2326 lines
194 KiB
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

%\chapter{Lattice-Based Oblivious Transfer with Access Control}
%\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
Oblivious transfer ($\mathsf{OT}$) is a central cryptographic primitive coined by Rabin~\cite{Rab81} and extended by Even \textit{et al.} \cite{EGL85}.
It involves a
sender $\mathsf{S}$ with a database of messages $M_1, \ldots, M_N$ and a receiver $\mathsf{R}$ with an index $\rho \in \{1,\ldots,N\}$. The
protocol allows $\mathsf{R}$ to retrieve the $\rho$-th entry $M_{\rho}$ from $\mathsf{S}$ without letting $\mathsf{S}$ infer anything
on $\mathsf{R}$'s choice $\rho$. Moreover, $\mathsf{R}$ only obtains $M_{\rho}$ learns nothing about $\{M_i\}_{i \neq \rho}$.
In its adaptive flavor \cite{NP99}, $\mathsf{OT}$ allows the receiver to interact $k$ times with $\mathsf{S}$ to retrieve
$M_{\rho_1},\ldots,M_{\rho_k}$ in such a way that, for each index $i \in \{2,\ldots,k\}$, the $i$-th index $\rho_{i} $ may depend on the messages
$M_{\rho_1},\ldots,M_{\rho_{i-1}}$ previously obtained by $\mathsf{R}$.
$\mathsf{OT}$ is known to be a complete building block for cryptography (as for example, \cite{GMW87}) in that, if it can be realized, then
any secure multiparty computation can be. In its adaptive variant, $\mathsf{OT}$ is motivated by applications in privacy-preserving access
to sensitive databases (e.g., medical records or financial data) stored in encrypted form on remote servers, oblivious searches or location-based
As far as efficiency goes, adaptive $\mathsf{OT}$ protocols should be designed in such a way that, after an inevitable initialization phase with
linear communication complexity in $N$ and the security parameter $\lambda$, the complexity of each transfer is at most poly-logarithmic in $N$. At the same time, this asymptotic efficiency should not come at the expense of sacrificing ideal security properties.
The most efficient adaptive $\mathsf{OT}$ protocols that satisfy the latter criterion stem from the work of Camenisch, Neven and shelat
\cite{CNS07} and its follow-ups \cite{GH07,GH08,GH11}.
In its basic form, (adaptive) $\mathsf{OT}$ does not restrict in any way the population of users who can obtain specific records. In many
sensitive databases (e.g., DNA databases or patients' medical history),
however, not all users should be able to download all records: it is vital access to certain entries be conditioned on the receiver holding suitable credentials delivered by authorities. At the same time, privacy protection mandates that authorized users be able to query database records while
leaking as little as possible about their interests or activities. In medical datasets, for example, the specific entries retrieved by a given doctor
could reveal which disease his patients are suffering from. In financial or patent datasets, the access pattern of a company could betray its investment
strategy or the invention it is developing.
In order to combine user-privacy and fine-grained database security, it is thus desirable to enrich adaptive $\mathsf{OT}$ protocols with refined access control mechanisms in many of their natural use cases.
This motivated Camenisch, Dubovitskaya and Neven \cite{CDN09} to introduce
a variant
named \textit{ oblivious transfer with access control} (OT-AC), where each database record is protected by a different access control policy $P : \{0,1\}^\ast
\rightarrow \{0,1\}$.
Based on their attributes, users can obtain credentials generated by pre-determined authorities, which entitle them to anonymously retrieve database records of which the access policy accepts their certified attributes: in other words, the user can only download the records for which he has a
valid credential $\mathsf{Cred}_x$ for an attribute string $x \in \{0,1\}^\ast$ such that
$P(x)=1$. During the transfer phase, the user demonstrates possession of a pair $(\mathsf{Cred}_x,x)$ and simultaneously
convinces the sender that he is querying some record $M_{\rho}$ associated with a policy $P$ such that $P(x)=1$. The only
information that the database holder eventually learns is that some user retrieved some record which he was authorized to obtain.
Camenisch \textit{et al.} formalized the OT-AC primitive and provided a construction in groups with a bilinear map \cite{CDN09}.
While efficient, their solution ``only'' supports access policies consisting of conjunctions: each policy $P$ is specified by a list
of attributes that a given user should obtain a credential for in order to complete the transfer. Several subsequent works
considered more expressive access policies while even hiding the access policies in some cases \cite{CDNZ11,CDEN12}. Unfortunately,
all of them rely on non-standard assumptions (known as ``$q$-type assumptions'' as described in~\cref{ch:proofs}) in groups with a bilinear maps. For the sake of not putting
all one's eggs in the same basket, a primitive as powerful as OT-AC ought to have alternative realizations based on firmer foundations.
In this chapter, we propose a solution based on lattice assumptions where access policies consist of any branching program of width $5$,
which is known \cite{Bar86} to suffice for the realization of any access policy in $\mathsf{NC1}$. As a result of independent interest, we provide
protocols for proving the correct evaluation of a committed branching program. More precisely, we give zero-knowledge arguments for demonstrating possession of a secret input $\mathbf x \in \{0,1\}^\kappa$ and
a secret (and possibly certified) branching program $\BPR$ such that $\BPR(\mathbf x)=1$.
\index{Complexity classes!$\mathsf{NC}1$}
\paragraph{Related Work.}
Oblivious transfer with adaptive queries dates back to the work of Naor and Pinkas \cite{NP99}, which
requires $O( \log N)$ interaction rounds per transfer.
Naor and Pinkas \cite{NP05} also gave generic constructions of
(adaptive) $k$-out-of-$N$ OT from private information retrieval (PIR) \cite{CGKS95}. The constructions of~\cite{NP99,NP05}, however, are only secure in the half-simulation model, where simulation-based
security is only considered for one of the two parties (receiver security being formalized in terms of a game-based definition).
Moreover, the constructions of Adaptive OT from PIR \cite{NP05}
requires a complexity $O(N^{1/2})$ at each transfer where Adaptive OT allows for $O(\log N)$ cost.
Before 2007, many OT protocols (e.g., \cite{NP01,AIR01,tau05}) were analyzed in terms of half-simulation.
While several efficient fully simulatable protocols appeared the last 15 years (e.g., \cite{DN03,Lin08,PVW08} and references therein),
full simulatability
remained elusive in
the adaptive $k$-out-of-$N$ setting \cite{NP99} until the work~\cite{CNS07} of
Camenisch, Neven and shelat, who introduced the ``assisted decryption''
paradigm. The latter consists in having the sender obliviously decrypt a re-randomized version of one of the original ciphertexts contained in the database. This technique served as a blueprint for many subsequent protocols \cite{GH07,GH08,GH11,JL09}, including those with access control
\cite{CDN09,CDNZ11,CDEN12,ACDN13} and those presented in this chapter. In the adaptive $k$-out-of-$N$ setting (which we denote as \OTA),
the difficulty is to achieve full simulatability without having to transmit a $O(N)$ bits at each transfer. To our knowledge, except
the oblivious-PRF-based approach of Jarecki and Liu \cite{JL09},
all known fully simulatable \OTA protocols rely on bilinear maps\footnote{Several
pairing-free candidates were suggested in \cite{KPN10,KPN11} but, as pointed out in \cite{GH11},
they cannot achieve full simulatability in the sense of \cite{CNS07}. In particular, the sender can detect if the receiver fetches the same
record in two distinct transfers.
%The constructions of \cite{KN09} do achieve full simulatability but each transfer costs $\Theta(N)$ bits in terms
%of communication.
}. A recent work of D\"ottling \textit{et al.}~\cite{DFKS16} uses non-black-box techniques to realize $\LWE$-based $2$-round oblivious PRF (OPRF) protocols~\cite{FIPR05}. However, while fully simulatable OPRFs imply \cite{JL09}
fully simulatable adaptive OT, the OPRF construction of~\cite{DFKS16} does not satisfy the standard
notion of full simulation-based security against malicious adversaries (which is impossible to achieve in two rounds). It also relies on the full power of
homomorphic encryption, which we do not require.
A number of works introduced various forms of access control in OT. Priced OT \cite{AIR01}
assigns variable prices to all database records. In conditional OT \cite{DCOR99}, access to a record is made contingent on the user's secret
satisfying some predicate. Restricted OT \cite{Her11} explicitly protects each record with an independent access policy. Still, none of these
OT flavors aims at protecting the anonymity of users. The model of Coull, Green and Hohenberger \cite{CGH09} does consider user anonymity via stateful
credentials. For the applications of OT-AC, it would nevertheless require re-issuing user credentials at each transfer.
While efficient, the initial OT-AC protocol of Camenisch \textit{et al.} \cite{CDN09} relies on non-standard
assumptions in groups with a bilinear map and only realizes access policies made of conjunctions. Abe \textit{et al.} \cite{ACDN13}
gave a different protocol which they proved secure under more standard assumptions in the universal composability framework \cite{Can01}.
Their policies, however, remain limited to conjunctions. It was mentioned in \cite{CDN09,ACDN13}
that disjunctions and DNF formulas can be handled by duplicating database entries. Unfortunately, this approach rapidly
becomes prohibitively expensive in the case of $(t,n)$-threshold policies with $t \approx n/2$.
Moreover, securing the protocol against malicious senders
requires them to prove that
all duplicates encrypt the same message. More expressive policies were considered by Zhang \textit{et al.} \cite{ZAW+10} who
gave a construction based on attribute-based encryption \cite{SW05} that
extends to access policies expressed by any Boolean formulas (and thus $\mathsf{NC}1$ circuits).
Camenisch, Dubovitskaya, Neven and Zaverucha \cite{CDNZ11} generalized the OT-AC functionality so as
to hide the access policies. In \cite{CDEN12}, Camenisch \textit{et al.} gave a more efficient
construction with hidden policies based on the attribute-based
encryption scheme of \cite{NYO08}. At the expense of a proof in the generic group model, \cite{CDEN12} improves upon the expressiveness
of \cite{CDNZ11} in that its policies
extend into CNF formulas. While the solutions of \cite{CDNZ11,CDEN12} both hide the access policies to users (and the successful termination
of transfers to the database), their policies can only live in a proper subset of $\mathsf{NC1}$. As of now,
threshold policies can only be efficiently handled by the ABE-based construction of Zhang \textit{et al.} \cite{ZAW+10}, which requires
\textit{ad hoc} assumptions in groups with a bilinear map.
In the forthcoming sections, we first present the adaptive oblivious transfer scheme and its access control flavour, then we present the needed building blocks, in particular a simpler version of the signature scheme presented in~\cref{se:gs-lwe-sigep}.
We next present our constructions and the zero-knowledge protocol to guarantee the correct execution of a branching program.
Finally, we close this chapter with the description of a shift of our scheme from the standard model to the random oracle model to reduce the communication complexity cost, and a comparison table between the different existing solutions.
\section{Adaptive Oblivious Transfer}
\index{Adaptive Oblivious Transfer}
In the syntax of \cite{CNS07}, an adaptive $k$-out-of-$N$ OT scheme $\OT_k^N$ is a tuple of stateful $\ppt$ algorithms $(\SI, \RI, \ST, \RT)$.
The sender $\mathsf{S}=(\SI,\ST)$ consists of two interactive algorithms $\SI$ and $\ST$ and the receiver has a similar representation as algorithms $\RI$ and $\RT$.
In the \textit{initialization phase}, the sender and the receiver run interactive algorithms $\SI$ and $\RI$, respectively, where $\SI$ takes as input messages $M_1, \ldots, M_N$ while $\RI$ has no input.
This phase ends with the two algorithms $\SI$ and $\RI$ outputting their state information $S_0$ and $R_0$ respectively.
During the $i$-th \textit{transfer}, $1 \leq i \leq k$, both parties run an interactive protocol via the $\RT$ and $\ST$ algorithms.
The sender starts runs $\ST(S_{i-1})$ to obtain its updated state information $S_i$ while the receiver runs $\RT(R_{i-1}, \rho_i)$ on input of its previous state $R_{i-1}$ and the index $\rho_i \in \{1, \ldots, N \}$ of the message it wishes to retrieve. At the end, $\RT$ outputs an updated state $R_i$ and a message $M'_{\rho_i}$.
\textit{Correctness} mandates that, for all $M_1, \ldots, M_N$, for all $\rho_1, \ldots, \rho_k \in [ N]$ and all coin tosses $\varpi$ of the (honestly run) algorithms, we have $M'_{\rho_i} = M_{\rho_i}$ for all $i$.
We consider protocols that are secure (against static corruptions) in the sense of simulation-based definitions. The security
properties against a cheating sender and a cheating receiver are formalized via the ``real-world/ideal-world'' paradigm. The
security definitions of \cite{CNS07} are recalled in the following Section.
\subsection{Security Definitions for Adaptive $k$-out-of-$N$ Oblivious Transfer} \label{def-AOT}
Security is defined via the ``real-world/ideal-world'' paradigm which was first introduced in the Universal Composability (UC) framework~\cite{Can01}. Like \cite{CNS07,CDN09}, however, we do not incorporate all the formalities of the UC framework.
We define two experiments: the \textbf{Real} experiment, where the two parties run the actual protocol, and the \textbf{Ideal} experiment wherein a \textit{trusted third party} assumes the role of the functionality.
The model of \cite{CNS07} formalizes two security notions called \textit{sender security} and \textit{receiver security}.
The former considers the security of honest senders against cheating senders whereas the latter considers the security of honest receivers interacting
with malicious senders.
For an adaptive OT protocol $\OT_k^N$ comprised of algorithms $(\SI, \ST, \RI, \RT)$, we denote define the honest sender $\mathsf S$ as the algorithm that runs
$\SI(M_1, \ldots, M_N)$ during the initialization phase, runs $\ST$ at each transfer and eventually returns $S_k = \epsilon$ as its final output.
Similarly, the honest receiver $\mathsf R$ is the algorithm that runs $\RI$ in the initialization phase, runs $\RT(R_{i-1}, \rho_i)$ during the $i$-th transfer and eventually returns $R_k = (M'_{\rho_1}, \ldots, M'_{\rho_k})$ as its final output.
\paragraph{Real Experiment.}
Here, a sender $\hS$ and a receiver $\hR$ which proceed as follows for experiment $\textbf{Real\,}_{\hS, \hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$.\\ \smallskip
The sender $\hS$ is given messages $M_1, \ldots, M_N$ and interacts with $\hR$ which does not have any input in the initialization phase.
At end of the latter, $\hS$ and \hR output their initial states $S_0$ and $R_0$ respectively. Then, $\hS$ and \hR start $k$ sequential interactions:
for $i \in [k]$, in the $i$-th transfer, the sender $\hS$ and the receiver $\hR$ run $S_i \gets \hS(S_{i-1})$ and $(R_i, M'_{\rho_i}) \gets \hR(R_{i-1}, \rho_i)$, where $\rho_i \in [N]$ is a message index and $(S_i,R_i)$ denote updated states for $\hS$ and $\hR$, respectively.
Note that $M'_{\rho_i}$ may be different from $M_{\rho_i}$ if one of the participant deviates from the protocol. At the end of the $k$-th interaction, $\hS$ and $\hR$ output strings $S_k$ and $R_k$ respectively. The output of $\textbf{Real\,}_{\hS,\hR}$ is the pair $(S_k, R_k)$.
