thesis/chap-ZK.tex

\chapter{Zero-Knowledge Arguments}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Arguments à divulgation nulle de connaissance}
A \emph{zero-knowledge proof}~\cite{GMR85} (or \textbf{ZK proof}) is an \emph{interactive proof} between a prover and a verifier, at the end of which the verifier should be convinced of the truth of a statement (except with some probability of error, called the \emph{soundness error}), while the prover has the assurance that the verifier learns nothing more than the validity of the statement.
One of the early applications of ZK proofs in cryptography was for identification systems~\cite{FS86}.
The goal is for a user $A$ to prove knowledge of a secret (such as a password) to a user $B$ without revealing any information about the secret, since otherwise user $B$ would be able to impersonate $A$.
Since then, zero-knowledge proofs have become widespread in privacy-enhancing cryptography: anonymous credentials, group signatures, electronic voting, e-cash, \ldots
While these primitives flourish in the context of number-theory-based cryptography (such as RSA groups or pairing groups), they remain elusive in the lattice world. In this chapter, we focus on presenting the different proof systems in pairing-based and lattice-based cryptography.
\section{Definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions}
\begin{definition}[Zero-knowledge proofs and arguments]
\label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument}
Let $R = \{ (x, w) \in \mathcal L \times \mathcal R \}$ be a binary relation.
A \emph{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$, where $V$ outputs a bit $b$ at the end of the interaction.
This is written as $\langle P(x,w) , V(x) \rangle = b$.
The aforementioned protocol should also satisfy the following properties.
\begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|x|]$.
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[\langle P^\star(x, \bar w), V(x) \rangle = 1] \leq s < 1 - \negl[|x|],$
where $s$ is called the \emph{soundness error}.
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
There exists a $\ppt$ simulator $S$ such that, for all $\ppt$ algorithms $V^\star$, the ensembles
$\{\trans(P(x, w), V^\star(x))\}_{(x,w) \in R}$ and $\{S^{V^\star}(x)\}_{(x,w) \in R}$ are computationally indistinguishable.
\end{description}
If, in the soundness definition, the cheating prover $P^\star$ is restricted to be a $\ppt$ algorithm, then the proof system is called an \emph{argument}.
Note that the soundness error can be reduced by repeating the proof.
\end{definition}
\begin{figure}
\centering
\footnotesize
\begin{tabular}{ccc}
$P(x,w)$ & & $V(x)$\\
\hline
$(\cmt, \mathsf{st}_P) \gets P_1(x,w)$ & & \\
& $\xrightarrow{\mathmakebox[2cm]{\cmt}}$ & \\
& & $(\chall, \mathsf{st}_V) \gets V_1(x, \cmt)$ \\
& $\xleftarrow{\mathmakebox[2cm]{\chall}}$ & \\
$\rsp \gets P_2(x,w,\chall, \mathsf{st}_P)$ & & \\
& $\xrightarrow{\mathmakebox[2cm]{\rsp}}$ & \\
& & return $b = V_2(x, \chall, \rsp, \mathsf{st}_V)$
\end{tabular}
\caption{$\Sigma$-protocol} \label{fig:sigma}
\end{figure}
Zero-knowledge proofs also exist in a non-interactive variant.
\begin{definition}[Non Interactive Zero Knowledge]
\index{Zero Knowledge!NIZK}
\label{de:nizk-proofs}
A \emph{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal L \times \mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal L$ and $w \in \mathcal R$ and outputs a proof $\pi$, and $V$ takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should satisfy the following properties.
\begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
\item[Soundness.] For all $x \in \mathcal L$, for any $\bar w \in \mathcal R$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[V(x, P^\star(x, \bar w)) = 1] < \negl[|x|].$
\item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
\end{description}
\end{definition}
In the random oracle model, it is possible to transform an interactive ZK proof into a NIZK proof. This technique is called the Fiat-Shamir transform.
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
\index{Zero Knowledge!Fiat-Shamir Transform}
Let $(P, V)$ be a three-round zero-knowledge proof for a relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma}, and let $\mathcal H$ be a cryptographic hash function (modeled as a random oracle).
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
\begin{enumerate}
\item First run $P_1(x,w)$ to get a random commitment $\cmt$ and state information $\mathsf{st}_P$;
\item Generate the challenge as $\chall \gets \mathcal H(\cmt)$;
\item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$;
\item Return the proof $\pi = (\cmt, \rsp)$.
\end{enumerate}
Let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$:
\begin{enumerate}
\item Parse $\pi$ as $(\cmt, \rsp)$;
\item Generate the challenge $\chall = \mathcal H(\cmt)$;
\item Return $V_2(x, \chall, \rsp, \emptyset)$.
\end{enumerate}
Then $(\hat P, \hat V)$ is a non-interactive zero-knowledge proof for $R$ in the \ROM.
\end{definition}
\section{Schnorr Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
\section{Stern-like Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern}