A. ·-r-com,i-,-with-r-com,i-?-u-({0,

{. ,

, The same string x is used in all steps while enabling dichotomic searches; (ii) At each step, the prover indeed uses some coordinate of x (without revealing which one), the choice of which is dictated by a path in the tree determined by var(?). public, both parties can deterministically compute the root u tree of the Merkle tree. For each ? ? [L], we consider the binary representation d ?,1 ,. .. , d ?,?? of var(?), which is part of the encoding of BP deened in (9.11), The Merkle tree will actually serve as a "bridge" ensuring that: (i)

, Now, our task can be divided into 3 steps: (i) Proving that the searches on Merkle tree yield y 1

L. Ooooooooo, The Peikert-VaikuntanathanWaters [PVW08] construction, based on dual-mode encryption, achieves 1-out-of-2 composable oblivious transfer (which can be generalized to 1-out-of-2 t OT), without relying on zero-knowledge proofs, but it does not imply OT with adaptive queries (i.e., where each index ? i may depend on messages received in previous transfers). Actually, the use of ZK proofs is not ruled out in this setting

, However, this protocol uses the trapdoor extractability of

, Groth-Sahai proofs [GS08] to achieve straight-line extraction

, As explained in the introduction, it is the digital equivalent of real-life money. A body of research followed its introduction [CFN88, OO91, CP92, FY93, Oka95, Tsi97], and the rst compact realization was given by Camenisch, Hohenberger and Lysyanskaya, Question 3. Can we obtain a more eecient compact e-cash system from lattice assumptions? Another privacy-preserving primitive is compact e-cash [Cha82, Cha83, CHL05b

, A recent line of work makes steps forward in this direction

, The Stern-like proof systems we studied in this thesis, despite being exible enough to prove a large variety of statements, suuer from the stiiness of being combinatorial. The choice of permutations used to ensure the zero-knowledge property (and thus witnessindistinguishability) is quite strict, and forces the challenge space to be ternary

S. Arora and B. Barak, Computational Complexity: A Modern Approach, p.13, 2009.

S. Agrawal, D. Boneh, and X. Boyen, EEcient lattice (H)IBE in the standard model, Citations: § xviii, vol.6110, p.154, 2010.

M. Abe, J. Camenisch, M. Dubovitskaya, and R. Nishimaki, Universally composable adaptive oblivious transfer (with access control) from standard assumptions, ACM Workshop on Digital Identity Management, vol.7, p.187, 2013.

G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, A practical and provably secure coalition-resistant group signature scheme, Crypto, volume 1880 of LNCS, p.43, 2000.

D. Aggarwal, D. Dadush, O. Regev, and N. Stephens-davidowitz, Solving the Shortest Vector Problem in 2 n Time Using Discrete Gaussian Sampling, STOC, p.22, 2015.

D. Aggarwal, D. Dadush, and N. Stephens-davidowitz, Solving the Closest Vector Problem in 2 n Time-The Discrete Gaussian Strikes Again! In FOCS, p.22, 2015.

M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo, Structurepreserving signatures and commitments to group elements, Crypto, vol.6223, p.96, 2010.

M. R. Albrecht, R. Fitzpatrick, and F. Göpfert, On the EEcacy of Solving LWE by Reduction to Unique-SVP, ICISC 2013, p.22, 2014.

D. F. Aranha and C. P. Gouvêa, RELIC is an EEcient LIbrary for Cryptography

W. Aiello, Y. Ishai, and O. Reingold, Priced oblivious transfer: How to sell digital goods, Eurocrypt, vol.146, p.147, 2001.

G. Asharov, A. Jain, A. Lopez-alt, E. Tromer, V. Vaikuntanathan et al., Multiparty computation with low communication, computation and interaction via threshold FHE, Eurocrypt, vol.7237, p.158, 2012.

M. Ajtai, Generating Hard Instances of Lattice Problems, ACM, editor, STOC, p.23, 1996.

C. Aguilar-melchor, S. Bettaieb, X. Boyen, L. Fousse, and P. Gaborit, Adapting Lyubashevsky's Signature Schemes to the Ring Signature Setting, Africacrypt, vol.7918, p.118, 2013.

J. Alwen and C. Peikert, Generating shorter bases for hard random lattices, STACS, vol.3, p.184, 2009.
URL : https://hal.archives-ouvertes.fr/inria-00359718

W. Banaszczyk, New bounds in some transference theorems in the geometry of number, vol.296, p.23, 1993.

D. Barrington, Bounded-width polynomial-size branching programs recognize exactly those languages in nc1, STOC'86, p.146, 1986.

D. Boneh and X. Boyen, EEcient selective-ID secure identity-based encryption without random oracles, Eurocrypt, vol.3027, p.53, 2004.

M. Bellare, A. Boldyreva, A. Desai, and D. Pointcheval, Key-Privacy in Public-Key Encryption, PKC, p.131, 2001.

M. Bellare, A. Boldyreva, K. Kurosawa, and J. Staddon, Multirecipient Encryption Schemes: How to Save on Bandwidth and Computation Without Sacriicing Security, IEEE Trans. on Information Theory, vol.53, issue.11, p.66, 2007.

D. Boneh, X. Boyen, and H. Shacham, Short group signatures, Crypto, vol.3152, p.74, 2004.

M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya et al., Randomizable Proofs and Delegatable Anonymous Credentials, Crypto, vol.5677, pp.108-125, 2009.

J. Bootle, A. Cerulli, P. Chaidos, E. Ghadaa, and J. Groth, Foundations of Fully Dynamic Group Signatures, ACNS, p.44, 2016.

F. Benhamouda, J. Camenisch, S. Krenn, V. Lyubashevsky, and G. Neven, Better zeroknowledge proofs for lattice encryption and their application to group signatures, Asiacrypt, number 8873 in LNCS, p.118, 2014.
URL : https://hal.archives-ouvertes.fr/hal-01084737

M. Belenkiy, M. Chase, M. Kohlweiss, and A. Lysyanskaya, P-signatures and Noninteractive Anonymous Credentials, TCC, number 4948 in LNCS, pp.356-374

. Springer, Citations: § xviii, 4, and 54, 2008.

M. Belenkiy, M. Chase, M. Kohlweiss, and A. Lysyanskaya, Compact E-Cash and Simulatable VRFs Revisited, Pairing, vol.5671, pp.114-131, 2009.

P. Bichsel, J. Camenisch, G. Neven, N. P. Smart, and B. Warinschi, Get Shorty via Group Signatures without Encryption, SCN, p.75, 2010.

R. Barbulescu and S. Duquesne, Updating Key Size Estimations for Pairings, Citations: § xix, 4, and 21, pp.1-39, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01534101

F. Bourse, R. Pino, M. Minelli, and H. Wee, FHE Circuit Privacy Almost for Free, Crypto, number 9815 in LNCS, vol.158, p.190, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01360110

D. Boneh and M. Franklin, Identity-based encryption from the weil pairing, vol.21, p.192, 2001.

M. Bellare and O. Goldreich, On Deening Proofs of Knowledge, Crypto, vol.740, p.28, 1992.

L. Ballard, M. Green, B. De-medeiros, and F. Monrose, Correlation-resistant storage via keyword-searchable encryption, Cryptology ePrint Archive, 2005.

F. Böhl, D. Hofheinz, T. Jager, J. Koch, and C. Striecks, Connned guessing: New signatures from standard assumptions, Citations: § xviii, vol.28, p.153, 2015.

F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Pietrzak, EEcient zero-knowledge proofs for commitments from learning with errors over rings, ESORICS, vol.9326, pp.305-325, 2015.

S. Bai, A. Langlois, T. Lepoint, D. Stehlé, and R. Steinfeld, Improved security proofs in lattice-based cryptography: Using the Rényi divergence rather than the statistical distance, Citations: § 18, vol.9452, p.91, 2015.

Z. Brakerski, A. Langlois, C. Peikert, O. Regev, and D. Stehlé, On the classical hardness of learning with errors, STOC, p.25, 2013.

D. Boneh, B. Lynn, and H. Shacham, Short signatures from the Weil pairing, In Asiacrypt, p.192, 2001.

Z. Brakerski, A. Lombardi, G. Segev, and V. Vaikuntanathan, Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions. In Eurocrypt, p.192, 2018.

M. Blum, Coin Flipping by Telephone, Crypto, p.29, 1981.

M. Bellare, D. Micciancio, and B. Warinschi, Foundations of group signatures: Formal deenitions, simpliied requirements, and a construction based on general assumptions, Eurocrypt, vol.3376, p.44, 2003.

