Batch Anonymous MAC Tokens from Lattices

Abstract

Solutions for DDoS protection employed by content delivery networks often burden honest users, especially those using privacy-enhancing tools like VPNs, by forcing them to solve many CAPTCHAs. Helping users avoid repeated CAPTCHAs, anonymous tokens (ATs) now offer a practical alternative to traditional anonymous credentials (ACs). Evolution of ATs, driven by IETF standardization, introduced features like the private metadata bit (Crypto ’20, Eurocrypt ’22), which encrypts challenge results for verifiers, preventing automated CAPTCHA solver. Regrettably, recent designs overlooked the original goal (PoPETS ’18) of batch-issuing tokens along with efficient batch proofs for validation. Moreover, most solutions lack post-quantum security, except a direct adaptation from ACs (ePrint ’23) that lacks private metadata support. Adopting lattice-based cryptography in existing AT designs is non-trivial, as they often employ intricate algebraic structures to ensure efficiency. Notably, a lattice-based AT in the keyed-verification setting that supports both batch proofs and private metadata bit remains absent.

For the first time, we propose a batch anonymous MAC token system from lattices, integrating techniques from verifiable oblivious pseudorandom function (PKC ’21) and practical zero-knowledge proof (Crypto ’22). Extending this design, our AT system supports public metadata (Eurocrypt ’22, FC ’22, PoPETS ’25) with minimal computational overhead. In practice, our AT is only 432 bytes with optimized parameters.

Appendices

A Further Potential Applications

Keyed-verification anonymous tokens are well-suited for scenarios where the token issuer has a vested interest in verifying issued tokens, as well as for relay settings that facilitate delegated verification. For instance, in access control encryption [45] (where the objective is to eliminate subliminal channels created by the client rather than maintaining a single private metadata bit from the issuer), the issuer can manage permissions and revocation by issuing tokens, while intermediary entities like sanitizers can serve as verifiers. Another application is (updatable) anonymous credentials with reputation [18, 35]. Our token could replace BBS+ signatures [6]. However, we need to accommodate additional hidden data, much like how BBS+ extends the original BBS signatures.

Single-tag certification is applicable in various scenarios, notably in anonymous payment systems. In layer-2 cryptocurrency systems such as LDSP [36]—a payment system collectively maintained by merchants who also receive the issued tokens—our anonymous tokens with public metadata can substitute partially blind signatures [17] in LDSP with certain adaptations. Firstly, the keyed-verification setting requires non-issuing recipients to communicate with the issuer immediately, unlike the delayed clearing process in the original LDSP design. Secondly, LDSP employs a distributed issuing process, necessitating the participation of all (of a small group of) distributed issuers for any token issuance.

Anonymous identity-based key issuing [23, 43] also only certifies a single field, which is the user identity. In a privacy-preserving architecture designed to eliminate key escrow in identity-based encryption (IBE) [15, 16], the system comprises an identity-certifying authority (ICA) that oversees and certifies user identities. Upon receiving anonymous proof from the ICA, the key generation center engages in an anonymous private key issuing protocol based on the certified hidden identity. To adapt our lattice-based construction to this framework, we need to instantiate it with a commitment scheme that is efficiently compatible with the associated IBE scheme for the issuance of IBE secret keys for hidden identities.

B Probability Distributions

Discrete Gaussian Distribution. In lattice-based cryptography, secret vectors are often sampled from a discrete Gaussian distribution. Rejection sampling is often used to ensure signatures or proofs are indistinguishable from this distribution.

Definition 8

\(\mathcal {D}_{\textbf{x}, s}^n(\textbf{z})\) below defines the discrete Gaussian distribution on \(\mathcal {R}^n\) centered around \(\textbf{x}\in \mathcal {R}^n\) with standard deviation \(s>0\):

$$\begin{aligned} \mathcal {D}_{\textbf{x}, s}^n(\textbf{z}) = \frac{e^{-\Vert \textbf{z}- \textbf{x}\Vert ^2/2\,s^2}}{\sum _{\textbf{z}' \in \mathcal {R}^n} e^{-\Vert \textbf{z}' \Vert ^2/2\,s^2}}. \end{aligned}$$

For \(\textbf{x}= 0\), we use \(\mathcal {D} _{s}^n\) for short.

Centered Binomial Distribution. Practical applications often use a substitute for the discrete Gaussian distribution. In our protocol, secret and noise vectors are sampled from a centered binomial distribution \(\mathcal {B}_\eta \) instead, defined as:

$$\mathcal {B}_\eta = \left\{ \sum _{i = 1}^{\eta }(a_i - b_i):a_i, b_i \in \{0, 1\} \right\} .$$

Its standard deviation is \(\sqrt{\eta /2}\). For a degree-\((d - 1)\) polynomial \(x \leftarrow \mathcal {B}_{\eta }^d \subset \mathcal {R}\), the Euclidean norm, or \(\ell ^2\)-norm \(||x|| \le \eta \sqrt{d}\). We write \(\mathcal {B}\) for short if \(\eta = 1\).

C ABDLOP Commitment and Proving Its Opening

We recall the ABDLOP commitment scheme [33], which is a combination of the Ajtai commitment [1] and BDLOP commitment [9] schemes.

• \(\textsf{Setup} (1^\lambda ) \rightarrow \textsf{pp} \): Take the security parameter \(1^\lambda \) as input and output the public parameters \(\textsf{pp} = (q, n_1, m_1, m_2, {n_2}, \mathcal {D}_{s_e})\), where \(\mathcal {D}_{s_e}\) is the distribution of \(\textbf{e}\).

• \(\textsf{KeyGen} (\textsf{pp}) \rightarrow \textsf{ck} \): Take the public parameters \(\textsf{pp} \) as input and output the commitment key \(\textsf{ck} \). In detail, it samples the matrices \(\textbf{E}_1 \leftarrow \mathcal {R}_q^{n_1\times m_1}, \textbf{E}_2 \leftarrow \mathcal {R}^{n_1 \times m_2}_q, \textbf{F}_1 \leftarrow \mathcal {R}_q^{{n_2} \times m_2}\) uniformly at random and \(\textsf{ck}:= (\textbf{E}_1, \textbf{E}_2, \textbf{F}_1)\).