The honest sender $\mathsf{S}$ is the algorithm that runs $\mathsf{S}(M_1,\ldots,M_N)$ as in the initialization phase, runs $\mathsf{S}_\mathsf{T}$ in all subsequent interactions
and always outputs $S_k=\varepsilon$. The honest receiver $\mathsf{R}$ is the algorithm that runs $\mathsf{R}_\mathsf{I}$ in the initialization phase, runs
$\mathsf{R}_{\mathsf{T}}(\mathsf{R}_{i-1},\rho_i)$ at the $i$-th transfer and returns the list of received messages
$R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final output.
\paragraph{Ideal Experiment.}
We define the experiment $\textbf{Ideal\,}_{\hS', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$ as follows.\\ \smallskip
The (possibly malicious) algorithm $\hS'(M_1, \ldots, M_N)$ generates messages $M'_1, \ldots, M'_N$ which are given to the trusted party $\mathsf{T}$. In each of the $k$ transfers, $\mathsf{T}$ obtains
a bit $b_i$ from the sender $\hS'$ and an index $\rho'_i$ from the (possibly malicious) receiver $\hR'(\rho_i)$. If $b_i = 1$, and
$\rho_i' \in [N]$,
then $\mathsf{T}$ reveals $M'_{\rho_i}$ to the receiver $\hR'$.
Otherwise, $\hR'$ receives $\bot$ from $\mathsf{T}$. At the end of the $k$-th transfer, $\hS'$ and $\hR'$ output a string $S_k$ and $R_k$ and
output of the experiment is the pair $(S_k, R_k)$.
The ideal sender $\mathsf{S}'(M_1,\ldots,M_N)$ is defined the be the sender that sends $(M_1,\ldots,M_N)$ which sends the messages
$(M_1,\ldots,M_N)$ to $\mathsf{T}$ in the initialization phase, sends $b_i=1$ in each transfer and outputs the final state $S_k=\varepsilon$. The honest
ideal receiver $\mathsf{R}'$ is defined to be the algorithm that sends $\mathsf{T}$ the real selection index $\rho_i$ at each transfer and eventually outputs
the list of all received messages $R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final state.
The bit $b_i$ sent by $\hS'$ at each transfer models its capability of making the transfer fail. By forcing $\hS'$ to choose $b_i$ without seeing
$\rho_i$, the definition prevents the cheating sender
$\hS'$ from deciding to cause a failure of the transfer for specific values of $\rho_i$.
\begin{definition}[Sender Security] \label{def:sender-sec}
\index{Adaptive Oblivious Transfer!Sender Security}
An $\OT_k^N$ protocol is \textit{sender-secure} if, for any PPT real-world cheating receiver $\hR$, there exists a PPT ideal-world receiver $\hR'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can separate the two following distributions with noticeable advantage:
\[ \mathbf{Real}_{\mathsf{S},\hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
\[ \mathbf{Ideal}_{\mathsf{S}', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k). \]
\begin{definition}[Receiver Security] \label{def:receiver-sec}
\index{Adaptive Oblivious Transfer!Receiver Security}
An $\OT_k^N$ protocol is \textit{receiver-secure} if, for any PPT real-world cheating sender $\hS$, there exists a PPT ideal-world sender $\hS'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can tell apart the two following distributions with non-negligible advantage:
\[ \mathbf{Real}_{\hS,\mathsf{R}}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
\[ \mathbf{Ideal}_{\hS', \mathsf{R}'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k). \]
\subsection{Adaptive Oblivious Transfer with Access Control} \label{se:def-AC-OT}
Camenisch \textit{et al.} ~\cite{CDN09} define oblivious transfer with access control (OT-AC)
as a tuple of PPT algorithms/protocols $(\ISetup, \Issue, \DBSetup, \Transfer)$ such that:
\item[$\ISetup$:] takes as inputs public parameters $\pp$ specifying a set $\mathcal{P}$ of access policies and generates a key pair $(PK_I, SK_I)$ for the issuer.
\item[$\Issue$:] is an interactive protocol between the issuer \textsf{I} and a stateful user $\USR$ under common input $(\pp, {x})$, where $x$ is an attribute string. The issuer \textsf{I} takes as inputs its key pair $(PK_I, SK_I)$ and a user pseudonym $P_\USR$. The user takes as inputs its state information $st_\USR$. The user $\USR$ outputs either an error symbol $\bot$ or a credential $\mathsf{Cred}_\USR$, and an updated state $st'_\USR$.
\item[$\DBSetup$:] is an algorithm that takes as input the issuer's public key $PK_I$, a database $DB = \left(M_i, \mathsf{AP}_i \right)_{i=1}^N$ containing records $M_i$ whose access is restricted by an access policy $\mathsf{AP}_i$ and outputs a database public key $PK_\mathsf{DB}$, an encryption of the records $(ER_i)_{i=1}^N$ and a database secret key $SK_\mathsf{DB}$.
\item[$\Transfer$:] is a protocol between the database $\mathsf{DB}$ and a user $\USR$ with common inputs $(PK_I, PK_\mathsf{DB})$. $\mathsf{DB}$ inputs $SK_\mathsf{DB}$ and
$\USR$ inputs $(\rho, st_\USR, ER_\rho, \mathsf{AP}_\rho)$, where $\rho \in [N]$ is a record index to which $\USR$ is requesting access. The interaction ends with $\USR$ outputting $\bot$ or a string $M_{\rho'}$ and an updated state $st'_\USR$.
We assume private communication links, so that communications between a user and the issuer are authenticated, and those between a user and the database are anonymized: otherwise, anonymizing the $\Transfer$ protocol is impossible.
The security definitions formalize two properties called \textit{user anonymity} and \textit{database security}. The former captures that the database should be unable to tell which {honest user} is making a query and neither can tell which records are being accessed. This should remain true even if the database colludes with corrupted users and the issuer. As for database security, the intuition is that a cheating user cannot access a record for which it does not have the required credentials, even when colluding with other dishonest users. In case the issuer is colluding with these cheating users, they cannot obtain more records from the database than they retrieve.
Similarly to the \OTA case, security is defined by requiring that any PPT real-world adversary $\mathcal A$ and any environment $\env$, there exists a PPT adversary $\mathcal A'$ which controls the same parties and such that no environment $\mathcal E$ can tell if it is
running in the real world interacting with the real $\mathcal A$ or in the ideal-world interacting with $\adv'$.
The distribution of outputs of the environment in the different settings is denoted by $\mathbf{Real}_{\mathcal{E}, \adv}(\lambda)$ and $\mathbf{Ideal}_{\mathcal E, \adv'}(\lambda)$ for real-world adversary $\adv$ and ideal-world adversary $\adv'$, respectively.
\index{Adaptive Oblivious Transfer!with Access Control}
An AC-OT protocol is said to securely implement the functionality if for any real-world adversary $\adv$ and any real world environment $\mathcal E$, there exists an ideal-world simulator $\mathcal A'$ controlling the same parties in the ideal-world as $\adv$ does in the real-world, such that
\[ | \mathbf{Real}_{\mathcal E, \adv}(\lambda) - \mathbf{Ideal}_{\mathcal{E}, \adv}(\lambda) | \leq \negl(\lambda). \]
\paragraph{Real World.}
We describe the way that real-world algorithms interact when all participants (i.e., the real-world users $\USR_1,\ldots, \USR_{U}$, the database $\mathsf{DB}$ and the issuer $\mathsf{I}$) are honest. The issuer starts by generating a key pair $(PK_I, SK_I) \gets \mathsf{ISetup}(\pp)$, and sends $PK_I$ to all users $\{\USR_i\}_{i=1}^U$ and the database $\mathsf{DB}$.
When $\mathcal E$ sends a message $\bigl(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N\bigr)$ to the database $\mathsf{DB}$, the latter encrypts the database $\mathrm{DB}$ by running $\DBSetup$ and sends the encrypted records to all users.
When $\mathcal E$ sends a message $(\texttt{issue}, {x})$ to user $\USR_i$, this user starts an $\Issue$ protocol with the issuer on common input ${x}$, at the end of which it returns $1$ to the environment if the protocol succeeded or $0$ otherwise.
When $\mathcal E$ sends a message $(\texttt{transfer}, \rho)$ to user $\USR_i$, this user first checks if its credentials $\mathsf{Cred}_\USR$ are sufficient to access the record $M_\rho$. If it is the case, it engages in a $\Transfer$ protocol with the database $\mathsf{DB}$, at the end of which it receives either the message $M_\rho$, or an error symbol $\bot$. If it failed at any steps, the user returns $0$ to $\mathcal E$, or $1$ if it succeeded.
Notice that in this setting, neither the database nor the issuer return any outputs to the environment.
\paragraph{Ideal World.}
In the ideal world, participants only communicate via the trusted party $\mathsf{T}$ which implements the functionality of the protocol. We describe how
$\mathsf{T}$ proceeds when receiving inputs from the ideal-world users $\{\USR'_i\}_{i=1}^U$, issuer $\mathsf{I}'$ and database $\mathsf{DB}'$. $\mathsf{T}$ maintains an initially empty set $C_i$ for each user $\USR'_i$ and sets $\mathrm{DB} \gets \bot$. It handles the queries of the different parties as follows:\\
\item[$\bullet$ ] When receiving a message $(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N)$ from $\mathsf{DB}'$, $\mathsf{T}$ sets $\mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N$.
\item[ $\bullet$] When receiving $(\texttt{issue}, {x})$ from $\USR'_i$, $\mathsf{T}$ sends $(\texttt{issue}, \USR'_i, {x})$ to $\mathsf{I}'$ which
replies with a bit $b$. If $b=1$, then $\mathsf{T}$ adds ${x}$ to $C_i$. In any cases, $\mathsf{T}$ sends $b$ to $\USR'_i$.
\item[ $\bullet$ ] When receiving $(\texttt{transfer}, \rho)$ from $\USR'_i$, the trusted party $\mathsf{T}$ acts as follows. If $\USR_i'$ previously sent
a message of the form $(\texttt{transfer},.)$, $\mathsf{T}$ defines $f_{\USR',DB}=1$. Otherwise, it sets $f_{\USR',DB}=0$.
If $\mathrm{DB} \neq \bot$,
it sends $(\texttt{transfer},f_{\USR',DB})$ to $\mathsf{DB}'$, who sends a bit $b$. If $b=1$ and if $st_i$ contains a vector $\mathbf{x}$ such that $\mathsf{AP}_i({x})=1$, then it sends the record to $\USR'_i$. In any other cases, it sends $\bot$ to $\USR'_i$.
In other words, the ideal-world users, database and issuer relay inputs and outputs between the environment $\mathcal E$ and the trusted party $\mathsf{T}$.
Note that, like \cite{CDN09}, the ideal functionality allows the database to learn whether a given user interacts with the database for the first time or
not. The reason is that, like the protocol of \cite{CDN09}, our basic OT-AC scheme requires the database to provide a particular interactive zero-knowledge proof at the very first time each user queries the database.
In protocols where the database generates such an interactive proof, it is inevitable for $\USR$ to reveal his state bit $f_{DB}$ to $\mathsf{DB}$.
In constructions where the zero-knowledge proof is made non-interactive and made publicly available at the same time as the database itself,
this can be avoided and we can prevent $\mathsf{DB}$ from learning the state bit $f_{DB}$. In this case, $\mathsf{T}$ does not send $f_{\USR',DB}$ to $\mathrm{DB}'$ in
the ideal-world experiment.
The ideal world thus implies the following security properties.
\item[User Anonymity.] The database cannot tell which user a given query comes from and neither can it tell which record is being accessed.
It only learns whether the user previously queried the database or not. Otherwise, two transfers involving the same users are unlinkable.
\item[Database Security.] A single cheating user cannot access a record for which he does not have a certified authorized attribute string.
Colluding users cannot pool their credentials to gain access to a record which none of them can individually access.
Moreover, if the issuer colludes with some users, the protocol still provides the equivalent of sender security in the \OTA functionality.
\section{Building Blocks}
We will use two distinct signature schemes because one of them only needs to be secure in
the sense of a weaker security notion and can be more
efficient. This weaker notion is sufficient to sign the database entries and
allows a better efficiency in the scheme of Section \ref{OT-scheme}. In particular, by making
it stateful (which also suffices since all database entries are signed at once), we
can reduce the public key size to $\log N$ matrices if $N$ is the number of database entries. The second scheme must be stateful and secure in the
standard EUF-CMA sense since the issuer uses it to certify users' attributes. The
signature scheme of \cref{se:gs-lwe-sigep} is only used in the OT-AC protocol of Section \ref{OT-scheme}
while the scheme of Section \ref{RMA-sec} is used in the adaptive OT protocol of Section
\ref{OT-AC-scheme} as well.
We first use the signature scheme described in \cref{se:gs-lwe-sigep} which extends the
the B\"ohl \textit{et al.} signature~\cite{BHJ+15} in order to sign messages comprised of multiple blocks while keeping the scheme compatible with zero-knowledge proofs.
\subsection{A Simpler Variant with Bounded-Message Security and Security Against Non-Adaptive Chosen-Message Attacks} \label{RMA-sec}
We consider a stateful variant of the scheme in Section \ref{se:gs-lwe-sigep} where a bound $Q \in \mathsf{poly}(n)$ on the number of signed messages is fixed at key generation time. In the context of \OTA, this is sufficient and leads to efficiency improvements.
In the modified scheme hereunder, the string $\tau \in \{0,1\}^\ell$ is an $\ell$-bit counter maintained by the signer to keep track of the number of previously signed messages.
This simplified variant resembles
the $\mathsf{SIS}$-based signature scheme of B\"ohl \textit{et al.} \cite{BHJ+15}.
In this version, the message space is $ \{0,1\}^{n \lceil \log q \rceil} $ so that vectors of $\Zq^n$ can be signed by first decomposing them using
\item[\textsf{Keygen}$(1^\lambda,1^Q)$:] Given $\lambda>0$ and the maximal number $Q \in \mathsf{poly}(\lambda)$ of signatures, choose $n = \mathcal{O}(\lambda)$, a prime $q = \widetilde{\mathcal{O}}(Q \cdot n^{4})$, $m =2n \lceil \log q \rceil $, an integer $\ell = \lceil \log Q \rceil$ and Gaussian parameters $\sigma = \Omega(\sqrt{n\log q}\log n)$. The message space is $ \{0,1\}^{m_d} $, for some $m_d \in \mathsf{poly}(\lambda)$ with $m_d \geq m$.
\smallskip \smallskip
\item[1.] Run $\TrapGen(1^n,1^m,q)$ to get~$\mathbf{A} \in
\Zq^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of
$\Lambda_q^{\perp}(\mathbf{A}),$ which allows sampling short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian parameter $\sigma$.
Next, choose $\ell+1$ random $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell} \sample U(\Zq^{n \times m})$.
\item[2.] Choose $\mathbf{D} \sample U(\Zq^{n \times m_d})$ as well as a random vector
$\mathbf{u} \sample U(\Zq^n)$. \smallskip \smallskip
The counter $\tau$ is initialized to $\tau=0$. The private key consists of $SK:=
\mathbf{T}_{\mathbf{A}} $ and the public key is ${PK}:=\big( \mathbf{A}, ~
\{\mathbf{A}_j \}_{j=0}^{\ell}, ~\mathbf{D}, ~\mathbf{u} \big).$
\item[\textsf{Sign}$\big(SK, \tau, \mathfrak{m} \big)$:] To sign a message $\mathfrak{m} \in \{0,1\}^{m_d}$, \smallskip
\item[1.] Increment the counter by setting $\tau:=\tau+1$ and interpret it as a string $\tau \in \{0,1\}^\ell $. Then, using $SK:=
\mathbf{T}_{\mathbf{A}} $, compute a short delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$
for the matrix
$ \mathbf{A}_{\tau}=
[ \mathbf{A} \mid \mathbf{A}_0 +
\sum_{j=1}^\ell \tau[j] \mathbf{A}_j
] \in \Zq^{ n \times 2m}.$
\item[2.] Compute the vector $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \mathfrak{m} \in \Zq^n .$
using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$.
