Non-interactive zero-knowledge proof scheme from RLWE-based key exchange

Lattice-based non-interactive zero-knowledge proofs are widely used where only one-way communication is available, and they resist quantum attacks. However, lattice-based non-interactive zero-knowledge proof schemes have long struggled with efficiency issues such as proof size and verification time. In this paper, we propose non-interactive zero-knowledge proof schemes built from an RLWE-based key exchange, using a hash function and public-key encryption. We then show how the proposed schemes achieve a fixed proof size and fast public verification. Compared with previous approaches, our schemes achieve smaller proof size and shorter verification time. In addition, the proposed schemes satisfy completeness, soundness, and zero-knowledge.


Introduction
With the development of information networks, concern about the privacy of personal data is growing. Users want to communicate on the Internet without revealing individual data [1][2][3][4][5][6][7], such as passwords, personal asset information, personal health condition, and so on. In cryptographic theory, the zero-knowledge (ZK) proof [8] is an essential technique for protecting such information. In the 1980s, Goldwasser et al. proposed the interactive zero-knowledge proof for the first time. Subsequently, Blum et al. [9] first proposed the non-interactive zero-knowledge proof, which is characterized by a single message from the prover to the verifier. Andre et al. [10] designed a protocol based on the RSA public-key cryptosystem for proof of ownership. Siamak et al. pointed out the significance of credential ownership proofs and gave a proof based on the RSA signature scheme [11]. Over the past three decades, extensive research has been conducted on zero-knowledge proofs in terms of security and efficiency [12][13][14], and they are used in fields such as authentication and ownership [15][16][17].
Since non-interactive zero-knowledge proofs are suited to offline operation, they have more application scenarios. There are usually two methods for turning an interactive zero-knowledge proof into a non-interactive one: the Fiat-Shamir heuristic and the CRS (Common Reference String) model. The Fiat-Shamir heuristic relies on a random oracle to generate a uniformly random challenge. The CRS model relies on a trusted third party or secure multi-party computation to obtain the common reference string. A series of studies use the Fiat-Shamir heuristic; Lindell et al. [18] and Ciampi et al. [19] redesigned the transform to improve security and efficiency. With the rapid adoption of cryptocurrency, after Groth [20] proposed constant-size proofs, the first zero-knowledge succinct non-interactive argument of knowledge (ZK-SNARK), which assumes a trusted third party, has also been widely studied. Zero-knowledge proof schemes built on traditional cryptography have been widely used and have made great contributions to efficiency, security, and so on. However, researchers have paid less attention to zero-knowledge proof schemes that resist quantum attacks.
With the rapid development of quantum computers, a series of post-quantum cryptographic algorithms have been studied [21]. Lattice-based cryptographic algorithms can effectively resist quantum attacks. Ajtai et al. [22] introduced lattice-based cryptography and gave the first rigorous worst-case to average-case reduction. Because of the security and applicability of lattice-based algorithms, extensive research has followed. In 2010, RLWE (Ring Learning with Errors), proposed by Lyubashevsky et al. [23], significantly shortened key lengths and improved efficiency. Lattice-based cryptography has since seen extensive research and application, and lattice-based zero-knowledge proofs have developed gradually.

Related works
In 2012, Vadim Lyubashevsky used the Fiat-Shamir with Aborts technique to design a zero-knowledge proof scheme [24], which proves knowledge of $s$ satisfying $As = t \bmod q$ without revealing the secret value $s$. The signature size is 16500 bits, which can be shortened with a compression technique; the scheme relies on the SIS (Small Integer Solution) and LWE (Learning with Errors) problems. The scheme was then applied and extended by Vadim Lyubashevsky and Gregory Neven to a ciphertext-verifiable scheme [25]. At the same time, Fabrice Benhamouda et al. [26] used zero-knowledge to prove that a secret value $s$ satisfies $p = as + e$, applied to group signature authentication to protect the anonymity of group members; however, its security rests on both a lattice assumption and the discrete-logarithm problem. We should therefore consider how to construct an effective zero-knowledge proof system, in terms of proof size and security, to promote its application.
Most work on commitment schemes gives quite effective constructions for zero-knowledge proofs, e.g. [27][28][29][30][31][32][33]. Fabrice Benhamouda et al. [27] constructed a simple and efficient string commitment scheme based on RLWE together with zero-knowledge proofs of knowledge for linear and multiplicative relations, with communication complexity $O(Mn\log q)$; to reach negligible soundness error the protocol must run $M$ rounds. Vadim Lyubashevsky et al. [28] proposed splitting the polynomial into multiple factors, which improves the computation and hides more information. Baum et al. [29] constructed a novel zero-knowledge proof of preimages as a tool against malicious adversaries. Muhammed et al. [30] used the one-shot proof technique for non-linear polynomial relations to improve computation and communication performance. Baum et al. designed a zero-knowledge argument for specific languages based on the short integer solution assumption, with communication complexity $\sqrt{m \log m}$, where $m$ is the number of gates [31]. The proof size of the scheme of Bootle et al. [32] is better than that of Stern-type proofs, but its verification time still needs improvement. Baum et al. [33] constructed a practical zero-knowledge proof of opening knowledge that improves on the scheme of Fabrice Benhamouda et al. [27], showing that the prover need not send additional proof for part of the computation. Obviously, the disadvantage of all these commitment schemes is that the commitments themselves consume computation and communication in the interaction. Moreover, given their interactivity and proof size, commitment schemes are not suitable for a publicly-verifiable scheme.
We therefore adopt non-interactive zero-knowledge proof to design a publicly-verifiable scheme with shorter proof size and verification time.
Subsequently, related research has also improved efficiency and security [34, 35]. Among them, Rafael et al. [34] proposed a scheme that reduces the proof size; its main idea is to reduce the number of equations in the protocol at the cost of increased proving time. It is an interactive scheme, unlike the non-interactive setting we discuss. The LWE-based non-interactive zero-knowledge proof from SSP (Square Span Programs) in ZK-SNARKs was proposed by Rosario Gennaro et al. [35], is considered post-quantum secure, and could be used in the anonymous cryptocurrency Zerocash. Its proof size is constant, consisting of just 5 LWE encodings. Rosario Gennaro et al. mainly focused on designated-verifier proofs, whereas we study publicly-verifiable proofs. Ding used the signal function from the RLWE key exchange to design an efficient interactive zero-knowledge authentication protocol [36], and pointed out that an RLWE-based non-interactive zero-knowledge authentication scheme is future work. Based on this comparison, we construct new non-interactive zero-knowledge proof protocols that prove ownership with small proof size and high efficiency.

Motivation
Private data that needs protection arises in many scenarios: for example, you hold a private key, you have enough money to pay for a transaction, or you know the solution to a puzzle. In each case the prover must generate a proof for the verifier that it holds the secret value, whether for ownership, an account balance, a Sudoku solution, and so on. Because of the convenience of one-time communication, we study lattice-based non-interactive zero-knowledge proofs that resist quantum attacks. To cover a wide range of scenarios, the scheme is extended from designated-verifier to publicly-verifiable. Since we do not completely trust a trusted third party, and we want nobody to learn our secret value, we introduce a semi-trusted third-party assumption: the third party can only attest to the secret value but learns nothing about it. This assumption further strengthens the protection of the secret and the security of the scheme.

Contributions
The main contributions of this paper are as follows: 1. We design a non-interactive zero-knowledge proof scheme with constant proof size for a designated verifier, and prove that it satisfies completeness, soundness, and zero-knowledge.
2. In order to satisfy the fixed proof size and improve verification efficiency, we combine public-key encryption with a semi-trusted third-party assumption to construct a publicly-verifiable scheme and prove the security of the scheme.
3. Compared with previous schemes that are efficient, our schemes achieve smaller zero-knowledge proof size and shorter verification time.

Organization
The rest of this paper is organized as follows. Section 2 gives the preliminaries for the schemes. Section 3 constructs a designated-verifier zero-knowledge proof scheme based on key exchange and analyses its security. Section 4 constructs the publicly-verifiable non-interactive zero-knowledge proof and analyses its security. Section 5 compares the efficiency of our schemes with existing protocols. Section 6 concludes the paper.

Notations
The notations used throughout the paper are listed in Table 1.

Non-interactive zero-knowledge proof
Any polynomial $a \in R_q$ is represented by its coefficient vector $\{a_0, a_1, \dots, a_{n-1}\}$ in $\mathbb{Z}_q$.
Zero-knowledge. If the statement is true, the verifier learns nothing beyond the fact that the statement is true.
That is, there is a polynomial-time simulator such that, for all $x \in L$ and secret value $s$, the following two distributions are computationally indistinguishable, $|\Pr[\mathrm{Exp}_{ZK\text{-}real} = 1] - \Pr[\mathrm{Exp}_{ZK\text{-}sim} = 1]| = \mathrm{negl}$, where $\mathrm{Exp}_{ZK\text{-}real} = 1$ denotes the output of the real system and $\mathrm{Exp}_{ZK\text{-}sim} = 1$ the output of the simulated system.
Non-interactive. The prover only has one-way communication to the verifiers during the proof phase.

Ring learning with error
Here we informally recall the Ring Learning with Errors assumption, the ring variant of the classical hard lattice problem defined by Regev [37]. The security of our quantum-resistant schemes relies on the following hardness assumption, which has been used previously in the literature [36, 37]. Let $n \in \mathbb{Z}$ be a power of 2, let $q$ be a positive integer, let $R_q = \mathbb{Z}_q[x]/(x^n + 1)$, and let $\chi_\alpha$ be the discrete Gaussian distribution on $R_q$. For a uniformly chosen element $s$ of the polynomial ring $R_q$, let $A_{s,\chi_\alpha}$ be the distribution of the pair $(a, as + 2e) \in R_q \times R_q$, where $a \leftarrow R_q$ is chosen uniformly and $e \leftarrow \chi_\alpha$ is independent of $a$. Then $A_{s,\chi_\alpha}$ is computationally indistinguishable from the uniform distribution on $R_q \times R_q$ for any probabilistic polynomial-time (PPT) algorithm. Assumption 1 [36]. The security of our schemes relies on the Ring-LWE assumption, stating that the distribution of $(h_i, h_i s + e_i)$, where $h_i$ is random in $R_q$ and $s, e_i$ are small polynomials, is indistinguishable from uniform. The search version of Ring-LWE modifies the above by requiring the PPT algorithm to find $s$ rather than distinguish the two distributions.

Signal function
We introduce the signal function [38] to eliminate the errors caused by the $\mathrm{Mod}_2$ function over $R_q$.
The signal function $\mathrm{Char}: \mathbb{Z}_q \to \{0, 1\}$ is then defined as follows:

Definition 5
The function $\mathrm{Mod}_2: \mathbb{Z}_q \times \{0,1\} \to \{0,1\}$ is defined as in the signal-function construction of [38]. Lemma 3. Let $q > 8$ be an odd prime, and let $x, y \in \mathbb{Z}_q$ with $\|x - y\|_\infty < q/4$ and $a = \mathrm{Char}(x)$. Then $\mathrm{Mod}_2(x, a) = \mathrm{Mod}_2(y, a)$. This follows from the definition of $\mathrm{Char}$ by taking both sides of the relation between $x$ and $y$ modulo 2. The signal function and the $\mathrm{Mod}_2$ function are extended to the polynomial ring, $x \in R_q$, by applying them to each coefficient $x_i \in \mathbb{Z}_q$; clearly Lemma 3 still holds for polynomial ring elements. In the following we use the extended signal and $\mathrm{Mod}_2$ functions over $R_q^{n \times n}$. Ding et al. [41] pointed out in 2017 that the signal function may leak the secret key when an RLWE public key is reused over the long term. This does not mean that the signal function can never be used: Gao et al. [42] proposed in 2018 a key-reuse mode that adds the user ID and a fresh public error to resist this attack.
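As an added example, not code from the paper, the following Python implements the signal function $\mathrm{Char}$ and the reconciliation function $\mathrm{Mod}_2$ on $\mathbb{Z}_q$ and checks Lemma 3 by exhaustion for small odd primes. The definitions follow Ding et al. [38] and are an assumption here, since the paper's own formula for $\mathrm{Char}$ is not in the text: $\mathrm{Char}(v) = 0$ iff the centred representative of $v$ lies in $[-\lfloor q/4 \rfloor, \lfloor q/4 \rfloor]$, and $\mathrm{Mod}_2(v, w) = ((v + w \cdot \tfrac{q-1}{2}) \bmod q) \bmod 2$ on centred representatives. The check also exposes the two conditions a practitioner must keep in mind: the difference $x - y$ has to be even (it is $2e$ in the key exchange) and bounded by $q/4$; otherwise the reconciled bits disagree.

```python
# Added example: signal function Char and reconciliation Mod_2 over Z_q,
# following Ding et al. [38] (assumed definitions), with a brute-force check
# of Lemma 3 for small odd primes q > 8.
import random


def center(v, q):
    """Centred representative of v mod q, in [-(q-1)/2, (q-1)/2]."""
    v %= q
    return v - q if v > (q - 1) // 2 else v


def char(v, q):
    """Signal bit: 0 if v lies in E = [-floor(q/4), floor(q/4)], else 1."""
    return 0 if -(q // 4) <= center(v, q) <= q // 4 else 1


def mod2(v, w, q):
    """Mod_2(v, w) = ((v + w*(q-1)/2) mod q) mod 2, computed on the centred
    representative so that small even shifts never wrap around."""
    return center(v + w * ((q - 1) // 2), q) % 2


def reconcile(x, y, q):
    """One party holds x, the other y = x + 2e (mod q).  The x-holder publishes
    w = Char(x); both then derive a bit with Mod_2.  Returns (bit_x, bit_y, w)."""
    w = char(x, q)
    return mod2(x, w, q), mod2(y, w, q), w


def lemma3_holds(q):
    """Exhaustive check of Lemma 3: for every x in Z_q and every even shift 2e
    with |e| <= floor((q-1)/8) (so |2e| < q/4), Mod_2(x, Char(x)) equals
    Mod_2(x + 2e, Char(x)).  Returns True if no counterexample exists."""
    bound = (q - 1) // 8
    for x in range(q):
        w = char(x, q)
        bit_x = mod2(x, w, q)
        for e in range(-bound, bound + 1):
            if mod2(x + 2 * e, w, q) != bit_x:
                return False
    return True


def sampled_lemma3_holds(q, trials, seed=0):
    """Same check for a large q, on random x and e (seeded for reproducibility)."""
    rng = random.Random(seed)
    bound = (q - 1) // 8
    for _ in range(trials):
        x = rng.randrange(q)
        e = rng.randint(-bound, bound)
        bit_x, bit_y, _ = reconcile(x, x + 2 * e, q)
        if bit_x != bit_y:
            return False
    return True


def first_odd_shift_failure(q):
    """Caveat 1: the shift must be even.  Returns the first x for which a shift
    of 1 changes the reconciled bit (None if there is none)."""
    for x in range(q):
        w = char(x, q)
        if mod2(x + 1, w, q) != mod2(x, w, q):
            return x
    return None


def first_large_shift_failure(q):
    """Caveat 2: the shift must satisfy |2e| < q/4.  Returns the smallest even
    shift 2e >= q/4 for which some x reconciles wrongly (None if none found)."""
    for two_e in range((q + 3) // 4, q):
        if two_e % 2:
            continue
        for x in range(q):
            w = char(x, q)
            if mod2(x + two_e, w, q) != mod2(x, w, q):
                return two_e
    return None


if __name__ == "__main__":
    for q in (11, 13, 97, 101):
        print(q, lemma3_holds(q), first_odd_shift_failure(q), first_large_shift_failure(q))
    print(12289, sampled_lemma3_holds(12289, 10000))
```

The centred representative matters: with representatives in $[0, q)$ a value near 0 shifted by a negative $2e$ wraps to near $q$ and its parity flips, because $q$ is odd. In the key exchange the two parties' values differ by $2(S_A e_B - S_B e_A)$, which is even by construction; Lemma 4 then only has to bound its magnitude.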

DVNIZK scheme
First, we describe the designated-verifier non-interactive zero-knowledge proof scheme (DVNIZK), which is built on the RLWE key exchange. Only the designated verifier can check a proof in the DVNIZK scheme. The scheme is a one-time proof: a new session is built for each designated verifier, and the prover generates fresh errors for each verifier. Therefore, the scheme resists signal-function leakage attacks.
The scheme involves two parties, the prover and the verifier. The prover generates a proof for the verifier that it holds the secret value (ownership, account balance, Sudoku solution, etc.), as illustrated in Fig 1. For the first scheme we give a security model for designated-verifier non-interactive zero-knowledge proof in the random oracle model, similar to the model of [36]. The first scheme consists of three algorithms, Setup, Proof and Verify, shown in Fig 2.
1. Setup:
• Generate the public parameters $q, n, \alpha$, where $q > 8$ is prime.
• Let $M \leftarrow R_q^{n \times n}$ be a uniformly random matrix.

PLOS ONE
(where $i$ and $j$ range from 1 to $n$). Each $s_{ij}$ is sampled from the discrete Gaussian distribution with parameter $\sigma$, so $S_A$ is an $n \times n$ matrix of ring elements, and $e_A$ is sampled in the same way as $S_A$. All multiplications of ring elements are reduced modulo $q$ and modulo the irreducible polynomial $x^n + 1$.
are also $n \times n$ dimensional, and $S_B$ and $e_B$ are sampled in the same way as $S_A$.
• $P$ sends $(K, \omega)$ to $V$.

• Upon receiving $(K, \omega)$, only the designated verifier can do the following:

Security analysis
Security is the most important property of a zero-knowledge proof scheme. The first, designated-verifier scheme can only be used as a one-time proof. It satisfies the three properties of a zero-knowledge proof: completeness, soundness and zero-knowledge. We give a brief security analysis below. Lemma 4. Let $q > 16\sigma^2 n^{3/2}$. Then $\mathrm{Mod}_2(x, \omega) = \mathrm{Mod}_2(y, \omega)$, except with negligible probability.
By Lemma 3, we obtain $\|x_{i,j} - y_{i,j}\|_\infty < 4\sigma^2 n^{3/2} < q/4$, which holds for $q > 16\sigma^2 n^{3/2}$ with probability $1 - 2^{-n}$. 1) Completeness. The form of the proof is as follows: after receiving the proof, the verifier holds $S_B, P_A, K, \omega$ and computes $H(J)$ by straightforward calculation, where $J = \mathrm{Mod}_2(y, \omega)$.
If $S_A$ is genuine, then by Lemma 4 $\mathrm{Mod}_2(x, \omega) = \mathrm{Mod}_2(y, \omega)$, i.e. $W = J$. Hence $K = H(W)$ equals $H(J)$, and the verifier is convinced that the prover holds the secret.
2) Soundness. Assume that $P$ is an adversary acting as an oracle that generates valid proofs for the honest verifier with non-negligible probability, as follows.
Game 0: the original scheme. $P_A = M \cdot S_A + 2e_A \bmod q$ and $P_B = M^T \cdot S_B + 2e_B \bmod q$; then $W, \omega, K, J$ are generated and the verifier outputs a bit $b_d$, where $b_d = 1$ means the verifier accepts and $b_d = 0$ means it rejects.
Game 1: identical to Game 0 except that $P_A$ is chosen uniformly at random. $\mathcal{A}$ can generate a valid proof for a uniformly random $P_A$ only with negligible probability.
Lemma 5. If a prover acting as adversary $\mathcal{A}$ can generate a valid proof for $P_A = M \cdot S_A + 2e_A \bmod q$ without the secret $S_A$ that convinces the honest verifier with non-negligible probability, then there is a distinguisher of $P_A$ from uniform with the same probability.
Proof. Let $\mathcal{B}$ be an RLWE distinguisher that plays the honest verifier against $\mathcal{A}$. $\mathcal{B}$ forwards the challenge $(M, P_A)$ from the RLWE challenger to $\mathcal{A}$. If $P_A = M \cdot S_A + 2e_A \bmod q$, the interaction between $\mathcal{A}$ and $\mathcal{B}$ is exactly Game 0, and $\mathcal{B}$ outputs 1. If $P_A$ is uniform, the interaction is exactly Game 1, and $\mathcal{B}$ outputs 0.
If $\mathcal{A}$ could generate a valid proof for a uniform $P_A$ with non-negligible probability, $\mathcal{B}$ as defined would fail; equivalently, such an adversary solves the search version of Ring-LWE with the same probability. Suppose $\mathcal{A}$ generates $K$ and $\omega$ that the honest verifier accepts for $P_A$ without the secret $S_A$. In the first scheme the crucial check is $J = \mathrm{Mod}_2(y, \omega)$, so a valid proof can only be obtained by guessing, or by correctly computing, $\mathrm{Char}(y)$ and $\mathrm{Mod}_2(y, \mathrm{Char}(y))$.

On the one hand, the probability of guessing a valid proof by brute force is negligible.
On the other hand, suppose the adversary tries to compute $\mathrm{Char}(y)$ and $\mathrm{Mod}_2(y, \mathrm{Char}(y))$ correctly. Since the scheme is used as a one-time proof, there is no signal-function leakage attack that exposes the secret value. To compute the correct $\mathrm{Char}(y)$ and $\mathrm{Mod}_2(y, \mathrm{Char}(y))$, $\mathcal{A}$ would need the secret value $S_B$; but knowing $S_B$ means solving the search version of Ring-LWE, which, as noted in Assumption 1, asks the PPT algorithm to find $s$ rather than to distinguish the two distributions. Therefore an adversary that generates a valid proof for a uniformly chosen $P_A$ that the designated verifier accepts can solve search Ring-LWE with the same probability.
In summary, in the DVNIZK-KE scheme an adversary who does not know the secret value convinces the verifier only with negligible probability, so the soundness error of our scheme is negligible.
3) Honest-verifier zero-knowledge. Lemma 6. Honest-verifier zero-knowledge [26] means that there is a probabilistic polynomial-time simulator that, taking $P_A$ and $S'_B$ as input, outputs $(K', \omega')$ indistinguishable from an accepting transcript generated by a real run of the scheme.
Proof. Assume a probabilistic polynomial-time simulator $\mathcal{S}$ with access to the random oracle $H$. We construct $\mathrm{Exp}_{ZK\text{-}sim}$ to establish zero-knowledge in the random oracle model. Let $\mathrm{Exp}_{ZK\text{-}real} = 1$ denote the output of the scheme run between the real prover and the designated verifier, and $\mathrm{Exp}_{ZK\text{-}sim} = 1$ the simulator's output. The simulator $\mathcal{S}$ for the first scheme of Fig 1 is constructed as follows: query the random oracle $H$ on input $S'_B$ and output K' = H(W'

By this construction, the outputs of the probabilistic polynomial-time simulator are indistinguishable from an accepting transcript generated by a real run of the scheme.
To extend the scheme, the prover can send $K = H(W)$ and $\omega$ encrypted under a symmetric key $K_{PV}$ shared between prover and verifier. Then nobody except the designated verifier obtains the proof, or the secret from the proof, and the verifier learns nothing beyond the proof. Sending $K = H(W)$ and $\omega$ encrypted over a secure channel resists man-in-the-middle attacks, and replay is excluded because each session uses a fresh $P_B$, so a proof recorded for one session does not verify under another; the encryption alone does not provide that freshness.

Syntax
We consider zero-knowledge proofs of ownership in the publicly-verifiable setting with three participants: a third party $T$ that is curious-but-honest, a prover $P$ that provides the proof without revealing the secret, and verifiers $V$ that check the proof, as in Fig 3. A lattice-based non-interactive zero-knowledge scheme built on key exchange consists of five polynomial-time algorithms (Setup, Register, Proof, Verify, Update). We briefly describe the process of the five algorithms below (shown in the corresponding figure).

Security model
In this subsection we give the security model for the publicly-verifiable non-interactive zero-knowledge proof. The definition of non-interactive zero-knowledge is unchanged, but a semi-trusted third party is introduced. Our security model combines the curious-but-honest model with the random oracle model, following [36, 43]. The semi-trusted third party is curious-but-honest: it does not deviate from the protocol, but tries to extract all possible information from the messages it legitimately receives. In other words, the semi-trusted third party may try to learn the prover's secret key, but it will not deceive other users with the proofs it knows. Potential adversaries are therefore: 1. An external adversary who can obtain public information and attempts to produce a valid proof before the semi-trusted party issues one.
2. The semi-trusted party as an internal adversary, who not only obtains the information from the Register and Proof phases but also holds the update key of every prover in the system.

In the second scheme, a prover cannot forge a valid proof to deceive the semi-trusted third party or the verifiers; the semi-trusted third party cannot obtain the prover's secret key; and a verifier can neither obtain the secret key nor forge a proof of the secret value. From this analysis, the scheme is secure if it satisfies the zero-knowledge definition above together with soundness.

The scheme in detail
The system first generates the public parameters $q, n, \alpha$, where $q > 8$ is an odd prime. Let $M \leftarrow R_q^{n \times n}$ be a uniformly random matrix, and let $H_1: \{0,1\}^{n \times n} \to \{0,1\}^n$ and $H_2: \{0,1\}^n \to \{0,1\}^n$ be random oracles. The secret information owner $P$ holds $P_A = M \cdot S_A + 2e_A \bmod q$, where $S_A, e_A \leftarrow \chi_\alpha$ are $n \times n$ dimensional as above and $S_A$ is the secret information. Its public key is $P_C = M \cdot S_C + 2e_C \bmod q$, where $S_C, e_C \leftarrow \chi_\alpha$ are $n \times n$ dimensional and $S_C$ is its secret key. Similarly, the third party $T$ has the public key $P_B = M^T \cdot S_B + 2e_B \bmod q$ for $P$, with secret key $S_B$. $P_A, S_A, P_B, S_B, P_C, S_C$ are used to create the zero-knowledge proof for the verifiers $V$. In addition, $T$ keeps a public list and shares a symmetric key $K_{PT}$ with the prover.
The second scheme consists of four algorithms besides Setup: Register, Proof, Verify and Update. In detail: 1. Register: The secret information owner $P$ does the following, where $\omega = \mathrm{Char}(X)$ and $\upsilon = \mathrm{Char}(x)$:
• $P$ sends $C$ to $T$.
Upon receiving $C$, $T$ does the following: • $T$ computes $(P_A, P_C, K, \omega, \upsilon) \leftarrow D_{K_{PT}}(C)$.
• $T$ checks whether $P_A$ is already in the list; if so, it rejects. If $P_A$ is not in the list and $P$ is a user certified by $T$, $T$ adds $P_A$ to the list.
• $T$ stores $(P_A, I, W)$ and publishes $(P_A, P_B, J, \mathrm{ID}_P)$, where $\mathrm{ID}_P$ is the prover's identity.

2. Proof:
• $K \leftarrow H_1(\mathrm{Mod}_2(X, \omega))$ is computed as the zero-knowledge proof. In fact, $\mathrm{Mod}_2(X, \omega)$ can already be computed in the Register algorithm, so the Proof algorithm needs only one hash evaluation.

3. Verify:
Upon receiving $(P_A, K, J)$, anyone, in particular a verifier, does the following: • After checking that the information was issued under $\mathrm{ID}_P$, compute $H_2(K)$ and compare it with $J$.
4. Update:
• $P$ samples $S_D, e_D \leftarrow \chi_\alpha$ and computes $P_D = M \cdot S_D + 2e_D \bmod q$.
• Let $X_1 = S_A^T \cdot P_B \cdot P_D$. $P$ computes $\omega_1 = \mathrm{Char}(X_1)$ and $C_1 \leftarrow E_{K_{PT}}(P_A, I', P_D, \omega_1)$.
• $P$ sends $C_1$ to $T$.
Upon receiving $C_1$, $T$ checks whether $I'$ equals $I$. If so, it outputs $W_1 \leftarrow H_1(\mathrm{Mod}_2(Y_1, \omega_1))$ and $J_1 \leftarrow H_2(W_1)$.
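As an added example for the two protocols above (the Setup/Proof/Verify of the DVNIZK scheme and the Register/Proof/Verify flow of the publicly-verifiable scheme), and not code from the paper, the following Python runs both on a single ring element instead of an $n \times n$ matrix. Assumptions: $R_q = \mathbb{Z}_q[x]/(x^N + 1)$ with $N = 256$ and $q = 12289$; secrets and errors are ternary polynomials rather than discrete Gaussians, so the Lemma 3 bound $\|x - y\|_\infty \le 2 \cdot 2N = 1024 < q/4$ holds deterministically; $\mathrm{Char}$ and $\mathrm{Mod}_2$ follow Ding et al. [38]; $H$, $H_1$, $H_2$ are SHA-256 with distinct domain labels; the encrypted channel $E_{K_{PT}}$ between $P$ and $T$ is modelled as a direct function call; and `random.Random` is seeded only for reproducibility, where a deployment would use a CSPRNG. The `demo` function also shows the property that makes $T$'s honesty necessary: $T$ recomputes $K$ during registration, before the prover publishes it.

```python
# Added example (not the paper's code): one-polynomial instance of the
# designated-verifier scheme and of the publicly-verifiable scheme with a
# curious-but-honest third party T.  Assumed parameters: R_q = Z_q[x]/(x^N + 1),
# N = 256, q = 12289, ternary secrets/errors, SHA-256 as H / H1 / H2.
import hashlib
import random

N = 256
Q = 12289
HALF = (Q - 1) // 2


def center(v):
    """Centred representative of v mod Q in [-(Q-1)/2, (Q-1)/2]."""
    v %= Q
    return v - Q if v > HALF else v


def poly_mul(a, b):
    """Product in Z_Q[x]/(x^N + 1): x^N = -1, so wrapped-around terms are negated."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def small_poly(rng):
    """Ternary 'small' polynomial; the paper samples chi_alpha, a deployment uses a CSPRNG."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def uniform_poly(rng):
    return [rng.randrange(Q) for _ in range(N)]


def char_poly(x):
    """Coefficient-wise signal function omega = Char(x), per Ding et al. [38]."""
    return [0 if -(Q // 4) <= center(c) <= Q // 4 else 1 for c in x]


def mod2_poly(x, w):
    """Coefficient-wise Mod_2(x, omega) on centred representatives."""
    return [center(c + wi * HALF) % 2 for c, wi in zip(x, w)]


def hash_bits(label, bits):
    """Random oracles H / H1 / H2 modelled as SHA-256 with a domain label."""
    return hashlib.sha256(label + bytes(bits)).digest()


def keygen(m, rng):
    """RLWE key pair p = m*s + 2e (P_A for the prover, P_B for the verifier or T)."""
    s, e = small_poly(rng), small_poly(rng)
    return s, poly_add(poly_mul(m, s), [2 * c for c in e])


# Scheme 1: designated verifier.  P sends (K, omega) to V.
def dv_prove(s_a, p_b):
    x = poly_mul(s_a, p_b)                      # x = S_A^T P_B
    w = char_poly(x)                            # omega = Char(x)
    return hash_bits(b"H", mod2_poly(x, w)), w  # K = H(W), W = Mod_2(x, omega)


def dv_verify(s_b, p_a, k, w):
    y = poly_mul(s_b, p_a)                      # y = P_A^T S_B = x - 2(S_A e_B - S_B e_A)
    return k == hash_bits(b"H", mod2_poly(y, w))  # accept iff K = H(J), J = Mod_2(y, omega)


# Scheme 2: publicly verifiable through the curious-but-honest third party T.
def pv_register(s_a, p_b):
    """Prover's Register: K = H1(Mod_2(X, omega)); (K, omega) goes to T over E_{K_PT}."""
    x = poly_mul(s_a, p_b)
    w = char_poly(x)
    return hash_bits(b"H1", mod2_poly(x, w)), w


def pv_third_party(s_b, p_a, w):
    """T's Register: W = H1(Mod_2(Y, omega)) from Y = P_A^T S_B is stored, J = H2(W) published."""
    y = poly_mul(s_b, p_a)
    w_hash = hash_bits(b"H1", mod2_poly(y, w))
    return w_hash, hashlib.sha256(b"H2" + w_hash).digest()


def pv_verify(k, j):
    """Public Verify: anyone accepts the published K iff H2(K) == J."""
    return hashlib.sha256(b"H2" + k).digest() == j


def demo(seed=1):
    """Run both schemes once and return the checks a reader would want to see."""
    rng = random.Random(seed)
    m = uniform_poly(rng)
    s_a, p_a = keygen(m, rng)        # prover
    s_b, p_b = keygen(m, rng)        # designated verifier, or T in scheme 2
    s_fake, _ = keygen(m, rng)       # impostor who never held S_A
    k, w = dv_prove(s_a, p_b)
    k_fake, w_fake = dv_prove(s_fake, p_b)
    k2, w2 = pv_register(s_a, p_b)
    w_hash, j = pv_third_party(s_b, p_a, w2)
    return {
        "dv_honest": dv_verify(s_b, p_a, k, w),
        "dv_impostor": dv_verify(s_b, p_a, k_fake, w_fake),
        "pv_honest": pv_verify(k2, j),
        "pv_garbage": pv_verify(bytes(32), j),
        "t_knows_k": w_hash == k2,   # T holds K before P publishes it: T must be honest
    }


if __name__ == "__main__":
    print(demo())
```

Because the ring is commutative, $S_A P_B$ and $S_B P_A$ share the term $S_A M S_B$ and differ only by $2(S_A e_B - S_B e_A)$, which is exactly what $\mathrm{Char}$ and $\mathrm{Mod}_2$ reconcile; the impostor's key pair shares nothing with $P_A$, so its $K$ is rejected. The `t_knows_k` entry is the practical reason for the curious-but-honest assumption: a dishonest $T$ could publish $K$ on the prover's behalf.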

Security analysis
In this subsection we prove that our zero-knowledge-proof-based key exchange scheme is secure in the public setting under the hardness assumption on LWE, considering the following aspects. Lemma 7. Let $R = \mathbb{Z}[x]/(x^n + 1)$. For any $a, b, c \in R$, by Lemma 1 we have $\|a \cdot b \cdot c\| \le n \cdot \|a\| \cdot \|b\| \cdot \|c\|$ and $\|a \cdot b \cdot c\|_\infty \le n^2 \cdot \|a\|_\infty \cdot \|b\|_\infty \cdot \|c\|_\infty$.
Proof. First, we know the following. Arguing as in Lemma 4 for $X, Y \in R_q^{n \times n}$, it suffices to show $\|X_{i,j} - Y_{i,j}\|_\infty < q/4$ by Lemma 3, where $i, j \in \{1, \dots, n\}$. After simplification, combining Lemma 2 and Lemma 7, we have the following. By Lemma 3 we obtain $\|X_{i,j} - Y_{i,j}\|_\infty < 4\sigma^3 n^{5/2} < q/4$, which holds for $q > 16\sigma^3 n^{5/2}$ with probability $1 - 2^{-n}$. 1) Completeness. The proof from the prover is as follows. Since $K = H_1(\mathrm{Mod}_2(X, \omega))$ and $\mathrm{Mod}_2(X, \omega)$ can already be computed in the Register algorithm, $K$ is obtained with a single hash evaluation and serves as the proof for the verifier.
The verifier obtains the verification value $J$ from the third party and checks $K$ through the hash function by testing $J = H_2(K)$.
Then we have the following. Finally, if $K$ is genuine, $H_2(K)$ equals $J = H_2(W)$ with probability $1 - 2^{-n}$, and the verifier is convinced that the prover owns the secret. That is, for all $P_A, P_B, P_C \in L$, if the prover holds the secret $S_A^T$, then $\Pr[K \leftarrow P(S_A^T, P_A, P_B, P_C) : V(J_{(P_A,P_B,P_C)}, K) = 1] \ge 1 - 2^{-n}$. 2) Soundness. Soundness means that an adversary without the secret value $S_A$ convinces the honest verifier that it holds the secret only with negligible probability. In other words, if the prover has no secret value $S_A$, then for $P_A, P_B, P_C$ the following holds. The analysis is similar to the soundness of the designated-verifier scheme in Fig 1. In the second scheme (Fig 2) there are three participants: the curious-but-honest third party $T$, the prover $P$, and the verifier $V$, so we consider this property with respect to the third party and the verifier.
• Between a malicious prover and the third party.
Assume the prover is an adversary that can register without the secret $S_A$ with non-negligible probability. The analysis is similar to the soundness of the designated-verifier scheme in Fig 1, and Lemma 9 follows directly from Lemma 5. Hence an adversary who does not know the secret value registers successfully only with negligible probability.
Lemma 9. If a prover acting as adversary $\mathcal{A}$ can register successfully with $P_A = M \cdot S_A + 2e_A \bmod q$ at the curious-but-honest third party, without the secret $S_A$, with non-negligible probability, then there is a distinguisher of $P_A$ from uniform with the same probability.
• Between a malicious prover and the verifiers.
Assume the prover is an adversary that can produce a valid proof $K$ without the secret $S_A$ with non-negligible probability. In the second scheme (Fig 2), the adversary can only derive a valid proof from $P_A$ or from $J$. From the analysis above, a prover who has only $P_A$ but not $S_A$ convinces the verifiers with negligible probability, so the malicious prover can only derive a valid proof from $J$. As described in Fig 2, $J = H_2(K)$, so the adversary would have to invert the hash function on the output $J$; this is excluded as long as $H_2$ is preimage-resistant (one-way), which is the property the public check actually relies on.
Lemma 10. If a prover acting as adversary $\mathcal{A}$ can generate a valid proof $K$ for $P_A = M \cdot S_A + 2e_A \bmod q$ without the secret $S_A$ with non-negligible probability, then either there is a distinguisher of $P_A$ from uniform with the same probability, or the adversary can invert the hash function on its output.
Taking all of the above into account, the adversary cannot deceive the verifier without $S_A$, i.e. $\Pr[K \leftarrow \mathcal{A}(\cdot\,; P_A, P_B, P_C) : V(J_{(P_A,P_B,P_C)}, K) = 1] = \mathrm{negl}$. 3) Zero-knowledge. In the second scheme the secret value $S_A$ must not leak anywhere in the proof process. Since the proof can be verified by anyone, in particular the verifier, we consider this property with respect to the verifier and the third party.
• For the verifier: from the beginning to the end of the scheme, the verifier obtains only $P_A, K, J$, as given in Eqs (1)-(3). From Eq (1), $S_A$ cannot be recovered from $P_A$ under the Ring-LWE assumption. Since $K$ and $J$ are the $n$-bit outputs of hash function evaluations, Eqs (2) and (3), the secret value $S_A$ is not disclosed by them. By the soundness analysis above, the verifier can obtain neither the secret value nor a valid proof.
• For the third-party:

$T$, who is curious-but-honest, acts as the intermediary between the prover and the verifier. $T$ holds more values than the verifier, including $S_B, P_B, \omega, \upsilon, I, W$, but not $S_A$, with $\omega = \mathrm{Char}(X)$ and $\upsilon = \mathrm{Char}(x)$ (4). In fact, the third party knows the proof before the prover announces it. That $T$ is curious-but-honest means that $T$ wants to learn the secret value $S_A$ but does not reveal any other value. From Eqs (4)-(6), the second scheme is zero-knowledge with respect to the third party by Lemma 6 above; that is, the scheme is honest-verifier zero-knowledge for the third party.
Based on the above discussion, we conclude that the secret value does not leak. That is, there is a polynomial-time simulator such that, for all $P_A, P_B, P_C \in L$ and secret value $S_A$, the following two distributions are computationally indistinguishable: $|\Pr[\mathrm{Exp}_{ZK\text{-}real} = 1] - \Pr[\mathrm{Exp}_{ZK\text{-}sim} = 1]| = \mathrm{negl}$. The prover sends $K$ encrypted over a secure channel to resist brute-force and man-in-the-middle attacks. To resist replay attacks, the third party publishes $\mathrm{ID}_P$ in addition to $P_A$ and $J$.

Efficiency analysis
Following existing post-quantum schemes, we analyse the efficiency of zero-knowledge proof schemes in terms of prover runtime, verification time, CRS size and proof size [44]. Since the proof can be generated offline in advance, the prover's running time is not considered here. Our schemes, based on lattice key exchange, involve no CRS, so the CRS size is zero. Therefore we compare our schemes with the previous work [27, 31, 32, 33, 34, 35] only in verification time and proof size, detailed in Table 2.
In previous studies, the proof size in [27] is more than $4nM\log(q)$ bits, where $n$ is the security parameter of the ring $\mathbb{Z}_q$ and $M$ is the number of protocol rounds; poly($n$) below denotes polynomial verification time. In [31] the proof size is $\sqrt{m \log m}$ and the verification time is $m$, where $m$ is the number of gates. In [32] the proof size is more than $1024t$ bits, where $t$ is the number of protocol repetitions. The proof size in [34] is larger than $512 + n_1(8\log(4\alpha n_1) + 2048\log(2\alpha))$ bits, where $n_1$ is the number of secrets and $\alpha$ is the security parameter; in Table 1, $c_1$ denotes a number greater than $8\log(4\alpha n_1) + 2048\log(2\alpha)$. The proof size and verification time in [35] are constant: $k_1 = 5(a+1)\log(q)$ is the proof size, where $a$ is the number of elements in the vector (also a security parameter), and $l_1$ is the verification time. However, that scheme is a ZK-SNARK from SSP, so the proof is still large and the computation relatively expensive; moreover its CRS size is more than $(3d+2)\log(q)$, where $d$ is the degree of the SSP. The proof size in [33] is $n_2 \cdot k \cdot \log(6\sigma) + n_2 \cdot \ell \cdot \log(q)$, abbreviated $c_2 n_2$, where $n_2$ and $q$ are security parameters, $n_2$ is also the bit length of the secret, $k$ is the width of the commitment matrices over $R_q$ and $\sigma$ is the standard deviation. In the commitment scheme [33] the commitments are a precondition sent by the prover to the verifier; when the width of the commitment matrices over $R_q$ is 1, the commitment size is $n_2 \cdot \log(q)$. Our schemes combine the RLWE-based key exchange with a hash function, so the proof size is just the output length of the hash function, denoted $k_2$. The verification time, denoted $l_2$, is a single hash evaluation in the publicly-verifiable setting.
Furthermore, Table 2 shows a comparison of other properties, including whether a CRS or interaction is required, whether an untrusted setup suffices, and the underlying assumptions, where q-PKE is the q-power knowledge of exponent assumption, (R)SIS is the (Ring) short integer solution problem, and SVP is the shortest vector problem.
As shown in the result, our proof is the output of the hash function, whose size does not depend on the size of the secret values. In other words, the proof size does not grow as the size of the secret values increases. The commitment is sent to the verifier along with the proof, as a condition for verification similar to a CRS; therefore, we also give the corresponding commitment size for [33] and the CRS size for [35]. The security parameter is taken to be 1024, q is 2^32, d is 2^15, and the fixed output length of the hash function is 512 bits. To show the performance of our second scheme intuitively, we compare the proof size of our second scheme, the optimal scheme of Baum et al. [33], and the scheme of [35] in Table 3 and in Fig 5. The result indicates that the proof size of our second scheme is much smaller and constant.
For the verification time, our second scheme needs only one hash operation. However, the scheme of Baum et al. takes polynomial time to verify a matrix polynomial, and for the scheme of [35] the verifier needs to encode several polynomials before calculating three polynomials during verification. Obviously, both of the above schemes take more time than our second scheme.
We have compared our second scheme with the related schemes in zero-knowledge proof size and verification time. Since the proof is the output of the hash function, our proof size is constant and therefore smaller than that of the other compared schemes. In addition, the verifier's runtime in our publicly-verifiable scheme involves only the hash operation, so its computational cost is lower than that of the other compared schemes in verification time.
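As an added illustration of the comparison above (this is not the paper's own Table 3 or Fig 5), the following Python evaluates the proof-size formulas quoted in this section at the stated parameters; the choice of a = n_2 = 1024 for [35] and [33], and the range of secret sizes in the table, are assumptions.

```python
# Parameter values taken from the comparison in the text; the example itself
# is added here and is not the paper's own table (ell, sigma and alpha are not
# given in this section, so the [33] proof size and the [34] bound are omitted).
N = 1024          # security parameter, used as n, a and n_2 below (assumed)
LOG_Q = 32        # log2(q) for q = 2^32
D = 2 ** 15       # degree d of the SSP in [35]
HASH_BITS = 512   # fixed hash output length of the proposed scheme

def proof_size_27(n, rounds, log_q=LOG_Q):
    """[27]: more than 4 n M log(q) bits, M = number of protocol rounds."""
    return 4 * n * rounds * log_q

def proof_size_32(repetitions):
    """[32]: more than 1024 t bits, t = number of protocol repetitions."""
    return 1024 * repetitions

def proof_size_35(a=N, log_q=LOG_Q):
    """[35]: constant k_1 = 5 (a + 1) log(q) bits, a = vector length."""
    return 5 * (a + 1) * log_q

def crs_size_35(d=D, log_q=LOG_Q):
    """[35]: CRS larger than (3d + 2) log(q) bits, d = degree of the SSP."""
    return (3 * d + 2) * log_q

def commitment_size_33(n2, log_q=LOG_Q):
    """[33] with commitment-matrix width k = 1: n_2 log(q) bits."""
    return n2 * log_q

def proof_size_ours(secret_bits):
    """Proposed scheme: the proof is the hash output, so the secret size is ignored."""
    return HASH_BITS

def proof_size_table(secret_bits_list):
    """Sizes in bits as the secret grows: [33]'s commitment uses the secret
    bit length as n_2, [35] stays at its fixed parameters, ours is constant."""
    return [{"secret_bits": s,
             "commitment_33": commitment_size_33(s),
             "proof_35": proof_size_35(),
             "ours": proof_size_ours(s)} for s in secret_bits_list]

if __name__ == "__main__":
    for row in proof_size_table([512, 1024, 2048, 4096]):
        print(row)
```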

Conclusion
With the rapid development of quantum computers, it is an urgent requirement to construct efficient quantum-secure zero-knowledge proof schemes. In this paper, we have proposed a non-interactive zero-knowledge proof scheme for the designated-verifier setting to guarantee a smaller proof size. We have also designed a scheme from lattice-based RLWE key exchange for the publicly-verifiable scenario to ensure better efficiency. Moreover, our schemes are secure in terms of completeness, soundness, and zero-knowledge. Furthermore, compared with previous schemes, our schemes have advantages in proof size and verification time. In the future, based on the rich theoretical foundation of lattice cryptography, we will design better-performing zero-knowledge proof schemes for multiple applications.
Supporting information S1