This commit is contained in:
Fabrice Mouhartem 2018-06-15 16:04:10 +02:00
parent 0882fb5238
commit b25d1b0a71
10 changed files with 481 additions and 173 deletions

View File

@ -1,13 +1,97 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\chapter{Lattice-Based Oblivious Transfer with Access Control} \label{ch:ac-ot}
%\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
%\label{ch:ot-lwe}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{comment}
\section{Introduction}
\end{comment}
Kiayias, Tsiounis and Yung~\cite{KTY07} presented group encryption ($\mathsf{GE}$) as the encryption analogue of group signatures~\cite{CVH91}, which allow users to anonymously sign messages on behalf of an entire group they belong to.
While group signatures aim at hiding the source of some message within a crowd administered by some group manager, group encryption rather seeks to hide its destination within a group of legitimate receivers.
In both cases, a verifier should be convinced that the anonymous signer/receiver indeed belongs to a purported population.
In order to keep users accountable for their actions, an opening authority ($\mathsf{OA}$) is further empowered with some information allowing it to un-anonymize signatures/ciphertexts.
Kiayias, Tsiounis and Yung~\cite{KTY07} formalized $\mathsf{GE}$ schemes as a primitive allowing the sender to generate publicly verifiable guarantees that:
(1) The ciphertext is well-formed and intended for some registered group member who will be able to decrypt;
(2) the opening authority will be able identify the receiver if necessary; (3) The plaintext satisfies certain properties such as being a witness for some
public relation or the private key that underlies a given public key. In the model of Kiayias \textit{et al.}~\cite{KTY07}, the message secrecy and anonymity
properties are required to withstand active adversaries, which are granted access to decryption oracles in all security experiments.
As a natural application, group encryption allows a firewall to filter all incoming encrypted emails except those intended for some certified organization
member and the content of which is additionally guaranteed to satisfy certain requirements, like the absence of malware.
$\mathsf{GE}$~schemes are also motivated by natural privacy applications such as anonymous trusted third parties, key recovery mechanisms or oblivious retriever
storage systems. In optimistic protocols, $\mathsf{GE}$ allows verifiably encrypting messages to \emph{anonymous} trusted third parties which mostly remain off-line
and only come into play to sort out conflicts. In order to protect privacy-sensitive information such as users' citizenship, group encryption
makes it possible to hide the identity of users' preferred trusted third parties within a set of properly certified trustees.
In cloud storage services, $\mathsf{GE}$ enables privacy-preserving asynchronous transfers of encrypted datasets. Namely, it allows users to archive encrypted datasets
on remote servers while convincing those servers that the data is indeed intended for some anonymous certified client who paid a subscription to the storage
provider. Moreover, a judge should be able to identify the archive's recipient in case a misbehaving server is found guilty of hosting suspicious
transaction records or any other illegal content.
As pointed out by Kiayias \textit{et al.}~\cite{KTY07}, group encryption also implies a form of hierarchical group signatures~\cite{TW05}, where signatures can only be opened by a set of eligible trustees operating in a very specific manner determiner by the signer.
The design of numerous privacy-preserving cryptographic protocols crucially relies on zero-knowledge proofs~\cite{GMR85} to prove properties about encrypted or committed values so as to enforce honest behavior on behalf of participants or protect the privacy of users.
In the lattice settings, efficient zero-knowledge proofs are non-trivial to construct due to the limited amount of algebraic structure.
While natural methods of proving knowledge of secret keys \cite{MV03,Lyu08,KTX08,LNSW13} are available, they are only known to work for specific languages.
When it comes to proving circuit satisfiability, the best known methods are designed for the $\mathsf{LPN}$ setting~\cite{JKPT12} or take advantage of the extra structure available in the ring $\LWE$
setting~\cite{XXW13,BKLP15}.
Hence, these methods are not known to readily carry over to standard (i.e., non-ideal) lattices.
In the standard model, the problem
is even trickier as we do not have a lattice-based counterpart of Groth-Sahai proofs~\cite{GS08} and efficient non-interactive proof systems are only available
for specific problems~\cite{PV08}.
The difficulty of designing efficient zero-knowledge proofs for lattice-related languages makes it highly non-trivial to adapt privacy-preserving cryptographic
primitives in the lattice setting. In spite of these technical hurdles, a recent body of work successfully designed anonymity-enabling mechanisms like ring
signatures \cite{KTX08,ABB+13}, blind signatures \cite{Ruec10}, group signatures \cite{GKV10,LLLS13,LLNW14,BCK+14,NZZ15,LNW15,LLNW16}
or, more recently, signature schemes with companion zero-knowledge protocols~\cite{LLM+16}. A common feature of all these works is that the zero-knowledge
layer of the proposed protocols only deals with linear equations, where witnesses are only multiplied by public values.
In this chapter, motivated by the design of advanced privacy-preserving protocols in the lattice setting, we construct zero-knowledge arguments for non-linear
statements among witnesses consisting of vectors and matrices. For suitable parameters $q,n,m \in \ZZ$, we consider zero-knowledge argument systems whereby a
prover can demonstrate knowledge of secret matrices $\mathbf{X} \in \ZZ_q^{m \times n}$ and vectors $\mathbf{s} \in \ZZ_q^n$, $\mathbf{e} \in \ZZ^m$ such that:
(i) $\mathbf{e} \in \ZZ^m$ has small norm;
(ii) A public vector $\mathbf{b} \in \ZZ_q^n$ equals $\mathbf{b} = \mathbf{X}\cdot \mathbf{s} + \mathbf{e} \bmod q$;
(iii) The underlying pair $(\mathbf{X},\mathbf{s})$ satisfies additional algebraic relations: for instance, it should be possible to prove possession of a signature on some representation of the matrix $\mathbf{X}$.
In particular, our zero-knowledge argument makes it possible to prove that a given ciphertext is a well-formed $\LWE$-based encryption with respect to some
hidden, but certified public key. This protocol comes in handy in the design of \textit{group encryption} schemes~\cite{KTY07}, where such languages naturally
arise.
Using these advances, we thus construct, in this chapter, the first construction of group encryption under lattice assumptions.
\paragraph{Related work.}
Kiayias, Tsiounis and Yung (KTY) \cite{KTY07} formalized the notion of group encryption and provided a modular design using
zero-knowledge proofs, digital signatures, anonymous CCA-secure public-key encryption and commitment schemes. They also gave an efficient instantiation using
Paillier's cryptosystem~\cite{Pail99} and Camenisch-Lysyanskaya signatures \cite{CL02}.
Cathalo, Libert and Yung \cite{CLY09}
designed a non-interactive system in the standard model under non-interactive pairing-related assumptions. El~Aimani and Joye \cite{EJ13} suggested various
efficiency improvements with both interactive and non-interactive proofs.
Libert \textit{et al.}~\cite{LYJP14} empowered the $\GE$ primitive with a refined traceability mechanism akin to that of traceable signatures~\cite{KTY04}. Namely,
by releasing a user-specific trapdoor, the opening authority can allow anyone to publicly trace ciphertexts encrypted for this specific group member without
affecting the privacy of other users. Back in 2010, Izabachène, Pointcheval and Vergnaud~\cite{IPV10} considered the problem of eliminating subliminal
channels in a different form of traceable group encryption.
As a matter of fact, all existing realizations of group encryption or similar primitives rely on traditional number theoretic assumptions like the hardness of
factoring or computing discrete logarithms. In particular, all of them are vulnerable to quantum attacks. For the sake of not putting all one's eggs in the
same basket, it is highly desirable to have instantiations based on alternative, quantum-resistant foundations.
\bigskip
In the next sections, we first present the definitions of a group encryption schemes and the required building block.
Then, we describe the zero-knowledge protocol we use to handle these quadratic relations before finally describing our scheme.
\section{Syntax and Definitions of Group Encryption} \label{GE-model}
\index{Group Encryption}
We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}.
The group encryption (\textsf{GE}) primitive involves a sender, a verifier, a group manager~(\textsf{GM}) that manages the group of receivers and an opening
authority~(\textsf{OA}) which is capable of identifying ciphertexts' recipients.
In the syntax of \cite{KTY07}, a $\GE$ scheme is specified by the description of a
In the syntax of \cite{KTY07}, a $\mathsf{GE}$ scheme is specified by the description of a
relation $R$ as well as a tuple
$\GE=\bigl(\mathsf{SETUP},\mathsf{JOIN},\langle
$\mathsf{GE}=\bigl(\mathsf{SETUP},\mathsf{JOIN},\langle
\mathcal{G}_r,R,\mathsf{sample}_{R}
\rangle,\mathsf{ENC},\mathsf{DEC},\mathsf{OPEN},\langle
\mathcal{P},\mathcal{V} \rangle \bigr)$ of algorithms or protocols.
@ -121,7 +205,7 @@ As pointed out in \cite{KTY07,CLY09}, designing an efficient
simulator $\mathsf{PP}'$ (for executing $\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(.)$
when $b=0$) is part of the security proof.
\begin{definition} \label{security-def}
A $\GE$ scheme satisfies \textit{message security}
A $\mathsf{GE}$ scheme satisfies \textit{message security}
if, for any PPT adversary $\adv$, the experiment below returns $1$
with probability at most $1/2 + \mathsf{negl}(\lambda)$.
@ -165,7 +249,7 @@ in the group. It uses a string $\mathsf{keys}$ where the outputs $(\pk_0,\sk_0,\
by the oracle and no entry is introduced in $\mathsf{keys}$ for them).
\item[-]
$\mathsf{OPEN}(\sk_{\OA},.)$: is a stateless oracle that simulates
the opening algorithm and, on input of a $\GE$
the opening algorithm and, on input of a $\mathsf{GE}$
ciphertext, returns the receiver's public key.
\end{itemize}
@ -175,7 +259,7 @@ certified by the adversarially-controlled $\mathsf{GM}$ before the challenge pha
proofs generated using $(\pk_b,\crt_{\pk_b})$.
\begin{definition} \label{anonymity-def}
A $\GE$ scheme satisfies \textit{anonymity} if, for any PPT adversary $\adv$, the experiment below returns $1$
A $\mathsf{GE}$ scheme satisfies \textit{anonymity} if, for any PPT adversary $\adv$, the experiment below returns $1$
with a probability not exceeding $1/2 + \mathsf{negl}(\lambda)$.
\begin{center}
\procedure{Experiment $\Expt_{\adv}^{\mathrm{anon}}(\lambda)$}{
@ -224,7 +308,7 @@ maintains a list $\mathsf{database}$ where registered public keys and
their certificates are stored.
\begin{definition} \label{soundness-def}
A $\GE$ scheme is \textit{sound} if, for any PPT adversary $\adv$, the experiment below returns $1$
A $\mathsf{GE}$ scheme is \textit{sound} if, for any PPT adversary $\adv$, the experiment below returns $1$
with negligible probability.
\begin{center}
\procedure{Experiment $\Expt_{\adv}^{\mathrm{soundness}}(\lambda)$}{
@ -271,6 +355,7 @@ of valid public keys is dense in that all matrices of a given dimension are vali
\subsection{The Agrawal-Boneh-Boyen IBE Scheme} \label{ap:ABB-IBE}
\index{Identity-Based Encryption!Agrawal-Boneh-Boyen}
\subsubsection{Identity-Based Encryption.} \label{ap:IBE}
@ -347,13 +432,13 @@ encryption of a message of its choice from a random element of the ciphertext sp
\begin{enumerate}
\item Compute the matrix $\mathbf B_\ID = \mathbf B + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$.
Sample vectors $\mathbf s \sample U(\Zq^n), \mathbf x, \mathbf y \sample \chi^m$, $\mathbf R \sample D_{\ZZ,\sigma}^{m \times \bar{m}}$ and compute
$\mathbf z = \mathbf R^\top \cdot \mathbf y \in \ZZ^m$.
$\mathbf z = \mathbf R^T \cdot \mathbf y \in \ZZ^m$.
\item Compute
\begin{equation} \label{eq:ABB-c}
\begin{cases}
\mathbf c^{(1)} = \bar{\mathbf A}^\top \cdot \mathbf s + \mathbf y \bmod q,\\
\mathbf c^{(2)} = \mathbf B_\ID^\top \cdot \mathbf s + \mathbf z \bmod q,\\
\mathbf c^{(3)} = \mathbf U^\top \cdot \mathbf s + \mathbf x + \mathbf m \cdot \left\lfloor \dfrac{q}{2} \right\rfloor.
\mathbf c^{(1)} = \bar{\mathbf A}^T \cdot \mathbf s + \mathbf y \bmod q,\\
\mathbf c^{(2)} = \mathbf B_\ID^T \cdot \mathbf s + \mathbf z \bmod q,\\
\mathbf c^{(3)} = \mathbf U^T \cdot \mathbf s + \mathbf x + \mathbf m \cdot \left\lfloor \dfrac{q}{2} \right\rfloor.
\end{cases}
\end{equation}
\item Output $\mathbf c = \bigl(\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr) \in \ZZ_q^m \times \ZZ_q^{\bar{m}} \times \ZZ_q^m$. \smallskip \smallskip
@ -372,11 +457,12 @@ encryption of a message of its choice from a random element of the ciphertext sp
\end{theorem}
\section{Warm-up: Decompositions, Extensions, Permutations}
\label{se:decomposition-extensions-permutations}
This section introduces the notations and techniques that will be used throughout the paper. Part of the covered material appeared (in slightly different forms) in recent works~\cite{LNSW13,LNW15,ELL+15,LLNW16,LLM+16} on Stern-like protocols~\cite{Ste96}. The techniques that will be employed for handling quadratic relations (double-bit extension $\mathsf{ext}(\cdot, \cdot)$, expansion $\expandtimes(\cdot, \cdot)$ of matrix-vector product and the associated permuting mechanisms) are novel contributions of this chapter.