• \(\textsf{Com} (\textsf{ck}, (\textbf{m}_1, \textbf{m}_2), \textbf{e}) \rightarrow c\): Take the commitment key \(\textsf{ck} \), the commitment messages \(\textbf{m}_1 \in \mathcal {R}_q^{m_1}, \textbf{m}_2 \in \mathcal {R}_q^{n_2} \), and the randomness \(\textbf{r}_1 \leftarrow \mathcal {D} _{s_r}^{m_2}\) as inputs and output a commitment c such that

  $$\begin{aligned} c := \begin{bmatrix} \textbf{t}_A \\ \textbf{t}_B \end{bmatrix} = \begin{bmatrix} \textbf{E}_1 \\ \textbf{0}\end{bmatrix} \textbf{m}_1 + \begin{bmatrix} \textbf{E}_2 \\ \textbf{F}_1 \end{bmatrix} \textbf{r}_1 + \begin{bmatrix} \textbf{0}\\ \textbf{m}_2 \end{bmatrix}. \end{aligned}$$

• \(\textsf{Open} (\textsf{ck}, c, (\textbf{m}_1, \textbf{m}_2), \textbf{e}) \rightarrow b\): Output \(b = 1\) if and only if

  $$\begin{aligned} c = \begin{bmatrix} \textbf{E}_1 \\ \textbf{0}\end{bmatrix} \textbf{m}_1 + \begin{bmatrix} \textbf{E}_2 \\ \textbf{F}_1 \end{bmatrix} \textbf{r}_1 + \begin{bmatrix} \textbf{0}\\ \textbf{m}_2 \end{bmatrix}; \end{aligned}$$

  otherwise, it outputs \(b = 0\).

Here, we recall the challenge space [33]. Define \(\mathcal {S}_\kappa = \left\{ x \in \mathcal {R}_q :\Vert x\Vert _{\infty } \le \kappa \right\} \). Fix \(\eta > 0\) and a power-of-two k, then the challenge space is:

$$\begin{aligned} {\mathcal {C}} = \left\{ c \in \mathcal {S}_\kappa :\textsf{Inv}(c) = c, \root 2k \of {\Vert c^{2k} \Vert _1} \le \eta \right\} . \end{aligned}$$

Then, we write \(\bar{{\mathcal {C}}}\) for a subtractive subset \(\bar{{\mathcal {C}}} := \left\{ c - c':(c, c' \in {\mathcal {C}}) \wedge (c \ne c') \right\} \). We set \(\kappa = 2\) and \(\eta = 59\) to implement the challenge space.

Fig. 5.

Rejection sampling

Proving an opening of the commitment is to prove the knowledge of a triple \((\textbf{m}_1, \textbf{m}_2, \textbf{e})\), where the prover calls the rejection sampling algorithm [31] (described as in Fig. 5) to ensure zero-knowledge. Like most previous work in lattice-based proofs, we recall the definition of a relaxed opening as follows.

Definition 9

A relaxed opening of the ABDLOP commitment \(\left( \textbf{t}_A, \textbf{t}_B \right) \) is a tuple \((\textbf{m}_1, \textbf{m}_2, \textbf{e}, c)\) which satisfies:

$$\begin{aligned} &\textbf{E}_1 \textbf{m}_1 + \textbf{E}_2 \textbf{r}_1 = \textbf{t}_A, \textbf{E}_2 \textbf{r}_1 + \textbf{m}_2 = \textbf{t}_B, & c \in \bar{{\mathcal {C}}}, \Vert c \textbf{m}_1 \Vert \le B_1, \Vert c \textbf{r}_1 \Vert \le B_2. \end{aligned}$$

Definition 10

(\(\boldsymbol{\textsf{MSIS}}_{q, \kappa , m, B}\)) Let \(q, \kappa , m > 0\) be integers, and B be a real number with \(0 < B < q\). Given \(\textbf{A}\leftarrow \mathcal {R}_q^{\kappa \times m} \), the module-SIS problem is to find a short solution \(\textbf{z}\in \mathcal {R}_q^m\) such that \(\textbf{Ax} = \textbf{0}\) and \(0< \Vert \textbf{x}\Vert \leqslant B\).

The following lemma shows the above commitment scheme is computationally binding and computationally hiding.

Lemma 1

([33]). The ABDLOP commitment scheme is computationally binding under the assumption that \(\textsf {MSIS} _{q, n_1, m_1 + m_2, B}\) is hard for the bound \(B = 4\eta \sqrt{B_1^2 + B_2^2}\), where \(\Vert c \textbf{m}_1 \Vert \le B_1, \Vert c \textbf{r}_1 \Vert \le B_2\). It is computationally hiding under the assumption that \(\textsf {MLWE} _{q, n_1 + {n_2}, m_2, s_r}\) is hard.

D NIZK Proof \(\varPi _1\)

Here, we describe the full proof for the relation \(R_1\). Its security refers to [33].

Let \(m = 2\lambda /d\) and \(m_1 = 2n + 2\lambda /d + 4 + k_1 + k_2 + k_3\). Let vectors \(w = (\textbf{m}_1, \textbf{m}_2) \in \mathcal {R}_q^{m_1 + n + 2}\), where \(\textbf{m}_1\) and \(\textbf{m}_2\) are defined in Section 4. Define a vector \(\textbf{g}= (g_1, \dots , g_\tau )\) for masking \(f_j\). By linear combination with a tuple of challenge values \((\mu _1, \ldots , \mu _\tau )\), we compile these functions into one:

$$\begin{aligned} f := \sum _{j = 1}^{\tau } \mu _j (g_j + f_j). \end{aligned}$$

(3)

We define message \(\textbf{m}:= (\textbf{m}_1 \Vert \textsf{Inv}(\textbf{m}_1) \Vert (\textbf{m}_2 \Vert \textbf{g}\Vert \textbf{y}_3 \Vert \textbf{y}_4) \Vert \textsf{Inv}(\textbf{m}_2 \Vert \textbf{g}\Vert \textbf{y}_3 \Vert \textbf{y}_4))\) \(\in \mathcal {R}_q^{2m_1 + 2(n + \tau + 512/d)}.\) The quadratic Eq. (3) can be written as \(\textbf{m}^\top \textbf{D}_2 \textbf{m}+ \textbf{d}_1^\top \textbf{m}+ d_0\). In detail, we set \(\textbf{d}_{2, 2}\) to be the second-row block of \(\textbf{D}_2\), and define:

$$\begin{aligned} \textbf{D}_2 := &~ \begin{bmatrix} \textbf{0}\\ \textbf{d}_{2, 2} \\ \textbf{0}\\ \textbf{0}\end{bmatrix}, \quad \textbf{d}_{2, 2}^\top := \begin{bmatrix} \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 2} )\textbf{I}_{n + 1} & \textbf{0}_{m_1 - n - 1} & \\ \textbf{0}_{n + 1} & \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 3} )\textbf{I}_{n + 1} & \textbf{0}\\ \textbf{0}_{2n + 2} & \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 1})\textbf{I}_{2\lambda /d} & \textbf{0}\\ \textbf{0}_{2n + m + 2} & \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 3})\textbf{I}_{k_1 + 1} & \textbf{0}\\ & \textbf{0}\\ \textbf{0}_{m_1 - k_2 - k_3 - 1} & \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 4})\textbf{I}_{k_2 + k_3 + 1} & \textbf{0}\\ & \textbf{0}\end{bmatrix}, \end{aligned}$$