P. S. Barreto and M. Naehrig, Pairing-friendly elliptic curves of prime order, Selected Areas in Cryptography, pp.319-331

. Springer, Citations: § xviii, 4, 21, 71, 72, p.75, 2006.

X. Boyen, Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more, Citations: § xviii, xix, vol.6056, p.154, 2010.

E. Brickell, D. Pointcheval, S. Vaudenay, and M. Yung, Design validations for discrete logarithm based signature schemes, PKC, vol.1751, pp.276-292

. Springer, Citations: § 103, vol.106, p.185, 2000.

M. Bellare and P. Rogaway, Random Oracles Are Practical: A Paradigm for Designing EEcient Protocols, CCS. ACM, 1993. Citations: § 16, p.51

I. F. Blake, G. Seroussi, and N. P. Smart, Advances in elliptic curve cryptography, vol.317, p.53, 2005.

M. Bellare, H. Shi, and C. Zhang, Foundations of group signatures: The case of dynamic groups, CT-RSA, volume 2656 of LNCS, vol.44, p.99, 2005.

Z. Brakerski and V. Vaikuntanathan, EEcient fully homomorphic encryption from (standard) LWE, Citations: § xviii, p.4, 2011.

R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, Citations: § 11, vol.19, p.148, 2001.

J. Camenisch, M. Dubovitskaya, R. Enderlein, and G. Neven, Oblivious transfer with hidden access control from attribute-based encryption, SCN, vol.7485, p.187, 2012.

R. Cramer, I. Damgård, and P. Mackenzie, EEcient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions, PKC, p.67, 2000.

J. Camenisch, M. Dubovitskaya, and G. Neven, Oblivious transfer with access control, Citations: § xxii, p.187, 2009.

J. Camenisch, M. Dubovitskaya, G. Neven, and G. Zaverucha, Oblivious transfer with hidden access control policies, Citations: § xxii, vol.6571, p.187, 2011.

R. Canetti and M. Fischlin, Universally composable commitments, Crypto, p.20, 2001.

D. Chaum, A. Fiat, and M. Naor, Untraceable electronic cash, Crypto, vol.403, p.190, 1988.

R. Canetti, O. Goldreich, and S. Halevi, The random oracle methodology, revisited, STOC, vol.45, p.16, 1998.

S. Coull, M. Green, and S. Hohenberger, Controlling access to an oblivious database using stateful anonymous credentials, PKC, number 5443 in LNCS, p.147, 2009.

B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, Private information retrieval, FOCS, p.146, 1995.

D. Chaum, Blind signatures for untraceable payments, Citations: § xvi, vol.2, p.190, 1982.

D. Chaum, Blind signature system, In Crypto, p.190, 1983.

D. Chaum, Security without Identiication: Transactions System to Make Big Brother Obsolete, Citations: § xvi, vol.28, p.51, 1985.

J. H. Cheon, Security analysis of the strong diie-hellman problem, Eurocrypt, vol.4004, p.22, 2006.

R. Canetti, S. Halevi, and J. Katz, Chosen-Ciphertext Security from Identity-Based Encryption, Eurocrypt, vol.77, p.192, 2004.

D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, Bonsai trees, or how to delegate a lattice basis, Citations: § xix, vol.6110, p.80, 2010.

J. Camenisch, S. Hohenberger, and A. Lysyanskaya, Balancing Accountability and Privacy Using E-Cash, SCN, number 4116 in LNCS, p.53, 2005.

J. Camenisch, S. Hohenberger, and A. Lysyanskaya, Compact e-cash, Eurocrypt, number 3494 in LNCS, vol.27, p.190, 2005.

J. H. Cheon, K. Han, C. Lee, H. Ryu, and D. Stehlé, Cryptanalysis of the Multilinear Map over the Integers, Eurocrypt, 2015. Citations: § xvii and
URL : https://hal.archives-ouvertes.fr/hal-01240445

R. Canetti, E. Kushilevitz, and Y. Lindell, On the limitations of universally composable two-party computation without set-up assumptions, Journal of Cryptology, vol.19, issue.2, p.11, 2006.

