Rank AGS Identification Scheme and Signature Scheme

Abstract

The identification protocol is a type of zero-knowledge proof. One party (the prover) needs to prove his identity to another party (the verifier) without revealing the secret key to the verifier. One can apply the Fiat–Shamir transformation to convert an identification scheme into a signature scheme which can be used for achieving security purposes and cryptographic purposes, especially for authentication. In this paper, we recall an identification protocol, namely the RankID scheme, and show that the scheme is incorrect and insecure. Then, we proposed a more natural approach to construct the rank version of the AGS identification protocol and show that our construction overcomes the security flaws in the RankID scheme. Our proposal achieves better results when comparing the public key size, secret key size, and signature size with the existing identification schemes, such as Rank RVDC and Rank CVE schemes. Our proposal also achieves 90%, 50%, and 96% reduction for the signature size, secret key size, and public key size when compared to the Rank CVE signature scheme.

1. Introduction

1.1. Literature Review

Cryptography refers to the secure communication techniques that are derived from mathematical concepts and algorithms to transform messages in ways that mean it is hard to retrieve back the message. There are well-known cryptosystems, such as RSA, which have been used until today. Nevertheless, this cryptosystem suffers from a few weaknesses that might lead to the vulnerability of attacks, as we can read in [1,2]. The hard problem of RSA, which is the factorization of large prime numbers, could turn out to be its weakness if there exists a quantum computer. Therefore, it is necessary for cryptographers to construct other cryptographic primitives that resist attacks by quantum computers, which are often coined as post-quantum cryptosystems. One of the most common candidates for post-quantum cryptosystems is built based on code-based cryptography. McEliece cryptosystem [3] is one of the most well-known and the first motivation initiated in code-based cryptosystems almost 40 years ago. Digital signature schemes (DSS) under code-based cryptography are also secure as they are able to achieve three goals of cryptography, including data integrity, authenticity, and non-repudiation.

One can consider the construction of code-based DSS via the hash-and-sign approach, such as the CFS scheme proposed by Courtois et al. [4]. In this scheme, the document is repeatedly hashed to the bit-length r until the output becomes a decryptable ciphertext. However, this was one of the weaknesses of this signature apart from having a very large public key size. On the other hand, one can construct a code-based DSS by considering the zero-knowledge protocol approach (ZKP). More specifically, in a zero-knowledge protocol, one party (named Prover $\mathcal{P}$) needs to prove to the other party (named verifier $\mathcal{V}$) that he or she knows the secret key without revealing the value or any information regarding the secret key. Proof of identity as a means of authentication is the most common and secure application of ZKP. One type of ZKP is the identification protocol which can be converted into a signature scheme via the Fiat–Shamir paradigm. Meanwhile, if the person loses his or her data or key, recovery is difficult to be attempted in ZKP. ZKP also has a large signature size due to a large number of repetitions, and it requires a lot of computations since it needs a large number of interactions between the prover and the verifier.

In 1994, Stern designed an identification protocol [5] that worked in the Hamming metric. In this case, let $F_{q^m}$ be a finite field with $q^m$ elements where q is a prime power, and m is an integer. In this scheme, given an error vector e which has weight w and a vector, $s=H{e}^T$ where H is a parity check matrix over $F_2^{(n-k)\times n}$. The prover $\mathcal{P}$ is needed to convince the verifier $\mathcal{V}$ that he or she knows the value of e (the secret key). Stern managed to reduce the cheating probability (the probability where a dishonest prover not knowing e can cheat the verifier in the protocol) from $\frac{2}{3}$ to $\frac{1}{2}$ which led to a reduction in the signature size. Later in 1997, Veron [6] proposed a different formulation of the secret key, $x=mG\oplus e\in F_2^n$ where the matrix $G\in F_2^{k\times n}$ and x are public parameters. Despite the increment of the public key size, Veron succeeded in reducing the communication cost. Since then, various schemes have been invented using different modifications to enhance their schemes from the previous ones. Aguilar, Gaborit, and Schrek [7] proposed a scheme (AGS) utilizing double circulant codes to increase the number of challenges. They also managed to cut down the communication cost in addition to reducing the size of the secret and public keys.

More recently, rank metrics have been considered to construct code-based identification protocols and DSS by extending the constructions from the code-based identification protocols and DSS in the Hamming metric. In 2018, Bellini et al. [8] proposed the rank metric version of the Veron and CVE identification protocols and DSS. However, Lau et al. [9] showed that the rank Veron was insecure, as its secret key could be recovered in polynomial time. Nevertheless, Bellini et al. [10] improved the rank Veron DSS and proposed another scheme, namely the RVDC identification protocol and DSS. Furthermore, in 2019, Ayebie et al. [11] designed a rank metric version of the AGS identification scheme by using random double circulant codes, which is known as the RankID scheme.