Output the signature $sig=(\tau,\mathbf{v} ) \in \{0,1\}^\ell \times \ZZ^{2m} $. \smallskip
\item[\textsf{Verify}$\big(PK,\mathfrak{m},sig\big)$:] Given $PK$, $\mathfrak{m} \in \{0,1\}^{m_d}$ and a
signature $sig=(\tau,\mathbf{v}) \in \{0,1\}^\ell \times \ZZ^{2m} $,
return $1$ if $\| \mathbf{v} \| < \sigma \sqrt{2m}$ and
$ \mathbf{A}_{\tau} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathfrak{m} \bmod q.$
For our purposes, the scheme only needs to satisfy a notion of bounded-message security under non-adaptive chosen-message
attack. In this relaxed model,
the adversary only obtains a
bounded number of signatures for messages that are chosen non-adaptively
(i.e., all at once and before seeing the public key) by the adversary. This
security notion is sufficient for signing the $N$ database entries. Note that the queries are
non-adaptive but the adversary can adaptively choose its forgery message.
\begin{theorem} \label{thm-version-3}
The scheme is bounded message secure under non-adaptive chosen-message attacks if the $\mathsf{SIS}$ assumption holds.
We show that the scheme presented in Section~\ref{RMA-sec} is secure against non-adaptive chosen-message attacks ({na-CMA}) under the $\SIS$ assumption.
The shape of the proof is similar to the security proof of the signature scheme of~\cref{se:gs-lwe-sigep}. Namely, to prove the security, we distinguish two kinds of attacks:
\item[Type I attacks,] where in the adversary's forgery $sig^\star = (\tau^\star, \mathbf v^\star)$, $\tau^\star$ did not appear in any outputs of the signing oracle.
\item[Type II attacks,] where in the adversary's forgery $sig^\star = (\tau^\star, \mathbf v^\star)$, $\tau^\star$ has been recycled from an output $sig^{(i^\star)} = \bigl(\tau^{(i^\star)}, \mathbf v^{(i^\star)} \bigr)$ of the signing oracle for some query $i^\star \in \{ 1, \ldots, Q \}$.
Lemma~\ref{le-type1-RMA} states that the signature scheme is secure against Type I forgery using the same technique as is~\cite{ABB10,Boy10,MP12}.
Lemma~\ref{le-type2-RMA} claims that the signature scheme resists Type II attacks, with a proof that is very similar to the one of Lemma~\ref{le-type1-RMA}. Both security proofs assume the computational hardness of the $\SIS$ problem.
The signature scheme of Section~\ref{RMA-sec} is secure against Type I attacks if the $\SIS_{n, m, q, \beta'}$ assumption holds, with $\beta' = \sigma^2 m^{3/2} (\ell + 2) + \sigma m^{1/2}$.
Let $\adv$ be a $\ppt$ adversary against the \textsf{na-CMA} security of our scheme that mounts Type I attacks with non negligible success probability $\varepsilon$.
We construct a $\ppt$ algorithm $\bdv$ using $\adv$ to break the $\SIS_{n,m,q,\beta'}$ assumption.
Our reduction $\bdv$ takes as input a target matrix $\bar{\mathbf A} \in \ZZ_q^{n \times m}$ and computes $\mathbf v \in \Lambda_q^\perp(\bar{\mathbf A})$ satisfying $0 < \| \mathbf v \| \leq \beta'$.
At first, $\bdv$ calls $\adv$ to obtain the messages to be queried: $\mathfrak m^{(1)}, \ldots, \mathfrak m^{(Q)}$.
For the sake of readability, let us define $\tau^{(i)} = i$, viewed as a bit-string, to be the tag corresponding to the $i$-th signature in our scheme. \medskip
\textbf{Setup.} As in~\cite{HW09}, the reduction guesses the shortest prefix such that the string $\tau^\star$ embedded in $\adv$'s forgery differs from all prefixes to $\{\tau^{(1)}, \dots, \tau^{(Q)}\}$.
To achieve this, $\bdv$ chooses at random $i^\dag \sample U(\{1, \ldots, Q\})$ and $t^\dag \sample U(\{1, \ldots, \ell\})$.
Then, with probability $1/(Q \cdot \ell)$, the longest common prefix between $\tau^\star$ and one of the tags $\{ \tau^{(i)} \}_{i = 1}^{Q}$ is the string $\tau^\star[1] \cdots \tau^\star[t^\dag - 1] \in \bit^{t^\dag - 1}$: the first $(t^\dag - 1)$-th bits of $\tau^\star$.
Let us define $\tau^\dag = \tau^\star_{\mid t^\dag}$, where $s_{|i}$ denotes the $i$-th prefix for a string~$s$.
By construction $\tau^\dag \notin \{ \tau_{\mid t^\dag}^{(1)}, \ldots, \tau_{\mid t^\dag}^{(Q)} \}$ with probability $1/(Q \cdot \ell)$.
Next, the reduction $\bdv$ runs $\TrapGen(1^n, 1^m, q)$ to obtain matrices $\mathbf C \in \Zq^{n \times m}$ and a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of
$\Lambda_q^\perp(\mathbf C)$, which will be useful to answer the following opening oracle queries.
The reduction $\bdv$ continues by picking $\ell + 1$ matrices $\mathbf Q_0, \ldots, \mathbf Q_\ell \in \ZZ^{m \times m}$ where each matrix $\mathbf Q_i$ has its column independently sampled from
$D_{\ZZ^m, \sigma}$, and \bdv defines the matrices $\mathbf A=\bar{\mathbf A}$ and $\{\mathbf A_j\}_{j=0}^{\ell}$ as follows
\mathbf A_0 = \bar{\mathbf A} \cdot \mathbf Q_0 + \left( \sum_{j=1}^{t^\dag} \tau^\star[j] \right) \cdot \mathbf C \\
\mathbf A_j = \bar{\mathbf A} \cdot \mathbf Q_j + (-1)^{\tau^\star[j]} \cdot \mathbf C & \text{for $j \in [ 1, t^\dag ]$} \\
\mathbf A_j = \bar{\mathbf A} \cdot \mathbf Q_j & \text{for $j \in [t^\dag + 1, \ell]$}
We can notice that
\mathbf A_{\tau^{(i)}} & = \Bigr[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \mathbf A_j \Bigl] \\
& = \Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf Q_j\bigr) + \bigl(\sum_{j=1}^{t^\dag} \tau^\star[j] + (-1)^{\tau^\star[j]} \cdot \tau^{(i)}[j]\bigr) \cdot \mathbf C \Bigl] \\
& = \Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot \mathbf Q_j\bigr) + h_{\tau^{(i)}} \cdot \mathbf C \Bigl],
where $h_{\tau^{(i)}}$ denotes the hamming distance between $\tau^{(i)}_{\mid t^\dag}$ and $\tau^\dag$. With probability $1/(Q\cdot \ell)$, and as $\ell > q$, it holds that $h_{\tau^{(i)}} \neq 0 \bmod q$ whenever $\tau^{(i)}_{\mid t^\dag} \neq \tau^\star_{\mid t^\dag}$.
The reduction then picks a random short matrix $\mathbf R \sample \ZZ^{m \times m_d}$ which has its $m_d$ columns independently sampled from $D_{\ZZ^m, \sigma}$, and \bdv computes
\[ \mathbf D = \bar{\mathbf A} \cdot \mathbf R \in \ZZ_q^{n \times m_d}. \]
To finish, $\bdv$ samples a short vector $\mathbf e_u \in D_{\ZZ^m, \sigma}$ and computes the vector $\mathbf u = \bar{\mathbf A} \cdot \mathbf e_u$. The following public key is finally given to \adv:
\[ PK := (\mathbf A, \{ \mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u). \]
\textbf{Signing queries.} To handle signature queries, the reduction $\bdv$ uses the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ starts by computing the vector $\mathbf u_M = \mathbf u + \mathbf D \cdot \mathfrak m^{(i)}$.
Then $\bdv$ can use $\mathbf{T_C}$ with the algorithm \textsf{SampleRight} from Lemma~\ref{lem:sampler} to
compute a short vector $\mathbf v^{(i)}$ in $D_{\Lambda^\perp(\mathbf A_{\tau^{(i)}}), \sigma}^{\mathbf u_M}$, distributed like a
valid signature and satisfying the verification equation~\eqref{ver-eq-block}.
\textbf{Output.} At some point, the attacker $\adv$ halts and outputs a \textit{valid} signature $sig^\star = (\tau^\star, \mathbf v^\star)$ for a message $\mathfrak m^\star \notin \{ \mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}\}$.
Since the signature is valid, it satisfies $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$.
Parsing $\mathbf v^\star$ as $[ \mathbf{v}_1^\star \mid \mathbf{v}_2^\star]$ with $\mathbf v_1^\star, \mathbf v_2^\star \in \ZZ^m$ and injecting it in~\eqref{ver-eq-block} give:
\Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^\star[j] \cdot \mathbf Q_j\bigr) \Bigl] \cdot \begin{bmatrix} \mathbf v_1^\star \\ \hline \mathbf v_2^\star \end{bmatrix}
& = \mathbf u + \mathbf D \cdot \mathfrak m^\star \mod q \\
& = \bar{\mathbf A} \cdot \bigl( \mathbf e_u + \mathbf R \cdot \mathfrak m^\star \bigr) \mod q
Thus, the vector
\[ \mathbf v' = \mathbf v_1^\star + \bigl( \mathbf Q_0 + \sum_{j=1}^\ell \tau^\star[j] \cdot \mathbf Q_j \bigr) \cdot \mathbf v_2^\star - \mathbf e_u - \mathbf R \cdot \mathfrak m^\star \]
is in $\Lambda^\perp(\bar{\mathbf A})$, and $\mathbf v'$ is non-zero with overwhelming probabilities, since in $\adv$'s view, the distribution of $\mathbf e_u$ is
$D_{\Lambda^\mathbf u_q(\mathbf A), \sigma}$, which guarantees that $\mathbf e_u$ is statistically hidden by the syndrome $\mathbf u = \bar{\mathbf A} \cdot \mathbf e_u$.
Finally, the norm of $\mathbf v'$ is upper bounded by
$\beta' = \sigma^2 m^{3/2} (\ell + 2) + 2 \sigma m^{1/2}$.
The signature scheme of Section~\ref{RMA-sec} is secure against Type II attacks if $\SIS_{n,m,q,\beta''}$ holds, with $\beta'' = \sqrt 2 (\ell + 2) \sigma m^{3/2} + m^{1/2}$.
We will prove this result using techniques analogous to the previous proof. We show that given an adversary $\adv$ that comes out with a Type II signature in the \textsf{na-CMA} game with non negligible probability $\varepsilon$, we can construct a PPT $\bdv$ that breaks the $\SIS$ assumption with advantage $\varepsilon/Q$ using $\adv$.
Firstly, the reduction $\bdv$ is given a matrix $\mathbf{A} \in \Zq^{n \times m_d}$ as input and has to output an integer vector $\mathbf v \in \ZZ^{m_d}$ in $\Lambda^\perp_q(\mathbf{A})$ such that $0 < \| \mathbf v \| \leq \beta''$.
Next, $\bdv$ receives from $\adv$ the messages $\mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}$ for which $\adv$ will further ask signature queries.
To compute the public key, at the outset of the game, the reduction $\bdv$ starts by sampling $i^\dag \sample U(\{1, \ldots, Q\})$ corresponding to the guess that $\adv$'s forgery will recycle $\tau^{(i\dag)}$.
This is independent of $\adv$'s view, and the guess will be correct with probability $1/Q$.
Using this guess to compute $PK$, the reduction $\bdv$ picks $h_0, \ldots, h_\ell \in \Zq$ subject to the constraints
\begin{equation} \label{eq:h-constraints}
h_0 + \sum_{j=1}^\ell \tau^{(i^\dag)}[j] \cdot h_j = 0 \mod q & \\
h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0 \mod q & \forall i \in \{1, \ldots, Q\} \backslash \{i^\dag\}
\bdv then runs $(\mathbf C, \mathbf{T_C}) \gets \TrapGen(1^n, 1^m, q)$.
The resulting matrix $\mathbf C \in \Zq^{n \times m}$ is statistically random, and the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ is a short basis of $\Lambda^\perp_q(\mathbf C)$.
Next \bdv re-randomize $\mathbf{A}$ using short matrices $\mathbf S, \mathbf S_0, \mathbf S_1, \ldots, \mathbf S_\ell \in \ZZ^{m_d \times m}$ which are obtained by sampling their columns from the distribution $D_{\ZZ^{m_d}, \sigma}$.
The challenger $\bdv$ then uses these matrices to define:
\mathbf A &= \mathbf{A} \cdot \mathbf S \nonumber \\
\mathbf A_0 &= \mathbf{A} \cdot \mathbf S_0 + h_0 \cdot \mathbf C \label{eq:rel-rerand} \\
\mathbf A_j &= \mathbf{A} \cdot \mathbf S_j + h_j \cdot \mathbf C & j \in \{1, \ldots, \ell\} \nonumber
and sets $\mathbf D = \mathbf{A} \in \ZZ_q^{n \times m_d}$. Observe that matrices $\mathbf{A},\{\mathbf{A}_j\}_{j=0}^\ell$ are all statistically uniform over $\ZZ_q^{n \times m}$.
Then, $\bdv$ samples short vectors ${\mathbf v_1^\dag, \mathbf v_2^\dag \sample D_{\ZZ^m, \sigma}}$ and computes $\mathbf u \in \Zq^n$ as
\begin{equation} \label{eq:rel-uM}
\mathbf u = \mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\dag} \\\hline \mathbf v_2^{\dag} \end{bmatrix} - \mathbf{A} \cdot \mathfrak m^{(i^\dag)} \mod q.
Finally, $\bdv$ sends to $\adv$ the public key
\[ PK := \bigl( \mathbf A, \{\mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u \bigr) \]
which is distributed as the $PK$ of the real scheme.
\smallskip \smallskip
To answer signing queries, the challenger $\bdv$ do as follows.
\item If the query is not the $i^\dag$-th, we have:
\mathbf A_{\tau^{(i)}} &= \Bigl[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=0}^\ell \tau^{(i)} [j] \cdot \mathbf A_j \Bigr] \\
&= \Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i)} [j] \cdot \mathbf S_j) + h_{\tau^{(i)}} \cdot \mathbf C \Bigr],
with $h_{\tau^{(i)}} = h_0 + \sum \tau^{(i)}[j] \cdot h_j \neq 0$ due to the first constraint of~\eqref{eq:h-constraints}. Thus, using the same technique as in the previous proof from~\cite{MP12}, the challenger $\bdv$ can use the trapdoor $\mathbf{T_C}$ along with \textsf{SampleRight} algorithm to sample a short vector in $\Lambda_q^{\mathbf u_M}(\mathbf A_{\tau^{(i)}})$ satisfying~\eqref{ver-eq-block}.
\item At the $i^\dag$-th query, thanks to the second constraint of~\eqref{eq:h-constraints}, we have:
\mathbf A_{\tau^{(i^\dag)}} &= \Bigl[ \mathbf A ~\Big|~ \mathbf A_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf A_j \Bigr] \\
&= \Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf S_j) \Bigr].
