thesis/chap-OT-LWE.tex
2018-05-17 14:13:28 +02:00

965 lines
84 KiB
TeX

\section{Adaptive Oblivious Transfer}
\label{sec:def-OT}
In the syntax of \cite{CNs07}, an adaptive $k$-out-of-$N$ OT scheme $\OT_k^N$ is a tuple of stateful $\ppt$ algorithms $(\SI, \RI, \ST, \RT)$.
The sender $\mathsf{S}=(\SI,\ST)$ consists of two interactive algorithms $\SI$ and $\ST$ and the receiver has a similar representation as algorithms $\RI$ and $\RT$.
In the \textit{initialization phase}, the sender and the receiver run interactive algorithms $\SI$ and $\RI$, respectively, where $\SI$ takes as input messages $M_1, \ldots, M_N$ while $\RI$ has no input.
This phase ends with the two algorithms $\SI$ and $\RI$ outputting their state information $S_0$ and $R_0$ respectively.
During the $i$-th \textit{transfer}, $1 \leq i \leq k$, both parties run an interactive protocol via the $\RT$ and $\ST$ algorithms.
The sender starts runs $\ST(S_{i-1})$ to obtain its updated state information $S_i$ while the receiver runs $\RT(R_{i-1}, \rho_i)$ on input of its previous state $R_{i-1}$ and the index $\rho_i \in \{1, \ldots, N \}$ of the message it wishes to retrieve. At the end, $\RT$ outputs an updated state $R_i$ and a message $M'_{\rho_i}$.
\textit{Correctness} mandates that, for all $M_1, \ldots, M_N$, for all $\rho_1, \ldots, \rho_k \in [ N]$ and all coin tosses $\varpi$ of the (honestly run) algorithms, we have $M'_{\rho_i} = M_{\rho_i}$ for all $i$.
We consider protocols that are secure (against static corruptions) in the sense of simulation-based definitions. The security
properties against a cheating sender and a cheating receiver are formalized via the ``real-world/ideal-world'' paradigm. The
security definitions of \cite{CNs07} are recalled in the following Section.
\subsection{Security Definitions for Adaptive $k$-out-of-$N$ Oblivious Transfer} \label{def-AOT}
Security is defined via the ``real-world/ideal-world'' paradigm which was first introduced in the Universal Composability (UC) framework~\cite{Can01}. Like \cite{CNs07,CDN09}, however, we do not incorporate all the formalities of the UC framework.
We define two experiments: the \textbf{Real} experiment, where the two parties run the actual protocol, and the \textbf{Ideal} experiment wherein a \textit{trusted third party} assumes the role of the functionality.
The model of \cite{CNs07} formalizes two security notions called \textit{sender security} and \textit{receiver security}.
The former considers the security of honest senders against cheating senders whereas the latter considers the security of honest receivers interacting
with malicious senders.
For an adaptive OT protocol $\OT_k^N$ comprised of algorithms $(\SI, \ST, \RI, \RT)$, we denote define the honest sender $\mathsf S$ as the algorithm that runs
$\SI(M_1, \ldots, M_N)$ during the initialization phase, runs $\ST$ at each transfer and eventually returns $S_k = \epsilon$ as its final output.
Similarly, the honest receiver $\mathsf R$ is the algorithm that runs $\RI$ in the initialization phase, runs $\RT(R_{i-1}, \rho_i)$ during the $i$-th transfer and eventually returns $R_k = (M'_{\rho_1}, \ldots, M'_{\rho_k})$ as its final output.
\medskip
\paragraph{Real Experiment.}
Here, a sender $\hS$ and a receiver $\hR$ which proceed as follows for experiment $\textbf{Real\,}_{\hS, \hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$.\\ \smallskip
The sender $\hS$ is given messages $M_1, \ldots, M_N$ and interacts with $\hR$ which does not have any input in the initialization phase.
At end of the latter, $\hS$ and \hR output their initial states $S_0$ and $R_0$ respectively. Then, $\hS$ and \hR start $k$ sequential interactions:
for $i \in [k]$, in the $i$-th transfer, the sender $\hS$ and the receiver $\hR$ run $S_i \gets \hS(S_{i-1})$ and $(R_i, M'_{\rho_i}) \gets \hR(R_{i-1}, \rho_i)$, where $\rho_i \in [N]$ is a message index and $(S_i,R_i)$ denote updated states for $\hS$ and $\hR$, respectively.
Note that $M'_{\rho_i}$ may be different from $M_{\rho_i}$ if one of the participant deviates from the protocol. At the end of the $k$-th interaction, $\hS$ and $\hR$ output strings $S_k$ and $R_k$ respectively. The output of $\textbf{Real\,}_{\hS,\hR}$ is the pair $(S_k, R_k)$.
\smallskip
The honest sender $\mathsf{S}$ is the algorithm that runs $\mathsf{S}(M_1,\ldots,M_N)$ as in the initialization phase, runs $\mathsf{S}_\mathsf{T}$ in all subsequent interactions
and always outputs $S_k=\varepsilon$. The honest receiver $\mathsf{R}$ is the algorithm that runs $\mathsf{R}_\mathsf{I}$ in the initialization phase, runs
$\mathsf{R}_{\mathsf{T}}(\mathsf{R}_{i-1},\rho_i)$ at the $i$-th transfer and returns the list of received messages
$R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final output.
\medskip
\paragraph{Ideal Experiment.}
We define the experiment $\textbf{Ideal\,}_{\hS', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$ as follows.\\ \smallskip
The (possibly malicious) algorithm $\hS'(M_1, \ldots, M_N)$ generates messages $M'_1, \ldots, M'_N$ which are given to the trusted party $\mathsf{T}$. In each of the $k$ transfers, $\mathsf{T}$ obtains
a bit $b_i$ from the sender $\hS'$ and an index $\rho'_i$ from the (possibly malicious) receiver $\hR'(\rho_i)$. If $b_i = 1$, and
$\rho_i' \in [N]$,
then $\mathsf{T}$ reveals $M'_{\rho_i}$ to the receiver $\hR'$.
Otherwise, $\hR'$ receives $\bot$ from $\mathsf{T}$. At the end of the $k$-th transfer, $\hS'$ and $\hR'$ output a string $S_k$ and $R_k$ and
the
output of the experiment is the pair $(S_k, R_k)$.
The ideal sender $\mathsf{S}'(M_1,\ldots,M_N)$ is defined the be the sender that sends $(M_1,\ldots,M_N)$ which sends the messages
$(M_1,\ldots,M_N)$ to $\mathsf{T}$ in the initialization phase, sends $b_i=1$ in each transfer and outputs the final state $S_k=\varepsilon$. The honest
ideal receiver $\mathsf{R}'$ is defined to be the algorithm that sends $\mathsf{T}$ the real selection index $\rho_i$ at each transfer and eventually outputs
the list of all received messages $R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final state.
The bit $b_i$ sent by $\hS'$ at each transfer models its capability of making the transfer fail. By forcing $\hS'$ to choose $b_i$ without seeing
$\rho_i$, the definition prevents the cheating sender
$\hS'$ from deciding to cause a failure of the transfer for specific values of $\rho_i$.
\begin{definition}[Sender Security] \label{def:sender-sec}
An $\OT_k^N$ protocol is \textit{sender-secure} if, for any PPT real-world cheating receiver $\hR$, there exists a PPT ideal-world receiver $\hR'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can separate the two following distributions with noticeable advantage:
\[ \mathbf{Real}_{\mathsf{S},\hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
and
\[ \mathbf{Ideal}_{\mathsf{S}', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k). \]
\end{definition}
\begin{definition}[Receiver Security] \label{def:receiver-sec}
An $\OT_k^N$ protocol is \textit{receiver-secure} if, for any PPT real-world cheating sender $\hS$, there exists a PPT ideal-world sender $\hS'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can tell apart the two following distributions with non-negligible advantage:
\[ \mathbf{Real}_{\hS,\mathsf{R}}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
and
\[ \mathbf{Ideal}_{\hS', \mathsf{R}'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k). \]
\end{definition}
\subsection{Adaptive Oblivious Transfer with Access Control} \label{se:def-AC-OT}
Camenisch \textit{et al.} ~\cite{CDN09} define oblivious transfer with access control (OT-AC)
as a tuple of PPT algorithms/protocols $(\ISetup, \Issue, \DBSetup, \Transfer)$ such that:
\begin{description}
\item[$\ISetup$:] takes as inputs public parameters $\pp$ specifying a set $\mathcal{P}$ of access policies and generates a key pair $(PK_I, SK_I)$ for the issuer.
\item[$\Issue$:] is an interactive protocol between the issuer \textsf{I} and a stateful user $\USR$ under common input $(\pp, {x})$, where $x$ is an attribute string. The issuer \textsf{I} takes as inputs its key pair $(PK_I, SK_I)$ and a user pseudonym $P_\USR$. The user takes as inputs its state information $st_\USR$. The user $\USR$ outputs either an error symbol $\bot$ or a credential $\mathsf{Cred}_\USR$, and an updated state $st'_\USR$.
\item[$\DBSetup$:] is an algorithm that takes as input the issuer's public key $PK_I$, a database $DB = \left(M_i, \mathsf{AP}_i \right)_{i=1}^N$ containing records $M_i$ whose access is restricted by an access policy $\mathsf{AP}_i$ and outputs a database public key $PK_\mathsf{DB}$, an encryption of the records $(ER_i)_{i=1}^N$ and a database secret key $SK_\mathsf{DB}$.
\item[$\Transfer$:] is a protocol between the database $\mathsf{DB}$ and a user $\USR$ with common inputs $(PK_I, PK_\mathsf{DB})$. $\mathsf{DB}$ inputs $SK_\mathsf{DB}$ and
$\USR$ inputs $(\rho, st_\USR, ER_\rho, \mathsf{AP}_\rho)$, where $\rho \in [N]$ is a record index to which $\USR$ is requesting access. The interaction ends with $\USR$ outputting $\bot$ or a string $M_{\rho'}$ and an updated state $st'_\USR$.
\end{description}
We assume private communication links, so that communications between a user and the issuer are authenticated, and those between a user and the database are anonymized: otherwise, anonymizing the $\Transfer$ protocol is impossible.
The security definitions formalize two properties called \textit{user anonymity} and \textit{database security}. The former captures that the database should be unable to tell which {honest user} is making a query and neither can tell which records are being accessed. This should remain true even if the database colludes with corrupted users and the issuer. As for database security, the intuition is that a cheating user cannot access a record for which it does not have the required credentials, even when colluding with other dishonest users. In case the issuer is colluding with these cheating users, they cannot obtain more records from the database than they retrieve.
Similarly to the \OTA case, security is defined by requiring that any PPT real-world adversary $\mathcal A$ and any environment $\env$, there exists a PPT adversary $\mathcal A'$ which controls the same parties and such that no environment $\mathcal E$ can tell if it is
running in the real world interacting with the real $\mathcal A$ or in the ideal-world interacting with $\adv'$.
The distribution of outputs of the environment in the different settings is denoted by $\mathbf{Real}_{\mathcal{E}, \adv}(\lambda)$ and $\mathbf{Ideal}_{\mathcal E, \adv'}(\lambda)$ for real-world adversary $\adv$ and ideal-world adversary $\adv'$, respectively.
% This captures the security notions described in the above paragraph.
