Homomorphic signature
6.2.3 Insecurity of HomSig
Succinct functional signatures, p.147
6.3.1 Definition of Functional Signatures
Universal signature aggregators
SNARKs with Data Privacy, p.167
7.1.1 Ensuring Correctness of Privacy-Preserving Computation, p.170
New bivariate computational assumptions, p.174
7.3.3 SNARK for Bivariate Polynomial (Partial) Evaluation, p.175
P.SNARK
SNARK for simultaneous evaluations, p.181
7.5.2 Succinct Proof of Simultaneous Evaluations in a Point k, p.182
Proof Systems for Arithmetic Function Evaluation over Polynomial Rings


P ∈ Z_q[X, Y] in some random point k ∈ Z_q. Our scheme is based on an algebraic property of polynomials. We remark that (X − k) perfectly divides the polynomial

P. Gen-;-?-,-r)-?-crs-1-;-g,-h-?$-g,-g-?$-g,-?,-s,-t-?$-z-q, 2: g := g ? , h := h ? , g := g ? 3: g ij := g s i t j , g ij := g s i t j ? i < d, j < 4: g 1 := g s , h 1 := h s 5: return crs as in Equation (7.2): crs = ck

C. , C. , ). :=-u, (. , and Q. , = w 2: W := P ? Q /(X ? k) 3: (D, ?) ? Biv.Com(W ) 4:g := h 1 /h k , x, y ?$ Z q 5: U := e(h xgy , g) 6: e ? RO(u, D, U) 7: ? = x ? (? ? ?)e mod q 8: ? = y ? ?e mod q, vol.9

P. Ver-;-crs,-u,-?)-?-b-1-;-c, C. , ). :=-u, and (. , = ? 2: (c, c) := C, ) := C , (d, d) := D 3: b 1 ? Biv.ComVer(C) 4: b 2 ? Biv.ComVer(C ) 5: b 3 ? Biv.ComVer(D) 6: A = e, vol.1

M.Gen(?, R_M) → crs: On input a security parameter ? ∈ N and an NP relation R := {(u = ({P_j}_j, k)

, P_j(k) = p_j}, define the associated relation

P(X, Y) := Σ_{j=0} P_j Y^j, Q(Y) := Σ_{j=0} p_j Y^j. Output the common reference string by running crs ← P

M.Prove(crs, u = (C, C′, k), w = ({p_j}_j, …)): Given crs, the instance u and the witness w, the prover defines new bivariate polynomials P(X, Y) := Σ_{j=0} P_j Y^j, Q(Y) := Σ_{j=0} p_j Y^j and computes the proof ? for those: ? ← P.Prove(crs

M.Ver(crs, u, ?) → b: Same algorithm as for partial-evaluation P.SNARK

MultiCom as follows: write W_j = Σ_{i=0}^{d} w_ij X^i; then running Uni.Com(ck, {W_j}_j) gives the same output (D, ?) as running Biv

C, C′ to some polynomials P ∈ Z_q[X, Y], Q ∈ Z_q[Y] such that P(k, Y) = Q(Y), then M.SNARK is a public coin argument of knowledge of openings of C and C′ to a set of polynomials {P_j}_j ∈ Z_q[X] and a set of scalars {p_j}_j ∈ Z_q such that P_j(k) = p_j ∀ 0 ≤ j <

From the output of this extended machine B* we can further extract {P_j := Σ_{i=0}^{d} p_ij X^i}_j, {p_j := q_j}_j, {W_j := Σ_{i=0}^{d} w_ij X^i}_j just by reading the respective coefficients p_ij, q_j, w_ij from the bivariate polynomials P = Σ_{i=0}^{d} Σ_{j=0} p_ij X^i Y^j, Q = Σ_{j=0} q_j Y^j. We first build a knowledge-extractor. This knowledge extractor directly follows from Lemma

. Therefore, there exists an extended machine A* that runs the aggregate machine B* under its output and further returns the same statement and proof as A together with an extended witness wit = ({P_j}_j, ?, {p_j}_j, ?′, {W_j}, ?; ?, ?), where P_j, W_j ∈ Z_q

Soundness. We reduce the soundness of M.SNARK to the soundness of P.SNARK. Suppose there exists an adversary A against the soundness of M.SNARK, with the corresponding associated extended machine A* that outputs a cheating proof ?* that passes the verification check with non-negligible probability. We then build an efficient adversary B against P.SNARK that runs the machine A* to break the protocol with non-negligible probability. B runs A*, which outputs the corresponding tuple proof-statement-witness u = (C, C′, k), ?* = (D, e, ?, ?′), wit = ({P_j}_j, ?, {p_j}_j, ?′, {W_j}, ?; ?, ?). Then, we can define some corresponding bivariate polynomials as follows and build an extractor for B: We have the corresponding polynomials P ∈ Z_q

, ? , R f ) ? crs 1: gk ? G(1 ? ), Gen, issue.1

H. ?$-g,-g-?$-g;-?,-s,-t-?$-z-q, 2: g := g ? , h := h ? , g := g ? , g 1 := g s , h 1 := h s 3: g i0 := g s i , g i0 := g s i ? 0 ? i ? ? 4: g ij := g s i t j , g ij := g s i t j ? 0 ? i ? d, 1 ? j ? 5: crs C := ck

C. , P. )-:=-x, (. {p-j-}-n-j=1-;-c, P. , C. et al., 6: t = T (k), p j = P j (k), k) 9: ? C ? M.Prove(crs C , u C , w C ), 10: ? ? ?(crs , u = (C , p, r), w ) 11: returns ? =, vol.5