J. Camenisch, S. Krenn, A. Lehmann, G. Mikkelsen, G. Neven et al., Formal treatment of privacy-enhancing credential systems, SAC, vol.87, p.90, 2015.

J. Camenisch and A. Lysyanskaya, An eecient system for non-transferable anonymous credentials with optional anonymity revocation, Eurocrypt, number 2045 in LNCS, vol.2, p.51, 2001.

J. Camenisch and A. Lysyanskaya, A signature scheme with eecient protocols, Security and Cryptography for Networks (SCN'02), vol.53, p.79, 2002.

J. Camenisch and A. Lysyanskaya, A signature scheme with eecient protocols, SCN, number 2576 in LNCS, vol.78, p.118, 2002.

J. Camenisch and A. Lysyanskaya, A Signature Scheme with EEcient Protocols, SCN, p.51, 2004.

J. Camenisch and A. Lysyanskaya, Signature Schemes and Anonymous Credentials from Bilinear Maps, Crypto, number 3152 in LNCS, vol.51, p.52, 2004.

J. Cathalo, B. Libert, and M. Yung, Group Encryption: Non-Interactive Realization in the Standard Model, Asiacrypt, number 5912 in LNCS, vol.119, p.121, 2009.

J. Camenisch, G. Neven, and M. Rückert, Fully anonymous attribute tokens from lattices, SCN, vol.7485, p.78, 2012.

J. Camenisch and G. Neven, Simulatable adaptive oblivious transfer, Citations: § 145, vol.4515, p.186, 2007.

S. A. Cook, The complexity of theorem-proving procedures, Proceedings of the Third Annual ACM Symposium on Theory of Computing, STOC '71, pp.151-158

D. Chaum and T. Pedersen, Transferred Cash Grows in Size, Eurocrypt, vol.658, pp.390-407

R. Cramer, Modular Design of Secure, yet Practical Cryptographic Protocols, p.29, 1996.

R. Cramer and V. Shoup, A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, Crypto, p.66, 1998.

D. Chaum and E. Van-heyst, Group signatures, Eurocrypt, vol.547, p.117, 1991.

I. Damgård, A Design Principle for Hash Functions, Crypto, p.30, 1989.

I. Damgård, EEcient concurrent zero-knowledge in the auxiliary string model, Eurocrypt, volume 1807 of LNCS, vol.89, p.141, 2000.

G. Di-crescenzo, R. Ostrovsky, and S. Rajagopalan, Conditional oblivious transfer and timed-release encryption, Eurocrypt'99, number 1592 in LNCS, p.147, 1999.

N. Döttling, N. Fleischhacker, J. Krupp, and D. Schröder, Two-message, oblivious evaluation of cryptographic functionalities, Crypto, number 9816 in LNCS, p.147, 2016.

N. Döttling and S. Garg, From Selective IBE to Full IBE and Selective HIBE, TCC, p.192, 2017.

N. Döttling and S. Garg, Identity-Based Encryption from the Diie-Hellman Assumption, Crypto, vol.10401, p.4, 2017.

I. Damgård, D. Hofheinz, E. Kiltz, and R. Thorbek, Public-key encryption with non-interactive opening, CT-RSA, vol.4964, p.99, 2008.

L. Ducas and D. Micciancio, Improved Short Lattice Signatures in the Standard Model, Crypto, p.191, 2014.

I. Damgård and J. Nielsen, Universally composable eecient multiparty computation from threshold homomorphic encryption, Crypto, number 2729 in LNCS, p.146, 2003.

C. Delerablée and D. Pointcheval, Dynamic fully anonymous short group signatures, VietCrypt, vol.4341, p.75, 2006.

R. Pino, V. Lyubashevsky, G. Neven, and G. Seiler, Practical Quantum-Safe Voting from Lattices, CCS, 2017. Citations: § xviii, p.35

L. Ducas and D. Stehlé, Sanitization of FHE ciphertexts, Eurocrypt, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01394216

L. E. Aimani and M. Joye, Toward Practical Group Encryption, ACNS 2013, vol.7954, p.119, 2013.

S. Even, O. Goldreich, and A. Lempel, A randomized protocol for signing contracts, Citations: § xxi, vol.28, issue.6, p.145, 1985.

M. F. Ezerman, H. T. Lee, S. Ling, K. Nguyen, and H. Wang, A provably secure group signature scheme from code-based assumptions, Asiacrypt'15, vol.9452, p.128, 2015.

