thesis/sec-stern.tex

% \section{Stern-like Proofs}
% \addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern}
% \label{sse:stern}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}.
\index{Syndrome Decoding Problem}
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf P \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf x \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf P \cdot \mathbf x = \mathbf v \bmod 2$.

This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.

After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.

Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf x \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf x$ satisfies these conditions if and only if $\pi(\mathbf x)$ also does.
Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and the hamming weight) in a zero-knowledge fashion.
We can notice that this can be extended to vectors $\mathbf x \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
In \cref{sse:stern-abstraction}, we describes these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}.

It is worth noticing that this argument on knowledge does not form a $\Sigma$-protocol, as the challenge space is ternary as described in \cref{sse:stern-abstraction}.
Thus standard theorems on $\Sigma$-protocols has to be adapted in this setting.

In this Section, we describe in a high-level view how Stern's protocol works, and then we detail it.


\subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Abstraction du protocole de Stern}

%%%% TODO
\begin{figure}[t]

  \small
  \begin{enumerate}
    \item \textbf{Commitment:} Prover samples $\mathbf{r}_w \leftarrow U(\mathbb{Z}_q^D)$, $\phi \leftarrow  U(\mathcal{S})$ and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
      Then he sends $\mathrm{CMT}= \big(C_1, C_2, C_3\big)$ to the verifier, where
      \begin{gather*}
        C_1 =  \mathsf{COM}(\phi, \mathbf{M}\cdot \mathbf{r}_w \bmod q; \rho_1), \hspace*{5pt}
        C_2 =  \mathsf{COM}(\Gamma_{\phi}(\mathbf{r}_w); \rho_2), \\
        C_3 =  \mathsf{COM}(\Gamma_{\phi}(\mathbf{w} + \mathbf{r}_w \bmod q); \rho_3).
      \end{gather*}

    \item \textbf{Challenge:} The verifier sends a challenge $Ch \leftarrow U(\{1,2,3\})$ to the prover.
    \item \textbf{Response:} Depending on $Ch$, the prover sends $\mathrm{RSP}$ computed as follows:
      \smallskip
      \begin{itemize}
        \item $Ch = 1$: Let $\mathbf{t}_{w} = \Gamma_{\phi}(\mathbf{w})$, $\mathbf{t}_{r} = \Gamma_{\phi}(\mathbf{r}_w)$, and $\mathrm{RSP} = (\mathbf{t}_w, \mathbf{t}_r, \rho_2, \rho_3)$. \smallskip

        \item $Ch = 2$: Let $\phi_2 = \phi$, $\mathbf{w}_2 = \mathbf{w} + \mathbf{r}_w \bmod q$, and
          $\mathrm{RSP} = (\phi_2, \mathbf{w}_2, \rho_1, \rho_3)$. \smallskip
        \item $Ch = 3$: Let $\phi_3 = \phi$, $\mathbf{w}_3 = \mathbf{r}_w$, and
          $\mathrm{RSP} = (\phi_3, \mathbf{w}_3, \rho_1, \rho_2)$.
      \end{itemize}
  \end{enumerate}
  \textbf{Verification:}  Receiving $\mathrm{RSP}$, the verifier proceeds as follows:
  \smallskip
  \begin{itemize}
    \item $Ch = 1$: Check that
      \begin{gather*}
        \mathbf{t}_w \in \mathsf{VALID},\\
        C_2 = \mathsf{COM}(\mathbf{t}_r; \rho_2), \qquad
        {C}_3 = \mathsf{COM}(\mathbf{t}_w + \mathbf{t}_r \bmod q; \rho_3).
      \end{gather*}

    \item $Ch = 2$: Check that 
      \[
        C_1 = \mathsf{COM}(\phi_2, \mathbf{M}\cdot \mathbf{w}_2 - \mathbf{v} \bmod q; \rho_1),\qquad
        {C}_3 = \mathsf{COM}(\Gamma_{\phi_2}(\mathbf{w}_2); \rho_3).
      \]

    \item $Ch = 3$: Check that
      \[
        C_1 =  \mathsf{COM}(\phi_3, \mathbf{M}\cdot \mathbf{w}_3; \rho_1), \qquad
        C_2 =  \mathsf{COM}(\Gamma_{\phi_3}(\mathbf{w}_3); \rho_2).
      \]

  \end{itemize}
  In each case, the verifier outputs $1$ if and only if all the conditions hold.
  \caption{Stern-like \textsf{ZKAoK} for the relation $\mathrm{R_{abstract}}$.}
  \label{Figure:Interactive-Protocol}
\end{figure}


Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq 2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that   every $\phi \in \mathcal{S}$ can be associated with a permutation $\Gamma_\phi \in \permutations_D$ satisfying the following conditions:
\begin{eqnarray}\label{eq:zk-equivalence}
\begin{cases}
\mathbf{w} \in \mathsf{VALID} ~ \iff ~ \Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}, \\
\text{If } \mathbf{w} \in \mathsf{VALID} \text{ and } \phi \text{ is uniform in } \mathcal{S}, \text{ then }  \Gamma_\phi(\mathbf{w}) \text{ is uniform in } \mathsf{VALID}. \quad
\end{cases}
\end{eqnarray}
We aim to construct a statistical Zero-Knowledge Argument of Knowledge (\textsf{ZKAoK}) for the following abstract relation:
\begin{eqnarray*}
\mathrm{R_{abstract}} = \big\{ \big((\mathbf{M}, \mathbf{v}), \mathbf{w} \big) \in \mathbb{Z}_q^{K \times D} \times \mathbb{Z}_q^D \times \mathsf{VALID}: \mathbf{M}\cdot \mathbf{w} = \mathbf{v} \bmod q.\big\}
\end{eqnarray*}

Note that, Stern's original protocol corresponds to the special case when the set
$\mathsf{VALID} = \{
\mathbf{w} \in \{0,1\}^D: \mathsf{wt}(\mathbf{w}) = k\}$, where $\mathsf{wt}(\cdot)$ denotes the Hamming weight and $k < D$ is a given integer, $\mathcal{S} = \mathcal{S}_D$ is  the set of all permutations of~$D$ elements and $\Gamma_{\phi}(\mathbf{w}) = \phi(\mathbf{w})$.

The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w} \in \mathsf{VALID}$. To this end, the prover samples a random $\phi \hookleftarrow U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w}) \in \mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot (\mathbf{w} + \mathbf{r}_w) = \mathbf{M}\cdot \mathbf{r}_w + \mathbf{v} \bmod q.$


The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{Figure:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08}).

\begin{theorem}\label{Theorem:zk-protocol}
The protocol in Figure~\ref{Figure:Interactive-Protocol} is a statistical \emph{\textsf{ZKAoK}} with perfect completeness, soundness error~$2/3$, and communication cost~$\mathcal{O}(D\log q)$. Namely:
\begin{itemize}
\item There exists a polynomial-time simulator that, on input $(\mathbf{M}, \mathbf{v})$, outputs an accepted transcript statistically close to that produced by the real prover.
\item There exists a polynomial-time knowledge extractor that, on input a commitment $\mathrm{CMT}$ and $3$ valid responses $(\mathrm{RSP}_1,\mathrm{RSP}_2,\mathrm{RSP}_3)$ to all $3$ possible values of the challenge $Ch$, outputs $\mathbf{w}' \in \mathsf{VALID}$ such that $\mathbf{M}\cdot \mathbf{w}' = \mathbf{v} \bmod q.$
\end{itemize}
\end{theorem}
The proof of the theorem relies on standard simulation and extraction techniques for Stern-like protocols~\cite{KTX08,LNSW13,LLM+16}.
\vspace{-0.1 cm}


%%%% END TODO

%%%%%%%%%%%%%%%%%%%%%
%%%% Recap Table %%%%
%%%%%%%%%%%%%%%%%%%%%
\begin{figure}
  \begin{itemize}
    \item $\mathsf B^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
    \item $\mathsf B^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$.
  \end{itemize}
  \caption{Notations for Stern-like protocols.}
  \label{fig:stern-notations}
\end{figure}

\subsection{The Decomposition-Extension Framework}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Méthode de décomposition-extension}

A method used in~\cite{LNSW13} to prove knowledge of an \ISIS preimage consists in first \textit{decomposing} the secret $\mathbf{x} = (x_1, \ldots, x_m)  \in [-B,B]^m$ into a vector $\tilde{\mathbf x}$ of $\nbit^{m \delta_B}$ such that $\tilde{\mathbf x} = [ \tilde{\mathbf u}_1^{T} \mid \cdots \mid \tilde{\mathbf u}_{\delta_B}^T]^T$ and for all $j \in \{1, \ldots, m\}$, $(1, 2, \ldots, 2^{\delta_B - 1})^T \cdot \tilde{\mathbf u}_j^{} = x_j$.
Once that is done, we fix the hamming weight of the resulting vector by \textit{extending} its components $\tilde{\mathbf u}_j^{}$ into $\mathbf u_j \in \mathsf B^3_{m}$.