This section introduces the notations and techniques that will be used throughout the chapter. It details Stern-like protocols that have been introduced in~\cref{sse:stern}. The techniques that will be employed for handling quadratic relations (double-bit extension $\mathsf{ext}(\cdot, \cdot)$, expansion $\expandtimes(\cdot, \cdot)$ of matrix-vector product and the associated permuting mechanisms) are novel contributions.
\subsection{Decompositions}\label{subsection:decomposition}
For any $B \in \ZZ_+$, define the number $\delta_B:=\lfloor \log_2 B\rfloor +1 = \lceil \log_2(B+1)\rceil$ and the sequence $B_1, \ldots, B_{\delta_B}$, where $B_j = \lfloor\frac{B + 2^{j-1}}{2^j} \rfloor$, $\forall j \in [1,\delta_B]$. As observed in~\cite{LNSW13}, the sequence satisfies $\sum_{j=1}^{\delta_B} B_j = B$ and
any integer $v \in [0, B]$ can be decomposed into a binary vector $\mathsf{idec}_B(v) \hspace*{-1pt}= \hspace*{-1pt}(v^{(1)}, \ldots, v^{(\delta_B)})^\top \hspace*{-2pt}\in \hspace*{-1pt}\{0,1\}^{\delta_B}$ such that $\sum_{j=1}^{\delta_B}B_j \cdot v^{(j)} \hspace*{-1pt}=\hspace*{-1pt} v$. We describe this decomposition procedure in a deterministic manner:
any integer $v \in [0, B]$ can be decomposed into a binary vector $\mathsf{idec}_B(v) \hspace*{-1pt}= \hspace*{-1pt}(v^{(1)}, \ldots, v^{(\delta_B)})^T \hspace*{-2pt}\in \hspace*{-1pt}\{0,1\}^{\delta_B}$ such that $\sum_{j=1}^{\delta_B}B_j \cdot v^{(j)} \hspace*{-1pt}=\hspace*{-1pt} v$. We describe this decomposition procedure in a deterministic manner:
\begin{enumerate}
\item $v': = v$
\item For $j=1$ to $\delta_B$ do:
@ -384,7 +470,7 @@ For any $B \in \ZZ_+$, define the number $\delta_B:=\lfloor \log_2 B\rfloor +1 =
\item If $v' \geq B_j$ then $v^{(j)}: = 1$, else $v^{(j)}: = 0$;
\item $v': = v' - B_j\cdot v^{(j)}$.
\end{enumerate}
\item Output $\mathsf{idec}_B(v) = (v^{(1)}, \ldots, v^{(\delta_B)})^\top$.
\item Output $\mathsf{idec}_B(v) = (v^{(1)}, \ldots, v^{(\delta_B)})^T$.
\end{enumerate}
Next, for any positive integers $\mathfrak{m}, B$, we define the decomposition matrix:
@ -397,30 +483,30 @@ Next, for any positive integers $\mathfrak{m}, B$, we define the decomposition m
\end{eqnarray}
and the following injective functions:
\begin{enumerate}[(i)]
\item $\mathsf{vdec}_{\mathfrak{m}, B}: [0,B]^{\mathfrak{m}} \rightarrow \{0,1\}^{\mathfrak{m}\delta_B}$ that maps vector $\mathbf{v} = (v_1, \ldots, v_{\mathfrak{m}})^\top$ to vector $\big(\mathsf{idec}_B(v_1)^\top \| \ldots \| \mathsf{idec}_B(v_{\mathfrak{m}})^\top\big)^\top$. Note that $\mathbf{H}_{\mathfrak{m}, B} \cdot \mathsf{vdec}_{\mathfrak{m}, B}(\mathbf{v}) = \mathbf{v}$. \smallskip
\item $\mathsf{vdec}_{\mathfrak{m}, B}: [0,B]^{\mathfrak{m}} \rightarrow \{0,1\}^{\mathfrak{m}\delta_B}$ that maps vector $\mathbf{v} = (v_1, \ldots, v_{\mathfrak{m}})^T$ to vector $\big(\mathsf{idec}_B(v_1)^T \| \ldots \| \mathsf{idec}_B(v_{\mathfrak{m}})^T\big)^T$. Note that $\mathbf{H}_{\mathfrak{m}, B} \cdot \mathsf{vdec}_{\mathfrak{m}, B}(\mathbf{v}) = \mathbf{v}$. \smallskip
\item $\mathsf{vdec}'_{\mathfrak{m}, B}: [-B,B]^{\mathfrak{m}} \rightarrow \{-1,0,1\}^{\mathfrak{m}\delta_B}$ that maps vector
$\mathbf{w} = (w_1, \ldots, w_{\mathfrak{m}})^\top$ to vector
$\big(\sigma(w_1)\cdot\mathsf{idec}_B(w_1)^\top \| \ldots \| \sigma(w_{\mathfrak{m}})\cdot\mathsf{idec}_B(w_{\mathfrak{m}})^\top\big)^\top$, where for each $i=1, \ldots, \mathfrak{m}$: $\sigma(w_i) = 0$ if $w_i =0$; $\sigma(w_i) = -1$ if $w_i <0$; $\sigma(w_i) = 1$ if $w_i >0$. Note that $\mathbf{H}_{\mathfrak{m}, B} \cdot \mathsf{vdec}'_{\mathfrak{m}, B}(\mathbf{w}) = \mathbf{w}$.
$\mathbf{w} = (w_1, \ldots, w_{\mathfrak{m}})^T$ to vector
$\big(\sigma(w_1)\cdot\mathsf{idec}_B(w_1)^T \| \ldots \| \sigma(w_{\mathfrak{m}})\cdot\mathsf{idec}_B(w_{\mathfrak{m}})^T\big)^T$, where for each $i=1, \ldots, \mathfrak{m}$: $\sigma(w_i) = 0$ if $w_i =0$; $\sigma(w_i) = -1$ if $w_i <0$; $\sigma(w_i) = 1$ if $w_i >0$. Note that $\mathbf{H}_{\mathfrak{m}, B} \cdot \mathsf{vdec}'_{\mathfrak{m}, B}(\mathbf{w}) = \mathbf{w}$.
\end{enumerate}
We also define the following matrix decomposition procedure. For positive integers $n,m,q$, define the injective function $\mathsf{mdec}_{n,m,q}: \mathbb{Z}_q^{m \times n} \rightarrow \{0,1\}^{mn\delta_{q-1}}$ that maps matrix $\mathbf{X} = [\mathbf{x}_1 | \ldots | \mathbf{x}_n] \in \mathbb{Z}_q^{m \times n}$, where $\mathbf{x}_1, \ldots, \mathbf{x}_n \in \mathbb{Z}_q^m$, to vector
\begin{align*}
\mathsf{mdec}_{n,m,q}(\mathbf{X}) &= \big(\mathsf{vdec}_{m, q-1}(\mathbf{x}_1)^\top \| \ldots \|\ \mathsf{vdec}_{m,q-1}(\mathbf{x}_n)^\top\big)^\top \\
&= (x_{1,1}, \ldots, x_{1, mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, \ldots, x_{n,mk})^\top \\
\mathsf{mdec}_{n,m,q}(\mathbf{X}) &= \big(\mathsf{vdec}_{m, q-1}(\mathbf{x}_1)^T \| \ldots \|\ \mathsf{vdec}_{m,q-1}(\mathbf{x}_n)^T\big)^T \\
&= (x_{1,1}, \ldots, x_{1, mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, \ldots, x_{n,mk})^T \\
& \hspace{.6\textwidth}\in \{0,1\}^{nm \delta_{q-1}},
\end{align*}
where, for each $(i,j) \in [n] \times [m \delta_{q-1}]$, $x_{i,j} \in \{0,1\}$ denotes the $j$-th bit of the decomposition of the $i$-th column of $\mathbf{X}$. \\ \indent Looking ahead,
when proving
knowledge of witnesses $(\mathbf{X},\mathbf{s}) \in \ZZ_q^{m \times n} \times \ZZ_q^{n}$ satisfying $\mathbf{b} = \mathbf{X} \cdot \mathbf{s} + \mathbf{e} \bmod q$, we will have to consider terms of the form $x_{i,j} \cdot s_{i,t}$, where $\mathbf{s}=(s_1,\ldots,s_n)^\top \in \ZZ_q^n$ and
$(s_{i,1},\ldots,s_{i,\delta_{q-1}})^\top=\mathsf{idec}_{q-1}(s_i)$ for each
knowledge of witnesses $(\mathbf{X},\mathbf{s}) \in \ZZ_q^{m \times n} \times \ZZ_q^{n}$ satisfying $\mathbf{b} = \mathbf{X} \cdot \mathbf{s} + \mathbf{e} \bmod q$, we will have to consider terms of the form $x_{i,j} \cdot s_{i,t}$, where $\mathbf{s}=(s_1,\ldots,s_n)^T \in \ZZ_q^n$ and
$(s_{i,1},\ldots,s_{i,\delta_{q-1}})^T=\mathsf{idec}_{q-1}(s_i)$ for each
$i \in [n]$.
\subsection{Extensions and Permutations}\label{subsection:warm-up-ext-perm}
We now introduce the extensions and permutations which will be essential for proving quadratic relations.
\begin{itemize}
\item For each $c \in \{0,1\}$, denote by $\overline{c}$ the bit $1-c \in \{0,1\}$.
\item For $c_1,c_2 \in \{0,1\}$, define the vector $$\mathsf{ext}(c_1,c_2) = (\overline{c}_1\cdot \overline{c}_2, \overline{c}_1\cdot {c}_2, {c}_1\cdot \overline{c}_2, c_1\cdot c_2)^\top \in \{0,1\}^4.$$
\item For $b_1,b_2 \in \{0,1\}$, define the permutation $T_{b_1,b_2}$ that transforms vector $\mathbf{v} = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1})^\top \in \mathbb{Z}_q^4$ to vector $(v_{{b}_1, {b}_2}, v_{{b}_1, \overline{b}_2}, v_{ \overline{b}_1,{b}_2}, v_{\overline{b}_1, \overline{b}_2})^\top$.
\item For $c_1,c_2 \in \{0,1\}$, define the vector $$\mathsf{ext}(c_1,c_2) = (\overline{c}_1\cdot \overline{c}_2, \overline{c}_1\cdot {c}_2, {c}_1\cdot \overline{c}_2, c_1\cdot c_2)^T \in \{0,1\}^4.$$
\item For $b_1,b_2 \in \{0,1\}$, define the permutation $T_{b_1,b_2}$ that transforms vector $\mathbf{v} = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1})^T \in \mathbb{Z}_q^4$ to vector $(v_{{b}_1, {b}_2}, v_{{b}_1, \overline{b}_2}, v_{ \overline{b}_1,{b}_2}, v_{\overline{b}_1, \overline{b}_2})^T$.
Note that, for all $c_1, c_2, b_1, b_2 \in \{0,1\}$, we have the following:
\begin{eqnarray}
@ -430,36 +516,36 @@ We now introduce the extensions and permutations which will be essential for pro
\end{itemize}
where $\oplus$ denotes the bit-wise addition modulo $2$.
Now, for positive integers $n,m,k$, and for vectors $$\mathbf{x} = (x_{1,1}, \ldots, x_{1, mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, x_{n,mk})^\top \in \{0,1\}^{nmk}$$
and $\mathbf{s}_0 = (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots, s_{n,k})^\top \in \{0,1\}^{nk}$, we define the vector $ \expandtimes (\mathbf{x}, \mathbf{s}_0) \in \{0,1\}^{4nmk^2}$ as
Now, for positive integers $n,m,k$, and for vectors $$\mathbf{x} = (x_{1,1}, \ldots, x_{1, mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, x_{n,mk})^T \in \{0,1\}^{nmk}$$
and $\mathbf{s}_0 = (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots, s_{n,k})^T \in \{0,1\}^{nk}$, we define the vector $ \expandtimes (\mathbf{x}, \mathbf{s}_0) \in \{0,1\}^{4nmk^2}$ as
\begin{align*}
\expandtimes (\mathbf{x}, \mathbf{s}_0) =
&\bigl( \mathsf{ext}^\top(x_{1,1}, s_{1,1}) \| \mathsf{ext}^\top(x_{1,1}, s_{1,2}) \| \ldots \| \mathsf{ext}^\top(x_{1,1}, s_{1,k}) \| \\
&\| \mathsf{ext}^\top(x_{1,2}, s_{1,1}) \| \mathsf{ext}^\top(x_{1,2}, s_{1,2}) \| \ldots \| \mathsf{ext}^\top(x_{1,2}, s_{1,k}) \| \ldots \\
&\| \mathsf{ext}^\top(x_{1,mk}, s_{1,1}) \| \mathsf{ext}^\top(x_{1,mk}, s_{1,2}) \| \ldots \| \mathsf{ext}^\top(x_{1,mk}, s_{1,k}) \| \\
&\| \mathsf{ext}^\top(x_{2,1}, s_{2,1}) \| \mathsf{ext}^\top(x_{2,1}, s_{2,2}) \| \ldots \| \mathsf{ext}^\top(x_{2,1}, s_{2,k}) \| \ldots \\
&\| \mathsf{ext}^\top(x_{2,mk}, s_{2,1}) \| \mathsf{ext}^\top(x_{2,mk}, s_{2,2}) \| \ldots \| \mathsf{ext}^\top(x_{2,mk}, s_{2,k}) \| \ldots \\
&\| \mathsf{ext}^\top(x_{n,1}, s_{n,1}) \| \mathsf{ext}^\top(x_{n,1}, s_{n,2}) \| \ldots \| \mathsf{ext}^\top(x_{n,1}, s_{n,k}) \| \ldots \\
&\| \mathsf{ext}^\top(x_{n,mk}, s_{n,1}) \| \mathsf{ext}^\top(x_{n,mk}, s_{n,2}) \| \ldots \| \mathsf{ext}^\top(x_{n,mk}, s_{n,k})
\bigr)^\top\hspace*{-2.5pt}.