M. Freedman, Y. Ishai, B. Pinkas, and O. Reingold, Keyword search and oblivious pseudorandom functions, TCC, vol.3378, p.147, 2005.

D. M. Freeman, Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups, In Eurocrypt, p.52, 2010.

A. Fiat and A. Shamir, How to prove yourself: Practical solutions to identiication and signature problems, Citations: § 16, vol.27, p.160, 1986.

U. Feige and A. Shamir, Witness Indistinguishable and Witness Hiding Protocols, ACM, editor, STOC, vol.28, p.34, 1990.

M. Franklin and M. Yung, Secure and eecient oo-line digital money, ICALP, vol.700, p.190, 1993.

C. Gentry, Fully homomorphic encryption using ideal lattices, Citations: § xix, 4, p.22, 2009.

M. Green and S. Hohenberger, Blind identity-based encryption and simulatable oblivious transfer, Citations: § 145, vol.4833, p.180, 2007.

M. Green and S. Hohenberger, Universally Composable Adaptive Oblivious Transfer, Asiacrypt, number 5350 in LNCS, vol.147, p.190, 2008.

M. Green and S. Hohenberger, Practical adaptive oblivious transfer from simple assumptions, TCC, vol.6597, p.186, 2011.

J. Gill, Computational Complexity of Probabilistic Turing Machines, SIAM J. on Computing, vol.6, issue.4, p.13, 1977.

S. D. Gordon, J. Katz, and V. Vaikuntanathan, A group signature scheme from lattice assumptions, Asiacrypt, volume 2647 of LNCS, vol.78, p.184, 2010.

M. Gerbush, A. Lewko, A. O'neill, and B. Waters, Dual Form Signatures: An Approach for Proving Security from Static Assumptions, Asiacrypt, p.52, 2012.

S. Goldwasser and S. Micali, Probabilistic encryption & how to play mental poker keeping secret all partial information, Citations: § xvi, vol.2, p.19, 1982.

S. Goldwasser, S. Micali, and C. Rackoo, The knowledge complexity of interactive proof-systems, ACM, 1985. Citations: § 27, vol.28, p.118

O. Goldreich, S. Micali, and A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, STOC, p.145, 1987.

J. Garay, P. Mackenzie, and K. Yang, Strengthening Zero-Knowledge Protocols Using Signatures, Eurocrypt, p.28, 2003.

O. Goldreich, Basic Applications, Foundations of Cryptography, vol.2, p.19, 2004.

J. Groth, R. Ostrovsky, and A. Sahai, Perfect Non-interactive Zero Knowledge for NP, Eurocrypt, 2006. Citations: § xvii, p.190

S. D. Galbraith, C. Petit, and J. Silva, Identiication Protocols and Signature Schemes Based on Supersingular Isogeny Problems, Asiacrypt, p.191, 2017.

C. Gentry, C. Peikert, and V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, Citations: § xviii, xix, vol.87, p.132, 2008.

J. Groth, Fully anonymous group signatures without random oracles, Citations: § xviii and 4, vol.4833, pp.164-180, 2007.

J. Groth and A. Sahai, EEcient non-interactive proof systems for bilinear groups, Eurocrypt, vol.4965, pp.415-432, 2008.

C. Gentry, A. Sahai, and B. Waters, Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based, Crypto, number 8042 in LNCS, pp.75-92, 2013.

R. Hiromasa, M. Abe, and T. Okamoto, Packing messages and optimizing bootstrapping in GSW-FHE, PKC, number 9020 in LNCS, p.158, 2015.

J. Herranz, Restricted adaptive oblivious transfer, Theoretical Computer Science, vol.412, issue.46, p.147, 2011.

G. Herold and E. Kirshanova, Improved algorithms for the approximate k-list problem in Euclidean norm, PKC'17, p.22, 2017.

S. Hohenberger and B. Waters, Short and stateless signatures from the RSA assumption, Crypto, vol.5677, p.154, 2009.

Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai, Zero-knowledge from Secure Multiparty Computation, STOC, p.191, 2007.

M. Izabachène, D. Pointcheval, and D. Vergnaud, Mediated traceable anonymous encryption, LATINCRYPT 2010, vol.6212, p.119, 2010.

