thesis/chap-GS-LWE.tex
2018-04-30 16:21:16 +02:00

1097 lines
93 KiB
TeX

\section{A Lattice-Based Signature with Efficient Protocols} \label{se:gs-lwe-sigep}
%We first specify the parameters used in our scheme. Let $\lambda$ be the security parameter, and let $n = \bigO(\lambda)$, $q = \mathsf{poly}(n)$, and $m \geq 2n \log q$.
%We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
%block is an $L$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[L] \in \{0,1\}^L$ for $k \in \{1,\ldots, N\}$.
Our scheme can be seen as a variant of the B\"ohl \textit{et al.} signature \cite{BHJ+15}, where
each signature is a triple $(\tau,\mathbf{v},\mathbf{s})$, made of a tag $\tau \in \{0,1\}^\ell$ and integer vectors $(\mathbf{v},\mathbf{s})$ satisfying
$[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \tau[j] \cdot \mathbf{A}_j ] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$,
where matrices $\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell, \mathbf{D} \in \Zq^{n \times m}$
are public random matrices and $\mathbf{h} \in \{0,1\}^m$ is a chameleon hash of the message which is computed using randomness $\mathbf{s}$.
A difference is that, while \cite{BHJ+15} uses a short single-use tag $\tau \in \Zq$,
we need the tag to be an $\ell$-bit string $\tau \in \{0,1\}^{\ell}$ which will assume the same role as the prime exponent of Camenisch-Lysyanskaya signatures
\cite{CL02a} in the security proof.
We show that a suitable chameleon hash function makes the scheme compatible with Stern-like zero-knowledge arguments \cite{LNSW13,LNW15} for arguing possession of a valid message-signature pair. \cref{sse:stern} shows how to translate such a statement into asserting that a short witness vector $\mathbf{x}$ with a particular structure satisfies
a relation of the form
$\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q$, for some public matrix $\mathbf{P}$ and vector~$\mathbf{v}$.
The underlying chameleon hash can be seen as a composition of the chameleon hash of \cite[Se. 4.1]{CHKP10} with
a technique used in \cite{PSTY13,LLNW16}: on input of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, it outputs the binary decomposition of
$\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$, for some discrete Gaussian vector $\mathbf{s}$.
\subsection{Description} \label{desc-sig-protoc}
We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$.
For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
coordinate of $\mathbf{v}$ by its binary representation.
\begin{description}
\item[\textsf{Keygen}$(1^\lambda,1^N)$:] Given a security parameter $\lambda>0$ and the number of blocks $N = \mathsf{poly}(\lambda)$, choose the following parameters: $n = \bigO(\lambda)$; a prime modulus $q = \widetilde{\bigO}(N\cdot n^{4})$; dimension $m =2n \lceil \log q \rceil $; an integer $\ell = \Theta(\lambda)$; and Gaussian parameters $\sigma = \Omega(\sqrt{n\log q}\log n)$, $\sigma_0 = 2\sqrt{2}(N+1) \sigma m^{3/2}$, and $\sigma_1 = \sqrt{\sigma_0^2 + \sigma^2}$. Define the message space as $(\{0,1\}^{2m})^N$.
\smallskip
\begin{itemize}
\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A}).$ This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
% $\sigma \geq \| \widetilde{\mathbf{T}_{\mathbf{A}}} \| \cdot \omega (\sqrt{\log m})$.
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$. %, where $\ell = \Theta(\lambda)$.
\item[2.] Choose random matrices $\mathbf{D} \sample U(\Zq^{n \times m})$, $\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_{N} \sample U(\Zq^{2n \times 2m})$ as well as a random vector
$\mathbf{u} \sample U(\Zq^n)$. \smallskip
\end{itemize}
The private key consists of $SK:= \mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and the public key is
$${PK}:=\big( \mathbf{A}, ~ \{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big).$$
% \smallskip
\item[\textsf{Sign}$\big(SK, \mathsf{Msg} \big)$:] To sign an $N$-block message
$\mathsf{Msg}=\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right) \in \left(\{0,1\}^{2m} \right)^N$,
\begin{enumerate}[1.]
\item Choose a random string $\tau \sample U(\{0,1\}^\ell )$. Then, using $SK:=
\mathbf{T}_{\mathbf{A}}$, compute with $\ExtBasis$ a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$
for the matrix
\begin{eqnarray} \label{tau-matrix}
\mathbf{A}_{\tau}=
[ \mathbf{A} \mid \mathbf{A}_0 +
\sum_{j=1}^\ell \tau[j] \mathbf{A}_j
] \in \Zq^{ n \times 2m}.
\end{eqnarray}
\item Sample a vector $\mathbf{s} \sample D_{\ZZ^{2m},\sigma_1 }$. Compute $\mathbf{c}_M \in \Zq^{2n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$: i.e., compute
$\mathbf{c}_M = \mathbf{D}_{0} \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n} ,$
which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M) \in \Zq^n .$
Then,
using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$.
\end{enumerate}
Output the signature $sig=(\tau,\mathbf{v},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$. \smallskip
\item[\textsf{Verify}$\big(PK,\mathsf{Msg},sig\big)$:] Given $PK$, a message $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^{2m})^N$ and a purported
signature $sig=(\tau,\mathbf{v},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$,
return $1$ if
\begin{eqnarray} \label{ver-eq-block}
\mathbf{A}_{\tau} \cdot \mathbf{v} &=& \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q.
\end{eqnarray}
and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, $\| \mathbf{s} \| < \sigma_1 \sqrt{2m}$.
\end{description}
When the scheme is used for obliviously signing committed messages,
the security proof follows Bai \textit{et al.} \cite{BLL+15} in that it applies an argument based on the R\'enyi divergence in one signing query. This argument requires
to sample $\mathbf{s}$ from a Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$.
We note that, instead of being included in the public key, the matrices $ \{\mathbf{D}_k\}_{k=0}^{N}$ can be part of common public parameters shared by many signers. Indeed,
only the matrices $(\mathbf{A},\{\mathbf{A}_i\}_{i=0}^\ell)$ should be specific to the user who holds the secret key $SK=\mathbf{T}_{\mathbf{A}}$. In Section \ref{commit-sig}, we use a variant where $ \{\mathbf{D}_k\}_{k=0}^{N}$
belong to public parameters.
\subsection{Security Analysis}
The security analysis in Theorem \ref{th:gs-lwe-security-cma-sig} requires that $q>\ell$.
\begin{theorem} \label{th:gs-lwe-security-cma-sig}
The signature scheme is secure under chosen-message attacks under the $\SIS$ assumption.
\end{theorem}
\begin{proof}
To prove the result, we will distinguish three kinds of attacks:
\begin{description}
\item[Type I attacks] are attacks where, in the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ did not appear in any output
of the signing oracle.
\item[Type II attacks] are such that, in the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ is recycled from an output
$sig^{(i^\star)}=(\tau^{(i^\star)},\mathbf{v}^{(i^\star)},\mathbf{s}^{(i^\star)})$ of the signing oracle, for some index $i^\star \in \{1,\ldots,Q\}$. However,
if $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ and $\mathsf{Msg}^{(i^\star)}=(\mathfrak{m}_1^{(i^\star)},\ldots,\mathfrak{m}_N^{(i^\star)})$ denote the forgery
message and the $i^\star$-th signing query, respectively, we have
$\mathbf{D}_0 \cdot \mathbf{s}^\star + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star \neq \mathbf{D}_0 \cdot \mathbf{s}^{(i^\star)} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^{(i^\star)}. $
\item[Type III attacks] are those where the adversary's forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$ recycles $\tau^\star $ from an output
$sig^{(i^\star)}=(\tau^{(i^\star)},\mathbf{v}^{(i^\star)},\mathbf{s}^{(i^\star)})$ of the signing oracle (i.e.,
$\tau^{(i^\star)}= \tau^\star$ for some index $i^\star \in \{1,\ldots,Q\}$) and we have the collision
\begin{eqnarray} \label{collision}
\mathbf{D}_0 \cdot \mathbf{s}^\star + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star = \mathbf{D}_0 \cdot \mathbf{s}^{(i^\star)} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^{(i^\star)}.
\end{eqnarray}
\end{description}
Type III attacks imply a collision for the chameleon hash function of Kawachi \textit{et al.} \cite{KTX08}: if (\ref{collision}) holds,
a short vector
of $\Lambda_q^{\perp}([ \mathbf{D}_0 \mid \mathbf{D}_1 \mid \ldots \mid \mathbf{D}_N])$ is obtained as
$$\big({\mathbf{s}^\star}^T- {\mathbf{s}^{(i^\star)}}^T \mid {\mathfrak{m}_1^\star }^T - {\mathfrak{m}_1^{(i^\star)} }^T \mid \ldots \mid {\mathfrak{m}_N^\star }^T - {\mathfrak{m}_N^{(i^\star)} }^T \big)^T,$$ so that a collision breaks the $\mathsf{SIS}$ assumption.
The security against Type I attacks is proved by \cref{le:lwe-gs-type-I-attacks} which applies the same technique as in \cite{Boy10,MP12}. In particular, the prefix guessing technique
of \cite{HW09} allows keeping the modulus smaller than the number $Q$ of adversarial queries as in \cite{MP12}.
In order to deal with Type II attacks, we can leverage the technique of~\cite{BHJ+15}. In \cref{le:lwe-gs-type-II-attacks}, we prove that Type II attack would also contradict $\mathsf{SIS}$.
\end{proof}
\begin{lemma} \label{le:lwe-gs-type-I-attacks}
The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$ assumption holds for $\beta' = m^{3/2} \sigma^2 ( \ell+3) + m^{1/2} \sigma_1 $
\end{lemma}
\begin{proof}
Let $\adv$ be a $\ppt$ adversary that can mount a Type I attack with non-negligible success probability $\varepsilon$. We construct a $\ppt$
algorithm $\bdv$ that uses $\adv$ to break the~$\SIS_{n,m,q,\beta'}$ assumption. It takes as input~$\bar{\mathbf{A}} \in
\Zq^{n \times m}$ and computes $\mathbf{v} \in
\Lambda_q^{\perp}(\bar{\mathbf{A}})$ with~$0 < \|\mathbf{v}\| \leq \beta'$.
Algorithm~$\bdv$ first chooses the $\ell$-bit strings $\tau^{(1)},\ldots,\tau^{(Q)} \sample U(\{0,1\}^\ell)$ to be used in signing queries. As in \cite{HW09}, it
guesses the shortest prefix such that the string $\tau^\star$ contained in $\adv$'s forgery differs from all prefixes of $\tau^{(1)},\ldots,\tau^{(Q)}$. To this
end, $\bdv$ chooses $i^\dagger \sample U(\{1,\ldots, Q\})$ and $t^\dagger \sample U(\{1,\ldots,\ell\})$ so that, with probability $1/(Q \cdot \ell)$, the longest
common prefix between $\tau^\star$ and one of the $\left\{\tau^{(i)} \right\}_{i=1}^Q$ is the string
$\tau^\star[1] \ldots \tau^\star[t^\dagger-1] =\tau^{(i^\dagger)}[1] \ldots \tau^{(i^\dagger)}[t^\dagger-1] \in \{0,1\}^{t^\dagger -1}$ comprised of the
first $(t^\dagger-1)$-th bits of $\tau^\star \in \{0,1\}^\ell$. We define $ \tau^\dagger \in \{0,1\}^{t^\dagger}$ as the $t^\dagger$-bit string $\tau^\dagger=\tau^\star[1] \ldots \tau^\star[t^\dagger] $. By construction, with probability $1/(Q \cdot \ell)$, we have $\tau^\dagger \not \in \left\{\tau^{(1)}_{|{t^\dagger}}, \ldots ,\tau^{(Q)}_{|{t^\dagger}} \right\}$, where $\tau^{(i)}_{|{t^\dagger}}$ denotes
the $t^\dagger$-th prefix of $\tau^{(i)}$ for each $i\in \{1,\ldots,Q\}$.
Then, $\bdv$ runs
$\TrapGen(1^n,1^m,q)$ to obtain $\mathbf{C} \in \Zq^{n \times m}$ and a
basis $\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$ with
$\|\widetilde{\mathbf{T}_{\mathbf{C}}}\| \leq \bigO(\sqrt{n \log q})$. Then,
it picks~$\ell+1$ matrices~$\mathbf{Q}_0,\ldots, \mathbf{Q}_{\ell} \in \ZZ^{m \times m}$, where
each matrix $\mathbf{Q}_i$ has its columns sampled independently from~$D_{\ZZ^m, \sigma}$. The
reduction $\bdv$ defines the matrices $\{ \mathbf{A}_j\}_{j=0}^{\ell}$ as
\begin{eqnarray*}
\left\{
\begin{array}{ll}
\mathbf{A}_0 = \bar{\mathbf{A}} \cdot \mathbf{Q}_0 + (\sum_{j=1}^{t^\dagger} {\tau^\star[j]}) \cdot
\mathbf{C} \\
\mathbf{A}_j = \bar{\mathbf{A}} \cdot \mathbf{Q}_j + (-1)^{\tau^\star[j]} \cdot
\mathbf{C}, \qquad \quad \text{ for } j \in
[1,t^\dagger] \\
\mathbf{A}_j = \bar{\mathbf{A}} \cdot \mathbf{Q}_j , \qquad \quad \qquad \quad~~ \qquad \quad \text{ for } j \in
[t^\dagger+1,\ell]
\end{array}
\right.
\end{eqnarray*}
It also sets $\mathbf{A}=\bar{\mathbf{A}}$.
We note that we have
% \vspace*{-.1cm}
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i)}} &=& \left[ \begin{array}{c|c} \bar{\mathbf{A}} & \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i)}[j] \mathbf{A}_j
\end{array} \right] \\
& = & \left[
\begin{array}{c|c}
\bar{\mathbf{A}} ~ & ~ \bar{\mathbf{A}} \cdot (\mathbf{Q}_0 +
\sum_{j=1}^{\ell} \tau^{(i)}[j] \mathbf{Q}_j) + (
\sum_{j=1}^{t^\dagger} \tau^\star[j] +(-1)^{\tau^\star[j]} \tau^{(i)}[j])\cdot \mathbf{C}
\end{array} \right]
\\
&=&
\left[
\begin{array}{c|c}
\bar{\mathbf{A}} ~ & ~ \bar{\mathbf{A}} \cdot (\mathbf{Q}_0 +
\sum_{j=1}^{\ell} \tau^{(i)}[j] \mathbf{Q}_j) + h_{\tau^{(i)}} \cdot \mathbf{C}
\end{array} \right]
\end{eqnarray*}
where $ h_{\tau^{(i)}} \in [1,t^\dagger] \subset [1,\ell]$ stands for the Hamming distance between
$\tau^{(i)}_{|t^\dagger}$ and $\tau^\star_{|t^\dagger}$. Note that, with probability $1/(Q \cdot \ell)$ and since $q>\ell$, we have
$ h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{|t^\dagger} \neq \tau^\star_{|t^\dagger}$.
Next, $\bdv$ chooses the matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ uniformly at random for each $k \in [0,N]$. Then, it picks a random short matrix $\mathbf{R} \in \ZZ^{m \times m}$ which has its columns independently sampled from $D_{\ZZ^m,\sigma}$
and computes
\begin{eqnarray*}
\mathbf{D} &=& \bar{\mathbf{A}} \cdot \mathbf{R}. % \qquad \qquad \qquad \quad~ \forall k \in \{0,\ldots,N\}.
\end{eqnarray*}
Finally, $\bdv$ samples a short vector $\mathbf{e}_u \sample D_{\ZZ^m,\sigma_1}$ and computes the vector $\mathbf{u} \in \Zq^n$
as $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u \in \Zq^n$. The public key $${PK}:=\big( \mathbf{A}, ~
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~ \{\mathbf{D}_k\}_{k=0}^{N},~\mathbf{D}, ~\mathbf{u} \big)$$
is given to $\adv$.
%Hence,
% $\bdv$ is able to compute a trapdoor $\mathbf{T}_{\tau^{(i)}} \in \ZZ^{2m \times 2m}$ for each matrix $\{\mathbf{A}_{\tau^{(i)}} \}_{i=1}^Q $ (see~\cite[Se.~4.2]{ABB1},
% using the basis~$\mathbf{T}_{\mathbf{C}}$ of~$\Lambda_q^{\perp}(\mathbf{C})$.
At the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)}) \in (\{0,1\}^{2m})^N$, $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature.
To do this, $\bdv$ first samples $\mathbf{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes a vector $\mathbf{u}_M \in \Zq^m$ as
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } \bigr) ~~ \bmod q.$$
Using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\bdv$ can then sample a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
that $\big(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)} \big)$ satisfies the verification equation (\ref{ver-eq-block}).
When $\adv$ halts, it outputs a valid signature $sig^\star=\big(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star \big)$ on a
message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$.
At this point, $\bdv$ aborts and declares failure if it was unfortunate in its choice of $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$. Otherwise,
with probability $1/(Q \cdot \ell)$, $\bdv$ correctly guessed $i^\dagger \in \{1,\ldots,Q\}$ and $t^\dagger \in \{1,\ldots,\ell\}$, in which case it can solve the given $\mathsf{SIS}$ instance as follows.
If we parse $\mathbf{v}^\star \in \ZZ^{2m}$ as $({\mathbf{v}_1^\star }^T \mid {\mathbf{v}_2^\star }^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star \in \ZZ^m$, we have the equality
\begin{align*}
&\left[ \begin{array}{c|c} \bar{\mathbf{A}} ~&~ \bar{\mathbf{A}} \cdot (\mathbf{Q}_0 +
\sum_{j=1}^{\ell} \tau^\star[j] \mathbf{Q}_j)
\end{array} \right] \cdot
\left[\begin{array}{c} {\mathbf{v}_1^\star } \\ \hline {\mathbf{v}_2^\star } \end{array} \right] \\
& \hspace{3cm}= \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } +
\sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bigr) \bmod q \\
& \hspace{3cm}= \bar{\mathbf{A}} \cdot \Bigl( \mathbf{e}_u + \mathbf{R} \cdot \bit \bigl( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } +
\sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bigr) \Bigr) \bmod q ,
\end{align*}
which implies that the vector
\begin{eqnarray*}
\mathbf{w} &=& {\mathbf{v}_1^\star } + (\mathbf{Q}_0 +
\sum_{j=1}^{\ell} \tau^\star[j] \mathbf{Q}_j) \cdot {\mathbf{v}_2^\star } - \mathbf{e}_u - \mathbf{R} \cdot \bit \bigl( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } +
\sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bigr) \in \ZZ^m
\end{eqnarray*}
is in $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. Moreover, with overwhelming probability, this vector is non-zero since, in $\adv$'s view, the distribution of
$\mathbf{e}_u \in \ZZ^m$ is $D_{\Lambda_q^{\mathbf{u}}(\bar{\mathbf{A}}),\sigma_1}$, which ensures that $\mathbf{e}_u$ is statistically hidden by
the syndrome $\mathbf{u} = \bar{\mathbf{A}} \cdot \mathbf{e}_u $. Finally, the norm of $\mathbf{w}$ is smaller than
% modified by Khoa: $\| \mathbf{w} \| \leq m^{3/2} \sigma ( \sigma_1 + N / \sqrt{2}) + m^{1/2} ( \sigma + \sigma_1) + (\ell+1) \sigma m$,
$\beta' = m^{3/2} \sigma^2 ( \ell+3) + m^{1/2} \sigma_1 $
which yields a valid solution of the given $\mathsf{SIS}_{n,m,q,\beta'}$ instance
with overwhelming probability.
\end{proof}
\begin{lemma} \label{le:lwe-gs-type-II-attacks}
The scheme is secure against Type II attacks if the $\mathsf{SIS}_{n,m,q,\beta''}$ assumption holds for $\beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $.
\end{lemma}
\begin{proof}
We prove the result using a sequence of games. For each $i$, we denote by $W_i$ the event that the adversary wins by outputting a Type II forgery in \textsf{Game} $i$.
\medskip
\begin{description}
\item[\textsf{Game} 0:] This is the real game where, at the $i$-th signing query $\mathsf{Msg}^{(i)}=(\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)})$,
the adversary obtains a signature $sig^{(i)}=(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ for each $i \in \{1,\ldots,Q\}$ from the signing oracle. At the end of the game, the adversary
outputs a forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^{\star}=(\mathfrak{m}_1^{\star},\ldots,\mathfrak{m}_N^{\star})$.
By hypothesis, the adversary's advantage is $\varepsilon = \Pr[W_0]$. We assume without loss of generality that the random $\ell$-bit strings $\tau^{(1)}, \ldots, \tau^{(Q)}$ are chosen
at the very beginning of the game.
Since $(\mathsf{Msg}^\star,sig^\star)$ is a Type II forgery, there exists an index $i^\star \in \{1,\ldots,Q\}$ such that $\tau^\star =\tau^{(i^\star)} $.
\item[\textsf{Game} 1:] This game is identical to \textsf{Game} $0$ with the difference that the reduction aborts the experiment in the unlikely event that, in the adversary's forgery
$sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, $\tau^\star$ coincides with more than one of the random $\ell$-bit strings $\tau^{(1)}, \ldots, \tau^{(Q)}$
used by the challenger. If we call $F_1$ the latter event, we have $\Pr[F_1] < Q^2/2^\ell$ since we are guaranteed to have $\neg F_1$ as long as no two $\tau^{(i)}$, $\tau^{(i')}$ collide.
Given that \textsf{Game} $1$ is identical to \textsf{Game} $0$ until $F_1$ occurs, we have $|\Pr[W_1]-\Pr[W_0]| \leq \Pr[F_1] < Q^2/2^\ell$.
\item[\textsf{Game} 2:] This game is like \textsf{Game} $1$ with the following difference. At the outset of the game, the challenger $\bdv$ chooses a random index
$i^\dagger \sample U(\{1,\ldots,Q\})$ as a guess that $\adv$'s forgery will recycle the $\ell$-bit string $\tau^{(i^\dagger)} \in \{0,1\}^\ell$ of the $i^\dagger$-th signing query.
When $\adv$ outputs its Type II forgery $sig^\star=(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star)$, the challenger aborts
in the event that $\tau^{(i^\dagger)} \neq \tau^\star$ (i.e., $i^\dagger \neq i^\star$). Since the choice of $i^\dagger $ in $\{1,\ldots,Q\}$ is independent of $\adv$'s view, we
have $\Pr[W_2]=\Pr[W_1]/Q$.
\item[\textsf{Game} 3:] In this game, we modify the key generation phase and the way to answer signing queries.
First, the challenger $\bdv$ randomly picks $h_0,h_1,\ldots,h_\ell \in \Zq$ subject to the constraints
\begin{eqnarray*}
h_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot h_j &=& 0 \bmod q \\
h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j & \neq & 0 \bmod q \qquad \qquad i \in \{1,\ldots,Q\} \setminus \{i^\dagger\}
\end{eqnarray*}
It runs $(\mathbf{C},\mathbf{T}_{\mathbf{C}}) \leftarrow \mathsf{TrapGen}(1^n,1^m,q)$,
$(\mathbf{D}_0,\mathbf{T}_{\mathbf{D}_0}) \leftarrow \mathsf{TrapGen}(1^{2n},1^{2m},q)$ so as to obtain statistically random matrices $\mathbf{C} \in \Zq^{n \times m} $, $\mathbf{D}_0 \in \Zq^{2n \times 2m}$ with
trapdoors $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, $\mathbf{T}_{\mathbf{D}_0} \in \ZZ^{2m \times 2m}$ consisting of short bases of $\Lambda_q^{\perp}(\mathbf{C})$ and $\Lambda_q^{\perp}(\mathbf{D}_0)$, respectively. Then,
$\bdv$
chooses
a uniformly random $\mathbf{D} \sample U(\Zq^{n \times m})$ and re-randomizes it using short matrices
$\mathbf{S},\mathbf{S}_0,\mathbf{S}_1,\ldots,\mathbf{S}_{\ell} \sample \ZZ^{m \times m}$, which are obtained
by sampling their columns from the distribution $D_{\ZZ^m,\sigma}$. Namely, from $\mathbf{D} \in \Zq^{n \times m}$, $\bdv$
defines
\begin{eqnarray} \nonumber
\mathbf{A} &=& \mathbf{D} \cdot \mathbf{S} \\ \label{setup-sig3}
\mathbf{A}_0 &=& \mathbf{D} \cdot \mathbf{S}_0 + h_0 \cdot \mathbf{C} \\ \nonumber
\mathbf{A}_j &=& \mathbf{D} \cdot \mathbf{S}_j + h_j \cdot \mathbf{C} \qquad \qquad \forall j \in \{1,\ldots,\ell\} %\\ \nonumber
%\mathbf{D}_k &=& \mathbf{D} \cdot \mathbf{R}_k \qquad \qquad \qquad \quad~ \forall k \in \{1,\ldots,N\}.
\end{eqnarray}
In addition, $\bdv$ picks random matrices $\mathbf{D}_1,\ldots,\mathbf{D}_N \sample U(\Zq^{2n \times 2m})$ and a random vector $\mathbf{c}_M \sample U(\Zq^{2n})$. It samples
short vectors $\mathbf{v}_1 ,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ and computes $\mathbf{u} \in \Zq^n$
as $\mathbf{u} = \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
\left[
\begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2
\end{array} \right]
- \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q$, where
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}} &=& \left[
\begin{array}{c|c} \mathbf{A} ~ & ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{A}_j
\end{array} \right] \\ &=& \left[
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ & ~ \mathbf{D}\cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
\end{array} \right] .