&\bigl( \mathsf{ext}^T(x_{1,1}, s_{1,1}) \| \mathsf{ext}^T(x_{1,1}, s_{1,2}) \| \ldots \| \mathsf{ext}^T(x_{1,1}, s_{1,k}) \| \\
&\| \mathsf{ext}^T(x_{1,2}, s_{1,1}) \| \mathsf{ext}^T(x_{1,2}, s_{1,2}) \| \ldots \| \mathsf{ext}^T(x_{1,2}, s_{1,k}) \| \ldots \\
&\| \mathsf{ext}^T(x_{1,mk}, s_{1,1}) \| \mathsf{ext}^T(x_{1,mk}, s_{1,2}) \| \ldots \| \mathsf{ext}^T(x_{1,mk}, s_{1,k}) \| \\
&\| \mathsf{ext}^T(x_{2,1}, s_{2,1}) \| \mathsf{ext}^T(x_{2,1}, s_{2,2}) \| \ldots \| \mathsf{ext}^T(x_{2,1}, s_{2,k}) \| \ldots \\
&\| \mathsf{ext}^T(x_{2,mk}, s_{2,1}) \| \mathsf{ext}^T(x_{2,mk}, s_{2,2}) \| \ldots \| \mathsf{ext}^T(x_{2,mk}, s_{2,k}) \| \ldots \\
&\| \mathsf{ext}^T(x_{n,1}, s_{n,1}) \| \mathsf{ext}^T(x_{n,1}, s_{n,2}) \| \ldots \| \mathsf{ext}^T(x_{n,1}, s_{n,k}) \| \ldots \\
&\| \mathsf{ext}^T(x_{n,mk}, s_{n,1}) \| \mathsf{ext}^T(x_{n,mk}, s_{n,2}) \| \ldots \| \mathsf{ext}^T(x_{n,mk}, s_{n,k})
\bigr)^T\hspace*{-2.5pt}.
\end{align*}
That is, $ \expandtimes (\mathbf{x}, \mathbf{s}_0)$ is obtained by applying $\mathsf{ext}$ to all pairs of the form $(x_{i,j},s_{i,t})$ for $(i,j,t) \in [n] \times [mk] \times [k]$.
Now, for $\mathbf{b} = (b_{1,1}, \ldots, b_{1, mk}, b_{2,1}, \ldots, b_{2,mk}, \ldots, b_{n,1}, b_{n,mk})^\top \in \{0,1\}^{nmk}$ and $\mathbf{d} = (d_{1,1}, \ldots, d_{1,k}, d_{2,1}, \ldots, d_{2,k}, \ldots, d_{n,1}, \ldots, d_{n,k})^\top \in \{0,1\}^{nk}$, we define the permutation $P_{\mathbf{b}, \mathbf{d}}$ that transforms
Now, for $\mathbf{b} = (b_{1,1}, \ldots, b_{1, mk}, b_{2,1}, \ldots, b_{2,mk}, \ldots, b_{n,1}, b_{n,mk})^T \in \{0,1\}^{nmk}$ and $\mathbf{d} = (d_{1,1}, \ldots, d_{1,k}, d_{2,1}, \ldots, d_{2,k}, \ldots, d_{n,1}, \ldots, d_{n,k})^T \in \{0,1\}^{nk}$, we define the permutation $P_{\mathbf{b}, \mathbf{d}}$ that transforms
vector
\begin{align*}
\mathbf{v} = &\big( (\mathbf{v}_{1,1,1}^\top \| \ldots \| \mathbf{v}_{1,1, k}^\top ) \| ( \mathbf{v}_{1,2,1}^\top \| \ldots \| \mathbf{v}_{1,2,k}^\top ) \| \ldots \| ( \mathbf{v}_{1,mk,1}^\top \| \ldots \| \mathbf{v}_{1,mk,k}^\top ) \| \\
&~ (\mathbf{v}_{2,1,1}^\top \| \ldots \| \mathbf{v}_{2,1, k}^\top ) \| (\mathbf{v}_{2,2,1}^\top \| \ldots \| \mathbf{v}_{2,2,k}^\top ) \| \ldots \| ( \mathbf{v}_{2,mk,1}^\top \| \ldots \| \mathbf{v}_{2,mk,k}^\top ) \| \\
&~ \hspace*{-25pt} (\mathbf{v}_{n,1,1}^\top \| \ldots \| \mathbf{v}_{n,1, k}^\top ) \| ( \mathbf{v}_{n,2,1}^\top \| \ldots \| \mathbf{v}_{n,2,k}^\top ) \| \ldots \| ( \mathbf{v}_{n,mk,1}^\top \| \ldots \| \mathbf{v}_{n,mk,k}^\top )
\big)^\top \hspace*{-3.5pt}\in \hspace*{-1.5pt}\mathbb{Z}^{4nmk^2},
\mathbf{v} = &\big( (\mathbf{v}_{1,1,1}^T \| \ldots \| \mathbf{v}_{1,1, k}^T ) \| ( \mathbf{v}_{1,2,1}^T \| \ldots \| \mathbf{v}_{1,2,k}^T ) \| \ldots \| ( \mathbf{v}_{1,mk,1}^T \| \ldots \| \mathbf{v}_{1,mk,k}^T ) \| \\
&~ (\mathbf{v}_{2,1,1}^T \| \ldots \| \mathbf{v}_{2,1, k}^T ) \| (\mathbf{v}_{2,2,1}^T \| \ldots \| \mathbf{v}_{2,2,k}^T ) \| \ldots \| ( \mathbf{v}_{2,mk,1}^T \| \ldots \| \mathbf{v}_{2,mk,k}^T ) \| \\
&~ \hspace*{-25pt} (\mathbf{v}_{n,1,1}^T \| \ldots \| \mathbf{v}_{n,1, k}^T ) \| ( \mathbf{v}_{n,2,1}^T \| \ldots \| \mathbf{v}_{n,2,k}^T ) \| \ldots \| ( \mathbf{v}_{n,mk,1}^T \| \ldots \| \mathbf{v}_{n,mk,k}^T )
\big)^T \hspace*{-3.5pt}\in \hspace*{-1.5pt}\mathbb{Z}^{4nmk^2},
\end{align*}
consisting of $nmk^2$ blocks of length $4$, to the vector $P_{\mathbf{b}, \mathbf{d}}(\mathbf{v})$ of the form
\begin{align*}
\big(~& (\mathbf{w}_{1,1,1}^\top \| \ldots \| \mathbf{w}_{1,1, k}^\top ) \| ( \mathbf{w}_{1,2,1}^\top \| \ldots \| \mathbf{w}_{1,2,k}^\top ) \| \ldots \| ( \mathbf{w}_{1,mk,1}^\top \| \ldots \| \mathbf{w}_{1,mk,k}^\top ) \| \\
& ( \mathbf{w}_{2,1,1}^\top \| \ldots \| \mathbf{w}_{2,1, k}^\top ) \| ( \mathbf{w}_{2,2,1}^\top \| \ldots \| \mathbf{w}_{2,2,k}^\top ) \| \ldots \| ( \mathbf{w}_{2,mk,1}^\top \| \ldots \| \mathbf{w}_{2,mk,k}^\top ) \| \\
& (\mathbf{w}_{n,1,1}^\top \| \ldots \| \mathbf{w}_{n,1, k}^\top ) \| (\mathbf{w}_{n,2,1}^\top \| \ldots \| \mathbf{w}_{n,2,k}^\top ) \| \ldots \| (\mathbf{w}_{n,mk,1}^\top \| \ldots \| \mathbf{w}_{n,mk,k}^\top )
~ \big)^\top,
\big(~& (\mathbf{w}_{1,1,1}^T \| \ldots \| \mathbf{w}_{1,1, k}^T ) \| ( \mathbf{w}_{1,2,1}^T \| \ldots \| \mathbf{w}_{1,2,k}^T ) \| \ldots \| ( \mathbf{w}_{1,mk,1}^T \| \ldots \| \mathbf{w}_{1,mk,k}^T ) \| \\
& ( \mathbf{w}_{2,1,1}^T \| \ldots \| \mathbf{w}_{2,1, k}^T ) \| ( \mathbf{w}_{2,2,1}^T \| \ldots \| \mathbf{w}_{2,2,k}^T ) \| \ldots \| ( \mathbf{w}_{2,mk,1}^T \| \ldots \| \mathbf{w}_{2,mk,k}^T ) \| \\
& (\mathbf{w}_{n,1,1}^T \| \ldots \| \mathbf{w}_{n,1, k}^T ) \| (\mathbf{w}_{n,2,1}^T \| \ldots \| \mathbf{w}_{n,2,k}^T ) \| \ldots \| (\mathbf{w}_{n,mk,1}^T \| \ldots \| \mathbf{w}_{n,mk,k}^T )
~ \big)^T,
\end{align*}
where for each $(i,j,t) \in [n]\times [mk] \times [k]$: \hspace*{2.5pt}$\mathbf{w}_{i,j,t} = T_{b_{i,j}, d_{i,t}}(\mathbf{v}_{i,j,t})$.
\smallskip
@ -473,23 +559,23 @@ Observe that, for all $\mathbf{b} \in \{0,1\}^{nmk}, \mathbf{d} \in \{0,1\}^{nk}
\noindent
Next, we recall the notations, extensions and permutations used in previous Stern-like protocols~\cite{LNSW13,LNW15,ELL+15,LLM+16} for proving linear relations.
For any positive integer $t$, denote by $\mathcal{S}_t$ the symmetric group of all permutations of~$t$ elements, by $\mathsf{B}_{2t}$ the set of all vectors in $\{0,1\}^{2t}$ having Hamming weight~$t$, and by $\mathsf{B}_{3t}$ the set of all vectors in $\{-1,0,1\}^{3t}$ having exactly $t$ coordinates equal to $j$, for each $j \in \{-1,0,1\}$.
Note that for any $\phi \in \mathcal{S}_{2t}$ and $\psi\in \mathcal{S}_{3t}$, we have the following equivalences:
For any positive integer $t$, denote by $\permutations_t$ the symmetric group of all permutations of~$t$ elements, by $\mathsf{B}_{2t}$ the set of all vectors in $\{0,1\}^{2t}$ having Hamming weight~$t$, and by $\mathsf{B}_{3t}$ the set of all vectors in $\{-1,0,1\}^{3t}$ having exactly $t$ coordinates equal to $j$, for each $j \in \{-1,0,1\}$.
Note that for any $\phi \in \permutations_{2t}$ and $\psi\in \permutations_{3t}$, we have the following equivalences:
\begin{eqnarray}\label{eq:permuting-B_2t_B_3t}
\mathbf{x} \in \mathsf{B}_{2t} \Longleftrightarrow \phi(\mathbf{x}) \in \mathsf{B}_{2t} \hspace*{7.5pt}\text{ and }\hspace*{7.5pt} \mathbf{y} \in \mathsf{B}_{3t} \Longleftrightarrow \psi(\mathbf{y}) \in \mathsf{B}_{3t}.
\end{eqnarray}
The following extending procedures are defined for any positive integers $t$.
\begin{itemize}
\item $\mathsf{ExtendTwo}_t: \{0,1\}^{t} \rightarrow \mathsf{B}_{2t}$. On input vector $\mathbf{x}$ with Hamming weight $w$, it outputs
\[\mathbf{x}' = (\mathbf{x}^\top \| \mathbf{1}^{t-w} \| \mathbf{0}^{w})^\top. \]
\[\mathbf{x}' = (\mathbf{x}^T \| \mathbf{1}^{t-w} \| \mathbf{0}^{w})^T. \]
\item $\mathsf{ExtendThree}_t: \{-1,0,1\}^{t} \rightarrow \mathsf{B}_{3t}$. On input vector $\mathbf{y}$ containing $n_j$ coordinates equal to $j$ for $j \in \{-1,0,1\}$, this procedure outputs the vector
\[\mathbf{y}' = (\mathbf{y}^\top \| \mathbf{1}^{t-n_1}
\[\mathbf{y}' = (\mathbf{y}^T \| \mathbf{1}^{t-n_1}
\| \mathbf{0}^{t-n_0} \| \mathbf{(-1)}^{t-n_{-1}}).\]
\end{itemize}
We also use the following encoding and permutation to achieve fine-grained control over coordinates of binary witness-vectors.
\begin{itemize}
\item For any positive integer $t$, define the function $\mathsf{encode}_t$ that encodes vector $\mathbf{x} = (x_1, \ldots, x_t)^\top\in \{0,1\}^t$ to vector $\mathsf{encode}_t(\mathbf{x}) = (\bar{x}_1, x_1, \ldots, \bar{x}_t, x_t)^\top \in \{0,1\}^{2t}$.