To answer this specific query, the challenger $\bdv$ returns $sig^{(i^\dag)} = (\tau^{(i^\dag)}, \mathbf v^{(i^\dag)})$ where $\mathbf v^{(i^\dag)} = ( \mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$ verifying~\eqref{eq:rel-uM}, which furthermore implies that $sig^{(i^\dag)}$ verifies~\eqref{ver-eq-block}.
Thus we claim that $\bdv$ can solve the $\SIS$ problem using the Type II forgery provided by $\adv$.
At the end of the game, the adversary outputs a valid signature $sig^\star = (\tau^{(i^\star)}, \mathbf v^\star)$ on a message $\mathfrak m^\star$ with $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$.
In the event that $\tau^{(i^\star)} \neq \tau^{i^\dag}$, the reduction aborts. The latter event happens with probability $1-1/Q$.
If we parse $\mathbf v^\star$ as $(\mathbf v_1^{\star, T} \mid \mathbf v_2^{\star T})^T \in \ZZ^{2m}$, with $\mathbf v_1^{\star}, \mathbf v_2^\star \in \ZZ^m$, it holds that:
\begin{equation} \label{eq:sub-rel-1}
\mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\star} \\\hline \mathbf v_2^{\star} \end{bmatrix} = \mathbf u + \mathbf{A} \cdot \mathfrak m^{\star} \mod q.
According to the way $\mathbf u$ was defined at the beginning of the game, we also have a vector $\mathbf v^\dag = (\mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$ such that
\begin{equation} \label{eq:sub-rel-2}
\mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\dag} \\\hline \mathbf v_2^{\dag} \end{bmatrix} = \mathbf u + \mathbf{A} \cdot \mathfrak m^{\dag} \mod q.
As $sig^\star$ is a valid forgery for the dn-CMA game, it follows that $m^\dag \neq m^\star$. And we get by subtracting \eqref{eq:sub-rel-1} and \eqref{eq:sub-rel-2}
\mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^\star - \mathbf v_1^{\dag} \\\hline \mathbf v_2^\star - \mathbf v_2^{\dag} \end{bmatrix} &= \mathbf{A} \cdot \left (\mathfrak m^{\star} - \mathfrak m^\dag \right) \mod q, \\
\Bigl[ \mathbf{A} \cdot \mathbf S ~\Big|~ \mathbf{A} \cdot ( \mathbf S_0 + \sum_{j=0}^\ell \tau^{(i^\dag)} [j] \cdot \mathbf S_j) \Bigr]\cdot \begin{bmatrix} \mathbf v_1^\star - \mathbf v_1^{\dag} \\\hline \mathbf v_2^\star - \mathbf v_2^{\dag} \end{bmatrix} &= \mathbf{A} \cdot \left (\mathfrak m^{\star} - \mathfrak m^\dag \right) \mod q.
Leading us to the fact that
\begin{equation} \label{eq:non-zero}
\mathbf v' = \underbrace{\mathbf S \cdot (\mathbf v_1^\star - \mathbf v_2^\dag) + \left( \mathbf S_0 + \sum_{j=1}^\ell \tau^{(i^\dag)}[j] \cdot \mathbf S_j \right) \cdot (\mathbf v_2^\star - \mathbf v_2^\dag)}_{(a)} + \underbrace{\mathfrak m^\dag - \mathfrak m^\star}_{-(b)}
is an integer vector of $\Lambda_q^\perp(\mathbf{A})$, with norm bounded by $\| \mathbf v' \| \leq \sqrt 2 (\ell + 2) \sigma m^{3/2} + m^{1/2} = \beta''$.
Furthermore, if $\mathbf v'$ was zero, it implies that $(a) = (b)$ in Equation~\eqref{eq:non-zero}.
And as $sig^\star \neq sig^\dag$, we have that either $\mathbf v_1^\star \neq \mathbf v_1^\dag$ or $\mathbf v_2^\star \neq \mathbf v_2^\dag$.
As a consequence, $(a)$ is information theoretically unpredictable for $\adv$ since the columns of $\mathbf S, \mathbf S_0, \ldots \mathbf S_\ell$ are statistically hidden from $\adv$, as shown in~\cite{MP12} for instance: conditionally on the public key, each column of $\mathbf S$ and $\{\mathbf S_j\}_{j=0}^\ell$ has at least $n$ bits of min-entropy.
\section{A Fully Simulatable Adaptive OT Protocol} \label{OT-scheme}
Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{CNS07}. The databases holder encrypts all entries
using a multi-bit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the well-formedness of its public key and all ciphertexts. In addition,
all ciphertexts are signed using a signature scheme. At each
transfer, the receiver statistically re-randomizes a blinded version of the desired ciphertext, where the blinding is done via the additive
homomorphism of Regev. Then, the receiver provides a witness indistinguishable (\textsf{WI}) argument that the modified ciphertext (which is
submitted for oblivious decryption) is
a transformation of one of the original ciphertexts by arguing knowledge of a signature on this hidden ciphertext. In response,
the sender obliviously decrypts the modified ciphertext and argues in zero-knowledge that the response is correct.
Adapting the technique of \cite{CNS07} to the lattice setting requires the following building blocks:
(i) A signature scheme allowing to sign ciphertexts while remaining compatible with ZK proofs; (ii) A ZK protocol allowing to prove knowledge of a signature on some hidden ciphertext which belongs to a public set and was transformed into a given ciphertext; (iii) A protocol for proving the correct decryption of a ciphertext; (iv) A method of statistically re-randomizing an $\LWE$-encrypted ciphertext in a way that enables oblivious decryption. The first three ingredients can be obtained from \cref{ch:gs-lwe}. Since component (i) only needs to be secure against random-message attacks as
long as the adversary obtains at most $N$ signatures, we use the simplified $\SIS$-based signature scheme
of Section \ref{RMA-sec}.
The statistical re-randomization of Regev ciphertexts is handled via the noise flooding technique \cite{AJL+12}, which consists in drowning the initial noise with a sub-exponentially larger
noise. While recent results \cite{DS16,BDPMW16} provide potentially more efficient alternatives,
we chose the flooding technique for simplicity because it does not require the use of FHE (and also because
the known multi-bit version \cite{HAO15} of the GSW FHE~\cite{GSW13} incurs an \textit{ad hoc} circular security assumption).
Our scheme works with security parameter $\lambda$, modulus $q$, lattice dimensions $n = \mathcal{O}(\lambda)$ and $m= 2 n \lceil \log q \rceil$. Let $B_\chi = \widetilde{\mathcal{O}}(\sqrt{n})$, and let $\chi$ be a $B_\chi$-bounded distribution. We also define an integer~$B$ as a randomization parameter such that $B= n^{\omega(1)}\cdot (m+1)B_\chi$ and $B+ (m+1)B_\chi \leq q/5$ (to ensure decryption correctness).
Our basic \OTA protocol goes as follows.
\item[\textsf{Initialization}$\big(\mathsf{S}_\mathsf{I}(1^\lambda,\mathsf{DB}),\mathsf{R}_{\mathsf{I}}(1^\lambda) \big)$:] In this protocol, the sender $\mathsf{S}_\mathsf{I}$ has a database $\mathsf{DB}=(M_1,\ldots,M_N)$ of $N$ messages, where $M_i \in \{0,1\}^{t}$ for each $i \in [N]$,
for some $t \in \mathsf{poly}(\lambda)$. It interacts with the receiver $\mathsf{R}_\mathsf{I}$ as follows. \smallskip \smallskip
\item[1.] Generate a key pair for the signature scheme of Section \ref{RMA-sec} in order to sign $Q=N$ messages of length $m_d = (n+t) \cdot \lceil \log q \rceil$ each.
This key pair consists of $SK_{sig}=\mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and
${PK}_{sig}:=\big( \mathbf{A},
\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{D}, \mathbf{u} \big),$ where $\ell=\log N$ and $\mathbf{A},\mathbf{A}_0,\ldots,\mathbf{A}_{\ell} \in U(\Zq^{n \times m})$, $\mathbf{D} \in U(\Zq^{n \times m_d})$.
%with $m = 2n \lceil \log q \rceil$, $m_d = (n+t) \lceil \log q \rceil$.
The counter is initialized to $\tau=0$.
\item[2.] Choose $\mathbf{S} \sample \chi^{n \times t}$ that will serve as a secret key for an $\LWE$-based encryption scheme.
Then, sample $\mathbf{F} \sample U(\Zq^{n \times m})$, $\mathbf{E} \sample \chi^{m \times t }$ and compute
\begin{eqnarray} \label{PK-gen}
\mathbf{P} = [\mathbf{p}_1 | \ldots | \mathbf{p}_t] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t},
so that $(\mathbf{F},\mathbf{P}) \in \Zq^{n \times m} \times \Zq^{m \times t }$ forms a public key for a $t$-bit variant of Regev's encryption scheme \cite{Reg05}.
% (or, equivalently,
% a set of $m$ encryptions of the all-zeroes $t$-bit string).
Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
\begin{align} \label{init-db}
(\mathbf{a}_i,\mathbf{b}_i) &= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} & \forall i \in [N].
\item[4.] For each $i \in [N]$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the decomposition
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i^T |\mathbf{b}_i^T )^T \in \{0,1\}^{m_d}$. % of $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$.
\item[5.] $\mathsf{S}_\mathsf{I}$ sends
$ R_0= \bigl( PK_{sig} ,~(\mathbf{F},\mathbf{P}),~\{(\mathbf{a}_i,\mathbf{b}_i),(\tau_i,\mathbf{v}_i ) \}_{i=1}^N \bigr) $ to $\mathsf{R}_\mathsf{I}$ and interactively proves knowledge of small-norm $\mathbf{S} \in \ZZ^{n \times t}$, $\mathbf{E} \in \ZZ^{m \times t}$, short vectors $\{\mathbf{x}_i\}_{i=1}^N$ and
$t$-bit messages $\{M_i\}_{i=1}^N$,
for which~\eqref{PK-gen} and~\eqref{init-db} hold. To this end, $\mathsf{S}_\mathsf{I}$ plays the role of the prover in the ZK argument system described in Section~\ref{subsection:ZK-protocol-1}.
If the argument of knowledge does not verify
%at step b
or if there exists $i \in [N]$ such that $(\tau_i,\mathbf{v}_i)$ is an invalid signature on the message
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1} (\mathbf{a}_i^T |\mathbf{b}_i^T)^T $ w.r.t. $PK_{sig}$, then $\mathsf{R}_\mathsf{I}$ aborts.
\item[6.] Finally $\mathsf{S}_\mathsf{I}$ defines $S_0= \big( (\mathbf{S},\mathbf{E}) ,(\mathbf{F},\mathbf{P}),PK_{sig} \big)$, which it keeps to itself. \medskip \smallskip
\item[\textsf{Transfer}$\big(\mathsf{S}_\mathsf{T}(S_{i-1}),\mathsf{R}_{\mathsf{T}}(R_{i-1},\rho_i) \big)$:] At the $i$-th transfer, the receiver $\mathsf{R}_\mathsf{T}$ has state $R_{i-1}$ and
an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}_\mathsf{T}$ that has state $S_{i-1}$ in order to obtain $M_{\rho_i}$ from $\mathsf{DB}$. \smallskip \smallskip \smallskip
\item[1.] $\mathsf{R}_\mathsf{T}$ samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and a random $\nu \sample U([-B,B]^t)$ to compute
\begin{eqnarray} \label{rand-CT}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho_i} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho_i} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows
a signature on $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_{\rho_i}^T | \mathbf{b}_{\rho_i}^T)^T \in \{0,1\}^{m_d}$.
To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-3}.
\item[2.] If the argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and
obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a zero-knowledge argument of knowledge of vector $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm matrices $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$)
\begin{align} \label{test-transfer}
\mathbf{P} &= \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} & \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T &= \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor.
To this end, $\mathsf{S}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-2}.
\item[3.] If the ZK argument produced by $\mathsf{S}_\mathsf{T}$ does not properly verify at step 2, $\mathsf{R}_\mathsf{T}$ halts and outputs $\perp$. Otherwise, $\mathsf{R}_\mathsf{T}$ recalls
the random string $\mu \in \{0,1\}^t$ that was chosen at step 1 and computes $M_{\rho_i}=M' \oplus \mu$. The transfer ends with $\mathsf{S}_\mathsf{T}$ and $\mathsf{R}_\mathsf{T}$
outputting $S_i=S_{i-1}$ and $R_i=R_{i-1}$, respectively.
In the initialization phase, the sender has to repeat step 5 with each
receiver to prove that $\left\{(\mathbf{a}_i,\mathbf{b}_i)\right\}_{i=1}^N$ are well-formed. Using the Fiat-Shamir heuristic \cite{FS86}, we can decrease this initialization
cost from $O(N \cdot U)$ to $O(N)$ (regardless of the number of users $U$) by making the proof non-interactive.
This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be non-interactive and the receiver's arguments only need to be \textsf{WI}, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. To keep the security proof
simple, we derive the matrix $\mathbf{F} \in \Zq^{n \times m}$ from a second random oracle.
%which the sender can build his $\LWE$-based public key $\mathbf{P}=\mathbf{F} \cdot \mathbf{S} + \mathbf{E}$, for small-norm matrices $\mathbf{S} \in \ZZ^{n \times t}$
%and $\mathbf{E} \in \ZZ^{m \times t}$.
Knowing a short basis of $\Lambda_q^{\perp}(\mathbf{F})$, the simulator can extract
the columns of $\mathbf{S}$ from the public key $\mathbf{P} \in \Zq^{n \times m}$. Details are given in Appendix~\ref{optimized}.
The security of the above \OTA protocol against static corruptions is stated by the following theorems.
\begin{theorem} \label{sender-sec}
The $\OTA$ protocol provides receiver security under the $\SIS$ assumption.
We prove that any real-world cheating sender $\hat{\mathsf{S}}$ implies an ideal-world cheating sender $\hat{\mathsf{S}}'$ such that, under the $\SIS$ assumption,
the two distributions $\REAL_{\hat{\mathsf{S}},{\mathsf{R}}}$ and $\IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'}$ with common inputs $(N,k,M_1,\ldots,M_N,\rho_1,\ldots,\rho_k)$ are indistinguishable
to any PPT distinguisher $\ddv$.