1.2. Research Flow

In this paper, we analyzed the RankID scheme. Their construction has errors in correctness, which results in the invalidity of the scheme. The operations defined in the scheme do not ensure the commutativity of the matrices and do not preserve the rank of error vectors. Even if we assume the scheme is correct, we show that the scheme is insecure, as its design leads to the leakage of the secret key. Then, we propose a new rank version of the AGS ID more naturally and show that the new scheme achieves completeness, soundness, and zero-knowledge properties. We also provide parameters achieving 128-bit and 256-bit security levels, the latter is determined by the complexity for solving the Rank Syndrome Decoding (RSD) problem.

1.3. Contribution of This Work

Our Rank AGS scheme parameters can reduce the signature and key size when compared to the Rank CVE [8] and RVDC [10] schemes.

1.4. Paper Organization

This paper is structured as follows: in Section 2, we present the notions and preliminaries that are used throughout the paper. Section 3 provides the analysis of RankID, which shows the errors in RankID that lead to the insecurity of the scheme. Section 4 introduces the explanations and details of our proposed scheme, Rank AGS. Section 5 shows the achievement of our proposed scheme on zero knowledge protocol security properties such as completeness, soundness, and zero knowledge. Additionally, we also provide the signing and verification algorithm of Rank AGS and the comparison of the sizes of the signature, public, and secret key of Rank AGS with the other existing schemes in this section. Furthermore, we also added the percentage of reduction in the key and signatures sizes of Rank AGS with the reference Rank CVE as the original reference. Finally, we finish with a section for the conclusion (Section 6).

2. Preliminaries

In this section, we recall the background on rank metrics and the hard problem used in this paper. We also introduce the specification for AGS and RankID that have been used in [7,11]. Throughout this paper, we will be using the following notations and definitions.

Let q be a prime power and m be an integer. Then, let $F_{q^m}$ be a finite field with $q^m$ elements.

Definition 1. 

An $[n,k]$-linear code C of length n is a linear subspace of $F_{q^m}^n$ with dimension k. A matrix $G\in F_{q^m}^{k\times n}$ is called a generator matrix of code C if its rows form a basis of C. A matrix H is called a parity check matrix of C if $C=\{x\in F_{q^m}^n:H·x^T=0\}$.

Definition 2 

(Rank Support). Let $x=(x_1,\cdots ,x_n)\in F_{q^m}^n$. The support of x, $Supp\left(x\right)$ is an $F_q$-vector space spanned by elements $x_1,\cdots ,x_n$.

Definition 3 

(Rank Metric). Let $x=(x_1,\cdots ,x_n)\in F_{q^m}^n$; the rank weight of x is defined as the dimension of the support of x,

$$w{t}_R\left(x\right)=dim\left(Supp\left(x\right)\right).$$

Let ${\beta }_1,\cdots ,{\beta }_m$ be a basis for $F_{q^m}$. For each $1\le i\le n$, we can write $x_i$ as an $F_q$-linear combination of the basis, i.e., there exists $c_{ji}\in F_q$ such that

$$x_i=\sum _{j=1}^m{c}_{ji}{\beta }_j.$$

When forming an $m\times n$ matrix $M=\left(c_{ji}\right)\in F_q$, and we can rewrite x as:

$$x=(x_1,\cdots ,x_n)=({\beta }_1,\cdots ,{\beta }_m)M,$$

and the rank weight of x also can be defined as the rank of the matrix M, $w{t}_R\left(x\right)=rk\left(M\right)$.

Now, let us define a problem that most of the cryptosystem in the rank metric is based on.

Problem 1 (Rank syndrome decoding problem (RSD)). Given a random matrix $G\in F_{q^m}^{k\times n}$, the random vectors $x\in F_{q^m}^n$, $f\in F_{q^m}^k$ and an integer of $r>0$ can be used as an input. The rank syndrome decoding, $RSD(q,m,n,k,r)$ problem needs to determine the vector $e\in F_{q^m}^n$ such that $rk\left(e\right)=r$ and $fG\oplus e=x$.

Gaborit and Zémor [12] showed that the RSD could be probabilistically reduced to the syndrome decoding problem in the Hamming metric, where the syndrome decoding problem is an NP-complete problem. Therefore, RSD is acceptable as a good candidate for code-based cryptography.

The complexity of solving the rank syndrome decoding problem (RSD) is shown below. We list down the combinatorial and algebraic attacks on $RSD(q,m,n,k,r)$ in

Table 1. Combinatorial attacks on RSD.

Attacks	Complexity
CS [14]	$O\left({(nr+m)}^3{q}^{(m-r)(r-1)}\right)$
GRS-I [15]	$O\left({(n-k)}^3{m}^3{q}^{rmin\{k,\frac{km}{n}\}}\right)$ if $s\ne 0$,
	$O\left({(n-k)}^3{m}^3{q}^{(r-1)min\{k,\frac{km}{n}\}}\right)$ if $s=0$
OJ-I [16]	$O\left(r^3{m}^3{q}^{(r-1)(k+1)}\right)$
OJ-II [16]	$O\left({(k+r)}^3{r}^3{q}^{(m-r)(r-1)}\right)$
GRS-II [15]	$O\left({(n-k)}^3{m}^3{q}^{(r-1)min\{k+1,\frac{(k+1)m}{n}\}}\right)$
AGHT [17]	$O\left({(n-k)}^3{m}^3{q}^{r\frac{(k+1)m}{n}-m}\right)$

and

Table 2. Algebraic attacks on RSD.