\item For any positive integer $t$ and any vector $\mathbf{c} = (c_1, \ldots, c_t)^\top \in \{0,1\}^t$, define the permutation $F_{\mathbf{c}}^{(t)}$ that transforms vector $\mathbf{v} = (v_1^{(0)}, v_1^{(1)}, \ldots, v_t^{(0)}, v_t^{(1)})^\top \in \ZZ^{2t}$ into vector $F_{\mathbf{c}}^{(t)}(\mathbf{v}) = (v_1^{(c_1)}, v_1^{(\bar{c}_1)}, \ldots, v_t^{(c_t)}, v_t^{(\bar{c}_t)})^\top$.
\item For any positive integer $t$, define the function $\mathsf{encode}_t$ that encodes vector $\mathbf{x} = (x_1, \ldots, x_t)^T\in \{0,1\}^t$ to vector $\mathsf{encode}_t(\mathbf{x}) = (\bar{x}_1, x_1, \ldots, \bar{x}_t, x_t)^T \in \{0,1\}^{2t}$.
\item For any positive integer $t$ and any vector $\mathbf{c} = (c_1, \ldots, c_t)^T \in \{0,1\}^t$, define the permutation $F_{\mathbf{c}}^{(t)}$ that transforms vector $\mathbf{v} = (v_1^{(0)}, v_1^{(1)}, \ldots, v_t^{(0)}, v_t^{(1)})^T \in \ZZ^{2t}$ into vector $F_{\mathbf{c}}^{(t)}(\mathbf{v}) = (v_1^{(c_1)}, v_1^{(\bar{c}_1)}, \ldots, v_t^{(c_t)}, v_t^{(\bar{c}_t)})^T$.
\end{itemize}
Note that the following equivalence holds for all $t, \mathbf{c}$:
\begin{eqnarray}\label{eq:equivalence-encoding}
@ -519,25 +605,25 @@ Moreover, the argument system should be readily extended to proving that $\mathb
Let $q_1, \ldots, q_k \in \Zq$ be the sequence of integers obtained by decomposing $q-1$ using the technique recalled in
Section \ref{subsection:decomposition}, and define the row vector $\mathbf{g} = (q_1, \ldots, q_k)$.
Let $\mathbf{X} = [\mathbf{x}_1 | \ldots | \mathbf{x}_n] \in \Zq^{m \times n}$ and $\mathbf{s}= (s_1, \ldots, s_n)^\top$.
For each index $i \in [n]$, let us consider $\mathsf{vdec}_{m,q-1}(\mathbf{x}_i) = (x_{i,1}, \ldots, x_{i,mk})^\top \in \{0,1\}^{mk}$.
Let $\mathbf{X} = [\mathbf{x}_1 | \ldots | \mathbf{x}_n] \in \Zq^{m \times n}$ and $\mathbf{s}= (s_1, \ldots, s_n)^T$.
For each index $i \in [n]$, let us consider $\mathsf{vdec}_{m,q-1}(\mathbf{x}_i) = (x_{i,1}, \ldots, x_{i,mk})^T \in \{0,1\}^{mk}$.
Let
\[ \mathsf{vdec}_{n,q-1}(\mathbf{s})= (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots s_{n,k})^\top \in \{0,1\}^{nk} \]
and observe that $s_i = \mathbf{g} \cdot \mathsf{idec}_{q-1}(s_i)= \mathbf{g}\cdot (s_{i,1}, \ldots, s_{i,k})^\top$ for each $i \in [n]$.
\[ \mathsf{vdec}_{n,q-1}(\mathbf{s})= (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots s_{n,k})^T \in \{0,1\}^{nk} \]
and observe that $s_i = \mathbf{g} \cdot \mathsf{idec}_{q-1}(s_i)= \mathbf{g}\cdot (s_{i,1}, \ldots, s_{i,k})^T$ for each $i \in [n]$.
We have:
\begin{eqnarray*}
\mathbf{X}\cdot \mathbf{s} &=& \sum_{i=1}^n \mathbf{x}_i\cdot s_i = \sum_{i=1}^n \mathbf{H}_{m,q-1}\cdot \mathsf{vdec}_{m,q-1}(\mathbf{x}_i)\cdot s_i \\
&=& \mathbf{H}_{m,q-1}\cdot \Big(\sum_{i=1}^n (x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^\top\Big) \bmod q.
&=& \mathbf{H}_{m,q-1}\cdot \Big(\sum_{i=1}^n (x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^T\Big) \bmod q.
\end{eqnarray*}
Observe that, for each $i \in [n]$ and each $j \in [mk]$, we have
\begin{align*}
x_{i,j}\cdot s_i &= x_{i,j}\cdot \mathbf{g} \cdot (s_{i,1}, \ldots, s_{i,k})^\top \\
&= (q_1, \ldots, q_k) \cdot (x_{i,j}\cdot s_{i,1}, \ldots, x_{i,j}\cdot s_{i,k})^\top.
x_{i,j}\cdot s_i &= x_{i,j}\cdot \mathbf{g} \cdot (s_{i,1}, \ldots, s_{i,k})^T \\
&= (q_1, \ldots, q_k) \cdot (x_{i,j}\cdot s_{i,1}, \ldots, x_{i,j}\cdot s_{i,k})^T.
\end{align*}
We now extend vector $(q_1, q_2, \ldots, q_k)$ to $\mathbf{g}' \hspace*{-1.5pt}=\hspace*{-1.5pt} (0,0,0,q_1, 0,0,0, q_2, \ldots, 0,0,0,q_k) \in \Zq^{4k}$.
For all $(i,j) \in [n]\times [mk]$, we have:
$$
x_{i,j}\cdot s_i = \mathbf{g}' \cdot (\mathsf{ext}^\top(x_{i,j}, s_{i,1}) \| \ldots \| \mathsf{ext}^\top(x_{i,j},s_{i,k}))^\top.
x_{i,j}\cdot s_i = \mathbf{g}' \cdot (\mathsf{ext}^T(x_{i,j}, s_{i,1}) \| \ldots \| \mathsf{ext}^T(x_{i,j},s_{i,k}))^T.
$$
Let us define the matrices
\begin{eqnarray} \label{Q0-def}
@ -549,17 +635,17 @@ Let us define the matrices
\end{eqnarray}
and $\widehat{\mathbf{Q}} = [\overbrace{\mathbf{Q}_0 | \ldots | \mathbf{Q}_0}^{n \text{ times }}] \in \Zq^{mk \times 4nmk^2}$. For each $i \in [n]$, define
\begin{align*}
\mathbf{y}_i = \bigl( &\mathsf{ext}^\top(x_{i,1}, s_{i,1}) \| \ldots \| \mathsf{ext}^\top(x_{i,1},s_{i,k}))^\top \| \mathsf{ext}^\top(x_{i,2},s_{i,1}) \| \ldots \| \mathsf{ext}^\top(x_{i,2}, s_{i,k}) \\
& \| \ldots \|\mathsf{ext}^\top(x_{i,mk},s_{i,1} \| \ldots \| \mathsf{ext}^\top(x_{i,mk}, s_{i,k}) \bigr)^\top \in \{0,1\}^{4mk^2}.
\mathbf{y}_i = \bigl( &\mathsf{ext}^T(x_{i,1}, s_{i,1}) \| \ldots \| \mathsf{ext}^T(x_{i,1},s_{i,k}))^T \| \mathsf{ext}^T(x_{i,2},s_{i,1}) \| \ldots \| \mathsf{ext}^T(x_{i,2}, s_{i,k}) \\
& \| \ldots \|\mathsf{ext}^T(x_{i,mk},s_{i,1} \| \ldots \| \mathsf{ext}^T(x_{i,mk}, s_{i,k}) \bigr)^T \in \{0,1\}^{4mk^2}.
\end{align*}
Then, for all $i \in [n]$, we have:
$
(x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^\top = \mathbf{Q}_0 \cdot \mathbf{y}_i.
(x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^T = \mathbf{Q}_0 \cdot \mathbf{y}_i.
$
Now, we note that $$(\mathbf{y}_1^\top \| \ldots \| \mathbf{y}_n^\top)^\top = \expandtimes \bigl(\mathsf{mdec}_{n,m,q}(\mathbf{X}), \mathsf{vdec}_{n,q-1}(\mathbf{s})\bigr),$$
Now, we note that $$(\mathbf{y}_1^T \| \ldots \| \mathbf{y}_n^T)^T = \expandtimes \bigl(\mathsf{mdec}_{n,m,q}(\mathbf{X}), \mathsf{vdec}_{n,q-1}(\mathbf{s})\bigr),$$
and
\begin{multline} \label{almost}
\sum_{i=1}^n (x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^\top \\ = \sum_{i=1}^n \mathbf{Q}_0 \cdot \mathbf{y}_i = \widehat{\mathbf{Q}}\cdot \expandtimes \bigl(\mathsf{mdec}_{n,m,q}(\mathbf{X}), \mathsf{vdec}_{n,q-1}(\mathbf{s}) \bigr). \qquad
\sum_{i=1}^n (x_{i,1}\cdot s_i, \ldots, x_{i,mk}\cdot s_i)^T \\ = \sum_{i=1}^n \mathbf{Q}_0 \cdot \mathbf{y}_i = \widehat{\mathbf{Q}}\cdot \expandtimes \bigl(\mathsf{mdec}_{n,m,q}(\mathbf{X}), \mathsf{vdec}_{n,q-1}(\mathbf{s}) \bigr). \qquad
\end{multline}
Letting $\mathbf{Q}= \mathbf{H}_{m,q-1}\cdot \widehat{\mathbf{Q}} \in \Zq^{m \times 4nmk^2}$ and left-multiplying~\eqref{almost} by $ \mathbf{H}_{m,q-1}$, we obtain the equation:
@ -575,11 +661,11 @@ Letting $\mathbf{Q}= \mathbf{H}_{m,q-1}\cdot \widehat{\mathbf{Q}} \in \Zq^{m \t
$x_1$ & $x_2$ & $b_1$ & $b_2$ & ~$\mathsf{ext}(x_1,x_2)$~ & ~$T_{b_1,b_2}(\mathsf{ext}(x_1,x_2))$~ & ~$x_1 \oplus b_1$~& ~$x_2 \oplus b_2$~ &~$\mathsf{ext}(x_1 \oplus b_1, x_2 \oplus b_2)$~\\
\hline
\rule{0pt}{3ex}
$0$ & $0$ & $0$ & $0$ & $(1000)^\top$ & $(1000)^\top$ & $0$ & $0$ & $(1000)^\top$ \\[5pt]
$0$ & $0$ & $0$ & $0$ & $(1000)^T$ & $(1000)^T$ & $0$ & $0$ & $(1000)^T$ \\[5pt]
$0$ & $0$ & $0$ & $1$ & $(1000)^\top$ & $(0100)^\top$ & $0$ & $1$ & $(0100)^\top$ \\[5pt]
$0$ & $0$ & $0$ & $1$ & $(1000)^T$ & $(0100)^T$ & $0$ & $1$ & $(0100)^T$ \\[5pt]
$0$ & $0$ & $1$ & $0$ & $(1000)^\top$ & $(0010)^\top$ & $1$ & $0$ & $(0010)^\top$ \\[5pt]
$0$ & $0$ & $1$ & $0$ & $(1000)^T$ & $(0010)^T$ & $1$ & $0$ & $(0010)^T$ \\[5pt]
\hline
\end{tabular}
@ -607,7 +693,7 @@ We will explain in detail how this technique can be realized in the next subse
%**************************************************
\section{Our Lattice-Based Group Encryption Scheme} \label{groupenc-scheme}
To build a $\GE$ scheme using our zero-knowledge argument system, we need to choose a specific key-private CCA2-secure encryption scheme.
To build a $\mathsf{GE}$ scheme using our zero-knowledge argument system, we need to choose a specific key-private CCA2-secure encryption scheme.
The first idea is to use the CCA2-secure public-key cryptosystem which is implied by the Agrawal-Boneh-Boyen identity-based encryption (IBE) scheme \cite{ABB10} (which is
recalled in \cref{ap:ABB-IBE}) via the Canetti-Halevi-Katz (CHK) transformation \cite{CHK04}.
The ABB scheme is a natural choice since it has pseudo-random ciphertexts (which implies the key-privacy \cite{BBDP01} when the CHK paradigm
@ -640,18 +726,18 @@ trapdoor allowing to sample short vectors in $\Lambda_q^{\perp}(\mathbf{G})$, th
by running the $\mathsf{SampleRight}$ algorithm of Lemma \ref{lem:sampler}.
Having encrypted the witness $\mathbf{w} \in \{0,1\}^m$ by running the ABB encryption algorithm, the sender proceeds by encrypting a hash value of $\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$ under the public key $\mathbf{B}_{\OA} = \bar{\mathbf{A}} \cdot \mathbf{T}_{\OA} \in \Zq^{n \times \bar{m}}$ of the opening authority. The latter hash value
is obtained as a bit-wise decomposition of $\mathbf{F} \cdot \mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^\top) \in \Zq^{2n}$, where $\mathbf{F} \in \Zq^{2n \times n \bar{m} \lceil \log q \rceil}$
is a random public matrix and $\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^\top) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil}$ denotes an entry-wise binary decomposition of the matrix $\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$.
is obtained as a bit-wise decomposition of $\mathbf{F} \cdot \mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^T) \in \Zq^{2n}$, where $\mathbf{F} \in \Zq^{2n \times n \bar{m} \lceil \log q \rceil}$
is a random public matrix and $\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^T) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil}$ denotes an entry-wise binary decomposition of the matrix $\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$.