\medskip
\begin{definition}
An AC-OT protocol is said to securely implement the functionality if for any real-world adversary $\adv$ and any real world environment $\mathcal E$, there exists an ideal-world simulator $\mathcal A'$ controlling the same parties in the ideal-world as $\adv$ does in the real-world, such that
\[ | \mathbf{Real}_{\mathcal E, \adv}(\lambda) - \mathbf{Ideal}_{\mathcal{E}, \adv}(\lambda) | = \negl(\lambda). \]
\end{definition}
\paragraph{Real World.}
We describe the way that real-world algorithms interact when all participants (i.e., the real-world users $\USR_1,\ldots, \USR_{U}$, the database $\mathsf{DB}$ and the issuer $\mathsf{I}$) are honest. The issuer starts by generating a key pair $(PK_I, SK_I) \gets \mathsf{ISetup}(\pp)$, and sends $PK_I$ to all users $\{\USR_i\}_{i=1}^U$ and the database $\mathsf{DB}$.
When $\mathcal E$ sends a message $\bigl(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N\bigr)$ to the database $\mathsf{DB}$, the latter encrypts the database $\mathrm{DB}$ by running $\DBSetup$ and sends the encrypted records to all users.
When $\mathcal E$ sends a message $(\texttt{issue}, {x})$ to user $\USR_i$, this user starts an $\Issue$ protocol with the issuer on common input ${x}$, at the end of which it returns $1$ to the environment if the protocol succeeded or $0$ otherwise.
When $\mathcal E$ sends a message $(\texttt{transfer}, \rho)$ to user $\USR_i$, this user first checks if its credentials $\mathsf{Cred}_\USR$ are sufficient to access the record $M_\rho$. If it is the case, it engages in a $\Transfer$ protocol with the database $\mathsf{DB}$, at the end of which it receives either the message $M_\rho$, or an error symbol $\bot$. If it failed at any steps, the user returns $0$ to $\mathcal E$, or $1$ if it succeeded.
Notice that in this setting, neither the database nor the issuer return any outputs to the environment.
\medskip
\paragraph{Ideal World.}
In the ideal world, participants only communicate via the trusted party $\mathsf{T}$ which implements the functionality of the protocol. We describe how
$\mathsf{T}$ proceeds when receiving inputs from the ideal-world users $\{\USR'_i\}_{i=1}^U$, issuer $\mathsf{I}'$ and database $\mathsf{DB}'$. $\mathsf{T}$ maintains an initially empty set $C_i$ for each user $\USR'_i$ and sets $\mathrm{DB} \gets \bot$. It handles the queries of the different parties as follows:\\
\begin{itemize}
\item[$\bullet$ ] When receiving a message $(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N)$ from $\mathsf{DB}'$, $\mathsf{T}$ sets $\mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N$.
\item[ $\bullet$] When receiving $(\texttt{issue}, {x})$ from $\USR'_i$, $\mathsf{T}$ sends $(\texttt{issue}, \USR'_i, {x})$ to $\mathsf{I}'$ which
replies with a bit $b$. If $b=1$, then $\mathsf{T}$ adds ${x}$ to $C_i$. In any cases, $\mathsf{T}$ sends $b$ to $\USR'_i$.
\item[ $\bullet$ ] When receiving $(\texttt{transfer}, \rho)$ from $\USR'_i$, the trusted party $\mathsf{T}$ acts as follows. If $\USR_i'$ previously sent
a message of the form $(\texttt{transfer},.)$, $\mathsf{T}$ defines $f_{\USR',DB}=1$. Otherwise, it sets $f_{\USR',DB}=0$.
If $\mathrm{DB} \neq \bot$,
it sends $(\texttt{transfer},f_{\USR',DB})$ to $\mathsf{DB}'$, who sends a bit $b$. If $b=1$ and if $st_i$ contains a vector $\mathbf{x}$ such that $\mathsf{AP}_i({x})=1$, then it sends the record to $\USR'_i$. In any other cases, it sends $\bot$ to $\USR'_i$.
\end{itemize}
In other words, the ideal-world users, database and issuer relay inputs and outputs between the environment $\mathcal E$ and the trusted party $\mathsf{T}$.
Note that, like \cite{CDN09}, the ideal functionality allows the database to learn whether a given user interacts with the database for the first time or
not. The reason is that, like the protocol of \cite{CDN09}, our basic OT-AC scheme requires the database to provide a particular interactive zero-knowledge proof at the very first time each user queries the database.
In protocols where the database generates such an interactive proof, it is inevitable for $\USR$ to reveal his state bit $f_{DB}$ to $\mathsf{DB}$.
In constructions where the zero-knowledge proof is made non-interactive and made publicly available at the same time as the database itself,
this can be avoided and we can prevent $\mathsf{DB}$ from learning the state bit $f_{DB}$. In this case, $\mathsf{T}$ does not send $f_{\USR',DB}$ to $\mathrm{DB}'$ in
the ideal-world experiment.
\medskip
The ideal world thus implies the following security properties.
\begin{description}
\item[User Anonymity.] The database cannot tell which user a given query comes from and neither can it tell which record is being accessed.
It only learns whether the user previously queried the database or not. Otherwise, two transfers involving the same users are unlinkable.
%This is captured by the fact that the functionality is securely implemented whenever the database or the issuer is cheating.\\
\item[Database Security.] A single cheating user cannot access a record for which he does not have a certified authorized attribute string.
Colluding users cannot pool their credentials to gain access to a record which none of them can individually access.
Moreover, if the issuer colludes with some users, the protocol still provides the equivalent of sender security in the \OTA functionality.
%This is captured by the security of the scheme with an honest database.
\end{description}
\section{Building Blocks}
We will use two distinct signature schemes because one of them only needs to be secure in
the sense of a weaker security notion and can be more
efficient. This weaker notion is sufficient to sign the database entries and
allows a better efficiency in the scheme of Section \ref{OT-scheme}. In particular, by making
it stateful (which also suffices since all database entries are signed at once), we
can reduce the public key size to $\log N$ matrices if $N$ is the number of database entries. The second scheme must be stateful and secure in the
standard EUF-CMA sense since the issuer uses it to certify users' attributes. The
signature scheme of \cref{se:gs-lwe-sigep} is only used in the OT-AC protocol of Section \ref{OT-scheme}
while the scheme of Section \ref{RMA-sec} is used in the adaptive OT protocol of Section
\ref{OT-AC-scheme} as well.
We first use the signature scheme described in \cref{se:gs-lwe-sigep} which extends the
the B\"ohl \textit{et al.} signature~\cite{BHJ+15} in order to sign messages comprised of multiple blocks while keeping the scheme compatible with zero-knowledge proofs.
\subsection{A Simpler Variant with Bounded-Message Security and Security Against Non-Adaptive Chosen-Message Attacks} \label{RMA-sec}
We consider a stateful variant of the scheme in Section \ref{se:gs-lwe-sigep} where a bound $Q \in \mathsf{poly}(n)$ on the number of signed messages is fixed at key generation time. In the context of \OTA, this is sufficient and leads to efficiency improvements.
In the modified scheme hereunder, the string $\tau \in \{0,1\}^\ell$ is an $\ell$-bit counter maintained by the signer to keep track of the number of previously signed messages.
\begin{comment}
\begin{description}
\item[\textsf{Keygen}$(1^\lambda,1^N,1^Q)$:] Given a security parameter $\lambda>0$, the desired number of blocks $N = \mathsf{poly}(\lambda)$ and
the number $Q$ of messages to be signed, choose $n = \mathcal{O}(\lambda)$, a prime modulus $q = \widetilde{\mathcal{O}}(Q\cdot n^{4})$, a dimension $m =2n \lceil \log q \rceil $, an integer $\ell = \lceil \log Q \rceil$ and Gaussian parameters $\sigma = \Omega(\sqrt{n\log q}\log n)$. The message space is
$(\{0,1\}^{m_d})^N$, for some $m_d \in \mathsf{poly}(\lambda)$.
\smallskip \smallskip
\begin{itemize}
\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$.
\item[2.] Choose random matrices $\mathbf{D} \sample U(\Zq^{n \times m_d})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_N \sample U(\Zq^{n \times m})$ as well as a random vector
$\mathbf{u} \sample U(\Zq^n)$. \smallskip
\end{itemize}
The initial state $\tau$ is set to $\tau=0$. The private key consists of $SK:=
\mathbf{T}_{\mathbf{A}} $ and the public key is $${PK}:=\big( \mathbf{A}, ~
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big).$$
% \smallskip
\item[\textsf{Sign}$\big(SK,\tau, \mathsf{Msg} \big)$:] To sign an $N$-block message
$\mathsf{Msg}=\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right) \in \left(\{0,1\}^{m_d} \right)^N$, \smallskip
\begin{itemize}
\item[1.] Increment the counter $\tau $ by setting $\tau:=\tau+1$ and interpret it as a binary string $\tau \in \{0,1\}^\ell $. Then, using $SK:=
\mathbf{T}_{\mathbf{A}} $, compute a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$
for the matrix
\begin{eqnarray} \label{tau-matrix}
\mathbf{A}_{\tau}=
[ \mathbf{A} \mid \mathbf{A}_0 +
\sum_{j=1}^\ell \tau[j] \cdot \mathbf{A}_j
] \in \Zq^{ n \times 2m}.
\end{eqnarray}
\item[2.] Choose a discrete Gaussian vector $\mathbf{r} \sample D_{\ZZ^{m},\sigma }$. Compute the vector $\mathbf{c}_M \in \Zq^{n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$. Namely, compute
$$\mathbf{c}_M = \mathbf{D}_{0} \cdot \mathbf{r} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{n} ,$$
which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \mathsf{vdec}_{n,q-1}( \mathbf{c}_M) \in \Zq^n .$
Then,
using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$.
\end{itemize}
Output the signature $sig=(\tau,\mathbf{v},\mathbf{r}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^m$. \smallskip
\item[\textsf{Verify}$\big(PK,\mathsf{Msg},sig\big)$:] Given $PK$, a message $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^{m})^N$ and a purported
signature $sig=(\tau,\mathbf{v},\mathbf{r}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{m}$,
return $1$ if
\begin{eqnarray} \label{ver-eq-block}
\mathbf{A}_{\tau} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathsf{vdec}_{n,q-1}( \mathbf{D}_0 \cdot \mathbf{r} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q.
\end{eqnarray}
and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, $\| \mathbf{r} \| < \sigma \sqrt{m}$.
\end{description}
\end{comment}
This simplified variant resembles
the $\mathsf{SIS}$-based signature scheme of B\"ohl \textit{et al.} \cite{BHJ+15}. \\
\indent In this version, the message space is $ \{0,1\}^{n \lceil \log q \rceil} $ so that vectors of $\Zq^n$ can be signed by first decomposing them using
$\mathsf{vdec}_{n,q-1}(.)$.
\begin{description}
\item[\textsf{Keygen}$(1^\lambda,1^Q)$:] Given $\lambda>0$ and the maximal number $Q \in \mathsf{poly}(\lambda)$ of signatures, choose $n = \mathcal{O}(\lambda)$, a prime $q = \widetilde{\mathcal{O}}(Q \cdot n^{4})$, $m =2n \lceil \log q \rceil $, an integer $\ell = \lceil \log Q \rceil$ and Gaussian parameters $\sigma = \Omega(\sqrt{n\log q}\log n)$. The message space is $ \{0,1\}^{m_d} $, for some $m_d \in \mathsf{poly}(\lambda)$ with $m_d \geq m$.