(4)

$$\begin{aligned} \textbf{d}_1 := &~\textbf{d}_{1, 0} + \textbf{d}_{1, 1} + \textbf{d}_{1, 2},\end{aligned}$$

(5)

$$\begin{aligned} \textbf{d}_{1, 0} := & \begin{bmatrix} \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n}\gamma _{j, i + 7 + n}\textbf{a}_i + \sum \nolimits _{i = 1}^{2}\gamma _{j, i + 5}2h_{i, H}^{\textsf{G}} \\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n} \gamma _{j, i + 7 + n} \hat{\textbf{e}}_i + \sum \nolimits _{i = 1}^{2}\gamma _{j, i + 5}2h_{i, L}^{\textsf{G}}\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 1} \textbf{1}_{2\lambda /d} + \sum \nolimits _{i = 1}^{n}\gamma _{j, i + 7}2 h_{i, H}^{\textsf{H} _1} + \sum \nolimits _{i = 1}^{k_3}\gamma _{j, i + 5}\lfloor \frac{p}{2} \rceil \hat{e}_i)\\ \sum \nolimits _{j = 1}^{\tau } \mu _j (\sum \nolimits _{i = 1}^{k_2} \gamma _{j, i + 7 + 2n} \textbf{c}_i + \sum \nolimits _{i = 1}^{k_3} \gamma _{j, i + 7 + 2n + k_2} \textbf{d}_i)\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{k_2} \gamma _{j, i + 7 + 2n} \hat{\textbf{e}}_i \\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{k_3} \gamma _{j, i + 7 + 2n + k_2} \hat{\textbf{e}}_i \\ \textbf{0}_{m_1 + 1}\\ \sum \nolimits _{j = 1}^{\tau } \mu _j (\sum \nolimits _{i = 1}^{n} (\gamma _{j, i + 7 + n} + \gamma _{j, 7 + i} ) \hat{\textbf{e}}_i \\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n} \gamma _{j, i + 7} 2 h_{i, L}^{\textsf{H} _1} \\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{512} \gamma _{j, i + n + k_2 + k_3 + 5} \hat{\textbf{e}}_i \\ \vec {\mu }\\ \textbf{0}_{n + \tau + 512/d} \end{bmatrix}, \nonumber \\ \textbf{d}_{1, 1} := & \begin{bmatrix} \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{256} \gamma _{j, i + 7 + 2n + k_2 + k_3} \textsf{Inv}(R_{0, j})\\ \textbf{0}_{m_1 + 2(n + \tau + 512/d)} \end{bmatrix}, \nonumber \\ \textbf{d}_{1, 2} := & \begin{bmatrix} \textbf{0}_{2(n + 1) + m + k_1}\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{256} \gamma _{j, i + 7 + 2n + k_2 + k_3 + 256} \textsf{Inv}(R_{1, j})\\ \textbf{0}_{m_1 + 2(n + \tau + 512/d)} \end{bmatrix}, \nonumber \\ &\begin{aligned} d_0 := & - \sum _{j = 1}^{\tau } \mu _j (h_j + \sum _{i = 1}^{n} \gamma _{j, i + 7 + n} c_{i} + (\gamma _{j, 2} + \gamma _{j, 3}) \beta ^2_r + \gamma _{j, 4} \beta ^2_v + \gamma _{j, 5} \beta ^2_e \\ & + \sum _{i = 1}^{k_2} \gamma _{j, i + 7 + 2n} u_{i} + \sum _{i = 1}^{k_3} \gamma _{j, i + 7 + 2n + k_2} v_{i} + \sum _{i = 1}^{256} \gamma _{j, i + 7 + 2n + k_2 + k_3} z_{3, i} \\ & + \gamma _{j, i + 2n + k_2 + k_3 + 263} z_{4, i}). \end{aligned} \end{aligned}$$

(6)

Define matrix \(\textbf{F}_y\) and vectors \(\textbf{y}\), \(\textbf{t}_y\) and \(\textbf{z}\):

$$\begin{aligned} & \textbf{F}_y := \begin{bmatrix} \textbf{F}_1\\ \textbf{F}_g \\ \textbf{F}_3 \\ \textbf{F}_4 \end{bmatrix}, \textbf{y}:= \begin{bmatrix} \textbf{y}_1 \\ \textsf{Inv}(\textbf{y}_1) \\ - \textbf{F}_y \textbf{y}_2 \\ - \textsf{Inv}(\textbf{F}_y \textbf{y}_2) \end{bmatrix}, \textbf{t}_y := \begin{bmatrix} \textbf{t}_F \\ \textbf{t}_g \\ \textbf{t}_ 3\\ \textbf{t}_4 \end{bmatrix}, \textbf{z}:= \begin{bmatrix} \textbf{z}_1 \\ \textsf{Inv}(\textbf{z}_1) \\ c\textbf{t}_y - \textbf{F}_y \textbf{z}_2 \\ \textsf{Inv}(c\textbf{t}_y - \textbf{F}_y \textbf{z}_2) \end{bmatrix}. \end{aligned}$$

(7)

Now, we describe the full proof, which is non-interactive. For simplicity, we add the number of rounds each time we apply the Fiat-Shamir transform.

\(\textsf{Setup} (1^\lambda )\): On input of \(\lambda \) in unary, choose real numbers \(s_e, y_1, y_2, y_3, y_4\), sample matrices \(\textbf{E}_1 \in \mathcal {R}_q^{n_1 \times m_1}\), \(\textbf{E}_2 \in \mathcal {R}_q^{n_1 \times m_2}\), \(\textbf{F}_1 \in \mathcal {R}_q^{n \times m_2}\), \(\textbf{F}_g \in \mathcal {R}_q^{\tau \times m_2}\), \(\textbf{F}_3 \in \mathcal {R}_q^{(256/d) \times m_2}\), \(\textbf{F}_4 \in \mathcal {R}_q^{(256/d) \times m_2}\), \(\textbf{F}_5 \in \mathcal {R}_q^{3 \times m_2}\), and vector \(\textbf{f}_g\in \mathcal {R}_q^{m_2}\), and define hash functions \(\textsf{H} _1:\{0, 1\} ^* \rightarrow \mathcal {B}^{256 \times (m_1 + k_2 + k_3)d}\), \(\textsf{H} _2:\{0, 1\} ^* \rightarrow \mathbb {Z}_q^{\tau \times (7 + 2n + k_2 + k_3)}\), \(\textsf{H} _3:\{0, 1\} ^* \rightarrow \mathcal {R}_q^\tau \), and \(\textsf{H} _4:\{0, 1\} ^* \rightarrow \mathcal {C}\). Output \({\textsf{crs}}:= (s_e, y_1, y_2, y_3, y_4, \textbf{E}_1, \textbf{E}_2, \textbf{F}_1, \textbf{F}_g, \textbf{F}_3, \textbf{F}_4, \textbf{f}_g)\) and the statement \(x := (\textbf{D}, \textbf{C}, \textbf{A}, (\textbf{u}, \textbf{v}), \textbf{c}, \textsf{hk} ^{\textsf{H} _1}, \textsf{hk} ^{\textsf{G}})\).