By combining our new argument for quadratic relations and the extensions of Stern's protocol suggested in \cite{LNW15,LLM+16},
we are able to prove that some component of the ciphertext is of the form $\mathbf{c}=\mathbf{B}_{\mathsf{U}}^{\top} \cdot \mathbf{s} + \mathbf{e} \in \Zq^{\bar{m}}$, for some $\mathbf{s} \in \Zq^n$
we are able to prove that some component of the ciphertext is of the form $\mathbf{c}=\mathbf{B}_{\mathsf{U}}^{T} \cdot \mathbf{s} + \mathbf{e} \in \Zq^{\bar{m}}$, for some $\mathbf{s} \in \Zq^n$
and a small-norm $\mathbf{e} \in \ZZ^{\bar{m}}$ while also arguing possession of a signature on the binary decomposition
$\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^\top) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil}$ of $\mathbf{B}_{\mathsf{U}}^\top$. For this purpose, we use a variant of a signature scheme
$\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^T) \in \{0,1\}^{n \bar{m} \lceil \log q \rceil}$ of $\mathbf{B}_{\mathsf{U}}^T$. For this purpose, we use a variant of a signature scheme
due to B\"ohl \textit{et al.}'s
signature \cite{BHJ+15} which was described in \cref{ch:gs-lwe}
(and of which a description is given in \cref{se:gs-lwe-sigep}).
At the same time, the prover $\mathcal{P}$ can also
argue that a hash value of $\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^\top) $ is properly
argue that a hash value of $\mathsf{mdec}_{n,m,q}(\mathbf{B}_{\mathsf{U}}^T) $ is properly
encrypted under the $\OA$'s public key using the ABB encryption scheme.
@ -659,7 +745,7 @@ encrypted under the $\OA$'s public key using the ABB encryption scheme.
\subsection{Description of the Scheme}
Our $\GE$ scheme allows encrypting witnesses for the \ISIS relation (as in \cref{de:sis}) $ \mathrm{R}_{\ISIS}(n,m,q,1)$, which
Our $\mathsf{GE}$ scheme allows encrypting witnesses for the \ISIS relation (as in \cref{de:sis}) $ \mathrm{R}_{\ISIS}(n,m,q,1)$, which
consists of pairs $((\mathbf{A}_R, \mathbf{u}_R), \mathbf{w}) \in (\Zq^{n \times m} \times \Zq^n) \times \{0,1\}^m $ satisfying $\mathbf{u}_R=\mathbf{A}_R \cdot \mathbf{w} \bmod q$.
This relation is in the same spirit as the one of Kiayias, Tsiounis and Yung \cite{KTY07}, who consider the verifiable encryption of discrete logarithms. While the construction of
\cite{KTY07} allow verifiably encrypting discrete-logarithm-type secret keys under the public key of some anonymous trusted third party, our construction makes it possible to encrypt GPV-type secret keys \cite{GPV08}. \smallskip
@ -727,7 +813,7 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
\item[2.] Upon receiving a public key $\mathsf{pk}_{\mathsf{U}} = \mathbf{B}_{\mathsf{U}} \in \mathbb{Z}_q^{n \times \bar{m}}$ from the user, the $\GM$ certifies $\pk_U$ via the following steps:
\smallskip
\begin{enumerate}
\item[a.] Compute $\mathbf{h}_{\mathsf{U}} = \mathbf{F}\cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\mathsf{U}}^\top) \in \mathbb{Z}_q^{2n}$ as a hash value
\item[a.] Compute $\mathbf{h}_{\mathsf{U}} = \mathbf{F}\cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\mathsf{U}}^T) \in \mathbb{Z}_q^{2n}$ as a hash value
of the public key $\pk_{\mathsf{U}}=\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$. \smallskip %and let $\mathbf{e_M} = \mathsf{encode}(\mathsf{bin}(\mathbf{h_M})) \in \{0,1\}^{m}$.
\item[b.] Use the trapdoor $\sk_{\GM} = \mathbf{T_A}$ to generate a signature
\begin{eqnarray}\label{eq:cert-description}
@ -757,14 +843,14 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
\item[3.] Encrypt the witness $\mathbf{w} \in \{0,1\}^m$ under $\mathsf{U}$'s public key $\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ using the tag $\vk$ by taking the following steps: \smallskip
\begin{enumerate}
\item[a.] Sample $\mathbf{s}_{\rec} \leftarrow U(\mathbb{Z}_q^n)$, $\mathbf{R}_{\rec} \leftarrow D_{\ZZ,\sigma}^{m \times \bar{m}} $ and
$\mathbf{x}_{\rec}, \mathbf{y}_{\rec} \leftarrow \chi^m$. Compute $\mathbf{z}_{\rec} = \mathbf{R}_{\rec}^\top\cdot \mathbf{y}_{\rec} \in \mathbb{Z}^{\bar{m}}$.
$\mathbf{x}_{\rec}, \mathbf{y}_{\rec} \leftarrow \chi^m$. Compute $\mathbf{z}_{\rec} = \mathbf{R}_{\rec}^T\cdot \mathbf{y}_{\rec} \in \mathbb{Z}^{\bar{m}}$.
\item[b.] Compute
\begin{eqnarray}\label{eq:c-recipient}
\begin{cases}
\mathbf{c}_{\rec}^{(1)} = \bar{\mathbf{A}}^\top\cdot \mathbf{s}_{\rec} + \mathbf{y}_{\rec} \bmod q \\
\mathbf{c}_{\rec}^{(2)} %= \mathbf{B}_{\vk}^\top \cdot \mathbf{s}_{\rec} + \mathbf{z}_{\rec} \bmod q
= (\mathbf{B}_\mathsf{U} + \mathbf{H}_{\vk} \cdot \mathbf{G})^\top \cdot \mathbf{s}_{\rec} + \mathbf{z}_{\rec} \bmod q ; \\
\mathbf{c}_{\rec}^{(3)} = \mathbf{U}^\top \cdot \mathbf{s}_{\rec} + \mathbf{x}_{\rec} + \mathbf{w}\cdot \Big\lfloor\frac{q}{2}\Big\rfloor,
\mathbf{c}_{\rec}^{(1)} = \bar{\mathbf{A}}^T\cdot \mathbf{s}_{\rec} + \mathbf{y}_{\rec} \bmod q \\
\mathbf{c}_{\rec}^{(2)} %= \mathbf{B}_{\vk}^T \cdot \mathbf{s}_{\rec} + \mathbf{z}_{\rec} \bmod q
= (\mathbf{B}_\mathsf{U} + \mathbf{H}_{\vk} \cdot \mathbf{G})^T \cdot \mathbf{s}_{\rec} + \mathbf{z}_{\rec} \bmod q ; \\
\mathbf{c}_{\rec}^{(3)} = \mathbf{U}^T \cdot \mathbf{s}_{\rec} + \mathbf{x}_{\rec} + \mathbf{w}\cdot \Big\lfloor\frac{q}{2}\Big\rfloor,
\end{cases}
\end{eqnarray}
and let $\mathbf{c}_{\rec} = \big(\mathbf{c}_{\rec}^{(1)}, \mathbf{c}_{\rec}^{(2)}, \mathbf{c}_{\rec}^{(3)}\big)
@ -777,13 +863,13 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
the $\OA$'s public key $\mathbf{B}_{\OA} \in \Zq^{n \times \bar{m}}$ w.r.t. the tag $\vk \in \Zq^n$. Namely, conduct the following steps: \smallskip
\begin{enumerate}
\item[a.] Sample $\mathbf{s}_{\mathsf{oa}} \leftarrow U( \mathbb{Z}_q^n)$, $\mathbf{R}_{\mathsf{oa}} \leftarrow D_{\ZZ,\sigma}^{m \times \bar{m}}$,
$\mathbf{x}_{\mathsf{oa}} \leftarrow \chi^{m}, \mathbf{y}_{\mathsf{oa}} \leftarrow \chi^m$. Set $\mathbf{z}_{\mathsf{oa}} = \mathbf{R}_{\mathsf{oa}}^\top\cdot \mathbf{y}_{\mathsf{oa}} \in \ZZ^{\bar{m}}$.
$\mathbf{x}_{\mathsf{oa}} \leftarrow \chi^{m}, \mathbf{y}_{\mathsf{oa}} \leftarrow \chi^m$. Set $\mathbf{z}_{\mathsf{oa}} = \mathbf{R}_{\mathsf{oa}}^T\cdot \mathbf{y}_{\mathsf{oa}} \in \ZZ^{\bar{m}}$.
\item[b.] Compute
\begin{eqnarray}\label{eq:c-open}
\begin{cases}
\mathbf{c}_{\mathsf{oa}}^{(1)} = \bar{\mathbf{A}}^\top \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{y}_{\mathsf{oa}} \bmod q; \\
\mathbf{c}_{\mathsf{oa}}^{(2)} = (\mathbf{B}_\OA + \mathbf{H}_{\vk} \cdot \mathbf{G})^\top \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{z}_{\mathsf{oa}} \bmod q; \\
\mathbf{c}_{\mathsf{oa}}^{(3)} = \mathbf{V}^\top \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{x}_{\mathsf{oa}} + \mathsf{vdec}_{n,q-1}(\mathbf{h_\mathsf{U}})\cdot \Big\lfloor\frac{q}{2}\Big\rfloor,
\mathbf{c}_{\mathsf{oa}}^{(1)} = \bar{\mathbf{A}}^T \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{y}_{\mathsf{oa}} \bmod q; \\
\mathbf{c}_{\mathsf{oa}}^{(2)} = (\mathbf{B}_\OA + \mathbf{H}_{\vk} \cdot \mathbf{G})^T \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{z}_{\mathsf{oa}} \bmod q; \\
\mathbf{c}_{\mathsf{oa}}^{(3)} = \mathbf{V}^T \cdot \mathbf{s}_{\mathsf{oa}} + \mathbf{x}_{\mathsf{oa}} + \mathsf{vdec}_{n,q-1}(\mathbf{h_\mathsf{U}})\cdot \Big\lfloor\frac{q}{2}\Big\rfloor,
\end{cases}
\end{eqnarray}
and let $\mathbf{c}_{\mathsf{oa}} = \big(\mathbf{c}_{\mathsf{oa}}^{(1)}, \mathbf{c}_{\mathsf{oa}}^{(2)}, \mathbf{c}_{\mathsf{oa}}^{(3)}\big) \in \mathbb{Z}_q^m \times \mathbb{Z}_q^{\bar{m}} \times \mathbb{Z}_q^{m}$.
@ -815,7 +901,7 @@ and the state information $coins_{\mathbf{\Psi}}=\big( \mathbf{s}_{\rec}, \mathb
algorithm of Lemma \ref{lem:sampler}.
\item[b.] Compute
\begin{eqnarray*}
\mathbf{w} = \left\lfloor \Bigl( \mathbf{c}_{\rec}^{(3)} - \mathbf{E}_{\vk}^\top \cdot \begin{bmatrix} \mathbf{c}_{\rec}^{(1)} \\ \mathbf{c}_{\rec}^{(2)} \end{bmatrix} \Bigr) / \left\lfloor \frac{q}{2} \right\rfloor \right\rceil \in \ZZ^m
\mathbf{w} = \left\lfloor \Bigl( \mathbf{c}_{\rec}^{(3)} - \mathbf{E}_{\vk}^T \cdot \begin{bmatrix} \mathbf{c}_{\rec}^{(1)} \\ \mathbf{c}_{\rec}^{(2)} \end{bmatrix} \Bigr) / \left\lfloor \frac{q}{2} \right\rfloor \right\rceil \in \ZZ^m
\end{eqnarray*}
and return the obtained $\mathbf{w} \in \{0,1\}^m$.
\end{itemize}
@ -834,16 +920,16 @@ and the state information $coins_{\mathbf{\Psi}}=\big( \mathbf{s}_{\rec}, \mathb
a small-norm $\mathbf{E}_{\OA,\vk} \in \ZZ^{(m+\bar{m}) \times m} $ satisfying $\mathbf{B}_{\OA,\vk} \cdot \mathbf{E}_{\OA,\vk} = \mathbf{V} \bmod q$.
\item[b.] Compute
\begin{eqnarray*}
\mathbf{h} = \left\lfloor \Bigl( \mathbf{c}_{\mathsf{oa}}^{(3)} - \mathbf{E}_{\OA,\vk}^\top \cdot \begin{bmatrix} \mathbf{c}_{\mathsf{oa}}^{(1)} \\ \mathbf{c}_{\mathsf{oa}}^{(2)} \end{bmatrix} \Bigr) /
\mathbf{h} = \left\lfloor \Bigl( \mathbf{c}_{\mathsf{oa}}^{(3)} - \mathbf{E}_{\OA,\vk}^T \cdot \begin{bmatrix} \mathbf{c}_{\mathsf{oa}}^{(1)} \\ \mathbf{c}_{\mathsf{oa}}^{(2)} \end{bmatrix} \Bigr) /
\left\lfloor \frac{q}{2} \right\rfloor \right\rceil \in \{0,1\}^{m}
\end{eqnarray*}
and $\mathbf{h}_\mathsf{U}'=\mathbf{H}_{2n,q-1} \cdot \mathbf{h} \in \Zq^{2n}$.
\end{itemize}
\item[3.] Look up $\mathsf{database}$ to find a public key $\pk_\mathsf{U}=\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ that hashes
to $\mathbf{h}_\mathsf{U}' \in \Zq^{2n}$ (i.e., such that $\mathbf{h}_\mathsf{U}'= \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_\mathsf{U}^\top)$). If more than one such key exists, return
to $\mathbf{h}_\mathsf{U}' \in \Zq^{2n}$ (i.e., such that $\mathbf{h}_\mathsf{U}'= \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_\mathsf{U}^T)$). If more than one such key exists, return
$\perp$.