To this end, we consider a sequence of hybrid experiments with binary outputs. In each experiment $\textsf{Exp}_i$, a distinguisher $\ddv$ takes
as input the states $(S_k,R_k)$ produced by $\hat{\mathsf{S}}$ and $\mathsf{R}'$ at the end of the experiment and outputs a bit. We define $W_i$ as the event that the output of experiment $\textsf{Exp}_i$ is $1$. The first experiment outputs whatever the distinguisher $\ddv$ outputs and corresponds to the real interaction between the cheating sender $\hat{\mathsf{S}}$ and the
receiver $\mathsf{R}$. \smallskip
\item[\textsf{Exp}$_0$:] This experiment involves a real execution of $\hat{\mathsf{S}}$ in interaction with a honest receiver $\mathsf{R}$ which queries the index $\rho_i \in [N]$ at
the $i$-th transfer for each $i \in [k]$. The output of $\textsf{Exp}_0$
is exactly the output of the distinguisher $\ddv$ on input of $X=(S_k,R_k) \leftarrow \REAL_{\mathsf{S},\hat{\mathsf{R}}} $, so that
we have
$$\Pr[W_0]=\Pr[ \ddv (X) =1 \mid X \leftarrow \REAL_{\hat{\mathsf{S}},{\mathsf{R}}} ].$$
\item[\textsf{Exp}$_1$:] This experiment is like $\textsf{Exp}_0$ except that, at step 5 of the initialization phase, the knowledge extractor of the argument system is used to
extract the witnesses $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$, for each $j \in [t]$, from the sender's argument. In the event that the knowledge
extractor fails to extract valid witnesses, the experiment aborts and outputs $\perp$. We know that the zero-knowledge argument system is computationally sound
as long as the underlying commitment is computationally binding. If the perfectly hiding commitment of \cite{KTX08} is used, the binding property is in turn
implied by the $\SIS$ assumption. Under the
$\SIS$ assumption, it follows that $\textsf{Exp}_1$ returns $1$ with about the same probability as $\textsf{Exp}_0$. Specifically, there exists a $\SIS$ solver $\bdv$ such that
$ | \Pr[W_1] -\Pr[W_0] | \leq \mathbf{Adv}^{\SIS}_\bdv (\lambda). $ \smallskip
\item[\textsf{Exp}$_2$:] This experiment is identical to \textsf{Exp}$_1$ except that the receiver $\mathsf{R}'$ makes use of the matrix $\mathbf{S} \in \chi^{n \times t}$, which underlies $\mathbf{P} \in \ZZ_q^{m \times t}$ in
\eqref{PK-gen} and was extracted at step 5 of the initialization phase. Namely, at step 2 of each transfer, $\mathsf{R}'$ uses
$\mathbf{S}$ to determine if the ZK argument sent by $\hat{\mathsf{S}}$ is really an argument for a true statement or if $\hat{\mathsf{S}}$ somehow managed
to break the soundness of the argument system. Namely, upon receiving the response $M ' \in \{0,1\}^t$ of $\hat{\mathsf{S}}$ at step 2, $\mathsf{R}'$
uses the previously extracted $\mathbf{S} \in \chi^{n \times t}$ to determine whether there exists a vector $\mathbf{y} \in \ZZ^t$ of norm $\| \mathbf{y} \|_{\infty}
\leq q/5$ such that
\begin{eqnarray} \label{test-deux}
\mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor .
If no such vector $\mathbf{y}$ exists, $\mathsf{R}'$ infers that $\hat{\mathsf{S}}$ broke the soundness of the argument system. In this case, $\hat{\mathsf{S}}$ can be
rewound so as to break the binding property of the statistically hiding commitment scheme used by the ZK argument system, which in turn contradicts
the $\SIS$ assumption. We thus have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathbf{Adv}^{\SIS}_\bdv (\lambda) $ for some efficient algorithm $\bdv$ which
is given rewinding access to $\hat{\mathsf{S}}$.
\item[\textsf{Exp}$_3$:] This experiment is like $\textsf{Exp}_2$ with the difference that, at each transfer, the receiver $\mathsf{R}'$ chooses the index $\rho_i=1$ and thus always requests
the first message of the encrypted database. In more details, at each transfer, $\mathsf{R}'$
samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and $\nu \sample U([-B,B]^t)$ to compute and send
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \ZZ_q^n \times \ZZ_q^t,
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$.
Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive \textsf{WI} argument that
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
It thus generates a \textsf{WI} argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}. %(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
By the statistically \textsf{WI} of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter
such that $(m+1) \alpha q / B $ is negligible, the result of \cite[Section 4.1]{DS16} implies that always re-randomizing
$(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$ leaves the view of $\hat{\mathsf{S}}$ statistically unchanged.
We have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathsf{negl}(\lambda). $ \smallskip
In $\textsf{Exp}_3$, we can define the ideal-world cheating sender $\hat{\mathsf{S}}'$ which emulates the honest receiver $\mathsf{R}'$ interacting with $\hat{\mathsf{S}}$. At the initialization
phase, $\hat{\mathsf{S}}'$ appeals to the knowledge extractor of the argument system so as to extract the small-norm matrices $\mathbf{S} = [\mathbf{s}_1|\ldots|\mathbf{s}_t] \in \chi^{n \times t}$
and $\mathbf{E}=[\mathbf{e}_1| \ldots |\mathbf{e}_t] \in \chi^{m \times t}$ satisfying \eqref{PK-gen}. Armed with the decryption key $\mathbf{E} \in \chi^{m \times t}$ of the cryptosystem,
$\hat{\mathsf{S}}'$ can decrypt $\{(\mathbf{a}_i,\mathbf{b}_i)\}_{i=1}^N$ and obtain the messages $M_1,\ldots,M_N \in \{0,1\}^N$ that were encrypted in \eqref{init-db} by $\hat{\mathsf{S}}$.
It then submits $M_1,\ldots,M_N \in \{0,1\}^N$ to the trusted party $\mathsf{T}$. As in $\textsf{Exp}_2$, during each transfer phase, $\hat{\mathsf{S}}'$ computes $(\mathbf{c}_0,\mathbf{c}_1)$ as
a re-randomization of $(\mathbf{a}_1,\mathbf{b}_1) \in \ZZ_q^n \times \ZZ_q^t$ and faithfully generates the receiver's argument of knowledge using the witness $\rho_i=1$ at step 1.
At step 2 of each transfer, $\hat{\mathsf{S}}'$ plays the role of the verifier on behalf of $\mathsf{R}'$ in the interactive zero-knowledge argument generated by $\hat{\mathsf{S}}$. If $\hat{\mathsf{S}}'$ detects that $\hat{\mathsf{S}}$ creates a verifying argument for a false statement (which $\hat{\mathsf{S}}'$ can detect using the
extracted matrix $\mathbf{S} \in \ZZ^{n \times t}$, by applying the test
\eqref{test-deux}), it aborts the interaction as in $\textsf{Exp}_3$.
If the ZK
argument involves a true statement, $\hat{\mathsf{S}}'$ sends $1$ to the trusted party $\mathsf{T}$ so as to authorize the transfer in the ideal world. Otherwise, $\hat{\mathsf{S}}'$ sends $0$ to $\mathsf{T}$.
At the end of the $k$-th transfer phase, $\hat{\mathsf{S}}'$ outputs whatever $\hat{\mathsf{S}}$ outputs as its final state $S_k$.
In $\textsf{Exp}_3$, it is easy to see that
$$ \Pr[W_3] = \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'} ] .$$
When putting the above altogether, we find that there exists a PPT $\SIS$ solver $\bdv$ such that
| \Pr[ \ddv (X) =1 \mid X \leftarrow \REAL_{\hat{\mathsf{S}},{\mathsf{R}}} ] \\ - \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'} ] | \leq 2 \cdot \mathbf{Adv}_\bdv^{\SIS}(\lambda)
+ \mathsf{negl}(\lambda) ,
which proves the result.
\begin{theorem} \label{rec-sec}
The $\OTA$ protocol provides sender security under the $\SIS$ and $\LWE$ assumptions.
%-------------------- PROOF --------------------
Given a real malicious receiver $\hat{\mathsf{R}}$, we construct a cheating receiver $\hat{\mathsf{R}}'$ in the ideal world such that, under the $\SIS$ and $\LWE$ assumption, no PPT distinguisher $\ddv$ can tell apart
the distributions $\REAL_{\mathsf{S},\hat{\mathsf{R}}}$ and $\IDEAL_{\mathsf{S}',\hat{\mathsf{R}}'}$ under common inputs: $N$, $k$, $M_1,\ldots,M_N$, $\rho_1,\ldots,\rho_k$.
To do this, we proceed again via a sequence of hybrid experiments with binary outputs.
For each $i$, we consider the probability that a distinguisher $\ddv$ outputs $1$ on input of the states $(S_k,R_k)$ that constitute the outcome of experiment $\textsf{Exp}_i$. We also define $W_i$ to be the event that experiment $\textsf{Exp}_i$ outputs $1$.
\item[\textsf{Exp}$_0$:] This experiment corresponds to a real execution of $\hat{\mathsf{R}}$ in interaction with a honest sender $\mathsf{S}(M_1,\ldots,M_N)$. The output of the experiment
is identical to that of the distinguisher $\ddv$ on input of $X=(S_k,R_k) \leftarrow \REAL_{\mathsf{S},\hat{\mathsf{R}}} $.
We have
$$\Pr[W_0]=\Pr[ \ddv (X) =1 \mid X \leftarrow \REAL_{\mathsf{S},\hat{\mathsf{R}}} ].$$
\item[\textsf{Exp}$_1$:] This experiment departs from $\textsf{Exp}_0$ in that,
when the dishonest receiver $\hat{\mathsf{R}}_{\mathsf{T}}$ sends the ciphertext $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$
at step 1 of each transfer, the knowledge extractor of the argument system is used to
extract the witnesses $\mathfrak{m} \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ which
satisfy \eqref{eq:protocol-3-original}. %(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
If the knowledge extractor fails to produce valid witnesses at some transfer, the experiment aborts and outputs $\perp$. Recall that the zero-knowledge argument system is computationally sound
if the underlying commitment is binding, which is equivalent to the $\SIS$ assumption if the perfectly hiding commitment of \cite{KTX08} is used. Under the
$\SIS$ assumption, experiment $\textsf{Exp}_1$ returns $1$ with about the same probability as $\textsf{Exp}_0$. There thus exists a $\SIS$ solver $\bdv$ such that
$ | \Pr[W_1] -\Pr[W_0] | \leq k \cdot \mathbf{Adv}^{\SIS}_\bdv (\lambda) $, where $k$ is the number of transfers.
\item[\textsf{Exp}$_2$:] This experiment is identical to $\textsf{Exp}_1$ except that, at step 1 of each transfer, the experiment aborts if the extracted
witnesses $\mathfrak{m} \in \{0,1\}^{m_d}$, ${\mathbf{e} \in \{-1,0,1\}^t}$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ are such that the product
\left[ \begin{array}{c} \mathbf{a}_{\mathfrak{m}} \\ \hline \mathbf{b}_{\mathfrak{m}} \end{array} \right] = \left[ \begin{array}{cc}
\mathbf{H}_{n,q-1} ~ & ~ ~ \\ \hline
& ~\mathbf{H}_{t,q-1}~
\end{array} \right] \cdot \mathfrak{m} ~ \in \Zq^{n + t}
does not match any ciphertext $\{(\mathbf{a}_i,\mathbf{b}_i)\}_{i=1}^N$ appearing in $R_0$ (namely, we have $(\mathbf{a}_{\mathfrak{m}} , \mathbf{b}_{\mathfrak{m}}) \neq (\mathbf{a}_i,\mathbf{b}_i)$
for each $i \in [N]$). We claim that such an event implies a breach in the bounded message security of the signature scheme: \smallskip
\begin{lemma} \label{sig-rely}
Under the $\SIS$ assumption, experiments $\mathsf{Exp}_2$ and $\mathsf{Exp}_1$ are computationally indistinguishable: there exists a PPT algorithm $\bdv$ such that
$|\Pr[W_2]-\Pr[W_1]| \leq N \cdot \mathbf{Adv}^{\SIS}_\bdv(\lambda)$.
\smallskip \smallskip
\item[\textsf{Exp}$_3$:] This experiment is like $\textsf{Exp}_2$ except that, at step 5 of the initialization phase, the zero-knowledge argument of knowledge of
$\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$ such that
\begin{eqnarray*} \label{sender-proof-sim}
\left[ \begin{array}{c|c|c|c} ~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~ & ~ ~\\ \hline
\rule{0pt}{2.5ex}~\mathbf{A}_{\mathsf{DB}}^T ~ & ~ ~ & ~ \mathbf{I}_N ~ & ~ \lfloor q/2 \rfloor \cdot \mathbf{I}_N ~
\end{array} \right]
\cdot \left[ \begin{array}{c} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \bar{\mathbf{x}}_j \\ \hline \rule{0pt}{2.5ex} \bar{{M}}_j \end{array} \right] = \left[ \begin{array}{c}
\mathbf{p}_j \\ \hline
\end{array} \right] \qquad \forall j \in [t]
is replaced by a simulated interactive argument and
so is the ZK argument of knowledge of $\{(\mathbf{s}_j,\mathbf{e}_j,\mathbf{y}[j])\}_{j=1}^t$ satisfying \eqref{eq:protocol-2-original}
at step 2 of each transfer protocol. From this experiment on,
we notice that
the small-norm matrices $\mathbf{S}=[\mathbf{s}_1 | \ldots |\mathbf{s}_t] \in \ZZ^{n \times t}$, $\mathbf{E} = [\mathbf{e}_1 | \ldots | \mathbf{e}_t ] \in \chi^{m \times t}$ satisfying
are no longer used by the sender $\mathsf{S}$. Yet, the statistical ZK property of the zero-knowledge argument system ensures that
$|\Pr[W_3]-\Pr[W_2]| \leq \mathsf{negl}(\lambda)$. \smallskip
\item[\textsf{Exp}$_4$:] This experiment is like $\textsf{Exp}_3$ with the difference that, at step 2 of the initialization phase, each column $\mathbf p_i$ of the Regev's encryption public key matrix $\mathbf{P}= \left[ \mathbf{p}_1 \mid \ldots \mid \mathbf{p}_t \right] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} \in \Zq^{m \times t}$ is traded for a uniformly random vector $\mathbf{p}_i \gets U(\ZZ_{q}^{m})$.
At the same time, each $\mathbf b_i = \mathbf S^T \cdot \mathbf a_i + \mathbf x_i + M_i \lfloor \tfrac{q}{2} \rfloor \in \Zq^t$ is replaced by a truly uniform random vector in $\Zq^t$.
Therefore, $\mathbf P$ is a uniformly distributed matrix in $\Zq^{m \times t}$, and the $(\mathbf b_i)_{i=1}^N$ are distributed as uniform vectors in $(\Zq^t)^N$.
Now, at step 5 of the initialization phase and step 2 of each transfer, the sender's zero-knowledge arguments are simulated arguments for false statements.
However, a straightforward reduction shows that, under the $\LWE$ assumption over $t\cdot(m + N)$ samples,
these changes should remain unnoticed to the malicious receiver $\hat{\mathsf{R}}$ and have no impact on the distinguisher's output: we have $|\Pr[W_4]-\Pr[W_3]| \leq \mathbf{Adv}^{\LWE}_\bdv(\lambda)$. \smallskip
%\item[\textsf{Exp}$_5$:] In this experiment, we modify again the initialization phase and replace $\{(\mathbf{a}_i,\mathbf{b}_i)\}_{i=1}^N$ by truly random pairs $(\mathbf{a}_i,\mathbf{b}_i)
%\leftarrow U(\Zq^{n} \times \Zq^t)$.% As in \cite{Reg05}, the Leftover Hash Lemma implies that this experiment is statistically indistinguishable
%from $\textsf{Exp}_4$: we have $|\Pr[W_5]-\Pr[W_4]| \leq \mathsf{negl}(\lambda)$. \medskip
The ideal-world receiver $\hat{\mathsf{R}}'$ is defined as follows. It assumes the role of the sender $\mathsf{S}'$ in interaction with the real-world receiver $\hat{\mathsf{R}}$ in $\textsf{Exp}_4$.
This implies that, in the initialization phase, the matrices $(\mathbf{F},\mathbf{P})$ are chosen as uniformly random matrices $(\mathbf{F},\mathbf{P}) \leftarrow U(\Zq^{n \times m}
\times \Zq^{m \times t} )$ and while, at step 3, $(\mathbf{a}_i,\mathbf{b}_i) \leftarrow U(\Zq^{n} \times \Zq^t)$ is chosen at random for each $i \in [N]$.
