thesis/chap-ZK.tex

380 lines
26 KiB
TeX

A \textit{Zero-Knowledge proof}~\cite{GMR85} (or \textbf{ZK proofs}) is an \textit{interactive proof} between a prover and a verifier at the end of which the verifier should be convinced of the truth of a statement (within some probability, called \emph{soundness error}), while the prover is guaranteed that the verifier learns nothing more that the authenticity of the statement.
One of the early applications of \ZK proofs in cryptography was the design of identification systems~\cite{FS86}.
The goal is for a user $A$ to prove the knowledge of a secret (such as a password) to user $B$ without revealing any piece of information about the secret, otherwise user $B$ would be able to impersonate $A$.
Since then, the use of zero-knowledge proofs is now widespread in privacy-preserving protocols like anonymous credentials~\cite{Cha85,CL01}, revocable group signatures~\cite{NFHF09}, e-cash~\cite{CHL05a}, oblivious transfer~\cite{CDN09} \ldots
If these primitives flourish in the context of number-theory-based cryptography (such as RSA groups or pairing groups), they are still elusive in the lattice world.
In this section, we first present the general principles and basic tools to handle \ZK proofs. Then we will describe two families of \ZK proofs that may prove useful in the context of pairing-based and lattice-based cryptography. Namely, Schnorr-like proofs and Stern-like proofs.
\section{Definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions}
\subsection{Zero-Knowledge proofs and arguments}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Preuves et arguments à divulgation nulle de connaissance}
\begin{definition}[Zero-knowledge proofs and arguments]
\label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument}
Let $R = \{ (x, w) \in \mathcal{L} \times \mathcal{R} \}$ be a binary relation.
A \textit{zero-knowledge proof} for a relation $R$ is an interactive protocol between a prover $P(x,w)$ and a verifier $V(x)$ where $V$ outputs a bit $b$ at the end of the interaction.
This is written as $\langle P(x,w) , V(x) \rangle = b$.
The aforementioned protocol should also verify the following properties.
\begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ \langle P(x,w), V(x) \rangle = 1 ] \geq 1 - \negl[|\lambda|]$.
\item[Soundness.] For all $x \in \mathcal{L}$, for any $\bar w \in \mathcal{R}$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[\langle P^\star(x, \bar{w}), V(x) \rangle = 1] \leq s < 1-\negl[|x|],$
where $s$ is called the \textit{soundness error}. We want $s$ to be as small as possible, ideally negligible.
\item[Zero-Knowledge.] Let $\trans(\cdot, \cdot)$ be the transcript of the interaction during the proof.
There exists a $\ppt$ simulator $S$ such that for all (possibly cheating) $\ppt$ verifier $V^\star$,
the distributions $\{\trans(P(x, w), V^\star(x))\}_{(x,w) \in R}$ and $\{S^{V^\star}(x)\}_{(x,w) \in R}$ are computationally indistinguishable.
\end{description}
If, in the \textit{soundness} definition, the adversary $P^\star$ is restricted to be a $\ppt$ algorithm, then the proof system is called an \textit{argument} system.
We can notice that the soundness error can be reduced to be negligible by repeating the proof.
If the two ensembles in the definition of \textit{zero-knowledge} are the same, then the proof is \textit{perfect zero-knowledge}.
\end{definition}
\begin{definition}[Proof of knowledge \cite{GMR85,BG92}]
\label{de:pok}
\index{Zero Knowledge!Proof of knowledge}
Let $\kappa$ be a function from $\bit^\star$ to $[0,1]$. A complete interactive proof system $(P,V)$ is said to be a \textit{proof of knowledge} for the relation $R$ with knowledge error $\kappa$ if it verifies the knowledge soundness property.
\begin{description}
\item[Knowledge soundness.] There exists a $\ppt$ algorithm $\mathcal E$, called the knowledge extractor. This algorithm takes as input $x$ and rewindable black-box access to the prover, and targets to compute a $w$ such that $(x,w) \in R$.
For any prover $\hat{P}$, let $\varepsilon(x)$ be the probability that $V$ accepts on input $x$.
There exists a constant $c$ such that, whenever $\varepsilon(x) > \kappa(x)$, $M$ will output a correct $w$ with expected time at most $\frac{|x|^c}{\varepsilon(x) - \kappa(x)},$ where access to $\hat{P}$ counts as one step.
\end{description}
\end{definition}
This extractor represents the fact that an effective prover actually knows the secret (while a zero-knowledge proof only attests the existence of a witness $w$).