D. Jao and L. De-feo, Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies, PQCrypto, p.191, 2011.
URL : https://hal.archives-ouvertes.fr/hal-00652846

A. Jain, S. Krenn, K. Pietrzak, and A. Tentes, Commitments and eecient zeroknowledge proofs from learning parity with noise, Asiacrypt, vol.7658, p.118, 2012.

S. Jarecki and X. Liu, EEcient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection, Citations: § 147, vol.5444, p.186, 2009.

A. Joux, A one round protocol for tripartite diie-hellman, Algorithmic Number Theory, pp.385-393, 2000.

C. Jutla and A. Roy, Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces, Asiacrypt, vol.32, p.54, 2013.

C. Jutla and A. Roy, Switching Lemma for Bilinear Tests and Constant-Size NIZK Proofs for Linear Subspaces, Crypto, vol.8617, p.53, 2014.

T. Kim and R. Barbulescu, Extended tower number eld sieve: A new complexity for the medium prime case, pp.543-571

. Springer, Citations: § xix, 4, and 21, 2016.

J. Katz and Y. Lindell, Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series), vol.15, p.16, 2007.

K. Kurosawa, L. Phong, and R. Nojima, EEciency-improved fully simulatable adaptive OT under the DDH assumption, SCN, vol.6280, p.186, 2010.

K. Kurosawa, L. Phong, and R. Nojima, Generic fully simulatable adaptive oblivious transfer, ACNS, vol.6715, p.186, 2011.

E. J. Kachisa, E. F. Schaefer, and M. Scott, Constructing brezing-weng pairing-friendly elliptic curves using elements in the cyclotomic eld, Pairing-Based Cryptography-Pairing, pp.126-135, 2008.

A. Kawachi, K. Tanaka, and K. Xagawa, Concurrently secure identiication schemes based on the worst-case hardness of lattice problems, Citations: § xvii, xviii, vol.5350, p.185, 2008.

A. Kiayias, Y. Tsiounis, and M. Yung, Traceable signatures, LNCS, vol.3027, p.119, 2004.

A. Kiayias, Y. Tsiounis, and M. Yung, Group encryption, Asiacrypt, number 4833 in LNCS, vol.6, p.132, 2007.

J. Katz and N. Wang, EEciency improvements for signature schemes with tight security reductions, CCS, pp.155-164, 2003.

E. Kiltz and H. Wee, Quasi-Adaptive NIZK for Linear Subspaces Revisited, Eurocrypt, 2015. Citations: § 32, vol.52, p.69
URL : https://hal.archives-ouvertes.fr/hal-01220192

S. Kim and D. J. Wu, Multi-Theorem Preprocessing NIZKs from Lattices, Crypto

A. Kiayias and M. Yung, Group signatures with eecient concurrent join, Eurocrypt, number 3494 in LNCS, vol.96, p.119, 2005.

A. Kiayias and M. Yung, Secure scalable group signature with dynamic joins and separable authorities, Citations: § 43, vol.1, p.99, 2006.

A. Y. Lindell, EEcient fully-simulatable oblivious transfer, CT-RSA, p.146, 2008.

F. Laguillaumie, A. Langlois, B. Libert, and D. Stehlé, Lattice-based group signatures with logarithmic signature size, Asiacrypt, vol.8270, pp.41-61
URL : https://hal.archives-ouvertes.fr/hal-00920420

. Springer, Citations: § 77, vol.78, p.118, 2013.

B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang, Signature schemes with eecient protocols and dynamic group signatures from lattice assumptions, Asiacrypt, 2016. Citations: § xx, vol.5, p.169

B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang, Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption, Asiacrypt, 2016. Citations: § xx, xxi, vol.5, p.174
URL : https://hal.archives-ouvertes.fr/hal-01394087

B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang, Adaptive oblivious transfer with access control from lattice assumptions, Asiacrypt, p.168, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01622197

A. Langlois, S. Ling, K. Nguyen, and H. Wang, Lattice-Based Group Signature Scheme with Veriier-Local Revocation, PKC, vol.8383, p.118, 2014.