If only one key $\pk_\mathsf{U}=\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$ satisfies $\mathbf{h}_\mathsf{U}'= \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_\mathsf{U}^\top)$, return that key $\pk_\mathsf{U}$.
If only one key $\pk_\mathsf{U}=\mathbf{B}_{\mathsf{U}} \in \Zq^{n \times \bar{m}}$ satisfies $\mathbf{h}_\mathsf{U}'= \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_\mathsf{U}^T)$, return that key $\pk_\mathsf{U}$.
In any other situation, return $\bot$.
\end{enumerate}
@ -870,7 +956,7 @@ and the state information $coins_{\mathbf{\Psi}}=\big( \mathbf{s}_{\rec}, \mathb
\medskip \smallskip
To this end $\mathcal{P}$ conducts the following steps. \medskip \smallskip \smallskip
\begin{itemize}
\item[1.] Decompose the matrix $\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ into $\mathbf{b}_{\mathsf{U}} = \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\mathsf{U}}^\top) \in \{0,1\}^{n\bar{m}k}$ and the vectors $\mathbf{s}_{\rec} ,\mathbf{s}_{\mathsf{oa}} \in \Zq^n$ into $\mathbf{s}_{0,\rec} = \mathsf{vdec}_{n,q-1}(\mathbf{s}_{\rec}) \in \{0,1\}^{nk}$ and $\mathbf{s}_{0,\mathsf{oa}} = \mathsf{vdec}_{n,q-1}(\mathbf{s}_{\mathsf{oa}}) \in \{0,1\}^{nk}$. Combine the first two binary vectors into $\mathbf{z}_{\mathbf{\Psi}} = \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec}) \in \{0,1\}^{4n \bar{m} k^2}
\item[1.] Decompose the matrix $\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ into $\mathbf{b}_{\mathsf{U}} = \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\mathsf{U}}^T) \in \{0,1\}^{n\bar{m}k}$ and the vectors $\mathbf{s}_{\rec} ,\mathbf{s}_{\mathsf{oa}} \in \Zq^n$ into $\mathbf{s}_{0,\rec} = \mathsf{vdec}_{n,q-1}(\mathbf{s}_{\rec}) \in \{0,1\}^{nk}$ and $\mathbf{s}_{0,\mathsf{oa}} = \mathsf{vdec}_{n,q-1}(\mathbf{s}_{\mathsf{oa}}) \in \{0,1\}^{nk}$. Combine the first two binary vectors into $\mathbf{z}_{\mathbf{\Psi}} = \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec}) \in \{0,1\}^{4n \bar{m} k^2}
$. Define
$$\mathbf{Q} = \mathbf{H}_{\bar{m},q-1} \cdot [\overbrace{\mathbf{Q}_0 | \ldots | \mathbf{Q}_0}^{n \text{ times }}] \in \Zq^{\bar{m} \times 4n \bar{m} k^2} ,$$ where
$\mathbf{Q}_0 = \mathbf{I}_{\bar{m} k} \otimes \mathbf{g}' \in \Zq^{\bar{m}k \times 4 \bar{m} k^2}$ is the matrix defined as in (\ref{Q0-def}).
@ -879,7 +965,7 @@ $. Define
\begin{eqnarray*}
\left\{
\begin{array}{l}
\tau \in \{0,1\}^\ell, ~\mathbf{d}=[\mathbf{d}_1^\top | \mathbf{d}_2^\top ]^\top \in [-\beta,\beta]^{2m},~\mathbf{r} \in [-\beta,\beta]^m \\
\tau \in \{0,1\}^\ell, ~\mathbf{d}=[\mathbf{d}_1^T | \mathbf{d}_2^T ]^T \in [-\beta,\beta]^{2m},~\mathbf{r} \in [-\beta,\beta]^m \\
\mathbf{t}_{\mathsf{U}} \in \{0,1\}^{m},~\mathbf{w}_{\mathsf{U}} \in \{0,1\}^{\bar{m}} \\
\mathbf{b}_{\mathsf{U}} \in \{0,1\}^{n \bar{m} k}, ~\mathbf{s}_{0,\rec} \in \{0,1\}^{nk}, ~
\mathbf{z}_{\mathbf{\Psi}} = \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec})
@ -902,25 +988,25 @@ $. Define
\end{eqnarray}
as well as
\begin{eqnarray} \nonumber
\mathbf{c}_{\rec}^{(1)} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}}^\top \cdot \mathbf{H}_{n,q-1} ~ &~ \mathbf{I}_m \end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\rec} \\ \hline \mathbf{y}_{\rec} \end{bmatrix} , \qquad \quad \\ \label{rel-deux}
\mathbf{c}_{\rec}^{(1)} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}}^T \cdot \mathbf{H}_{n,q-1} ~ &~ \mathbf{I}_m \end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\rec} \\ \hline \mathbf{y}_{\rec} \end{bmatrix} , \qquad \quad \\ \label{rel-deux}
\mathbf{z}_{\mathbf{\Psi}} &= & \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec}) \qquad \qquad \\ \nonumber
\mathbf{c}_{\rec}^{(2)} &=&
\left[ \begin{array}{c|c|c} \mathbf{Q} ~&~ \mathbf{G}^\top \cdot \mathbf{H}_\vk^\top \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_{\bar{m}}
\left[ \begin{array}{c|c|c} \mathbf{Q} ~&~ \mathbf{G}^T \cdot \mathbf{H}_\vk^T \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_{\bar{m}}
\end{array} \right] \cdot \begin{bmatrix} \mathbf{z}_{\mathbf{\Psi}} \\ \hline \mathbf{s}_{0,\rec} \\ \hline \mathbf{z}_{\rec} \end{bmatrix} , \qquad \quad \\ \nonumber
\mathbf{c}_{\rec}^{(3)} &=&
\left[ \begin{array}{c|c|c} ~ \mathbf{U}^\top \cdot \mathbf{H}_{n,q-1} ~~& ~~ \mathbf{I}_m ~~& ~~\mathbf{I}_m \cdot \lfloor \frac{q}{p} \rfloor ~
\left[ \begin{array}{c|c|c} ~ \mathbf{U}^T \cdot \mathbf{H}_{n,q-1} ~~& ~~ \mathbf{I}_m ~~& ~~\mathbf{I}_m \cdot \lfloor \frac{q}{p} \rfloor ~
\end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\rec} \\ \hline \mathbf{x}_{\rec} \\ \hline \mathbf{w} \end{bmatrix} , \\ \nonumber
\mathbf{u}_R &=& \mathbf{A}_R \cdot \mathbf{w} \bmod q
\end{eqnarray}
and
\begin{eqnarray} \nonumber
\mathbf{c}_{\mathsf{oa}}^{(1)} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}}^\top \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_m
\mathbf{c}_{\mathsf{oa}}^{(1)} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}}^T \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_m
\end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\mathsf{oa}} \\ \hline \mathbf{y}_{\mathsf{oa}} \end{bmatrix} , \qquad \quad \\ \label{rel-trois}
\mathbf{c}_{\mathsf{oa}}^{(2)} &=&
\left[ \begin{array}{c|c} (\mathbf{B}_\OA + \mathbf{H}_\vk \cdot \mathbf{G} )^\top \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_{\bar{m}}
\left[ \begin{array}{c|c} (\mathbf{B}_\OA + \mathbf{H}_\vk \cdot \mathbf{G} )^T \cdot \mathbf{H}_{n,q-1} ~& ~ \mathbf{I}_{\bar{m}}
\end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\mathsf{oa}} \\ \hline \mathbf{z}_{\mathsf{oa}} \end{bmatrix} , \qquad \quad \\ \nonumber
\mathbf{c}_{\mathsf{oa}}^{(3)} &=&
\left[ \begin{array}{c|c|c} ~ \mathbf{V}^\top \cdot \mathbf{H}_{n,q-1} ~~& ~ ~ \mathbf{I}_m~~& ~~\mathbf{I}_m \cdot \lfloor \frac{q}{2} \rfloor ~
\left[ \begin{array}{c|c|c} ~ \mathbf{V}^T \cdot \mathbf{H}_{n,q-1} ~~& ~ ~ \mathbf{I}_m~~& ~~\mathbf{I}_m \cdot \lfloor \frac{q}{2} \rfloor ~
\end{array} \right] \cdot \begin{bmatrix} \mathbf{s}_{0,\mathsf{oa}} \\ \hline \mathbf{x}_{\mathsf{oa}} \\ \hline \mathbf{t}_{\mathsf{U}} \end{bmatrix} .
\end{eqnarray}
The protocol is repeated $\kappa$ times to make the soundness error negligibly small.
@ -944,17 +1030,17 @@ such that the following system of $10$ equations holds:
+ (-\mathbf{D})\cdot\mathbf{w}_\textsf{U} \bmod q, \\[5pt]
\mathbf{0} = \mathbf{H}_{n, q-1}\cdot \mathbf{w}_\textsf{U} + (-\mathbf{D}_0)\cdot \mathbf{r} + (-\mathbf{D}_1)\cdot \mathbf{t}_\textsf{U} \bmod q, \\[5pt]
\mathbf{0} = \mathbf{H}_{2n,q-1}\cdot \mathbf{t}_\textsf{U} + (-\mathbf{F})\cdot\mathbf{b}_\textsf{U}\bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(1)} = (\bar{\mathbf{A}}^\top\cdot \mathbf{H}_{n,q-1}) \cdot \mathbf{s}_{0,\rec} + \mathbf{I}_m\cdot \mathbf{y}_{\rec} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(2)} = \mathbf{Q}\cdot \mathbf{z}_{\mathbf{\Psi}} + (\mathbf{G}^\top\cdot \mathbf{H}_{\vk}^\top \cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\rec} + \mathbf{I}_{\bar{m}} \cdot \mathbf{z}_{\rec} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(3)} = (\mathbf{U}^\top\cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\rec} + \mathbf{I}_m\cdot \mathbf{x}_{\rec} + (\lfloor \frac{q}{2}\rfloor\cdot \mathbf{I}_m)\cdot \mathbf{w} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(1)} = (\bar{\mathbf{A}}^T\cdot \mathbf{H}_{n,q-1}) \cdot \mathbf{s}_{0,\rec} + \mathbf{I}_m\cdot \mathbf{y}_{\rec} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(2)} = \mathbf{Q}\cdot \mathbf{z}_{\mathbf{\Psi}} + (\mathbf{G}^T\cdot \mathbf{H}_{\vk}^T \cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\rec} + \mathbf{I}_{\bar{m}} \cdot \mathbf{z}_{\rec} \bmod q, \\[5pt]
\mathbf{c}_{\rec}^{(3)} = (\mathbf{U}^T\cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\rec} + \mathbf{I}_m\cdot \mathbf{x}_{\rec} + (\lfloor \frac{q}{2}\rfloor\cdot \mathbf{I}_m)\cdot \mathbf{w} \bmod q, \\[5pt]
\mathbf{u}_R = \mathbf{A}_R\cdot \mathbf{w} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(1)} = (\bar{\mathbf{A}}^\top \cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\mathsf{oa}} + \mathbf{I}_m\cdot \mathbf{y}_{\mathsf{oa}} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(2)} = [(\mathbf{B}_{\OA} + \mathbf{H}_{\vk}\cdot \mathbf{G})^\top\cdot \mathbf{H}_{n,q-1}]\cdot \mathbf{s}_{0,\mathsf{oa}} + \mathbf{I}_{\bar{m}}\cdot \mathbf{z}_{\mathsf{oa}} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(3)} = (\mathbf{V}^\top\cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0, \mathsf{oa}} + \mathbf{I}_m\cdot \mathbf{x}_{\mathsf{oa}} + (\lfloor \frac{q}{2}\rfloor\cdot \mathbf{I}_m)\cdot \mathbf{t}_{\mathsf{U}} \bmod q.
\mathbf{c}_{\mathsf{oa}}^{(1)} = (\bar{\mathbf{A}}^T \cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0,\mathsf{oa}} + \mathbf{I}_m\cdot \mathbf{y}_{\mathsf{oa}} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(2)} = [(\mathbf{B}_{\OA} + \mathbf{H}_{\vk}\cdot \mathbf{G})^T\cdot \mathbf{H}_{n,q-1}]\cdot \mathbf{s}_{0,\mathsf{oa}} + \mathbf{I}_{\bar{m}}\cdot \mathbf{z}_{\mathsf{oa}} \bmod q, \\[5pt]
\mathbf{c}_{\mathsf{oa}}^{(3)} = (\mathbf{V}^T\cdot \mathbf{H}_{n,q-1})\cdot \mathbf{s}_{0, \mathsf{oa}} + \mathbf{I}_m\cdot \mathbf{x}_{\mathsf{oa}} + (\lfloor \frac{q}{2}\rfloor\cdot \mathbf{I}_m)\cdot \mathbf{t}_{\mathsf{U}} \bmod q.