In the following, $\ZKAoK$ denotes \textit{Zero-Knowledge Argument of Knowledge}.
Another useful property that a proof system can have in the context of privacy-preserving cryptography is witness indistinguishability (\textsf{WI}).
This property states that if a proof system has multiple witnesses, it is impossible to tell apart which one has been used during the proof.
\begin{definition}[Witness indistinguishable proofs~\cite{FS90}]
\label{de:wi} \index{Zero Knowledge!Witness Indistinguishability}
Let $(P,V)$ be a complete interactive proof system for relation $R$. It is said to be \textit{witness indistinguishable} if, for every $\ppt$ algorithm $\hat{V}$ and every two sequences $\{w_x\}_{(x, w_x) \in R}$, $\{w'_x\}_{(x,w'_x) \in R}$, the following ensembles are computationally indistinguishable:
\begin{align*}
\{ \trans(P(x, w_x), \hat{V}(x) \}_x && \mbox{and} && \{ \trans( P(x, w'_x), \hat{V}(x) \}_x.
\end{align*}
\end{definition}
The \textsf{WI} property is implied by the zero-knowledge property. Whereas the latter, \textit{witness indistinguishability} is preserved through parallel repetitions of the protocol~\cite{FS90}.
\subsection{$\Sigma$-protocols}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Protocoles $\Sigma$}
\label{sse:sigma-protocols}
\begin{figure}
\centering
\footnotesize
\begin{tabular}{ccc}
$P(x,w)$ & & $V(x)$\\
\hline
$(\cmt, \mathsf{st}_P) \gets P_1(x,w)$ & & \\
& $\xrightarrow{\mathmakebox[2cm]{\cmt}}$ & \\
& & $(\chall, \mathsf{st}_V) \gets V_1(x, \cmt)$ \\
& $\xleftarrow{\mathmakebox[2cm]{\chall}}$ & \\
$\rsp \gets P_2(x,w,\chall, \mathsf{st}_P)$ & & \\
& $\xrightarrow{\mathmakebox[2cm]{\rsp}}$ & \\
& & return $b = V_2(x, \chall, \rsp, \mathsf{st}_V)$
\end{tabular}
\caption{Abstract description of a $\Sigma$-protocol.} \label{fig:sigma}
\end{figure}
A way to construct zero-knowledge proofs --\,that will be described with more details in \cref{sse:schnorr}\,-- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}~\cite{Dam00,GMY03}. The resulting proof remains secure against malicious verifiers.
\begin{definition}[$\Sigma$-protocol~{\cite{Cra96}}] \index{Zero Knowledge!$\Sigma$-protocol}
\label{de:sigma-protocol}
Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is a $3$-move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties.
\begin{description}
\item[Completeness.] For any $(x,w) \in R$, $P(x,w)$ and $V(x)$ that follows the protocol, the verifier always accepts.
\item[2-Special soundness.] For any $x$ and any pair of accepting transcripts on input $x$ of the form $(\cmt, \chall, \rsp)$ and $(\cmt, \chall', \rsp')$, there exists a $\ppt$ algorithm $\extr$ that inputs the two aforementioned transcripts and outputs an element~$w$ such that~$(x,w) \in R$.
\item[Honest-Verifier Zero-Knowledge.] There exists a $\ppt$ simulator $S$, such that the two probability distributions $\{\trans(P(x,w), V(x))\}$ and $\{S(x)\}$ with honest $P$ and $V$ are statistically indistinguishable.
\end{description}
\end{definition}
An example of $\Sigma$-protocol will be given in \cref{sse:schnorr}, and its transformation into a Zero-Knowledge proof using a commitment scheme as well.
\subsection{Commitment schemes}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Mise en gage cryptographique}
Commitment schemes~\cite{Blu81} are the digital analogue of a safe. The goal is to commit a message $M$ into a commitment string $\com$ that verifies the \textit{hiding} and \textit{binding} properties.