\smallskip \smallskip
\begin{itemize}
\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A}),$ which allows sampling short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
\item[2.] Choose $\mathbf{D} \sample U(\Zq^{n \times m_d})$ as well as a random vector
$\mathbf{u} \sample U(\Zq^n)$. \smallskip \smallskip
\end{itemize}
The counter $\tau$ is initialized to $\tau=0$. The private key consists of $SK:=
\mathbf{T}_{\mathbf{A}} $ and the public key is ${PK}:=\big( \mathbf{A}, ~
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~\mathbf{D}, ~\mathbf{u} \big).$
% \smallskip
\item[\textsf{Sign}$\big(SK, \tau, \mathfrak{m} \big)$:] To sign a message $\mathfrak{m} \in \{0,1\}^{m_d}$, \smallskip
\begin{itemize}
\item[1.] Increment the counter by setting $\tau:=\tau+1$ and interpret it as a string $\tau \in \{0,1\}^\ell $. Then, using $SK:=
\mathbf{T}_{\mathbf{A}} $, compute a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$
for the matrix
%\begin{eqnarray} \label{tau-matrix}
$ \mathbf{A}_{\tau}=
[ \mathbf{A} \mid \mathbf{A}_0 +
\sum_{j=1}^\ell \tau[j] \mathbf{A}_j
] \in \Zq^{ n \times 2m}.$
%\end{eqnarray}
\item[2.] Compute the vector $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \mathfrak{m} \in \Zq^n .$
Then,
using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$.
\end{itemize}
Output the signature $sig=(\tau,\mathbf{v} ) \in \{0,1\}^\ell \times \ZZ^{2m} $. \smallskip
\item[\textsf{Verify}$\big(PK,\mathfrak{m},sig\big)$:] Given $PK$, $\mathfrak{m} \in \{0,1\}^{m_d}$ and a
signature $sig=(\tau,\mathbf{v}) \in \{0,1\}^\ell \times \ZZ^{2m} $,
return $1$ if $\| \mathbf{v} \| < \sigma \sqrt{2m}$ and
%\begin{eqnarray} \label{ver-eq-block-simple}
$ \mathbf{A}_{\tau} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathfrak{m} \bmod q.$
%\end{eqnarray}
\end{description}
For our purposes, the scheme only needs to satisfy a notion of bounded-message security under non-adaptive chosen-message
attack. In this relaxed model,
the adversary only obtains a
bounded number of signatures for messages that are chosen non-adaptively
(i.e., all at once and before seeing the public key) by the adversary. This
security notion is sufficient for signing the $N$ database entries. Note that the queries are
non-adaptive but the adversary can adaptively choose its forgery message.
\begin{theorem} \label{thm-version-3}
The scheme is bounded message secure under non-adaptive chosen-message attacks if the $\mathsf{SIS}$ assumption holds.
\end{theorem}
\begin{proof}
We show that the scheme presented in Section~\ref{RMA-sec} is secure against non-adaptive chosen-message attacks ({na-CMA}) under the $\SIS$ assumption.
The shape of the proof is similar to the security proof of the signature scheme of~\cref{se:gs-lwe-sigep}. Namely, to prove the security, we distinguish two kinds of attacks:
\begin{description}
\item[Type I attacks,] where in the adversary's forgery $sig^\star = (\tau^\star, \mathbf v^\star)$, $\tau^\star$ did not appear in any outputs of the signing oracle.
\item[Type II attacks,] where in the adversary's forgery $sig^\star = (\tau^\star, \mathbf v^\star)$, $\tau^\star$ has been recycled from an output $sig^{(i^\star)} = \bigl(\tau^{(i^\star)}, \mathbf v^{(i^\star)} \bigr)$ of the signing oracle for some query $i^\star \in \{ 1, \ldots, Q \}$.
\end{description}
\noindent
Lemma~\ref{le-type1-RMA} states that the signature scheme is secure against Type I forgery using the same technique as is~\cite{ABB10,Boy10,MP12}.
Lemma~\ref{le-type2-RMA} claims that the signature scheme resists Type II attacks, with a proof that is very similar to the one of Lemma~\ref{le-type1-RMA}. Both security proofs assume the computational hardness of the $\SIS$ problem.
\end{proof}
\begin{lemma}
The signature scheme of Section~\ref{RMA-sec} is secure against Type I attacks if the $\SIS_{n, m, q, \beta'}$ assumption holds, with $\beta' = \sigma^2 m^{3/2} (\ell + 2) + \sigma m^{1/2}$.
\label{le-type1-RMA}
\end{lemma}
\begin{proof}
Let $\adv$ be a $\ppt$ adversary against the \textsf{na-CMA} security of our scheme that mounts Type I attacks with non negligible success probability $\varepsilon$.
We construct a $\ppt$ algorithm $\bdv$ using $\adv$ to break the $\SIS_{n,m,q,\beta'}$ assumption.
Our reduction $\bdv$ takes as input a target matrix $\bar{\mathbf A} \in \ZZ_q^{n \times m}$ and computes $\mathbf v \in \Lambda_q^\perp(\bar{\mathbf A})$ satisfying $0 < \| \mathbf v \| \leq \beta'$.
\smallskip
At first, $\bdv$ calls $\adv$ to obtain the messages to be queried: $\mathfrak m^{(1)}, \ldots, \mathfrak m^{(Q)}$.
For the sake of readability, let us define $\tau^{(i)} = i$, viewed as a bit-string, to be the tag corresponding to the $i$-th signature in our scheme. \medskip
\noindent \textbf{Setup.} As in~\cite{HW09}, the reduction guesses the shortest prefix such that the string $\tau^\star$ embedded in $\adv$'s forgery differs from all prefixes to $\{\tau^{(1)}, \dots, \tau^{(Q)}\}$.
To achieve this, $\bdv$ chooses at random $i^\dag \sample U(\{1, \ldots, Q\})$ and $t^\dag \sample U(\{1, \ldots, \ell\})$.
Then, with probability $1/(Q \cdot \ell)$, the longest common prefix between $\tau^\star$ and one of the tags $\{ \tau^{(i)} \}_{i = 1}^{Q}$ is the string $\tau^\star[1] \cdots \tau^\star[t^\dag - 1] \in \bit^{t^\dag - 1}$: the first $(t^\dag - 1)$-th bits of $\tau^\star$.
Let us define $\tau^\dag = \tau^\star_{\mid t^\dag}$, where $s_{|i}$ denotes the $i$-th prefix for a string~$s$.
By construction $\tau^\dag \notin \{ \tau_{\mid t^\dag}^{(1)}, \ldots, \tau_{\mid t^\dag}^{(Q)} \}$ with probability $1/(Q \cdot \ell)$.
Next, the reduction $\bdv$ runs $\TrapGen(1^n, 1^m, q)$ to obtain matrices $\mathbf C \in \Zq^{n \times m}$ and a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of
$\Lambda_q^\perp(\mathbf C)$, which will be useful to answer the following opening oracle queries.
The reduction $\bdv$ continues by picking $\ell + 1$ matrices $\mathbf Q_0, \ldots, \mathbf Q_\ell \in \ZZ^{m \times m}$ where each matrix $\mathbf Q_i$ has its column independently sampled from
$D_{\ZZ^m, \sigma}$, and \bdv defines the matrices $\mathbf A=\bar{\mathbf A}$ and $\{\mathbf A_j\}_{j=0}^{\ell}$ as follows
\[\begin{cases}
\mathbf A_0 = \bar{\mathbf A} \cdot \mathbf Q_0 + \left( \sum_{j=1}^{t^\dag} \tau^\star[j] \right) \cdot \mathbf C \\
\mathbf A_j = \bar{\mathbf A} \cdot \mathbf Q_j + (-1)^{\tau^\star[j]} \cdot \mathbf C & \text{for $j \in [ 1, t^\dag ]$} \\
\mathbf A_j = \bar{\mathbf A} \cdot \mathbf Q_j & \text{for $j \in [t^\dag + 1, \ell]$}
\end{cases}.\]
We can notice that
\begin{align*}
\mathbf A_{\tau^{(i)}} & = \Bigr[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \mathbf A_j \Bigl] \\
& = \Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf Q_j\bigr) + \bigl(\sum_{j=1}^{t^\dag} \tau^\star[j] + (-1)^{\tau^\star[j]} \cdot \tau^{(i)}[j]\bigr) \cdot \mathbf C \Bigl] \\
& = \Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf Q_j\bigr) + h_{\tau^{(i)}} \cdot \mathbf C \Bigl],
\end{align*}
where $h_{\tau^{(i)}}$ denotes the hamming distance between $\tau^{(i)}_{\mid t^\dag}$ and $\tau^\dag$. With probability $1/(Q\cdot \ell)$, and as $\ell > q$, it holds that $h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{\mid t^\dag} \neq \tau^\star_{\mid t^\dag}$.
The reduction then picks a random short matrix $\mathbf R \sample \ZZ^{m \times m_d}$ which has its $m_d$ columns independently sampled from $D_{\ZZ^m, \sigma}$, and \bdv computes
\[ \mathbf D = \bar{\mathbf A} \cdot \mathbf R \in \ZZ_q^{n \times m_d}. \]
To finish, $\bdv$ samples a short vector $\mathbf e_u \in D_{\ZZ^m, \sigma}$ and computes the vector $\mathbf u = \bar{\mathbf A} \cdot \mathbf e_u$. The following public key is finally given to \adv:
\[ PK := (\mathbf A, \{ \mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u). \]
\noindent \textbf{Signing queries.} To handle signature queries, the reduction $\bdv$ uses the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ starts by computing the vector $\mathbf u_M = \mathbf u + \mathbf D \cdot \mathfrak m^{(i)}$.
Then $\bdv$ can use $\mathbf{T_C}$ with the algorithm \textsf{SampleRight} from Lemma~\ref{lem:sampler} to
compute a short vector $\mathbf v^{(i)}$ in $D_{\Lambda^\perp(\mathbf A_{\tau^{(i)}}), \sigma}^{\mathbf u_M}$, distributed like a
valid signature and satisfying the verification equation~\eqref{ver-eq-block}.
\medskip
\noindent \textbf{Output.} At some point, the attacker $\adv$ halts and outputs a \textit{valid} signature $sig^\star = (\tau^\star, \mathbf v^\star)$ for a message $\mathfrak m^\star \notin \{ \mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}\}$.
Since the signature is valid, it satisfies $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$.