\end{cases}
\end{eqnarray}
Let $\mathbf{w}_1 = \mathbf{b}_{\mathsf{U}}$, $\mathbf{w}_2 = \mathbf{s}_{0,\rec}$, $\mathbf{w}_3 = \mathbf{z}_{\mathbf{\Psi}} = \expandtimes (\mathbf{b}_{\mathsf{U}},\mathbf{s}_{0,\rec})$, $\mathbf{w}_4 = \mathbf{w}_{\mathsf{U}}$, $\mathbf{w}_5 = \mathbf{t}_{\mathsf{U}}$,
$\mathbf{w}_6 = \mathbf{s}_{0,\mathsf{oa}}$, $\mathbf{w}_7 = \mathbf{w}$, $\mathbf{w}_8 = \mathbf{x}_{\rec}$, $\mathbf{w}_9 = \mathbf{y}_{\rec}$, $\mathbf{w}_{10} = \mathbf{z}_{\rec}$, $\mathbf{w}_{11} = \mathbf{r}$, $\mathbf{w}_{12} = \mathbf{x}_{\mathsf{oa}}$, $\mathbf{w}_{13} = \mathbf{y}_{\mathsf{oa}}$, $\mathbf{w}_{14}= \mathbf{z}_{\mathsf{oa}}$ and $$\mathbf{w}_{15}= \big(\hspace*{1.5pt}\mathbf{d}_1^\top \hspace*{1.5pt}\|\hspace*{1.5pt} \mathbf{d}_2^\top \hspace*{1.5pt}\|\hspace*{1.5pt} \tau[1]\hspace*{-1.5pt}\cdot\hspace*{1.5pt}\mathbf{d}_2^\top \hspace*{1.5pt}\| \ldots \|\hspace*{1.5pt} \tau[\ell]\hspace*{-1.5pt}\cdot\hspace*{1.5pt}\mathbf{d}_2^\top\hspace*{1.5pt}\big)^\top.$$
$\mathbf{w}_6 = \mathbf{s}_{0,\mathsf{oa}}$, $\mathbf{w}_7 = \mathbf{w}$, $\mathbf{w}_8 = \mathbf{x}_{\rec}$, $\mathbf{w}_9 = \mathbf{y}_{\rec}$, $\mathbf{w}_{10} = \mathbf{z}_{\rec}$, $\mathbf{w}_{11} = \mathbf{r}$, $\mathbf{w}_{12} = \mathbf{x}_{\mathsf{oa}}$, $\mathbf{w}_{13} = \mathbf{y}_{\mathsf{oa}}$, $\mathbf{w}_{14}= \mathbf{z}_{\mathsf{oa}}$ and $$\mathbf{w}_{15}= \big(\hspace*{1.5pt}\mathbf{d}_1^T \hspace*{1.5pt}\|\hspace*{1.5pt} \mathbf{d}_2^T \hspace*{1.5pt}\|\hspace*{1.5pt} \tau[1]\hspace*{-1.5pt}\cdot\hspace*{1.5pt}\mathbf{d}_2^T \hspace*{1.5pt}\| \ldots \|\hspace*{1.5pt} \tau[\ell]\hspace*{-1.5pt}\cdot\hspace*{1.5pt}\mathbf{d}_2^T\hspace*{1.5pt}\big)^T.$$
Then system (\ref{eq:big-system-main-scheme}) can be rewritten as:
\begin{eqnarray}\label{eq:big-system-main-scheme-2}
\begin{cases}
@ -987,9 +1073,9 @@ It can be seen that the given group encryption scheme can be implemented in poly
The given group encryption scheme is correct with overwhelming probability.
We first remark that the scheme parameters are set up so that the two instances of the ABB identity-based encryption~\cite{ABB10} are correct. Indeed, during the decryption procedure of $\mathsf{DEC}(\mathsf{sk}_\USR, \mathbf{\Psi},L)$, we have:
\[
\mathbf{c}_{\rec}^{(3)} - \mathbf{E}_{\vk}^\top \cdot \begin{bmatrix} \mathbf{c}_{\rec}^{(1)} \\ \mathbf{c}_{\rec}^{(2)} \end{bmatrix} = \mathbf{x}_{\rec} - \mathbf{E}_{\vk}^\top \cdot \begin{bmatrix} \mathbf{y}_{\rec} \\ \mathbf{z}_{\rec} \end{bmatrix} + \mathbf{w}\cdot \left\lfloor \frac{q}{2} \right\rfloor.
\mathbf{c}_{\rec}^{(3)} - \mathbf{E}_{\vk}^T \cdot \begin{bmatrix} \mathbf{c}_{\rec}^{(1)} \\ \mathbf{c}_{\rec}^{(2)} \end{bmatrix} = \mathbf{x}_{\rec} - \mathbf{E}_{\vk}^T \cdot \begin{bmatrix} \mathbf{y}_{\rec} \\ \mathbf{z}_{\rec} \end{bmatrix} + \mathbf{w}\cdot \left\lfloor \frac{q}{2} \right\rfloor.
\]
Note that $\|\mathbf{x}_{\rec}\|_\infty$ and $\|\mathbf{y}_{\rec}\|_\infty$ are bounded by $B$, and $\|\mathbf{z}_{\rec}\|_\infty = \|\mathbf{R}_{\rec}^\top\cdot \mathbf{y}_{\rec}\|_\infty \leq \beta m B = \widetilde{\mathcal{O}}(n^2)$. Furthermore, the entries of the discrete Gaussian matrix $\mathbf{E}_{\vk}^\top$ are bounded by $\widetilde{\mathcal{O}}(\sqrt{n})$. Hence, the error term $\mathbf{x}_{\rec} - \mathbf{E}_{\vk}^\top \cdot \begin{bmatrix} \mathbf{y}_{\rec} \\ \mathbf{z}_{\rec} \end{bmatrix}$ is bounded by $\widetilde{\mathcal{O}}(n^{3.5})$ which is much smaller than $q/4 = \widetilde{\mathcal{O}}(n^4)$. As a result, the decryption algorithm returns $\mathbf{w}$ with overwhelming probability. The correctness of algorithm $\mathsf{OPEN}(\mathsf{sk}_{\OA}, \mathbf{\Psi},L)$ also follows from a similar argument.
Note that $\|\mathbf{x}_{\rec}\|_\infty$ and $\|\mathbf{y}_{\rec}\|_\infty$ are bounded by $B$, and $\|\mathbf{z}_{\rec}\|_\infty = \|\mathbf{R}_{\rec}^T\cdot \mathbf{y}_{\rec}\|_\infty \leq \beta m B = \widetilde{\mathcal{O}}(n^2)$. Furthermore, the entries of the discrete Gaussian matrix $\mathbf{E}_{\vk}^T$ are bounded by $\widetilde{\mathcal{O}}(\sqrt{n})$. Hence, the error term $\mathbf{x}_{\rec} - \mathbf{E}_{\vk}^T \cdot \begin{bmatrix} \mathbf{y}_{\rec} \\ \mathbf{z}_{\rec} \end{bmatrix}$ is bounded by $\widetilde{\mathcal{O}}(n^{3.5})$ which is much smaller than $q/4 = \widetilde{\mathcal{O}}(n^4)$. As a result, the decryption algorithm returns $\mathbf{w}$ with overwhelming probability. The correctness of algorithm $\mathsf{OPEN}(\mathsf{sk}_{\OA}, \mathbf{\Psi},L)$ also follows from a similar argument.
Finally, we note that if a certified group user honestly follows all the prescribed algorithms, then he should be able to compute valid witness-vectors to be used in the protocol $\langle \mathcal{P}, \mathcal{V}\rangle$, and he should be accepted by the verifier, thanks to the perfect completeness of the argument system in \cref{sse:stern}.
@ -1053,7 +1139,7 @@ The security results are explicited in the following theorems.
\noindent \textbf{Game $4$:} We now modify the generation of the challenge ciphertext $\Psi^\star$.
In this game, the challenger computes the ciphertext
$\mathbf{c}_{\oa}^\star$ as an ABB encryption under the identity $\vk^\star$ of a random $m$-bit string instead of a decomposition
$\mathsf{vdec}_{n,q-1}(\mathbf{h}_{\USR,b}) \in \{0,1\}^m$ of $\mathbf{h}_{\USR,b} = \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\USR,b}^\top) \in \ZZ_q^{2n}$. Since
$\mathsf{vdec}_{n,q-1}(\mathbf{h}_{\USR,b}) \in \{0,1\}^m$ of $\mathbf{h}_{\USR,b} = \mathbf{F} \cdot \mathsf{mdec}_{n,\bar{m},q}(\mathbf{B}_{\USR,b}^T) \in \ZZ_q^{2n}$. Since
the random encryption coins $\mathbf{s}_{\oa}^\star, \mathbf{R}_{\oa}^\star ,\mathbf{x}_{\oa}^\star, \mathbf{y}_{\oa}^\star $ are no longer used to generate proofs
$\pi_{\Psi^\star}$, we can show that any noticeable change in $\adv$'s output distribution implies
a selective adversary against the ABB IBE, as established by Lemma \ref{ABB-un}, which would contradict the $\LWE$ assumption.
@ -1130,7 +1216,7 @@ we can assess % corresponds to \SFGame 3.
\[ \mathsf{PP} = \big(\bar{\mathbf A}, \mathbf B, \mathbf U \big) \in \Zq^{n \times m} \times \Zq^{n \times \bar{m}} \times \Zq^{n \times m} \]
from its real-or-random (ROR) challenger.
Our reduction uses $\mathsf{PP}$ to compute public parameters for our $\GE$ scheme. To this end, it samples $\mathbf F \sample U(\Zq^{2n \times n \bar{m}k})$,
Our reduction uses $\mathsf{PP}$ to compute public parameters for our $\mathsf{GE}$ scheme. To this end, it samples $\mathbf F \sample U(\Zq^{2n \times n \bar{m}k})$,
$\mathbf V \sample U(\Zq^{n\times m})$ as in the real $\mathsf{SETUP}_\mathsf{init}$ algorithm.
The reduction $\bdv$ also computes $\mathbf B_\OA =\bar{\mathbf{A}} \cdot \mathbf T_\OA \bmod q $,
where the small-norm matrix $\mathbf{T}_\OA$ is sampled from $D_{\ZZ,\sigma}^{m \times \bar{m}}$, and sends $\adv$ the parameters
@ -1314,7 +1400,7 @@ $\pk_{\mathcal{R}}=(\mathbf{A}_{{R}},\mathbf{u}_{R}) \in \ZZ_q^{n \times m} \tim
$\Psi^\star= (\vk^\star,\mathbf{c}_{\rec}^\star, \mathbf{c}_{\oa}^\star, \Sigma^\star)$, a label $L$ and produce a convincing proof $\pi_{\Psi^\star}$ such that either
\begin{enumerate}
\item $\mathbf{c}_{\oa}^\star$ does not decrypt to a string $\mathbf{h} \in \{0,1\}^m$ such that $\mathbf{h}_{\USR} = \mathbf{H}_{2n,q-1} \cdot \mathbf{h} \in \ZZ_q^{2n}$ coincides
with $\mathbf{h}_{\USR} = \mathbf{F} \cdot \mathsf{mdec}_{n,m,q}(\mathbf{B}_{\USR}^\top)$ for some $\pk_{\USR}=\mathbf{B}_{\USR} \in \ZZ_q^{n \times \bar{m}}$ appearing in $\mathsf{database}$.
with $\mathbf{h}_{\USR} = \mathbf{F} \cdot \mathsf{mdec}_{n,m,q}(\mathbf{B}_{\USR}^T)$ for some $\pk_{\USR}=\mathbf{B}_{\USR} \in \ZZ_q^{n \times \bar{m}}$ appearing in $\mathsf{database}$.
\item $\mathbf{c}_{\oa}^\star$ opens to a certified public key $\pk_{\USR}=\mathbf{B}_{\USR} \in \ZZ_q^{n \times \bar{m}}$, which belongs to $\mathsf{database}$ (and for which a certificate
was issued), but $\mathbf{B}_{\USR} $ is outside the language $\mathcal{PK}$ of valid public keys. This case is immediately ruled out
by the density of the public key space.
@ -1326,10 +1412,10 @@ $\Psi^\star= (\vk^\star,\mathbf{c}_{\rec}^\star, \mathbf{c}_{\oa}^\star, \Sigma^
$\mathbf{u}_R= \mathbf{A}_R \cdot \mathbf{w} \bmod q$.
\item The opening algorithm fails to uniquely identify the receiver. This occurs if $\mathbf{c}_{\oa}^\star$ decrypts to a string $\mathbf{h} \in \{0,1\}^m$ such that $\mathbf{h}_{\USR}' = \mathbf{H}_{2n,q-1} \cdot \mathbf{h} \in \ZZ_q^{2n}$ corresponds to
at least two distinct public keys $\mathbf{B}_{\USR,0} ,\mathbf{B}_{\USR,1} \in \ZZ_q^{n \times \bar{m}}$ which satisfy
$$\mathbf{h}_{\USR}' = \mathbf{F} \cdot \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,0}^\top ) \bmod q=\mathbf{F} \cdot \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,1}^\top ) \bmod q. $$
$$\mathbf{h}_{\USR}' = \mathbf{F} \cdot \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,0}^T ) \bmod q=\mathbf{F} \cdot \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,1}^T ) \bmod q. $$
Since $\mathsf{mdec}_{n,\bar{m},q}(.) : \ZZ_q^{\bar{m} \times n} \rightarrow \{0,1\}^{n \bar{m} k}$ is an injective function, the above equality necessarily implies a
collision for the $\mathsf{SIS}$-based hash function built upon $\mathbf{F} \in \ZZ_q^{2n \times n \bar{m} k}$: namely,
$$ \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,0}^\top ) - \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,1}^\top ) ~~\in \{-1,0,1\}^{n\bar{m} k} $$
$$ \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,0}^T ) - \mathsf{mdec}_{n ,\bar{m},q}(\mathbf{B}_{\USR,1}^T ) ~~\in \{-1,0,1\}^{n\bar{m} k} $$
is a short non-zero vector of $\Lambda_q^\perp (\mathbf{F})$.