The former is, that once a message is committed, it is impossible to know what is inside, while the latter states that, it is impossible to alter a commitment string to modify the underlying message.
\begin{figure}
\centering
\subfloat[Hiding experiments]{
\fbox{\procedure{$\Exp{\mathrm{hiding}}{\adv, b}(\lambda)$}{%
\param \gets \Setup(1^\lambda)\\
(m_0, m_1, \mathsf{st}) \gets \adv(\param, 1^\lambda)\\
(\com, \open) \gets \Commit (m_b)\\
b' \gets \adv(pk, 1^\lambda, \mathsf{com}; \mathsf{st})\\
\pcreturn b'
}}
} \hspace{1cm}
\subfloat[Binding experiment]{
\fbox{
\procedure{$\Exp{\mathrm{binding}}{\adv}(\lambda)$}{
\param \gets \Setup(1^\lambda)\\
(\com, \open, m_0, m_1) \gets \adv(\param)\\
\pcif \Verify(\param, \com, \open, m_0) = 1 \\
\pcind \wedge \Verify(\param, \com, \open, m_1) = 1\\
\!\!\pcthen~
\pcreturn 1\\
\pcelse~
\pcreturn 0
}}
}
\caption{Security experiments for commitment schemes.}
\label{fig:hiding-binding-games}
\end{figure}
\begin{definition}[Commitment schemes] \index{Commitment scheme}
\label{de:commitment}
A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Verify)$ that act as follows:
\begin{description}
\item[\textsf{Setup}$(1^\lambda)$:] This algorithm outputs the commitment scheme's common public parameters~$\param$.
\item[\textsf{Commit}$(\param, M)$:] From a message $M$ and parameters $\param$, this algorithms outputs a commitment $\com$ and an opening $\open$. The randomness $\rho$ used in the commitment is sometimes made explicit.
\item[\textsf{Verify}$(\param, \com, \open, M)$:] Using parameters $\param$ a message $M$, its commitment $\com$ and its opening $\open$, this algorithms returns bit $b$.
\end{description}
These algorithms should verify correctness, hiding and binding properties, where $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hiding-binding-games}.
\begin{description}
\item[Correctness.] For any public parameters $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$.
\item[Hiding.] For any \ppt{} adversary $\adv$ against the hiding experiment, we have that
\[ \hspace{-1cm}
\advantage{\mathrm{hiding}}{\adv}(\lambda) = \left| \Pr\left[\Exp{\mathrm{hiding}}{\adv, 1}(\lambda) = 1\right] - \Pr\left[\Exp{\mathrm{hiding}}{\adv, 0}(\lambda) = 1\right] \right| \leq \negl[\lambda],
\]
over the randomness of $\Commit$.
\item[Binding.] For any $\ppt$ adversary $\adv$ against the binding experiment,
\[
\Pr\left[\Exp{\mathrm{binding}}{\adv}(\lambda) = 1 \right] \leq \negl[\lambda].
\]
\end{description}
\end{definition}
Commitment schemes are thus used to \textit{force} the verifier of the $\Sigma$-protocol to behave honestly:~it commits its challenge at the outset of the interaction, and opens it at the challenge phase, so that it cannot change its challenge with respect to the commitment of the prover.
An example of commitment scheme that will prove useful in \cref{sse:stern} is the Kawachi, Tanaka, Xagawa \SIS-based commitment scheme~\cite{KTX08}.
This construction relies on the following hash function:
\begin{definition}[$\SIS$-based hash function] \label{de:sis-hash}
Let $n,\ell,q \in \ZZ$ be parameters such that the $\SIS_{n,\ell,q, \sqrt \ell}$ assumption holds.
Let $\mathbf{A} \in \Zq^{n \times \ell}$, and let $f_{\mathbf{A}}: \bit^\ell \to \Zq^n$ be the function that maps its input string $x$ into a binary vector $\mathbf{x} \in \Zq^n$ and outputs $\mathbf{A} \mathbf{x} \bmod q \in \Zq^n$.
One can notice that $f_{\mathbf{A}}$ is indeed a collision-resistant one-way function under the $\SIS$ assumption, as finding two inputs $x \neq \tilde{x}$ such that $\mathbf{A} \cdot \mathbf{x} = \mathbf{A} \cdot \tilde{\mathbf{x}} \bmod q$ leads to a non-zero vector $\mathbf{x}' =\mathbf{x} - \tilde{\mathbf{x}} \in \ZZ$ such that $\|\mathbf{x}'\|_2 \leq \sqrt \ell$.
It is thus possible to apply the \textit{Merkle-Damg{\aa}rd construction}~\cite{Mer79,Mer89,Dam89} on $f_{\mathbf{A}}$ to obtain a \textit{collision resistant hash function} $h_{\mathbf{A}}: \bit^\star \to \Zq^n$ that is secure under the~$\SIS_{n,\ell, q, \sqrt \ell}$ assumption.