\(\textsf{Prove} ({\textsf{crs}}, x, w)\): Prover \(\mathcal {P} \) performs the following given witness \(w = (\textbf{m}_1, \textbf{m}_2)\):

1. 1.

   First round:

   • Sample \(\textbf{r}_1 \leftarrow \mathcal {D} _{s_r}^{m_2}\), and compute \(\begin{bmatrix} \textbf{t}_E \\ \textbf{t}_F \end{bmatrix} = \begin{bmatrix} \textbf{E}_1 \\ \textbf{0}\end{bmatrix} \textbf{m}_1 + \begin{bmatrix} \textbf{E}_2 \\ \textbf{F}_1 \end{bmatrix} \textbf{r}_1 + \begin{bmatrix} \textbf{0}\\ \textbf{m}_2 \end{bmatrix}.\)

   • Sample \(\textbf{y}_1 \leftarrow \mathcal {D}_{y_1}^{m_1}\) and \(\textbf{y}_2 \leftarrow \mathcal {D}_{y_2}^{m_2}\) and set \(\textbf{w}:= \textbf{E}_1 \textbf{y}_1 + \textbf{E}_2 \textbf{y}_2\).

   • Sample \(\textbf{g}{\mathop {\leftarrow }\limits ^{\$}}\left\{ x \in \mathcal {R}_q:x_0 = 0 \right\} ^{\tau } \) and compute \(\textbf{t}_g := \textbf{F}_g \textbf{r}_1 + \textbf{g}\).

   • Sample \(\textbf{y}_3 \leftarrow \mathcal {D}_{y_3}^{256/d}, \textbf{y}_4 \leftarrow \mathcal {D}_{y_4}^{256/d}\).

   • Compute \(\textbf{t}_3 := \textbf{F}_3 \textbf{r}_1 + \textbf{y}_3, \textbf{t}_4 := \textbf{F}_4 \textbf{r}_1 + \textbf{y}_4\).

2. 2.

   Second round:

   • Define the commitment \(\alpha _1 := (\textbf{t}_3, \textbf{t}_4, \textbf{t}_g, \textbf{t}_E, \textbf{t}_F, \textbf{w})\).

   • Derive the challenge \(R = (R_0, R_1) := \textsf{H} _1 ({\textsf{crs}}, x, \alpha _1)\).

   • Denote \(\textbf{v}' = (\textbf{v}_0, \textbf{v}_1)\).

   • Compute \(\vec {z}_3 := R_0 \vec {m}_1 + \vec {y}_3\) and \(\vec {z}_4 := R_1 \vec {v}' + \vec {y}_4\).

   • Run rejection sampling \(\textsf{Rej}(\vec {z}_3, R_0\vec {m}, y_3)\) and \(\textsf{Rej}(\vec {z}_4, R_1\vec {v}', y_4)\).

3. 3.

   Third round:

   • Define the second response \(\alpha _2 := (\vec {z}_3, \vec {z}_4)\).

   • Compute the challenge \(\varGamma := [\gamma _{j, i}]_{j \in [\tau ], i \in [7 + 2n + k_ 2 + k_3]} = \textsf{H} _2({\textsf{crs}}, x, \alpha _1, \alpha _2).\)

   • Compute \(h_j := g_j + f_j, \forall j \in [1, \tau ]\) with \(f_j\) defined in Eq. (2).

4. 4.

   Fourth round:

   • Define the third response \(\alpha _3 := \textbf{h}= (h_1, \ldots , h_\tau )\).

   • Generate the challenges \(\boldsymbol{\mu } = (\mu _1, \ldots , \mu _\tau ) := \textsf{H} _3({\textsf{crs}}, x, \alpha _1, \alpha _2, \alpha _3)\).

   • Compute \(f := \sum _{j = 1}^{\tau } \mu _j h_j\).

   • Define \(\textbf{D}_2\), \(\textbf{d}_1\), \(d_0\) as in Eqs. (4) to (6).

   • Define \(\textbf{y}\) as in Eq. (7).

   • Compute the garbage term \(g_1 := \textbf{m}^\top \textbf{D}_2 \textbf{y}+ \textbf{y}^\top \textbf{D}_2 \textbf{m}+ \textbf{d}_1^\top \textbf{y}\) and its commitment \(t := \textbf{f}_g^\top \textbf{r}_1 + g_1\).

   • Set \(v := \textbf{y}^\top \textbf{D}_2 \textbf{y}+ \textbf{f}_g^\top \textbf{y}_2\).

5. 5.

   Fifth round:

   • Define the fourth response \(\alpha _4 := (t, v)\).

   • Derive \(c := \textsf{H} _4( {\textsf{crs}}, x, \alpha _1, \alpha _2, \alpha _3, \alpha _4)\).

   • Upon challenge c, compute \(\textbf{z}_1 = c\textbf{m}_1 + \textbf{y}_1\) and \(\textbf{z}_2 = c\textbf{r}_1 + \textbf{y}_2\) and run rejection sampling \(\textsf{Rej}(\textbf{z}_1, c\textbf{m}_1, y_1 )\) and \(\textsf{Rej}(\textbf{z}_2, c\textbf{e}, y_2)\) respectively.

   • Output the proof \(\pi _\textsf{ct}:= (\alpha _1, \alpha _2, \alpha _3, \alpha _4, \textbf{z}_1, \textbf{z}_2)\).

\(\textsf{Verify} ({\textsf{crs}}, x, \pi _\textsf{ct})\):

• Parse \(\pi _\textsf{ct}:= (\textbf{t}_3, \textbf{t}_4, \textbf{t}_g, \textbf{t}_E, \textbf{t}_F, \textbf{w}, \vec {z}_3, \vec {z}_4, \textbf{h}, t, v, \textbf{z}_1, \textbf{z}_2)\).

• Set \(\alpha _1 := (\textbf{t}_3, \textbf{t}_4, \textbf{t}_g, \textbf{t}_E, \textbf{t}_F, \textbf{w})\), \(\alpha _2 := (\vec {z}_3, \vec {z}_4)\), \(\alpha _3 := \textbf{h}\) and \(\alpha _4 := (t, v)\).

• Generate four hash values: \(R := \textsf{H} _1 ({\textsf{crs}}, x, \alpha _1)\), \(\varGamma := \textsf{H} _2({\textsf{crs}}, x, \alpha _1, \alpha _2)\), \(\boldsymbol{\mu } := \textsf{H} _3({\textsf{crs}}, x, \alpha _1, \alpha _2, \alpha _3)\), and \(c := \textsf{H} _4({\textsf{crs}}, x, \alpha _1, \alpha _2, \alpha _3, \alpha _4)\).