\noindent Parsing $\mathbf v^\star$ as $[ \mathbf{v}_1^\star \mid \mathbf{v}_2^\star]$ with $\mathbf v_1^\star, \mathbf v_2^\star \in \ZZ^m$ and injecting it in~\eqref{ver-eq-block} give:
\begin{align*}
\Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^\star[j] \cdot \mathbf Q_j\bigr) \Bigl] \cdot \begin{bmatrix} \mathbf v_1^\star \\ \hline \mathbf v_2^\star \end{bmatrix}
& = \mathbf u + \mathbf D \cdot \mathfrak m^\star \mod q \\
& = \bar{\mathbf A} \cdot \bigl( \mathbf e_u + \mathbf R \cdot \mathfrak m^\star \bigr) \mod q
\end{align*}
Thus, the vector
\[ \mathbf v' = \mathbf v_1^\star + \bigl( \mathbf Q_0 + \sum_{j=1}^\ell \tau^\star[j] \cdot \mathbf Q_j \bigr) \cdot \mathbf v_2^\star - \mathbf e_u - \mathbf R \cdot \mathfrak m^\star \]
is in $\Lambda^\perp(\bar{\mathbf A})$, and $\mathbf v'$ is non-zero with overwhelming probabilities, since in $\adv$'s view, the distribution of $\mathbf e_u$ is
$D_{\Lambda^\mathbf u_q(\mathbf A), \sigma}$, which guarantees that $\mathbf e_u$ is statistically hidden by the syndrome $\mathbf u = \bar{\mathbf A} \cdot \mathbf e_u$.
Finally, the norm of $\mathbf v'$ is upper bounded by
$\beta' = \sigma^2 m^{3/2} (\ell + 2) + 2 \sigma m^{1/2}$.
\end{proof}
\begin{lemma}
The signature scheme of Section~\ref{RMA-sec} is secure against Type II attacks if $\SIS_{n,m,q,\beta''}$ holds, with $\beta'' = \sqrt 2 (\ell + 2) \sigma m^{3/2} + m^{1/2}$.
\label{le-type2-RMA}
\end{lemma}
\begin{proof}
We will prove this result using techniques analogous to the previous proof. We show that given an adversary $\adv$ that comes out with a Type II signature in the \textsf{na-CMA} game with non negligible probability $\varepsilon$, we can construct a PPT $\bdv$ that breaks the $\SIS$ assumption with advantage $\varepsilon/Q$ using $\adv$.
\medskip
\noindent Firstly, the reduction $\bdv$ is given a matrix $\mathbf{A} \in \Zq^{n \times m_d}$ as input and has to output an integer vector $\mathbf v \in \ZZ^{m_d}$ in $\Lambda^\perp_q(\mathbf{A})$ such that $0 < \| \mathbf v \| \leq \beta''$.
Next, $\bdv$ receives from $\adv$ the messages $\mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}$ for which $\adv$ will further ask signature queries.
\medskip
\noindent To compute the public key, at the outset of the game, the reduction $\bdv$ starts by sampling $i^\dag \sample U(\{1, \ldots, Q\})$ corresponding to the guess that $\adv$'s forgery will recycle $\tau^{(i\dag)}$.
This is independent of $\adv$'s view, and the guess will be correct with probability $1/Q$.
Using this guess to compute $PK$, the reduction $\bdv$ picks $h_0, \ldots, h_\ell \in \Zq$ subject to the constraints
% \medskip
% \noindent \textbf{\textsf{\GGame $0$}\,:}\; This is the real na-CMA game: at the beginning of the game, the adversary $\adv$ sends messages $\mathfrak m^{(0)}, \ldots, \mathfrak m^{(Q)}$ it wants to query signatures on.
% Then he receives $sig^{(i)} = (\tau^{(i)}, \mathbf v^{(i)})$ for each $i \in \{1, \dots, Q\}$ from the signing oracle.
% At the end of the game, the adversary \adv outputs a forgery $sig^\star = (\tau^\star, \mathbf v^\star)$ on a message $\mathfrak m^\star$.
% We let the adversary advantage be $\varepsilon = \Pr[W_0]$. Since $(\mathfrak m^\star, sig^\star)$ is a Type II forgery, there exists and index $i^\star \in \{1, \ldots, Q\}$ such that $\tau^\star = \tau^{(i^\star)}$.
% Notice that from the choice $\ell = \lceil \log Q \rceil$, it follows that there is no two queries with the same tag.
% \medskip
%
% \noindent \textbf{\textsf{\GGame $1$}\,:}\; This game is like \SFGame $1$ with the following difference: at the outset of the game, the challenger $\bdv$ chooses a random index $i^\dag \sample U(\{1, \ldots, Q\})$ which corresponds to a guess that $\adv$'s forgery will recycle $\tau^{(i^\dag)}$ to produce its forgery.
% At the end of the game, \adv outputs a Type II forgery $sig^\star = (\tau^\star, \mathbf v^\star)$. If $\tau^\star \neq \tau^{(i^\dag)}$, the challenger $\bdv$ aborts.
% Since the choice of $i^\dag$ in $\{1, \ldots, Q\}$ is independent of \adv's view, we have $\Pr[W_1] = \Pr[W_0]/Q$.
% \medskip
%
% \noindent \textbf{\textsf{\GGame $2$}\,:}\; In this game we modify the key generation phase of \SFGame $1$, along with the way to answer queries. First the challenger $\bdv$ picks $h_0, \ldots, h_\ell \in \Zq$ subject to the following constraints:
\begin{equation} \label{eq:h-constraints}
\begin{cases}
h_0 + \sum_{j=1}^\ell \tau^{(i^\dag)}[j] \cdot h_j = 0 \mod q & \\
h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0 \mod q & \forall i \in \{1, \ldots, Q\} \backslash \{i^\dag\}
\end{cases}
\end{equation}
\noindent \bdv then runs $(\mathbf C, \mathbf{T_C}) \gets \TrapGen(1^n, 1^m, q)$.
The resulting matrix $\mathbf C \in \Zq^{n \times m}$ is statistically random, and the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ is a short basis of $\Lambda^\perp_q(\mathbf C)$.
Next \bdv re-randomize $\mathbf{A}$ using short matrices $\mathbf S, \mathbf S_0, \mathbf S_1, \ldots, \mathbf S_\ell \in \ZZ^{m_d \times m}$ which are obtained by sampling their columns from the distribution $D_{\ZZ^{m_d}, \sigma}$.
The challenger $\bdv$ then uses these matrices to define:
\begin{align*}
\mathbf A &= \mathbf{A} \cdot \mathbf S \nonumber \\
\mathbf A_0 &= \mathbf{A} \cdot \mathbf S_0 + h_0 \cdot \mathbf C \label{eq:rel-rerand} \\
\mathbf A_j &= \mathbf{A} \cdot \mathbf S_j + h_j \cdot \mathbf C & j \in \{1, \ldots, \ell\} \nonumber
\end{align*}
and sets $\mathbf D = \mathbf{A} \in \ZZ_q^{n \times m_d}$. Observe that matrices $\mathbf{A},\{\mathbf{A}_j\}_{j=0}^\ell$ are all statistically uniform over $\ZZ_q^{n \times m}$.
Then, $\bdv$ samples short vectors ${\mathbf v_1^\dag, \mathbf v_2^\dag \sample D_{\ZZ^m, \sigma}}$ and computes $\mathbf u \in \Zq^n$ as
\begin{equation} \label{eq:rel-uM}
\mathbf u = \mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\dag} \\\hline \mathbf v_2^{\dag} \end{bmatrix} - \mathbf{A} \cdot \mathfrak m^{(i^\dag)} \mod q.
\end{equation}
\noindent Finally, $\bdv$ sends to $\adv$ the public key
\[ PK := \bigl( \mathbf A, \{\mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u \bigr) \]
which is distributed as the $PK$ of the real scheme.
\medskip
\noindent
\begin{comment}
We can notice that
\begin{align*}
\mathbf A_{\tau^{(i^\dag)}} &= \Bigl[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf A_j \Bigr] \\
&= \Bigl[ \mathbf D \cdot \mathbf S ~\Big|~ \mathbf D \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf S_j) \Bigr].
\end{align*}
\end{comment}
To answer signing queries, the challenger $\bdv$ do as follows.
\begin{itemize}
\item If the query is not the $i^\dag$-th, we have:
\begin{align*}
\mathbf A_{\tau^{(i)}} &= \Bigl[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=0}^\ell \tau^{(i)} [j] \cdot \mathbf A_j \Bigr] \\
&= \Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i)} [j] \cdot \mathbf S_j) + h_{\tau^{(i)}} \cdot \mathbf C \Bigr],
\end{align*}
with $h_{\tau^{(i)}} = h_0 + \sum \tau^{(i)}[j] \cdot h_j \neq 0$ due to the first constraint of~\eqref{eq:h-constraints}. Thus, using the same technique as in the previous proof from~\cite{MP12}, the challenger $\bdv$ can use the trapdoor $\mathbf{T_C}$ along with \textsf{SampleRight} algorithm to sample a short vector in $\Lambda_q^{\mathbf u_M}(\mathbf A_{\tau^{(i)}})$ satisfying~\eqref{ver-eq-block}.
\item At the $i^\dag$-th query, thanks to the second constraint of~\eqref{eq:h-constraints}, we have:
\begin{align*}
\mathbf A_{\tau^{(i^\dag)}} &= \Bigl[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf A_j \Bigr] \\
&= \Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf S_j) \Bigr].
\end{align*}
To answer this specific query, the challenger $\bdv$ returns $sig^{(i^\dag)} = (\tau^{(i^\dag)}, \mathbf v^{(i^\dag)})$ where $\mathbf v^{(i^\dag)} = ( \mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$ verifying~\eqref{eq:rel-uM}, which furthermore implies that $sig^{(i^\dag)}$ verifies~\eqref{ver-eq-block}.
\end{itemize}
\noindent Thus we claim that $\bdv$ can solve the $\SIS$ problem using the Type II forgery provided by $\adv$.
At the end of the game, the adversary outputs a valid signature $sig^\star = (\tau^{(i^\star)}, \mathbf v^\star)$ on a message $\mathfrak m^\star$ with $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$.
In the event that $\tau^{(i^\star)} \neq \tau^{i^\dag}$, the reduction aborts. The latter event happens with probability $1-1/Q$.
If we parse $\mathbf v^\star$ as $(\mathbf v_1^{\star, T} \mid \mathbf v_2^{\star T})^T \in \ZZ^{2m}$, with $\mathbf v_1^{\star}, \mathbf v_2^\star \in \ZZ^m$, it holds that:
\begin{equation} \label{eq:sub-rel-1}
\mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\star} \\\hline \mathbf v_2^{\star} \end{bmatrix} = \mathbf u + \mathbf{A} \cdot \mathfrak m^{\star} \mod q.
\end{equation}
According to the way $\mathbf u$ was defined at the beginning of the game, we also have a vector $\mathbf v^\dag = (\mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$ such that
\begin{equation} \label{eq:sub-rel-2}
\mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\dag} \\\hline \mathbf v_2^{\dag} \end{bmatrix} = \mathbf u + \mathbf{A} \cdot \mathfrak m^{\dag} \mod q.
\end{equation}
As $sig^\star$ is a valid forgery for the dn-CMA game, it follows that $m^\dag \neq m^\star$. And we get by subtracting \eqref{eq:sub-rel-1} and \eqref{eq:sub-rel-2}
\begin{align*}
\mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^\star - \mathbf v_1^{\dag} \\\hline \mathbf v_2^\star - \mathbf v_2^{\dag} \end{bmatrix} &= \mathbf{A} \cdot \left (\mathfrak m^{\star} - \mathfrak m^\dag \right) \mod q, \\
\Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf S_j) \Bigr]\cdot \begin{bmatrix} \mathbf v_1^\star - \mathbf v_1^{\dag} \\\hline \mathbf v_2^\star - \mathbf v_2^{\dag} \end{bmatrix} &= \mathbf{A} \cdot \left (\mathfrak m^{\star} - \mathfrak m^\dag \right) \mod q.