\end{enumerate}
Having shown that cases \textit{b} and \textit{d} cannot occur if the $\mathsf{SIS}$ assumption holds, we only need to consider cases \textit{a} and \textit{c}. The computational soundness of the argument system ensures that, by replaying
@ -1340,7 +1426,7 @@ the knowledge extractor will be able to extract either:
\begin{eqnarray*}
\left\{
\begin{array}{l}
\tau \in \{0,1\}^\ell, ~\mathbf{d}=[\mathbf{d}_1^\top | \mathbf{d}_2^\top ]^\top \in [-\beta,\beta]^{2m},~\mathbf{r} \in [-\beta,\beta]^m \\
\tau \in \{0,1\}^\ell, ~\mathbf{d}=[\mathbf{d}_1^T | \mathbf{d}_2^T ]^T \in [-\beta,\beta]^{2m},~\mathbf{r} \in [-\beta,\beta]^m \\
\mathbf{t}_{\USR} \in \{0,1\}^{m},~\mathbf{w}_{\USR} \in \{0,1\}^{\bar{m}} \\
\mathbf{b}_{\USR} \in \{0,1\}^{n \bar{m} k}, ~\mathbf{s}_{0,\rec} \in \{0,1\}^{nk}, ~
\mathbf{z}_{\mathbf{\Psi}} \in \{0,1\}^{4n \bar{m} k^2}

View File

@ -25,7 +25,7 @@ In particular, the cost of moving to dynamic group is reasonable: while using th
Signature & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda + \log^2 N_\mathsf{gs})$ & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $\widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ & $ \widetilde{\mathcal{O}}(\lambda)\cdot \log N_\mathsf{gs}$ \\
\hline
\end{tabular}
\caption{Efficiency comparison among recent lattice-based group signatures for static groups and our dynamic scheme. The evaluation is done with respect to $2$ governing parameters: security parameter $\lambda$ and the maximum expected group size $N_\mathsf{gs}$. We do not include the earlier schemes~\cite{GKV10,CNR12} that have signature size $\widetilde{\mathcal{O}}(\lambda^2)\cdot N_\mathsf{gs}$.}
\caption[Comparison between recent lattice-based group signatures]{Efficiency comparison among recent lattice-based group signatures for static groups and our dynamic scheme. The evaluation is done with respect to $2$ governing parameters: security parameter $\lambda$ and the maximum expected group size $N_\mathsf{gs}$. We do not include the earlier schemes~\cite{GKV10,CNR12} that have signature size $\widetilde{\mathcal{O}}(\lambda^2)\cdot N_\mathsf{gs}$.}
\label{table:lattice-gs-comparison}
\end{table}
@ -81,7 +81,6 @@ the user's capability of efficiently proving knowledge of the underlying secret
Given the state of $\NIZK$ proofs in the lattice setting, it seems hard to provide group signature schemes in the standard model.
In the forthcoming sections, we first provide the description of our signature with efficient protocols; then a description of our dynamic group signature will be given and finally, we will explain how to use the Stern abstraction of \cref{sse:stern} to provide the required zero-knowledge arguments.
\section{A Lattice-Based Signature with Efficient Protocols} \label{se:gs-lwe-sigep}

View File

@ -51,8 +51,7 @@ This section recalls the syntax and the security definitions of dynamic group s
\begin{figure}
\centering
\input fig-gs-relations
\caption{Relations between the protagonists in a dynamic group signature
scheme}
\caption{Relations between the protagonists in a dynamic group signature scheme.}
\label{fig:gs-relations}
\end{figure}

View File

@ -1,9 +1,132 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\chapter{Lattice-Based Oblivious Transfer with Access Control}
%\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
%\label{ch:ot-lwe}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{comment}
\section{Introduction}
\end{comment}
Oblivious transfer ($\mathsf{OT}$) is a central cryptographic primitive coined by Rabin~\cite{Rab81} and extended by Even \textit{et al.} \cite{EGL85}.
It involves a
sender $\mathsf{S}$ with a database of messages $M_1, \ldots, M_N$ and a receiver $\mathsf{R}$ with an index $\rho \in \{1,\ldots,N\}$. The
protocol allows $\mathsf{R}$ to retrieve the $\rho$-th entry $M_{\rho}$ from $\mathsf{S}$ without letting $\mathsf{S}$ infer anything
on $\mathsf{R}$'s choice $\rho$. Moreover, $\mathsf{R}$ only obtains $M_{\rho}$ learns nothing about $\{M_i\}_{i \neq \rho}$.
In its adaptive flavor \cite{NP99}, $\mathsf{OT}$ allows the receiver to interact $k$ times with $\mathsf{S}$ to retrieve
$M_{\rho_1},\ldots,M_{\rho_k}$ in such a way that, for each index $i \in \{2,\ldots,k\}$, the $i$-th index $\rho_{i} $ may depend on the messages
$M_{\rho_1},\ldots,M_{\rho_{i-1}}$ previously obtained by $\mathsf{R}$.
$\mathsf{OT}$ is known to be a complete building block for cryptography (as for example, \cite{GMW87}) in that, if it can be realized, then
any secure multiparty computation can be. In its adaptive variant, $\mathsf{OT}$ is motivated by applications in privacy-preserving access
to sensitive databases (e.g., medical records or financial data) stored in encrypted form on remote servers, oblivious searches or location-based
services.
As far as efficiency goes, adaptive $\mathsf{OT}$ protocols should be designed in such a way that, after an inevitable initialization phase with
linear communication complexity in $N$ and the security parameter $\lambda$, the complexity of each transfer is at most poly-logarithmic in $N$. At the same time, this asymptotic efficiency should not come at the expense of sacrificing ideal security properties.
The most efficient adaptive $\mathsf{OT}$ protocols that satisfy the latter criterion stem from the work of Camenisch, Neven and shelat
\cite{CNS07} and its follow-ups \cite{GH07,GH08,GH11}.
In its basic form, (adaptive) $\mathsf{OT}$ does not restrict in any way the population of users who can obtain specific records. In many
sensitive databases (e.g., DNA databases or patients' medical history),
however, not all users should be able to download all records: it is vital access to certain entries be conditioned on the receiver holding suitable credentials delivered by authorities. At the same time, privacy protection mandates that authorized users be able to query database records while
leaking as little as possible about their interests or activities. In medical datasets, for example, the specific entries retrieved by a given doctor
could reveal which disease his patients are suffering from. In financial or patent datasets, the access pattern of a company could betray its investment
strategy or the invention it is developing.
In order to combine user-privacy and fine-grained database security, it is thus desirable to enrich adaptive $\mathsf{OT}$ protocols with refined access control mechanisms in many of their natural use cases.
This motivated Camenisch, Dubovitskaya and Neven \cite{CDN09} to introduce
a variant
named \textit{ oblivious transfer with access control} (OT-AC), where each database record is protected by a different access control policy $P : \{0,1\}^\ast
\rightarrow \{0,1\}$.
Based on their attributes, users can obtain credentials generated by pre-determined authorities, which entitle them to anonymously retrieve database records of which the access policy accepts their certified attributes: in other words, the user can only download the records for which he has a
valid credential $\mathsf{Cred}_x$ for an attribute string $x \in \{0,1\}^\ast$ such that
$P(x)=1$. During the transfer phase, the user demonstrates possession of a pair $(\mathsf{Cred}_x,x)$ and simultaneously
convinces the sender that he is querying some record $M_{\rho}$ associated with a policy $P$ such that $P(x)=1$. The only
information that the database holder eventually learns is that some user retrieved some record which he was authorized to obtain.
Camenisch \textit{et al.} formalized the OT-AC primitive and provided a construction in groups with a bilinear map \cite{CDN09}.
While efficient, their solution ``only'' supports access policies consisting of conjunctions: each policy $P$ is specified by a list
of attributes that a given user should obtain a credential for in order to complete the transfer. Several subsequent works
\cite{ZAW+10,CDNZ11,CDEN12}
considered more expressive access policies while even hiding the access policies in some cases \cite{CDNZ11,CDEN12}. Unfortunately,
all of them rely on non-standard assumptions (known as ``$q$-type assumptions'' as described in~\cref{ch:proofs}) in groups with a bilinear maps. For the sake of not putting
all one's eggs in the same basket, a primitive as powerful as OT-AC ought to have alternative realizations based on firmer foundations.
In this chapter, we propose a solution based on lattice assumptions where access policies consist of any branching program of width $5$,
which is known \cite{Bar86} to suffice for the realization of any access policy in $\mathsf{NC1}$. As a result of independent interest, we provide
protocols for proving the correct evaluation of a committed branching program. More precisely, we give zero-knowledge arguments for demonstrating possession of a secret input $\mathbf x \in \{0,1\}^\kappa$ and
a secret (and possibly certified) branching program $\BPR$ such that $\BPR(\mathbf x)=1$.
\index{Complexity classes!$\mathsf{NC}1$}
\paragraph{Related Work.}
Oblivious transfer with adaptive queries dates back to the work of Naor and Pinkas \cite{NP99}, which
requires $O( \log N)$ interaction rounds per transfer.
Naor and Pinkas \cite{NP05} also gave generic constructions of
(adaptive) $k$-out-of-$N$ OT from private information retrieval (PIR) \cite{CGKS95}. The constructions of~\cite{NP99,NP05}, however, are only secure in the half-simulation model, where simulation-based
security is only considered for one of the two parties (receiver security being formalized in terms of a game-based definition).
Moreover, the constructions of Adaptive OT from PIR \cite{NP05}
requires a complexity $O(N^{1/2})$ at each transfer where Adaptive OT allows for $O(\log N)$ cost.
Before 2007, many OT protocols (e.g., \cite{NP01,AIR01,tau05}) were analyzed in terms of half-simulation.
While several efficient fully simulatable protocols appeared the last 15 years (e.g., \cite{DN03,Lin08,PVW08} and references therein),
full simulatability
remained elusive in
the adaptive $k$-out-of-$N$ setting \cite{NP99} until the work~\cite{CNS07} of
Camenisch, Neven and shelat, who introduced the ``assisted decryption''
paradigm. The latter consists in having the sender obliviously decrypt a re-randomized version of one of the original ciphertexts contained in the database. This technique served as a blueprint for many subsequent protocols \cite{GH07,GH08,GH11,JL09}, including those with access control
\cite{CDN09,CDNZ11,CDEN12,ACDN13} and those presented in this chapter. In the adaptive $k$-out-of-$N$ setting (which we denote as \OTA),
the difficulty is to achieve full simulatability without having to transmit a $O(N)$ bits at each transfer. To our knowledge, except
the oblivious-PRF-based approach of Jarecki and Liu \cite{JL09},
all known fully simulatable \OTA protocols rely on bilinear maps\footnote{Several
pairing-free candidates were suggested in \cite{KPN10,KPN11} but, as pointed out in \cite{GH11},
they cannot achieve full simulatability in the sense of \cite{CNS07}. In particular, the sender can detect if the receiver fetches the same
record in two distinct transfers.
%The constructions of \cite{KN09} do achieve full simulatability but each transfer costs $\Theta(N)$ bits in terms
%of communication.
}. A recent work of D\"ottling \textit{et al.}~\cite{DFKS16} uses non-black-box techniques to realize $\LWE$-based $2$-round oblivious PRF (OPRF) protocols~\cite{FIPR05}. However, while fully simulatable OPRFs imply \cite{JL09}
fully simulatable adaptive OT, the OPRF construction of~\cite{DFKS16} does not satisfy the standard
notion of full simulation-based security against malicious adversaries (which is impossible to achieve in two rounds). It also relies on the full power of
homomorphic encryption, which we do not require.
A number of works introduced various forms of access control in OT. Priced OT \cite{AIR01}
assigns variable prices to all database records. In conditional OT \cite{DCOR99}, access to a record is made contingent on the user's secret
satisfying some predicate. Restricted OT \cite{Her11} explicitly protects each record with an independent access policy. Still, none of these
OT flavors aims at protecting the anonymity of users. The model of Coull, Green and Hohenberger \cite{CGH09} does consider user anonymity via stateful
credentials. For the applications of OT-AC, it would nevertheless require re-issuing user credentials at each transfer.
While efficient, the initial OT-AC protocol of Camenisch \textit{et al.} \cite{CDN09} relies on non-standard
assumptions in groups with a bilinear map and only realizes access policies made of conjunctions. Abe \textit{et al.} \cite{ACDN13}
gave a different protocol which they proved secure under more standard assumptions in the universal composability framework \cite{Can01}.
Their policies, however, remain limited to conjunctions. It was mentioned in \cite{CDN09,ACDN13}
that disjunctions and DNF formulas can be handled by duplicating database entries. Unfortunately, this approach rapidly
becomes prohibitively expensive in the case of $(t,n)$-threshold policies with $t \approx n/2$.
Moreover, securing the protocol against malicious senders
requires them to prove that
all duplicates encrypt the same message. More expressive policies were considered by Zhang \textit{et al.} \cite{ZAW+10} who
gave a construction based on attribute-based encryption \cite{SW05} that
extends to access policies expressed by any Boolean formulas (and thus $\mathsf{NC}1$ circuits).
Camenisch, Dubovitskaya, Neven and Zaverucha \cite{CDNZ11} generalized the OT-AC functionality so as
to hide the access policies. In \cite{CDEN12}, Camenisch \textit{et al.} gave a more efficient
construction with hidden policies based on the attribute-based