• Define \(\textbf{z}\) as in Eq. (7) and compute \(\textbf{D}_2, \textbf{d}_1, d_0\) as above.

• Accept if and only if all of the following hold:

  • \(\Vert \textbf{z}_1 \Vert \le B_1\), \(\Vert \textbf{z}_2\Vert \le B_2\), \(\Vert \textbf{z}_3\Vert \le B_3\), \(\Vert \textbf{z}_4\Vert _\infty \le B_4\);

  • \(\textbf{E}_1 \textbf{z}_1 + \textbf{E}_2 \textbf{z}_2 = \textbf{w}+ c\textbf{t}_E\);

  • \(\textbf{z}^\top \textbf{D}_2 \textbf{z}+ c\textbf{d}_1^\top \textbf{z}+ c^2d_0 - (ct - \textbf{f}_g^\top \textbf{z}_2) = v\);

  • constant coefficients of \(h_1, \ldots , h_\tau \) are 0s.

E NIZK Proof \(\varPi _2\)

This section describes the full proof for the relation \(R_2\). Let vector \(w = \textbf{m}_1 \in \mathcal {R}_q^{m_1}\), where \(m_1 = 4n + 7\) for short. For \(\textbf{m}:= (\textbf{m}_1 \Vert \textsf{Inv}(\textbf{m}_1) \Vert (\textbf{g}\Vert \textbf{y}_3) \Vert \textsf{Inv}(\textbf{g}\Vert \textbf{y}_3)) \in \mathcal {R}^{2 m_1 + 2\cdot (\tau + 2)}\), define \(\textbf{D}_2, \textbf{d}_1\), and \(d_0\) as follows.

$$\begin{aligned} \textbf{D}_2 \!:=\!& \begin{bmatrix} \textbf{0}\\ \textbf{d}_{2, 2} \\ \textbf{0}\\ \textbf{0}\end{bmatrix}, \textbf{d}_{2, 2}^\top \!:=\! \begin{bmatrix} \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 2n + 8} - \gamma _{j, 2n + 7}) & \textbf{0}& \\ 0 & \!\sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 2n + 2} )\textbf{I}_{n + 1} & \textbf{0}\\ \textbf{0}_{n + 2} & \!\sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 2n + 3})\textbf{I}_{n + 1} & \textbf{0}\\ \textbf{0}_{2n + 3} & \!\sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 2n + 4})\textbf{I}_{n + 1} & \textbf{0}\\ \textbf{0}_{3n + 4} & \!\sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 2n + 5})\textbf{I}_{n + 1} & \textbf{0}\\ & \textbf{0}\end{bmatrix} , \end{aligned}$$

(8)

$$\begin{aligned} \textbf{d}_1 := &\! \begin{bmatrix}\! \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, 2n + 7}\textbf{1}_2 \!-\! \sum \nolimits _{i = 1}^n\!\gamma _{j, i + 1 + n}t_{i})\!\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n}(\gamma _{j, i + 1} \textbf{a}_i + \gamma _{j, 1}\textbf{c})\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n} \gamma _{j, i + 1} \hat{\textbf{e}}_i\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n}(\gamma _{j, i + 1 + n} \textbf{a}_i + \gamma _{j, 1}\textbf{b})\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n} \gamma _{j, i + 1 + n} \hat{\textbf{e}}_i\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, 1}\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, 1}\\ \textbf{0}\\ \vec {\mu }\\ \textbf{0}_{\tau + 2} \end{bmatrix}+ \begin{bmatrix} \!\sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{256} \gamma _{j, i + n + 5} \textsf{Inv}(R_{j})\! \\ \textbf{0}_{m_1 + 2(\tau + 2)} \end{bmatrix}, \end{aligned}$$

(9)

$$\begin{aligned} & \begin{aligned} d_0 := & -\sum _{j = 1}^{\tau } \mu _j (h_j + \gamma _{j, 1} h + \sum _{i = 1}^{n} \gamma _{j, i + 1} t_{i} + \sum _{i = 1}^{4}\gamma _{j, i + 2n + 1} \beta ^2_r + \gamma _{j, 2n + 6} \beta ^2_e \\ & + \gamma _{j, 2n + 8} + \sum _{i = 1}^{256} \gamma _{j, n + 4 + i} z_{3, i}). \end{aligned} \end{aligned}$$

(10)

Define matrix \(\textbf{F}_y\) and vectors \(\textbf{y}\), \(\textbf{t}_y\), and \(\textbf{z}\):

$$\begin{aligned} \begin{aligned} & \textbf{F}_y := \begin{bmatrix} \textbf{F}_g \\ \textbf{F}_3 \end{bmatrix}, \textbf{t}_y := \begin{bmatrix} \textbf{t}_g \\ \textbf{t}_3 \end{bmatrix}, \textbf{y}:= \begin{bmatrix} \textbf{y}_1 \\ \textsf{Inv}(\textbf{y}_1) \\ - \textbf{F}_y \textbf{y}_2 \\ - \textsf{Inv}(\textbf{F}_y \textbf{y}_2) \end{bmatrix}, \textbf{z}:= \begin{bmatrix} \textbf{z}_1 \\ \textsf{Inv}(\textbf{z}_1) \\ c\textbf{t}_y - \textbf{F}_y \textbf{z}_2 \\ \textsf{Inv}(\textbf{t}_y - \textbf{F}_y \textbf{z}_2) \end{bmatrix}.\! \end{aligned} \end{aligned}$$

(11)

Below, we describe the non-interactive proof from the Fiat–Shamir transformation. The verification is consistent with that in Appendix D and is omitted. \(\textsf{Setup} (1^\lambda )\): On input of \(\lambda \) in unary, choose real numbers \(s_e, y_1, y_2, y_3\), sample matrices \(\textbf{E}_1 \in \mathcal {R}_q^{n_1 \times m_1}\), \(\textbf{E}_2 \in \mathcal {R}_q^{n_1 \times m_2}\), \(\textbf{F}_g \in \mathcal {R}_q^{\tau \times m_2}\), \(\textbf{F}_3 \in \mathcal {R}_q^{(256/d) \times m_2}\), \(\textbf{F}_4 \in \mathcal {R}_q^{2 \times m_2}\), and vector \(\textbf{f}_g\in \mathcal {R}_q^{m_2}\), and define hash functions \(\textsf{H} _1:\{0, 1\} ^* \rightarrow \mathcal {B}^{256 \times m_1d}\), \(\textsf{H} _2:\{0, 1\} ^* \rightarrow \mathbb {Z}_q^{\tau \times (2n + 264)}\), \(\textsf{H} _3:\{0, 1\} ^* \rightarrow \mathcal {R}_q^\tau \), \(\textsf{H} _4:\{0, 1\} ^* \rightarrow \mathcal {C}\). Output \({\textsf{crs}}:= (s_e, y_1, y_2, y_3, \textbf{E}_1, \textbf{E}_2, \textbf{F}_g, \textbf{F}_3, \textbf{F}_4, \textbf{f}_g)\) and the statement \(x := (h, \textbf{t}, \textbf{t}_0, \textbf{t}_1, \textbf{c}, \textbf{b}, \textbf{A})\).