\end{align*}
Leading us to the fact that
\begin{equation} \label{eq:non-zero}
\mathbf v' = \underbrace{\mathbf S \cdot (\mathbf v_1^\star - \mathbf v_2^\dag) + \left( \mathbf S_0 + \sum_{j=1}^\ell \tau^{(i^\dag)}[j] \cdot \mathbf S_j \right) \cdot (\mathbf v_2^\star - \mathbf v_2^\dag)}_{(a)} + \underbrace{\mathfrak m^\dag - \mathfrak m^\star}_{-(b)}
\end{equation}
is an integer vector of $\Lambda_q^\perp(\mathbf{A})$, with norm bounded by $\| \mathbf v' \| \leq \sqrt 2 (\ell + 2) \sigma m^{3/2} + m^{1/2} = \beta''$.
Furthermore, if $\mathbf v'$ was zero, it implies that $(a) = (b)$ in Equation~\eqref{eq:non-zero}.
And as $sig^\star \neq sig^\dag$, we have that either $\mathbf v_1^\star \neq \mathbf v_1^\dag$ or $\mathbf v_2^\star \neq \mathbf v_2^\dag$.
As a consequence, $(a)$ is information theoretically unpredictable for $\adv$ since the columns of $\mathbf S, \mathbf S_0, \ldots \mathbf S_\ell$ are statistically hidden from $\adv$, as shown in~\cite{MP12} for instance: conditionally on the public key, each column of $\mathbf S$ and $\{\mathbf S_j\}_{j=0}^\ell$ has at least $n$ bits of min-entropy.
\end{proof}
\section{A Fully Simulatable Adaptive OT Protocol} \label{OT-scheme}
Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{CNs07}. The databases holder encrypts all entries
using a multi-bit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the well-formedness of its public key and all ciphertexts. In addition,
all ciphertexts are signed using a signature scheme. At each
transfer, the receiver statistically re-randomizes a blinded version of the desired ciphertext, where the blinding is done via the additive
homomorphism of Regev. Then, the receiver provides a witness indistinguishable (WI) argument that the modified ciphertext (which is
submitted for oblivious decryption) is
a transformation of one of the original ciphertexts by arguing knowledge of a signature on this hidden ciphertext. In response,
the sender obliviously decrypts the modified ciphertext and argues in zero-knowledge that the response is correct.
Adapting the technique of \cite{CNs07} to the lattice setting requires the following building blocks:
(i) A signature scheme allowing to sign ciphertexts while remaining compatible with ZK proofs; (ii) A ZK protocol allowing to prove knowledge of a signature on some hidden ciphertext which belongs to a public set and was transformed into a given ciphertext; (iii) A protocol for proving the correct decryption of a ciphertext; (iv) A method of statistically re-randomizing an $\LWE$-encrypted ciphertext in a way that enables oblivious decryption. The first three ingredients can be obtained from \cref{ch:gs-lwe}. Since component (i) only needs to be secure against random-message attacks as
long as the adversary obtains at most $N$ signatures, we use the simplified $\SIS$-based signature scheme
of Section \ref{RMA-sec}.
The statistical re-randomization of Regev ciphertexts is handled via the noise flooding technique \cite{AJL+12}, which consists in drowning the initial noise with a super-polynomially larger
noise. While recent results \cite{DS16,BDPMW16} provide potentially more efficient alternatives,
we chose the flooding technique for simplicity because it does not require the use of FHE (and also because
the known multi-bit version \cite{HAO15} of the GSW FHE~\cite{GSW13} incurs an \textit{ad hoc} circular security assumption).
\subsection{Description}
Our scheme works with security parameter $\lambda$, modulus $q$, lattice dimensions $n = \mathcal{O}(\lambda)$ and $m= 2 n \lceil \log q \rceil$. Let $B_\chi = \widetilde{\mathcal{O}}(\sqrt{n})$, and let $\chi$ be a $B_\chi$-bounded distribution. We also define an integer~$B$ as a randomization parameter such that $B= n^{\omega(1)}\cdot (m+1)B_\chi$ and $B+ (m+1)B_\chi \leq q/5$ (to ensure decryption correctness).
Our basic \OTA protocol goes as follows.
\begin{description}
\item[\textsf{Initialization}$\big(\mathsf{S}_\mathsf{I}(1^\lambda,\mathsf{DB}),\mathsf{R}_{\mathsf{I}}(1^\lambda) \big)$:] In this protocol, the sender $\mathsf{S}_\mathsf{I}$ has a database $\mathsf{DB}=(M_1,\ldots,M_N)$ of $N$ messages, where $M_i \in \{0,1\}^{t}$ for each $i \in [N]$,
for some $t \in \mathsf{poly}(\lambda)$. It interacts with the receiver $\mathsf{R}_\mathsf{I}$ as follows. \smallskip \smallskip
\begin{itemize}
\item[1.] Generate a key pair for the signature scheme of Section \ref{RMA-sec} in order to sign $Q=N$ messages of length $m_d = (n+t) \cdot \lceil \log q \rceil$ each.
This key pair consists of $SK_{sig}=\mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and
${PK}_{sig}:=\big( \mathbf{A},
\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{D}, \mathbf{u} \big),$ where $\ell=\log N$ and $\mathbf{A},\mathbf{A}_0,\ldots,\mathbf{A}_{\ell} \in U(\Zq^{n \times m})$, $\mathbf{D} \in U(\Zq^{n \times m_d})$.
%with $m = 2n \lceil \log q \rceil$, $m_d = (n+t) \lceil \log q \rceil$.
The counter is initialized to $\tau=0$.
\item[2.] Choose $\mathbf{S} \sample \chi^{n \times t}$ that will serve as a secret key for an $\LWE$-based encryption scheme.
Then, sample $\mathbf{F} \sample U(\Zq^{n \times m})$, $\mathbf{E} \sample \chi^{m \times t }$ and compute
\begin{eqnarray} \label{PK-gen}
\mathbf{P} = [\mathbf{p}_1 | \ldots | \mathbf{p}_t] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t},
\end{eqnarray}
so that $(\mathbf{F},\mathbf{P}) \in \Zq^{n \times m} \times \Zq^{m \times t }$ forms a public key for a $t$-bit variant of Regev's encryption scheme \cite{Reg05}.
% (or, equivalently,
% a set of $m$ encryptions of the all-zeroes $t$-bit string).
\item[3.]
Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
compute
\begin{eqnarray} \label{init-db}
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N].
\qquad
\end{eqnarray}
\item[4.] For each $i \in [N]$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the decomposition
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i^T |\mathbf{b}_i^T )^T \in \{0,1\}^{m_d}$. % of $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$.
\item[5.] $\mathsf{S}_\mathsf{I}$ sends
$ R_0= \bigl( PK_{sig} ,~(\mathbf{F},\mathbf{P}),~\{(\mathbf{a}_i,\mathbf{b}_i),(\tau_i,\mathbf{v}_i ) \}_{i=1}^N \bigr) $ to $\mathsf{R}_\mathsf{I}$ and interactively proves knowledge of small-norm $\mathbf{S} \in \ZZ^{n \times t}$, $\mathbf{E} \in \ZZ^{m \times t}$, short vectors $\{\mathbf{x}_i\}_{i=1}^N$ and
$t$-bit messages $\{M_i\}_{i=1}^N$,
for which~\eqref{PK-gen} and~\eqref{init-db} hold. To this end, $\mathsf{S}_\mathsf{I}$ plays the role of the prover in the ZK argument system described in Section~\ref{subsection:ZK-protocol-1}.
%\item[c.]
If the argument of knowledge does not verify
%at step b
or if there exists $i \in [N]$ such that $(\tau_i,\mathbf{v}_i)$ is an invalid signature on the message
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1} (\mathbf{a}_i^T |\mathbf{b}_i^T)^T $ w.r.t. $PK_{sig}$, then $\mathsf{R}_\mathsf{I}$ aborts.
%\end{itemize}
\item[6.] Finally $\mathsf{S}_\mathsf{I}$ defines $S_0= \big( (\mathbf{S},\mathbf{E}) ,(\mathbf{F},\mathbf{P}),PK_{sig} \big)$, which it keeps to itself. \medskip \smallskip
\end{itemize}
\item[\textsf{Transfer}$\big(\mathsf{S}_\mathsf{T}(S_{i-1}),\mathsf{R}_{\mathsf{T}}(R_{i-1},\rho_i) \big)$:] At the $i$-th transfer, the receiver $\mathsf{R}_\mathsf{T}$ has state $R_{i-1}$ and
an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}_\mathsf{T}$ that has state $S_{i-1}$ in order to obtain $M_{\rho_i}$ from $\mathsf{DB}$. \smallskip \smallskip \smallskip
\begin{itemize}
\item[1.] $\mathsf{R}_\mathsf{T}$ samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and a random $\nu \sample U([-B,B]^t)$ to compute
\begin{eqnarray} \label{rand-CT}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho_i} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho_i} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
\qquad
\end{eqnarray}
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows
a signature on $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_{\rho_i}^T | \mathbf{b}_{\rho_i}^T)^T \in \{0,1\}^{m_d}$.
To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-3}.
\item[2.] If the argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and
obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a zero-knowledge argument of knowledge of vector $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm matrices $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$)
\begin{eqnarray} \label{test-transfer}
\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor.
\end{eqnarray}
To this end, $\mathsf{S}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-2}.
\item[3.] If the ZK argument produced by $\mathsf{S}_\mathsf{T}$ does not properly verify at step 2, $\mathsf{R}_\mathsf{T}$ halts and outputs $\perp$. Otherwise, $\mathsf{R}_\mathsf{T}$ recalls
the random string $\mu \in \{0,1\}^t$ that was chosen at step 1 and computes $M_{\rho_i}=M' \oplus \mu$. The transfer ends with $\mathsf{S}_\mathsf{T}$ and $\mathsf{R}_\mathsf{T}$
outputting $S_i=S_{i-1}$ and $R_i=R_{i-1}$, respectively.
\end{itemize}
\end{description}
In the initialization phase, the sender has to repeat step 5 with each
receiver to prove that $\left\{(\mathbf{a}_i,\mathbf{b}_i)\right\}_{i=1}^N$ are well-formed. Using the Fiat-Shamir heuristic \cite{FS86}, we can decrease this initialization
cost from $O(N \cdot U)$ to $O(N)$ (regardless of the number of users $U$) by making the proof non-interactive.
This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be non-interactive and the receiver's arguments only need to be WI, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. To keep the security proof
simple, we derive the matrix $\mathbf{F} \in \Zq^{n \times m}$ from a second random oracle.
%which the sender can build his $\LWE$-based public key $\mathbf{P}=\mathbf{F} \cdot \mathbf{S} + \mathbf{E}$, for small-norm matrices $\mathbf{S} \in \ZZ^{n \times t}$
%and $\mathbf{E} \in \ZZ^{m \times t}$.
Knowing a short basis of $\Lambda_q^{\perp}(\mathbf{F})$, the simulator can extract
the columns of $\mathbf{S}$ from the public key $\mathbf{P} \in \Zq^{n \times m}$. Details are given in Appendix~\ref{optimized}.