\end{definition}
It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the following string commitment scheme.
\begin{definition}[\SIS-based commitment scheme] \label{de:sis-commitment}
Given parameters $n,m,q \in \ZZ$, let us define the following commitment scheme due to~\cite{KTX08}.
\begin{description}
\item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf{A}_M, \mathbf{A}_\rho \in \U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf{A} = [ \mathbf{A}_M \mid \mathbf{A}_\rho]$.
\item[$\textsf{Commit}(\mathbf{A}, M; \rho)$:] To commit to a string $M \in \bit^{\star}_{}$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf{A} \in \Zq^{n \times 2m}$ as $[\mathbf{A}_M \mid \mathbf{A}_\rho]$ as in the \textsf{\textbf{Setup}} algorithm,
then compute $\com = h_{\mathbf{A}_M}(M) + f_{\mathbf{A}_\rho}(\rho) \in \Zq^n$,
where $h_{\mathbf{A}_M}$ and $f_{\mathbf{A}_\rho}$ are the hash function and the one-way collision resistant function described in \cref{de:sis-hash}.
The opening corresponds to the randomness $\rho$ used in the computation.
\item[$\textsf{Verify}(\mathbf{A}, \com, \open, M)$:] First parse $\mathbf{A}$ as in the \textsf{\textbf{Setup}} algorithm. Then accept if and only if $\open \in \bit^m$ and $\com = h_{\mathbf{A}_M}(M) + f_{\mathbf{A}_\rho}(\rho)$.
\end{description}
\end{definition}
\begin{lemma}[{\cite[Le. 3.4]{KTX08}}]
If $m > 2n \log q$, the above commitment scheme is \emph{statistically hiding} and \emph{binding} under the $\SIS_{n,m,q,\sqrt{m}}$ assumption in the trusted setup model.
\end{lemma}
\subsection{Non-Interactive Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives}
\label{sse:zk-nizk}
Another useful primitives are the non-interactive version of zero-knowledge proofs.
\begin{definition}[Non Interactive Zero Knowledge]
\index{Zero Knowledge!NIZK}
\label{de:nizk-proofs}
A \textit{non-interactive zero-knowledge} proof (or \textbf{NIZK proof}) for a relation $R=\{(x,w) \in \mathcal{L} \times \mathcal{W}\}$ is a pair of $\ppt$ algorithms $(P, V)$ such that $P$ takes as inputs $x \in \mathcal{L}$ and $w \in \mathcal{W}$ and outputs a proof $\pi$, and V takes as inputs $x$ and $\pi$ and outputs a bit $b$. These algorithms should verify the following properties.
\begin{description}
\item[Completeness.] For any $(x, w) \in R$, $\Pr[ V(x, P(x, w)) = 1 ] \geq 1 - \negl[|x|]$.
\item[Soundness.] For all $x \in \mathcal{L}$, for any $\bar w \in \mathcal{W}$ such that $(x, \bar w) \notin R$, and for any cheating prover $P^\star(x, \bar w)$,
$\Pr[V(x, P^\star(x)) = 1] < \negl[|x|].$
\item[Zero-Knowledge.] There exists a $\ppt$ simulator $S$ such that the probability ensembles $\{(x, P(x, w)) \}_{(x,w) \in R}$ and $\{S(x)\}_{(x, w) \in R}$ are computationally indistinguishable.
\end{description}
\end{definition}
In the random oracle model~\cite{BR93,PS96}, it is possible to transform a ZK proof into an NIZK proof~\cite{FS86}.
This techniques is called the Fiat-Shamir transform.
\begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}]
\index{Zero Knowledge!Fiat-Shamir Transform}
Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal{H}$ be a cryptographic hash function.
Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$:
\begin{enumerate}
\item First run $P_1(x,w)$ to get a random commitment $\cmt$ and a state information $\mathsf{st}_P$;
\item Generate the challenge as $\chall \gets \mathcal{H}(x,\cmt)$;
\item Run $\rsp \gets P_2(x, w, \chall, \mathsf{st}_P)$;
\item Return the proof $\pi = (\cmt, \rsp)$.
\end{enumerate}
And let $\hat V$ be the following non-interactive verifier that takes as inputs $x$ and $\pi$:
\begin{enumerate}
\item Parse $\pi$ as $(\cmt, \rsp)$;
\item Generate the challenge $\chall = \mathcal{H}(x, \cmt)$;
\item Return $V_2(x, \chall, \rsp, \emptyset)$.
\end{enumerate}
Then $(\hat P, \hat V)$ forms a non-interactive zero-knowledge proof in the \ROM.
\end{definition}
For the sake of completeness, we also mention $\NIZK$ in the standard model, such as Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis.