\(\textsf{Prove} ({\textsf{crs}}, x, w = \textbf{m}_1 := (\nu \Vert \textbf{s}\Vert a_1 \Vert \textbf{e}\Vert a_2 \Vert \textbf{s}_\textsf{b} \Vert a_3 \Vert \textbf{e}_\textsf{b} \Vert a_4 \Vert e_3 \Vert a_5) \in \mathcal {R}_q^{4n + 7})\):

1. 1.

   First round:

   • Sample \(\textbf{r}_1 \leftarrow \mathcal {D} _{s_r}^{m_2}\) and compute the commitment \(\textbf{t}_E = \textbf{E}_1 \textbf{m}_1 + \textbf{E}_2 \textbf{r}_1 \).

   • Sample \(\textbf{y}_1 \leftarrow \mathcal {D}_{y_1}^{m_1}\) and \(\textbf{y}_2 \leftarrow \mathcal {D}_{y_2}^{m_2}\) and set \(\textbf{w}:= \textbf{E}_1 \textbf{y}_1 + \textbf{E}_2 \textbf{y}_2\).

   • Sample \(\textbf{g}{\mathop {\leftarrow }\limits ^{\$}}\left\{ x \in \mathcal {R}_q:x_0 = 0 \right\} ^{\tau } \) and compute \(\textbf{t}_g := \textbf{F}_g \textbf{r}_1 + \textbf{g}\).

   • Sample \(\textbf{y}_3 \leftarrow \mathcal {D}_{y_3}^{256/d}\) and compute \(\textbf{t}_3 := \textbf{F}_3 \textbf{r}_1 + \textbf{y}_3\).

2. 2.

   Second round:

   • Define \(\alpha _1 := (\textbf{t}_3, \textbf{t}_g, \textbf{t}_E, \textbf{w})\), derive challenge \(R := \textsf{H} _1 ({\textsf{crs}}, x, \alpha _1)\).

   • Compute \(\vec {z}_3 := R \vec {m}_1 + \vec {y}_3\) and run rejection sampling \(\textsf{Rej}(\vec {z}_3, R\vec {m}_1, y_3)\).

3. 3.

   Third round:

   • Define \(\alpha _2 := \vec {z_3}\) and compute the challenge \(\varGamma := [\gamma _{j, i}]_{j \in [\tau ], i \in [2n + 264]} = \textsf{H} _2({\textsf{crs}}, x, \alpha _1, \alpha _2).\)

   • Compute \(h_j := g_j + f_j, \forall j \in [1, \tau ]\) with \(f_j\) defined as \(f_j := \sum _{i = 1}^{n + 4} \gamma _{j, i} G_i\).

4. 4.

   Fourth round:

   • Define \(\alpha _3 := \textbf{h}= (h_1, \ldots , h_\tau )\).

   • Generate the challenges \(\boldsymbol{\mu } = (\mu _1, \ldots , \mu _\tau ) := \textsf{H} _3({\textsf{crs}}, x, \alpha _1, \alpha _2, \alpha _3)\).

   • Compute \(f := \sum _{j = 1}^{\tau } \mu _j h_j\).

   • Define \(\textbf{D}_2\), \(\textbf{d}_1\), and \(d_0\) as in Eqs. (8) to (10).

   • Define \(\textbf{y}\) as in Eq. (11).

   • Compute the garbage term \(g_1 := \textbf{m}^\top \textbf{D}_2 \textbf{y}+ \textbf{y}^\top \textbf{D}_2 \textbf{m}+ \textbf{d}_1^\top \textbf{y}\) and the commitment \(t := \textbf{f}_g^\top \textbf{r}_1 + g_1\).

   • Set \(v := \textbf{y}^\top \textbf{D}_2 \textbf{y}+ \textbf{f}_g^\top \textbf{y}_2\).

5. 5.

   Fifth round:

   • Define \(\alpha _4 := (t, v)\) and \(c := \textsf{H} _4( {\textsf{crs}}, x, \alpha _1, \alpha _2, \alpha _3, \alpha _4)\).

   • Upon challenge c, compute \(\textbf{z}_1 = c\textbf{m}_1 + \textbf{y}_1\) and \(\textbf{z}_2 = c\textbf{r}_1 + \textbf{y}_2\) and run rejection sampling \(\textsf{Rej}(\textbf{z}_1, c\textbf{m}_1, y_1 )\) and \(\textsf{Rej}(\textbf{z}_2, c\textbf{r}_1 , y_2)\), respectively.

   • Output the proof \(\pi _\textsf{ct}:= (\alpha _1, \alpha _2, \alpha _3, \alpha _4, \textbf{z}_1, \textbf{z}_2)\).

F Batching

We first define the following before describing the batch-proof protocol. Let the witness \(w = \textbf{m}_1 := (\vec {\textsf{b}} \Vert \textbf{s}\Vert a_0 \Vert \textbf{e}\Vert a_1 \Vert \textbf{s}_0 \Vert a_2 \Vert \textbf{e}_0 \Vert a_3 \Vert \textbf{s}_1 \Vert a_4 \Vert \textbf{e}_1 \Vert a_5\Vert \textbf{e}_3 \Vert a_6) \in \mathcal {R}_q^{m_1}\), where \(m_1 = 6n + 7 + N\). Define \(N + 3n + 9\) functions \(E_1, \ldots , E_{N + 3n + 9}\) as follows:

$$\begin{aligned} \forall i \in [1, N], & E_i\!=\! \textbf{s}^\top \textbf{c}_i + \textsf{Inv}(\textbf{s}_0)^\top \textbf{b}(1 - \textsf{b} _i)+ \textsf{Inv}(\textbf{s}_1)^\top \textbf{b}\textsf{b} _i + \hat{\textbf{e}}_i^\top \textbf{e}_3 - \textbf{h}_i; \\ \forall i \in [1, n],~& E_{i + N} = \textbf{a}_i^\top \textbf{s}_{0} + \hat{\textbf{e}}_i^\top \textbf{e}_0 - t_{0, i};~ E_{i + n + N} = \textbf{a}_i^\top \textbf{s}_{1} + \hat{\textbf{e}}_i^\top \textbf{e}_1 - t_{1, i}; \\ \forall i \in [1, n],~& E_{i + 2n + N} = \textbf{a}_i^\top \textbf{s}+ \hat{\textbf{e}}_i^\top \textbf{e}- t_{i}; \\ E_{1 + 3n + N} & = \textsf{Inv}(\textbf{s}\Vert a_0)^\top (\textbf{s}\Vert a_0) - \beta _r^2;~ E_{2 + 3n + N} = \textsf{Inv}(\textbf{s}\Vert a_1)^\top (\textbf{s}\Vert a_1) - \beta _r^2; \\ E_{3 + 3n + N} & = \textsf{Inv}(\textbf{s}_0 \Vert a_0)^\top (\textbf{s}_0 \Vert a_0) - \beta _r^2;~ E_{4 + 3n + N} = \textsf{Inv}(\textbf{s}_1 \Vert a_1)^\top (\textbf{s}_1 \Vert a_1) - \beta _r^2; \\ E_{5 + 3n + N} & = \textsf{Inv}(\textbf{e}_0 \Vert a_2)^\top (\textbf{e}_0 \Vert a_2) - \beta _r^2;~E_{6 + 3n + N} = \textsf{Inv}(\textbf{e}_1 \Vert a_3)^\top (\textbf{e}_1 \Vert a_3) - \beta _r^2; \\ E_{7 + 3n + N} & = \textsf{Inv}(\textbf{e}_3 \Vert a_3)^\top (\textbf{e}_3 \Vert a_3) - N\beta _e^2;~E_{8 + 3n + N} = \textsf{Inv}(\textbf{1}- \vec {\textsf{b}})^\top \vec {\textsf{b}}; \\ E_{9 + 3n + N} & = \textsf{Inv}(\vec {\textsf{b}})^\top \vec {\textsf{b}} - N; \end{aligned}$$

where \(\textbf{a}_i, \textbf{c}_i\) are the i-th column of matrix \(\textbf{A}, \textbf{C}\); \(\textbf{h}_i, t_{i}\) denote the i-th entry of \(\textbf{h}, \textbf{t}\), respectively; \(\hat{\textbf{e}}_i\) is a unit vector \(\hat{e}_i\) with its i-th entry being 1.

Define messages: \(\textbf{m}:= (\textbf{m}_1 \Vert \textsf{Inv}(\textbf{m}_1) \Vert (\textbf{g}\Vert \textbf{y}_3) \Vert \textsf{Inv}(\textbf{g}\Vert \textbf{y}_3)) \in \mathcal {R}^{2m_1 + 2\cdot (\tau + 2)}\). The quadratic equation can be written as \(f := \textbf{m}^\top \textbf{D}_2 \textbf{m}+ \textbf{d}_1^\top \textbf{m}+ d_0\) for the following \(\textbf{D}_2, \textbf{d}_1, d_0\), where \(\tilde{N} = N + 3n\) (as a shorthand used in defining \(\textbf{d}_{2, 2}^\top \)).

$$\begin{aligned} \!\textbf{D}_2\!:= & \! \begin{bmatrix} \textbf{0}\\ \!\textbf{d}_{2, 2}\!\\ \textbf{0}\\ \textbf{0}\end{bmatrix}, \textbf{d}_{2, 2}^\top := \begin{bmatrix} \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, \tilde{N} + 9} - \gamma _{j, \tilde{N} + 8}) & \textbf{0}\\ 0 & \!\sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, \tilde{N} + 1} \textbf{I}_{n + 1}\! & \textbf{0}\\ \textbf{0}_{n + 2} & \!\sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, \tilde{N} + 2} \textbf{I}_{n + 1}\! & \textbf{0}\\ \textbf{0}_{2n + 3} & \!\sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, \tilde{N} + 3} \textbf{I}_{n + 1}\! & \textbf{0}\\ \textbf{0}_{3n + 4} & \!\sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, \tilde{N} + 4} \textbf{I}_{n + 1}\! & \textbf{0}\\ \textbf{0}_{4n + 5} & \!\sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, \tilde{N} + 5} \textbf{I}_{n + 1}\! & \textbf{0}\\ \textbf{0}_{5n + 6} & \!\sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, \tilde{N} + 6} \textbf{I}_{n + 1}\! & \textbf{0}\\ \textbf{0}_{6n + 7} & \sum \nolimits _{j = 1}^{\tau } \mu _j (\gamma _{j, \tilde{N} + 7}) \textbf{I}_N & \textbf{0}\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^N\gamma _{j, i}\textbf{b}& \textbf{0}\\ - \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^N\gamma _{j, i}\textbf{b}& \textbf{0}\end{bmatrix}, \end{aligned}$$

(12)

$$\begin{aligned} \!\textbf{d}_1\!:= &\!\begin{bmatrix} \sum \nolimits _{j = 1}^{\tau } \mu _j \gamma _{j, 8 + 3n + N} \\ \!\sum \nolimits _{j = 1}^{\tau }\!\mu _j (\sum \nolimits _{i = 1}^N\!\!\gamma _{j, i} \textbf{c}_i\!+\!\sum \nolimits _{i = 1}^n \!\gamma _{j, i + N} \textbf{a}_i)\!\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n} \gamma _{j, i + N} \hat{\textbf{e}}_i\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^n \gamma _{j, i + n + N} \textbf{a}_i\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n} \gamma _{j, i + n + N} \hat{\textbf{e}}_i\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^n \gamma _{j, i + 2n + N} \textbf{a}_i\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{n} \gamma _{j, i + 2n + N} \hat{\textbf{e}}_i\\ 0\\ \sum \nolimits _{j = 1}^{\tau } \mu _j \sum \nolimits _{i = 1}^{N} \gamma _{j, i} \hat{\textbf{e}}_i\\ \textbf{0}_{m_1 + 1} \\ \sum \nolimits _{j = 1}^{\tau }\! \mu _j\! \sum \nolimits _{i = 1}^{256} \gamma _{j, i + 3n + N + 8} \hat{\textbf{e}}_i \\ \vec {\mu }\\ \textbf{0}_{\tau + 2} \end{bmatrix}+ \begin{bmatrix} \!\sum \nolimits _{j = 1}^{\tau }\!\mu _j\!\sum \nolimits _{i = 1}^{256}\!\gamma _{j, i + N + n + 4} \textsf{Inv}(R_{j})\! \\ \textbf{0}_{m_1 + 2(\tau + 2)} \end{bmatrix}, \end{aligned}$$

(13)

$$\begin{aligned} \begin{aligned} d_0 := &-\!\sum _{j = 1}^{\tau } \mu _j( \sum _{i = 1}^N \gamma _{j, i} \textbf{h}_{i} +\!\sum _{i = 1}^n \gamma _{j, N + i} t_{i} - h_j +\!\sum _{i = 1}^7 \gamma _{j, N + 3n + i} \beta ^2_r + \sum _{i = 1}^n \gamma _{j, N + n + i} t_{0, i} \\ + & \sum _{i = 1}^n \gamma _{j, N + 2n + i} t_{1, i} + \gamma _{j, N + 2n + 5} N\beta ^2_e + \gamma _{j, N + 2n + 9} N +\!\sum _{i = 1}^{256} \gamma _{j, 2n + 5 + N + i} z_{3, i}). \end{aligned} \end{aligned}$$

