1 About
2 Introduction
In addition, as we discuss in more detail later, we notice that all works regarding efficient post-quantum group signatures [22, 38, 47, 48, 60] do not satisfy the ideal security properties (which are by now considered standard) formalized by Bootle et al. [20]. Thus, we are also interested in the following question:Can we construct an efficient group signature secure from isogenies? Moreover, can we have a generic construction that can be instantiated from versatile assumptions, including those based on less structured lattices?
To address these questions, in this work we focus on accountable ring signatures [84]. An accountable ring signature offers the flexibility of choosing the group of users when creating a signature (like a ring signature [82]), while also enforcing accountability by including one of the openers in the group (like a group signature). Although research on accountable ring signatures is still limited [19, 48, 62, 68, 84], we advocate that they are as relevant and interesting as group and ring signatures. As shown by Bootle et al. [19], accountable ring signatures imply group and ring signatures by naturally limiting or downgrading their functionality. Thus, an efficient post-quantum solution to an accountable ring signature implies solutions for both secure (dynamic) group signatures [9] and ring signatures, making it an attractive target to focus on.Can we construct efficient post-quantum group signatures satisfying the ideal security properties formalized by Bootle et al. [20]?
2.1 Our contribution
N | Hardness | Security | Anonymity | Manager | |||||
---|---|---|---|---|---|---|---|---|---|
2 | \(2^5\) | \(2^6\) | \(2^{10}\) | \(2^{21}\) | Assumption | Level | Account | ||
Isogeny | 3.6 | 6.0 | 6.6 | 9.0 | 15.5 | CSIDH-512 | \(*\) | \(\textsf{CCA}\) | Yes |
Lattice | 124 | 126 | 126 | 129 | 134 | MSIS/MLWE | NIST 2 | \(\textsf{CCA}\) | Yes |
Lattice | 86 | 88 | 89 | 91 | 96 | MSIS/MLWE | NIST 2 | \(\textsf{CCA}\) | No |
[47] | / | 12 | / | 19 | / | MSIS/MLWE | NIST 2 | \(\textsf{CPA}\) | No |
[60] | / | / | 280 | 418 | / | LowMC | NIST 5 | \(\textsf{selfless}\)-\(\textsf{CCA}\) | No |
2.2 Technical overview
3 Preliminaries
3.1 Sigma protocols
-
The prover, on input \(({\textsf{X}}, {\textsf{W}}) \in R\), runs \(\textsf{com}\leftarrow {P}^{\mathcal {O}}_1({\textsf{X}}, {\textsf{W}})\) and sends a commitment \(\textsf{com}\) to the verifier.
-
The verifier runs \(\textsf{chall}\leftarrow {V}^{\mathcal {O}}_1(1^\uplambda )\) to obtain a random challenge \(\textsf{chall}\) from \({\textsf{ChSet}}\), and sends it to the prover.
-
The prover, given \(\textsf{chall}\), runs \(\textsf{resp}\leftarrow {P}^{\mathcal {O}}_2( {\textsf{X}}, {\textsf{W}}, \textsf{chall})\) and returns a response \(\textsf{resp}\) to the verifier. Here, we allow \({P}_2\) to abort with some probability. In such cases we assign \(\textsf{resp}\) with a special symbol \(\bot \) denoting abort.
-
The verifier runs \({V}^{\mathcal {O}}_2({\textsf{X}}, \textsf{com}, \textsf{chall}, \textsf{resp})\) and outputs \(\top \) (accept) or \(\bot \) (reject).
3.2 Non-interactive Zero-knowledge proofs of knowledge in the ROM
-
\((\texttt{hash}, x)\): The challenger updates \(L_{\mathcal {O}}\leftarrow L_{\mathcal {O}}\cup \{ x, {\mathcal {O}}(x) \}\) and returns \({\mathcal {O}}(x)\). We assume below that \({\mathcal {A}}\) runs the verification algorithm after receiving a proof from the prover oracle and before submitting a proof to the extract oracle.8
-
\((\texttt{prove},\textsf{lbl}, {\textsf{X}},{\textsf{W}})\): The challenger returns \(\bot \) if \(\textsf{lbl} \not \in {\textsf{L}} \) or \(({\textsf{X}},{\textsf{W}}) \not \in R\). Otherwise, it returns \(\pi \leftarrow \textsf{Prove}^{\mathcal {O}}(\textsf{lbl}, {\textsf{X}},{\textsf{W}})\) and updates \(L_{P}\leftarrow L_{P}\cup \{ \textsf{lbl}, {\textsf{X}}, \pi \}\).
-
\((\texttt{extract}, \textsf{lbl}, {\textsf{X}}, \pi )\): The challenger checks if \(\textsf{Verify}^{\mathcal {O}}(\textsf{lbl}, {\textsf{X}}, \pi ) = \top \) and \((\textsf{lbl}, {\textsf{X}}, \pi ) \not \in L_{P}\), and returns \(\bot \) if not. Otherwise, it runs \({\textsf{W}}\leftarrow \textsf{OnlineExtract} ^{\mathcal {O}}(\textsf{lbl}, {\textsf{X}}, \pi , L_{\mathcal {O}})\) and checks if \(({\textsf{X}},{\textsf{W}}) \not \in {\tilde{R}}\), and returns \(\bot \) if yes and sets \(\textsf{flag} = 1\). Otherwise, if all checks pass, it returns \({\textsf{W}}\).
3.3 Public-key encryption
-
\(\textsf{Setup}(1^\uplambda ) \rightarrow {{\textsf{p}}}{{\textsf{p}}}:\) On input the security parameter \(1^\uplambda \), it outputs a public parameter \({{\textsf{p}}}{{\textsf{p}}}\).
-
\(\textsf{KeyGen}({{\textsf{p}}}{{\textsf{p}}}) \rightarrow ({{\textsf{p}}}{{\textsf{k}}}, {{\textsf{s}}}{{\textsf{k}}}):\) On input a public parameter \({{\textsf{p}}}{{\textsf{p}}}\), it outputs a pair of public key and secret key \(({{\textsf{p}}}{{\textsf{k}}}, {{\textsf{s}}}{{\textsf{k}}})\).
-
\(\textsf{Enc}( {{\textsf{p}}}{{\textsf{k}}}, {\textsf{M}}) \rightarrow {{\textsf{c}}}{{\textsf{t}}}\): On input a public key \({{\textsf{p}}}{{\textsf{k}}}_i\) and a message \({\textsf{M}}\in {\mathcal {M}}\), it outputs a ciphertext \({{\textsf{c}}}{{\textsf{t}}}\).