\end{eqnarray*}
The adversary's signing queries are then answered as follows.
\begin{itemize}
\item At the $i$-th signing query $ (\mathfrak{m}_1^{(i)},\ldots,\mathfrak{m}_N^{(i)})$, whenever $i \neq i^\dagger$, we have
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i)}} &=& \left[
\begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf{A}_j
\end{array} \right] \\
&=& \left[
\begin{array}{c|c} \mathbf{A} ~ & ~ \mathbf{D} \cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf{S}_j) + h_{\tau^{(i)}} \cdot \mathbf{C}
\end{array} \right]
\in \Zq^{ n \times 2m},
\end{eqnarray*}
with $h_{\tau^{(i)}} = h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0$. This implies that $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ first samples a discrete Gaussian vector $\vec{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes $\mathbf{u}_M \in \Zq^n$ as
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } ) ~~ \bmod q.$$ Then,
using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, it samples a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
that $(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ satisfies (\ref{ver-eq-block}).
\item At the $i^\dagger$-th signing query $ (\mathfrak{m}_1^{(i^\dagger)},\ldots,\mathfrak{m}_N^{(i^\dagger)})$, we have
\begin{eqnarray} \nonumber
\mathbf{A}_{\tau^{(i^\dagger)}} &=& \left[
\begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{A}_j
\end{array} \right] \\
\label{i-mat} &=& \left[
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~&~ \mathbf{D} \cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
\end{array} \right]
\in \Zq^{ n \times 2m} \quad
\end{eqnarray}
due to the constraint $h_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot h_j = 0 \bmod q $.
To answer the query, $\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_0} \in \ZZ^{2m \times 2m}$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ to sample a short vector
$\mathbf{s}^{(i^\dagger)} \in D_{\Lambda_q^{\mathbf{c}'_M} (\mathbf{D}_0), \sigma_1}$, where $\mathbf{c}'_M = \mathbf{c}_M - \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } \in \Zq^{2n}$.
The obtained vector $\mathbf{s}^{(i^\dagger)} \in \ZZ^{2m}$ thus verifies
\begin{eqnarray} \label{sim-s}
\mathbf{D}_0 \cdot {\mathbf{s}^{(i^\dagger)} } &=&
\mathbf{c}_M - \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } ~\bmod q,
\quad
\end{eqnarray}
and $\adv$ receives $sig^{(i^\dagger)}=(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},\mathbf{s}^{(i^\dagger)})$, where $ \mathbf{v}^{(i^\dagger)} = (\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T $.
By construction, the returned signature $sig^{(i^\dagger)}$ satisfies
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}}
\cdot \left[ \begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2 \end{array} \right]
&=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot {\mathbf{s}^{(i^\dagger)} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } \bigr) \quad \bmod q,
\end{eqnarray*}
and the distribution of $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)},\mathbf{s}^{(i^\dagger)})$ is statistically the same as in \textsf{Game} $2$.
\end{itemize}
\end{description}
We conclude that $\Pr[W_2]$ is negligibly far apart from $\Pr[W_3]$ since, by the Leftover Hash Lemma (see \cite[Le. 13]{ABB10}), the public key $PK$ in \textsf{Game} $3$ is statistically close to its distribution in \textsf{Game} $2$.
\medskip
In \textsf{Game} $3$, we claim that the challenger $\bdv$ can use $\adv$ to solve the $\mathsf{SIS}$ problem by finding a short vector of $\Lambda_q^\perp(\mathbf{D})$ with probability $\Pr[W_3]$. Indeed,
with proba\-bility $\Pr[W_3]$, the adversary outputs a valid signature $sig^\star=(\tau^{(i^\dagger)},\mathbf{v}^\star,\mathbf{s}^\star)$ on a message $\mathsf{Msg}^\star=(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ with $\| \mathbf{v}^\star \| \leq \sigma \sqrt{2m}$ and $\| \mathbf{s}^\star \| \leq \sigma_1 \sqrt{2m}$.
If we parse $\mathbf{v}^\star \in \ZZ^{2m}$ as $({\mathbf{v}_1^\star }^T \mid {\mathbf{v}_2^\star }^T )^T$ with $\mathbf{v}_1^\star,\mathbf{v}_2^\star \in \ZZ^m$, we have
the equality
\begin{eqnarray} \label{first-sol}
\mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[ \begin{array}{c}
\mathbf{v}_1^\star \\ \hline \mathbf{v}_2^\star
\end{array} \right]
&=& \mathbf{u} + \mathbf{D} \cdot \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \quad \bmod q.
\end{eqnarray}
Due to the way $\mathbf{u} \in \Zq^n$ was defined at the outset of the game, $\bdv$ also knows short vectors $\mathbf{v}^{(i^\dagger)}=(\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T \in \ZZ^{2m}$
such that
\begin{eqnarray} \label{second-sol} \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
\left[\begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2
\end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q. \end{eqnarray}
Relation (\ref{sim-s}) implies that $ \mathbf{c}_M \neq \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) $ is a non-zero vector in $\{-1,0,1\}^m$. Subtracting (\ref{second-sol}) from (\ref{first-sol}), we get
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[\begin{array}{c}
\mathbf{v}_1^\star - \mathbf{v}_1 \\ \hline \mathbf{v}_2^\star - \mathbf{v}_1
\end{array} \right]
&=& \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q,
\end{eqnarray*}
which implies
\begin{multline} \label{eq-un}
\left[
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ &~ \mathbf{D} \cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q .
\end{multline}
The above implies that the vector
\begin{eqnarray} \nonumber
\mathbf{w} &=&
\mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\
\nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \bit(\mathbf{c}_M)
\end{eqnarray}
is a short integer vector of $\Lambda_q^{\perp}(\mathbf{D})$. Indeed, its norm can be bounded as $\| \mathbf{w} \| \leq \beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $. We argue that it is non-zero with overwhelming probability. We already observed that
$ \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \bit(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
$({\mathbf{v}_1^\star}, {\mathbf{v}_2^\star} ) =({\mathbf{v}_1} , {\mathbf{v}_2}) $. Hence, we can only have $\mathbf{w}=\mathbf{0}^m$ when the equality
\begin{multline} \label{final-eq}
\mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ = \bit(\mathbf{c}_M) - \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) \qquad
\end{multline}
holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}_1$ or $\mathbf{v}_2^\star \ne \mathbf{v}_2$, the left-hand-side member of (\ref{final-eq})
is information theoretically unpredictable since the columns of matrices $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ are statistically hidden in the view of $\adv$.
Indeed, conditionally on the public key, each column of $\mathbf{S}$ and $\{\mathbf{S}_j\}_{j=0}^\ell$ has at least $n$ bits
of min-entropy, as shown by, e.g., \cite[Le. 2.7]{MP12}.
\end{proof}
\subsection{Protocols for Signing a Committed Value and Proving Possession of a Signature} \label{commit-sig}
We first show a two-party protocol whereby a user can interact with the signer in order to obtain a signature on a committed message.
In order to prove that the scheme still guarantees unforgeability for obliviously signed messages,
we will assume that each message block $\mathfrak{m}_k \in \{0,1\}^{2m}$ is obtained by encoding
the actual message $M_k =M_k[1] \ldots M_k[m] \in \{0,1\}^m$ as $\mathfrak{m}_k= \mathsf{Encode}(M_k)=( \bar{M}_k[1] , M_k[1],\ldots, \bar{M}_k[m] , M_k[m] ) $. Namely,
each $0$ (respectively each $1$) is encoded as a pair $(1,0)$ (resp. $(0,1)$). The reason for this encoding is that the proof of Theorem \ref{commit-thm} requires that at least one block
$\mathfrak{m}_k^\star $ of the forgery message is $1$ while the same bit is $0$ at some specific signing query. We will show (see \cref{se:gs-lwe-stern}) that the correctness of this encoding can
be efficiently proved using Stern-like~\cite{Ste96} protocols.
To sign committed messages, a first idea is exploit the fact that our signature of Section \ref{desc-sig-protoc} blends well with the $\mathsf{SIS}$-based commitment scheme suggested by Kawachi \textit{et al.}~\cite{KTX08}.
In the latter scheme, the commitment key consists of matrices $(\mathbf{D}_0,\mathbf{D}_1) \in \Zq^{2n \times 2m} \times \Zq^{2n \times 2m}$, so that message
$\mathfrak{m} \in \{0,1\}^{2m}$ can be committed to by sampling a Gaussian vector $\mathbf{s} \sample D_{\ZZ^{2m},\sigma}$ and computing
$\mathbf{C}= \mathbf{D}_0 \cdot \mathbf{s} + \mathbf{D}_1 \cdot \mathfrak{m} \in \Zq^{2n}$. This scheme extends to commit to multiple messages $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ at once by computing
$\mathbf{C}=\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \Zq^{2n}$ using a longer
commitment key $(\mathbf{D}_0,\mathbf{D}_1,\ldots,\mathbf{D}_N) \in (\Zq^{2n \times 2m})^{N+1} $. It is easy to see that the resulting commitment remains statistically hiding and computationally
binding under the $\mathsf{SIS}$ assumption.
%If we assume that the signer only sees perfectly hiding commitments $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$ and $\mathbf{C}= \mathbf{B}_0 \cdot %\mathbf{r} + \sum_{k=1}^N \mathbf{B}_k \cdot \mathfrak{m}_k$ to the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N) \in (\{0,1\}^m)^N$ on which the
%user wants to obtain a signature, a simple way for the
%user to prove that $\mathbf{C}$ and $ \mathbf{c}_{\mathfrak{m}}$ are commitments to the same message is to
% generate a witness indistinguishable proof of knowledge of a short vector
% $$\mathbf{v}=[ \mathfrak{m}_1^T \mid \ldots \mid \mathfrak{m}_N^T \mid \mathbf{r}^T \mid {\mathbf{s}'}^T ]^T \in (\{0,1\}^m)^N \times (\ZZ^m)^2 $$ satisfying
% \begin{eqnarray*}
% \left[ \begin{array}{c|c|c|c|c|c}
%\mathbf{B}_1 ~ & ~ \mathbf{B}_2 ~ & ~ \ldots ~ &~ \mathbf{B}_{N} ~& ~ \mathbf{B}_0 ~ & \\ \hline
% \mathbf{D}_1 ~ & ~ \mathbf{D}_2~ & ~ \ldots ~ & ~\mathbf{D}_N~ & & ~ \mathbf{D}_0~
% \end{array} \right] \cdot \mathbf{v}
%= \begin{bmatrix}
%\mathbf{C} \\ \hline \mathbf{c}_{\mathfrak{m}}
%\end{bmatrix}.
%\end{eqnarray*}
In order to make our construction usable in the definitional framework of Camenisch \textit{et al.} \cite{CKL+15}, we assume common public parameters
(i.e., a common reference string) and encrypt all witnesses of which knowledge is being proved under a public key included in the common reference string. The resulting ciphertexts thus serve as statistically binding commitments
to the witnesses.
To enable this, the common public parameters comprise public keys $\mathbf{G}_0 \in \Zq^{n \times \ell}$, $\mathbf{G}_1 \in \Zq^{n \times 2m}$
for multi-bit variants of the dual Regev cryptosystem \cite{GPV08} and all parties are denied access to the underlying private keys. The flexibility of Stern-like protocols allows us to prove that the content of a perfectly hiding commitment $ \mathbf{c}_{\mathfrak{m}}$ is consistent with
encrypted values.%, the protocols of Ling \textit{et al.} \cite{LNW15} come in handy.
\begin{description}
\item[\textsf{Global}\textrm{-}\textsf{Setup}:] Let $B = \sqrt{n} \omega(\log n)$ and let $\chi$ be a $B$-bounded distribution.
Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled from the distribution~$D_{\ZZ^{2m},\sigma}$.
Generate two public keys for the dual Regev encryption scheme
in its multi-bit variant. These keys consists of a public random matrix
$\mathbf{B} \sample U(\Zq^{n \times m})$ and random matrices $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \Zq^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \Zq^{n \times 2m}$,
where $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ are short Gaussian matrices with columns sampled from $D_{\ZZ^{m},\sigma}$. These matrices will be
used to encrypt integer vectors of dimension $\ell$ and $2m$, respectively. Finally, generate public parameters $CK:=\{ \mathbf{D}_k \}_{k=0}^N$ consisting of uniformly
random matrices $\mathbf{D}_k \sample U(\Zq^{2n \times 2m})$ for a statistically hiding commitment
to vectors in $(\{0,1\}^{2m})^N$.