The randomly generated pairs $\{(\mathbf{a}_i,\mathbf{b}_i)\}_{i=1}^N$ are faithfully signed using $SK_{sig}=\mathbf{T}_{\mathbf{A}}$ at step 4. In step 5 of the initialization phase,
$\hat{\mathsf{R}}'$ appeals to the simulator of the ZK argument. At the $i$-th transfer, when $\hat{\mathsf{R}}$ sends $(\mathbf{c}_0,\mathbf{c}_1)$ and argues knowledge
of $(\mathfrak{m},\mathbf{e},\mu,\nu,\tau,\mathbf{v}_1,\mathbf{v}_2)$ at step 1, $\hat{\mathsf{R}}'$ uses the knowledge extractor of the argument system to extract the witnesses
$(\mathfrak{m},\mathbf{e},\mu,\nu,\tau,\mathbf{v}_1,\mathbf{v}_2) \in \{0,1\}^{m_d} \times \{-1,0,1\}^t \times \{0,1\}^t \times [-B,B]^t \times \{0,1\}^{\ell}$ and determine
the index $\rho_i \in [N]$ such that
\left[ \begin{array}{c} \mathbf{a}_{\rho_i} \\ \hline \mathbf{b}_{\rho_i} \end{array} \right] = \left[ \begin{array}{cc}
\mathbf{H}_{n,q-1} ~ & ~ ~ \\ \hline
& ~\mathbf{H}_{t,q-1}~
\end{array} \right] \cdot \mathfrak{m} ~ \in \Zq^{n + t}.
Note that, by Lemma \ref{sig-rely}, such an index must exist unless $\hat{\mathsf{R}}$ can forge a signature. Having determined the index $\rho_i \in [N]$ of the queried
database entry, $\hat{\mathsf{R}}'$ sends $\rho_i$ to the trusted party $\mathsf{T}$ which returns the message $M_{\rho_i} \in \{0,1\}^t$. The latter is used together with the
extracted witness $\mu \in \{0,1\}^t$ to define the response $M'=M_{\rho_i} \oplus \mu \in \{0,1\}^t$ that $\hat{\mathsf{R}}'$ generates on behalf of the sender $\hat{\mathsf{S}}'$ at step 2 of the transfer. In addition,
the ideal-world dishonest receiver $\hat{\mathsf{R}}'$ appeals to the simulator of the zero-knowledge argument system to simulate an argument of knowledge
of $\{(\mathbf{s}_j,\mathbf{e}_j,\mathbf{y}[j])\}_{j=1}^t$ for the statement~\eqref{eq:protocol-2-original}.
It is easy to see that, when $\hat{\mathsf{R}}$ interacts with the simulator $\hat{\mathsf{R}}'$ that emulates the real-world sender $\mathsf{S}'$, its view is identical to that
of $\textsf{Exp}_4$: we have
$$ \Pr[W_4] = \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{{\mathsf{S}}',\hat{\mathsf{R}}'} ] .$$
When combining the above, we conclude that there exist PPT algorithms $\bdv$ and $\bdv'$ such that
| \Pr[ \ddv (X) =1 \mid X \leftarrow \REAL_{{\mathsf{S}},\hat{\mathsf{R}}} ] \\ - \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{{\mathsf{S}}',\hat{\mathsf{R}}'} ] | \leq 2 \cdot \mathbf{Adv}_\bdv^{\SIS}(\lambda)
+ \mathbf{Adv}_{\bdv'}^{\LWE}(\lambda)
+ \mathsf{negl}(\lambda) . \end{multline*}
This proves the sender security under the $\SIS$ and $\LWE$ assumptions.
%%%%%%%%%%%% Access control
\section{OT with Access Control for Branching Programs} \label{OT-AC-scheme}
In this section, we extend our protocol of Section \ref{OT-scheme} into a protocol where database entries can be protected
by access control policies consisting of branching programs. In a nutshell, the construction goes as follows.
When the database is set up, the sender signs (a binary representation of) each database entry $(\mathbf{a}_i,\mathbf{b}_i)$ together
with a hash value $\mathbf{h}_{\BPR,i} \in \Zq^n$ of the corresponding branching program. For each possessed attribute $\mathbf{x} \in \{0,1\}^\kappa$,
the user $\USR$
obtains a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ from the issuer. \\ \indent If $\USR$ has a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ for an attribute $\mathbf{x}$ satisfying
the $\rho$-th branching program, $\USR$ can re-randomize $(\mathbf{a}_\rho,\mathbf{b}_\rho)$ into $(\mathbf{c}_0,\mathbf{c}_1)$, which is given to the sender,
while proving that: (i) He knows a signature
$(\tau,\mathbf{v})$ on some message $(\mathbf{a}_\rho,\mathbf{b}_\rho,\mathbf{h}_{\BPR,\rho})$ such that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of
$(\mathbf{a}_\rho,\mathbf{b}_\rho)$; (ii) The corresponding $\mathbf{h}_{\BPR,\rho}$ is the hash value of (the binary representation of) a branching program
$\BPR_{\rho}$ that accepts an attribute $\mathbf{x} \in \{0,1\}^\kappa$ for which he has a valid credential $\mathsf{Cred}_{\USR,\mathbf{x}}$
(i.e., $\BPR_{\rho}(\mathbf{x})=1$). \\
\indent While statement (i) can be proved as in Section \ref{OT-scheme}, handling (ii) requires a method of proving the possession of a (committed) branching program $\BPR$ and a (committed) input $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR(\mathbf{x})=1$ while demonstrating possession of a credential for
Recall that a branching program $\BPR$ of length $L$, input space $\{0,1\}^{\kappa}$ and width $5$ is specified by $L$ tuples of the
form $(\var(\theta),\pi_{\theta,0},\pi_{\theta,1})$ where
\item[-] $\var: [L] \rightarrow [0, \kappa-1]$ is a function that associates the $\theta$-th tuple with the coordinate ${x}_{\var(\theta)} \in \{0,1\}$ of
the input $\mathbf{x} = (x_0, \ldots, x_{\kappa-1})^T$.
\item[-] $\pi_{\theta,0},\pi_{\theta,1} : \{0,1,2,3,4\} \rightarrow \{0,1,2,3,4\}$ are permutations that determine the $\theta$-th step of the
On input $\mathbf{x} = (x_0, \ldots, x_{\kappa-1})^T$, $\BPR$ computes its output as follows.
For each bit $b \in \{0,1\}$, let $\bar{b}$ denote the bit $1-b$.
Let $\eta_\theta$ denote the state of computation at step $\theta$. The initial state is $\eta_0 = 0$ and, for $\theta \in [1,L]$, the state $\eta_\theta$ is computed as
\eta_\theta = \pi_{\theta, x_{\mathrm{var}(\theta)}}(\eta_{\theta-1}) = \pi_{\theta, 0}(\eta_{\theta-1})\cdot \bar{x}_{\mathrm{var}(\theta)} + \pi_{\theta, 1}(\eta_{\theta-1})\cdot {x}_{\mathrm{var}(\theta)}.
Finally, the output of evaluation is $\mathsf{BP}(\mathbf{x})=1$ if $\eta_L =0$, otherwise $\mathsf{BP}(\mathbf{x})=0$.
We now let $\delta_{\kappa} = \lceil\log_2 \kappa\rceil$ and note that each integer in $[0,\kappa-1]$ can be determined by $\delta_\kappa$ bits. In particular, for each $\theta \in [ L]$, let $d_{\theta,1}, \ldots, d_{\theta, \delta_\kappa}$ be the bits representing $\mathrm{var}(\theta)$. Then, we consider the following representation of $\mathsf{BP}$:
\hspace*{-12pt} \mathbf{z}_{\mathsf{BP}} = \big(
d_{1,1}, \ldots, d_{1, \delta_\kappa}, \ldots, d_{L,1}, \ldots, d_{L, \delta_\kappa}, \pi_{1,0}(0), \ldots, \pi_{1,0}(4), \pi_{1,1}(0), \ldots, \\
%&& \hspace*{-25pt}
\pi_{1,1}(4), \ldots,
\pi_{L,0}(0), \ldots, \pi_{L,0}(4), \pi_{L,1}(0), \ldots, \pi_{L,1}(4)
\big)^T \in [0,4]^{\zeta}, ~~~
where $\zeta= L(\delta_\kappa +10)$.
\subsection{The OT-AC Protocol} \label{the-ot-ac}
We assume public parameters $\pp$
consisting of a modulus $q$, integers $n$, $m$ such that $m = 2n \lceil \log q \rceil$, a public matrix $\bar{\mathbf{A}} \in \Zq^{n \times m}$,
the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desired input length $\kappa \in \mathsf{poly}(n)$.
\item[\textsf{ISetup}$\big(\pp \big)$:] Given public parameters $\pp=\{ q,n,m, \bar{\mathbf{A}}, L,\kappa\}$, first generate a key pair $(PK_{I},SK_{I})\gets \mathsf{Keygen}(\pp,1)$ for the signature scheme
in Section \ref{se:gs-lwe-sigep} in order to sign single-block messages (i.e., $N_b=1$) of length $m_I = n \cdot \lceil \log q \rceil + \kappa$. %$m=2 n \lceil \log q \rceil$.
Letting $\ell_I = \mathcal{O}(n)$, this key pair contains $SK_{I}=\mathbf{T}_{\mathbf{A}_I}
\in \ZZ^{m \times m}$ and
$${PK}_{I}:=\big( \mathbf{A}_I, ~
\{\mathbf{A}_{I,j} \}_{j=0}^{\ell_{I}}, ~\mathbf{D}_I, ~ \{ \mathbf{D}_{I,0}, \mathbf{D}_{I,1}\} , ~\mathbf{u}_I \big).$$
\item[\textsf{Issue}$\big( \mathsf{I}(\pp,SK_I,PK_I,P_\USR,\mathbf{x}) \leftrightarrow \mathsf{U}(\pp,\mathbf{x},st_\USR) \big)$:]
On common input $\mathbf{x} \in \{0,1\}^\kappa$, the issuer
$\mathsf{I}$ and the user $\USR$ interact in the following way: \smallskip
\item[1.] If $st_{\USR} = \emptyset$, $\USR$ creates a pseudonym $P_\USR= \bar{\mathbf{A}} \cdot \mathbf{e}_{\USR} \in \Zq^n$, for a randomly chosen $\mathbf{e}_{\USR} \sample U(\{0,1\}^m)$, which is sent to $\mathsf{I}$. It sets
$st_{\USR}=(\mathbf{e}_\USR, P_\USR, 0, \emptyset ,\emptyset)$. Otherwise, $\USR$ parses its state $st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$.
\item[2.] The issuer $\mathsf{I}$ defines the message $\mathfrak{m}_{\USR,\mathbf{x}} = (\mathsf{vdec}_{n,q-1}(P_{\USR})^T|\mathbf{x}^T )^T \in \{0,1\}^{m_I}$.
Then, it runs the signing algorithm of Section \ref{se:gs-lwe-sigep} to obtain and return
$\crt_{\USR,\mathbf{x}} = \big(\tau_{\USR},\mathbf{v}_{\USR},\mathbf{r}_{\USR} \big) \leftarrow \mathsf{Sign}(SK_I,\mathfrak{m}_{\USR,\mathbf{x}}) \in \{0,1\}^{\ell_{I}} \times \ZZ^{2m} \times \ZZ^{m}$, which binds $\USR$'s pseudonym $P_\USR$
to the attribute string $\mathbf{x} \in \{0,1\}^\kappa$.
\item[3.] $\USR$ checks that $\crt_{\USR,\mathbf{x}}$
satisfies \eqref{ver-eq-block} and that $\|\mathbf{v}_\USR\| \leq \sigma \sqrt{2m},\mathbf{r}_\USR \leq \sigma \sqrt{m}$. If so, $\USR$ sets
$C_\USR := C_{\USR} \cup \{\mathbf{x}\}$, $\mathsf{Cred}_\USR := \mathsf{Cred}_\USR \cup \{\crt_{\USR,\mathbf{x}}\}$ and updates its state $st_\USR=(\mathbf{e}_\USR,P_\USR,f_{DB},C_\USR,\mathsf{Cred}_\USR)$. If $\crt_{\USR,\mathbf{x}}$ does not properly verify, $\USR$ aborts the interaction and leaves $st_{\USR}$ unchanged. \smallskip
\item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender % \textsf{DB}
has $\mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N $ which is a database of $N$ pairs made of a message
$M_i \in \{0,1\}^{t}$ and a policy realized by a length-$L$
branching program $\BPR_i = \{\var_i(\theta),\pi_{i,\theta,0},\pi_{i,\theta,1}\}_{\theta=1}^L$. %.of length $L \in \mathsf{poly}(n)$,
\smallskip \smallskip
\item[1.] Choose a random matrix $\mathbf{A}_{\mathrm{HBP}} \sample U \big(\Zq^{n \times \zeta } \big)$ which will be used to hash the description of
branching programs.
\item[2.] Generate a key pair for the signature scheme of Section \ref{RMA-sec} in order to sign $Q=N$ messages of length $m_d = (2n+t) \cdot \lceil \log q \rceil$ each.
This key pair consists of $SK_{sig}=\mathbf{T}_{\mathbf{A}} \in \ZZ^{m \times m}$ and
${PK}_{sig}:=\big( \mathbf{A},
\{\mathbf{A}_j \}_{j=0}^{\ell}, \mathbf{D}, \mathbf{u} \big),$ where $\ell=\lceil \log N \rceil$ and $\mathbf{A},\mathbf{A}_0,\ldots,\mathbf{A}_{\ell} \in U(\Zq^{n \times m})$, $\mathbf{D} \in U(\Zq^{n \times m_d})$ with
$m = 2n \lceil \log q \rceil$, $m_d = (2n+t) \lceil \log q \rceil$. The counter is initialized to $\tau=0$.
\item[3.] Sample $\mathbf{S} \sample \chi^{n \times t}$ which will serve as a secret key for an $\LWE$-based encryption scheme.
Then, sample $\mathbf{F} \sample U(\Zq^{n \times m})$, $\mathbf{E} \sample \chi^{m \times t }$ to compute
\begin{eqnarray} \label{PK-gen-ac}
\mathbf{P} = [\mathbf{p}_1 | \ldots | \mathbf{p}_t] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t}
so that $(\mathbf{F},\mathbf{P}) $ forms a public key for a $t$-bit variant of Regev's system.
Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
\begin{eqnarray} \label{init-db-ac}
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{a}_i^T \cdot \mathbf{S} + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N]
\item[5.] For each $i=1$ to $N$, $ (\mathbf{a}_i,\mathbf{b}_i)$ is bound to $\BPR_i$ as follows. \smallskip \begin{itemize} \item[a.]
Let $\mathbf{z}_{\BPR,i} \in [0,4]^\zeta $ be the binary representation of the branching program.
Compute its digest $\mathbf{h}_{\BPR,i} = \mathbf{A}_{\mathrm{HBP}} \cdot \mathbf{z}_{\BPR,i} \in \Zq^n$.
% via the matrix $\mathbf{A}_{\mathrm{HBP}} \in \Zq^{n \times \zeta} $.
\item[b.] Using $SK_{sig}$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the message
$\mathfrak{m}_i=\mathsf{vdec}_{2n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i|\mathbf{h}_{\BPR,i}) \in \{0,1\}^{m_d}$ obtained by decomposing $(\mathbf{a}_i^T | \mathbf{b}_i^T | \mathbf{h}_{\BPR,i}^T )^T \in \Zq^{2n+t}$.