% \indent In
%Appendix \ref{ot-proofs}, we prove the security of the above \OTA protocol against static corruptions under the $\SIS$ and $\LWE$ assumptions.
\subsection{Security}
The security of the above \OTA protocol against static corruptions is stated by the following theorems.
\begin{theorem} \label{sender-sec}
The $\OTA$ protocol provides receiver security under the $\SIS$ assumption.
\end{theorem}
\begin{proof}
We prove that any real-world cheating sender $\hat{\mathsf{S}}$ implies an ideal-world cheating sender $\hat{\mathsf{S}}'$ such that, under the $\SIS$ assumption,
the two distributions $\REAL_{\hat{\mathsf{S}},{\mathsf{R}}}$ and $\IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'}$ with common inputs $(N,k,M_1,\ldots,M_N,\rho_1,\ldots,\rho_k)$ are indistinguishable
to any PPT distinguisher $\ddv$. \\ \indent To this end, we consider a sequence of hybrid experiments with binary outputs. In each experiment $\textsf{Exp}_i$, a distinguisher $\ddv$ takes
as input the states $(S_k,R_k)$ produced by $\hat{\mathsf{S}}$ and $\mathsf{R}'$ at the end of the experiment and outputs a bit. We define $W_i$ as the event that the output of experiment $\textsf{Exp}_i$ is $1$. The first experiment outputs whatever the distinguisher $\ddv$ outputs and corresponds to the real interaction between the cheating sender $\hat{\mathsf{S}}$ and the
receiver $\mathsf{R}$. \smallskip
\begin{description}
\item[\textsf{Exp}$_0$:] This experiment involves a real execution of $\hat{\mathsf{S}}$ in interaction with a honest receiver $\mathsf{R}$ which queries the index $\rho_i \in [N]$ at
the $i$-th transfer for each $i \in [k]$. The output of $\textsf{Exp}_0$
is exactly the output of the distinguisher $\ddv$ on input of $X=(S_k,R_k) \leftarrow \REAL_{\mathsf{S},\hat{\mathsf{R}}} $, so that
we have
$$\Pr[W_0]=\Pr[ \ddv (X) =1 \mid X \leftarrow \REAL_{\hat{\mathsf{S}},{\mathsf{R}}} ].$$
\item[\textsf{Exp}$_1$:] This experiment is like $\textsf{Exp}_0$ except that, at step 5 of the initialization phase, the knowledge extractor of the argument system is used to
extract the witnesses $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$, for each $j \in [t]$, from the sender's argument. In the event that the knowledge
extractor fails to extract valid witnesses, the experiment aborts and outputs $\perp$. We know that the zero-knowledge argument system is computationally sound
as long as the underlying commitment is computationally binding. If the perfectly hiding commitment of \cite{KTX08} is used, the binding property is in turn
implied by the $\SIS$ assumption. Under the
$\SIS$ assumption, it follows that $\textsf{Exp}_1$ returns $1$ with about the same probability as $\textsf{Exp}_0$. Specifically, there exists a $\SIS$ solver $\bdv$ such that
$ | \Pr[W_1] -\Pr[W_0] | \leq \mathbf{Adv}^{\SIS}_\bdv (\lambda). $ \smallskip
\item[\textsf{Exp}$_2$:] This experiment is identical to \textsf{Exp}$_1$ except that the receiver $\mathsf{R}'$ makes use of the matrix $\mathbf{S} \in \chi^{n \times t}$, which underlies $\mathbf{P} \in \ZZ_q^{m \times t}$ in
\eqref{PK-gen} and was extracted at step 5 of the initialization phase. Namely, at step 2 of each transfer, $\mathsf{R}'$ uses
$\mathbf{S}$ to determine if the ZK argument sent by $\hat{\mathsf{S}}$ is really an argument for a true statement or if $\hat{\mathsf{S}}$ somehow managed
to break the soundness of the argument system. Namely, upon receiving the response $M ' \in \{0,1\}^t$ of $\hat{\mathsf{S}}$ at step 2, $\mathsf{R}'$
uses the previously extracted $\mathbf{S} \in \chi^{n \times t}$ to determine whether there exists a vector $\mathbf{y} \in \ZZ^t$ of norm $\| \mathbf{y} \|_{\infty}
\leq q/5$ such that
\begin{eqnarray} \label{test-deux}
\mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor .
\end{eqnarray}
If no such vector $\mathbf{y}$ exists, $\mathsf{R}'$ infers that $\hat{\mathsf{S}}$ broke the soundness of the argument system. In this case, $\hat{\mathsf{S}}$ can be
rewound so as to break the binding property of the statistically hiding commitment scheme used by the ZK argument system, which in turn contradicts
the $\SIS$ assumption. We thus have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathbf{Adv}^{\SIS}_\bdv (\lambda) $ for some efficient algorithm $\bdv$ which
is given rewinding access to $\hat{\mathsf{S}}$.
\smallskip
\item[\textsf{Exp}$_3$:] This experiment is like $\textsf{Exp}_2$ with the difference that, at each transfer, the receiver $\mathsf{R}'$ chooses the index $\rho_i=1$ and thus always requests
the first message of the encrypted database. In more details, at each transfer, $\mathsf{R}'$
samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and $\nu \sample U([-B,B]^t)$ to compute and send
\begin{eqnarray*}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \ZZ_q^n \times \ZZ_q^t,
\end{eqnarray*}
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$.
Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}. %(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter
such that $(m+1) \alpha q / B $ is negligible, the result of \cite[Section 4.1]{DS16} implies that always re-randomizing
$(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$ leaves the view of $\hat{\mathsf{S}}$ statistically unchanged.
We have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathsf{negl}(\lambda). $ \smallskip
\end{description}
In $\textsf{Exp}_3$, we can define the ideal-world cheating sender $\hat{\mathsf{S}}'$ which emulates the honest receiver $\mathsf{R}'$ interacting with $\hat{\mathsf{S}}$. At the initialization
phase, $\hat{\mathsf{S}}'$ appeals to the knowledge extractor of the argument system so as to extract the small-norm matrices $\mathbf{S} = [\mathbf{s}_1|\ldots|\mathbf{s}_t] \in \chi^{n \times t}$
and $\mathbf{E}=[\mathbf{e}_1| \ldots |\mathbf{e}_t] \in \chi^{m \times t}$ satisfying \eqref{PK-gen}. Armed with the decryption key $\mathbf{E} \in \chi^{m \times t}$ of the cryptosystem,
$\hat{\mathsf{S}}'$ can decrypt $\{(\mathbf{a}_i,\mathbf{b}_i)\}_{i=1}^N$ and obtain the messages $M_1,\ldots,M_N \in \{0,1\}^N$ that were encrypted in \eqref{init-db} by $\hat{\mathsf{S}}$.
It then submits $M_1,\ldots,M_N \in \{0,1\}^N$ to the trusted party $\mathsf{T}$. As in $\textsf{Exp}_2$, during each transfer phase, $\hat{\mathsf{S}}'$ computes $(\mathbf{c}_0,\mathbf{c}_1)$ as
a re-randomization of $(\mathbf{a}_1,\mathbf{b}_1) \in \ZZ_q^n \times \ZZ_q^t$ and faithfully generates the receiver's argument of knowledge using the witness $\rho_i=1$ at step 1.
At step 2 of each transfer, $\hat{\mathsf{S}}'$ plays the role of the verifier on behalf of $\mathsf{R}'$ in the interactive zero-knowledge argument generated by $\hat{\mathsf{S}}$. If $\hat{\mathsf{S}}'$ detects that $\hat{\mathsf{S}}$ creates a verifying argument for a false statement (which $\hat{\mathsf{S}}'$ can detect using the
extracted matrix $\mathbf{S} \in \ZZ^{n \times t}$, by applying the test
\eqref{test-deux}), it aborts the interaction as in $\textsf{Exp}_3$.
If the ZK
argument involves a true statement, $\hat{\mathsf{S}}'$ sends $1$ to the trusted party $\mathsf{T}$ so as to authorize the transfer in the ideal world. Otherwise, $\hat{\mathsf{S}}'$ sends $0$ to $\mathsf{T}$.
At the end of the $k$-th transfer phase, $\hat{\mathsf{S}}'$ outputs whatever $\hat{\mathsf{S}}$ outputs as its final state $S_k$. \\
\indent In $\textsf{Exp}_3$, it is easy to see that
$$ \Pr[W_3] = \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'} ] .$$
When putting the above altogether, we find that there exists a PPT $\SIS$ solver $\bdv$ such that
\begin{multline*}
| \Pr[ \ddv (X) =1 \mid X \leftarrow \REAL_{\hat{\mathsf{S}},{\mathsf{R}}} ] \\ - \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'} ] | \leq 2 \cdot \mathbf{Adv}_\bdv^{\SIS}(\lambda)
+ \mathsf{negl}(\lambda) ,
\end{multline*}
which proves the result.
\end{proof}
\begin{theorem} \label{rec-sec}
The $\OTA$ protocol provides sender security under the $\SIS$ and $\LWE$ assumptions.
\end{theorem}
\input{merge2}
%%%%%%%%%%%% Access control
\section{OT with Access Control for Branching Programs} \label{OT-AC-scheme}
In this section, we extend our protocol of Section \ref{OT-scheme} into a protocol where database entries can be protected
by access control policies consisting of branching programs. In a nutshell, the construction goes as follows.
When the database is set up, the sender signs (a binary representation of) each database entry $(\mathbf{a}_i,\mathbf{b}_i)$ together
with a hash value $\mathbf{h}_{\BPR,i} \in \Zq^n$ of the corresponding branching program. For each possessed attribute $\mathbf{x} \in \{0,1\}^\kappa$,
the user $\USR$
obtains a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ from the issuer. \\ \indent If $\USR$ has a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ for an attribute $\mathbf{x}$ satisfying
the $\rho$-th branching program, $\USR$ can re-randomize $(\mathbf{a}_\rho,\mathbf{b}_\rho)$ into $(\mathbf{c}_0,\mathbf{c}_1)$, which is given to the sender,
while proving that: (i) He knows a signature
$(\tau,\mathbf{v})$ on some message $(\mathbf{a}_\rho,\mathbf{b}_\rho,\mathbf{h}_{\BPR,\rho})$ such that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of
$(\mathbf{a}_\rho,\mathbf{b}_\rho)$; (ii) The corresponding $\mathbf{h}_{\BPR,\rho}$ is the hash value of (the binary representation of) a branching program
$\BPR_{\rho}$ that accepts an attribute $\mathbf{x} \in \{0,1\}^\kappa$ for which he has a valid credential $\mathsf{Cred}_{\USR,\mathbf{x}}$
(i.e., $\BPR_{\rho}(\mathbf{x})=1$). \\
\indent While statement (i) can be proved as in Section \ref{OT-scheme}, handling (ii) requires a method of proving the possession of a (committed) branching program $\BPR$ and a (committed) input $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR(\mathbf{x})=1$ while demonstrating possession of a credential for
$\mathbf{x}$.
Recall that a branching program $\BPR$ of length $L$, input space $\{0,1\}^{\kappa}$ and width $5$ is specified by $L$ tuples of the
form $(\var(\theta),\pi_{\theta,0},\pi_{\theta,1})$ where
\begin{itemize}
\item[-] $\var: [L] \rightarrow [0, \kappa-1]$ is a function that associates the $\theta$-th tuple with the coordinate ${x}_{\var(\theta)} \in \{0,1\}$ of
the input $\mathbf{x} = (x_0, \ldots, x_{\kappa-1})^T$.
