From 0db1043246c60874bb87715eac070fd0ac77d9cd Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Tue, 19 Jun 2018 13:22:22 +0200 Subject: [PATCH] WI and Proof of knowledge --- chap-ZK.tex | 27 ++++++++++++++++++++++++++- symbols.tex | 1 + 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/chap-ZK.tex b/chap-ZK.tex index 800936a..947f33d 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex 
@@ -37,6 +37,31 @@ In this section, we first present the general principles and basic tools to hand If the two ensembles in the definition of \textit{zero-knowledge} are the same, then the proof is \textit{perfect zero-knowledge}. \end{definition} +\begin{definition}[Proof of knowledge \cite{GMR85,BG92}] + \index{Zero Knowledge!Proof of knowledge} + Let $\kappa$ be a function from $\bit^\star$ to $[0,1]$. A complete interactive proof system $(P,V)$ is said to be a \textit{proof of knowledge} for the relation $R$ with knowledge error $\kappa$ if it verifies the knowledge soundness property. + \begin{description} + \item[Knowledge soundness.] There exists a $\ppt$ algorithm $\mathcal E$, called the knowledge extractor. This algorithm takes as input $x$ and rewindable black-box access to the prover, and targets to compute a $w$ such that $(x,w) \in R$. + For any prover $\hat{P}$, let $\varepsilon(x)$ be the probability that $V$ accepts on input $x$. + There exists a constant $c$ such that, whenever $\varepsilon(x) > \kappa(x)$, $M$ will output a correct $w$ with expected time at most $\frac{|x|^c}{\varepsilon(x) - \kappa(x)},$ where access to $\hat{P}$ counts as one step. + \end{description} +\end{definition} + +This extractor represents the fact that an effective prover actually knows the secret (while a zero-knowledge proof only attests the existence of a witness $w$). +In the following, $\ZKAoK$ denotes \textit{Zero-Knowledge Argument of Knowledge}. + +Another useful property that a proof system can have in the context of privacy-preserving cryptography is witness indistinguishability (\textsf{WI}). +This property states that if a proof system has multiple witnesses, it is impossible to tell apart which one has been used during the proof. + +\begin{definition}[Witness indistinguishable proofs~\cite{FS90}] + Let $(P,V)$ be a complete interactive proof system for relation $R$. 
It is said to be \textit{witness indistinguishable} if, for every $\ppt$ algorithm $\hat{V}$ and every two sequences $\{w_x\}_{(x, w_x) \in R}$, $\{w'_x\}_{(x,w'_x) \in R}$, the following ensembles are computationally indistinguishable: + \begin{align*} + \{ \trans(P(x, w_x), \hat{V}(x) \}_x && \mbox{and} && \{ \trans( P(x, w'_x), \hat{V}(x) \}_x. + \end{align*} +\end{definition} + +The \textsf{WI} property is implied by the zero-knowledge property. Whereas the latter, \textit{witness indistinguishability} is preserved through parallel repetitions of the protocol~\cite{FS90}. + \subsection{$\Sigma$-protocols} \addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Protocoles $\Sigma$} \label{sse:sigma-protocols} 
@@ -311,7 +336,7 @@ For efficiency reasons, Schnorr's protocol is used along with Fiat-Shamir heuris This methodology has also been adapted to the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct ZK proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}. In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$. The part between brackets is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V. -This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90} (recall that, unlike the zero-knowledge property, witness indistinguishability is preserved under parallel repetitions). +This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.% (recall that, unlike the zero-knowledge property, witness indistinguishability is preserved under parallel repetitions). \begin{figure} \textbf{Common input:} A public element $\mathbf{a} \in R$ where $R = \ZZ_p[\mathbf{x}]/\langle \mathbf{x}^n + 1 \rangle$. diff --git a/symbols.tex b/symbols.tex index 660f63e..d7c6023 100644 --- a/symbols.tex +++ b/symbols.tex 
@@ -31,6 +31,7 @@ $\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\ $\NIZK$ & Non-Interactive Zero-Knowledge \\ $\QANIZK$ & Quasi-Adaptive Non-Interactive Zero-Knowledge \\ + $\textsf{WI}$ & Witness indistinguishable \\ $\OT$ & Oblivious Transfer \\ [1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\ $\advantage{\mathrm{E}}{\adv}$ & Advantage of adversary $\adv$ for experiment $\mathrm{E}$ \\
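Review bot: In the Knowledge soundness item of the new Proof of knowledge definition (chap-ZK.tex, first hunk), the extractor is introduced as $\mathcal E$ but the last sentence says "$M$ will output a correct $w$"; rename $M$ to $\mathcal E$ so the definition is self-consistent. In the align* of the witness indistinguishability definition both transcripts miss a closing parenthesis: they should read `\trans(P(x, w_x), \hat{V}(x))` and `\trans(P(x, w'_x), \hat{V}(x))`. The closing sentence "The \textsf{WI} property is implied by the zero-knowledge property. Whereas the latter, \textit{witness indistinguishability} is preserved ..." is ungrammatical; suggest "Unlike the latter, witness indistinguishability is preserved under parallel repetition of the protocol~\cite{FS90}." The remark "while a zero-knowledge proof only attests the existence of a witness $w$" contrasts with the wrong property: it is (plain) soundness that only guarantees the existence of a witness, zero-knowledge concerns what the verifier learns. Minor wording: "targets to compute" reads better as "aims at computing", and "if it verifies the knowledge soundness property" as "if it satisfies".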
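Review bot: In the second chap-ZK.tex hunk, the `%` leaves the parenthetical reminder about parallel repetition as dead commented-out text in the source; since this fact is now stated right after the WI definition, either delete it or replace it with a short cross-reference to that definition. The touched line still reads "This part induced a noticeable error-rate where the prover aborts the proof"; since it is being edited anyway, fix the tense to "induces" and write "error rate".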
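Review bot: The new symbols.tex row uses an inline `$\textsf{WI}$` where the neighbouring rows rely on dedicated macros (`$\ZKAoK$`, `$\NIZK$`, `$\QANIZK$`, `$\OT$`); chap-ZK.tex also spells it out as `\textsf{WI}` twice, so defining a `\WI` macro and using it in both files would keep the notation consistent and easy to change later. The description "Witness indistinguishable" is an adjective next to noun entries; "Witness Indistinguishability" (or "Witness Indistinguishable proof") matches the other rows.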