-
\(\textsf{Dec}( {{\textsf{s}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}) \rightarrow {\textsf{M}}\text { or } \bot :\) On input a secret key \({{\textsf{s}}}{{\textsf{k}}}\) and a ciphertext \({{\textsf{c}}}{{\textsf{t}}}\), it outputs either \({\textsf{M}}\in {\mathcal {M}}\) or a special symbol \(\bot \not \in {\mathcal {M}}\).
3.4 Accountable ring signatures
-
\(\textsf{opk}\in {\mathcal {K}}_{\textsf{opk}}\), \({\textsf{R}}\subseteq {\mathcal {K}}_{{{\textsf{v}}}{{\textsf{k}}}}\), and \({{\textsf{v}}}{{\textsf{k}}}\in {\textsf{R}}\),
-
\(\textsf{Verify}(\textsf{opk}, {\textsf{R}}, {\textsf{M}}, \sigma ) = \bot \).
-
\((\texttt{sign}, {\textsf{R}}, {\textsf{M}}, {{\textsf{s}}}{{\textsf{k}}}_0, {{\textsf{s}}}{{\textsf{k}}}_1)\): The challenger runs \(\sigma _i \leftarrow \textsf{Sign}(\textsf{opk}, {{\textsf{s}}}{{\textsf{k}}}_i, {\textsf{R}}, {\textsf{M}})\) for \(i \in \{ 0,1 \} \) and returns \(\bot \) if \(\textsf{Verify}(\textsf{opk}, {\textbf {R}}, {\textsf{M}}, \sigma _i)= \bot \) for either of \(i \in \{ 0,1 \} \). Otherwise, it updates \({\textsf{Q}}_{\texttt{sign}}\leftarrow {\textsf{Q}}_{\texttt{sign}}\cup \{ ( {\textsf{R}}, {\textsf{M}}, \sigma _b) \}\) and returns \(\sigma _b\).
-
\((\texttt{open}, {\textsf{R}}, {\textsf{M}}, \sigma )\): The challenger returns \(\bot \) if \(({\textsf{R}}, {\textsf{M}},\sigma ) \in {\textsf{Q}}_{\texttt{sign}}\). Otherwise, it returns \(\textsf{Open}(\textsf{osk}, {\textsf{R}}, {\textsf{M}}, \sigma )\).
-
\((\texttt{ukeygen})\): The challenger runs \(({{\textsf{v}}}{{\textsf{k}}}, {{\textsf{s}}}{{\textsf{k}}}) \leftarrow \textsf{UKGen}({{\textsf{p}}}{{\textsf{p}}})\). If \({\textsf{D}}_{\texttt{UKey}}[{{\textsf{v}}}{{\textsf{k}}}] \ne \bot \), then it returns \(\bot \). Otherwise, it updates \({\textsf{D}}_{\texttt{UKey}}[{{\textsf{v}}}{{\textsf{k}}}] = {{\textsf{s}}}{{\textsf{k}}}\) and \({\textsf{Q}}_{\texttt{UKey}}\leftarrow {\textsf{Q}}_{\texttt{UKey}}\cup \{ {{\textsf{v}}}{{\textsf{k}}} \}\), and returns \({{\textsf{v}}}{{\textsf{k}}}\).
-
\((\texttt{sign}, \textsf{opk},{{\textsf{v}}}{{\textsf{k}}},{\textsf{R}}, {\textsf{M}})\): The challenger returns \(\bot \) if \({{\textsf{v}}}{{\textsf{k}}}\not \in {\textsf{Q}}_{\texttt{UKey}}\cap {\textsf{R}}\). Otherwise, it runs \(\sigma \leftarrow \textsf{Sign}(\textsf{opk}, {\textsf{D}}_{\texttt{UKey}}[{{\textsf{v}}}{{\textsf{k}}}],{\textsf{R}}, {\textsf{M}})\). The challenger updates \({\textsf{Q}}_{\texttt{sign}}\leftarrow {\textsf{Q}}_{\texttt{sign}}\cup \{ (\textsf{opk}, {{\textsf{v}}}{{\textsf{k}}}, {\textsf{R}}, {\textsf{M}}, \sigma ) \}\) and returns \(\sigma \).
-
\((\texttt{corrupt}, {{\textsf{v}}}{{\textsf{k}}})\): The challenger returns \(\bot \) if \({{\textsf{v}}}{{\textsf{k}}}\not \in {\textsf{Q}}_{\texttt{UKey}}\). Otherwise, it updates \({\textsf{Q}}_{\texttt{cor}}\leftarrow {\textsf{Q}}_{\texttt{cor}}\cup \{ {{\textsf{v}}}{{\textsf{k}}} \}\) and returns \({\textsf{D}}_{\texttt{UKey}}[{{\textsf{v}}}{{\textsf{k}}}]\).
-
\((\textsf{opk}, *, {\textsf{R}}, {\textsf{M}}, \sigma ) \not \in {\textsf{Q}}_{\texttt{sign}}\), \({\textsf{R}}\subseteq {\textsf{Q}}_{\texttt{UKey}}\backslash {\textsf{Q}}_{\texttt{cor}}\),
-
\(\textsf{Verify}(\textsf{opk}, {\textsf{R}}, {\textsf{M}}, \sigma ) = \top \),
-
\((\textsf{opk}, {{\textsf{v}}}{{\textsf{k}}}, {\textsf{R}}, {\textsf{M}}, \sigma ) \not \in {\textsf{Q}}_{\texttt{sign}}\), \({{\textsf{v}}}{{\textsf{k}}}\in {\textsf{Q}}_{\texttt{UKey}}\backslash {\textsf{Q}}_{\texttt{cor}}\),
-
\(\textsf{Judge}(\textsf{opk}, {\textsf{R}}, {{\textsf{v}}}{{\textsf{k}}}, {\textsf{M}}, \sigma , \pi ) = \top \).
-
\(\textsf{Verify}(\textsf{opk}, {\textsf{R}}, {\textsf{M}}, \sigma ) = \top \), where \((\textsf{opk}, \textsf{osk})\leftarrow \textsf{OKGen}({{\textsf{p}}}{{\textsf{p}}}; {{\textsf{r}}}{{\textsf{r}}})\), and
-
\(\textsf{Judge}(\textsf{opk}, {\textsf{R}}, {{\textsf{v}}}{{\textsf{k}}}, {\textsf{M}}, \sigma , \pi ) = \bot \), where \(({{\textsf{v}}}{{\textsf{k}}}, \pi ) \leftarrow \textsf{Open}(\textsf{osk}, {\textsf{R}}, {\textsf{M}}, \sigma )\).
