A \textit{Zero-Knowledge proof}~\cite{GMR85} (or \textbf{ZK proof}) is an \textit{interactive proof} between a prover and a verifier at the end of which the verifier should be convinced of the truth of a statement (up to some error probability, called the \emph{soundness error}), while the prover is guaranteed that the verifier learns nothing more than the validity of the statement.
The goal is for a user $A$ to prove the knowledge of a secret (such as a password) to user $B$ without revealing any piece of information about the secret, otherwise user $B$ would be able to impersonate $A$.
Since their introduction, zero-knowledge proofs have become widespread in privacy-enhancing cryptography:~anonymous credentials, group signatures, electronic voting, e-cash, \ldots
While these primitives flourish in the context of number-theory-based cryptography (such as RSA groups or pairing groups), they remain elusive in the lattice world.
In this section, we first present the general principles and basic tools used to handle \ZK proofs. We then describe two families of \ZK proofs that are useful in the context of pairing-based and lattice-based cryptography, namely Schnorr-like proofs and Stern-like proofs.
Let $R =\{(x, w)\in\mathcal L \times\mathcal R \}$ be a binary relation.
A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction.
This is written as $\langle P(x,w) , V(x)\rangle= b$.
The protocol should moreover satisfy the following properties.
\begin{description}
\item[Completeness.] For any $(x, w)\in R$, $\Pr[\langle P(x,w), V(x)\rangle=1]\geq1-\negl[|\lambda|]$.
\item[Soundness.] For all $x \in\mathcal L$, for any $\bar w \in\mathcal R$ such that $(x, \bar w)\notin R$, and for any cheating prover $P^\star(x, \bar w)$,
If, in the \textit{soundness} definition, the adversary $P^\star$ is restricted to be a $\ppt$ algorithm, then the proof system is called an \textit{argument}.
A way to construct zero-knowledge proofs --\,described in more detail in \cref{sse:schnorr}\,-- is a black-box transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}~\cite{Dam00,GMY03}. The resulting proof remains secure against malicious verifiers.
Let $R =\{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is a three-move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and satisfies the following properties.
\item[Special soundness.] For any $x$ and any pair of accepting transcripts on input $x$ of the form $(\cmt, \chall, \rsp)$ and $(\cmt, \chall', \rsp')$, there exists a $\ppt$ algorithm $\extr$ that takes as input the two aforementioned transcripts and outputs an element $w$ such that $(x,w)\in R$.
\item[Honest-Verifier Zero-Knowledge.] There exists a $\ppt$ simulator $S$, such that the two probability distributions $\{\trans(P(x,w), V(x))\}$ and $\{S(x)\}$ with honest $P$ and $V$ are the same.
\end{description}
\end{definition}
An example of a $\Sigma$-protocol, together with its transformation into a zero-knowledge proof using a commitment scheme, is given in \cref{sse:schnorr}.
Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal is to commit a message $M$ into a commitment $\com$ such that once a message is committed, it is impossible to know what is inside (hiding property), and it is as well impossible to modify a commitment to change the underlying message (binding property).
\item[\textsf{Commit}$(\param, M)$:] From a message $M$ and parameters $\param$, this algorithm outputs a commitment $\com$ and an opening $\open$. The randomness $\rho$ used in the commitment is sometimes made explicit.
\item[\textsf{Verify}$(\param, \com, \open, M)$:] Using parameters $\param$, a message $M$, its commitment $\com$ and its opening $\open$, this algorithm returns a bit $b$.
\end{description}
These algorithms should satisfy the correctness, hiding and binding properties, where the experiments $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hiding-binding-games}.
\item[Correctness.] For any public parameters $\param\gets\Setup(1^\lambda)$, any message $M$ and any commitment and opening $(\com, \open)\gets\Commit(\param, M)$, it holds that $\Verify(\param, \com, \open, M)=1$.
Commitment schemes are thus used to \textit{oblige} the verifier of the $\Sigma$-protocol to be honest: it commits its challenge at the outset of the interaction, and opens it at the challenge phase, so that it cannot change its challenge with respect to the commitment of the prover.
Let $\mathbf{A}\in\Zq^{n \times\ell}$, and let $f_{\mathbf{A}}: \bit^\ell\to\Zq^n$ be the function that maps its input string $x$ to the binary vector $\mathbf{x}\in\{0,1\}^\ell\subset\Zq^\ell$ and outputs $\mathbf{A}\mathbf{x}\bmod q \in\Zq^n$.
One can notice that $f_{\mathbf{A}}$ is indeed a collision-resistant one-way function under the $\SIS$ assumption: finding two inputs $x \neq\tilde{x}$ such that $\mathbf{A}\cdot\mathbf{x}=\mathbf{A}\cdot\tilde{\mathbf{x}}\bmod q$ yields a non-zero vector $\mathbf{x}' =\mathbf{x}-\tilde{\mathbf{x}}\in\{-1,0,1\}^\ell$ such that $\mathbf{A}\cdot\mathbf{x}'=\mathbf{0}\bmod q$ and $\|\mathbf{x}'\|_2\leq\sqrt\ell$.
It is thus possible to apply the \textit{Merkle-Damg{\aa}rd construction}~\cite{Mer79,Mer89,Dam89} to $f_{\mathbf{A}}$ to obtain a \textit{collision-resistant hash function} $h_{\mathbf{A}}: \bit^\star\to\Zq^n$ that is secure under $\SIS_{n,\ell, q, \sqrt\ell}$.
\item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf{A}_M, \mathbf{A}_\rho\in\U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf{A}=[\mathbf{A}_M \mid\mathbf{A}_\rho]$.
\item[$\textsf{Commit}(\mathbf{A}, M; \rho)$:] To commit to a string $M \in\{0,1\}^\star$ under randomness $\rho\in\{0,1\}^{m}$, first parse $\mathbf{A}\in\Zq^{n \times2m}$ as $[\mathbf{A}_M \mid\mathbf{A}_\rho]$ as in the \textsf{\textbf{Setup}} algorithm,
then compute $\com= h_{\mathbf{A}_M}(M)+ f_{\mathbf{A}_\rho}(\rho)\in\Zq^n$ and output $(\com, \open)$ with $\open=\rho$,
where $h_{\mathbf{A}_M}$ and $f_{\mathbf{A}_\rho}$ are the hash function and the one-way collision resistant function defined in \cref{de:sis-hash}.
\item[$\textsf{Verify}(\mathbf{A}, \com, \open, M)$:] First parse $\mathbf{A}$ as in the \textsf{\textbf{Setup}} algorithm. Then accept if and only if $\open\in\bit^m$ and $\com= h_{\mathbf{A}_M}(M)+ f_{\mathbf{A}_\rho}(\open)$.
If $m > 5n \log q$, the above commitment scheme is \emph{statistically hiding} and \emph{binding} under the $\SIS_{n,m,q,\sqrt{m}}$ assumption in the trusted setup model.
\begin{definition}[Non Interactive Zero Knowledge]
\index{Zero Knowledge!NIZK}
\label{de:nizk-proofs}
A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w)\in\mathcal L \times\mathcal R\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in\mathcal L$ and $w \in\mathcal R$ and outputs a proof $\pi$, and $V$ takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should satisfy the following properties.
\begin{description}
\item[Completeness.] For any $(x, w)\in R$, $\Pr[ V(x, P(x, w))=1]\geq1-\negl[|x|]$.
\item[Soundness.] For all $x \in\mathcal L$, for any $\bar w \in\mathcal R$ such that $(x, \bar w)\notin R$, and for any cheating prover $P^\star(x, \bar w)$,
\item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w))\}_{(x,w)\in R}$ and $\{S(x)\}_{(x, w)\in R}$ are computationally indistinguishable.
\end{description}
\end{definition}
In the random oracle model, it is possible to transform a ZK proof into an NIZK proof. This technique is called the Fiat-Shamir transform.
Let $(P, V)$ be a three-move ZK proof system for relation $R =\{(x, w)\}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.
For the sake of completeness, we can also mention $\NIZK$ proofs in the standard model, such as Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis.
The Schnorr protocol was introduced in order to prove knowledge of a discrete logarithm (which can be seen as the relation $R_{\mathsf{dlog}}=\{(h, a)\in\GG\times\ZZ_p \mid h = g^a \}$, where $\GG=\langle g \rangle$ is a cyclic group of prime order $p\geq2$) and is described in Figure~\ref{fig:schnorr-dlog}.
This methodology can be interpreted as follows: given a commitment scheme $(\Setup, \Commit, \Verify)$ where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in binding the randomness $r$ of the commitment scheme through the transmitted value $\rho= g^r$; the verifier then asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening $\open$ for this commitment.
Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c)=1$.
In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}: a commitment to a message $M \in\Zp$ is $g^M \cdot h^r \in\GG$ and the opening is the randomness $r$ used to commit.
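The following Python code is an added worked example, not the thesis's own code or Figure~\ref{fig:schnorr-dlog} itself, that walks through the Schnorr $\Sigma$-protocol for $R_{\mathsf{dlog}}$ and ties it to the definitions given earlier: the three moves $(\cmt, \chall, \rsp)$, the extractor $\extr$ of special soundness (two accepting transcripts with the same $\cmt$ yield $a$), the honest-verifier simulator $S$ (it chooses $\chall$ and $\rsp$ first and solves for $\cmt$), and the Fiat-Shamir transform of the previous section, where the challenge becomes $\mathcal H(\text{statement}, \cmt)$. The group is a constructed toy ($p=1019$, $q=509$, $g=4$), chosen only so the block runs instantly; with a 509-element challenge space one run has soundness error $1/509$, and a real instantiation uses a 2048-bit modulus or an elliptic curve with the same logic.

```python
"""Schnorr Sigma-protocol for discrete log, added worked example (not the thesis's code).

R_dlog = {(h, a) : h = g^a} in the prime-order subgroup <g> of Z_p^*.
TOY group: p = 1019 = 2*509 + 1, q = 509, g = 4.  Nothing here is secure; the
parameters are constructed so every property can be exercised in milliseconds.
"""
import hashlib
import random

P = 1019          # safe prime p = 2q + 1 (constructed toy parameter)
Q = 509           # prime order of the subgroup <g>
G = 4             # 4 = 2^2 is a quadratic residue, hence generates the order-q subgroup


def keygen(rng):
    """Sample a witness a and the statement h = g^a."""
    a = rng.randrange(1, Q)
    return pow(G, a, P), a


# --- the three moves of the Sigma-protocol -------------------------------------
def prover_commit(rng):
    r = rng.randrange(1, Q)
    return pow(G, r, P), r             # cmt = g^r, prover keeps r


def verifier_challenge(rng):
    return rng.randrange(Q)            # chall uniform in Z_q


def prover_respond(a, r, c):
    return (r + c * a) % Q             # rsp = r + c*a mod q


def verify(h, cmt, c, rsp):
    """Accept iff g^rsp == cmt * h^c."""
    return pow(G, rsp, P) == (cmt * pow(h, c, P)) % P


def run_interactive(h, a, rng):
    cmt, r = prover_commit(rng)
    c = verifier_challenge(rng)
    return verify(h, cmt, c, prover_respond(a, r, c))


# --- special soundness: the extractor Extr --------------------------------------
def extract(cmt, c1, rsp1, c2, rsp2):
    """Two accepting transcripts (cmt, c1, rsp1), (cmt, c2, rsp2) with c1 != c2:
    g^rsp1 = cmt h^c1 and g^rsp2 = cmt h^c2, so h^(c1-c2) = g^(rsp1-rsp2) and
    a = (rsp1 - rsp2) / (c1 - c2) mod q."""
    if c1 == c2:
        raise ValueError("extraction needs two distinct challenges")
    return ((rsp1 - rsp2) * pow(c1 - c2, -1, Q)) % Q


# --- honest-verifier zero-knowledge: the simulator S ------------------------------
def simulate(h, rng):
    """Pick c and rsp first, then the unique cmt that makes the transcript accept.
    The output is distributed exactly like a real transcript, yet a was never used."""
    c = rng.randrange(Q)
    rsp = rng.randrange(Q)
    cmt = (pow(G, rsp, P) * pow(pow(h, c, P), -1, P)) % P
    return cmt, c, rsp


# --- Fiat-Shamir: the challenge becomes a hash of (statement, cmt) -----------------
def fs_challenge(h, cmt):
    data = "|".join(map(str, (P, Q, G, h, cmt))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def nizk_prove(h, a, rng):
    cmt, r = prover_commit(rng)
    return cmt, prover_respond(a, r, fs_challenge(h, cmt))


def nizk_verify(h, proof):
    cmt, rsp = proof
    return verify(h, cmt, fs_challenge(h, cmt), rsp)


def demo(seed=7):
    """Exercise every property once on a toy instance; returns five booleans, all True."""
    rng = random.Random(seed)
    h, a = keygen(rng)
    interactive_ok = run_interactive(h, a, rng)
    cmt, r = prover_commit(rng)                          # same cmt, two challenges
    c1, c2 = 5, 17
    extracted_ok = extract(cmt, c1, prover_respond(a, r, c1),
                           c2, prover_respond(a, r, c2)) == a
    sim_ok = verify(h, *simulate(h, rng))                # simulated transcript accepts
    cmt_fs, rsp_fs = nizk_prove(h, a, rng)
    nizk_ok = nizk_verify(h, (cmt_fs, rsp_fs))
    tampered_rejected = not nizk_verify(h, (cmt_fs, (rsp_fs + 1) % Q))
    return interactive_ok, extracted_ok, sim_ok, nizk_ok, tampered_rejected
```

Two details deserve attention when reading this against the definitions. The extractor never needs the prover's code, only two transcripts sharing $\cmt$; this is exactly why a prover that could answer two challenges for one $\cmt$ must know $a$. And the Fiat-Shamir hash binds the statement $h$ together with $\cmt$: hashing $\cmt$ alone would let a proof for one statement be replayed against another.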
This methodology has also been adapted to the ideal lattice setting by Lyubashevsky~\cite{Lyu08, Lyu09}, along with a technique called \textit{rejection sampling}, in order to construct ZK proofs from ideal lattice assumptions; the resulting protocol is described in Figure~\ref{fig:schnorr-lwe}.
In this description, $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$, i.e., those that do not leak information about $\mathbf{s}_1, \mathbf{s}_2$.
The part in square brackets is called the \textit{rejection} phase; it ensures that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ do not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to $V$.
This step induces a noticeable abort rate, where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run it multiple times in parallel and hope that at least one execution does not abort~\cite{FS90}.
\caption{The Schnorr $\Sigma$-protocol for Ring-SIS.}
\label{fig:schnorr-lwe}
\end{figure}
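The rejection phase is easiest to understand on a model small enough to enumerate. The Python code below is an added illustration, not the thesis's code and not the protocol of Figure~\ref{fig:schnorr-lwe}: the distributions $D_y$, $D_c$ and the set $G$ of the figure are replaced by a constructed integer model in which the mask $\mathbf{y}$ is uniform in $[-B,B]^n$, the challenge is a small scalar $c$, the response is $\mathbf{z}=\mathbf{y}+c\,\mathbf{s}$, and $\mathbf{z}$ is \textit{good} when $\|\mathbf{z}\|_\infty\leq B-\beta$ with $\beta\geq\|c\,\mathbf{s}\|_\infty$. Exhaustive enumeration then shows two things the prose states: the distribution of the accepted $\mathbf{z}$ is identical for every secret (it leaks nothing), whereas without rejection the support of $\mathbf{z}$ shifts with $\mathbf{s}$; and the price is the abort probability, which parallel repetitions drive down.

```python
"""Rejection sampling in a Lyubashevsky-style proof, added illustration (not the thesis's code).

Constructed model: y uniform in [-B, B]^N, scalar challenge c in [-C_MAX, C_MAX],
secret s in [-S_MAX, S_MAX]^N, response z = y + c*s, good iff ||z||_inf <= B - BETA
where BETA = C_MAX * S_MAX >= ||c*s||_inf.  Sizes are tiny on purpose so the exact
distribution of z can be enumerated.
"""
import itertools
from collections import Counter

B = 6                   # y uniform in [-B, B]^N (constructed toy parameter)
N = 2                   # dimension of s, y, z
C_MAX = 2               # challenges c in [-C_MAX, C_MAX]
S_MAX = 1               # secret coordinates in [-S_MAX, S_MAX]
BETA = C_MAX * S_MAX    # bound on ||c*s||_inf for every allowed (c, s)


def is_good(z):
    """The set G of good responses: small enough that y = z - c*s is always a valid mask."""
    return all(abs(zi) <= B - BETA for zi in z)


def respond(s, c, y):
    """Prover's response for mask y; None models the abort branch of the rejection phase."""
    z = tuple(yi + c * si for yi, si in zip(y, s))
    return z if is_good(z) else None


def all_masks():
    return itertools.product(range(-B, B + 1), repeat=N)


def response_distribution(s, c, reject=True):
    """Exact distribution of the transmitted z over all masks y (Counter z -> #y).

    With reject=True an out-of-range z is never sent (the prover aborts instead).
    With reject=False the rejection phase is skipped and every z is sent."""
    dist = Counter()
    for y in all_masks():
        z = tuple(yi + c * si for yi, si in zip(y, s))
        if reject and not is_good(z):
            continue
        dist[z] += 1
    return dist


def leaks(s1, s2, c, reject=True):
    """True iff a verifier seeing z could tell secret s1 from secret s2."""
    return response_distribution(s1, c, reject) != response_distribution(s2, c, reject)


def abort_probability(s, c):
    """Fraction of masks y on which the prover aborts.

    Every good z arises from exactly one y, so the accepted set has
    (2(B-BETA)+1)^N elements and the abort rate is 1 - ((2(B-BETA)+1)/(2B+1))^N,
    independent of s."""
    accepted = sum(response_distribution(s, c).values())
    return 1 - accepted / (2 * B + 1) ** N


def success_with_parallel_runs(k, s, c):
    """Probability that at least one of k independent parallel executions does not abort."""
    return 1 - abort_probability(s, c) ** k
```

With these parameters the accepted $\mathbf{z}$ is uniform on $[-4,4]^2$ whatever the secret, the abort probability is $88/169\approx0.52$, and three parallel runs already succeed with probability above $0.85$. The same argument is what $G$ and the bracketed check in Figure~\ref{fig:schnorr-lwe} implement for the ring-based distributions.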
One can notice that this is not \textit{strictly} a $\Sigma$-protocol, as the knowledge extractor outputs \textit{witnesses} that can be larger than the actual witness by a factor up to $\softO(n)$ in infinity norm. This behaviour is sometimes called \textit{imperfect soundness}.
However, this method suffers from \textit{expressivity} issues: the relations that can be proved with this proof system are limited to knowledge of a Ring-SIS secret, which is not sufficient to prove, for instance, knowledge of a signature on a committed message. Moreover, the gap in the extraction makes it hard, yet possible, to prove that the message underlying an encryption is binary~\cite{dPLNS17}.