Return public parameters consisting of
$$ \mathsf{par}:= \{ ~\mathbf{B} \in \Zq^{n \times m} ,~\mathbf{G}_0 \in \Zq^{n \times \ell},~\mathbf{G}_1 \in \Zq^{n \times 2m},~CK \}. $$
%where $p > \sigma_1 \sqrt{m}$ upper-bounds entries of vectors sampled from the distribution $D_{\ZZ^m,\sigma_1}$,
\item[\textsf{Issue} $\leftrightarrow$ \textsf{Obtain} :] The signer $S$, who holds a key pair $PK:=\{ \mathbf{A} , ~\{\mathbf{A}_j\}_{j=0}^\ell,~\mathbf{D},~\mathbf{u} \}$, $SK:=\mathbf{T}_{\mathbf{A}}$, interacts with the user $U$
who has a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, in the following interactive protocol. \smallskip
\begin{itemize}
\item[1.] $U$ samples $\mathbf{s}' \sample D_{\ZZ^{2m},\sigma} $ and computes $ \mathbf{c}_{\mathfrak{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n}$
which is sent to $S$ as a commitment to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$. In addition, $U$ encrypts $\{\mathfrak{m}_k\}_{k=1}^N$ and $\mathbf{s}'$ under the dual-Regev public key $(\mathbf{B},\mathbf{G}_1)$
by computing for all $k \in \{1,\ldots,N\}$:
\begin{eqnarray} \label{enc-Mk} \nonumber
\mathbf{c}_{k} &=& (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m} \qquad %\forall k\in \{1,\ldots,N\}
%\qquad
\end{eqnarray}
for randomly chosen $\mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
and \begin{eqnarray} \label{enc-s} \nonumber
\mathbf{c}_{s'} &=& (\mathbf{c}_{s',1},\mathbf{c}_{s',2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s}' \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
\end{eqnarray}
where $\mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{0,1} \sample \chi^m$, $\mathbf{e}_{0,2} \sample \chi^{2m}$. The ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ are
sent to $S$ along with $\mathbf{c}_{\mathfrak{m}}$.
Then, $U$ generates an interactive zero-knowledge argument to convince~$S$ that
$ \mathbf{c}_{\mathfrak{m}}$ is a commitment to $(\mathfrak{m}_1, \ldots, \mathfrak{m}_N)$ with the randomness $\mathbf{s}'$ such that $\{\mathfrak{m}_k\}_{k=1}^N$ and
$\mathbf{s}'$ were honestly encrypted to $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$, as in~(\ref{enc-Mk}) and~(\ref{enc-s}).
%is consistent with the messages encrypted in $\{ \mathbf{c}_{k} \}_{i=1}^N$ and $\mathbf{c}_{s'}$.
For convenience, this argument system will be described in Section~\ref{subsection:zk-for-commitments}, where we demonstrate that, together with other zero-knowledge protocols used in this work, it can be derived from a Stern-like~\cite{Ste96} protocol constructed in \cref{se:gs-lwe-stern}.
\item[2.] If the argument of step 1 properly verifies, $S$ samples $\mathbf{s}'' \sample D_{\ZZ^{2m},\sigma_0}$ and computes
a vector $\mathbf{u}_{\mathfrak{m}}= \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{c}_{\mathfrak{m}} + \mathbf{D}_0 \cdot \mathbf{s}'' \bigr) \in \Zq^n$.
Next, $S$ randomly picks $\tau \sample \{0,1\}^\ell$ and
uses $\mathbf{T}_{\mathbf{A}}$ to compute a delegated basis $\mathbf{T}_{\tau} \in \ZZ^{2m \times 2m}$ for the matrix $\mathbf{A}_{\tau} \in \Zq^{n \times 2m}$ of (\ref{tau-matrix}).
Using $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, $S$ samples a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_\tau), \sigma}$. It returns
the vector $( \tau,\mathbf{v},\mathbf{s}'') \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m} $ to $U$.
\item[3.] $U$ computes $\mathbf{s} = \mathbf{s}'+\mathbf{s}''$ over $\ZZ$ and verifies that $$\mathbf{A}_{\tau} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \bit
\bigl( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \bigr) \bmod q.$$ If so, it outputs $(\tau,\mathbf{v},\mathbf{s})$. Otherwise, it outputs $\perp$.
\end{itemize}
\end{description}
Note that, if both parties faithfully run the protocol, the user obtains a valid signature $(\tau,\mathbf{v},\mathbf{s})$ for which the distribution of $\mathbf{s}$ is $D_{\ZZ^{2m},\sigma_1}$,
where $\sigma_1=\sqrt{\sigma^2 + \sigma_0^2}$.
The following protocol allows proving possession of a message-signature pair.
\begin{description}
\item[\textsf{Prove}:] On input of a signature $(\tau,\mathbf{v}=(\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T,\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$ on the message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, the user
does the following. \smallskip \smallskip
\begin{itemize}
\item[1.] Using $(\mathbf{B},\mathbf{G}_0)$ and $(\mathbf{B},\mathbf{G}_1)$ generate perfectly binding commitments to $\tau \in \{0,1\}^\ell$, $\{\mathfrak{m}_k \}_{k=1}^N$,
$\mathbf{v}_1,\mathbf{v}_2 \in \ZZ^m$ and $\mathbf{s} \in \ZZ^{2m}$. Namely, compute
\begin{eqnarray*} \nonumber
\mathbf{c}_{\tau} &=& (\mathbf{c}_{\tau,1},\mathbf{c}_{\tau,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,1} ,~ \mathbf{G}_0^T \cdot \mathbf{s}_{\tau} + \mathbf{e}_{\tau,2} + \tau
\cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^\ell, \\
\mathbf{c}_{k} &=& (\mathbf{c}_{k,1},\mathbf{c}_{k,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \mathfrak{m}_k \cdot \lfloor q/2 \rfloor \big) \in \Zq^m \times \Zq^{2m}
\\ && \hspace{7.6cm} \forall k\in \{1,\ldots,N\} \qquad
\end{eqnarray*}
where $\mathbf{s}_{\tau}, \mathbf{s}_{k} \sample \chi^n$, $\mathbf{e}_{\tau,1} , \mathbf{e}_{k,1} \sample \chi^m$, $\mathbf{e}_{\tau,2} \sample \chi^\ell$, $\mathbf{e}_{k,2} \sample \chi^{2m}$,
as well as \begin{eqnarray*} \nonumber
\mathbf{c}_{\mathbf{v}} &=& (\mathbf{c}_{\mathbf{v},1},\mathbf{c}_{\mathbf{v},2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m}
\\
%\mathbf{c}_{\mathbf{v}_2} &=& (\mathbf{c}_{\mathbf{v}_2,1},\mathbf{c}_{\mathbf{v}_2,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ,~ \mathbf{G}_1^T %\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2} + \mathbf{v}_2 \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^m \\
\mathbf{c}_{s} &=& (\mathbf{c}_{s,1},\mathbf{c}_{s,2}) \\ &=& \big( \mathbf{B}^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,1} ,~ \mathbf{G}_1^T \cdot \mathbf{s}_{0} + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor \big) \in \Zq^m \times \Zq^{2m} ,
\end{eqnarray*}
where $\mathbf{s}_{\mathbf{v}}, \mathbf{s}_{0} \sample \chi^n$, $\mathbf{e}_{\mathbf{v},1},\mathbf{e}_{0,1} \sample \chi^m$,
$\mathbf{e}_{\mathbf{v},2},\mathbf{e}_{0,2}\sample \chi^{2m}$.
\item[2.] Prove in zero-knowledge that $\mathbf{c}_{\tau}$, $\mathbf{c}_{s}$, $\mathbf{c}_{\mathbf{v} }$, $\{\mathbf{c}_k\}_{k=1}^N$ encrypt a valid message-signature pair. In Section~\ref{subsection:zk-for-signature}, we show that this involved zero-knowledge protocol can be derived from the statistical zero-knowledge argument of knowledge for a simpler, but more general relation that we explicitly present in \cref{se:gs-lwe-stern}. The proof system can be made statistically ZK for a malicious verifier using standard techniques (assuming a common reference string, we can use \cite{Dam00}). In the random oracle model, it can
be made non-interactive using the Fiat-Shamir heuristic \cite{FS86}.
\end{itemize}
\end{description}
%To establish the security of the protocol,
We require that the adversary be unable to prove possession of a signature of a message $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$ for which it did not legally
obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing
query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$.
In instantiations using non-interactive proofs, we assume that these can be bound to a verifier-chosen nonce to prevent replay attacks, as suggested in \cite{CKL+15}.
The security proof (in Theorem \ref{commit-thm}) makes crucial use of the R\'enyi divergence using arguments in the spirit of Bai \textit{et al.} \cite{BLL+15}. The
reduction has to guess upfront the index $i^\star \in \{1,\ldots,Q\}$ of the specific signing query for which the adversary will re-use $\tau^{(i^\star)}$. For
this query, the reduction will have to make sure that the simulation trapdoor of Agrawal \textit{et al.} \cite{ABB10} (used by the $\mathsf{SampleRight}$ algorithm
of Lemma \ref{lem:sampler}) vanishes: otherwise, the adversary's forgery would not be usable for solving $\mathsf{SIS}$. This means that, as in the proof of
\cite{BHJ+15}, the reduction must answer exactly one signing query in a different way, without using the trapdoor. While B\"ohl \textit{et al.} solve this
problem by exploiting the fact that they only need to prove security against non-adaptive forgers, we directly use a built-in chameleon hash function mechanism
which is implicitly realized by the matrix $\mathbf{D}_0$ and the vector $\mathbf{s}$. Namely, in the signing query for which the Agrawal \textit{et al.}
trapdoor~\cite{ABB10} cancels, we assign a special value to the vector $\mathbf{s} \in \ZZ^{2m}$, which depends on the adaptively-chosen signed message
$(\mathsf{Msg}_1^{(i^\star)},\ldots,\mathsf{Msg}_N^{(i^\star)})$ and some Gaussian matrices $\{\mathbf{R}_k\}_{k=1}^N$ hidden behind $\{\mathbf{D}_k\}_{k=1}^N$.
One issue is that this results in a different distribution for the vector $\mathbf{s} \in \ZZ^m$. However, we can still view $\mathbf{s}$ as a vector sampled from a
Gaussian distribution centered away from $\mathbf{0}^{2m}$. Since this specific situation occurs only once during the simulation, we can apply a result proved in
\cite{LSS14} which upper-bounds the R\'enyi divergence between two Gaussian distributions with identical standard deviations but different centers. By
choosing the standard deviation $\sigma_1$ of $\mathbf{s} \in \ZZ^{2m}$ to be polynomially larger than that of the columns of matrices $\{\mathbf{R}_k\}_{k=1}^N$, we can
keep the R\'enyi divergence between the two distributions of $\mathbf{s}$ (i.e., the one of the simulation and the one of the real game) sufficiently small to apply
the probability preservation property (which still gives a polynomial reduction since the argument must only be applied on one signing query). Namely, the
latter implies that, if the R\'enyi divergence $R_2(\mathbf{s}^{\mathsf{real}}||\mathbf{s}^{\mathsf{sim}})$ is polynomial, the probability that the simulated vector
$\mathbf{s}^{\mathsf{sim}} \in \ZZ^{2m}$ passes the verification test will only be polynomially smaller than in the real game and so will be the adversary's
probability of success.
Another option would have been to keep the statistical distance between $\mathbf{s}^{\mathsf{real}}$ and $\mathbf{s}^{\mathsf{sim}}$ negligible using the smudging
technique of \cite{AJL+12}. However, this would have implied to use an exponentially large modulus $q$ since $\sigma_1$ should have been exponentially larger
than the standard deviations of the columns of $\{\mathbf{R}_k\}_{k=1}^N$.
\begin{theorem} \label{commit-thm}
Under the $\mathsf{SIS}_{n,2m, q, \hat{\beta}}$ assumption, where $\hat{\beta} = N \sigma (2m)^{3/2} + 4 \sigma_1 m^{3/2}$\hspace*{-1.5pt}, the above
protocols are secure protocols for obtaining a signature on a committed message and proving possession of a valid message-signature pair.
\end{theorem}
In the following proof, we make use of the Rényi divergence in a similar way to~\cite{BLL+15}:
instead of the classical statistical distance we sometimes use the R\'enyi divergence, which is a measurement of the distance between two distributions.
Its use in security proofs for lattice-based systems was first considered by Bai {\em et al.}~\cite{BLL+15} and further improved by Prest~\cite{Pre17}. We first recall its definition.