-
\({{\textsf{v}}}{{\textsf{k}}}_0 \ne {{\textsf{v}}}{{\textsf{k}}}_1\),
-
\(\textsf{Judge}(\textsf{opk}, {\textsf{R}}, {{\textsf{v}}}{{\textsf{k}}}_0, {\textsf{M}}, \sigma , \pi _0) = \top \),
-
\(\textsf{Judge}(\textsf{opk}, {\textsf{R}}, {{\textsf{v}}}{{\textsf{k}}}_1, {\textsf{M}}, \sigma , \pi _1) = \top \).
3.5 Isogenies and ideal class group actions
3.6 Lattices
-
\({\mathcal {O}}_{{{\textbf {A}}}}\): Sample \(({{\textbf {s}}}, {{\textbf {e}}}) \leftarrow D^k \times D^\ell \) and output \({{\textbf {A}}}{{\textbf {s}}}+ {{\textbf {e}}}\in R_q^k\),
-
\({\mathcal {O}}_{\$}\): Output a random \({{\textbf {b}}}\leftarrow R_q^k\).
4 Generic construction of accountable ring signature and dynamic group signature
4.1 Generic construction of accountable ring signature
-
A hard-instance generator contains a setup algorithm \(\textsf{RelSetup}\) that, on input a security parameter \(\uplambda \), outputs a description \({{\textsf{p}}}{{\textsf{p}}}\) of a pair of binary relations \(R_{{\textsf{p}}}{{\textsf{p}}}\subseteq {\tilde{R}}_{{\textsf{p}}}{{\textsf{p}}}\), and an instance generator \(\textsf{IGen}\) for those pairs of relations. That is, \(\textsf{RelSetup}\) and \(\textsf{IGen}\) are PPT algorithms such that \( \Pr [ ({\textsf{x}},{\textsf{w}}) \in R_{{\textsf{p}}}{{\textsf{p}}}~ \mid ~ {{\textsf{p}}}{{\textsf{p}}}\leftarrow \textsf{RelSetup}(1^\uplambda ); ({\textsf{x}},{\textsf{w}}) \leftarrow \textsf{IGen}({{\textsf{p}}}{{\textsf{p}}})] = 1\), and such that if we define the advantage of an adversary \({\mathcal {A}}\) against \((\textsf{RelSetup},\textsf{IGen})\) asthen \(\textsf{Adv}^{\textsf{Hard}}_{\textsf{RelSetup},\textsf{IGen}}({\mathcal {A}})\) is a negligible function of \(\uplambda \) for every PPT adversary \({\mathcal {A}}\).
-
A public-key encryption scheme \(\Pi _\textsf{PKE} = (\mathsf {PKE.Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) with multi-challenge IND-CPA security, and with \(({\mathcal {R}}',{{\mathcal {K}}}{{\mathcal {R}}}')\)-correctness for some relaxed randomness set \({\mathcal {R}}'\) and some relaxed key relation \({{\mathcal {K}}}{{\mathcal {R}}}'\). The message space of the encryption scheme contains a set of indices [N] for any polynomially large \(N \in {\mathbb {N}}\).
-
A multi-proof online extractable \(\textsf{NIZK}\) proof system with labels \(\Pi _{\textsf{NIZK},\textsf{lbl}} = (\textsf{NIZK}.\textsf{Setup}_\textsf{lbl},\textsf{NIZK}.\textsf{Prove}_\textsf{lbl}, \textsf{NIZK}.\textsf{Verify}_\textsf{lbl})\) for the relationsTo be precise, we need to also include the public parameters output by \(\textsf{RelSetup}\) and \(\mathsf {PKE.Setup}\) in the statement. We omit them for better readability.$$\begin{aligned} R_{\textsf{sig}}&= \left\{ \left( (\{{\textsf{x}} _i\}_{i\in [N]}, {{\textsf{p}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}), (I,{\textsf{w}},r) \right) \begin{array}{c} ({\textsf{x}} _I,{\textsf{w}}) \in R_{{\textsf{p}}}{{\textsf{p}}}\wedge {{\textsf{c}}}{{\textsf{t}}}=\textsf{Enc}({{\textsf{p}}}{{\textsf{k}}},I;r) \end{array} \right\} \,\\ {\tilde{R}}_{\textsf{sig}}&= \left\{ \left( (\{{\textsf{x}} _i\}_{i\in [N]}, {{\textsf{p}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}), (I,{\textsf{w}},r) \right) \begin{array}{c} ({\textsf{x}} _I, {\textsf{w}}) \in {\tilde{R}}_{{\textsf{p}}}{{\textsf{p}}}\wedge {{\textsf{c}}}{{\textsf{t}}}=\textsf{Enc}({{\textsf{p}}}{{\textsf{k}}},I;r) \end{array} \right\} \, . \end{aligned}$$
-
A statistically sound \(\textsf{NIZK}\) proof system (without labels) \(\Pi _\textsf{NIZK} = (\textsf{NIZK}.\textsf{Setup}, \textsf{NIZK}.\textsf{Prove}, \textsf{NIZK}.\textsf{Verify})\) for the relationsSimilarly to above, we omit the public parameter output by \(\mathsf {PKE.Setup}\) in the statement. We emphasize that \(\Pi _\textsf{NIZK} \) does not need to be online extractable.$$\begin{aligned} R_{\textsf{open}}&= \left\{ (({{\textsf{p}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}, I),{{\textsf{s}}}{{\textsf{k}}}) ({{\textsf{p}}}{{\textsf{k}}},{{\textsf{s}}}{{\textsf{k}}}) \in {{\mathcal {K}}}{{\mathcal {R}}}\wedge \textsf{Dec}({{\textsf{s}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}) = I \right\} \\ {\tilde{R}}_{\textsf{open}}&= \left\{ (({{\textsf{p}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}, I),{{\textsf{s}}}{{\textsf{k}}}) ({{\textsf{p}}}{{\textsf{k}}},{{\textsf{s}}}{{\textsf{k}}}) \in {{\mathcal {K}}}{{\mathcal {R}}}' \wedge \textsf{Dec}({{\textsf{s}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}) = I \right\} . \, \end{aligned}$$
4.2 Accountable ring signature to dynamic group signature
4.3 Tightly secure variant
-
A hard multi-instance generator \((\textsf{RelSetup},\textsf{IGen})\) contains a setup algorithm \(\textsf{RelSetup}\) that outputs a description \({{\textsf{p}}}{{\textsf{p}}}\) of a pair of relations \(R_{{\textsf{p}}}{{\textsf{p}}}\subseteq {\tilde{R}}_{{\textsf{p}}}{{\textsf{p}}}\), and an instance generator \(\textsf{IGen}\) for these pairs of relations. That is, \(\textsf{RelSetup}\) and \(\textsf{IGen}\) are PPT algorithms such that \(\Pr [ ({\textsf{x}} _i,{\textsf{w}} _i) \in R_{{\textsf{p}}}{{\textsf{p}}}~ \mid ~ {{\textsf{p}}}{{\textsf{p}}}\leftarrow \textsf{RelSetup}(1^\uplambda ); \{({\textsf{x}} _i, {\textsf{w}} _i)\}_{i \in [N]} \leftarrow \textsf{IGen}({{\textsf{p}}}{{\textsf{p}}}, N)] = 1\). Moreover, if we define the advantage of an adversary \({\mathcal {A}}\) against \((\textsf{RelSetup},\textsf{IGen})\) asthen \(\textsf{Adv}^{\mathsf {Multi{\text{- }}Hard}}_{\textsf{RelSetup},\textsf{IGen},N}({\mathcal {A}})\) is a negligible function in \(\uplambda \) for every PPT adversary \({\mathcal {A}}\).
