Zero-Knowledge Proof of Equality between RSA Modulus and Prime Order Group

TL,DR: a conjuction of simple $\Sigma$-protocols can prove this compound statement in zero-knowledge. However, the proof is somewhat large.

First, let's break down your compound statement into simpler statements. Observe that essentially you want to prove in zero knowledge for $C_1=m^e$ and $C_2=g^m$ that the following relation $\mathcal{R}(x,\omega)$ ($x$ is the public parameter and $\omega$ is the witness) holds: $$\mathcal{R}=\{((C_1,C_2),(m,l)):m\in QR_{N}\land C_1=m^e\bmod{N}\land C_2=g^m\bmod{p}\}, $$ where $l$ is the square root of $m\bmod{N}$, i.e., the witness is the $(m,l)$ pair. For the sake of simplicity let's use the following notation for the elementary statements: $$\mathcal{R}_1=\{((C_1,C_2),(m,l)):m\in QR_{N}\}, $$ $$\mathcal{R}_2=\{((C_1,C_2),(m,l)): C_1=m^e\bmod{N}\}, $$ $$\mathcal{R}_3=\{((C_1,C_2),(m,l)):C_2=g^m\bmod{p}\}. $$

Note that both elementary statements $\mathcal{R}_2$ and $\mathcal{R}_3$ are easy to prove with $\Sigma$-protocols, since both of the relations prove knowledge of a preimage under a group homomorphism (i.e., of $w$ satisfying $x=\phi(w)$). In the case of $\mathcal{R}_2$ the group homomorphism $\phi(\omega)=\omega^e$, while in $\mathcal{R}_3$, the homomorphism is $\phi(\omega)=g^{\omega}$. These are quite standard statements and you can find how to prove the preimage of a homomorphism in Bangerter et al. or in the Boneh-Shoup book, among many others.

To prove $\mathcal{R}_1$ is a little bit tricky at the first sight, since $m$ needs to be kept secret and we want to prove that $m$ is a quadratic residue, i.e., $m\in QR_N$. In almost all deployments of the RSA cryptosystem $e$ is odd (I assume this is also the case in your application), so $C_1=m^e\in QR_{N} \iff m\in QR_{N}$. I also assume that the encryptor knows $l$, one of the square roots of $m$, since the factorization is unknown. If the encryptor does not know such an $l$, then it cannot prove that it is a quadratic residue, because it does not know the factorization. Given this discussion, now $\mathcal{R}_1$ essentially entails proving the following statement: $$\mathcal{R}_1=\{((C_1),(l)):C_1=l^{2e}\bmod{N}\}, $$ which is again a proof of the knowledge of a preimage of a group homomorphism. We know how to prove this statement.

To combine all these to obtain a zero-knowledge proof for the compound statement $\mathcal{R}$, the verifier just needs to send the same random challenge for all the elementary statements (the random challenge is different across the repetitions of the protocol though!).

What's the size of the proof? For $\Sigma$-protocols in groups of unknown order, the soundness error is high, so one needs to repeat the $\Sigma$-protocol many times to obtain reasonable levels of soundness. In each repetition, the soundness error decreases by $\approx 1/2$. Hence, the protocol must be repeated sequentially to get a sufficiently small knowledge error (e.g., $80$ sequential repetitions are required to obtain a knowledge error of $1/2^{80}$). This would result in a proof consisting of $2*2*80=320$ group elements for the $3$ elementary statements (2 of the statements occur in an RSA group, hence we need to repeat many times).

To circumvent this efficiency limitation you need to use a common reference string in order to reduce the proof size. See Bangerter et al.

Hopefully, this helps! Let me know if I left any grey area in the answer!