In the trusted setup model (also known as common reference string model) described in \cref{se:games-sim}, there is also another type of $\NIZK$ proofs that is useful for us, for instance in \cref{ch:sigmasig}.
Quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} are \NIZK where the common reference string $\crs$ may depend on the language for which proofs have to be generated (that is, the distribution $\dst_\crs$ is a function of the language we want to prove). A formal definition can be found in~\cite{JR13,KW15,LPJY15}, where completeness, soundness and zero-knowledge properties are adapted to take into account the \crs.
\begin{definition}[Quasi-Adaptive Non-Interactive Zero-Knowledge Argument]
\index{Zero Knowledge!\QANIZK}
\label{de:qa-nizk}
A \textit{Quasi-Adaptive Non-Interactive Zero-Knowledge Argument} argument (or \textbf{\QANIZK}) over a collection of relations $\mathcal{R}=\{ R_\rho \}$ parametrized by a string $\rho$ consists in four $\ppt$ algorithms $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$.
The algorithms $\mathsf{Gen}_0$ and $\mathsf{Gen}_1$ both generate the $\crs$. $\mathsf{Gen}_0$ inputs $1^\lambda$ and outputs~$\Gamma$ the fixed part of the $\crs$ from which $\rho$ is sampled according to a distribution $\dst_\Gamma$, while $\mathsf{Gen}_1$ inputs $\Gamma$ and $\rho$ to output a language-dependent part~$\psi$ (or directly the $\crs = (\Gamma, \psi, \rho)$).
The prover $P$ and the verifier $V$ act as in~\cref{de:nizk-proofs} with the difference that, they also take as input the common reference string $\crs$.
We consider proof systems where the prover and the verifier both take a label $\tau$ as additional input.
Formally, a tuple $(\mathsf{Gen}_0, \mathsf{Gen}_1, P, V)$ of $\ppt$ algorithms is a \QANIZK proof system for $\mathcal{R}$ if, there exists a $\ppt$ simulator $(S_1, S_2)$ such that for any $\ppt$ adversaries $\adv_1, \adv_2$ and $\adv_3$, the following properties hold:
\begin{description}
\item[Quasi-Adaptive Completeness.]
\[ \Pr\left[
\begin{array}{c}
V(\crs, x, \pi, \tau) = 1 \\
\mbox{if } R_\rho(x, w) = 1
\end{array} \left|
\begin{array}{c}
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma;\\
\crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x,w,\tau) \gets \adv_1(\crs, \rho) \\
\pi \gets P(\crs, x, w);
\end{array}
\right.
\right] = 1. \]
\item[Quasi-Adaptive Soundness.]
\[ \Pr\left[\begin{array}{c}
(\forall w: (x, w) \notin R_\rho) \\
\land V(\crs, x, \pi, \tau) = 1
\end{array}
\left|
\begin{array}{c}
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\
\crs \gets \mathsf{Gen}_1(\Gamma, \rho); (x, \pi, \tau) \gets \adv_2(\crs)
\end{array}
\right. \right] \leq \negl[\lambda] . \]
\item[Quasi-Adaptive Zero-Knowledge.]
\begin{multline*}
\Pr[\adv_3^{P(\psi, \cdot)}(\Gamma, \psi, \rho) = 1
\mid \Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \crs \gets \mathsf{Gen}_1(\Gamma, \rho)
] \\
\approx_s \Pr\left[
\adv_3^{S(\psi, \tau_{sim}, \cdot)}(\Gamma, \psi, \rho) = 1
\left|
\begin{array}{c}
\Gamma \gets \mathsf{Gen}_0(1^\lambda); \rho \gets \dst_\Gamma; \\
(\psi, \tau_{sim}) \gets S_1(\Gamma, \rho)
\end{array}
\right.
\right]
\end{multline*}
Where
\begin{itemize}
\item $P(\psi, \cdot)$ emulates the actual prover. It inputs $(x, w, \tau)$ and outputs a proof $\pi$ if $(x, w) \in R_\rho$. Otherwise, it outputs $\bot$.
\item $S(\psi, \tau_{sim}, \cdot)$ is an oracle that takes as input $(x,w,\tau)$ and outputs a simulated proof $S_2(\psi, \tau_{sim}, x, \tau)$ if $(x,w) \in R_\rho$ and $\bot$ otherwise.
\end{itemize}
\end{description}
\end{definition}
\section{Schnorr Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
\label{sse:schnorr}
\begin{figure}
\textbf{Common input:} A prime-order group $\GG$ of order $p$ with a generator $g$.