-
A public-key encryption scheme \(\Pi _\textsf{PKE} = (\mathsf {PKE.Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) with multi-challenge IND-CPA security, and with \(({\mathcal {R}}',{{\mathcal {K}}}{{\mathcal {R}}}')\)-correctness for some relaxed randomness set \({\mathcal {R}}'\) and some relaxed key relation \({{\mathcal {K}}}{{\mathcal {R}}}'\). The message space of the encryption scheme contains a set of indices [N] for any polynomially large \(N \in {\mathbb {N}}\).
-
A multi-proof online extractable NIZK proof system with labels \(\Pi _{\textsf{NIZK},\textsf{lbl}} = (\textsf{NIZK}.\textsf{Setup}_\textsf{lbl},\) \(\textsf{NIZK}.\textsf{Prove}_\textsf{lbl},\) \(\textsf{NIZK}.\textsf{Verify}_\textsf{lbl})\) for the family of relations
-
A second \(\textsf{NIZK}\) proof system (without labels) \(\Pi _\textsf{NIZK} = (\textsf{NIZK}.\textsf{Setup}, \textsf{NIZK}.\textsf{Prove}, \textsf{NIZK}.\textsf{Verify})\) for the family of relationswith statistical soundness (Def. 3.9).$$\begin{aligned} R_{\textsf{open}}&= \left\{ (({{\textsf{p}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}, I),{{\textsf{s}}}{{\textsf{k}}}) ({{\textsf{p}}}{{\textsf{k}}},{{\textsf{s}}}{{\textsf{k}}}) \in {{\mathcal {K}}}{{\mathcal {R}}}\wedge \textsf{Dec}({{\textsf{s}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}) = I \right\} \\ {\tilde{R}}_{\textsf{open}}&= \left\{ (({{\textsf{p}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}, I),{{\textsf{s}}}{{\textsf{k}}}) ({{\textsf{p}}}{{\textsf{k}}},{{\textsf{s}}}{{\textsf{k}}}) \in {{\mathcal {K}}}{{\mathcal {R}}}' \wedge \textsf{Dec}({{\textsf{s}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}) = I \right\} \, , \end{aligned}$$
-
The first game, \(\textsf{Game}_1\), is the original unforgeability game defined in Def. 3.18. The adversary’s advantage in this game is \(\textsf{Adv}_1({\mathcal {A}}) = \textsf{Adv}^{\textsf{Unf}}_{\textsf{ARS}}({\mathcal {A}})\) by definition.
-
\(\textsf{Game}_2\) is the same as \(\textsf{Game}_1\), but with a modified winning condition. We let the challenger maintain a list \(L_{\mathcal {O}}\) of all the random-oracle queries that \({\mathcal {A}}\) makes. When \({\mathcal {A}}\) finishes the game by outputting \((\textsf{opk}, {{\textsf{v}}}{{\textsf{k}}}, {\textsf{R}}, {\textsf{M}}, \sigma = ({{\textsf{c}}}{{\textsf{t}}}, \pi _\texttt{sign}), \pi )\), the challenger runs \((I, b, {{\textsf{s}}}{{\textsf{k}}}, r) \leftarrow \textsf{OnlineExtract} ({\textsf{M}}, ({{\textsf{p}}}{{\textsf{p}}}_1, {\textsf{R}}, \textsf{opk}, {{\textsf{c}}}{{\textsf{t}}}),\) \(\pi _\texttt{sign}, L_{\mathcal {O}})\). The game results in a loss if \((({{\textsf{p}}}{{\textsf{p}}}_1, {\textsf{R}}, \textsf{opk}, {{\textsf{c}}}{{\textsf{t}}}), (I,,b,{{\textsf{s}}}{{\textsf{k}}}, r)) \not \in {\tilde{R}}_{\textsf{sig}}^\textsf{Tight}\), otherwise, the winning condition is not changed. As we have shown in the proof of Theorem 4.6, there exists an online-extractability adversary \({\mathcal {B}}_1\) for \(\Pi _{\textsf{NIZK},\textsf{lbl}} \) running in time O(T) such that \(\textsf{Adv}_1({\mathcal {A}}) \le \textsf{Adv}_2({\mathcal {A}}) + \textsf{Adv}_{\Pi _{\textsf{NIZK},\textsf{lbl}}}^{\textsf{OE}}({\mathcal {B}}_1)\).