\defRenyi*
We will focus on the following properties of the R\'enyi divergence, the proofs can be found in~\cite{LSS14}.
\begin{lemma}[{\cite[Le. 2.7]{BLL+15}}]
\label{lem:renyi}
Let $a \in [1, +\infty]$. Let $P$ and $Q$ denote distributions with $\Supp(P)
\subseteq \Supp(Q)$. Then the following properties hold:
\begin{description}
\item[Log. Positivity:] $R_a(P||Q) \geq R_a(P||P) = 1$
\item[Data Processing Inequality:] $R_a(P^f || Q^f) \leq R_a(P||Q)$ for any
function $f$, where $P^f$ denotes the distribution of $f(y)$ induced by
sampling $y \sample P$ (resp. $y \sample Q$)
\item[Multiplicativity:] Assume $P$ and $Q$ are two distributions of a pair
of random variables $(Y_1, Y_2)$. For $i \in \{1,2\}$, let $P_i$ (resp.
$Q_i$) denote the marginal distribution of $Y_i$ under $P$ (resp. $Q$),
and let $P_{2|1}(\cdot|y_1)$ (resp. $Q_{2|1}(\cdot|y_1)$) denote the conditional distribution of $Y_2$ given that $Y_1 = y_1$. Then we have:
\begin{itemize} \renewcommand\labelitemi{$\bullet$}
\item $R_a(P||Q) = P_a(P_1 || Q_1) \cdot R_a(P_2||Q_2)$ if $Y_B$ and $Y_2$ are independent;
\item $R_a(P||Q) \leq R_\infty (P_1 || Q_1) \cdot max_{y_1 \in X} R_a\left( P_{2|1}(\cdot | y_1) || Q_{2|1}(\cdot | y_1) \right)$.
\end{itemize}
\item[Probability Preservation:] Let $A \subseteq \Supp(Q)$ be an arbitrary
event. If $a \in ]1, +\infty[$, then $Q(A) \geq
P(A)^{\frac{a}{a-1}}/R_a(P||Q)$. Further we have:
\[ Q(A) \geq P(A) / R_\infty(P||Q) \]
\item[Weak Triangle Inequality:] Let $P_1, P_2, P_3$ be three distributions
with \[\Supp(P_1) \subseteq \Supp(P_2) \subseteq \Supp(P_3).\]
Then we have:
\[ R_a(P_1||P_3) \leq \begin{cases}
R_a(P_1 || P_2) \cdot R_\infty(P_2 || P_3),\\[2mm]
R_\infty(P_1||P_2)^{\frac{a}{a-1}} \cdot R_a(P_2||P_3) & \mbox{if } a \in ]1, +\infty[.
\end{cases}\]
\end{description}
\end{lemma}
In our proofs, we mainly use the probability preservation to bound the
probabilities during hybrid games where the two distributions are not close in terms of statistical distance.
%--------- PROOF ----------
\begin{proof} The proof is very similar to the proof of \cref{th:gs-lwe-security-cma-sig} and we will only explain the changes.
Assuming that an adversary $\adv$ can prove possession of a signature on a message $(\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star)$ which has not been blindly signed by the issuer,
we outline an algorithm $\bdv$ that solves a $\mathsf{SIS}_{n,2m,q,\beta}$ instance $\bar{\mathbf{A}}$, where $\bar{\mathbf{A}} =
[ \bar{\mathbf{A}}_1 \mid \bar{\mathbf{A}}_2 ] \in \ZZ_q^{ n \times 2m}$ with
$\bar{\mathbf{A}}_1, \bar{\mathbf{A}}_2 \in U(\ZZ_q^{n \times m})$.
At the outset of the game, $\bdv$ generates the common parameters $\mathsf{par}$ by choosing
$\mathbf{B} \in_R \ZZ_q^{n \times m}$ and defining $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \ZZ_q^{n \times \ell }$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \ZZ_q^{n \times 2m}$.
The short Gaussian matrices $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ are retained for later use. Also, $\bdv$ flips a coin $coin \in \{0,1,2\}$ as
a guess for the kind of attack that $\adv$ will mount. If $coin=0$, $\bdv$ expects a Type I forgery, where $\adv$'s forgery involves a new $\tau^\star \in \{0,1\}^\ell$ that
was never used by the signing oracle. If $coin=1$, $\bdv$ expects $\adv$ to recycle a tag $\tau^\star$ involved in some signing query in its forgery. Namely,
if $coin=1$, $\bdv$ expects an attack which is either a Type II forgery or a Type III forgery.
If $coin=2$, $\bdv$ rather bets that $\adv$ will break the soundness of the interactive argument systems used in the signature issuing protocol or the $\mathsf{Prove}$ protocol.
Depending on the value of $coin \in \{0,1,2 \}$, $\bdv$ generates the issuer's public key $PK$ and simulates $\adv$'s view in different ways. \medskip
\noindent $\bullet$ If $coin=0$, $\bdv$ undertakes to find a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)$, which in turn yields a short non-zero vector
of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$. To this end, it defines $\mathbf{A}=\bar{\mathbf{A}}_1$ and
generates $PK$ by computing $\{\mathbf{A}_j\}_{j=0}^\ell$ as re-randomizations of $\mathbf{A} \in \ZZ_q^{n \times m}$ as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}. This implies that $\bdv$ can always answer signing queries using the trapdoor $\mathbf{T}_{\mathbf{C}}
\in \ZZ^{m \times m}$ of the matrix $\mathbf{C}$ without even knowing the messages hidden in the commitments $ \mathbf{c}_{\mathfrak{m}}$ and $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{s'}$.
When the adversary generates a proof of possession of its own at the end of the game, $\bdv$ uses the matrices $\mathbf{E}_0 \in \ZZ^{ m \times \ell}$ and $\mathbf{E}_1 \in \ZZ^{m \times 2m}$
as an extraction trapdoor to extract a plain message-signature pair $\big( (\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star), (\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star) \big)$
from the ciphertexts
$\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2^\star})$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ produced by $\adv$ as part of its forgery.
If the extracted $\tau^\star$ is not a new tag, then $\bdv$ aborts. Otherwise, it can solve the given $\mathsf{SIS}$ instance exactly as in the proof of Lemma \ref{le:lwe-gs-type-I-attacks}.
\medskip
\noindent $\bullet$ If $coin=1$, the proof proceeds as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks} with one difference in \textsf{Game} $3$. This difference is that \textsf{Game} $3$ is no longer statistically
indistinguishable from \textsf{Game} $2$: instead, we rely on an argument based on the R\'enyi divergence.
In \textsf{Game} $3$, $\bdv$ generates $PK$ exactly as in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}. This implies that $\bdv$ takes a guess $i^\dagger \leftarrow U(\{1,\ldots,Q\})$
with the hope that $\adv$ will choose to recycle the tag $\tau^{(i^\dagger)} $ of the $i^\dagger$-th signing query (i.e., $ \tau^\star =\tau^{(i^\dagger)} $).
As in the proof of Lemma \ref{le:lwe-gs-type-II-attacks}, $\bdv$ defines $\mathbf{D}=\bar{\mathbf{A}}_1 \in \ZZ_q^{n \times m}$ and $\mathbf{A}= \bar{\mathbf{A}}_1 \cdot \mathbf{S} $ for a small-norm
matrix $\mathbf{S} \in \ZZ^{m \times m}$ with Gaussian entries. It also ``programs'' the matrices $\{ \mathbf{A}_j\}_{j=0}^\ell$ in such a way that
the trapdoor precisely vanishes at the $i^\dagger$-th signing query: in other words,
the sum $$\mathbf{A}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \mathbf{A}_j = \bar{\mathbf{A}}_1 \cdot (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot \mathbf{S}_j) + (h_0 + \sum_{j=1}^\ell \tau^{(i)} [j] \cdot h_j ) \cdot \mathbf{C} $$ does not depend on the matrix $\mathbf{C} \in \ZZ_q^{n \times m}$
(of which a trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ is known to $\bdv$) when $\tau^{(i)} = \tau^{(i^\dagger)}$, but it does for all other tags $\tau^{(i)} \neq \tau^{(i^\dagger)}$. In the setup phase,
$\bdv$ also sets up a random matrix $\mathbf{D}_0 \in U(\ZZ_q^{2n \times 2m})$ which it obtains by choosing
$\mathbf{A}' \sample U(\ZZ_q^{n \times 2m})$ to define
\begin{eqnarray} \label{def-D0}
\mathbf{D}_0=\begin{bmatrix} \bar{\mathbf{A}} \\ \hline \mathbf{A}' \end{bmatrix} \in \ZZ_q^{2n \times 2m}.
\end{eqnarray}
Then, it computes $\mathbf{c}_M = \mathbf{D}_0 \cdot \mathbf{s}_0 \in \ZZ_q^{2n}$ for a short Gaussian vector
$\mathbf{s}_0 \sample D_{\ZZ^{2m},\sigma_0}$, which will be used in the $i^\dagger$-th query.
Next, it samples short vectors $\mathbf{v}_1,\mathbf{v}_2 \sample D_{\ZZ^m,\sigma}$ to define
$$\mathbf{u}= \mathbf{A}_{\tau^{(i^\dagger)}} \cdot \begin{bmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{bmatrix} - \mathbf{D} \cdot \bit (\mathbf{c}_M) ~ \in \ZZ_q^n.$$
In addition, $\bdv$ picks extra small-norm matrices $\mathbf{R}_1,\ldots,\mathbf{R}_N \sample \ZZ^{2m \times 2m}$ whose columns are sampled from $D_{\ZZ^m,\sigma}$, which
are used to define randomizations of $\mathbf{D}_0$ by computing $\mathbf{D}_k = \mathbf{D}_0 \cdot \mathbf{R}_k$ for each $k \in \{1,\ldots,N\}$.
The adversary is given public parameters $\mathsf{par}:=\{\mathbf{B},\mathbf{G}_0,\mathbf{G}_1,CK\}$, where $CK=\{\mathbf{D}_k\}_{k=0}^N$, and the public key $PK:=\big( \mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D},\mathbf{u} \big)$.
Using $\mathbf{T}_{\mathbf{C}}$,
$\bdv$ can perfectly emulate the signing oracle at all queries, except the $i^\dagger$-th query where the
vector ${\mathbf{s}''}^{(i^\dagger)}$ chosen by $\bdv$ is sampled from a distribution that departs from $D_{\ZZ^{2m},\sigma_0}$. At the $i^\dagger$-th query,
$\bdv$ uses the extraction trapdoor $\mathbf{E}_1 \in \ZZ^{m \times 2m}$ to obtain $ {\mathbf{s}' }^{(i^\dagger)} \in \ZZ^{2m}$ and $\{\mathfrak{m}_k\}_{k=1}^N$ -- which form a valid opening
of $\mathbf{c}_{\mathfrak{m}}$ unless the soundness of the proof system is broken (note that the latter case is addressed by the situation $coin=3$) -- from the ciphertexts
$\mathbf{c}_{s'}^{(i^\dagger)} $ and $\{ \mathbf{c}_k\}_{k=1}^N$ sent by $\adv$ at step 1 of the signing protocol. Then, $\bdv$
computes the vector ${\mathbf{s}''}^{(i^\dagger)}$ as
\begin{eqnarray} \label{sim-s-prime}
{\mathbf{s}'' }^{(i^\dagger)} = \mathbf{s}_0 - \sum_{k=1}^N \mathbf{R}_k \cdot \mathfrak{m}_k^{(i^\dagger)} - {\mathbf{s}' }^{(i^\dagger)} \in \ZZ^{2m},
\end{eqnarray}
which satisfies $\mathbf{c}_M=\sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^{(i^\dagger)} + \mathbf{D}_0 \cdot ({\mathbf{s}' }^{(i^\dagger)} + {\mathbf{s}'' }^{(i^\dagger)} ) $ and
allows returning $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)}, {\mathbf{s}'' }^{(i^\dagger)} )$ such that
$(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)}, {\mathbf{s}' }^{(i^\dagger)} + {\mathbf{s}'' }^{(i^\dagger)} )$ satisfies the verification
equation of the signature scheme. Moreover, we argue that, with noticeable probability, the integer
vector ${\mathbf{s} }^{(i^\dagger)} ={\mathbf{s}' }^{(i^\dagger)} + {\mathbf{s}'' }^{(i^\dagger)}$ will be accepted by the verification algorithm since the R\'enyi divergence
between the simulated distribution of ${\mathbf{s}'' }^{(i^\dagger)}$ and its distribution in the real game will be sufficiently small. Indeed, its distribution
is now that of a Gaussian vector $D_{\ZZ^{2m},\sigma_0,\mathbf{z}^\dagger }$ centered in $$\mathbf{z}^\dagger = - \sum_{k=1}^N
\mathbf{R}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} }
- {\mathbf{s}' }^{(i^\dagger)} \in \ZZ^{2m} ,$$ whose norm is at most $\| \mathbf{z}^\dagger \|_2 \leq N \sigma ({2m})^{3/2} + \sigma (2m)^{1/2}$. By choosing the standard deviation $\sigma_0$ to
be at least
$\sigma_0> N \sigma (2m)^{3/2} + \sigma (2m)^{1/2} $, the R\'enyi divergence between the simulated
distribution of ${\mathbf{s}'' }^{(i^\dagger)}$ (in \textsf{Game} $3$) and its real distribution (which is the one of \textsf{Game} $2$) can be kept constant: we have
\begin{eqnarray} \label{r-bound}
R_2( {\mathbf{s}'' }^{(i^\dagger),2} ||{\mathbf{s}'' }^{(i^\dagger),3} ) \leq \exp \big( 2\pi \cdot \frac{ \| \mathbf{z}^\dagger \|_2^2}{\sigma_0^2} \big) \leq \exp(2 \pi).
