Journal of Applied Mathematics

Volume 2014, Article ID 371924, 12 pages

http://dx.doi.org/10.1155/2014/371924

## Strongly Unforgeable Ring Signature Scheme from Lattices in the Standard Model

CIST (Center for Information Security Technologies), Korea University, Anam-dong, Seongbuk-gu, Seoul 136-713, Republic of Korea

Received 14 November 2013; Accepted 21 April 2014; Published 5 May 2014

Academic Editor: Jongsung Kim

Copyright © 2014 Geontae Noh et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

In a ring signature scheme, a user selects an arbitrary ring to be able to sign a message on behalf of the ring without revealing the signer’s identity. Whistle-blowers especially find this useful. To date, various ring signature schemes have been proposed, all considered to be secure as existentially unforgeable with respect to insider corruption; that is, an adversary who chooses ring-message pairs for which he requests signatures, corrupts honest users, and obtains their signing keys can not produce forgeries for new ring-message pairs. Lattice-based ring signature schemes offer lower computational overhead and security from quantum attacks. In this paper, we offer a lattice-based scheme. We begin by showing that the existing ring signature schemes are not sufficiently secure, because existential unforgeability still permits a signer to potentially produce a new signature on previously signed messages. Furthermore, we show that existing ring signature schemes from lattices are not even existentially unforgeable with respect to insider corruption. We then improve previous schemes by applying, for the first time, the concept of strong unforgeability with respect to insider corruption to a ring signature scheme in lattices. This offers more security than any previous ring signature scheme: adversaries cannot produce new signatures for any ring-message pair, including previously signed ring-message pairs.

#### 1. Introduction

Ring signatures were first introduced by Rivest et al. in 2001 in order to provide anonymity to signers [1]. The classic case of a signer who wishes to remain anonymous would be a whistle-blower, who wants to identify a problem without exposing himself as the source. Anyone seeking to expose wrongdoing or leak a secret would want to remain anonymous. Prior to the advent of the ring signature, group signatures were the best way to achieve this; however, group signatures have a group manager who can identify the signer and so complete anonymity is not possible. By contrast, a signer can select a ring for the signature, and no one can trace which member of the ring is the actual signer.

In 2004, Dodis et al. proposed a ring signature scheme in the random oracle model using the Fiat-Shamir transformation [2, 3]. In 2006, Bender et al. proposed new definitions of anonymity and existential unforgeability and first proposed ring signature schemes in the standard model [4]. In 2007, Shacham and Waters proposed efficient ring signature schemes in the standard model based on bilinear groups [5]. In addition to these, various ring signature schemes have been studied [6–11].

All of these early ring signatures used non-lattice-based approaches. These cryptographic systems were based on integer factorization and discrete logarithm problems, which are average-case problems. These non-lattice-based approaches did not offer security against quantum computing attacks [12]. These early ring signatures also entailed more computational overhead because they require exponentiation, although they did offer existential unforgeability with respect to insider corruption and anonymity against full key exposure. Lattice-based cryptographic systems held promise in reducing computational overhead since they only require linear operations on matrices [13–18].

In order to try to reduce computational overhead and make ring signatures secure against quantum computing attacks, Brakerski and Kalai introduced the first lattice-based system for ring signatures in 2010, using ring trapdoor functions [19]. The lattice-based approach is based on worst-case problems, which offers the sought-for security against quantum computing attacks; however, Brakerski-Kalai’s ring signature scheme did not satisfy existential unforgeability with respect to insider corruption. In 2010, Cayrel et al. proposed a threshold ring signature scheme over ideal lattices (ideal lattices are described as ideals of certain polynomial rings; that is, ideal lattices are a special case of lattices) in the random oracle model; however, Cayrel et al.’s threshold ring signature scheme did not satisfy existential unforgeability with respect to insider corruption [20]. In 2011, Wang and Sun proposed two ring signature schemes, one in the random oracle model and one in the standard model, using lattice-based delegation techniques [21]. They claimed their ring signature schemes offered the existential unforgeability that had been lacking in Brakerski-Kalai’s ring signature scheme, but they in fact did not (see Section 3). In 2013, Aguilar Melchor et al. proposed a new ring signature scheme over ideal lattices; however, Aguilar Melchor et al.’s ring signature scheme is only existentially unforgeable with respect to insider corruption in the random oracle model [22]. Table 1 shows the comparison of ring signature schemes.

In addition to showing that Wang and Sun’s ring signature scheme does not offer existential unforgeability, we introduce a novel lattice-based ring signature scheme that reduces the computational overhead inherent in nonlattice based schemes while successfully offering existential unforgeability with respect to insider corruption. Indeed, we are the first to suggest strong unforgeability for ring signatures, which is stronger than existential unforgeability.

Before the work on strong unforgeability [23–25], if a signature scheme is existentially unforgeable, it has been considered to be secure. In other words, an adversary who chooses messages for which she requests signatures should not be able to produce signatures for new messages. However, in an existentially unforgeable signature scheme, the adversary could potentially produce a new signature on one or more of the previously signed messages. By contrast, if a signature scheme is strongly unforgeable, the adversary cannot ever produce a new signature for any message, including previously signed messages. Strongly unforgeable signature schemes can be especially useful in constructing chosen ciphertext secure encryption schemes and group signature schemes.

Similarly, existentially unforgeable ring signature schemes have been considered to be secure. In other words, an adversary who chooses ring-message pairs for which she requests signatures is not able to produce signatures for new ring-message pairs. In this paper, we are the first to design a more secure ring signature scheme, implementing the concept of strong unforgeability and ensuring that the adversary cannot ever produce a new signature for any ring-message pair, including previously signed ring-message pairs. That is, suppose an adversary chooses some ring-message pairs, requests their signatures, and obtains a tuple of ring, message, and signature along with other tuples of rings, messages, and signatures. If the adversary cannot ever produce a new signature for , or any signatures for any of the ring-message pairs, we say that the ring signature scheme is strongly unforgeable.

We accomplish this strong unforgeability using lattices in the standard model. Our ring signature scheme uses new trapdoor algorithms for lattices proposed by Micciancio and Peikert in 2012 [18]. They are much simpler, tighter, faster, and smaller than the existing algorithms. More concretely, their trapdoor algorithms do not run any expensive operation such as matrix inverse computations; their new trapdoor algorithms improved the quality from to for some small and a security parameter ; using their new trapdoor algorithms reduces the lattice dimension from to . Therefore, our ring signature scheme is also much simpler, tighter, faster, and smaller than the existing lattice-based ring signature schemes. In fact, the lattice dimension of our ring signature scheme is for the number of ring users instead of . Our ring signature scheme not only maintains anonymity against full key exposure but also offers strong unforgeability with respect to insider corruption in the standard model.

##### 1.1. Our Contribution

Our work makes three significant contributions. First, we show that all of Wang-Sun’s ring signature schemes are insecure with respect to existential unforgeability. Second, we suggest the concept of strong unforgeability, which is a stronger notion than existential unforgeability, for ring signatures. None of the existing lattice-based ring signature schemes satisfy the conditions of strong unforgeability. Third, based on our new model, we construct a new ring signature scheme from lattices that is both anonymous against full key exposure and strongly unforgeable with respect to insider corruption in the standard model.

##### 1.2. Our Approach

As with most existing ring signature schemes for lattices, we design our ring signature scheme using trapdoor delegation techniques for lattices, which afford anonymity against full key exposure. In addition, in our ring signature scheme, like most of the existing signature schemes from lattices, the “hash-and-sign” paradigm is used. Wang and Sun also used the “hash-and-sign” paradigm, but they did so in a way that failed to ensure the security of their schemes. Both of Wang-Sun’s ring signature schemes only hash the message, so that anyone can add a ring member and add another message, making it possible for anyone to produce a forgery. We address this problem in our ring signature scheme by hashing the message along with the ring and a random number. Because the ring is included in the hash value, an adversary cannot change the ring. We have drawn on the concept of strong unforgeability in signature schemes from lattices to extend strong unforgeability to a ring signature scheme. One of the features of the existing strongly unforgeable signature schemes is that the signature algorithm samples a signature in a coset of the lattice (not in the original lattice). Our ring signature scheme uses this signature algorithm. This is the defining feature that makes our ring signature scheme strongly unforgeable with respect to insider corruption in the standard model.

##### 1.3. Organization of the Paper

The remainder of our paper is organized as follows. In Section 2, we describe related work and preliminaries. We will describe early ring signature schemes, existing lattice-based schemes, and chameleon hash functions. In Section 3, we analyze Wang-Sun’s ring signature schemes and show that they do not provide existential unforgeability as they purport to do. In Section 4, we address our security model for ring signatures, describing anonymity against full key exposure and our new concept of strong unforgeability. In Section 5, we construct our ring signature scheme and demonstrate that it is secure in both of these respects. In Section 6, we will make our concluding comments.

#### 2. Preliminaries

The security parameter in this paper is . We denote the real numbers and integers by and , respectively. For a positive integer , we let . We denote vectors by lower-case bold letters (e.g., ) and assume that is a column vector. means the Euclidean norm of . We denote matrices by upper-case bold letters (e.g., ) and represent the -by- identity matrix as . We use standard big- notation, and, if for any fixed integer , then we denote . means for some positive integer . If for sufficiently large and any , then a function is negligible. We denote any negligible function by . An overwhelming probability is greater than or equal to , where is a negligible function. When is randomly chosen from a set , we use the notation . The statistical distance between two distributions and over a countable domain is denoted by .

##### 2.1. Lattices

In this paper, we consider -dimensional integer lattices. An -dimensional integer lattice is defined as follows: where is a basis. The dual lattice of is defined as follows:

We use a -ary lattice, which is one of -dimensional integer lattices. For a parity-check matrix , a -ary lattice is defined as follows: where and are positive integers and is a zero vector. Next, we define a coset of . For a syndrome , a coset of is defined as follows: where for .

The (short integer solution) problem in lattices is defined as follows.

*Definition 1*. Given a uniformly random matrix for any desired , the problem is to find a nonzero vector such that and .

The hardness of the problem follows from [13, 26, 27]. For , the problem in the average case is known to be as hard as approximating the (shortest independent vectors problem) under quantum reductions to within factors in the worst case.

We now review Gaussian distributions over lattices. First, we recall the Gaussian function as follows: where is a -dimensional subspace of , , , , and the Gaussian function centered at . The continuous distribution with density function is defined as follows:

Then, the discrete distribution with density function over a lattice is defined as follows: where spans and . Next, we define the Gaussian parameter which is a lattice quantity.

*Definition 2 (see [27, 28])*. For an -dimensional integer lattice and a real number , the Gaussian parameter is the smallest such that , where is the Gaussian function (centered at ) for , spans , and is the dual lattice of .

In this paper, we also use the following fact.

Lemma 3 (see [18, 29]). *For , , and :*

*where is a lattice.*

##### 2.2. Basic Algorithms for Lattices

The trapdoor generation algorithm proposed by Micciancio and Peikert in 2012 [18] has the following properties.

Lemma 4 (see [18]). *There exists a probabilistic polynomial time algorithm that takes a parity-check matrix , an invertible matrix , , , , and outputs a parity-check matrix with its trapdoor such that*
(i) *uses some fixed primitive matrix whose columns generate all of ;*
(ii) *chooses a matrix , where and ;*
(iii) *computes ;*
(iv) *the statistical distance between the distribution of and the uniform distribution is negligible;*
(v) *holds with an overwhelming probability, where is the maximal singular value of and ;*
(vi) *means .*

The trapdoor Gaussian sampling algorithm proposed by Micciancio and Peikert in 2012 [18] has the following properties.

Lemma 5 (see [18]). *There exists a probabilistic polynomial time algorithm that takes a parity-check matrix with its trapdoor , an invertible matrix , a syndrome , (where if is a power of , or otherwise), , , , and outputs a vector such that*
(i) *uses some fixed primitive matrix whose columns generate all of ;*
(ii) *the statistical distance between the distribution of and the distribution of is negligible;*
(iii) *means .*

The trapdoor delegation algorithm proposed by Micciancio and Peikert in 2012 [18] has the following properties.

Lemma 6 (see [18]). *There exists a probabilistic polynomial time algorithm that takes a parity-check matrix , a trapdoor corresponding to , an invertible matrix , and , where , , , , and outputs a trapdoor corresponding to such that*
(i) *uses some fixed primitive matrix whose columns generate all of ;*
(ii) *the statistical distance between the distribution of and the Gaussian distribution with is negligible;*
(iii) *holds with an overwhelming probability;*
(iv) *works even if the columns of are randomly permuted;*
(v) *means .*

##### 2.3. Properties of

We use a set of invertible elements in a certain ring introduced by Micciancio and Peikert in 2012 [18].

Lemma 7 (see [18]). *Let be a monic -degree polynomial. Then, one defines as a set of invertible elements in the ring with the following properties:*
(i) *an arbitrary subset-sum in is also an invertible element in ;*
(ii) *there exists a ring homomorphism that maps from to an invertible matrix ;*
(iii) *the number of elements in is at most , where is the smallest prime dividing .*

##### 2.4. Chameleon Hash Function

A family of chameleon hash functions was proposed by Cash et al. in 2010 [15].

Lemma 8 (see [15]). *If the problem for and is hard, the hash function has the trapdoor property and the collision resistance property, where is the bit length of the message, is the bit length of the hash value, is a Gaussian parameter, , , and . The properties of are as follows.*
(i) *The trapdoor property*. For any and , we can sample with trapdoor information such that .
(ii) *The collision resistance property*. It is hard to find and without trapdoor information such that and .

##### 2.5. Ring Signatures

A ring signature scheme is a triple of algorithms .
(i) : on input of a security parameter , this algorithm outputs a signing key and verification key pair.
(ii) : on input of a signing key , a ring , and a message , this algorithm outputs a ring signature , where is an ordered set of verification keys.
(iii) : on input of a ring , a message , and a ring signature , this algorithm outputs if the ring signature is valid and otherwise.

*Correctness*. A ring signature scheme is correct if, for any valid ring signature corresponding to , the algorithm outputs with an overwhelming probability.

Generally, ring signatures should be required to satisfy conditions of anonymity and unforgeability. Definitions of anonymity against full key exposure and existential unforgeability with respect to insider corruption were proposed by Bender et al. [4].

#### 3. Related Work

In this section, we review the existing ring signature schemes from lattices. In 2010, Brakerski and Kalai proposed the first ring signature scheme from lattices, using ring trapdoor functions [19]. However, the Brakerski-Kalai ring signature scheme is only existentially unforgeable under chosen subring attacks; that is, it is not guaranteed to be existentially unforgeable with respect to insider corruption, because existential unforgeability under chosen subring attacks is a weaker security notion than existential unforgeability with respect to insider corruption.

In 2011, Wang and Sun proposed two ring signature schemes, one in the random oracle model and one in the standard model, using lattice-based delegation techniques [21]. They claimed that their ring signature schemes offered existential unforgeability with respect to insider corruption, but in fact they did not. In this section, we discuss the definition of existential unforgeability with respect to insider corruption and show that neither of Wang-Sun’s ring signature schemes is existentially unforgeable with respect to insider corruption.

##### 3.1. Existential Unforgeability with respect to Insider Corruption

In 2006, Bender et al. developed the definitions of anonymity and existential unforgeability for ring signatures [4]. Bender et al. developed four kinds of anonymity and three kinds of existential unforgeability, with anonymity against full key exposure and existential unforgeability with respect to insider corruption being the strongest of these. Insider corruption means that an adversary can corrupt honest users and obtain their signing keys. Since then, most ring signature schemes have been based on Bender et al.’s definitions. In 2011, Wang and Sun proposed two ring signature schemes and claimed that these two ring signature schemes were existentially unforgeable with respect to insider corruption, so we now discuss existential unforgeability with respect to insider corruption, before concluding that their ring signature schemes are not existentially unforgeable.

Existential unforgeability with respect to insider corruption for a ring signature scheme is defined by the game between a challenger and a forger as follows.
(i) *Setup*. runs times to obtain . sends an ordered set of verification keys to . sets , where is a set of corrupted users.
(ii) *Signing Queries*. sends such that to . We note that may not be a subset of . runs to obtain and returns it to .
(iii) *Corruption Queries*. sends such that to . returns to and adds to .
(iv) *Output*. outputs . If , did not send to , and , then wins the game .

The advantage of in the above game is defined as follows:

##### 3.2. Analysis of Wang-Sun’s Ring Signature Schemes

Here, we show that Wang-Sun’s ring signature schemes are not existentially unforgeable with respect to insider corruption. Wang-Sun’s ring signature scheme in the random oracle model consists of the following algorithms.
(i) : this algorithm runs the trapdoor generation algorithm to obtain . The signing key is and the verification key is .
(ii) : on input of , , and , this algorithm computes and constructs , where is a hash function. The algorithm samples and outputs from using the Gaussian sampling algorithm and the trapdoor delegation algorithm with , where is a Gaussian parameter.
(iii) : on input of , , and , this algorithm constructs . Then, the algorithm outputs if (i) ; (ii) . Otherwise, the algorithm outputs .

We now show that we can construct a forger mounting an existential forgery attack with a nonnegligible success probability. Let be a challenger in the game of existential unforgeability. sends to in the *Signing Queries* phase and receives a ring signature corresponding to . Then, makes a forgery such that is a proper (or strict) superset of (i.e., ).

For example, chooses in the *Signing Queries* phase. In this case, . chooses in the *Output* phase. In this case, . Then, constructs by inserting zeros into , where and . Note that the following equation holds:

Clearly, the Euclidean norms of and are the same, and the tuple satisfies the verification algorithm (i.e., ). Therefore, Wang-Sun’s ring signature scheme in the random oracle model is not existentially unforgeable with respect to insider corruption. Wang-Sun’s ring signature scheme in the standard model can similarly be broken.
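To make the observation above concrete, the following toy Python model is added here (it is not code from this paper or from Wang and Sun). It uses a gadget-style key A = [Ā | G - ĀR] with a deterministic preimage in place of the Gaussian sampler, hashes with SHA-256 into Z_q^n, and shows that a verifier which hashes only the message accepts a zero-padded signature for an enlarged ring, while hashing the ring, the message and a random nonce, the fix described in Section 1.2, rejects it. All parameters, keys and the message are constructed toy values, far too small to be secure.

```python
import hashlib
import random

# Toy parameters, constructed for illustration only; far too small to be secure.
Q = 16             # modulus; a power of two so the gadget inverse is binary decomposition
N = 4              # number of rows of every verification key
K = 4              # bits per Z_Q entry, Q == 2 ** K
MBAR = 8           # width of the uniformly random part of a key
W = MBAR + N * K   # total width of one user's key block
BOUND = 60.0       # Euclidean norm bound accepted by the verifier (toy value)

def matvec(mat, vec):
    return [sum(a * b for a, b in zip(row, vec)) % Q for row in mat]

def gadget_preimage(u):
    """G^{-1}(u): the {0,1} vector x with G x = u (mod Q), G = I_N (x) (1, 2, 4, 8)."""
    return [(coord >> bit) & 1 for coord in u for bit in range(K)]

def keygen(rng):
    """Key A = [Abar | G - Abar R] with trapdoor R; R is {-1,0,1} here, not Gaussian."""
    abar = [[rng.randrange(Q) for _ in range(MBAR)] for _ in range(N)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(N * K)] for _ in range(MBAR)]
    right = []
    for i in range(N):
        row = []
        for j in range(N * K):
            g = (1 << (j % K)) if j // K == i else 0             # entry of the gadget G
            ar = sum(abar[i][t] * R[t][j] for t in range(MBAR))  # entry of Abar R
            row.append((g - ar) % Q)
        right.append(row)
    return [abar[i] + right[i] for i in range(N)], R

def trapdoor_preimage(R, u):
    """Short z = (R x, x) with A z = G x = u (mod Q); deterministic stand-in for SampleD."""
    x = gadget_preimage(u)
    return [sum(R[t][j] * x[j] for j in range(N * K)) for t in range(MBAR)] + x

def ring_matrix(ring):
    return [sum((A[i] for A in ring), []) for i in range(N)]  # A_R: concatenated keys

def encode_ring(ring):
    return b"".join(bytes(c for row in A for c in row) for A in ring)

def hash_to_syndrome(data):
    digest = hashlib.sha256(data).digest()
    return [digest[i] % Q for i in range(N)]

def syndrome(ring, msg, r, bind_ring):
    """Target u in Z_Q^N. Weak binding (the scheme analysed above) hashes only the
    message; the fix of Section 1.2 hashes the ring and a nonce r as well."""
    data = encode_ring(ring) + msg + r if bind_ring else msg
    return hash_to_syndrome(data)

def sign_syndrome(ring, signer, R, u, rng):
    """Short z with A_R z = u: random short blocks for the other members, then the
    signer's trapdoor closes the equation on its own block."""
    blocks = [[rng.choice((-1, 0, 1)) for _ in range(W)] for _ in ring]
    residual = list(u)
    for i, A in enumerate(ring):
        if i != signer:
            residual = [(a - b) % Q for a, b in zip(residual, matvec(A, blocks[i]))]
    blocks[signer] = trapdoor_preimage(R, residual)
    return sum(blocks, [])

def check(ring, z, u):
    """Verifier's conditions: correct length, norm bound, and A_R z = u (mod Q)."""
    if len(z) != W * len(ring) or sum(c * c for c in z) ** 0.5 > BOUND:
        return False
    return matvec(ring_matrix(ring), z) == u

def sign(ring, signer, R, msg, rng, bind_ring):
    r = rng.getrandbits(128).to_bytes(16, "big") if bind_ring else b""
    return sign_syndrome(ring, signer, R, syndrome(ring, msg, r, bind_ring), rng), r

def verify(ring, msg, sig, bind_ring):
    z, r = sig
    return check(ring, z, syndrome(ring, msg, r, bind_ring))

def extend_ring_with_zero_block(ring, z, new_key):
    """Adding a member with an all-zero block leaves A_R z and the norm of z unchanged."""
    return ring + [new_key], z + [0] * W

def demo(seed=7):
    """Per binding mode: (honest signature verifies, zero-padded enlarged ring verifies)."""
    rng = random.Random(seed)
    (A1, R1), (A2, _), (A3, _) = keygen(rng), keygen(rng), keygen(rng)
    ring, msg = [A1, A2], b"constructed test message"
    results = {}
    for bind_ring in (False, True):
        sig = sign(ring, 0, R1, msg, rng, bind_ring)
        ring3, z3 = extend_ring_with_zero_block(ring, sig[0], A3)
        results[bind_ring] = (verify(ring, msg, sig, bind_ring), verify(ring3, msg, (z3, sig[1]), bind_ring))
    return results  # {False: (True, True), True: (True, False)}
```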

#### 4. Security Model of Ring Signatures

##### 4.1. Anonymity against Full Key Exposure

We first recall the definition of anonymity against full key exposure in [4]. Anonymity against full key exposure for a ring signature scheme is defined by the following game between a challenger and an adversary .
(i) *Setup*. runs times to obtain . sends an ordered set of verification keys to . sets , where is a set of corrupted users.
(ii) *Signing Queries*. sends such that to . We note that may not be a subset of . runs to obtain and returns to .
(iii) *Corruption Queries*. sends such that to . returns to and adds to .
(iv) *Challenge*. sends such that and to . We note that may not be a subset of . randomly chooses a bit and returns to .
(v) *Output*. guesses and outputs . If , then wins the game . We note that or may be in .

The advantage of in the above game is defined as follows:

##### 4.2. Strong Unforgeability with respect to Insider Corruption

We propose strong unforgeability with respect to insider corruption for ring signatures. This is a stronger condition than existential unforgeability. The strong unforgeability of ring signatures is based on the existential unforgeability defined in [4].

Strong unforgeability with respect to insider corruption for a ring signature scheme is defined by the following game between a challenger and a forger .
(i) *Setup*. runs times to obtain . sends an ordered set of verification keys to . sets a set of corrupted users .
(ii) *Signing Queries*. For , sends such that to . We note that may not be a subset of . runs to obtain and returns to .
(iii) *Corruption Queries*. For , sends such that to . returns to and adds to .
(iv) *Output*. outputs . If , is not made for through signing queries, and , then wins the game .

The advantage of in the above game is defined as follows:

Note that can send in the *Signing Queries* phase of the game, whereas cannot send in the existential unforgeability game.

#### 5. Our Construction

##### 5.1. Sets and Parameters

In this section, we propose our ring signature scheme in the standard model. First, we define the following parameters.
(i) is a security parameter.
(ii) is the dimension of the ring signature, where , , and is the number of ring users.
(iii) is the bit length of a hash value, where is the smallest prime dividing . That is, a hash value space is .
(iv) is a parameter used in the algorithm and is a parameter used in the algorithm.
(v) and are parameters for the problem and .
(vi) is a primitive matrix whose columns generate all of .
(vii) are public parameters, where , , , and is a hash function.

##### 5.2. Our Ring Signature Scheme

Our ring signature scheme consists of the following algorithms.
(i) : on input of the security parameter , this algorithm chooses and computes . The signing key is and the verification key is .
(ii) : on input of , , and , this algorithm computes and , where and is the th element in . The algorithm constructs , where is the ordered concatenation of matrices in . The algorithm samples from using the and algorithms with . The algorithm outputs a ring signature .
(iii) : on input of , , and , this algorithm computes and , where is the th element in . The algorithm constructs , where is the ordered concatenation of matrices in . Then, the algorithm outputs if (i) ; (ii) . Otherwise, the algorithm outputs .

*Correctness*. We show that our ring signature scheme is correct. The algorithm can sample from a distribution whose statistical distance from is negligible using the and algorithms with such that and with an overwhelming probability [15, 18, 27]. Therefore, our ring signature scheme is correct.

##### 5.3. Anonymity against Full Key Exposure of Our Construction

We now show that our ring signature scheme is anonymous against full key exposure in the standard model.

Theorem 9. * is anonymous against full key exposure in the standard model.*

*Proof of Theorem 9*. Recall that is sent by in the *Challenge* phase of the game of anonymity. A challenge signature is then returned to .

The signing algorithm with samples from a distribution whose statistical distance from is negligible. Therefore, the statistical distance between the distribution of and the distribution of is negligible. We also note that the distributions of and are the same. Therefore, the advantage of is negligible.

##### 5.4. Strong Unforgeability with respect to Insider Corruption of Our Construction

We now show that our ring signature scheme is strongly unforgeable with respect to insider corruption in the standard model.

Theorem 10. *If the problem for and and and is hard, the ring signature scheme proposed here is strongly unforgeable with respect to insider corruption in the standard model, where is the ring size and is the message bit length.*

*Proof of Theorem 10*. We show that, if a forger exists with a nonnegligible probability, we can construct an algorithm solving the problem.

Assume that outputs a forgery in the game of strong unforgeability. Then, there exist three cases.
(1) for some such that , , or .
(2) for some such that , , and .
(3) for all .

Note that the number of signing queries is at most , and are used in the th signing queries.

For the first case, we can construct conducting a collision attack on using . simulates the game of strong unforgeability with as follows.
(i) *Setup*. takes a hash function as input and chooses at random. For , chooses and computes . sends to , where and . sets , where is a set of corrupted users.
(ii) *Signing Queries*. sends such that to . chooses and computes . is represented as , where is the ordered concatenation of matrices in , , and is the th element in . The maximal singular value of (where ) is as follows:
calculates , where . Then, the maximal singular value of is as follows:
calculates from a distribution whose statistical distance from is negligible, where . returns to .
(iii) *Corruption Queries*. sends such that to . returns to and adds to .
(iv) *Output*. outputs . For any , , where , , or . outputs two pairs as a collision on .

To reduce the average-case problem to the worst-case in lattices, should hold. Therefore,

Naturally,

For the second case, we can construct attacking the problem using . Assume that the number of corrupted users is at most . simulates the game of strong unforgeability with as follows.
(i) *Setup*. chooses a primitive matrix . takes as input as an instance and parses as , where , , and . chooses a chameleon hash function with trapdoor information and distinct hash values , where for . randomly selects . For , computes as follows:
where is the th element in and is a ring homomorphism. For , chooses and computes the following:
If , , where is the th element in . Otherwise, is an invertible matrix. chooses and computes , where and is the th element in . randomly chooses such that the number of s in is . If for , sets for in turn. Otherwise, chooses and computes . sends to , where and . sets , where is a set of corrupted users.
(ii) *Signing Queries*. For , sends such that to . samples with trapdoor information such that .
(1) For : if , aborts. Otherwise, returns to . Note that the distributions of and are the same.
(2) For : is represented as , where and . The maximal singular value of is as follows:
calculates , where . Then, the maximal singular value of is as follows:
calculates from a distribution whose statistical distance from is negligible, where . returns to .
(iii) *Corruption Queries*. If asks for , where , aborts. Otherwise, returns and adds to .
(iv) *Output*. outputs . If , aborts. Otherwise, , where and . Therefore, we obtain the following equation:
From the above equation, we have that
Let be and let be . Then, and
outputs as a solution to . The Euclidean norm of is as follows:

Because and , .

To reduce the average-case problem to the worst-case in lattices, should hold. Therefore,

We note that succeeds in its forgery if it correctly guesses and . The probability of correctly guessing is , and the probability of correctly guessing is . Therefore,
where is the number of users and is the upper bound of the number of corrupted users.

For the third case, we can construct attacking the problem using . Assume that the number of corrupted users is at most . simulates the game of strong unforgeability with as follows.
(i) *Setup*. chooses a primitive matrix . takes as input as an instance and parses as , where , , and . chooses a chameleon hash function with trapdoor information and distinct hash values , where for . constructs a set of all shortest strings such that each element of has no as a prefix. There exists an efficient algorithm for computing , and the number of elements in is at most [15, 17, 18]. chooses from at random. , where is the bit length of . For , computes as follows:
where is the th element in and is a ring homomorphism. For , chooses and computes the following:
If any has as a prefix, , where is the th element in . Otherwise, is an invertible matrix. randomly chooses such that the number of s in is . If for , sets for in turn. Otherwise, chooses and computes . sends to , where