Initially, it was introduced for the Syndrome Decoding Problem (\SDP): given a matrix $\mathbf{M}\in\FF_2^{n \times m}$ and a syndrome $\mathbf{v}\in\FF_2^n$, the goal is to find a binary vector $\mathbf{w}\in\FF_2^m$ of fixed Hamming weight $w$ such that $\mathbf{M}\cdot\mathbf{w}=\mathbf{v}\bmod2$.
This problem is similar to the $\ISIS$ problem defined in \cref{de:sis}, where the constraint on the norm of $\mathbf{x}$ becomes a constraint on the Hamming weight, and operations take place in $\FF_2$ instead of $\Zq$.
After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
These advances in the expressivity of Stern-like protocols have been used to improve them further and thus to enable privacy-preserving primitives for which no post-quantum construction existed, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.
Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation of the coordinates of a binary vector $\mathbf{w}\in\bit^m$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi\in\permutations_m$, $\mathbf{w}$ satisfies these conditions if and only if $\pi(\mathbf{w})$ also does.
This observation extends to vectors $\mathbf{w}\in\nbit^m$ with a fixed number of coordinates equal to $-1$ and to $1$, which allowed~\cite{LNSW13} to generalize this protocol to any $\ISIS_{n,m,q,\beta}$ statement.
In \cref{sse:stern-abstraction}, we describe these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}.
It is worth noticing that this argument of knowledge is not a $\Sigma$-protocol, as the challenge space is ternary, as described in \cref{sse:stern-abstraction}.
Thus the standard theorems on $\Sigma$-protocols have to be adapted to this setting.
\item$\mathsf{B}^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
\item$\mathsf{B}^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which have exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in\nbit$.
The original Stern protocol was designed to prove knowledge of an \SDP{} preimage. That is, to prove the knowledge of a vector $\mathbf{w}\in\bit^m$ that verifies
A first improvement by~\cite{KTX08} was to extend this protocol using a statistically hiding SIS-based commitment scheme, as described in Figure~\ref{fig:Interactive-Protocol}, to prove in (statistical) zero-knowledge that
\begin{equation}\label{eq:isis-stern-relation}
\mathbf{M}\cdot\mathbf{w} = \mathbf{v}\bmod q.
\end{equation}
The details of this proof are given in \cref{sse:stern-abstraction}, but it can be summarized in the following lemma.
There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w}\in\bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf{M}, \mathbf{v})\in\Zq^{n \times m}\times\Zq^{n}$.
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.
A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13,LSS14,ELL+15,LLNW16}, as explained in the introduction of this section (\ref{sse:stern}).
the knowledge of a bounded vector $\mathbf{w}\in[-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf{w}$ as $\mathbf{w}=\mathbf{K}\cdot\bar{\mathbf{w}}\bmod q$ for a public transfer matrix $\mathbf{K}$, where $\bar{\mathbf{w}}\in\nbit^{m'}$ has a known number of coordinates equal to $j$ for each $j \in\nbit$.
The problem then reduces to using \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf{w}}\in\nbit^{m'}$ for the public input $(\mathbf{M}\cdot\mathbf{K}, \mathbf{v})$, since $\mathbf{M}\cdot\mathbf{K}\cdot\bar{\mathbf{w}}=\mathbf{M}\cdot\mathbf{w}=\mathbf{v}\bmod q$.
To construct such a transfer matrix $\mathbf{K}$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf{x}\in[-B,B]^m$ as a vector $\tilde{\mathbf{x}}\in\nbit^{m \cdot\delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf{x}}\in\mathsf{B}^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol.
The resulting matrix $\mathbf{K}=\left[\mathbf{K}_{m,B}\mid\mathbf{0}^{m \times2m\delta_B}\right]\in\ZZ^{m \times3m\delta_B}$, where $\mathbf{K}_{m,B}$ is the $\nbit$-decomposition matrix $\mathbf{K}_{m,B}=\mathbf{I}_m \otimes\left[B_1\mid\cdots\mid B_{\delta_B}\right]$ with $B_j=\left\lfloor\frac{B +2^{j-1}}{2^j}\right\rfloor$ for all $j \in\{1,\ldots,\delta_B\}$, can be computed from public parameters.
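As an added worked example (our own script, not code from the thesis or from~\cite{LNSW13}), the following Python code carries out the decomposition and extension steps described above: it builds $\mathbf{K}_{m,B}$ and $\mathbf{K}$, decomposes a vector of $[-B,B]^m$ into $\nbit^{m\delta_B}$, extends the result into $\mathsf{B}^3_{m\delta_B}$, and checks that $\mathbf{K}\cdot\bar{\mathbf{w}}=\mathbf{w}$ so that $(\mathbf{M}\cdot\mathbf{K}\bmod q,\mathbf{v})$ is a valid instance for \cref{le:zk-ktx}. It assumes $\delta_B=\lfloor\log_2 B\rfloor+1$ (the decomposition length of~\cite{LNSW13}, which this page does not restate) and uses a greedy digit-by-digit decomposition, which succeeds because $B_j-1\le B_{j+1}+\cdots+B_{\delta_B}$ for every $j$; the function names and the small instance $(\mathbf{M},\mathbf{w},q)$ used in \texttt{lift\_instance} are ours.

```python
# Decomposition-Extension of [LNSW13], as an added worked example (not the thesis' code).
# Assumption: delta_B = floor(log2 B) + 1, the decomposition length used in [LNSW13].

def delta(B):
    """delta_B = floor(log2 B) + 1 for B >= 1 (equals the bit length of B)."""
    return B.bit_length()

def weights(B):
    """B_j = floor((B + 2^{j-1}) / 2^j) for j = 1..delta_B; these weights sum to B."""
    return [(B + 2 ** (j - 1)) // 2 ** j for j in range(1, delta(B) + 1)]

def decompose_scalar(x, B):
    """Greedy decomposition of x in [-B, B] into digits (x_1..x_delta) in {-1,0,1}
    with sum_j B_j * x_j = x."""
    assert -B <= x <= B
    digits = []
    for Bj in weights(B):
        if x >= Bj:
            digits.append(1); x -= Bj
        elif x <= -Bj:
            digits.append(-1); x += Bj
        else:
            digits.append(0)
    assert x == 0   # the residual is always absorbed since B_j - 1 <= B_{j+1} + ... + B_delta
    return digits

def decompose(x, B):
    """x in [-B,B]^m  ->  x~ in {-1,0,1}^{m*delta_B} (digits of x_1, then of x_2, ...)."""
    return [d for xi in x for d in decompose_scalar(int(xi), B)]

def extend(xt):
    """x~ in {-1,0,1}^L  ->  x_bar in B^3_L: append coordinates so that -1, 0 and 1
    each appear exactly L times (the appended part is multiplied by the zero block of K)."""
    L = len(xt)
    tail = [val for val in (-1, 0, 1) for _ in range(L - xt.count(val))]
    return xt + tail

def is_in_B3(v):
    """Membership test for B^3_L: length 3L with exactly L coordinates of each value."""
    L = len(v) // 3
    return len(v) == 3 * L and all(v.count(val) == L for val in (-1, 0, 1))

def transfer_matrix(m, B):
    """K = [ K_{m,B} | 0^{m x 2 m delta_B} ] with K_{m,B} = I_m (x) [B_1 | ... | B_delta]."""
    d, w = delta(B), weights(B)
    K = []
    for i in range(m):
        row = [0] * (3 * m * d)
        row[i * d:(i + 1) * d] = w      # block i of the Kronecker product I_m (x) [B_1|...|B_delta]
        K.append(row)
    return K

def matvec(A, x, q=None):
    """A.x, over the integers if q is None, otherwise mod q."""
    out = [sum(a * b for a, b in zip(row, x)) for row in A]
    return out if q is None else [t % q for t in out]

def matmul(A, Bm, q):
    """A.Bm mod q for matrices given as lists of rows."""
    cols = list(zip(*Bm))
    return [[sum(a * b for a, b in zip(row, col)) % q for col in cols] for row in A]

def lift_instance(M, w, B, q):
    """From an ISIS witness w in [-B,B]^m for (M, v = M.w mod q), build the public matrix
    M.K mod q and the witness w_bar in B^3_{m delta_B} that Lemma le:zk-ktx can prove."""
    m = len(w)
    v = matvec(M, w, q)
    wbar = extend(decompose(w, B))
    K = transfer_matrix(m, B)
    assert matvec(K, wbar) == list(w)   # K . w_bar = w holds over the integers, hence mod q
    return matmul(M, K, q), wbar, v
```

The verifier of \cref{le:zk-ktx} only ever sees $\mathbf{M}\cdot\mathbf{K}\bmod q$, $\mathbf{v}$ and the permuted witness, so the bound $B$ enters the statement solely through the public weights $B_1,\ldots,B_{\delta_B}$; the appended $2m\delta_B$ coordinates carry no information about $\mathbf{w}$ and exist only so that $\bar{\mathbf{w}}$ lands in $\mathsf{B}^3_{m\delta_B}$, a set that every permutation of $3m\delta_B$ coordinates preserves.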
Let $K$, $D$, $q$ be positive integers with $D \geq K$ and $q \geq2$, and let $\mathsf{VALID}$ be a subset of $\mathbb{Z}^D$. Suppose that $\mathcal{S}$ is a finite set such that every element $\phi\in\mathcal{S}$ can be associated with a permutation $\Gamma_\phi\in\permutations_D$ satisfying the following conditions:
\text{If }\mathbf{w}\in\mathsf{VALID}\text{ and }\phi\text{ is uniform in }\mathcal{S}, \text{ then }\Gamma_\phi(\mathbf{w}) \text{ is uniform in }\mathsf{VALID}. \quad
\end{cases}
\end{eqnarray}
We aim to construct a statistical Zero-Knowledge Argument of Knowledge (\textsf{ZKAoK}) for the following abstract relation:
\mathbf{w}\in\bit^D: \mathsf{wt}(\mathbf{w}) = k\}$, where $\mathsf{wt}(\cdot)$ denotes the Hamming weight and $k < D$ is a given integer, $\mathcal{S} = \permutations_D$ is the set of all permutations of~$D$ elements and $\Gamma_{\phi}(\mathbf{w}) = \phi(\mathbf{w})$.
The conditions in \eqref{eq:zk-equivalence} play a crucial role in proving in \textsf{ZK} that $\mathbf{w}\in\mathsf{VALID}$. To this end, the prover samples a random $\phi\hookleftarrow\U(\mathcal{S})$ and lets the verifier check that $\Gamma_\phi(\mathbf{w})\in\mathsf{VALID}$ without learning any additional information about $\mathbf{w}$ due to the randomness of $\phi$. Furthermore, to prove in a zero-knowledge manner that the linear equation is satisfied, the prover samples a masking vector $\mathbf{r}_w \hookleftarrow\U(\mathbb{Z}_q^D)$, and convinces the verifier instead that $\mathbf{M}\cdot(\mathbf{w}+\mathbf{r}_w)=\mathbf{M}\cdot\mathbf{r}_w +\mathbf{v}\bmod q.$
The interaction between prover $\mathcal{P}$ and verifier $\mathcal{V}$ is described in Figure~\ref{fig:Interactive-Protocol}. The protocol uses a statistically hiding and computationally binding string commitment scheme \textsf{COM} (e.g., the \textsf{SIS}-based scheme from~\cite{KTX08} described in~\cref{de:sis-commitment}).
The protocol in Figure~\ref{fig:Interactive-Protocol} is a statistical \emph{\textsf{ZKAoK}} with perfect completeness, soundness error~$2/3$, and communication cost~$\mathcal{O}(D \cdot\log q)$. Namely:
\item There exists a polynomial-time simulator that, on input $(\mathbf{M}, \mathbf{v})$, outputs an accepted transcript statistically close to that produced by the real prover.
\item There exists a polynomial-time knowledge extractor that, on input a commitment $\mathrm{CMT}$ and $3$ valid responses $(\mathrm{RSP}_1,\mathrm{RSP}_2,\mathrm{RSP}_3)$ to all $3$ possible values of the challenge $Ch$, outputs $\mathbf{w}' \in\mathsf{VALID}$ such that $\mathbf{M}\cdot\mathbf{w}' =\mathbf{v}\bmod q.$
\end{itemize}
\end{theorem}
The proof of the theorem relies on standard simulation and extraction techniques for Stern-like protocols~\cite{KTX08,LNSW13,LLM+16}.
Note that, by construction, the protocol is perfectly complete: if an honest prover follows the protocol, then it is always accepted by the verifier. It is also easy to see that the communication cost is bounded by $\widetilde{\mathcal{O}}(D \cdot\log q)$.
\scbf{Zero-Knowledge Property. } We construct a \textsf{PPT} simulator $\mathsf{SIM}$ interacting with a (possibly dishonest) verifier $\widehat{\mathcal{V}}$, such that, given only the public input, $\mathsf{SIM}$ outputs with probability negligibly close to $2/3$ a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.
The simulator first chooses a random $\overline{Ch}\in\{1,2,3\}$. This is a prediction of the challenge value that $\widehat{\mathcal{V}}$ will \emph{not} choose.
\smallskip
\noindent
\begin{description}
\item[\textsf{Case} $\overline{Ch}=1$]: Using basic linear algebra over $\mathbb{Z}_q$, $\mathsf{SIM}$ computes a vector $\mathbf{w}' \in\mathbb{Z}_q^D$ such that $\mathbf{M}\cdot\mathbf{w}' =\mathbf{v}\bmod q.$
Next, it samples $\mathbf{r}\hookleftarrow\U(\mathbb{Z}_q^D)$, $\pi\hookleftarrow\U(\mathcal{S})$, and random coins $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then it sends the commitment $\mathrm{CMT}=\big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
Receiving a challenge $Ch$ from $\widehat{\mathcal{V}}$, it responds as follows:
\begin{itemize}
\item If $Ch=1$: Send $\mathrm{RSP}$ computed as in the case $(\overline{Ch}=2, Ch=1)$.
\item If $Ch=2$: Send $\mathrm{RSP}$ computed as in the case $(\overline{Ch}=1, Ch=2)$.
\item If $Ch=3$: Output $\bot$ and abort.
\end{itemize}
\end{description}
\smallskip
\noindent
We observe that, in all the above cases, since $\mathsf{COM}$ is statistically hiding, the distribution of the commitment $\mathrm{CMT}$ and the distribution of the challenge~$Ch$ from~$\widehat{\mathcal{V}}$ are statistically close to those in the real interaction. Hence, the probability that the simulator outputs~$\bot$ is negligibly close to~$1/3$. Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction. In other words, we have designed a simulator that can successfully emulate the honest prover with probability negligibly far from~$2/3$.
are $3$ valid responses to the same commitment $\mathrm{CMT}=(C_1, C_2, C_3)$, with respect to all $3$ possible values of the challenge. The validity of these responses implies that:
Let $\mathbf{w}' =\mathbf{w}_2-\mathbf{w}_3$, then we have $\Gamma_{\phi_2}(\mathbf{w}')=\mathbf{t}_x \in\mathsf{VALID}$ which implies that $\mathbf{w}' \in\mathsf{VALID}$. Furthermore, we have $\mathbf{M}\cdot\mathbf{w}' =\mathbf{M}\cdot(\mathbf{w}_2-\mathbf{w}_3)=\mathbf{v}\bmod q.$
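To make the abstract protocol of \cref{sse:stern-abstraction} and the extraction argument above concrete, here is an added Python example (ours, not code from the thesis or from~\cite{KTX08,LNSW13}) for the running instance $\mathsf{VALID}=\{\mathbf{w}\in\bit^D:\mathsf{wt}(\mathbf{w})=k\}$, $\mathcal{S}=\permutations_D$, $\Gamma_\phi(\mathbf{w})=\phi(\mathbf{w})$. It plays both $\mathcal{P}$ and $\mathcal{V}$ for the three challenges and then runs the extractor that outputs $\mathbf{w}'=\mathbf{w}_2-\mathbf{w}_3$. Two assumptions are made for the sake of a self-contained script: the commitment $\mathsf{COM}$ is replaced by a hash-based stand-in (it is not the \textsf{SIS}-based scheme of \cref{de:sis-commitment}), and the contents of $C_1,C_2,C_3$ and of the three responses follow the standard Stern layout ($C_1$ commits to $(\phi,\mathbf{M}\cdot\mathbf{r})$, $C_2$ to $\Gamma_\phi(\mathbf{r})$, $C_3$ to $\Gamma_\phi(\mathbf{w}+\mathbf{r})$), which Figure~\ref{fig:Interactive-Protocol} is not reproduced here to confirm.

```python
import hashlib
import json
import secrets

# ---- commitment stand-in (assumption: NOT the SIS-based COM of the thesis) ----
def commit(data, rho):
    """Hash commitment to `data` with a 32-byte opening value rho.
    Only the hiding/binding interface of COM is used by the protocol below."""
    return hashlib.sha256(json.dumps(data).encode() + rho).hexdigest()

# ---- linear algebra over Z_q ----
def matvec(M, x, q):
    return [sum(a * b for a, b in zip(row, x)) % q for row in M]

def vadd(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def vsub(a, b, q):
    return [(x - y) % q for x, y in zip(a, b)]

# ---- running instance: VALID = fixed-weight binary vectors, S = permutations of D elements ----
def gamma(phi, x):
    """Gamma_phi(x) = phi(x): coordinate i of the result is x[phi[i]]."""
    return [x[i] for i in phi]

def in_valid(w, k):
    return all(t in (0, 1) for t in w) and sum(w) == k

def random_perm(D):
    """Uniform permutation of {0..D-1} (Fisher-Yates driven by a CSPRNG)."""
    phi = list(range(D))
    for i in range(D - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        phi[i], phi[j] = phi[j], phi[i]
    return phi

# ---- prover, commitment phase ----
def prover_commit(M, w, q):
    D = len(w)
    r = [secrets.randbelow(q) for _ in range(D)]        # masking vector r_w
    phi = random_perm(D)                                # phi uniform in S
    rho = [secrets.token_bytes(32) for _ in range(3)]   # random coins for COM
    C1 = commit([phi, matvec(M, r, q)], rho[0])         # COM(phi, M.r)
    C2 = commit(gamma(phi, r), rho[1])                  # COM(Gamma_phi(r))
    C3 = commit(gamma(phi, vadd(w, r, q)), rho[2])      # COM(Gamma_phi(w + r))
    return (C1, C2, C3), {"r": r, "phi": phi, "rho": rho}

# ---- prover, response to Ch in {1,2,3} ----
def prover_respond(ch, w, state, q):
    r, phi, rho = state["r"], state["phi"], state["rho"]
    if ch == 1:   # reveal t_w = Gamma_phi(w), t_r = Gamma_phi(r); open C2, C3
        return (gamma(phi, w), gamma(phi, r), rho[1], rho[2])
    if ch == 2:   # reveal phi and w + r; open C1, C3
        return (phi, vadd(w, r, q), rho[0], rho[2])
    return (phi, r, rho[0], rho[1])   # ch == 3: reveal phi and r; open C1, C2

# ---- verifier ----
def verify(M, v, k, q, cmt, ch, rsp):
    C1, C2, C3 = cmt
    if ch == 1:
        t_w, t_r, rho2, rho3 = rsp
        # t_w must lie in VALID; Gamma_phi is linear, so Gamma_phi(w + r) = t_w + t_r
        return (in_valid(t_w, k) and C2 == commit(t_r, rho2)
                and C3 == commit(vadd(t_w, t_r, q), rho3))
    if ch == 2:
        phi2, w2, rho1, rho3 = rsp
        # M.(w + r) - v = M.r is the value C1 commits to
        return (C1 == commit([phi2, vsub(matvec(M, w2, q), v, q)], rho1)
                and C3 == commit(gamma(phi2, w2), rho3))
    phi3, w3, rho1, rho2 = rsp
    return (C1 == commit([phi3, matvec(M, w3, q)], rho1)
            and C2 == commit(gamma(phi3, w3), rho2))

# ---- knowledge extractor: valid responses to Ch = 2 and Ch = 3 on the same CMT ----
def extract(rsp2, rsp3, q):
    """w' = w_2 - w_3. Binding of COM forces phi_2 = phi_3 and Gamma_phi2(w') = t_w in VALID
    (from the Ch = 1 response), and M.w' = (M.w_2 - v) - ... gives M.w' = v mod q."""
    _, w2, _, _ = rsp2
    _, w3, _, _ = rsp3
    return vsub(w2, w3, q)
```

The \textsf{ZK} property is visible in what each response discloses: for $Ch=1$ the verifier only learns $\Gamma_\phi(\mathbf{w})$, which by condition~\eqref{eq:zk-equivalence} is a uniformly random element of $\mathsf{VALID}$, for $Ch=2$ only the one-time-padded $\mathbf{w}+\mathbf{r}_w$, and for $Ch=3$ only $\mathbf{r}_w$ itself; the extractor, by contrast, needs the responses to two distinct challenges on the same commitment, which is why a single run has soundness error $2/3$ and the protocol is repeated.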