-
The third game, \(\textsf{Game}_3\), is the same as \(\textsf{Game}_2\) except that we change the way the challenger answers signing queries from \({\mathcal {A}}\). Specifically, the challenger generates \({{\textsf{c}}}{{\textsf{t}}}\) as in \(\textsf{Game}_2\) but uses the \(\Pi _{\textsf{NIZK},\textsf{lbl}} \) zero-knowledge simulator \(\textsf{Sim}=(\textsf{Sim}_0,\textsf{Sim}_1)\) to create the proof \(\pi _\texttt{sign}\). As we have shown in the proof of Theorem 4.6, there exists a zero-knowledge adversary \({\mathcal {B}}_2\) for \(\Pi _{\textsf{NIZK},\textsf{lbl}} \) running in time O(T) and such that \(\textsf{Adv}_2({\mathcal {A}}) \le \textsf{Adv}_3({\mathcal {A}}) + \textsf{Adv}_{\Pi _{\textsf{NIZK},\textsf{lbl}}}^{\textsf{ZK}}({\mathcal {B}}_2)\).
-
Finally, we consider an adversary \({\mathcal {B}}_3\) against the hardness of \((\textsf{RelSetup},\textsf{IGen})\) which simulates \(\textsf{Game}_3\) for \({\mathcal {A}}\). At the beginning of the game, the adversary \({\mathcal {B}}_3\) is given the instances \(({{\textsf{p}}}{{\textsf{p}}}_1,\{ {\textsf{x}} \}_{i \in [{\mathcal {Q}}_{u}]})\). \({\mathcal {B}}_3\) uses the public parameter \({{\textsf{p}}}{{\textsf{p}}}_1\) that is given to him, rather than generating new \({{\textsf{p}}}{{\textsf{p}}}_1\) himself using \(\textsf{RelSetup}\). Moreover, when answering the i-th \(\texttt{ukeygen}\) query, \({\mathcal {B}}_3\) uniformly draws \(b_i\) from \(\{ 1,2 \}\), generates \(({\widetilde{{\textsf{x}}}}_i,{\widetilde{{\textsf{w}}}}_i) \leftarrow \textsf{IGen}({{\textsf{p}}}{{\textsf{p}}}_1)\), and assigns \({{\textsf{v}}}{{\textsf{k}}}_{i} = ({\textsf{x}} _i^{(1)},{\textsf{x}} _i^{(2)})\) where \(({\textsf{x}} _i^{(b_i)},{\textsf{x}} _i^{(3-b_i)})=({\widetilde{{\textsf{x}}}}_i,{\textsf{x}} _i)\). Note that now \({\mathcal {B}}_3\) is able to respond to any valid corruption query \(\texttt{corrupt}\). In fact, for any \(i\in [{\mathcal {Q}}_{u}]\), if \({\mathcal {A}}\) makes a corruption query to corrupt \({{\textsf{v}}}{{\textsf{k}}}_{i}\), then \({\mathcal {B}}_3\) responds by \({{\textsf{s}}}{{\textsf{k}}}=(b_i,{\widetilde{{\textsf{w}}}}_i)\). The view of \({\mathcal {A}}\) during \({\mathcal {B}}_3\)’s simulation is the same as its view during a real execution of \(\textsf{Game}_3\), so \(\textsf{OnlineExtract} \) outputs a valid witness \(({\widetilde{I}},{{\textsf{s}}}{{\textsf{k}}}=(b',{\textsf{w}} '),r)\) with probability at least \(\textsf{Adv}_3({\mathcal {A}})\). Since the sampling of the statements and witnesses follows the same distribution determined by \(\textsf{IGen}({{\textsf{p}}}{{\textsf{p}}}_1)\) in the real execution, there is an 1/2 chance that \(b'=(3-b_{{\widetilde{I}}})\). That is, \(({\textsf{x}} _{{\widetilde{I}}},{\textsf{w}} ') \in {\widetilde{R}}_{{{\textsf{p}}}{{\textsf{p}}}_1}\). Therefore, we have \(\textsf{Adv}_3({\mathcal {A}})/2 \le \textsf{Adv}^{\mathsf {Multi{\text{- }}Hard}}_{\textsf{RelSetup},\textsf{IGen},{\mathcal {Q}}_{u}}({\mathcal {B}}_3)\).
5 Group-action-based hard instance generators and PKEs
5.1 Group-action-based hard instance generator
-
On input a security parameter \(\uplambda \), \(\textsf{RelSetup}\) outputs \({{\textsf{p}}}{{\textsf{p}}}= (G,S_1,S_2,\delta ,X_0,{\mathcal {X}},\star )\) such that: G is an additive group whose elements can be represented uniquely, \(S_1 \subseteq S_2\) are symmetric subsets of G, such that membership in \(S_1\) and \(S_2\) can be decided efficiently, and such that the group law can be computed efficiently for elements in \(S_1 \cup S_2\). Moreover, the intersection \(S_3 = \cap _{g \in S_1} g + S_2\) has cardinality \(\delta |S_2 |\) and membership of \(S_3\) can be decided efficiently. \(\star \) is an action \(\star : G \times {\mathcal {X}}\rightarrow {\mathcal {X}}\) of G on a set \({\mathcal {X}}\) that contains the element \(X_0\). \(\star \) can be evaluated efficiently on elements of \(S_1 \cup S_2\). These parameters describe an NP-relationand a relaxed NP-relation$$\begin{aligned} R_{{\textsf{p}}}{{\textsf{p}}}= \left\{ (X,s) \, \, s \in S_1: s \star X_0 = X \right\} , \end{aligned}$$$$\begin{aligned} {\tilde{R}}_{{\textsf{p}}}{{\textsf{p}}}= \left\{ (X,s) \, \, s \in S_2 + S_3: s \star X_0 = X \right\} . \end{aligned}$$
-
On input \({{\textsf{p}}}{{\textsf{p}}}\), \(\textsf{IGen}\) samples an element s from \(S_1\) and outputs \((s~\star ~X_0,s) \in ~R_{{\textsf{p}}}{{\textsf{p}}}\).
-
\((\textsf{RelSetup}, \textsf{IGen})\) is a hard instance generator as defined in Sect. 4.