\item[-] $\pi_{\theta,0},\pi_{\theta,1} : \{0,1,2,3,4\} \rightarrow \{0,1,2,3,4\}$ are permutations that determine the $\theta$-th step of the
evaluation.
\end{itemize}
On input $\mathbf{x} = (x_0, \ldots, x_{\kappa-1})^T$, $\BPR$ computes its output as follows.
For each bit $b \in \{0,1\}$, let $\bar{b}$ denote the bit $1-b$.
Let $\eta_\theta$ denote the state of computation at step $\theta$. The initial state is $\eta_0 = 0$ and, for $\theta \in [1,L]$, the state $\eta_\theta$ is computed as
\[
\eta_\theta = \pi_{\theta, x_{\mathrm{var}(\theta)}}(\eta_{\theta-1}) = \pi_{\theta, 0}(\eta_{\theta-1})\cdot \bar{x}_{\mathrm{var}(\theta)} + \pi_{\theta, 1}(\eta_{\theta-1})\cdot {x}_{\mathrm{var}(\theta)}.
\]
Finally, the output of evaluation is $\mathsf{BP}(\mathbf{x})=1$ if $\eta_L =0$, otherwise $\mathsf{BP}(\mathbf{x})=0$.
We now let $\delta_{\kappa} = \lceil\log_2 \kappa\rceil$ and note that each integer in $[0,\kappa-1]$ can be determined by $\delta_\kappa$ bits. In particular, for each $\theta \in [ L]$, let $d_{\theta,1}, \ldots, d_{\theta, \delta_\kappa}$ be the bits representing $\mathrm{var}(\theta)$. Then, we consider the following representation of $\mathsf{BP}$:
\begin{multline}\label{equation:z_BP}
%\nonumber
\hspace*{-12pt} \mathbf{z}_{\mathsf{BP}} = \big(
d_{1,1}, \ldots, d_{1, \delta_\kappa}, \ldots, d_{L,1}, \ldots, d_{L, \delta_\kappa}, \pi_{1,0}(0), \ldots, \pi_{1,0}(4), \pi_{1,1}(0), \ldots, \\
%&& \hspace*{-25pt}
\pi_{1,1}(4), \ldots,
\pi_{L,0}(0), \ldots, \pi_{L,0}(4), \pi_{L,1}(0), \ldots, \pi_{L,1}(4)
\big)^T \in [0,4]^{\zeta}, ~~~
\end{multline}
where $\zeta= L(\delta_\kappa +10)$.
\subsection{The OT-AC Protocol} \label{the-ot-ac}
We assume public parameters $\pp$
consisting of a modulus $q$, integers $n$, $m$ such that $m = 2n \lceil \log q \rceil$, a public matrix $\bar{\mathbf{A}} \in \Zq^{n \times m}$,
the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desired input length $\kappa \in \mathsf{poly}(n)$.
\smallskip
\begin{description}
\item[\textsf{ISetup}$\big(\pp \big)$:] Given public parameters $\pp=\{ q,n,m, \bar{\mathbf{A}}, L,\kappa\}$, first generate a key pair $(PK_{I},SK_{I})\gets \mathsf{Keygen}(\pp,1)$ for the signature scheme
in Section \ref{se:gs-lwe-sigep} in order to sign single-block messages (i.e., $N_b=1$) of length $m_I = n \cdot \lceil \log q \rceil + \kappa$. %$m=2 n \lceil \log q \rceil$.
Letting $\ell_I = \mathcal{O}(n)$, this key pair contains $SK_{I}=\mathbf{T}_{\mathbf{A}_I}
\in \ZZ^{m \times m}$ and
$${PK}_{I}:=\big( \mathbf{A}_I, ~
\{\mathbf{A}_{I,j} \}_{j=0}^{\ell_{I}}, ~\mathbf{D}_I, ~ \{ \mathbf{D}_{I,0}, \mathbf{D}_{I,1}\} , ~\mathbf{u}_I \big).$$
\item[\textsf{Issue}$\big( \mathsf{I}(\pp,SK_I,PK_I,P_\USR,\mathbf{x}) \leftrightarrow \mathsf{U}(\pp,\mathbf{x},st_\USR) \big)$:]
On common input $\mathbf{x} \in \{0,1\}^\kappa$, the issuer
$\mathsf{I}$ and the user $\USR$ interact in the following way: \smallskip
\begin{itemize}
\item[1.] If $st_{\USR} = \emptyset$, $\USR$ creates a pseudonym $P_\USR= \bar{\mathbf{A}} \cdot \mathbf{e}_{\USR} \in \Zq^n$, for a randomly chosen $\mathbf{e}_{\USR} \sample U(\{0,1\}^m)$, which is sent to $\mathsf{I}$. It sets
$st_{\USR}=(\mathbf{e}_\USR, P_\USR, 0, \emptyset ,\emptyset)$. Otherwise, $\USR$ parses its state $st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$.
\item[2.] The issuer $\mathsf{I}$ defines the message $\mathfrak{m}_{\USR,\mathbf{x}} = (\mathsf{vdec}_{n,q-1}(P_{\USR})^T|\mathbf{x}^T )^T \in \{0,1\}^{m_I}$.
Then, it runs the signing algorithm of Section \ref{se:gs-lwe-sigep} to obtain and return
$\crt_{\USR,\mathbf{x}} = \big(\tau_{\USR},\mathbf{v}_{\USR},\mathbf{r}_{\USR} \big) \leftarrow \mathsf{Sign}(SK_I,\mathfrak{m}_{\USR,\mathbf{x}}) \in \{0,1\}^{\ell_{I}} \times \ZZ^{2m} \times \ZZ^{m}$, which binds $\USR$'s pseudonym $P_\USR$
to the attribute string $\mathbf{x} \in \{0,1\}^\kappa$.
\item[3.] $\USR$ checks that $\crt_{\USR,\mathbf{x}}$
satisfies \eqref{ver-eq-block} and that $\|\mathbf{v}_\USR\| \leq \sigma \sqrt{2m},\mathbf{r}_\USR \leq \sigma \sqrt{m}$. If so, $\USR$ sets
$C_\USR := C_{\USR} \cup \{\mathbf{x}\}$, $\mathsf{Cred}_\USR := \mathsf{Cred}_\USR \cup \{\crt_{\USR,\mathbf{x}}\}$ and updates its state $st_\USR=(\mathbf{e}_\USR,P_\USR,f_{DB},C_\USR,\mathsf{Cred}_\USR)$. If $\crt_{\USR,\mathbf{x}}$ does not properly verify, $\USR$ aborts the interaction and leaves $st_{\USR}$ unchanged. \smallskip
\end{itemize}
\item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender $\mathsf{DB}$
has $\mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N $ which is a database of $N$ pairs made of a message
$M_i \in \{0,1\}^{t}$ and a policy realized by a length-$L$
branching program $\BPR_i = \{\var_i(\theta),\pi_{i,\theta,0},\pi_{i,\theta,1}\}_{\theta=1}^L$. %.of length $L \in \mathsf{poly}(n)$,
\smallskip \smallskip
\begin{itemize}
\item[1.] Choose a random matrix $\mathbf{A}_{\mathrm{HBP}} \sample U \big(\Zq^{n \times \zeta } \big)$ which will be used to hash the description of
branching programs.
\item[2.] Generate a key pair for the signature scheme of Section \ref{RMA-sec} in order to sign $Q=N$ messages of length $m_d = (2n+t) \cdot \lceil \log q \rceil$ each.
This key pair consists of $SK_{sig}=\mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and
${PK}_{sig}:=\big( \mathbf{A},
\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{D}, \mathbf{u} \big),$ where $\ell=\lceil \log N \rceil$ and $\mathbf{A},\mathbf{A}_0,\ldots,\mathbf{A}_{\ell} \in U(\Zq^{n \times m})$, $\mathbf{D} \in U(\Zq^{n \times m_d})$ with
$m = 2n \lceil \log q \rceil$, $m_d = (2n+t) \lceil \log q \rceil$. The counter is initialized to $\tau=0$.
\item[3.] Sample $\mathbf{S} \sample \chi^{n \times t}$ which will serve as a secret key for an $\LWE$-based encryption scheme.
Then, sample $\mathbf{F} \sample U(\Zq^{n \times m})$, $\mathbf{E} \sample \chi^{m \times t }$ to compute
\begin{eqnarray} \label{PK-gen-ac}
\mathbf{P} = [\mathbf{p}_1 | \ldots | \mathbf{p}_t] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t}
\end{eqnarray}
so that $(\mathbf{F},\mathbf{P}) $ forms a public key for a $t$-bit variant of Regev's system.
\item[4.]
Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
compute
\begin{eqnarray} \label{init-db-ac}
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{a}_i^T \cdot \mathbf{S} + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N]
\qquad
\end{eqnarray}
\item[5.] For each $i=1$ to $N$, $ (\mathbf{a}_i,\mathbf{b}_i)$ is bound to $\BPR_i$ as follows. \smallskip \begin{itemize} \item[a.]
Let $\mathbf{z}_{\BPR,i} \in [0,4]^\zeta $ be the binary representation of the branching program.
Compute its digest $\mathbf{h}_{\BPR,i} = \mathbf{A}_{\mathrm{HBP}} \cdot \mathbf{z}_{\BPR,i} \in \Zq^n$.
% via the matrix $\mathbf{A}_{\mathrm{HBP}} \in \Zq^{n \times \zeta} $.
\item[b.] Using $SK_{sig}$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the message
$\mathfrak{m}_i=\mathsf{vdec}_{2n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i|\mathbf{h}_{\BPR,i}) \in \{0,1\}^{m_d}$ obtained by decomposing $(\mathbf{a}_i^T | \mathbf{b}_i^T | \mathbf{h}_{\BPR,i}^T )^T \in \Zq^{2n+t}$.
\end{itemize}
\item[6.] The database's public key is defined as
$ PK_{\mathrm{DB}}= \bigl( PK_{sig} ,~(\mathbf{F},\mathbf{P}),~\mathbf{A}_\mathrm{HBP}\bigr) $
while the encrypted database is
$ \{ER_i=\big(\mathbf{a}_i,\mathbf{b}_i,(\tau_i,\mathbf{v}_i ) \big), \BPR_i \}_{i=1}^N. $
The sender $\mathsf{DB}$ outputs
$ \bigl( PK_{\mathrm{DB}} ,\{ER_i, \BPR_i \}_{i=1}^N \bigr) $
and keeps $SK_{\mathsf{DB}}=\big(SK_{sig},\mathbf{S} \big)$.\smallskip
\end{itemize}
\item[\textsf{Transfer}$\big(\mathsf{DB}(SK_{\mathsf{DB}},PK_{\mathsf{DB}},PK_I),\USR(\rho,st_\USR,PK_I,PK_\mathsf{DB},ER_\rho,\BPR_\rho) \big)$:] Given an index
$\rho \in [N]$, a
record
$ER_\rho =\big(\mathbf{a}_\rho,\mathbf{b}_\rho,(\tau_\rho,\mathbf{v}_\rho ) \big) $ and a policy $\BPR_{\rho}$, the user $\USR$ parses
$st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$. If $C_\USR$ does not contain any $\mathbf{x} \in \{0,1\}^\kappa$ s.t.