\item[6.] The database's public key is defined as
$ PK_{\mathrm{DB}}= \bigl( PK_{sig} ,~(\mathbf{F},\mathbf{P}),~\mathbf{A}_\mathrm{HBP}\bigr) $
while the encrypted database is
$ \{ER_i=\big(\mathbf{a}_i,\mathbf{b}_i,(\tau_i,\mathbf{v}_i ) \big), \BPR_i \}_{i=1}^N. $
The sender $\mathsf{DB}$ outputs
$ \bigl( PK_{\mathrm{DB}} ,\{ER_i, \BPR_i \}_{i=1}^N \bigr) $
and keeps $SK_{\mathsf{DB}}=\big(SK_{sig},\mathbf{S} \big)$.\smallskip
\item[\textsf{Transfer}$\big(\mathsf{DB}(SK_{\mathsf{DB}},PK_{\mathsf{DB}},PK_I),\USR(\rho,st_\USR,PK_I,PK_\mathsf{DB},ER_\rho,\BPR_\rho) \big)$:]
From an index $\rho \in [N]$, a record
$ER_\rho =\big(\mathbf{a}_\rho,\mathbf{b}_\rho,(\tau_\rho,\mathbf{v}_\rho ) \big) $ and a policy $\BPR_{\rho}$, the user $\USR$ parses
$st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$. If $C_\USR$ does not contain any $\mathbf{x} \in \{0,1\}^\kappa$ s.t.
$\BPR_{\rho}(\mathbf{x})=1$ and $\mathsf{Cred}_{\USR}$ contains the corresponding $\crt_{\USR,\mathbf{x}}$, $\USR$ outputs $\perp$. Otherwise, he
selects such a pair $(\mathbf{x},\crt_{\USR,\mathbf{x}})$ and interacts with $\mathsf{DB}$: \smallskip
\item[1.] If $f_{DB}=0$, $\USR$ interacts with $\mathsf{DB}$ for the first time and requires $\mathsf{DB}$ to prove knowledge of small-norm $\mathbf{S} \in \ZZ^{n \times t}$, $\mathbf{E} \in \ZZ^{m \times t}$, $\{\mathbf{x}_i\}_{i=1}^N$ and
$t$-bit messages $\{M_i\}_{i=1}^N$ satisfying~\eqref{PK-gen-ac}-\eqref{init-db-ac}. To do this, $\mathsf{DB}$ uses the ZK argument in Section~\ref{subsection:ZK-protocol-1}.
% to prove knowledge of short matrices $\mathbf{S} \in \ZZ^{n \times t}$ and $\mathbf{E} \in \chi^{m \times t}$ and
% $t$-bit messages $\{M_i\}_{i=1}^N$ -
%satisfying (\ref{PK-gen-ac})-(\ref{init-db-ac}). To this end, $\mathsf{DB}$ does the following. \smallskip \smallskip
% \item[a.]
% Define $\mathbf{A}_{\mathsf{DB}}=[\mathbf{a}_1 | \ldots | \mathbf{a}_N] \in \Zq^{n \times N}$, $\mathbf{B}_{\mathsf{DB}}=[\mathbf{b}_1 | \ldots | \mathbf{b}_N] \in \Zq^{t \times N}$, $\mathbf{M}=[M_1 | \ldots | M_N]
% \in \{0,1\}^{t \times N}$,
%$\mathbf{X}=[\mathbf{x}_1 | \ldots | \mathbf{x}_N] \in \chi^{ t \times N}$
%and parse $\mathbf{S}$ and $\mathbf{E}$ as $\mathbf{S}=[\mathbf{s}_1 | \ldots | \mathbf{s}_t] \in \chi^{n \times t}$,
%$\mathbf{E}=[\mathbf{e}_1 | \ldots | \mathbf{e}_t] \in \chi^{m \times t}$.
%\item[b.] For each $j \in [t]$, define $\bar{M}_j \in \{0,1\}^N$ to be the $j$-th column of $\mathbf{M}^T$. Likewise,
% let $\bar{\mathbf{b}}_j \in \Zq^N$ (resp. $\bar{\mathbf{x}}_j \in \chi^N$) be the $j$-th column of $\mathbf{B}_{\mathsf{DB}}^T \in \Zq^{N \times t} $
%(resp. $\mathbf{X}^T $). Note that (\ref{init-db-ac}) can be written
% \mathbf{B}_{\mathsf{DB}}^T = \mathbf{A}_{\mathsf{DB}}^T \cdot \mathbf{S} + \mathbf{X}^T + \mathbf{M}^T \cdot \lfloor q/2 \rfloor .
%For each $j \in [t]$, $\mathsf{DB}$ argues knowledge
%of $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$ such that
%\begin{eqnarray} \label{sender-proof-ac}
% \left[ \begin{array}{c|c|c|c} ~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~ & ~ ~\\ \hline
% ~\mathbf{A}_{\mathsf{DB}}^T ~ & ~ ~ & ~ \mathbf{I}_N ~ & ~ \lfloor q/2 \rfloor \cdot \mathbf{I}_N ~
%\end{array} \right]
%\cdot \begin{bmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \bar{\mathbf{x}}_j \\ \hline \bar{{M}}_j \end{bmatrix} = \begin{bmatrix}
% \mathbf{p}_j \\ \hline
% \bar{\mathbf{b}}_j
If there exists $i \in [N]$ such that $(\tau_i,\mathbf{v}_i)$ is an invalid signature
on $\mathsf{vdec}_{2n+t,q-1} (\mathbf{a}_i^T|\mathbf{b}_i^T|\mathbf{h}_{\BPR,i}^T)^T $ or if the ZK argument does not verify, $\USR$ aborts. Otherwise, $\USR$ updates $st_\USR$ and sets $f_{DB}=1$.
\item[2.] $\USR$ re-randomizes the pair $(\mathbf{a}_\rho,\mathbf{b}_\rho )$ contained in $ER_\rho$. It samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and $\nu \sample U([-B,B]^t)$ to compute
\begin{eqnarray} \label{rand-CT-ac}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
which is sent to $\mathsf{DB}$ as a re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. Then, $\USR$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated
with a policy $\BPR_\rho$ for which $\USR$ has a credential $\crt_{\USR,x}$ for some $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR_\rho (\mathbf{x})=1$.
%To this end, $\USR$ uses the technique of Section \ref{ineff-method}.
In addition, $\USR$
demonstrates possession of: (i) a preimage $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta $ of
$\mathbf{h}_{\BPR,\rho} = \mathbf{A}_{\mathrm{HBP}} \cdot \mathbf{z}_{\BPR,\rho} \in \Zq^n$; (ii) a credential $\mathsf{Cred}_{\USR,\mathbf{x}}$ for the corresponding $\mathbf{x} \in \{0,1\}^\kappa$ and the private key $\mathbf{e}_\USR \in \{0,1\}^m$ for the pseudonym $P_\USR$ to which $\mathbf{x}$ is bound; (iii) the coins leading to the randomization of some
Then entire step is conducted
by arguing knowledge of
\mathbf{e}_{\USR} \in \bit^m, \mathfrak{m}_{\USR,\mathbf{x}} \in \{0,1\}^{m_I} ,~\mathbf{x} \in \{0,1\}^\kappa,~\widehat{\mathfrak{m}}_{\USR,\mathbf{x}} \in \{0,1\}^{m/2}
\tau_{\USR} \in \{0,1\}^{\ell_I},~\mathbf{v}_{\USR}=(\mathbf{v}_{\USR,1}^T | \mathbf{v}_{\USR,2}^T)^T \in [-\beta,\beta]^{2m}, ~\mathbf{r}_{\USR} \in [-\beta,\beta]^m \\ \qquad
\qquad \qquad \quad ~~~~~~~~~~~~~~ \text{ \scriptsize // signature on $\mathfrak{m}_{\USR,\mathbf{x}}=(\mathsf{vdec}_{n,q-1}(P_\USR)^T| \mathbf{x}^T)^T $ } \\
\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta \qquad ~~~~~~~~~~~~\text{\scriptsize // representation of $\BPR_{\rho}$ } \\
\mathfrak{m} \in \{0,1\}^{m_d}, ~\tau \in \{0,1\}^{\ell},~ \mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m} \\ \qquad
\qquad \qquad \quad ~~~~~~~~~~~~~~ \text{ \scriptsize // signature on $\mathfrak{m}=\mathsf{vdec}_{2n+t,q-1}(\mathbf{a}_i^T| \mathbf{b}_i^T|\mathbf{h}_{\BPR,\rho}^T)^T $ } \\
~\mathbf{e} \in \{-1,0,1\}^t, ~\mu \in \{0,1\}^t, ~
\nu \in [-B,B]^t,\\
\qquad \qquad \qquad \quad ~~~~~~~~~~~~~~~ \text{\scriptsize // coins allowing the re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_\rho) $ }
satisfying the relations (modulo $q$)
%\begin{eqnarray} \label{statement-rand-un-ac}
%\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} +
%\left[ \begin{array}{c|c|c|c}
%~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}
% ~\mathbf{P}^{T}~ & ~ \mathbf{I}_t \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline
%& & & - \mathbf{A}_{\mathrm{HBP}}
%\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline
% \mathbf{z}_{\BPR,\rho}
%\end{bmatrix} &=& \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \qquad \quad
%(recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)
%\begin{eqnarray} \label{statement-rand-deux-ac}
%\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u},
\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} +
\left[ \begin{array}{c|c|c|c}
~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}
~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline
& & & - \mathbf{A}_{\mathrm{HBP}}
\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline
\end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip
\text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)}} \\[2.5pt]
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt]
\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} +
\sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2}) - \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt]
\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}} - \mathbf{H}_{n,q-1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt]
\mathbf{H}_{n,q-1} & \mathbf{0} \\
\hline \rule{0pt}{2.6ex}
\mathbf{0} & \mathbf{I}_\kappa \\
\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[
-\bar{\mathbf{A}} \\
\mathbf{0} \\
\right]\cdot \mathbf{e}_{\mathsf{U}} + \left[
\mathbf{0} \\
-\mathbf{I}_\kappa \\
\right]\cdot \mathbf{x} = \mathbf{0}
and such that $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta$ encodes $\BPR_\rho$ such that $\BPR_\rho (\mathbf{x})=1$.
This is done by running the argument system described in Section~\ref{subsection:ZK-Protocol4-BP}.
\item[3.] If the ZK argument of step 2 verifies, $\mathsf{DB}$ decrypts $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ to
obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$
which is returned to $\USR$. Then, $\mathsf{DB}$ argues knowledge of
$\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$)
\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor .
To this end, $\mathsf{DB}$ uses the ZK argument system of Section~\ref{subsection:ZK-protocol-2}.
\item[4.] If the ZK argument produced by $\mathsf{DB}$ does not verify, $\USR$ outputs $\perp$. Otherwise, $\USR$ recalls
the string $\mu \in \{0,1\}^t$ and outputs $M_{\rho_i}=M' \oplus \mu$.
Like our construction of Section \ref{OT-scheme}, the above protocol requires the $\mathsf{DB}$ to repeat a ZK proof of communication complexity
$\Omega(N)$ with each user $\USR$ during the initialization phase. By applying the Fiat-Shamir heuristic as in Appendix~\ref{optimized}, the cost of the initialization phase
can be made independent of the number of users: the sender can publicize $ \bigl( PK_{\mathrm{DB}} ,\{ER_i, \BPR_i \}_{i=1}^N \bigr) $ along
with a with a universally verifiable non-interactive proof of well-formedness.
The security of the above protocol against static corruptions is proved in~\cite{LLM+17}, under the $\SIS$ and $\LWE$ assumptions and is similar to the previous proofs.
\section{Zero-Knowledge Subprotocols for Stern Protocol}
\subsection{Our Strategy and Basic Techniques, In a Nutshell}\label{subsection:ZK-strategy}
Before going into the details of our protocols, we first summarize our governing strategy and the techniques that will be used in the next subsections.
In each protocol, we prove knowledge of (possibly one-dimensional) integer vectors $\{\mathbf{w}_i\}_i$
that have various constraints (e.g., smallness, special arrangements of coordinates, or correlation with one another) and satisfy a system
\displaystyle \Big\{\sum_i\mathbf{M}_{i,j}\cdot \mathbf{w}_i = \mathbf{v}_j \Big\}_j,
where $\{\mathbf{M}_{i,j}\}_{i,j}$, $\{\mathbf{v}_j\}_{j}$ are public matrices (which are possibly zero or identity matrices) and vectors. Our strategy consists in transforming this entire system into one equivalent equation $\mathbf{M}\cdot \mathbf{w} = \mathbf{v}$, where matrix $\mathbf{M}$ and vector $\mathbf{v}$ are public, while the constraints of the secret vector $\mathbf{w}$ capture those of witnesses $\{\mathbf{w}_i\}_i$ and they are provable in zero-knowledge via random permutations. For this purpose, the Stern-like protocol from \cref{sse:stern} comes in
A typical transformation step is of the form $\mathbf{w}_i \rightarrow \bar{\mathbf{w}}_i$, where there exists public matrix $\mathbf{P}_{i,j}$ such that $\mathbf{P}_{i,j}\cdot \bar{\mathbf{w}}_i = \mathbf{w}_i$. This subsumes the decomposition and extension mechanisms which first appeared in~\cite{LNSW13}.
\item \textbf{Decomposition:} Used when $\mathbf{w}_i$ has infinity norm bound larger than $1$ and we want to work more conveniently with $\bar{\mathbf{w}}_i$ whose norm bound is exactly~$1$. In this case, $\mathbf{P}_{i,j}$ is a decomposition matrix.
\item \textbf{Extension:} Used when we insert ``dummy'' coordinates to $\mathbf{w}_i$ to obtain $\bar{\mathbf{w}}_i$ whose coordinates are somewhat balanced. In this case, $\mathbf{P}_{i,j}$ is a $\{0,1\}$-matrix with zero-columns corresponding to positions of insertions.
Such a step transforms the term $\mathbf{M}_{i,j}\cdot \mathbf{w}_i$ into $\overline{\mathbf{M}}_{i,j}\cdot \bar{\mathbf{w}}_i$, where $\overline{\mathbf{M}}_{i,j} = \mathbf{M}_{i,j}\cdot \mathbf{P}_{i,j}$ is a public matrix.
Also, using the commutativity property of addition, we often group together secret vectors having the same constraints.
