Generate the RGSW public and secret keys: PK RGSW and SSK RGSW

Sample a challenge ? R ? {f ? R 2 | deg f < ?}, compute its encryption C ? = RGSW.Encrypt(PK RGSW , ?

Output the secret verification key SVK = SSK RGSW and the public key PK = (ck

(. Prove and P. K. Pp,

. Com, Commit(ck, µ ? ; r ? ) and c b = Com.Commit(ck, µ ?

. Homomorphically-compute,

, ? C ? the RGSW encryption of ? = ?µ + µ ?

. ?-c-r?, the RGSW encryption of r ? , the randomness of ? = ?µ + µ ?, p.88

Lattice-based Designated-Verifiable NIZK Argument and Application to a Voting Scheme, Chapter

. ?-c-r, 0 the RGSW encryption of r 0 , the randomness of (? ? ?)µ + µ ?

Output the proof ? = (c ? , c ? , C ? , C r? , C r 0 )

(. Verify, . Pk, C. Svk, and ?. ). , To verify the proof, 1. Compute ? = RGSW.Decrypt(SSK RGSW , C ? )

Also decrypt C r? and C r 0 , and verify that all the randomness is small

. Then and . Rgsw, Decrypt(SSK RGSW , C ? ), verify that: ? · c + c ? = Com.Commit(ck, ?

In the Setup algorithm, we have to encrypt n/? challenges (? k ) k?[0, n/? ) and denote by C ? k their RGSW encryptions. Indeed, we use the extractor of the ?-protocol to be able to show the culpable soundness property of the DVNIZK scheme.