$\BPR_{\rho}(\mathbf{x})=1$ and $\mathsf{Cred}_{\USR}$ contains the corresponding $\crt_{\USR,\mathbf{x}}$, $\USR$ outputs $\perp$. Otherwise, he
selects such a pair $(\mathbf{x},\crt_{\USR,\mathbf{x}})$ and interacts with $\mathsf{DB}$: \smallskip
\begin{itemize}
\item[1.] If $f_{DB}=0$, $\USR$ interacts with $\mathsf{DB}$ for the first time and requires $\mathsf{DB}$ to prove knowledge of small-norm $\mathbf{S} \in \ZZ^{n \times t}$, $\mathbf{E} \in \ZZ^{m \times t}$, $\{\mathbf{x}_i\}_{i=1}^N$ and
$t$-bit messages $\{M_i\}_{i=1}^N$ satisfying~\eqref{PK-gen-ac}-\eqref{init-db-ac}. To do this, $\mathsf{DB}$ uses the ZK argument in Section~\ref{subsection:ZK-protocol-1}.
% to prove knowledge of short matrices $\mathbf{S} \in \ZZ^{n \times t}$ and $\mathbf{E} \in \chi^{m \times t}$ and
% $t$-bit messages $\{M_i\}_{i=1}^N$ -
%satisfying (\ref{PK-gen-ac})-(\ref{init-db-ac}). To this end, $\mathsf{DB}$ does the following. \smallskip \smallskip
%\begin{itemize}
% \item[a.]
% Define $\mathbf{A}_{\mathsf{DB}}=[\mathbf{a}_1 | \ldots | \mathbf{a}_N] \in \Zq^{n \times N}$, $\mathbf{B}_{\mathsf{DB}}=[\mathbf{b}_1 | \ldots | \mathbf{b}_N] \in \Zq^{t \times N}$, $\mathbf{M}=[M_1 | \ldots | M_N]
% \in \{0,1\}^{t \times N}$,
%$\mathbf{X}=[\mathbf{x}_1 | \ldots | \mathbf{x}_N] \in \chi^{ t \times N}$
%and parse $\mathbf{S}$ and $\mathbf{E}$ as $\mathbf{S}=[\mathbf{s}_1 | \ldots | \mathbf{s}_t] \in \chi^{n \times t}$,
%$\mathbf{E}=[\mathbf{e}_1 | \ldots | \mathbf{e}_t] \in \chi^{m \times t}$.
%\item[b.] For each $j \in [t]$, define $\bar{M}_j \in \{0,1\}^N$ to be the $j$-th column of $\mathbf{M}^T$. Likewise,
% let $\bar{\mathbf{b}}_j \in \Zq^N$ (resp. $\bar{\mathbf{x}}_j \in \chi^N$) be the $j$-th column of $\mathbf{B}_{\mathsf{DB}}^T \in \Zq^{N \times t} $
%(resp. $\mathbf{X}^T $). Note that (\ref{init-db-ac}) can be written
%\begin{eqnarray*}
% \mathbf{B}_{\mathsf{DB}}^T = \mathbf{A}_{\mathsf{DB}}^T \cdot \mathbf{S} + \mathbf{X}^T + \mathbf{M}^T \cdot \lfloor q/2 \rfloor .
%\end{eqnarray*}
%For each $j \in [t]$, $\mathsf{DB}$ argues knowledge
%of $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$ such that
%\begin{eqnarray} \label{sender-proof-ac}
% \left[ \begin{array}{c|c|c|c} ~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~ & ~ ~\\ \hline
% ~\mathbf{A}_{\mathsf{DB}}^T ~ & ~ ~ & ~ \mathbf{I}_N ~ & ~ \lfloor q/2 \rfloor \cdot \mathbf{I}_N ~
%\end{array} \right]
%\cdot \begin{bmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \bar{\mathbf{x}}_j \\ \hline \bar{{M}}_j \end{bmatrix} = \begin{bmatrix}
% \mathbf{p}_j \\ \hline
% \bar{\mathbf{b}}_j
%\end{bmatrix}
%\end{eqnarray}
%\item[c.]
If there exists $i \in [N]$ such that $(\tau_i,\mathbf{v}_i)$ is an invalid signature
on $\mathsf{vdec}_{2n+t,q-1} (\mathbf{a}_i^T|\mathbf{b}_i^T|\mathbf{h}_{\BPR,i}^T)^T $ or if the ZK argument does not verify, $\USR$ aborts. Otherwise, $\USR$ updates $st_\USR$ and sets $f_{DB}=1$.
%\end{itemize}
\end{itemize}
%\vspace*{-0.05cm}
\begin{itemize}
\item[2.] $\USR$ re-randomizes the pair $(\mathbf{a}_\rho,\mathbf{b}_\rho )$ contained in $ER_\rho$. It samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and $\nu \sample U([-B,B]^t)$ to compute
\begin{eqnarray} \label{rand-CT-ac}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
\qquad
\end{eqnarray}
which is sent to $\mathsf{DB}$ as a re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. Then, $\USR$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated
with a policy $\BPR_\rho$ for which $\USR$ has a credential $\crt_{\USR,x}$ for some $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR_\rho (\mathbf{x})=1$.
%To this end, $\USR$ uses the technique of Section \ref{ineff-method}.
In addition, $\USR$
demonstrates possession of: (i) a preimage $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta $ of
$\mathbf{h}_{\BPR,\rho} = \mathbf{A}_{\mathrm{HBP}} \cdot \mathbf{z}_{\BPR,\rho} \in \Zq^n$; (ii) a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ for the corresponding $\mathbf{x} \in \{0,1\}^\kappa$ and the private key $\mathbf{e}_\USR \in \{0,1\}^m$ for the pseudonym $P_\USR$ to which $\mathbf{x}$ is bound; (iii) the coins leading to the randomization of some
$(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$.
Then entire step is conducted
by arguing knowledge of
\begin{eqnarray*}
\left\{
\begin{array}{l}
\mathbf{e}_{\USR} \in \bit^m, \mathfrak{m}_{\USR,\mathbf{x}} \in \{0,1\}^{m_I} ,~\mathbf{x} \in \{0,1\}^\kappa,~\widehat{\mathfrak{m}}_{\USR,\mathbf{x}} \in \{0,1\}^{m/2}
\\
\tau_{\USR} \in \{0,1\}^{\ell_I},~\mathbf{v}_{\USR}=(\mathbf{v}_{\USR,1}^T | \mathbf{v}_{\USR,2}^T)^T \in [-\beta,\beta]^{2m}, ~\mathbf{r}_{\USR} \in [-\beta,\beta]^m \\ \qquad
\qquad \qquad \quad ~~~~~~~~~~~~~~ \text{ \scriptsize // signature on $\mathfrak{m}_{\USR,\mathbf{x}}=(\mathsf{vdec}_{n,q-1}(P_\USR)^T| \mathbf{x}^T)^T $ } \\
\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta \qquad ~~~~~~~~~~~~\text{\scriptsize // representation of $\BPR_{\rho}$ } \\
\mathfrak{m} \in \{0,1\}^{m_d}, ~\tau \in \{0,1\}^{\ell},~ \mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m} \\ \qquad
\qquad \qquad \quad ~~~~~~~~~~~~~~ \text{ \scriptsize // signature on $\mathfrak{m}=\mathsf{vdec}_{2n+t,q-1}(\mathbf{a}_i^T| \mathbf{b}_i^T|\mathbf{h}_{\BPR,\rho}^T)^T $ } \\
~\mathbf{e} \in \{-1,0,1\}^t, ~\mu \in \{0,1\}^t, ~
\nu \in [-B,B]^t,\\
\qquad \qquad \qquad \quad ~~~~~~~~~~~~~~~ \text{\scriptsize // coins allowing the re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_\rho) $ }
\end{array}
\right.
\end{eqnarray*}
satisfying the relations (modulo $q$)
%\begin{eqnarray} \label{statement-rand-un-ac}
%\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} +
%\left[ \begin{array}{c|c|c|c}
%~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}
% ~\mathbf{P}^{T}~ & ~ \mathbf{I}_t \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline
%& & & - \mathbf{A}_{\mathrm{HBP}}
%\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline
% \mathbf{z}_{\BPR,\rho}
%\end{bmatrix} &=& \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \qquad \quad
%\end{eqnarray}
%(recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)
%and
%\begin{eqnarray} \label{statement-rand-deux-ac}
%\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u},
%\end{eqnarray}
\begin{eqnarray}\label{statement-rand-trois-ac}
\begin{cases}
\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} +
\left[ \begin{array}{c|c|c|c}
~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}
~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline
& & & - \mathbf{A}_{\mathrm{HBP}}
\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline
\mathbf{z}_{\BPR,\rho}
\end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip
\text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)}} \\[2.5pt]
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt]
\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} +
\sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2}) - \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt]
\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}} - \mathbf{H}_{n,q-1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt]
\left[
\begin{array}{c|c}
\mathbf{H}_{n,q-1} & \mathbf{0} \\
\hline \rule{0pt}{2.6ex}
\mathbf{0} & \mathbf{I}_\kappa \\
\end{array}
\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[
\begin{array}{c}
-\bar{\mathbf{A}} \\
\mathbf{0} \\
\end{array}
\right]\cdot \mathbf{e}_{\mathsf{U}} + \left[
\begin{array}{c}
\mathbf{0} \\
-\mathbf{I}_\kappa \\
\end{array}
\right]\cdot \mathbf{x} = \mathbf{0}
\end{cases}
\end{eqnarray}
and such that $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta$ encodes $\BPR_\rho$ such that $\BPR_\rho (\mathbf{x})=1$.
This is done by running the argument system described in Section~\ref{subsection:ZK-Protocol4-BP}.
\item[3.] If the ZK argument of step 2 verifies, $\mathsf{DB}$ decrypts $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ to
obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$
which is returned to $\USR$. Then, $\mathsf{DB}$ argues knowledge of
$\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$)
\begin{eqnarray*}
\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor .
\end{eqnarray*}
To this end, $\mathsf{DB}$ uses the ZK argument system of Section~\ref{subsection:ZK-protocol-2}.
\item[4.] If the ZK argument produced by $\mathsf{DB}$ does not verify, $\USR$ outputs $\perp$. Otherwise, $\USR$ recalls
the string $\mu \in \{0,1\}^t$ and outputs $M_{\rho_i}=M' \oplus \mu$.
\end{itemize}
\end{description}
Like our construction of Section \ref{OT-scheme}, the above protocol requires the $\mathsf{DB}$ to repeat a ZK proof of communication complexity
$\Omega(N)$ with each user $\USR$ during the initialization phase. By applying the Fiat-Shamir heuristic as in Appendix~\ref{optimized}, the cost of the initialization phase
can be made independent of the number of users: the sender can publicize $ \bigl( PK_{\mathrm{DB}} ,\{ER_i, \BPR_i \}_{i=1}^N \bigr) $ along
with a with a universally verifiable non-interactive proof of well-formedness.
The security of the above protocol against static corruptions is proved in~\cite{LLM+17}, under the $\SIS$ and $\LWE$ assumptions and is similar to the previous proofs.
\input{merge}