\end{eqnarray}
This ensures that, with noticeable
probability, $(\tau^{(i^\dagger)},\mathbf{v}^{(i^\dagger)}, {\mathbf{s} }^{(i^\dagger)} )$ will pass the verification test and lead $\adv$ to eventually output a valid forgery.
So, the success probability of $\adv$ in \textsf{Game} $3$ remains noticeable as (\ref{r-bound}) implies $\Pr[W_3] \geq \Pr[W_2]^2 / \exp(2\pi)$.
When $W_3$ occurs in \textsf{Game} $3$, $\bdv$ uses the matrices $(\mathbf{E}_0,\mathbf{E}_1)$ to extract a plain message-signature pair $\big((\mathfrak{m}_1^\star,\ldots,\mathfrak{m}_N^\star),(\tau^\star,\mathbf{v}^\star,\mathbf{s}^\star) \big)$ from the extractable commitments
$\{ \mathbf{c}_k^\star\}_{k=1}^N$ $(\mathbf{c}_{\mathbf{v}_1}^\star,\mathbf{c}_{\mathbf{v}_2}^\star)$, $\mathbf{c}_{\tau}^\star$, $\mathbf{c}_{\mathbf{s}}^\star$ generated by $\adv$.
At this point, two cases can be distinguished. First, if $\mathbf{c}_M \neq \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star + \mathbf{D}_0 \cdot \mathbf{s}^\star \bmod q$, then algorithm
$\bdv$ can
find a short vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}}_1)=\Lambda_q^{\perp}( {\mathbf{D}})$ exactly as in the proof of Lemma~\ref{le:lwe-gs-type-II-attacks}. In the event that $\mathbf{c}_M = \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k^\star + \mathbf{D}_0 \cdot \mathbf{s}^\star $,
$\bdv$ can use the fact that the collision $\mathbf{c}_M = \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i^\dagger)} } + \mathbf{D}_0 \cdot {\mathbf{s}^{(i^\dagger)} } $ allows computing
$$ \mathbf{w}= \mathbf{s}^\star -{\mathbf{s}^{(i^\dagger)}} + \sum_{k=1}^N \mathbf{R}_k \cdot \left(\mathfrak{m}_k^\star - \mathfrak{m}_k^{(i^\dagger)} \right) ~ \in \ZZ^{2m} , $$
which belongs to $\Lambda_q^{\perp}(\mathbf{D}_0)$ and has norm $\| \mathbf{w} \|_2 \leq N \sigma (2m)^{3/2} + 4 \sigma_1 m^{3/2} $. Moreover, it
is non-zero with overwhelming probability. Indeed, there exists at least one $k \in [1,N]$ such that $\mathfrak{m}_k^{(i^\dagger)} \neq \mathfrak{m}_k^\star$. Let us assume w.l.o.g.
that they differ in their first two bits where $\mathfrak{m}_k^{(i^\dagger)}$ contains a $0$ and $\mathfrak{m}_k^\star$ contains a $1$ (recall that each bit $b$
is encoded as $(\bar{b},b)$ in both messages).
This implies that $ {\mathbf{s}'' }^{(i^\dagger)} $ (as computed in (\ref{sim-s-prime})) does not depend on the first column of $\mathbf{R}_k$ but $\mathbf{w}$ does.
Hence, given that the columns of $\mathbf{R}_k$ have at least $n$ bits of min-entropy conditionally on $\mathbf{D}_k =\mathbf{D}_0 \cdot \mathbf{R}_k$, the vector
$\mathbf{w} \in \ZZ^{2m}$ is unpredictable to the adversary.
Due to the definition of $\mathbf{D}_0 \in \ZZ_q^{2n \times 2m}$ in (\ref{def-D0}), we finally note that
$\mathbf{w} \in \ZZ^{2m}$ is also a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$.
\medskip
\noindent $\bullet$ If $coin=2$, $\bdv$ faithfully generates $\mathsf{par}$ and $PK$, but it retains the extraction trapdoor $(\mathbf{E}_0,\mathbf{E}_1)$ associated with the dual Regev public keys
$(\mathbf{G}_0,\mathbf{G}_1)$. Note that $\adv$ can break the soundness of the proof system by either: (i) Generating ciphertexts
$\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{s'}$ that do not encrypt an opening of $\mathbf{c}_{\mathfrak{m}}$ in the signature issuing protocol; (ii) Generating ciphertexts
$\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_{\tau}$, $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ and $\mathbf{c}_{s}$ that do not encrypt a valid signature in the $\mathsf{Prove}$ protocol.
In either case, the reduction $\bdv$ is able to detect the event by decrypting dual Regev ciphertext using $(\mathbf{E}_0,\mathbf{E}_1)$ and create a breach in the
soundness of the argument system. \medskip
It it easy to see that, since $coin \in \{0,1,2 \}$ is chosen independently of $\adv$'s view, it turns out to be correct with probability $1/3$. As a consequence, if $\adv$'s advantage
is non-negligible, so is $\bdv$'s.
\end{proof}
\begin{theorem} \label{anon-cred}
The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.
\end{theorem}
\begin{proof}
The proof is rather straightforward and consists of a sequence of three games.
\medskip
\begin{description}
\item[\textsf{Game} 0:] This is the real game. Namely, the adversary is given common public parameters $\mathsf{par}$ and comes up with a public key $PK$ of its own.
The adversary can run oblivious signing protocols with honest users. At each query, the adversary chooses a user index $i$ and triggers an execution of the signing protocol
with the challenger emulating the honest users. At some point, the adversary chooses some user index $i^\star$ for which the execution of the signing protocol ended successfully.
At this point, the challenger $\bdv$ runs the real $\mathsf{Prove}$ protocol on behalf of user $i$. At the end of the game, the adversary outputs
a bit $b' \in \{0,1\}$. We define $W_0$ to be the event that
$b'=1$.
\smallskip
\item[\textsf{Game} 1:] This game is like \textsf{Game} $0$ with the difference that, at each execution of the $\mathsf{Prove}$ protocol, the challenger runs the zero-knowledge
simulator of the interactive proof system. The latter simulator uses either a trapdoor hidden in the common reference string (if Damg\aa rd's technique \cite{Damg00} is used) or
proceeds by programming the random oracle which allows implementing the Fiat-Shamir heuristic. In either case, the statistical zero-knowledge property ensures that the
adversary cannot distinguish \textsf{Game} $1$ from \textsf{Game} $0$ and $|\Pr[W_1] - \Pr[W_0] | \in \mathsf{negl}(\lambda)$.
\smallskip
\item[Game 3:] This game is like \textsf{Game} $1$ except that, at each execution of the $\mathsf{Prove}$ protocol, the ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$, $\mathbf{c}_s$, $\mathbf{c}_{\tau}$,
and $\mathbf{c}_{\mathbf{v}_1}$, $\mathbf{c}_{\mathbf{v}_2}$ encrypt random messages instead of the actual witnesses. The semantic security of the dual Regev cryptosystem ensures that,
under the $\LWE_{n,q,\chi}$ assumption, the adversary is unable to see the difference. Hence, we have $|\Pr[W_2] - \Pr[W_1]| \leq \mathbf{Adv}_{\bdv}^{\mathsf{LWE}}(\lambda)$.
\end{description}
\medskip
\noindent In \textsf{Game} $2$, we can notice that the adversary is interacting with a simulator that emulates the user in the $\mathsf{Prove}$ protocol \textit{without} using
any message-signature pair. We thus conclude that, under the $\LWE_{n,q,\chi}$ assumption, $\adv$'s view cannot distinguish a real proof of signature possession from a simulated proof
produced without any witness.
\end{proof}
\section{Subprotocols for Stern-like Argument}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Protocoles pour les preuves à la Stern}
\label{se:gs-lwe-stern}
\subsection{Proving the Consistency of Commitments}\label{subsection:zk-for-commitments}
The argument system used in our protocol for signing a committed value in Section~\ref{commit-sig} can be summarized as follows.
\begin{description}
\item[Common Input:] Matrices $\{\mathbf{D}_k\in \ZZ_q^{2n \times 2m}\}_{k=0}^N$; $\mathbf{B}\in \ZZ_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$;
\smallskip
\hspace*{-7.5pt}vectors $\mathbf{c}_{\mathfrak{m}} \in \mathbb{Z}_q^{2n}$; $\{\mathbf{c}_{k,1} \in \ZZ_q^{m}\}_{k=1}^N$; $\{\mathbf{c}_{k,2} \in \ZZ_q^{2m}\}_{k=1}^N$; $\mathbf{c}_{\mathbf{s}', 1} \in \ZZ_q^{m}$; $\mathbf{c}_{\mathbf{s}',2} \in \mathbb{Z}_q^{2m}$. \medskip
\item[Prover's Input:] $\mathfrak{m} = (\mathfrak{m}_1^T \| \ldots \| \mathfrak{m}_N^T)^T \in \mathsf{CorEnc}(mN)$;
$\{\mathbf{s}_{k} \in [-B,B]^n, \hspace*{2.5pt} \mathbf{e}_{k,1}\in [-B,B]^m; \hspace*{2.5pt} \mathbf{e}_{k,2}\in [-B,B]^{2m}\}_{k=1}^N$; \hspace*{5pt} $\mathbf{s}_0\in [-B,B]^n$;
$\mathbf{e}_{0,1}\in [-B,B]^m; \hspace*{5pt} \mathbf{e}_{0,2}\in [-B,B]^{2m}$; \hspace*{5pt} $\mathbf{s}' \in [-(p-1), (p-1)]^{2m}$ \smallskip
\item[Prover's Goal:] Convince the verifier in \textsf{ZK} that:
\end{description}
\vspace*{-10pt}
\begin{eqnarray}\label{equation:R-commit-statement}
\hspace*{-5pt}
\begin{cases}
\mathbf{c}_{\mathfrak{m}}= \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \bmod q; \\[2.5pt]
\mathbf{c}_{\mathbf{s}', 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} \bmod q; \hspace*{5pt}\mathbf{c}_{\mathbf{s}',2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s}'\bmod q; \\[2.5pt]
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1}; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k.
\end{cases}
\end{eqnarray}
We will show that the above argument system can be obtained from the one in \cref{sse:stern-abstraction}. We proceed in two steps.