5.2 Group-action-based PKE
-
\(\textsf{Setup}(1^\uplambda ) \rightarrow {{\textsf{p}}}{{\textsf{p}}}:\) On input a security parameter \(1^\uplambda \), it returns the public parameter \({{\textsf{p}}}{{\textsf{p}}}= (G, G_{\textsf{M}}, {\mathcal {X}}, S_1, S_2, \delta , D_{{\mathcal {X}}}, \star _{\textsf{M}}, {\mathcal {M}})\) (sometimes implicitly) used by the scheme. Here, \(G, G_{\textsf{M}}\) are additive groups, \(S_1,S_2\) two symmetric subsets of G, \({\mathcal {X}}\) a finite set, \(\delta \) a real number in [0, 1], \(D_{{\mathcal {X}}}\) a distribution over a set of group actions \(\star _{{\textsf{p}}}{{\textsf{k}}}: G \times {\mathcal {X}}\rightarrow {\mathcal {X}}\) and elements in \({\mathcal {X}}\), \(\star _{\textsf{M}}: G_{\textsf{M}}\times {\mathcal {X}}\rightarrow {\mathcal {X}}\) a group action, \({\mathcal {M}}\subseteq G_{\textsf{M}}\) a message space. For any polynomially large \(N \in {\mathbb {N}}\), we assume that there exists a feasible and invertible embedding \(\tau \) from the set of index [N] into the message space \({\mathcal {M}}\). For simplicity, we will write \(\tau (i) \star _{\mathcal {M}}X\), \(\textsf{Enc}({{\textsf{p}}}{{\textsf{k}}},\tau (i))\) as \(i \star _{\textsf{M}}X\), \(\textsf{Enc}({{\textsf{p}}}{{\textsf{k}}},i)\) respectively without causing confusion.
-
\(\textsf{KeyGen}({{\textsf{p}}}{{\textsf{p}}}) \rightarrow ({{\textsf{p}}}{{\textsf{k}}}, {{\textsf{s}}}{{\textsf{k}}}):\) On input a public parameter \({{\textsf{p}}}{{\textsf{p}}}\), it returns a public key \({{\textsf{p}}}{{\textsf{k}}}\) and a secret key \({{\textsf{s}}}{{\textsf{k}}}\). We assume \({{\textsf{p}}}{{\textsf{k}}}= (\star _{{\textsf{p}}}{{\textsf{k}}}, X_{{\textsf{p}}}{{\textsf{k}}})\) to be drawn from \(D_{{\mathcal {X}}}\), where \(\star _{{\textsf{p}}}{{\textsf{k}}}: G \times {\mathcal {X}}\rightarrow {\mathcal {X}}\) is a group action and \(X_{{\textsf{p}}}{{\textsf{k}}}\in {\mathcal {X}}\), and \({{\textsf{s}}}{{\textsf{k}}}\in G\). We also assume \({{\textsf{p}}}{{\textsf{k}}}\) includes \({{\textsf{p}}}{{\textsf{p}}}\) w.l.o.g.
-
\(\textsf{Enc}({{\textsf{p}}}{{\textsf{k}}}, {\textsf{M}}; r) \rightarrow {{\textsf{c}}}{{\textsf{t}}}:\) On input a public key \({{\textsf{p}}}{{\textsf{k}}}= (\star _{{\textsf{p}}}{{\textsf{k}}}, X_{{\textsf{p}}}{{\textsf{k}}})\) and a message \({\textsf{M}}\in {\mathcal {M}}\), it returns a ciphertext \({{\textsf{c}}}{{\textsf{t}}}\). We assume \({{\textsf{c}}}{{\textsf{t}}}\) is generated as \({\textsf{M}}\star _{\textsf{M}}(r \star _{{\textsf{p}}}{{\textsf{k}}}X_{{\textsf{p}}}{{\textsf{k}}}) \in {\mathcal {X}}\), where the encryption randomness is sampled as \(r \overset{_{\tiny \$}}{\leftarrow } S_1\).
-
\(\textsf{Dec}({{\textsf{s}}}{{\textsf{k}}}, {{\textsf{c}}}{{\textsf{t}}}) \rightarrow {\textsf{M}}:\) On input a secret key \({{\textsf{s}}}{{\textsf{k}}}\) and a ciphertext \({{\textsf{c}}}{{\textsf{t}}}\), it (deterministically) returns a message \({\textsf{M}}\in {\mathcal {M}}\).
6 Sigma protocol for a “Traceable” OR relation
6.1 From a group-action-based HIG and PKE to base traceable OR sigma protocol
-
If \(\textsf{chall}= 0\), the simulator executes as \(P^{' {\mathcal {O}}}({\textsf{X}}, \bot ,\textsf{chall})\), where notice \(P'\) does not require the witness when \(\textsf{chall}= 0\). Concretely, the simulator outputs \((\textsf{com}=\textsf{root},\textsf{chall}=0,\textsf{resp}=\textsf{seed})\) where \(\textsf{root},\textsf{seed}\) are honestly generated as in the execution of \(P_1^{' {\mathcal {O}}}\).
-
If \(\textsf{chall}= 1\), the simulator uniformly samples \((s'',r'')\) from \(S_3 \times {\overline{S}}_3\), and \(\textsf{bits}\) from \(\{ 0,1 \}^{\uplambda }\). It computes \({\textsf{C}}_1 = {\mathcal {O}}(\textsf{Com}\parallel s'' \star X_0 \parallel r'' \star _{{\textsf{p}}}{{\textsf{k}}}Y_{{\textsf{p}}}{{\textsf{k}}}\parallel \textsf{bits})\). It then uniformly samples dummy commitments \({\textsf{C}}_i\) for \(i \in \{ 2, \ldots , N \}\) from \(\{ 0,1 \}^{2\uplambda }\), and computes the (index-hiding) Merkle tree \((\textsf{root}, \textsf{tree}) \leftarrow \textsf{MerkleTree}({\textsf{C}}_1, \ldots , {\textsf{C}}_N)\). After that, it extracts the path \(\textsf{path}\leftarrow \textsf{getMerklePath}(\textsf{tree}, 1)\) in the tree and sets \(\textsf{com}= \textsf{root}\), and \(\textsf{resp}= (s'',r'', \textsf{path}, \textsf{bits})\). Finally, the simulator returns \((\textsf{com}, \textsf{chall}=1, \textsf{resp})\).
-
\(\textsf{Sim}_{1}\) is identical to \(\textsf{Sim}_{0}\) except that instead of using \(\textsf{Expand}\) to generate \(s', r', \{\textsf{bits}_{i}\}_{i \in [N]}\), the simulator generates these by sampling uniformly at random from the corresponding domains. This does not change the view of \({\mathcal {A}}\), unless the adversary queries \({\mathcal {O}}\) on input \((\textsf{Expand}\parallel \textsf{seed})\). Since \(\textsf{seed}\) has \(\uplambda \) bits of min-entropy and because it is information-theoretically hidden from \({\mathcal {A}}\), the probability that \({\mathcal {A}}\) queries \({\mathcal {O}}\) on this input is bounded by \(Q_\textsf{Expand}/2^\uplambda \). That is, \(\left|\Pr [{\textsf{E}}_1] - \Pr [{\textsf{E}}_0] \right|\le \frac{Q_\textsf{Expand}}{2^\uplambda }\).