\bigskip
\centering
\procedure{Schnorr's Protocol for DLOG}{%
P(h,a) \> \> V(h) \\
r \sample \ZZ_p^\star \> \> \\
\rho = g^r \in \GG \\
\> \sendmessageright*{\rho} \> \\
\> \> c \sample \ZZ_p \\
\> \sendmessageleft*{c} \> \\
d \gets c \cdot a + r \bmod p \\
\> \sendmessageright*{d} \> \\
\> \> \pcif g^d = h^c \cdot \rho \pcthen\\
\>\> \pcind \pcreturn 1\\
\>\> \pcelse \\
\>\> \pcind \pcreturn 0
}
\caption{The Schnorr $\Sigma$-protocol for discrete logarithm.}
\label{fig:schnorr-dlog}
\end{figure}
\index{Zero Knowledge!Schnorr's protocol}
Schnorr's methodology~\cite{Sch96} to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs.
It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p > 2$) and is described in Figure~\ref{fig:schnorr-dlog}.
An interpretation of this methodology is the following: given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in binding the randomness used in the commitment scheme $r$ using the transmitted value $\rho = g^r$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$.
Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$.
In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}: a commitment of a message $m \in \Zp$ is $g^m \cdot h^r \in \GG$ and the opening is the randomness $r$ used to commit.
For efficiency reasons, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}.
This methodology has also been adapted to the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct ZK proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}.
In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$.
The part between brackets is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V.
This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.% (recall that, unlike the zero-knowledge property, witness indistinguishability is preserved under parallel repetitions).
\begin{figure}
\textbf{Common input:} A public element $\mathbf{a} \in R$ where $R = \ZZ_p[\mathbf{x}]/\langle \mathbf{x}^n + 1 \rangle$.
\bigskip
\centering
\procedure{Schnorr's Protocol for Ring-SIS}{%
P(\mathbf{t} = \mathbf{a} \cdot \mathbf{s}_1 + \mathbf{s}_2, (\mathbf{s}_1, \mathbf{s}_2)) \> \> V(\mathbf{t}) \\
\mathbf{y}_1, \mathbf{y}_2 \sample D_y \in R \> \> \\
\mathbf{w} = \mathbf{a} \cdot \mathbf{y}_1 + \mathbf{y}_2 \in R \\
\> \sendmessageright*{\mathbf{w}} \> \\
\> \> \mathbf{c} \sample D_c \in R \mbox{ (small)} \\
\> \sendmessageleft*{\mathbf{c}} \> \\
\mathbf{z}_1 \gets \mathbf{s}_1 \mathbf{c} + \mathbf{y}_1 \in R\\
\mathbf{z}_2 \gets \mathbf{s}_2 \mathbf{c} + \mathbf{y}_2 \in R\\{}
[\pcif \mathbf{z}_1, \mathbf{z}_2 \notin G^2 \pcthen\\
\pcind \mathbf{z}_1, \mathbf{z}_2 \gets \bot, \bot ]\\
\> \sendmessageright*{\mathbf{z}_1, \mathbf{z}_2} \> \\
\> \> \pcif \mathbf{z}_1 \in G \wedge \mathbf{z}_2 \in G \wedge\\
\>\> \pcind \mathbf{a} \cdot \mathbf{z}_1 + \mathbf{z}_2 = \mathbf{t} \mathbf{c} + \mathbf{w} \pcthen\\
\>\> \pcind \pcreturn 1\\
\>\> \pcelse \\
\>\> \pcind \pcreturn 0
}
\caption{The Schnorr $\Sigma$-protocol for Ring-SIS.}
\label{fig:schnorr-lwe}
\end{figure}
One can notice that this is \textit{not} a $\Sigma$-protocol in the strict sense as the knowledge extractor outputs \textit{witnesses} that can be up to $\softO(n)$ larger than the actual witness in infinity norm. This behavior is sometimes called ``\textit{imperfect soundness}'' or ``\textit{soundness slack}''.
However, this method suffers from \textit{limited expressiveness}: the relations that can be proved with this proof system are essentially restricted to be knowledge of a Ring-\SIS secret, which is not sufficient to prove, for instance, the knowledge of a signature on a committed message. Moreover, the gap in the extraction makes it hard, although, to prove that an underlying message under an encryption is binary~\cite{dPLNS17}.
\section{Stern-like Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves à la Stern}
\label{sse:stern}
\input sec-stern