\smallskip \smallskip
\textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-commit-statement}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
To do so, we first form the following vectors and matrices:
\[
\scriptsize
\begin{cases}
\mathbf{x}_1 \hspace*{-1pt}= \hspace*{-1pt}\big(\mathbf{s}_0^T \| \mathbf{e}_{0,1}^T \| \mathbf{e}_{0,2}^T \| \mathbf{s}_{1}^T \| \mathbf{e}_{1,1}^T \| \mathbf{e}_{1,2}^T \| \ldots \| \mathbf{s}_{N}^T \| \mathbf{e}_{N,1}^T \| \mathbf{e}_{N,2}^T \big)^T\hspace*{-3.5pt} \in \hspace*{-1.5pt}[-B,B]^{(n+3m)(N+1)}; \\[2.5pt]
%\mathbf{x}_2 = \big(\mathfrak{m}_1^T \| \ldots\| \mathfrak{m}_N^T\big)^T \in \mathsf{CorEnc}(mN); \hspace*{10pt} \mathbf{x}_3 = \mathbf{s}' \in [-(p-1), (p-1)]^{2m};\\[2.5pt]
\mathbf{v} = \big(\mathbf{c}_{\mathfrak{m}}^T \| \mathbf{c}_{\mathbf{s}',1}^T\| \mathbf{c}_{\mathbf{s}',2}^T\| \mathbf{c}_{1,1}^T \|\mathbf{c}_{1,2}^T \| \ldots \|\mathbf{c}_{N,1}^T \|\mathbf{c}_{N,2}^T \big)^T \in \mathbb{Z}_q^{2n + 3m(N+1)};\\[5pt]
%\mathbf{D} = [\mathbf{D}_1 | \ldots | \mathbf{D}_N]; \hspace*{5pt}
\mathbf{P}_1 = \left(
\begin{array}{ccc}
\begin{array}{c}
\mathbf{B}^T \\
\hline
\rule{0pt}{3ex}\mathbf{G}_1^T
\end{array}
& \vline
& \mathbf{I}_{3m}
\end{array}
\right); \hspace*{10pt}
\mathbf{Q}_2 = \left(
\begin{array}{c}
\mathbf{0} \\
\hline
\rule{0pt}{3ex}\lfloor\frac{q}{2}\rfloor\mathbf{I}_{2m}
\end{array}
\right); \hspace*{10pt}
\mathbf{Q}_p = \left(
\begin{array}{c}
\mathbf{0} \\
\hline
\rule{0pt}{3ex}\lfloor\frac{q}{p}\rfloor\mathbf{I}_{2m}
\end{array}
\right)\\[5pt]
\mathbf{M}_1 = \left(
\begin{array}{c}
\mathbf{0} \\
\hline
\rule{0pt}{3ex}
\begin{array}{cccc}
\mathbf{P}_1 & & & \\
& \mathbf{P}_1 & & \\
& & \xddots & \\
& & & \mathbf{P}_1 \\
\end{array}
\\
\end{array}
\right); \hspace*{15pt}
\mathbf{M}_2 = \left(
\begin{array}{c}
\mathbf{D}_1 | \ldots | \mathbf{D}_N \\
\hline
\rule{0pt}{3ex}
\mathbf{0} \\
\hline
\rule{0pt}{3ex}
\begin{array}{ccc}
\mathbf{Q}_2 & & \\
& \xddots & \\
& & \mathbf{Q}_2 \\
\end{array}
\\
\end{array}
\right); \hspace*{15pt}
\mathbf{M}_3 = \left(
\begin{array}{c}
\mathbf{D}_0 \\
\hline
\rule{0pt}{3ex}
\mathbf{Q}_p \\
\hline
\rule{0pt}{3ex}
\\
\mathbf{0} \\
\\
\end{array}
\right).
\end{cases}
\]
We then observe that (\ref{equation:R-commit-statement}) can be rewritten as:
\begin{eqnarray}\label{equation:R-commit-unified}
\vspace*{-5pt}
\mathbf{M}_1 \cdot \mathbf{x}_1 + \mathbf{M}_2 \cdot \mathfrak{m} + \mathbf{M}_3 \cdot \mathbf{s}' = \mathbf{v} \in \mathbb{Z}_q^D,
\end{eqnarray}
where $D = 2n + 3m(N+1)$.
Now we employ the techniques from \cref{sse:stern-abstraction} to convert~\eqref{equation:R-commit-unified} into the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q$. Specifically, if we let:
\[
\vspace*{-5pt}
\begin{cases}
\mathsf{DecExt}_{(n+3m)(N+1),B}(\mathbf{x}_1) \rightarrow \hat{\mathbf{x}}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}; \\[2.5pt]
{\mathbf{M}}'_1 = \mathbf{M}_1 \cdot \widehat{\mathbf{K}}_{(n+3m)(N+1),B} \in \ZZ_q^{D \times 3(n+3m)(N+1)\delta_B}; \\[2.5pt]
%\mathsf{Ext}_{2mN}(\mathbf{x}_2) \rightarrow \hat{\mathbf{x}}_2 \in \mathsf{B}_{2(2mN)}; \hspace*{5pt}
%{\mathbf{M}}'_2 = \big[\mathbf{M}_2 | \mathbf{0}^{D \times 2mN}] \in \mathbb{Z}_q^{D \times 4mN}; \\[5pt]
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}') \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{5pt}
{\mathbf M}'_3 = \mathbf{M}_3 \cdot \widehat{\mathbf K}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}},
\end{cases}
\]
$L = 3(n+3m)(N+1)\delta_B + 2mN + 6m\delta_{p-1}$, and $\mathbf{P} \hspace*{-1pt}= \hspace*{-1pt}\big[\mathbf{M}'_1 | \mathbf{M}_2 | \mathbf{M}'_3\big] \hspace*{-2pt}\in \hspace*{-1pt}\mathbb{Z}_q^{D \times L}$, and $\mathbf{x} = \big(\hat{\mathbf{x}}_1^T \| \mathfrak{m}^T \| \hat{\mathbf{s}}^T\big)^T$, then we will obtain the desired equation:
\[
\mathbf{P}\cdot \mathbf{x} = \mathbf{v} \bmod q.
\]
Having performed the above unification, we now define $\mathsf{VALID}$ as the set of all vectors $\mathbf{t} \hspace*{-1pt}\in\hspace*{-1pt} \{-1,0,1\}^L$ of the form $\mathbf{t}\hspace*{-1pt} =\hspace*{-1pt} \big(\mathbf{t}_1^T \| \mathbf{t}_2^T \| \mathbf{t}_3^T\big)^T$\hspace*{-2.5pt}, where $\mathbf{t}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}$, $\mathbf{t}_2 \in \mathsf{CorEnc}(mN)$, and $\mathbf{t}_3 \in \mathsf{B}^3_{2m\delta_{p-1}}$. Note that $\mathbf{x} \in \mathsf{VALID}$. \\
\smallskip
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
\begin{itemize}
\item Define $\mathcal{S}: = \mathcal{S}_{3(n+3m)(N+1)\delta_B} \times \{0,1\}^{mN} \times \mathcal{S}_{6m\delta_{p-1}}$. \smallskip
\item For $\pi = (\pi_1, \mathbf{b}, \pi_3) \in \mathcal{S}$, and for vector $\mathbf{w} = \big(\mathbf{w}_1^T \| \mathbf{w}_2^T \| \mathbf{w}_3^T\big)^T \in \mathbb{Z}_q^L$, where $\mathbf{w}_1 \in \ZZ_q^{3(n+3m)(N+1)\delta_B}$, $\mathbf{w}_2 \in \ZZ_q^{2mN}$, $\mathbf{w}_3 \in \ZZ_q^{6m\delta_{p-1}}$, we define: \vspace*{-5pt}
\[
T_{\pi} = \big(\pi_1(\mathbf{w}_1)^T \| E_{\mathbf{b}}(\mathbf{w}_2)^T \| \pi_3(\mathbf{w}_3)^T\big)^T.
\]
\end{itemize}
\vspace*{-2.5pt}
By inspection, it can be seen that the properties in~(\ref{eq:zk-equivalence}) are satisfied, as desired. As a result, we can obtain the required argument system by running the protocol in \cref{sse:stern-abstraction} with common input $(\mathbf{P}, \mathbf{v})$ and prover's input $\mathbf{x}$.
%--------------------------------------------------
\subsection{Proving the Possession of a Signature on a Committed Value}\label{subsection:zk-for-signature}
We now describe how to derive the protocol for proving the possession of a signature on a committed value, that is used in Section~\ref{commit-sig}.
\begin{description}
\item[Common Input:] Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D} \in \ZZ_q^{n \times m}$; $\{\mathbf{D}_k\in \ZZ_q^{2n \times 2m}\}_{k=0}^N$; $\mathbf{B}\in \ZZ_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$;
$\mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell}$; vectors
$ \{\mathbf{c}_{k,1}\}_{k=1}^N, \mathbf{c}_{\tau,1}, \mathbf{c}_{\mathbf{v}, 1}, \mathbf{c}_{s, 1} \in \ZZ_q^m$; $\{\mathbf{c}_{k,2}\}_{k=1}^N,\mathbf{c}_{\mathbf{v}, 2}, \mathbf{c}_{s,2} \in \ZZ_q^{2m}$; $\mathbf{c}_{\tau,2} \in \ZZ_q^\ell$; $\mathbf{u} \in \mathbb{Z}_q^n$.
\smallskip
\item[Prover's Input:] $\mathbf{v} = \left(
\begin{array}{c}
\mathbf{v}_1 \\
\mathbf{v}_2 \\
\end{array}
\right)
$, where $\mathbf{v}_1, \mathbf{v}_2\in [-\beta, \beta]^m$ and $\beta = \sigma\cdot \omega(\log m)$ - the infinity norm bound of signatures; $\tau \in \{0,1\}^\ell$; $\mathbf{s} \in [-(p-1), (p-1)]^{2m}$;
\smallskip
$\mathfrak{m} = (\mathfrak{m}_1^T \| \ldots \| \mathfrak{m}_N^T)^T \in \mathsf{CorEnc}(mN)$; $\{\mathbf{s}_{k}\}_{k=1}^N$, $\mathbf{s}_{\mathbf{v}}$, $\mathbf{s}_0$, $\mathbf{s}_\tau \in [-B,B]^n$;
\smallskip
$\{\mathbf{e}_{k,1}\}_{k=1}^N$, $\mathbf{e}_{\mathbf{v}, 1}$, $\mathbf{e}_{0,1}$, $\mathbf{e}_{\tau,1} \in [-B,B]^m$;
$\{\mathbf{e}_{k,2}\}_{k=1}^N, \mathbf{e}_{0,2},\mathbf{e}_{\mathbf{v},2} \in [-B,B]^{2m}$;
\smallskip
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
\end{description}
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: \vspace*{-7.5pt}
\begin{eqnarray}\label{equation:R-sign-signature}
\hspace*{-5pt}
\mathbf{A}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{v}_1 + \mathbf{A}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 + \sum_{i=1}^\ell \mathbf{A}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i] \mathbf{v}_2 - \mathbf{D}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) = \mathbf{u} \bmod q,\vspace*{-10pt}
\end{eqnarray}
and that (modulo $q$)
\begin{eqnarray}\label{equation:R-sign-ciphertext}
\hspace*{-12.5pt}
\begin{cases}
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \lfloor\frac{q}{p}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \left(\hspace*{-2pt}
\begin{array}{c}
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
\mathbf{0}\\
\end{array}
\hspace*{-2pt}\right)\cdot \mathbf{v}_1
\hspace*{-2pt}+ \hspace*{-2pt} \left(\hspace*{-2pt}
\begin{array}{c}
\mathbf{0}\\
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
\end{array}
\hspace*{-2pt}\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v}_2
; \\
%\mathbf{c}_{\mathbf{v}_2, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ; \hspace*{2.5pt}
%\mathbf{c}_{\mathbf{v}_2,2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2}+ \lfloor\frac{q}{p}\rfloor \cdot %\mathbf{v}_2 ; \\
\mathbf{c}_{\mathbf{s}, 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} ; \hspace*{5pt}\mathbf{c}_{\mathbf{s},2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s} ; \\
\mathbf{c}_{\tau,1} = \mathbf{B}^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,1} ; \hspace*{2.5pt} \mathbf{c}_{\tau,2}= \mathbf{G}_0^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,2} + \lfloor q/2 \rfloor\cdot \tau .
\end{cases}
\end{eqnarray}
$~$ \\
We proceed in two steps.
\medskip \smallskip
\textbf{Step 1:} \emph{Transforming the equations in~(\ref{equation:R-sign-signature}) and~(\ref{equation:R-sign-ciphertext}) into a unified one of the form $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty =1$ and $\mathbf{x} \in \mathsf{VALID}$ - a ``specially-designed'' set.}
Note that, if we let $\mathbf{y} = \mathsf{bin}(\mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k) \in \{0,1\}^{m}$, then we have $\mathbf{H}_{2n \times m}\cdot \mathbf{y} = \mathbf{D}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} + \sum_{k=1}^N \mathbf{D}_i\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathfrak{m}_k \bmod q$, and~(\ref{equation:R-sign-signature}) can be equivalently written as:
\begin{eqnarray*}\label{equation:R-sign-signature-2}
\hspace*{-10pt}
\left(
\begin{array}{c}
\mathbf{A} \\
\mathbf{0} \\
\end{array}
\right)\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}
\mathbf{v}_1 +
\left(
\begin{array}{c}
\mathbf{A}_0 \\
\mathbf{0} \\
\end{array}
\right)\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 &+&
\sum_{i=1}^\ell \left(
\begin{array}{c}
\mathbf{A}_i \\
\mathbf{0} \\
\end{array}
\right)\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i] \mathbf{v}_2 +
\left(
\begin{array}{c}
\mathbf{0} \\
\mathbf{D}_0 \\
\end{array}
\right)\cdot \mathbf{s} + \left(
\begin{array}{c}
-\mathbf{D} \\
-\mathbf{H}_{2n \times m} \\
\end{array}
\right)\cdot \mathbf{y} \\
&+&\left(
\begin{array}{c}
\mathbf{0} \\
\mathbf{D}_1 | \ldots | \mathbf{D}_N \\
\end{array}
\right)\cdot \mathfrak{m} = \left(
\begin{array}{c}
\mathbf{u} \\
\mathbf{0}^{2n} \\
\end{array}
\right) ~\bmod q.