-
\(\textsf{Sim}_{2}\) is identical to \(\textsf{Sim}_{2}\) except that all the commitments \({\textsf{C}}_i\) for \(i \in [N] \setminus \{I\}\) are generated uniformly at random. This does not change the view of \({\mathcal {A}}\), unless the adversary queries \({\mathcal {O}}\) on input \((\textsf{Com}\parallel T_i \parallel {{\textsf{c}}}{{\textsf{t}}}_i \parallel \textsf{bits}_i)\) for any \(i\in [N] {\setminus } \{ I \}\), where \(T_i= s' \star X_i \) and \({{\textsf{c}}}{{\textsf{t}}}_i=r' \star _{{\textsf{p}}}{{\textsf{k}}}(-i \star _{\textsf{M}}{{\textsf{c}}}{{\textsf{t}}})\). Since for any \(i\in [N] \setminus \{ I \}\) the string \(\textsf{bits}_i\) has \(\uplambda \) bits of min-entropy and because it is information-theoretically hidden from \({\mathcal {A}}\), the probability that \({\mathcal {A}}\) queries \({\mathcal {O}}\) on input \((\textsf{Com}\parallel T_i \parallel {{\textsf{c}}}{{\textsf{t}}}_i \parallel \textsf{bits}_i)\) is bounded by \(Q_{\textsf{Com}}/2^\uplambda \). That is, \(|\Pr [{\textsf{E}}_2] - \Pr [{\textsf{E}}_1] |\le \frac{Q_{\textsf{Com}}}{2^\uplambda }\).
-
\(\textsf{Sim}_{3}\) is identical to \(\textsf{Sim}_{3}\) except that instead of computing \(s'',r''\) as \(s'+s,r'+r\) (conditioned on them respectively lying in \(S_3,{\overline{S}}_3\), due to non-aborting transcripts), the simulator generates these two values by sampling uniformly at random from \(S_3,{\overline{S}}_3\), respectively. Both the distributions are uniform over \(S_3\) and \({\overline{S}}_3\). Therefore, we have \(|\Pr [{\textsf{E}}_3] - \Pr [{\textsf{E}}_2] |= 0\).
-
\(\textsf{Sim}_{4} = \textsf{Sim}\) is identical to \(\textsf{Sim}_{4}\) except that the simulator uses \(I=1\) instead of the value I in the witness \({\textsf{W}}\). These two simulators are indistinguishable because the Merkle tree is index-hiding (by Lemma A.2). Precisely, we have \(|\Pr [{\textsf{E}}_4] - \Pr [{\textsf{E}}_3] |= 0\).
6.2 From base to main traceable OR sigma protocol
-
\(\textsf{Sim}_{1}\) is identical to \(\textsf{Sim}_{0}\), except that, rather than using a \(\textsf{SeedTree}\) with root \(\textsf{seed}_\textsf{root}\) to generate \({\textsf{seeds}_\textsf{internal}}\) and \(\{ \textsf{seed}_i \}_{i \text { s.t. } c_i = 0}\), the simulator instead runs \(\textsf{SimulateSeeds}(1^M \oplus {{\textbf {c}}})\) to obtain \({\textsf{seeds}_\textsf{internal}}\), and then \(\{ \textsf{seed}_i \}_{i \text { s.t. } c_i = 0}\) via \(\textsf{RecoverLeaves}({\textsf{seeds}_\textsf{internal}},1^M \oplus {{\textbf {c}}})\). The simulator picks the remaining seeds (for the challenge components \(c_i\) equal to 1) \(\{ \textsf{seed}_i \}_{i \text { s.t. } c_i = 1}\) uniformly at random from \(\{ 0,1 \}^\uplambda \). Lemma A.3 for the bit string \(1^M \oplus {{\textbf {c}}}\) implies that the distributions of \({\textsf{seeds}_\textsf{internal}}\) and \(\{ \textsf{seed}_i \}_{i \text { s.t. } c_i = 1}\) generated in this way rather than as in the honest protocol can be distinguished with an advantage not greater than \(\frac{Q_0}{2^\uplambda }\). That is, \(|\Pr [{\textsf{E}}_1] - \Pr [{\textsf{E}}_0] |\le \frac{Q_0}{2^\uplambda }\).
-
\(\textsf{Sim}_{2}\) is identical to \(\textsf{Sim}_{1}\) except that the simulator uses the base simulator subroutine \(\textsf{Sim}'\) to compute, for each \(i \in [M]\) such that \(c_i=1\), \(\textsf{com}_i\) and \(\textsf{resp}_i\) on randomness \(\textsf{bits}_i\) by \(\textsf{seed}_i \overset{_{\tiny \$}}{\leftarrow } \{0,1\}^\uplambda \). By Theorem 6.2, the distinguishing advantage of the adversary is bounded by \(\frac{Q_i}{2^\uplambda }\) for each \(i \in [M]\) such that \(c_i=1\). That is, \(|\Pr [{\textsf{E}}_3] - \Pr [{\textsf{E}}_2] |\le \frac{\Sigma ^M_1 Q_i}{2^\uplambda }\).
6.3 Base sigma protocol for the “Tight” relation \(R_{\textsf{sig}}^\textsf{Tight}\)
7 Multi-proof online extractable NIZK from sigma protocol \(\Pi _{\Sigma }^\textsf{tOR}\)
-
We say a tuple \(\textsf{input}_\textsf{base} = ({\textsf{X}}, \textsf{salt}, j, \textsf{com}, \textsf{chall}, \textsf{resp})\) is \(\textsf{valid}\) if the following properties hold:
-
\(\textsf{chall}= 1\);
-
\(V'^{{\mathcal {O}}(\textsf{salt}\parallel j \parallel \cdot )}_2(\textsf{com}, \textsf{chall}, \textsf{resp})\) outputs \(\textsf{accept}\) (i.e., it is a valid transcript for \(\Pi _{\Sigma }^{\textsf{base}}\) with challenge 1);
-
there exists \((\textsf{seed}, s', r', \textsf{bits}_1, \cdots , \textsf{bits}_N)\) such that \(\big ( (\textsf{salt}\parallel j \parallel \textsf{Expand}\parallel \textsf{seed}), (s', r', \textsf{bits}_1, \cdots , \textsf{bits}_N) \big ) \in L_{\mathcal {O}}\), and if we execute \({P}'^{{\mathcal {O}}(\textsf{salt}\parallel j \parallel \cdot )}_1\) with randomness \(\textsf{seed}\), it produces \(\textsf{com}\). Here, we use the fact that \({P}'^{{\mathcal {O}}(\textsf{salt}\parallel j \parallel \cdot )}_1\) can be executed without the witness. By correctness of \(\Pi _{\Sigma }^{\textsf{base}}\), this implies that \((\textsf{com}, 0, \textsf{seed})\) is a valid transcript.
