mathbf{e}_u \sample D_{\ZZ,\sigma}^m$ and computes a syndrome $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \in \Zq^n$. It picks $\mathbf{D}_0,\mathbf{D}_1 + \sample U(\Zq^{2n \times 2m})$ at random and also faithfully generates the GPV master key pair $(\mathbf{B},\mathbf{T}_{\mathbf{B}})$ as in Step~3 of the real setup algorithm. The group + public key $\mathcal{Y}=\big(\mathbf{A},\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{B}, \mathbf{D},\mathbf{D}_0,\mathbf{D}_1,\mathbf{F}, \mathbf{u},\mathcal{OTS},H,H_0 \big)$ + is finally given to~$\adv$. 
\\ + \indent Note that, for each $\mathsf{id} \neq \mathsf{id}^\dagger$, we have + \begin{eqnarray} \nonumber + \mathbf{A}_{\mathsf{id}} &=& \left[ + \begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \mathbf{A}_0 + + \sum_{i=1}^\ell \mathsf{id}[i] \mathbf{A}_i + \end{array} \right] \\ \nonumber & = & \left[ + \begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \bar{\mathbf{A}}_1 \cdot (\mathbf{Q}_0 + + \sum_{i=1}^{\ell} \mathsf{id}[i] \mathbf{Q}_i) + ( + \sum_{i=1}^{\ell} \mathsf{id}^\dagger [i] +(-1)^{\mathsf{id}^\dagger[i]} \mathsf{id}[i])\cdot \mathbf{C} + \end{array} \right] \\ \label{sim-matr} &=& + \left[ + \begin{array}{c|c} \bar{\mathbf{A}}_1 ~&~ \bar{\mathbf{A}}_1 + h_{\mathsf{id}} \cdot \mathbf{C} + \end{array} \right] +% \vspace*{-.1cm} + \end{eqnarray} + where $h_{\mathsf{id}} \in [1,\ell]$ denotes the Hamming distance between + the identifiers $\mathsf{id}$ and $\mathsf{id}^\dagger$. Since $q>\ell$, we have + $h_{\mathsf{id}_j} \neq 0 \bmod q$ whenever $\mathsf{id}_j \neq \mathsf{id}^\dagger$, so + that algorithm $\bdv$ is able to compute (see~\cite[Se.~4.2]{ABB10}, + using the basis~$\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ and + the refined $\GPVSample$ of Lemma~\ref{le:GPV}) a basis + $\mathbf{T}_{\mathsf{id}}$ of $\Lambda_q^{\perp}(\mathbf{A}_{\mathsf{id}})$ + with~$\|\widetilde{\mathbf{T}_{\mathsf{id}}}\| \leq \Omega(\sqrt{n\log + q\log n})$. In contrast, + algorithm~$\bdv$ lacks a trapdoor for $\mathbf{A}_{\mathsf{id}^\dagger}$ as the + latter only depends on $\mathbf{A}$ and $\{\mathbf{Q}_k\}_{k=0}^{\ell}$. + Observe that, since the columns of the matrices~$\{\mathbf{Q}_k\}_{k=0}^\ell$ are sampled + from~$D_{\ZZ^m,\sigma}$, the + matrices~$ \mathbf{A}_0,\ldots,\mathbf{A}_{\ell}$ are within + statistical distance~$2^{-\Omega(m)}$ of~$U(\Zq^{n \times m})$. + \smallskip + + + \noindent $\bullet$ If $coin=1$, algorithm~$\bdv$ sets up $\mathcal{Y}$ by defining + $\mathbf{D}=\bar{\mathbf{A}}$. 
Initially, $\bdv$ + chooses $Q_a-1$ distinct strings $\mathsf{id}_1, \ldots,\mathsf{id}_{i^\star-1}, \mathsf{id}_{i^\star+1},\ldots,\mathsf{id}_{Q_a} \in \{0,1\}^\ell$ such that, for each $i \in [1,Q_a] \backslash \{i^\star\}$, $\mathsf{id}_i$ will be embedded in the membership certificate + returned in the $i$-th $\mathcal{Q}_{\ajoin}$-query. Let also $\mathsf{id}^\dagger=\mathsf{id}_{i^\star}$ be the $\ell$-bit identifier + that will be used in the $i^\star$-th query. + The reduction $\bdv$ picks random $h_0,h_1,\ldots,h_\ell \in \Zq$ under the constraints + \begin{eqnarray*} + h_{\mathsf{id}^\dagger} = h_0 + \sum_{j=1}^\ell \mathsf{id}^\dagger[j] \cdot h_j &=& 0 \bmod q \\ + h_{\mathsf{id}_i} = h_0 + \sum_{j=1}^\ell \mathsf{id}_i[j] \cdot h_j & \neq & 0 \bmod q \qquad \qquad i \in \{1,\ldots,Q_a\} \setminus \{i^\dagger\} + \end{eqnarray*} + Next, $\bdv$ runs $(\mathbf{C},\mathbf{T}_{\mathbf{C}}) \leftarrow \mathsf{TrapGen}(1^n,1^m,q)$, $(\mathbf{D}_1,\mathbf{T}_{\mathbf{D}_1}) \leftarrow \mathsf{TrapGen}(1^{2n},1^{2m},q)$ so as to obtain statistically random matrices $\mathbf{C} \in \Zq^{n \times m}$, $ \mathbf{D}_1 \in \Zq^{2n \times 2m}$ together with + trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m} $, $\mathbf{T}_{\mathbf{D}_1} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_1)$, respectively. Then, + $\bdv$ + picks a random $\mathbf{D}_0 \sample U(\Zq^{2n \times 2m})$ and re-randomizes $\mathbf{D}=\bar{\mathbf{A}}_1 \in \Zq^{n \times m}$ using Gaussian matrices + $\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$ whose columns are sampled from the distribution $D_{\ZZ^m,\sigma}$. 
+ Namely, from $\mathbf{D} =\bar{\mathbf{A}}_1 $, $\bdv$ + defines + \begin{eqnarray} \nonumber + \mathbf{A} &=& \bar{\mathbf{A}}_1 \cdot \mathbf{S} \\ \label{setup-sig2} + \mathbf{A}_0 &=& \bar{\mathbf{A}}_1 \cdot \mathbf{S}_0 + h_0 \cdot \mathbf{C} \\ \nonumber + \mathbf{A}_j &=& \bar{\mathbf{A}}_1 \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} . + \end{eqnarray} + As part of the generation of + $\mathcal{Y}$, the vector $\mathbf{u} \in \Zq^n$ is obtained by picking short discrete Gaussian vectors + $ \mathbf{d}_{i^\star,1}, \mathbf{d}_{i^\star,2} \sample D_{\ZZ^m,\sigma} $ + and computing + \begin{eqnarray} \label{def-u} + \mathbf{u} = [ \mathbf{A} ~\mid ~ \mathbf{A}_0 + + \sum_{j=1}^\ell \mathsf{id}^\dagger[j] \mathbf{A}_j + ] \cdot + \begin{bmatrix} + \mathbf{d}_{i^\star,1} \\ \hline \mathbf{d}_{i^\star,2} + \end{bmatrix} + - \mathbf{D} \cdot \bit(\mathbf{c}_M), + \end{eqnarray} + where + $\mathbf{c}_{M} \sample U(\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1} + \sample D_{\ZZ^m,\sigma}$, the distribution of + $\mathbf{u} $ is statistically close to $U(\Zq^n)$. + \medskip + + \noindent $\bullet$ If $coin=2$, $\bdv$ picks $\bar{\mathbf{A}}' \sample U(\Zq^{n \times 2m})$ + and a random matrix $\mathbf{Q} \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^{2m},\sigma}$. These + are used to define $$\mathbf{D}_0= \begin{bmatrix} \bar{\mathbf{A}} \\ \hline \bar{\mathbf{A}}' \end{bmatrix} \in \Zq^{2n \times 2m} ,$$ + and $\mathbf{D}_1=\mathbf{D}_0 \cdot \mathbf{Q} \bmod q$, which is statistically close to $U(\Zq^{2n \times 2m})$. All other components of $\mathcal{Y}$ are obtained by faithfully running the setup algorithm. 
\medskip + + + \indent For each value of $coin \in \{0,1,2\}$, the group public key + $$\mathcal{Y}=\big(\mathbf{A},\{\mathbf{A}_j \}_{j=0}^{\ell},\mathbf{B},\mathbf{D},\mathbf{D}_0,\mathbf{D}_1,\mathbf{F}, \mathbf{u},\mathcal{OTS},H,H_0 \big)$$ has a distribution which is statistically close to that of the real scheme and $\mathcal{Y}$ is given to $\adv$. + + \medskip + + + \noindent \textbf{Queries.} The reduction~$\bdv$ starts interacting + with the adversary~$\adv$ and the way it handles~$\adv$'s queries to the $\mathcal{Q}_{\ajoin}$ oracle depends on the value of~$coin \in \{0,1,2\}$. \smallskip \smallskip + + \noindent $\bullet$ If $coin=0$, answers $\mathcal{Q}_{\ajoin}$-queries as follows. When $\adv$ triggers an execution of the joining protocol, it chooses + a syndrome $\mathbf{v}_{i} \in \Zq^n$. + To answer the query, $\bdv$ chooses a fresh $\ell$-bit identifier $\mathsf{id}_i \in \{0,1\}^\ell$ such that + $\mathsf{id}_i \neq \mathsf{id}^\dagger$. If $\adv$ also provides a correct signature $sig_i$ such that + $\mathrm{Verify}_{\mathsf{upk}[i]}(\mathbf{v}_{i},sig_i)=1$, $\bdv$ samples $\mathbf{s}_i \sample D_{\ZZ^{2m},\sigma}$ and uses the trapdoor $\mathbf{T}_{\mathbf{C}}$ to compute a short vector + $\mathbf{d}_i=[\mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T]^T \in \ZZ^{2m}$ such that + \begin{eqnarray} \label{sim-cert} + \mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) , + \end{eqnarray} + where $\mathbf{A}_{\mathsf{id}_i} \in \Zq^{n \times 2m}$ is the matrix in (\ref{sim-matr}). Note that $\bdv$ is able to compute such a vector using the $\mathsf{SampleRight}$ + algorithm of \cite{ABB10} (since the Hamming distance $h_{\mathsf{id}_i}$ between $\mathsf{id}_i$ and $\mathsf{id}^\star$ is non-zero). 
The membership certificate + $\crt_i= (\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ is then returned to $\adv$. + \smallskip + + \noindent $\bullet$ If $coin=1$, algorithm~$\bdv$ responds each $\mathcal{Q}_{\ajoin}$-query depending on the index $i \in \{1,\ldots,Q_a\}$ of the query. Specifically, + we distinguish two cases. \smallskip + + \begin{itemize} + \item[-] If $i \neq i^\star$, $\bdv$ proceeds as in the previous case. Namely, it recalls the $\ell$-bit identifier $\mathsf{id}_i \in \{0,1\}^\ell$ (for which $\mathsf{id}_i \neq \mathsf{id}^\dagger$) + that was chosen in the setup phase and samples a short vector $\mathbf{s}_{i} \sample D_{\ZZ^{2m},\sigma}$. If $\adv$ also provides a correct signature $sig_i$ such that + $\mathrm{Verify}_{\mathsf{upk}[i]}(\mathbf{v}_{i},sig_i)=1$, generates a membership certificate $\crt_i$ for $\adv$ as in the case $coin=0$. + Note that + \begin{eqnarray} \nonumber + \mathbf{A}_{\mathsf{id}_i} &=& \left[ + \begin{array}{c|c} \bar{\mathbf{A}} \cdot \mathbf{S} ~&~ \bar{\mathbf{A}} \cdot (\mathbf{S}_0 + + \sum_{j=1}^{\ell} \mathsf{id}_i[j] \mathbf{S}_j) + h_{\mathsf{id}_i} \mathbf{C} + \end{array} \right] \\ \label{sim-matr-coin1} &=& + \left[ + \begin{array}{c|c} \bar{\mathbf{A}} \cdot \mathbf{S} ~&~ \bar{\mathbf{A}} + h_{\mathsf{id}_i} \cdot \mathbf{C} + \end{array} \right] +% \vspace*{-.1cm} + \end{eqnarray} + Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor + $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that + \begin{eqnarray*} + \mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) , + \end{eqnarray*} + where $\mathbf{v}_{i} \in \Zq^{4n}$ is the syndrome chosen by $\adv$ at step 1 of the joining 
protocol. + \item[-] If $i = i^\star$, $\bdv$ undertakes to generate a membership certificate $\crt_{i^\star}$ for the $\ell$-bit identifier $\mathsf{id}^\dagger \in \{0,1\}^\ell$ that was + chosen at the outset of the game. To this end, $\bdv$ has to compute $\crt_{i^\star}$ without using the trapdoor $\mathbf{T}_{\mathbf{C}}$ since the matrix $\mathbf{A}_{\mathsf{id}^\dagger}$ does no longer + depend on $\mathbf{C}$ in (\ref{sim-matr-coin1} ). This can be done by recalling + the vector $\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2} \in \ZZ^m$ and $\mathbf{c}_M \in \Zq^{2n}$ that were used to define $\mathbf{u} \in \Zq^n$ in (\ref{def-u}) and using $\mathbf{T}_{\mathbf{D}_1}$. If $\adv$ provides a correct signature + $sig_{i^\star}$ such that + $\mathrm{Verify}_{\mathsf{upk}[i^\star]}(\mathbf{v}_{i^\star},sig_{i^\star})=1$, + $\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_1}$ of $\Lambda_q^\perp (\mathbf{D}_1)$ to sample a short vector $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ of $D_{\Lambda_q^{\mathbf{c}_{i^\star}}(\mathbf{D}_1),\sigma}$, where $\mathbf{c}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \bmod q $, + satisfying + $$ \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) ~\bmod q , $$ + before returning $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} =[ \mathbf{d}_{i^\star,1}^T \mid \mathbf{d}_{i^\star,2}^T]^T,\mathbf{s}_{i^\star})$ + to $\adv$. From the definition of $\mathbf{u} \in \Zq^n$ (\ref{def-u}), it is easy to see that $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} ,\mathbf{s}_{i^\star})$ forms a valid membership certificate for + any membership secret $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ corresponding to the syndrome $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$. 
+%Moreover, the distribution of +%$\mathbf{s}_{i^\star}$ is +% $D_{\ZZ^m,\sigma}^{\mathbf{c}_{v_{i^\star}}}$, where $\mathbf{c}_{v_{i^\star}} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \in \Zq^n $, as in \GGame $2$. + \end{itemize} + + Regardless of the value of $coin$, queries to the random oracle~$H$ + are handled by returning a uniformly chosen value in $\{1,2,3\}^t$. For + each $\kappa \leq Q_H$, we let~$r_{\kappa}$ denote the answer to the + $\kappa$-th $H$-query. Of course, if the adversary makes a given query + more than once, then~$\bdv$ consistently returns the previously defined + value. Queries to the random oracle $H_0$ are answered in the usual way, by returning a uniformly random value in the appropriate range. \medskip + + \noindent \textbf{Forgery.} When $\adv$ halts, it outputs a + signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the + trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$. + +%We know that, with probability $\Pr[W_2]$, it holds that +%\begin{itemize} +%\item[-] The pair $(M^\star,\Sigma^\star)$ results in a successful misidentification attack and, when $\bdv$ runs the $\mathsf{Open}$ algorithm on $\Sigma^\star$, the $\ell$-bit %identifier $\mathsf{id}^\star$ revealed at step 2 +%coincides with $\mathsf{id}^\dagger$. +%\item[-] +%If $coin=0$, $\mathsf{id}^\dagger$ did not appear in any membership certificate returned by $\mathcal{Q}_{\ajoin}$ whereas, if $coin=1$, $\mathsf{id}^\dagger$ is the identifier used by +%$\mathcal{Q}_{\ajoin}$ at the $i^\star$-th query. 
+%\item[-] If $coin=2$, the opening of $\Sigma^\star$ reveals vectors $\bit(\mathbf{v}^\star)$ and $\mathbf{s}^\star$ that result in a collision (\ref{collide}) +% with those $(\bit(\mathbf{v}_{i^\star}),\mathbf{s}_{i^\star})$ +%of the $i^\star$-th joining query. +%\end{itemize} +%In any other situation, $\bdv$ aborts and reports failure. Note that, in the case $coin=2$, $\bdv$ is done since the collision (\ref{collide}) directly provides a +%$\mathsf{SIS}$ solution. We thus assume $coin \in \{0,1\}$. + If we parse the proof $\pi_K^\star$ as + $(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$, with high + probability, the adversary $\adv$ must have invoked the random oracle~$H$ on the + input~$ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$. + Otherwise, the probability that + $\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ + is negligible (at most~$3^{-t}$). It comes that, with probability at least $ \varepsilon' := \varepsilon- + 3^{-t} $, $ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ + coincides with the $\kappa^\star$-th random oracle query for some $\kappa^\star + \leq Q_H$. \\ + \indent + At this stage, the reduction $\bdv$ runs the + adversary $\adv$ up to $32 \cdot Q_H / (\varepsilon - 3^{-t})$ times with the \textit{same} random tape and input as in the + initial run. All queries are answered as previously with + one difference in the treatment of random oracle queries. + Namely, the first $\kappa^\star-1$ random oracle queries -- which are + identical to those of the first execution since $\adv$ is run with the + same random tape as before -- receive the same answers + $\mathsf{Chall}_1,\ldots,\mathsf{Chall}_{\kappa^\star-1}$ as in the first run. 
This implies + that the $\kappa^\star$-th query will involve exactly the same tuple + $ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ + as in the first run. However, from the + $\kappa^\star$-th query onwards, $\adv$ obtains fresh random oracle + values $\mathsf{Chall}_{\kappa^\star}',\ldots,\mathsf{Chall}_{Q_H}'$ at each new execution. The Improved Forking + Lemma of Brickell \textit{et al.}~\cite{BPVY00} guarantees that, with probability at least $1/2$, $\bdv$ can obtain a $3$-fork involving the + same tuple $ (M^\star, \mathsf{VK}^\star , \mathbf{c}_{\mathbf{v}_i}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ with + pairwise distinct answers + $\mathsf{Chall}_{\kappa^\star}^{(1)} , + \mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)} \in \{1,2,3\}^t$. With probability $1-(7/9)^t$ it can be shown that there exists an index $j \in \{1,\ldots,t\}$ for which the $j$-th bits + of $\mathsf{Chall}_{\kappa^\star}^{(1)} , + \mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)}$ are $ (\mathsf{Chall}_{\kappa^\star,j}^{(1)} , + \mathsf{Chall}_{\kappa^\star,j}^{(2)}, \mathsf{Chall}_{\kappa^\star,j}^{(3)} )=(1,2,3)$. 
From the corresponding responses $({\mathsf{Resp}_{K,j}^\star}^{(1)},{\mathsf{Resp}_{K,j}^\star}^{(2)},{\mathsf{Resp}_{K,j}^\star}^{(3)})$, + $\bdv$ is able to extract witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star) \in \ZZ^m \times \ZZ^m$, $\mathsf{id}^\star \in \{0,1\}^\ell$ and $\mathbf{w}^\star \in \{0,1\}^m$ from the proof of knowledge $\pi_K^\star$ + such that + \begin{eqnarray*} + \mathbf{A}_{\mathsf{id}^\star } \cdot \begin{bmatrix} \mathbf{d}_{1}^\star \\ \hline \mathbf{d}_{2}^\star \end{bmatrix} &=& \mathbf{u} + \mathbf{D} \cdot \mathbf{w}^\star \\ + \mathbf{w}^\star &=& \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) , + \end{eqnarray*} + At this point, $\bdv$ aborts and + declares failure in the following situations: + + \begin{itemize} + \item[-] $coin=0$ but $\mathsf{id}^\star \in \{0,1\}^\ell$ is recycled from some output of the $\mathcal{Q}_{\ajoin}$ oracle. + \item[-] $coin=0$ and $\mathsf{id}^\star \neq \mathsf{id}^\dagger$. + \item[-] $coin=1$ but $\mathsf{id}^\star \in \{0,1\}^\ell$ never appeared in a membership certificate returned by the $\mathcal{Q}_{\ajoin}$ oracle. + \item[-] $coin=1$ and $\mathsf{id}^\star \in \{0,1\}^{\ell}$ belongs to some user in $U^a$, but this user is not the one introduced at the $i^\star$-th + $\mathcal{Q}_{\ajoin}$-query (i.e., $i^\star \neq i^\dagger$ and $\mathsf{id}^\star \neq \mathsf{id}^\dagger$). + \item[-] $coin=1$ and the knowledge extractor revealed vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ + satisfying the collision (\ref{collide}), + where $ \bit(\mathbf{v}_{i^\star})$ and $\mathbf{s}_{i^\star}$ are the vectors + involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$ query. + \item[-] $coin=2$ and the knowledge extraction yields vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision + (\ref{collide}) does not occur. 
+ \end{itemize} + We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample U(\{0,1,2\})$ and $i^\star \sample U([1,Q_a])$ are completely independent of $\adv$'s view, + the choice of $coin$ is correct with probability $1/3$. If $coin=0$, $\bdv$'s choice of $\mathsf{id}^\dagger \sample U(\{0,1\}^\ell)$ is correct with probability $1/(N_{\mathsf{gs}}-Q_a) \geq 1/N_{\mathsf{gs}}$ and, when + $coin=1$, $\bdv$'s correctly guesses $i^\star \in [1,Q_a]$ with probability $1/Q_a$. We find + $$\Pr[ \neg \mathsf{fail}] \geq \frac{1}{3 \cdot \max(N_{\mathsf{gs}},Q_a)} =\frac{1}{3 \cdot N_{\mathsf{gs}} } .$$ + + Assuming that $\mathsf{fail}$ does not occur, $\bdv$ can solve the problem instance as follows. \smallskip + + + \noindent $\bullet$ If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector + \begin{eqnarray*} + \mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D + \cdot \bit(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m + \end{eqnarray*} + such that $ \bar{\mathbf{A}}_1 \cdot \mathbf{h} = \mathbf{0}^m \bmod q$. Moreover, + we have $\mathbf{h} \neq \mathbf{0}^m$ w.h.p. since the syndrome $\mathbf{u} \in \Zq^n$ statistically hides + $\mathbf{e}_u \in \ZZ^m$ + in $\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}_1)$. Finally, the norm of $\mathbf{h}$ is at most $\| \mathbf{h} \|_2 \leq (\ell+1) \sigma^2 m^{3/2} + \sigma m^{1/2} (m+2)$. + This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance. 
+ \smallskip + + + \smallskip + \noindent $\bullet$ If $coin=1$, the extracted + witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\bit(\mathbf{v}^\star)$ + satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star ) + \neq \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$ + (since $\neg \mathsf{fail}$ implies that the collision (\ref{collide}) did not occur if $coin=1$) + and + \begin{align} \label{rel1} + \left[ + \begin{array}{c|c|c|c|c|c} + \mathbf{A} ~&~ \mathbf{A}_0 ~&~ \mathbf{A}_1~ &~ \ldots ~ & ~ \mathbf{A}_{\ell} ~&~ -\mathbf{D} + \end{array} \right] \cdot + \begin{bmatrix} + \mathbf{d}_{1}^\star \\ \hline \mathbf{d}_{2}^\star + \\ \hline \mathsf{id}^\dagger[1] \mathbf{d}_{2}^\star \\ \hline \vdots \\ \hline ~~ \mathsf{id}^\dagger[\ell] \mathbf{d}_{2}^\star + \\ \hline \mathbf{w}^\star + \end{bmatrix} + = \mathbf{u} \bmod q. 
+ \end{align} + Since $\bdv$ already knew short vectors $(\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2}, \mathbf{w}_{i^\star}) \in \ZZ^m \times \ZZ^m \times \ZZ^m $ such that + \begin{align} \label{rel2} + \left[ + \begin{array}{c|c|c|c|c|c} + \mathbf{A} ~&~ \mathbf{A}_0 ~&~ \mathbf{A}_1~ &~ \ldots ~ & ~ \mathbf{A}_{\ell} ~&~ -\mathbf{D} + \end{array} \right] \cdot + \begin{bmatrix} + \mathbf{d}_{i^\star,1}^\star \\ \hline \mathbf{d}_{i^\star,2}^\star + \\ \hline \mathsf{id}^\dagger[1] \mathbf{d}_{i^\star,2}^\star \\ \hline \vdots \\ \hline ~~ \mathsf{id}^\dagger[\ell] \mathbf{d}_{i^\star,2}^\star + \\ \hline \mathbf{w}_{i^\star} + \end{bmatrix} + = \mathbf{u} \bmod q, + \end{align} + by subtracting (\ref{rel2}) from (\ref{rel1}), we find that + \begin{align} \label{the-vec} + \mathbf{h} &= \mathbf{S} \cdot (\mathbf{d}_1^\star - \mathbf{d}_{i^\star,1}) + (\mathbf{S}_0 + \sum_{j=1}^\ell {\mathsf{id}^\dagger} [j] \mathbf{S}_j ) \cdot (\mathbf{d}_2^\star - \mathbf{d}_{i^\star,2} ) + \ + ( \mathbf{w}^\star - \mathbf{w}_{i^\star} ) \quad + \end{align} + is a small-norm vector $\mathbf{h} \in \ZZ^m$ satisfying $ \bar{\mathbf{A}}_1 \cdot \mathbf{h}=\mathbf{0} \bmod q$. We claim that $\mathbf{h} \neq \mathbf{0}$ with high probability. + Indeed, we know that $\mathbf{w}^\star \neq \mathbf{w}_{i^\star}$ if $\neg \mathsf{fail}$ occurs. + This implies that the last term of (\ref{the-vec}) is non-zero, which rules out that $(\mathbf{d}_1^\star,\mathbf{d}_2^\star)=(\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2})$. + Since the columns of $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ have a lot of entropy conditionally on $\mathcal{Y}$, this implies that we can only have $\mathbf{h}=\mathbf{0}^m$ with negligible probability. Furthermore, the norm of $\mathbf{h}$ can be bounded by $\| \mathbf{h} \|_2 \leq 4 \sigma^2 m^{3/2} (\ell+2) + 2 m^{1/2} $, + so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance. 
\medskip + + \noindent $\bullet$ If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector + $$\mathbf{h}=\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in + the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has + norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability + given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$. +\end{proof} + + +\begin{theorem} \label{non-frame} +The scheme is secure against framing attacks under the $\mathsf{SIS}_{4n,4m,q,\beta''}$ assumption, where $\beta'' = 4\sigma \sqrt{m}$. +\end{theorem} + +\begin{proof} + Let us assume that a PPT adversary $\adv$ can create a + forgery $(M^\star,\Sigma^\star)$ that opens to some honest user + $i\in U^b$ who did not sign $M^\star$. In the random oracle model, we give a reduction $\bdv$ that uses $\adv$ to solve an instance of the ~$\SIS_{4n,4m,q,\beta''}$ problem: + $\bdv$ takes as input~$\bar{\mathbf{A}} \in + \Zq^{4n \times 4m}$ and finds a non-zero short vector $\mathbf{w} \in + \Lambda_q^{\perp}(\bar{\mathbf{A}})$. % with~$0 < \|\mathbf{w}\| \leq \beta$. + \\ + \indent Algorithm $\bdv$ generates the group public key $\mathcal{Y}$ by faithfully running the real setup algorithm with the sole difference that, at step 2 of $\mathsf{Setup}$, + $\bdv$ defines $\mathbf{F}=\bar{\mathbf{A}} \in \Zq^{4n \times 4m}$. However, the distribution of $\mathcal{Y}$ is as in the real scheme. + As a result of having generated $\mathcal{Y}$ itself, $\bdv$ knows + $\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ and $\mathcal{S}_{\OA}= \mathbf{T}_{\mathbf{B}}$. 
The adversary $\bdv$ is run on input of the + group public key +$$ \mathcal{Y}:=\Bigl(\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{B},~\mathbf{D},~\mathbf{D}_0,~\mathbf{D}_1,~\mathbf{F}=\bar{\mathbf{A}},~\mathbf{u},~\Pi^{\mathsf{OTS}},~H,~H_0 ) \Bigr). $$ + +If $\adv$ chooses +to corrupt the group manager or the opening authority during the +game, $\bdv$ is able to reveal +$\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ and +$\mathcal{S}_{\OA}= \mathbf{T}_{\mathbf{B}}$. % At the very beginning of the game, $\bdv$ draws a random index $j^\star \sample \{1,\ldots,Q_b\}$ and +Then, $\bdv$ starts interacting with $\adv$ as follows. +\begin{itemize} + \item[-] $Q_{\mathsf{keyGM}}$-queries: If $\adv$ decides to corrupt the group manager, $\bdv$ + hands the secret key $\mathcal{S}_{\GM}=\mathbf{T}_{\mathbf{A}}$ to $\adv$. + \item[-] $Q_{\bjoin}$-queries: At any time $\adv$ can act as a corrupted group manager and introduce a new honest user $i$ in the group by invoking the $Q_{\bjoin}$ oracle. + At each $Q_{\bjoin}$-query, $\bdv$ faithfully + runs $\mathsf{J}_{\mathsf{user}}$ on behalf of the honest user in an execution of $\mathsf{Join}$ protocol. + + \item[-] $Q_{\mathsf{pub}}$-queries: These + can be answered as in the real game, by having the simulator return + $\mathcal{Y}$. + \item[-] $Q_{\mathsf{sig}}$-queries: When the adversary $\adv$ requests user $ i \in + U^b$ to sign a message $M$, $\bdv$ first generates a one-time key pair $(\mathsf{VK},\mathsf{SK}) \leftarrow \mathcal{G}(n)$ to + compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \Zq^{n \times 2m}$. Next, + $\bdv$ recalls the vector $\mathbf{z}_i \in \ZZ^{4m}$ that was chosen to define the syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i$ at step 1 of the $\mathsf{Join}$ protocol as well as + the identifier $\mathsf{id}_i \in \{0,1\}^\ell$ and the short vectors $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i) $ + that were supplied by $\adv$ in an earlier $Q_{\bjoin}$-query. 
It faithfully computes a signature by IBE-encrypting + $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$ and using $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)$ to compute a witness indistinguishable proof $\pi_K=( + \{\mathsf{Comm}_{K,j}\}_{j=1}^t,\mathsf{Chall}_K,\{\mathsf{Resp}_{K,j}\}_{j=1}^t)$. + Finally, $\bdv$ computes a one-time signature + $sig=\mathcal{S}(\mathsf{SK},(\mathbf{c}_{\mathbf{v}_i},\pi_K))$ and returns the signature + $\Sigma=\big( \mathsf{VK} ,\mathbf{c}_{\mathbf{v}_i}, \pi_K,sig \big)$ to $\adv$. +\end{itemize} +When $\adv$ halts, it outputs a signature +$ \Sigma^\star = \big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \pi_K^\star,sig^\star \big)$ +for +some message $M^\star$, which opens to ${i^\star} \in +U^b$ although user $i^\star$ did not sign the message $M^\star$ at any time. Since $(M^\star,\Sigma^\star)$ supposedly frames user $i^\star$, the opening of +$\Sigma^\star$ must reveal the $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$. We note that the reduction $\bdv$ has +recollection of a short vector $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ (of norm $\| \mathbf{z}_{i^\star} \| < 2\sigma \sqrt{m}$) +such that $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$ which it +chose when running $\mathsf{J}_{\mathsf{user}}$ on behalf of user $i^\star$ when this user was introduced in the group. Hence, +$\bdv$ +would be able to solve its given $\mathsf{SIS}$ instance if it had another short vector $\mathbf{z}' \in \ZZ^{4m}$ satisfying $\mathbf{v}_{i^\star} = \mathbf{F} \cdot {\mathbf{z}'} \bmod q $. +To compute such a +vector, $\bdv$ proceeds by replaying the adversary $\adv$ sufficiently many times and applying the Improved Forking +Lemma of Brickell \textit{et al.}~\cite{BPVY00}. 
\\ +\indent +If we parse $\pi_K^\star$ as +$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$, with high +probability, $\adv$ must have queried~$H$ on the +input~$ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$. +Otherwise, we would only have +$\mathsf{Chall}_K^\star=H (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ +with negligible probability~$3^{-t}$. It comes that, with probability at least $ \varepsilon' := \varepsilon- +3^{-t} $, the tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ +was the input of the $\kappa^\star$-th random oracle query for some index $\kappa^\star +\leq Q_H$. \\ +\indent +At this point, the reduction $\bdv$ runs the +adversary $\adv$ up to $32 \cdot Q_H / (\varepsilon - 3^{-t})$ times with the \textit{same} random tape and input as in the +first run. All queries are answered as previously with +one difference in the way to handle $H$-queries. +Namely, the first $\kappa^\star-1$ $H$-queries -- which are +the same as in the first execution since $\adv$ is run with the +same random tape -- obtain the same answers +$\mathsf{Chall}_1,\ldots,\mathsf{Chall}_{\kappa^\star-1}$ as in the original run. This implies +that the $\kappa^\star$-th query will also involve exactly the same tuple +$ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ +as in the original run. From the +$\kappa^\star$-th query forward, however, the adversary $\adv$ obtains fresh random oracle +outputs $\mathsf{Chall}_{\kappa^\star}',\ldots,\mathsf{Chall}_{Q_H}'$ at each new execution. 
The Improved Forking +Lemma of~\cite{BPVY00} ensures that, with probability $>1/2$, $\bdv$ obtains a $3$-fork involving the +tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$ of the initial run and with +pairwise distinct answers +$\mathsf{Chall}_{\kappa^\star}^{(1)} , +\mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)} \in \{1,2,3\}^t$. Since the forgeries of the $3$-fork all correspond to the tuple $ (M^\star, \mathsf{VK}^\star , +\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$, they open to the same $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$ and +which is uniquely determined +by $\mathbf{c}_{\mathbf{v}}^\star$. In turn, this implies that the three forgeries all reveal the same $\bit(\mathbf{v}_{i^\star})$ +at the second step of $\mathsf{Open}$. +With probability $1-(7/9)^t$ it can be shown that there exists $j \in \{1,\ldots,t\}$ such that the $j$-th bits +of $\mathsf{Chall}_{\kappa^\star}^{(1)} , +\mathsf{Chall}_{\kappa^\star }^{(2)}, \mathsf{Chall}_{\kappa^\star }^{(3)}$ are $ (\mathsf{Chall}_{\kappa^\star,j}^{(1)} , +\mathsf{Chall}_{\kappa^\star,j}^{(2)}, \mathsf{Chall}_{\kappa^\star,j}^{(3)} )=(1,2,3)$. From the corresponding responses $({\mathsf{Resp}_{K,j}^\star}^{(1)},{\mathsf{Resp}_{K,j}^\star}^{(2)},{\mathsf{Resp}_{K,j}^\star}^{(3)})$, +$\bdv$ is able to extract a short vector $ \mathbf{z}' \in \ZZ^{4m} $ such that $\mathbf{v}_{i^\star} = \mathbf{F} \cdot {\mathbf{z}'} \bmod q $. \\ \indent Due to the statistical witness indistinguishability of +the Stern-like proof of knowledge which is used to generate signature, with overwhelming +probability, we have $\mathbf{z}' \neq \mathbf{z}_{i^\star}$. Indeed, from the adversary's view, the distribution of +$\mathbf{z}_{i^\star}$ is $D_{\Lambda_q^{\mathbf{v}_{i^\star}}(\mathbf{F}),\sigma}$, which means that it has at least $n$ bits of min-entropy. 
+Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{4m}$ is a suitably short non-zero vector of $ \Lambda_q^{\perp}( \bar{\mathbf{A}} ) $. +\end{proof} + +\begin{theorem} \label{anonymity-thm} + In the random oracle model, the scheme provides \textsf{CCA}-anonymity if + the $\LWE_{n,q,\chi}$ assumption holds and if $\Pi^\mathrm{OTS}$ is a strongly unforgeable one-time signature. +\end{theorem} + +\begin{proof} + We proceed as in~\cite{LNW15} and prove the result via a sequence of games which are computationally indistinguishable. + The first game consists of the real anonymity experiment which is parameterized by a bit $d \in \{0,1\}$ that determines the challenger's choice in the challenge phase. + The last game is the same regardless of whether $d=0$ or $d=1$. It follows that, under the stated assumptions, no PPT adversary can distinguish $\Expt^\textrm{anon$-0$}_\adv$ from $\Expt^\textrm{anon$-1$}_\adv$ with noticeable advantage. + \medskip + + \begin{description} + \item[$\textsf{Game}^{(d)}$~0:] This is the real anonymity experiment $\Expt^\textrm{anon$-d$}_\adv(\lambda)$ as described in Definition~\ref{def:anon}. + More precisely, the challenger starts by running the algorithm $\mathsf{Setup}(1^\lambda, 1^{\Ngs})$ to obtain $(\gspk, \mathcal{S}_\GM = \mathbf{T_A} \in \ZZ^{m \times m}, \mathcal{S}_\OA = \mathbf{T_B} \in \ZZ^{m \times m})$ along with state information $St$. The challenger next hands the public parameters $\gspk$ and the group manager key $\mathcal{S}_\GM$ to the adversary $\adv$. + On the following adversary signature opening queries on signatures $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_d}, \pi_K, sig)$, the challenger uses the opening authority key $\mathbf{T_A} \in \ZZ^{m \times m}$ he possesses to decrypt the GPV encryption of the signer identity $\mathbf{c}_{\mathbf{v}_d} \in \Zq^m \times \Zq^{2m}$. 
+ At some point, the adversary $\adv$ requests a challenge by outputting a target message $M^\star \in \bit^*$ and two user key pairs + \[ \bigl(\scr_i^\star = \mathbf{z}^\star_i \in \ZZ^{4m}, \crt_i^\star \in (\mathsf{id}^\star_i, \mathbf{d}^\star_i, \mathbf{s}^\star_i) \in \bit^\ell \times \ZZ^{2m} \times \ZZ^{2m} \bigr)_{i \in \bit} \] + which must be valid and distinct (otherwise, the challenger aborts the experiment). + This challenge query is answered by having the challenger return a signature of the target message under the identity $id_d$: namely, this challenge signature is computed as $\Sigma^\star = (\vk^\star, \mathbf{c}_{\mathbf{v}_d}^\star, \pi_K^\star, sig^\star) \gets \Sign(\mathcal{Y}, \crt_d^\star, \scr_d^\star, M^\star)$ for the given parameter $d$ + of the \textsf{Game}. + Finally, $\adv$ outputs a bit $d' \in \bit$ which is also the experiment's output. % and the experiment outputs $1$ if $b = b'$ or $0$ otherwise. By assumption, $\adv$ has advantage $\varepsilon$ in this game. + \smallskip + + \item[$\textsf{Game}^{(d)}$~1:] In this experiment, we slightly change $\mathsf{Game}^{(d)}~0$ as follows. At the outset of the game, the challenger generates the one-time signature key pair $(\vk^\star, \sk^\star)$ that will be used in the challenge phase. + During the game, if the adversary $\adv$ requests the opening of a valid signature $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_i}, \pi_K, sig)$ where $\vk = \vk^\star$, the challenger returns a random bit and aborts. + However, this event $F_1$ would contradict the strong unforgeability of the one-time signature $\Pi^{\mathrm{OTS}}$. + Indeed, before the challenge phase $\vk^\star$ is independent of $\adv$'s view and the probability that $\vk^\star$ shows up in $\adv$'s queries is negligible. 
+ After seeing the challenge signature $\Sigma^\star$, if $\adv$ comes up with a valid signature $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_i}, \pi_K, sig)$ such that $\vk = \vk^\star$, then $sig$ is a forged one-time signature, which defeats the strong unforgeability of $\Pi^{\mathrm{OTS}}$. + Therefore the probability $\Pr[F_1]$ that the challenger aborts in this experiment is negligible. + From here on, we thus assume that $\adv$'s opening queries for valid signatures do not include $\vk^\star$. + \smallskip + + \item[$\textsf{Game}^{(d)}$~2:] In this game, we program the random oracle $H_0$ in the following way: at the beginning of the game, we choose + a uniformly random matrix $\mathbf{G}_0^\star \sample U(\Zq^{n \times 2m})$ and set $H_0(\vk^\star) = \mathbf{G}^\star_0$. From the adversary's view, the distribution of + $\mathbf{G}_0^\star$ is statistically close to the one in the real attack game, as in \cite{GPV08}. + As for other queries, for each fresh $H_0$-queries on $\vk$, + the challenger samples small-norm matrices $\mathbf{E}_{0,\vk} \sample D_{\ZZ^m, \sigma}^{2m}$ and programs the oracle such that + $H_0(\vk) = \mathbf{B} \cdot \mathbf{E}_{0,\vk} \bmod q$. The chosen matrices $\mathbf{E}_{0,\vk}$ + are retained for later use. + Note that the values of $H_0(\vk)$ are statistically close to the uniform. + For any query involving a previously queried $\vk$, the challenger consistently returns the previously stored images. + The adversary's view remains the same as in $\mathsf{Game}^{(d)}~1$, analogously to the security proof of the GPV IBE~\cite{GPV08}. + \smallskip + + \item[$\textsf{Game}^{(d)}$~3:] Here, we will change the behaviour of the opening algorithm. + Namely, at each fresh oracle query, we still store the matrices $\mathbf{E}_{0,\vk} \in \Zq^{m \times 2m}$ and, at the beginning of the game, the challenger + samples an uniformly random $\mathbf{B^\star} \in \Zq^{n \times m}$ that is later used in place of $\mathbf{B}$ to answer $H_0$-queries. 
+ To answer the adversary's queries of the opening of a signature + $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_i}, \ \pi_K, sig)$, + the challenger recalls the small-norm matrices $\mathbf{E}_{0,\vk}$ which were defined when $\adv$ first queried $H_0(\vk)$. + These matrices are used as ``decryption matrices'' to open $\Sigma$ for the corresponding $\mathbf{G}_0 = H_0(\vk) \in \Zq^{n \times 2m}$. + For similar reasons as in the security proof of~\cite{GPV08}, the distribution of $\mathbf{G}_0$ is statistically close to the uniform, + which implies that $\mathsf{Game}^{(d)}~2$ and $\mathsf{Game}^{(d)}~3$ are statistically indistinguishable. + \smallskip + + + \item[$\textsf{Game}^{(d)}$~4:] Instead of faithfully generating the + NIZKPoK $\pi_K$ of Section~\ref{subsection:zk-for-group-signature}, the challenger simulates the proof without using the witness (note that this is possible since the HVZK property of the underlying proof system is preserved + under parallel repetitions). This + is done by running the simulator for the underlying interactive protocol for + each $j \in \{1,\ldots, t\}$, and then programming the random oracle $H$ + accordingly. The challenge signature + $\Sigma^\star = (\vk^\star, \mathbf{c}_{\mathbf{v}_d}^\star , \pi_K^\star, sig^\star)$ + is statistically close to the challenge signature of the previous game, because the + proof system is statistically zero-knowledge as stated in Lemma~\ref{le:zk-ktx}. + Consequently, $\mathsf{Game}^{(d)}~3$ and $\mathsf{Game}^{(d)}~4$ are indistinguishable. + \smallskip + + \item[$\textsf{Game}^{(d)}$~5:] In this game, we modify the generation of the challenge ciphertext $\mathbf{c}_{\mathbf{v}_d}^\star$. + Instead of using the real encryption algorithm of the GPV IBE to compute $\mathbf{c}_{\mathbf{v}_d}^\star$ as the encryption of $\mathbf{v}_d^\star = \mathbf{F} \cdot \mathbf{z}_d \in \Zq^{4n}$, we return truly random + ciphertexts. 
In other words, we let + \[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix} + \mathbf{r}_1 \\ \mathbf{r}_2 + \bit(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor + \end{pmatrix}, \] + %where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and + where $\mathbf{r}_1 \sample U(\Zq^{m})$, $\mathbf{r}_2 \sample U(\Zq^{2m})$ are uniformly random. + The hardness of the decisional $\LWE_{n, q, \chi}$ problem implies that $\mathbf{c}^\star_{\mathbf{v}_d}$ in \ extsf{Game} $4$ and \ extsf{Game} $5$ are computationally indistinguishable. + If $\adv$ can distinguish between these two games, it can furthermore distinguish + \[ \begin{pmatrix} + \mathbf{B}^T \\ \hline {\mathbf{G}_0^\star }^T + \end{pmatrix} \mathbf{e}_0 + \begin{pmatrix} \mathbf{x}_1 \\\hline \mathbf{x}_2 \end{pmatrix} \mbox{ from } \begin{pmatrix} + \mathbf{r}_1 \\ \hline \mathbf{r}_2 + \end{pmatrix},\] + which would break the decisional $\LWE_{n,q,\chi}$ assumption. + + Therefore, $\mathsf{Game}^{(d)}~4$ and $\mathsf{Game}^{(d)}~5$ are computationally indistinguishable. + \smallskip + + \item[\textsf{Game}~6:] We finally make a conceptual modification on the previous game. Namely we sample uniformly random $\mathbf{r}_1^\prime + \sample U(\Zq^{m})$, $\mathbf{r}_2^\prime \sample U(\Zq^{2m})$ and assign + \[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix} + \mathbf{r}_1^\prime \\ \mathbf{r}_2^\prime + \end{pmatrix} .\] + \end{description} + + Clearly, the distribution of $\mathbf{c}_{\mathbf{v}_i}^\star $ has not changed since $\mathsf{Game}^{(d)}~5$. Since \textsf{Game} $6$ does no longer depend on the + challenger's bit $d\in \{0,1\}$, the result follows. +\end{proof} + \section{Subprotocols for Stern-like Argument} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Protocoles pour les preuves à la Stern} \label{se:gs-lwe-stern} 
@@ -1092,5 +1887,47 @@ as the permutation that transforms $\mathbf{z}$ as follows: \end{itemize} It can be check that~(\ref{eq:zk-equivalence}) holds. Therefore, we can obtain a statistical \textsf{ZKAoK} for the given relation by running the protocol in \cref{sse:stern-abstraction}. -\section{A Dynamic Lattice-Based Group Signature} -\input{merge} +\subsection{The Underlying ZKAoK for the Group Signature Scheme}\label{subsection:zk-for-group-signature} +The argument system upon which our group signature scheme is built can be summarized as follows. +\begin{description} + \item[Common Input:] Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{B} \in \mathbb{Z}_q^{n \times m}$, $\mathbf{D}_0, \mathbf{D}_1 \in \mathbb{Z}_q^{2n \times 2m}$, $\mathbf{F} \in \mathbb{Z}_q^{4n \times 4m}$, $\mathbf{H}_{2n \times m} \hspace*{-1.5pt}\in\hspace*{-1.5pt} \ZZ_q^{2n \times m}$, $\mathbf{H}_{4n \times 2m} \hspace*{-1.5pt}\in\hspace*{-1.5pt} \ZZ_q^{4n \times 2m}$, $\mathbf{G}_0 \hspace*{-1.5pt}\in\hspace*{-1.5pt} \mathbb{Z}_q^{n \times 2m}$; vectors $\mathbf{u} \hspace*{-1.5pt}\in\hspace*{-1.5pt} \mathbb{Z}_q^n$, $\mathbf{c}_1 \hspace*{-1.5pt}\in\hspace*{-1.5pt} \mathbb{Z}_q^m$, $\mathbf{c}_2 \hspace*{-1.5pt}\in \hspace*{-1.5pt}\mathbb{Z}_q^{2m}$. \smallskip + \item [Prover's Input:] $\mathbf{z} \in [-\beta,\beta]^{4m}$, $\mathbf{y} \in \{0,1\}^{2m}$, $\mathbf{w} \in \{0,1\}^m$, $\mathbf{d}_1, \mathbf{d}_2 \in [-\beta, \beta]^m$, $\mathbf{s} \in [-\beta,\beta]^{2m}$, $\mathrm{id} = (\mathrm{id}[1], \ldots, \mathrm{id}[\ell])^T \in \{0,1\}^\ell$, + + $\mathbf{e}_0 \in [-B,B]^n$, $\mathbf{e}_1 \in [-B,B]^m$, $\mathbf{e}_2 \in [-B,B]^{2m}$. 
\smallskip + \item[Prover's Goal:] Convince the verifier in \textsf{ZK} that +\end{description} +\[ +\begin{cases} +\mathbf{F}\cdot \mathbf{z} = \mathbf{H}_{4n\times 2m}\cdot \mathbf{y}\bmod q; \hspace*{5pt} \mathbf{H}_{2n \times m}\cdot \mathbf{w} = \mathbf{D}_0 \cdot \mathbf{y} + \mathbf{D}_1 \cdot \mathbf{s} \bmod q; \\ +\mathbf{A}\cdot \mathbf{d}_1 + \mathbf{A}_0 \cdot \mathbf{d}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\mathrm{id}[j]\cdot \mathbf{d}_2) - \mathbf{D} \cdot \mathbf{w} = \mathbf{u} \bmod q;\\ +\mathbf{c}_1 = \mathbf{B}^T\cdot \mathbf{e}_0 + \mathbf{e}_1 \bmod q; \hspace*{5pt} \mathbf{c}_2 = \mathbf{G}_0^T\cdot \mathbf{e}_0 + \mathbf{e}_2 + \lfloor q/2\rfloor\cdot \mathbf{y} \bmod q. +\end{cases} +\] + +Using the same strategy as in Sections~\ref{subsection:zk-for-commitments} and~\ref{subsection:zk-for-signature}, we can derive a statistical \textsf{ZKAoK} for the above relation from the protocol in Section~\ref{sse:stern-abstraction}. As the transformations are similar to those in Section~\ref{subsection:zk-for-signature}, we only sketch main points. + +In the first step, we combine the given equations to an equation of the form: +\[\vspace*{-3.5pt} +\mathbf{M}\cdot \left( + \begin{array}{c} + \mathbf{d}_1 \\ + \mathbf{s} \\ + \mathbf{z} \\ + \end{array} + \right) + \mathbf{M}_0 \cdot \mathbf{d}_2 + \sum_{j=1}^\ell \mathbf{M}_j(\mathrm{id}[j]\mathbf{d}_2) + \mathbf{M}' \cdot \left( + \begin{array}{c} + \mathbf{w} \\ + \mathbf{y} \\ + \end{array} + \right) + \mathbf{M}'' \cdot \left( + \begin{array}{c} + \mathbf{e}_0 \\ + \mathbf{e}_1 \\ + \mathbf{e}_2 \\ + \end{array} + \right) = \mathbf{v} \bmod q, +\] +where matrices $\mathbf{M}, \mathbf{M}_0, \ldots, \mathbf{M}_\ell, \mathbf{M}', \mathbf{M}''$ and vector $\mathbf{v}$ are built from the input. 
+ +We then apply the techniques of \cref{sse:stern-abstraction} for %the vectors + $\mathbf{x}_0 = (\mathbf{d}_1^T \| \mathbf{s}^T \| \mathbf{z}^T)^T \in [-\beta, \beta]^{7m}$, $\mathbf{d}_2 \in [-\beta,\beta]^m$; $\mathbf{x}_1 = (\mathbf{w}^T \| \mathbf{y}^T)^T\in \{0,1\}^{3m}$; and $\mathbf{x}_2 = (\mathbf{e}_0^T \| \mathbf{e}_1^T \| \mathbf{e}_2^T)^T \in [-B,B]^{n + 3m}$. This allows us to obtain a unified equation $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, and to define the sets $\mathsf{VALID}$, $\mathcal{S}$, and permutations $\{T_\pi: \pi \in \mathcal{S}\}$ so that the conditions in~(\ref{eq:zk-equivalence}) hold, in a similar manner as in Section~\ref{subsection:zk-for-signature}. diff --git a/macros.tex b/macros.tex index 32a7d5d..af12d67 100644 --- a/macros.tex +++ b/macros.tex @@ -24,6 +24,7 @@ \newcommand{\Keygen}{\ensuremath{\mathsf{Keygen}}\xspace} \newcommand{\param}{\ensuremath{\mathsf{par}}\xspace} \newcommand{\pk}{\ensuremath{\mathsf{pk}}\xspace} +\newcommand{\vk}{\ensuremath{\mathsf{vk}}\xspace} \newcommand{\sk}{\ensuremath{\mathsf{sk}}\xspace} %% ZK \newcommand{\trans}{\textsf{trans}\xspace} diff --git a/these.bib b/these.bib index 18610e1..087cef7 100644 --- a/these.bib +++ b/these.bib @@ -84,17 +84,6 @@ year = {2015}, } -@InCollection{SSE+12, - author = {Sakai, Y. and Schuldt, J. and Emura, K. and Hanaoka, G. and Ohta, K.}, - title = {On the Security of Dynamic Group Signatures: Preventing Signature Hijacking}, - booktitle = {{PKC}}, - publisher = {Springer}, - year = {2012}, - volume = {7293}, - series = {LNCS}, - pages = {715--732}, -} - @InProceedings{ACDN13, author = {Abe, Masayuki and Camenisch, Jan and Dubovitskaya, Maria and Nishimaki, Ryo}, title = {Universally composable adaptive oblivious transfer (with access control) from standard assumptions}, 
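Review bot: The third relation in the Prover's Goal uses a matrix `\mathbf{D}` (in `- \mathbf{D} \cdot \mathbf{w} = \mathbf{u} \bmod q`), but `\mathbf{D}` is not declared under Common Input, which lists only `\mathbf{D}_0, \mathbf{D}_1 \in \mathbb{Z}_q^{2n \times 2m}`; as written the verifier's input is incomplete and the statement cannot be checked. Since `\mathbf{w} \in \{0,1\}^m` and the right-hand side `\mathbf{u} \in \mathbb{Z}_q^n`, the dimension is presumably `\mathbf{D} \in \mathbb{Z}_q^{n \times m}`, so I would extend the first item to `$\mathbf{D}_0, \mathbf{D}_1 \in \mathbb{Z}_q^{2n \times 2m}$, $\mathbf{D} \in \mathbb{Z}_q^{n \times m}$`; please confirm against the scheme's key-generation description, which lies outside this hunk. A small wording point in the same hunk: "we only sketch main points" reads better as "we only sketch the main points".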
@@ -1130,7 +1119,7 @@
 pages = {457--473},
 }
 
-@InProceedings{SSE+12a,
+@InProceedings{SSE+12,
 author = {Sakai, Y. and Schuldt, J. and Emura, K. and Hanaoka, G. and Ohta, K.},
 title = {On the Security of Dynamic Group Signatures: Preventing Signature Hijacking},
 booktitle = {PKC},
@@ -2818,7 +2807,7 @@
 booktitle = {Asiacrypt},
 year = {2017},
 series = {LNCS},
- pages = {347--374},
+ pages = {347--374o},
 publisher = {Springer},
 }
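Review bot: The second hunk of these.bib changes `pages = {347--374},` to `pages = {347--374o},`, which appends a stray `o` to the end page; BibTeX emits the field verbatim, so the rendered reference would read "347–374o". This looks like an accidental keystroke rather than a correction, so the line should be restored to `pages = {347--374},`. The entry's key and title are above the hunk, so I cannot tell which Asiacrypt 2017 paper is affected.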