After a number of transformations, we will reach a system equivalent to~\eqref{eq:big-system}:
\mathbf{M}'_{1,1}\cdot \mathbf{w}'_1 + \mathbf{M}'_{1,2}\cdot \mathbf{w}'_2 + \cdots + \mathbf{M}'_{1,k} \cdot \mathbf{w}'_{k} = \mathbf{v}_1, \\
%\hdotsfor{0} \\
\hfill \vdots \hfill \\
\mathbf{M}'_{t,1}\cdot \mathbf{w}'_1 + \mathbf{M}'_{t,2}\cdot \mathbf{w}'_2 + \cdots + \mathbf{M}'_{t,k} \cdot \mathbf{w}'_{k} = \mathbf{v}_t,
where integers $t,k$ and matrices $\mathbf{M}'_{i,j}$ are public. Defining
\mathbf{M} = \left(
\mathbf{M}'_{1,1} & \mathbf{M}'_{1,2} & \cdots & \mathbf{M}'_{1,k} \\
%\mathbf{M}''_{2,1} & \mathbf{M}''_{2,2} & \ldots & \mathbf{M}''_{2,15} \\
\vdots & \vdots & \ddots & \vdots \\
\mathbf{M}'_{t,1} & \mathbf{M}'_{t,2} & \cdots & \mathbf{M}'_{t,k} \\
\right); \hspace*{10pt} \mathbf{w} = \left(
\mathbf{w}'_1 \\[2.5pt]
%\mathbf{w}'_2 \\[2.5pt]
\vdots \\[2.5pt]
\mathbf{w}'_{k} \\
\mathbf{v} = \left(
\mathbf{v}_1 \\[2.5pt]
% \mathbf{v}_2 \\
\vdots \\[2.5pt]
\mathbf{v}_{t} \\
we obtain the unified equation $\mathbf{M}\cdot \mathbf{w} = \mathbf{v} \bmod q$. At this stage, we will use a properly defined composition of random permutations to prove the constraints of~$\mathbf{w}$. We remark that the crucial aspect of the above process is in fact the manipulation of witness vectors, while the transformations of public matrices/vectors just follow accordingly. To ease the presentation of the next subsections, we will thus only focus on the secret vectors.
In the process, we will employ various extending and permuting techniques which require introducing some notations. The most frequently used ones are given in Table~\ref{table:ZK-notations-techniques}. Some of these techniques appeared (in slightly different forms) in previous works~\cite{LNSW13,LNW15,LLNW16,LLM+16,LLM+16a}. The last three parts of the table summarizes newly-introduced techniques that will enable the treatment of secret-and-correlated objects involved in the evaluation of hidden branching programs.
In particular, the intriguing technique of the last row will be used for proving knowledge of secret integer $z$ of the form $z = x\cdot y$ for some $(x,y) \in [0,4]\times \{0,1\}$ satisfying other relations. The following example illustrates how it works.
Let $(x,y) = (2,1)$ and $(c,b) = (4,1)$. Then we have:
\mathsf{ext}_{5 \times 2}(2,1) &=& \big(0,\hspace*{2.5pt}1,\hspace*{2.5pt}0,\hspace*{2.5pt}0,\hspace*{2.5pt}0,\hspace*{2.5pt}4,\hspace*{2.5pt}0,\hspace*{2.5pt}3,\hspace*{2.5pt}0,\hspace*{2.5pt}2\big)^T\\
T_{5\times 2}[4,1]\big(\mathsf{ext}_{5 \times 2}(2,1)\big) &=& \big(0,\hspace*{2.5pt}0,\hspace*{2.5pt}4,\hspace*{2.5pt}0,\hspace*{2.5pt}3,\hspace*{2.5pt}0,\hspace*{2.5pt}2,\hspace*{2.5pt}0,\hspace*{2.5pt}1,\hspace*{2.5pt}0\big)^T
Note that: $T_{5\times 2}[4,1]\big(\mathsf{ext}_{5 \times 2}(2,1)\big) = \mathsf{ext}_{5 \times 2}(1,0) = \mathsf{ext}_{5 \times 2}(2 + 4 \bmod 5, 1 \oplus 1)$.
% after \\: \hline or \cline{col1-col2} \cline{col3-col4} ...
\textbf{Notation} & \textbf{Meaning/Property/Usage/Technique} \\
% $\mathcal{S}_{\mathfrak{m}}$ & The set of all permutations of~$\mathfrak{m}$ elements \\
$\mathsf{B}^2_{\mathfrak{m}}$ &
\item The set of vectors in~$\{0,1\}^{2\mathfrak{m}}$ with Hamming weight~$\mathfrak{m}$.
\item $\forall \phi \in \mathcal{S}_{2\mathfrak{m}}, \mathbf{x}' \in \mathbb{Z}^{2\mathfrak{m}}: \mathbf{x}' \in \mathsf{B}^2_{\mathfrak{m}} \Leftrightarrow \phi(\mathbf{x}') \in \mathsf{B}^2_{\mathfrak{m}}$.
\item To prove $\mathbf{x} \in \{0,1\}^{\mathfrak{m}}$: Extend $\mathbf{x}$ to $\mathbf{x}' \in \mathsf{B}^2_{\mathfrak{m}}$, then permute $\mathbf{x}'$.
$\mathsf{B}^3_{\mathfrak{m}}$ &
\item The set of vectors in $\{-1,0,1\}^{3\mathfrak{m}}$ that have exactly~$\mathfrak{m}$ coordinates equal to~$j$, for every $j \in \{-1,0,1\}$.
\item $\forall \phi \in \mathcal{S}_{3\mathfrak{m}}, \mathbf{x}' \in \mathbb{Z}^{3\mathfrak{m}}: \mathbf{x}' \in \mathsf{B}^3_{\mathfrak{m}} \Leftrightarrow \phi(\mathbf{x}') \in \mathsf{B}^3_{\mathfrak{m}}$.
\item To prove $\mathbf{x} \in \{-1,0,1\}^{\mathfrak{m}}$: Extend $\mathbf{x}$ to $\mathbf{x}' \in \mathsf{B}^3_{\mathfrak{m}}$, then permute $\mathbf{x}'$.
~~and \\[2.5pt]
\item For $c \in \{0,1\}: \mathsf{ext}_2(c) = (\bar{c}, c)^T \in \{0,1\}^2$.
\item For $b \in \{0,1\}$ and $\mathbf{x} = (x_0, x_1)^T \in \mathbb{Z}^2$: \hspace*{5pt}$T_2[b](\mathbf{x}) = (x_b, x_{\bar{b}})^T $.
\item Property: $\mathbf{x} = \mathsf{ext}_2(c) \Leftrightarrow T_2[b](\mathbf{x}) = \mathsf{ext}_2(c \oplus b)$.
\item To prove $c \in \{0,1\}$ simultaneously satisfies many relations: Extend it to $\mathbf{x} = \mathsf{ext}_2(c)$, then permute and use the \emph{same} $b$ at all appearances.
% \vspace*{0.15cm}
\hspace*{-3.5pt}$\mathsf{expand}(\hspace*{-1pt}\cdot, \hspace*{-1pt}\cdot\hspace*{-1pt})$\\[2.5pt]
~~and \\%[2.5pt]
\hspace*{-3.5pt}$T_{\mathsf{exp}}[\cdot, \hspace*{-1pt}\cdot](\cdot)$
\item For $c \in \{0,1\}$ and $\mathbf{x} \in \mathbb{Z}^{\mathfrak{m}}$: \hspace*{5pt} $\mathsf{expand}(c, \mathbf{x}) = (\bar{c}\cdot \mathbf{x}^T \mid c\cdot \mathbf{x}^T )^T \in \mathbb{Z}^{\mathfrak{2m}}$.
\item For $b \in \{0,1\}, \phi \in \mathcal{S}_{m}$, $\mathbf{v} = \left(
\mathbf{v}_0 \\
\mathbf{v}_1 \\
\in \mathbb{Z}^{\mathfrak{2m}}$: \hspace*{5pt}$T_{\mathsf{exp}}[b, \phi](\mathbf{v}) =
\phi(\mathbf{v}_b) \\
\item Property: $\mathbf{v} = \mathsf{expand}(c, \mathbf{x}) \Leftrightarrow T_{\mathsf{exp}}[b, \phi](\mathbf{v}) = \mathsf{expand}(c \oplus b, \phi(\mathbf{x}))$.
For $k \in \mathbb{Z}$: $[k]_5$ denotes the integer $t \in \{0,1,2,3,4\}$, s.t. $t = k \bmod 5$.
~~and \\[2.5pt]
\item For $x \in [0,4]: \mathsf{ext}_5(x) = ([x+4]_5, [x+3]_5, [x+2]_5, [x+1]_5, x)^T \in [0,4]^5$.
\item For $c \in [0,4]$ and $\mathbf{v} = (v_0, v_1, v_2, v_3, v_4)^T \in \mathbb{Z}^5$:\vspace*{-0.25cm}
T_5[c](\mathbf{v}) = \big(
v_{[-c]_5}, v_{[-c+1]_5}, v_{[-c+2]_5}, v_{[-c+3]_5}, v_{[-c+4]_5}
\big)^T .
\item Property: $\mathbf{v} = \mathsf{ext}_5(x) \Leftrightarrow T_5[c](\mathbf{v}) = \mathsf{ext}_5(x +c \bmod 5)$.
\item To prove $x \in [0,4]$ simultaneously satisfies many relations: Extend it to $\mathbf{v} = \mathsf{ext}_5(x)$, then permute and use the \emph{same} $c$ at all appearances.
\item $\forall x \in [0,4]$: $\mathsf{unit}_x$ is the $5$-dim unit vector $(v_0, \ldots, v_4)^T $ with $v_x = 1$.
\item For $c \in [0,4], \mathbf{v}\in \mathbb{Z}^5$: $\mathbf{v} = \mathsf{unit}_x \Leftrightarrow T_5[c](\mathbf{v}) = \mathsf{unit}_{x + c \bmod 5}$.
\hspace*{-5pt}$\rightarrow$ Allow proving $\mathbf{v} = \mathsf{unit}_x$ for some $x \in [0,4]$ satisfying other relations.
\hspace*{-4.5pt}$\mathsf{ext}_{5\times 2}\hspace*{-1pt}(\cdot\hspace*{-1pt},\hspace*{-1pt}\cdot)$\\[2.5pt]
~~and \\[2.5pt]
\hspace*{-4.5pt}$T_{5\times \hspace*{-1pt}2}[\cdot,\hspace*{-1pt}\cdot](\cdot)$
\item For $x \in [0,4]$ and $y \in \{0,1\}$: \vspace*{-0.15cm}
\mathsf{ext}_{5\times 2}(x,y) &=& ([x+4]_5\hspace*{-1pt}\cdot\hspace*{-1pt} \bar{y}, [x+4]_5\hspace*{-1pt}\cdot\hspace*{-1pt} {y}, [x+3]_5\hspace*{-1pt}\cdot\hspace*{-1pt} \bar{y}, [x+3]_5\hspace*{-1pt}\cdot\hspace*{-1pt} {y}, [x+2]_5\hspace*{-1pt}\cdot\hspace*{-1pt} \bar{y}, \\&&[x+2]_5\hspace*{-1pt}\cdot\hspace*{-1pt} {y}, [x+1]_5\hspace*{-1pt}\cdot\hspace*{-1pt} \bar{y}, [x+1]_5\hspace*{-1pt}\cdot\hspace*{-1pt} {y}, x\hspace*{-1pt}\cdot\hspace*{-1pt} \bar{y}, x\hspace*{-1pt}\cdot\hspace*{-1pt} {y})^T \in [0,4]^{10}
\item For $(c,b) \in [0,4] \times \{0,1\}$ and $\mathbf{v} = (v_{0,0}, v_{0,1}, \ldots, v_{4,0}, v_{4,1})^T \in \mathbb{Z}^{10}$: \vspace*{-0.15cm}
T_{5\times 2}[c,b](\mathbf{v})&=& \big(
v_{[-c]_5, b}, v_{[-c]_5, \overline{b}},
v_{[-c+1]_5, b}, v_{[-c+1]_5, \overline{b}},
v_{[-c+2]_5, b}, \\
&& v_{[-c+2]_5, \overline{b}},
v_{[-c+3]_5, b}, v_{[-c+3]_5, \overline{b}},
v_{[-c+4]_5, b}, v_{[-c+4]_5, \overline{b}}
\item Property: $\mathbf{v} = \mathsf{ext}_{5\times 2}(x,y) \Leftrightarrow T_{5\times 2}[c,b](\mathbf{v}) = \mathsf{ext}_{5\times 2}(x +c \bmod 5, y\oplus b)$.
$\rightarrow$ Allow proving $z = x\cdot y$ for some $(x,y) \in [0,4]\times \{0,1\}$ satisfying other relations: Extend $z$ to $\mathbf{v} = \mathsf{ext}_{5\times 2}(x,y)$, then permute and use the \emph{same} $c,b$ at all appearances of $x, y$, respectively.
%  &  \\
\caption{Basic notations and extending/permuting techniques used in our protocols.}
\subsection{Protocol 1}\label{subsection:ZK-protocol-1}
Let $n, m, q, N, t, B_\chi$ be the parameters defined in Section~\ref{OT-scheme}. The protocol allows the prover to prove knowledge of \textsf{LWE} secrets and the well-formedness of ciphertexts. It is summarized as follows.
\item[Common input:] $\mathbf{F} \in \mathbb{Z}_q^{n \times m}$, \hspace*{5pt}$\mathbf{P} \in \mathbb{Z}_q^{m \times t}$; \hspace*{5pt}
$\{\mathbf{a}_i\in \mathbb{Z}_q^n, \hspace*{3.5pt}\mathbf{b}_i \in \mathbb{Z}_q^t\}_{i=1}^N$. \smallskip
\item[Prover's goal] is to prove knowledge of $\mathbf{S} \in [-B_\chi,B_\chi]^{n \times t}$, $\mathbf{E} \in [-B_\chi,B_\chi]^{m \times t}$, $\{\mathbf{x}_i\in [-B_\chi,B_\chi]^t, M_i \in \{0,1\}^t\}_{i=1}^N$ such that the following equations hold:
\mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} = \mathbf{P} \bmod q \\
\forall i \in [N]: \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + \lfloor q/2\rfloor \cdot M_i = \mathbf{b}_i \bmod q.
For each $j \in [t]$, let $\mathbf{p}_j, \mathbf{s}_j, \mathbf{e}_j$ be the $j$-th column of matrices $\mathbf{P}, \mathbf{S}, \mathbf{E}$, respectively. For each $(i, j) \in [N]\times [t]$, let $\mathbf{b}_i[j], \mathbf{x}_i[j], M_i[j]$ denote the $j$-th coordinate of vectors $\mathbf{b}_i, \mathbf{x}_i, M_i$, respectively. Then, observe that \eqref{eq:protocol-1-original} can be rewritten as:
\forall j \in [t]: \mathbf{F}^T \cdot \mathbf{s}_j + \mathbf{I}_m \cdot \mathbf{e}_j = \mathbf{p}_j \bmod q \\
\forall (i,j) \in [N]\times [t]: \mathbf{a}_i^T \cdot \mathbf{s}_j + 1 \cdot \mathbf{x}_i[j] + \lfloor q/2\rfloor \cdot M_i[j] = \mathbf{b}_i[j] \bmod q.
%Observe further that, all equations in (\ref{eq:protocol-1-step-1}) can be combined in one equation of the form:
%\mathbf{M}_1 \cdot \mathbf{w}_1 + \mathbf{M}_2 \cdot \mathbf{w}_2 = \mathbf{v} \bmod q,
%where matrices $\mathbf{M}_1 \in \mathbb{Z}_q^{(m + N)t \times (n+m+N)t}$, $\mathbf{M}_2 \in \{0,\lfloor q/2\rfloor\}^{(m+N)t \times Nt}$, together with vector $\mathbf{v} \in \mathbb{Z}_q^{(m+N)t}$ are built from the common input, and
%where matrices $\mathbf{M}_1, \mathbf{M}_2$ and vector $\mathbf{v}$ are built from the common input, and
Then, we form the following vectors:
\mathbf{w}_1 &=& \big(
\mathbf{s}_1^T \mid \ldots \mid \mathbf{s}_t^T \mid \mathbf{e}_1^T \mid \ldots \mid \mathbf{e}_t^T \mid ( \mathbf{x}_1[1], \ldots, \mathbf{x}_N[t] )
\big)^T \in [-B_\chi,B<