\end{eqnarray*}
Next, we use linear algebra to combine this equation and~(\ref{equation:R-sign-ciphertext}) into (modulo $q$):
\begin{align}\label{equation:R-sign-almost}
\hspace*{-10pt}
\mathbf{F}\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_1 \hspace*{-1.5pt}+\hspace*{-1.5pt} \mathbf{F}_0\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{v}_2 \hspace*{-1.5pt}+\hspace*{-1.5pt} \sum_{i=1}^\ell \mathbf{F}_i \hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau[i]\mathbf{v}_2 + \mathbf{M}_1 \hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \tau \hspace*{-1.5pt}+\hspace*{-1.5pt} \mathbf{M}_2\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathbf{y} + \mathbf{M}_3\hspace*{-1.5pt}\cdot\hspace*{-1.5pt}\mathfrak{m}
\hspace*{-1.5pt}+ \hspace*{-1.5pt}\mathbf{M}_4 \hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{s} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{M}_5\hspace*{-1.5pt}\cdot\hspace*{-1.5pt} \mathbf{e} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{c},
\end{align}
where, for dimensions $D = \ell + 3n + 7m + 3mN$ and $L_0 = D + nN$,
\begin{itemize}
\item Matrices $\mathbf{F}, \mathbf{F}_0, \mathbf{F}_1, \ldots, \mathbf{F}_\ell \in \mathbb{Z}_q^{D \times m}$, $\mathbf{M}_1 \in \mathbb{Z}_q^{D \times \ell}$, $\mathbf{M}_2 \in \mathbb{Z}_q^{D \times m}$, $\mathbf{M}_3 \in \mathbb{Z}_q^{D \times 2mN}$, $\mathbf{M}_4 \in \mathbb{Z}_q^{D \times 2m}$, $\mathbf{M}_5 \in \mathbb{Z}_q^{D \times L_0}$ and vector $\mathbf{c} \in \mathbb{Z}_q^D$ are built from the public input.
\item Vector $\mathbf{e} = \big(\hspace*{1pt}\mathbf{s}_1^T \hspace*{1pt}\|\hspace*{1pt} \ldots \hspace*{1pt}\|\hspace*{1pt} \mathbf{s}_N^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{s}_{\mathbf{v}}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{s}_0^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{s}_\tau^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{1,1}^T \hspace*{1pt}\|\hspace*{1pt} \ldots \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{N,1}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{\mathbf{v},1}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{0,1}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{\tau, 1}^T \hspace*{1pt}\| \\
~~~~~~~~~~~~~~~~~\|\hspace*{1pt}\mathbf{e}_{1,2}^T \hspace*{1pt}\|\hspace*{1pt} \ldots \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{N,2}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{0,2}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{\mathbf{v},2}^T \hspace*{1pt}\|\hspace*{1pt} \mathbf{e}_{\tau,2}^T\hspace*{1pt}\big)^T \in [-B,B]^{L_0}$.
\end{itemize}
Now we further transform~\eqref{equation:R-sign-almost} using the techniques from \cref{sse:stern-abstraction}. Specifically, we form the following:
\[
\begin{cases}
\mathsf{DecExt}_{m, \beta}(\mathbf{v}_1) \rightarrow \hat{\mathbf{v}}_1 \in \mathsf{B}^3_{m\delta_\beta}; \hspace*{5pt}\mathsf{DecExt}_{m, \beta}(\mathbf{v}_2)\rightarrow \hat{\mathbf{v}}_2 \in \mathsf{B}^3_{m\delta_\beta}; \\[2.5pt]
{\mathbf{F}}' = \big[\mathbf{F} \cdot \widehat{\mathbf{K}}_{m, \beta} | \mathbf{F}_0 \cdot \widehat{\mathbf{K}}_{m, \beta} | \mathbf{F}_1 \cdot \widehat{\mathbf{K}}_{m, \beta} | \ldots | \mathbf{F}_\ell \cdot \widehat{\mathbf{K}}_{m, \beta} | \mathbf{0}^{D \times 3m\delta_\beta \ell}\big] \in \mathbb{Z}_q^{D \times 3m\delta_\beta(2\ell+2)}; \\[2.5pt]
\mathsf{Ext}_{2\ell}(\tau) \rightarrow \hat{\tau} = (\tau[1], \ldots, \tau[\ell], \ldots, \tau[2\ell])^T \in \mathsf{B}^2_{\ell}; \hspace*{2.5pt}\mathbf{M}'_1 = [\mathbf{M}_1 | \mathbf{0}^{D \times \ell}] \in \mathbb{Z}_q^{D \times 2\ell};\\[2.5pt]
\mathsf{Ext}_{2m}(\mathbf{y})\rightarrow \hat{\mathbf{y}} \in \mathsf{B}^2_{m}; \hspace*{2.5pt}\mathbf{M}'_2 = [\mathbf{M}_2 | \mathbf{0}^{D \times m}] \in \ZZ_q^{D \times 2m }; \\[2.5pt]
\mathsf{DecExt}_{2m, p-1}(\mathbf{s}) \rightarrow \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}}; \hspace*{2.5pt} \mathbf{M}'_4 = \mathbf{M}_4 \cdot \widehat{\mathbf{K}}_{2m, p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}}; \\[2.5pt]
\mathsf{DecExt}_{L_0, B}(\mathbf{e}) \rightarrow \hat{\mathbf{e}} \in \mathsf{B}^3_{L_0\delta_{B}}; \hspace*{2.5pt}
\mathbf{M}'_5 = \mathbf{M}_5 \cdot \widehat{\mathbf{K}}_{L_0, B} \in \mathbb{Z}_q^{D \times 3L_0\delta_B}.
\end{cases}
\]
Now, let $L = 3m\delta_\beta(2\ell+2) + 2\ell + 2m + 2mN + 6m\delta_{p-1} + 3L_0\delta_B$, and construct matrix
$\mathbf{P} = \big[\hspace*{1pt}\mathbf{F}' \hspace*{1pt}|\hspace*{1pt} \mathbf{M}'_1 \hspace*{1pt}| \hspace*{1pt}\mathbf{M}'_2 \hspace*{1pt}|\hspace*{1pt} \mathbf{M}_3\hspace*{1pt}|\hspace*{1pt} \mathbf{M}'_4\hspace*{1pt}| \hspace*{1pt} \mathbf{M}'_5 \hspace*{1pt}\big] \in \ZZ_q^{D \times L}$ and vector
\[
\mathbf{x} = \big(\hspace*{1.5pt}\hat{\mathbf{v}}_1^T\hspace*{1.5pt} \|\hspace*{1.5pt} \hat{\mathbf{v}}_2^T \hspace*{1.5pt}\| \hspace*{1.5pt}\tau[1]\hat{\mathbf{v}}_2^T\hspace*{1.5pt} \| \ldots \|\hspace*{1.5pt} \tau[\ell]\hat{\mathbf{v}}_2^T\hspace*{1.5pt}\| \ldots \| \hspace*{1.5pt}\tau[2\ell]\hat{\mathbf{v}}_2^T\hspace*{1.5pt}\| \hspace*{1.5pt} \hat{\tau}^T \hspace*{1.5pt}\| \hspace*{1.5pt}\hat{\mathbf{y}}^T\hspace*{1.5pt} \|\hspace*{1.5pt} \mathfrak{m}^T \hspace*{1.5pt}\|\hspace*{1.5pt} \hat{\mathbf{s}}^T\hspace*{1.5pt}\| \hspace*{1.5pt} \hat{\mathbf{e}}^T\hspace*{1.5pt}\big)^T,
\]
then we will obtain the equation $\mathbf{P}\cdot \mathbf{x} = \mathbf{c} \bmod q$.
Before going on, we define $\mathsf{VALID}$ as the set of
$\mathbf{w} \in \{-1,0,1\}^L$ of the form:
\vspace*{-5pt}
\[
\mathbf{w} = \big(\mathbf{w}_{1}^T \| \mathbf{w}_2^T \| g_1 \mathbf{w}_2^T\| \ldots \| g_{2\ell}\mathbf{w}_2^T \| \mathbf{g}^T\| \mathbf{w}_3^T\| \mathbf{w}_4^T \| \mathbf{w}_5^T \| \mathbf{w}_6^T\big)^T
\vspace*{-5pt}
\]
for some $\mathbf{w}_1, \mathbf{w}_2 \in \mathsf{B}^3_{m\delta_\beta}$, $\mathbf{g} = (g_1, \ldots, g_{2\ell}) \in \mathsf{B}_{2\ell}$, $\mathbf{w}_3 \in \mathsf{B}^2_{m}$, $\mathbf{w}_4 \in \mathsf{CorEnc}(mN)$, $\mathbf{w}_5 \in \mathsf{B}^3_{2m\delta_{p-1}}$, and $\mathbf{w}_6 \in \mathsf{B}^3_{L_0\delta_B}$.
It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailored set $\mathsf{VALID}$.\\
\textbf{Step 2:} \emph{Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{T_\pi: \pi \in \mathcal{S}\}$ for which the conditions in~(\ref{eq:zk-equivalence}) hold.}
\begin{itemize}
\item Define $\mathcal{S} = \mathcal{S}_{3m\delta_\beta} \times \mathcal{S}_{3m\delta_\beta} \times \mathcal{S}_{2\ell} \times\mathcal{S}_{2m} \times \{0,1\}^{mN}\times \mathcal{S}_{6m\delta_{p-1}} \times \mathcal{S}_{3L_0\delta_B}$. \medskip
\item For $\pi = (\phi, \psi, \gamma, \rho, \mathbf{b}, \eta, \xi) \in \mathcal{S}$ and $\mathbf{z} = \big(\mathbf{z}_0^1 \| \mathbf{z}_0^2 \| \mathbf{z}_1 \| \ldots \| \mathbf{z}_{2\ell} \| \mathbf{g} \| \mathbf{t}_1 \| \mathbf{t}_2 \|\mathbf{t}_3 \| \mathbf{t}_4\big) \in \mathbb{Z}_q^L$,
where ${\mathbf{z}_0^1}, {\mathbf{z}_0^2}, \mathbf{z}_1, \ldots, \mathbf{z}_{2\ell} \in \mathbb{Z}_q^{3m\delta_\beta}$, $\mathbf{g} \in \mathbb{Z}_q^{2\ell}$, $\mathbf{t}_1\in \mathbb{Z}_q^{2m}$, $\mathbf{t}_2 \in \mathbb{Z}_q^{2mN}$, $\mathbf{t}_3 \in \mathbb{Z}_q^{6m\delta_{p-1}}$, and $\mathbf{t}_4 \in \mathbb{Z}_q^{3L_0\delta_B}$, we define:
\begin{eqnarray*}
\hspace*{-15pt}
T_{\pi}(\mathbf{z}) = \big(\phi(\mathbf{z}_0^1)^T\hspace*{1pt} \| \psi(\mathbf{z}_0^2)^T \hspace*{1pt}\| \psi(\mathbf{z}_{\gamma(1)})^T \hspace*{1pt}\| \ldots \| \psi(\mathbf{z}_{\gamma(2\ell)})^T \hspace*{1pt}\| \gamma(\mathbf{g})^T\hspace*{1pt} \| \\
~~~~~~~~\|\rho(\mathbf{t}_1)^T \| E_{\mathbf{b}}(\mathbf{t}_2)^T \hspace*{1pt}\| \eta(\mathbf{t}_3)^T \| \xi(\mathbf{t}_4)^T\hspace*{1pt}\big)^T
\end{eqnarray*}
as the permutation that transforms $\mathbf{z}$ as follows:
\begin{enumerate}
\item It rearranges the order of the $2\ell$ blocks $\mathbf{z}_1, \ldots, \mathbf{z}_{2\ell}$ according to $\gamma$.
\item It then {permutes} block $\mathbf{z}_0^1$ according to $\phi$, blocks $\mathbf{z}_0^2$, $\{\mathbf{z}_i\}_{i=1}^{2\ell}$ according to~$\psi$, block $\mathbf{g}$ according to $\gamma$, block $\mathbf{t}_1$ according to $\rho$, block $\mathbf{t}_2$ according to $E_{\mathbf{b}}$, block $\mathbf{t}_3$ according to~$\eta$, and block $\mathbf{t}_4$ according to $\xi$.
\end{enumerate}
\end{itemize}
It can be check that~(\ref{eq:zk-equivalence}) holds. Therefore, we can obtain a statistical \textsf{ZKAoK} for the given relation by running the protocol in \cref{sse:stern-abstraction}.
\section{A Dynamic Lattice-Based Group Signature}
\input{merge}