B. Libert, S. Ling, K. Nguyen, and H. Wang, Zero-Knowledge Arguments for LatticeBased Accumulators: Logarithmic-size Ring Signatures and Group Signatures Without Trapdoors, Citations: § xix, vol.9666, p.174, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01314642

B. Libert, S. Ling, K. Nguyen, and H. Wang, Zero-Knowledge Arguments for LatticeBased PRFs and Applications to E-Cash, In Asiacrypt, vol.35, p.190, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01621027

V. Lyubashevsky and D. Micciancio, Asymptotically EEcient Lattice-Based Digital Signatures, TCC, p.191, 2008.

B. Libert, F. Mouhartem, T. Peters, and M. Yung, Practical "signatures with eecient protocols" from simple assumptions, AsiaCCS, vol.5, p.16, 2016.

S. Ling, K. Nguyen, D. Stehlé, and H. Wang, Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications, Citations: § 35, vol.7778, p.169, 2013.
URL : https://hal.archives-ouvertes.fr/hal-00767548

S. Ling, K. Nguyen, and H. Wang, Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based, Citations: § 43, vol.9020, p.169, 2015.

S. Ling, K. Nguyen, H. Wang, and Y. Xu, Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease. In ACNS, p.44, 2017.

S. Ling, K. Nguyen, H. Wang, and Y. Xu, Constant-Size Group Signatures from Lattices. In PKC, p.191, 2018.

Y. Lindell and B. Pinkas, An eecient protocol for secure two-party computation in the presence of malicious adversaries, Eurocrypt, p.11, 2007.

B. Libert, T. Peters, M. Joye, and M. Yung, Linearly Homomorphic StructurePreserving Signatures and Their Applications. In Crypto, p.57, 2013.

B. Libert, T. Peters, M. Joye, and M. Yung, Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures, Eurocrypt, vol.53, p.54, 2014.
URL : https://hal.archives-ouvertes.fr/hal-00983147

B. Libert, T. Peters, M. Joye, and M. Yung, Compactly Hiding Linear Spans: Tightly Secure Constant-Size Simulation-Sound QA-NIZK Proofs and Applications, Asiacrypt, p.32, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01225363

B. Libert, T. Peters, and C. Qian, Structure-Preserving Chosen-Ciphertext Security with Shorter Veriiable Ciphertexts, PKC, vol.10174, pp.247-276

. Springer, Citations: § xviii and 4, 2017.

B. Libert, T. Peters, and M. Yung, Short group signatures via structure-preserving signatures: Standard model security from simple assumptions, Citations: § xviii, vol.9216, p.69, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01225353

A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf, Pseudonym Systems, SAC, vol.51, p.75, 1999.

A. Langlois and D. Stehlé, Worst-case to average-case reductions for module lattices. Designs, Codes and Cryptography, p.191, 2014.
URL : https://hal.archives-ouvertes.fr/hal-01091291

P. Q. Nguyen, J. Zhang, and Z. Zhang, Simpler eecient group signatures from lattices, Citations: § 77, vol.9020, p.118, 2015.

T. Okamoto, An eecient divisible electronic cash scheme, Crypto, vol.963, p.190, 1995.

T. Okamoto, EEcient Blind and Partially Blind Signatures Without Random Oracles, TCC, p.51, 2006.

K. Ohta and T. Okamoto, Universal electronic cash, Crypto, vol.576, p.190, 1991.

P. Paillier, Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, EUROCRYPT 1999, number 1592 in LNCS, p.118, 1999.

T. P. Pedersen, Non-Interactive and Information-Theoretic Secure Veriiable Secret Sharing, Crypto, p.34, 1991.

C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem, STOC, p.25, 2009.

T. Prest, Sharper Bounds in Lattice-Based Cryptography Using the Rényi Divergence, In Asiacrypt, vol.18, p.90, 2017.

D. Pointcheval and J. Stern, Security Proofs for Signature Schemes, Eurocrypt, p.31, 1996.

D. Pointcheval and J. Stern, Security Arguments for Digital Signatures and Blind Signatures, Journal of Cryptology, vol.13, issue.3, p.71, 2000.

D. Poincheval and O. Sanders, Short Randomizable Signatures, CT-RSA, p.75, 2016.

D. Pointcheval and O. Sanders, Reassessing Security of Randomizable Signatures, CT-RSA, p.51, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01903717

C. Papamanthou, E. Shi, R. Tamassia, and K. Yi, Streaming authenticated data structures, Eurocrypt, vol.7881, p.80, 2013.