(14)

\(\textsf{Setup} (1^\lambda )\): On input of the security parameter \(\lambda \) in unary, choose real numbers \(s_e, y_1, y_2, y_3\), sample \(\textbf{E}_1 \in \mathcal {R}_q^{n_1 \times m_1}\), \(\textbf{E}_2 \in \mathcal {R}_q^{n_1 \times m_2}\), \(\textbf{F}_g \in \mathcal {R}_q^{\tau \times m_2}\), \(\textbf{F}_3 \in \mathcal {R}_q^{(256/d) \times m_2}\), and \(\textbf{f}_g\in \mathcal {R}_q^{m_2}\). Define hash functions \(\textsf{H} _1:\{0, 1\} ^* \rightarrow \mathcal {B}^{256 \times m_1 d}\), \(\textsf{H} _2:\{0, 1\} ^* \rightarrow \mathbb {Z}_q^{\tau \times (N + 3n + 9 + 256)}\), \(\textsf{H} _3:\{0, 1\} ^* \rightarrow \mathcal {R}_q^\tau \), and \(\textsf{H} _4:\{0, 1\} ^* \rightarrow \mathcal {C}\). Output \({\textsf{crs}}:= (\textbf{E}_1, \textbf{E}_2, \textbf{F}_g, \textbf{F}_3, \textbf{f}_g)\) and the statement \(x := (h, \textbf{t}, \textbf{t}_0, \textbf{t}_1, \textbf{b}, \textbf{c}, \textbf{A})\).

\(\textsf{Prove} ({\textsf{crs}}, x, w)\): Given the witness \(w = \textbf{m}_1 := (\vec {\textsf{b}} \Vert \textbf{s}\Vert a_0 \Vert \textbf{e}\Vert a_1 \Vert \textbf{s}_0 \Vert a_2 \Vert \textbf{e}_0 \Vert a_3 \Vert \textbf{s}_1 \Vert a_4 \Vert \textbf{e}_1 \Vert a_5\Vert \textbf{e}_3 \Vert a_6) \in \mathcal {R}_q^{m_1}\), prover \(\mathcal {P} \) does:

1. 1.

   First round:

   • Set \(\textbf{m}_1' := (\textbf{m}_1 \Vert \textbf{b})\) and compute the commitment \(\textbf{t}_E = \textbf{E}_1 \textbf{m}_1' + \textbf{E}_2 \textbf{e}\).

   • Sample \(\textbf{y}_1 \leftarrow \mathcal {D}_{y_1}^{m_1}\) and \(\textbf{y}_2 \leftarrow \mathcal {D}_{y_2}^{m_2}\), and set \(\textbf{w}:= \textbf{E}_1 \textbf{y}_1 + \textbf{E}_2 \textbf{y}_2\).

   • Sample \(\textbf{g}{\mathop {\leftarrow }\limits ^{\$}}\left\{ x \in \mathcal {R}_q:x_0 = 0 \right\} ^{\tau }\), \(\textbf{r}_1 \leftarrow \mathcal {D} _{s_r}^{m_2}\), and compute \(\textbf{t}_g := \textbf{F}_g \textbf{r}_1 + \textbf{g}\).

   • Sample \(\textbf{y}_3 \leftarrow D_{y_3}^{256/d}\) and compute \(\textbf{t}_3 := \textbf{F}_3 \textbf{r}_1 + \textbf{y}_3\).

2. 2.

   Second round:

   • Define \(\alpha _1 := (\textbf{t}_3, \textbf{t}_g, \textbf{t}_E, \textbf{w})\), derive challenge \(R := \textsf{H} _1 ({\textsf{crs}}, x, \alpha _1)\).

   • Compute \(\vec {z}_3 := R \vec {m}_1 + \vec {y}_3\) and run rejection sampling \(\textsf{Rej}(\vec {z}_3, R\vec {m}_1, y_3)\).

3. 3.

   Third round:

   • Define \(\alpha _2 := \vec {z_3}\).

   • Derive the challenge \(\varGamma = [\gamma _{j, i}]_{j \in [\tau ], i \in [N + 3n + 9 + 256]}\) from \(\textsf{H} _2({\textsf{crs}}, x, \alpha _1, \alpha _2).\)

   • Compute \(h_j := g_j + f_j, \forall j \in [1, \tau ]\) where \(f_j := \sum _{i = 1}^{N + n + 4} \gamma _{j, i} E_i\).

4. 4.

   Fourth round:

   • Define \(\alpha _3 := \textbf{h}= (h_1, \ldots , h_\tau )\).

   • Generate the challenges \(\boldsymbol{\mu } = (\mu _1, \ldots , \mu _\tau )\) from \(\textsf{H} _3({\textsf{crs}}, x, \alpha _1, \alpha _2, \alpha _3)\).

   • Compute \(f := \sum _{j = 1}^{\tau } \mu _j h_j\)

   • Define \(\textbf{y}\) as in Eq. (11).

   • Define \(\textbf{D}_2\), \(\textbf{d}_1\), and \(d_0\) as in Eqs. (12) to (14).

   • Compute the garbage term \(g_1 := \textbf{m}^\top \textbf{D}_2 \textbf{y}+ \textbf{y}^\top \textbf{D}_2 \textbf{m}+ \textbf{d}_1^\top \textbf{y}\).

   • Compute the commitment \(t := \textbf{f}_g^\top \textbf{r}_1 + g_1\).

   • Set \(v := \textbf{y}^\top \textbf{D}_2 \textbf{y}+ \textbf{f}_g^\top \textbf{y}_2\).

5. 5.

   Fifth round:

   • Define \(\alpha _4 := (t, v)\) and \(c := \textsf{H} _4( {\textsf{crs}}, x, \alpha _1, \alpha _2, \alpha _3, \alpha _4)\).

   • Upon challenge c, compute \(\textbf{z}_1 = c\textbf{m}_1 + \textbf{y}_1\) and \(\textbf{z}_2 = c\textbf{r}_1 + \textbf{y}_2\) and run rejection sampling \(\textsf{Rej}(\textbf{z}_1, c\textbf{m}_1, y_1 )\) and \(\textsf{Rej}(\textbf{z}_2, c\textbf{r}_1 , y_2)\) respectively.

   • Output the proof \(\pi _\textsf{ct}:= (\alpha _1, \alpha _2, \alpha _3, \alpha _4, \textbf{z}_1, \textbf{z}_2)\).