-
-
We say a tuple \(\textsf{input}_\textsf{base} = ({\textsf{X}}, \textsf{salt}, j, \textsf{com}, \textsf{chall}, \textsf{resp})\) is \(\textsf{invalid}\) if \(\textsf{chall}= 1\), \(V'^{{\mathcal {O}}(\textsf{salt}\parallel j \parallel \cdot )}_2(\textsf{com}, \textsf{chall}, \textsf{resp})\) outputs \(\textsf{accept}\), but it is not \(\textsf{valid}\).
-
there exists no tuple \((s', r', \textsf{bits}_1, \cdots , \textsf{bits}_N, \textsf{seed})\) and \(j' \in [M]\) such that \(\big ( (\textsf{salt}\parallel j' \parallel \textsf{Expand}\parallel \textsf{seed}), (s', r',\textsf{bits}_1, \cdots , \textsf{bits}_N) \big ) \in L_{{\mathcal {O}}_{P}}\), but if we execute \({P}'^{{\mathcal {O}}(\textsf{salt}\parallel j' \parallel \cdot )}_1\) with randomness \(\textsf{seed}\), it produces \(\textsf{com}_{j^*}\);
-
there exists such a tuple but \(\textsf{seed}\) retains \(\uplambda \)-bits of min-entropy from the view of \({\mathcal {A}}\) except with probability at most \((MQ_{\textsf{salt}})/ 2^\uplambda \).
8 Instantiations
8.1 Instantiation from isogenies
8.2 Instantiation from lattices
-
\((G, {\mathcal {X}}) = (R^\ell _q \times R^k_q, R^k_q)\), where \(X_0\) is an arbitrary element in \({\mathcal {X}}\),
-
For \(b \in \{ 0,1 \} \), \(S_b = \{ ({{\textbf {s}}}, {{\textbf {z}}}) \in G \vert \Vert {{\textbf {s}}}\Vert _{\infty }, \Vert {{\textbf {e}}}\Vert _{\infty } \le B_b \}\), where \(B_1, B_2\) are positive integers such that \(B_1< B_2 < q\),
-
\(\delta _x = \big ( \frac{2(B_2 - B_1) +1}{2 B_2 + 1} \big )^{n (k + \ell )}\),
-
The group action \(\star : G \times {\mathcal {X}}\rightarrow {\mathcal {X}}\) is defined as \(({{\textbf {s}}}, {{\textbf {e}}}) \star {{\textbf {w}}}= ({{\textbf {A}}}{{\textbf {s}}}+ {{\textbf {z}}}) + {{\textbf {w}}}\), where \({{\textbf {A}}}\in R^{k \times \ell }_q\) is a fixed matrix sampled uniformly by \(\textsf{RelSetup}\).
-
\(({\overline{G}}, {\overline{G}}_{\textsf{T}}, {\mathcal {Y}}) = (R^k_q \times R^\ell _q \times R_q, R_q, R^k_q \times R_q)\),
-
For \(b \in \{ 0,1 \} \), \({\overline{S}}_b = \{ ({{\textbf {r}}}, {{\textbf {e}}}, e) \in {\overline{G}}\vert \Vert {{\textbf {r}}}\Vert _{\infty }, \Vert {{\textbf {e}}}\Vert _{\infty }, \Vert e\Vert _{\infty } \le B_b \}\), where \(B_1, B_2\) are positive integers such that \(B_1< B_2 < q\) and \(4(nk + 1) (2B_2 - B_1) \le q\),
-
\(\delta _y = \big ( \frac{2(B_2 - B_1) +1}{2 B_2 + 1} \big )^{n (k + \ell + 1)}\),
-
\(D_{\mathcal {Y}}\) is a distribution that samples a uniform random \(({{\textbf {A}}}, {{\textbf {s}}}, {{\textbf {z}}}) \in R^{k \times \ell } \times R^\ell _q \times R^k_q\) and outputs a group action \(\star : {\overline{G}}\times {\mathcal {Y}}\rightarrow {\mathcal {Y}}\) defined as \(({{\textbf {r}}}, {{\textbf {e}}}, e) \star ({{\textbf {w}}}, w) = (( {{\textbf {A}}}^\top {{\textbf {r}}}+ {{\textbf {e}}}+ {{\textbf {w}}}, {{\textbf {b}}}^\top {{\textbf {r}}}+ e + w)\) and an element \(Y = ({{\textbf {w}}}, w) \in {\mathcal {Y}}\), where \({{\textbf {b}}}= {{\textbf {A}}}{{\textbf {s}}}+ {{\textbf {z}}}\),
-
\(\star _{\textsf{M}}: {\overline{G}}_{\textsf{T}}\times {\mathcal {Y}}\rightarrow {\mathcal {Y}}\) is a group action defined as \({\textsf{M}}\star _{\textsf{M}}({{\textbf {c}}}, c) = ( {{\textbf {c}}}, c + {\textsf{M}}\cdot \lfloor q/2 \rceil )\),
-
The message space \({\mathcal {M}}\) is a subset of \({\overline{G}}_{\textsf{T}}= R_q\) with coefficients in \( \{ 0,1 \} \).
-
\(({\mathcal {R}}',{{\mathcal {K}}}{{\mathcal {R}}}') = ({\overline{S}}_2 + {\overline{S}}_3, U(2B_2 - B_1)^\ell \times U(2B_2 - B_1)^k)\), where recall \(S_3\) is a subset of G with ring elements whose coefficients are all bounded by \(B_2 - B_1\). Specifically, \({\overline{S}}_2 + {\overline{S}}_3 = \{ ({{\textbf {r}}}, {{\textbf {e}}}, e) \in {\overline{G}}\vert \Vert {{\textbf {r}}}\Vert _{\infty }, \Vert {{\textbf {e}}}\Vert _{\infty }, \Vert e\Vert _{\infty } \le 2B_2 - B_1 \}\).