C. Peikert and V. Vaikuntanathan, Non-interactive statistical zero-knowledge proofs for lattice problems, Citations: § 118, vol.5157, p.190, 2008.

C. Peikert, V. Vaikuntanathan, and B. Waters, A framework for eecient and composable oblivious transfer, Citations: § 146, vol.5157, p.190, 2008.

C. Peikert and B. Waters, Lossy Trapdoor Functions and Their Applications, STOC, p.192, 2008.

M. O. Rabin, Degree of diiculty of computing a function and a partial ordering of recursive sets, p.12, 1960.

M. Rabin, How to exchange secrets by oblivious transfer, Citations: § xvi, p.145, 1981.

O. Regev, On lattices, learning with errors, random linear codes, and cryptography, ACM, 2005. Citations: § xviii, vol.4, p.181

R. D. Rothblum, A. Sealfon, and K. Sotiraki, Towards Non-Interactive ZeroKnowledge for NP from LWE, 2018.

M. Rückert, Lattice-Based Blind Signatures, Asiacrypt, vol.6477, pp.413-430, 2010.

C. P. Schnorr, Security of 2 t-Root Identiication and Signatures, Crypto, vol.3, p.33, 1996.

M. Scott, Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number, 2002.

V. Shoup and R. Gennaro, Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Eurocrypt, p.66, 1998.

P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, Citations: § xv and 1, vol.41, pp.303-332, 1999.

V. Shoup, Sequences of Games: A Tool for Taming Complexity in Security Proofs. Tutorial, p.17, 2006.

R. Sakai, K. Ohgishi, and M. Kasahara, Cryptosystems Based on Pairings, Symposium on Cryptography and Information Security, pp.26-28, 2000.

Y. Sakai, J. Schuldt, K. Emura, G. Hanaoka, and K. Ohta, On the security of dynamic group signatures: Preventing signature hijacking, PKC, vol.7293, p.99, 2012.

J. Stern, A new paradigm for public key identiication, Citations: § xvii, vol.42, issue.6, p.88, 1996.

A. Sahai and B. Waters, Fuzzy identity-based encryption, Eurocrypt, number 3494 in LNCS, p.147, 2005.

Y. Tauman-kalai, Smooth projective hashing and two-message oblivious transfer, Eurocrypt'05, number 3494 in LNCS, p.146, 2005.

Y. Tsiounis, EEcient Electronic Cash: New Notions and Techniques, p.190, 1997.

M. Trolin and D. Wikström, Hierarchical Group Signatures, ICALP 2005, vol.3580, p.118, 2005.

M. Vanhoef and F. Piessens, Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, Citations: § xvii and, pp.1313-1328, 2017.

B. Waters, EEcient identity-based encryption without random oracles, Eurocrypt, pp.114-127, 2005.

X. Xie, R. Xue, and M. Wang, Zero knowledge proofs from Ring-LWE, CANS, vol.8257, p.118, 2013.

A. C. and -. Yao, How to generate and exchange secrets, FOCS, p.11, 1986.

T. H. Yuen, S. S. Chow, C. Zhang, S. M. Yiu, ;. Zhang et al., Oblivious transfer with access control: Realizing disjunction without duplication, Pairing, number 6847 in LNCS, pp.96-115, 2010.

. , Some security games examples

. , A lattice ? with two diierent basis

.. .. Lwe,

. , Abstract description of a ?-protocol

. , Security experiments for commitment schemes

. , The Schnorr ?-protocol for discrete logarithm

-. .. Ring,

.. .. Notations-for-stern-like-protocols,

. , Stern-like ZKAoK for the relation R abstract

, Relations between the protagonists in a dynamic group signature scheme, p.45

. .. , Experiment for security against misidentiication attacks, p.48

. , Experiment for security against framing attacks

. , Security experiments for

, Security experiment for the pseudo-random-ciphertext property for an IBE. . 124 List of Tables

. .. , Comparison between diierent group signature schemes, p.74

, Experimental results for the Pairing-Base group signature scheme, p.75

, Comparison between recent lattice-based group signatures, p.78

, Basic notations and extending/permuting techniques used in our protocols, p.170

, Comparison of the diierent adaptive OT protocols secure in the standard model 186

. , Comparison of the diierent adaptive OT-AC schemes secure in the standard model