Attacks	Conditions	Complexity
FLP [18]	$m=n,{(n-r)}^2=nk$	$O\left(\left(logq\right)n^{3{(n-r)}^2}\right)$
CGK [19]	-	$O\left(k^3{m}^3{q}^{r\frac{km}{n}}\right)$
GRS [15]	$d_{n,r,k}\le 0$	$O\left({((r+1)(k+1)-1)}^3\right)$
	$\left[\frac{d_{n,r,k}}{r}\right]\le k$	$O\left(r^3{k}^3{q}^{r\left[\frac{d_{n,r,k}}{r}\right]}\right)$
BBB [20]	$m{C}_{v_k,r}\ge C_{n,r}$	$O\left({\left(\frac{{\left((m+n)r\right)}^r}{r!}\right)}^w\right)$
	$m{C}_{v_k,r}<C_{n,r}$	$O\left({\left(\frac{{\left((m+n)r\right)}^{r+1}}{(r+1)!}\right)}^w\right)$
BBC [21]	$m{C}_{v_k-p,r}\ge C_{n-p,r}-1$	$O\left(m{C}_{v_k-p,r}{C}_{n-p,r^{w-1}}\right)$
	$m{C}_{v_k,r}\ge C_{n-a,r}-1$	$O\left(q^{ar}m{C}_{v_k,r}{C}_{n-a,r^{w-1}}\right)$
	$A_b-1\le B_b,q=2$	$O\left(B_b{A}_b^{w-1}\right)$

, respectively, from [13] with their corresponding solving complexities.

We used the following notation in Table 2 below.

The constant linear algebra is $w\approx 2.807$, and the integer is $a\ge 0$,

$p:=max\{i:m\left(\genfrac{}{}{0pt}{}{n-i-k-1}{r}\right)\ge \left(\genfrac{}{}{0pt}{}{n-i}{r}\right)-1\}$,

$A_t:={\sum }_{j=1}^t\left(\genfrac{}{}{0pt}{}{n}{r}\right)\left(\genfrac{}{}{0pt}{}{mk+1}{j}\right)$,

$B_t:={\sum }_{j=1}^t(m\left(\genfrac{}{}{0pt}{}{n-k-1}{r}\right)\left(\genfrac{}{}{0pt}{}{mk+1}{j}\right)+{\sum }_{i=1}^j{(-1)}^{i+1}\left(\genfrac{}{}{0pt}{}{n}{r+i}\right)\left(\genfrac{}{}{0pt}{}{m+i-1}{i}\right)\left(\genfrac{}{}{0pt}{}{mk+1}{j-i}\right))$,

$b:=min\{t\in Z:0<t<r+2,A_t\le B_t\}$,

$d_{n,r,k}=(r+1)(k+1)-(n+1)$,

$C_{n,k}=\left(\genfrac{}{}{0pt}{}{n}{k}\right)$, and $v_k=n-k-1$.

Definition 4 

(Circulant matrix). A $k\times k$ matrix is called a circulant matrix if each row is obtained from the previous one by a cyclic shift from one position to the right. In particular, A is generated by a vector $a=(a_0,\cdots ,a_{k-1})$ in the form of:

$$\begin{array}{cc}\hfill A& =\left(\begin{array}{cccc}{a}_0& a_1& \cdots & a_{k-1}\\ a_{k-1}& a_0& \cdots & a_{k-2}\\ & & ⋮& \\ a_1& a_2& \cdots & a_0\end{array}\right)\hfill \end{array}$$

Definition 5 

(Double circulant matrix). A $[2k,k]$-code over $F_{q^m}$ is a double circulant code if it is generated by a matrix $G=\left[A\right|B]$, where A and B are $k\times k$ circulant matrices.

RankID

In this subsection, we first introduce the definitions and operations that have been used in RankID [11]. Then, we identified the errors found in the RankID scheme.

Definition 6. 

Let vector $x=(x_1,\cdots ,x_n)\in F_{q^m}^n$ and $M=\left(c_{ji}\right)\in F_q$, as defined in Equation (2). We defined the function ${\mathrm{\Phi }}_{\beta }$ map from $F_q^{m\times n}$ to $F_{q^m}^n$ as ${\mathrm{\Phi }}_{\beta }\left(M\right)=x$. The inverse function, ${\mathrm{\Phi }}_{\beta }^{-1}$ was defined as the mapping for $F_{q^m}^n$ to $F_q^{m\times n}$ and we can rewrite it as ${\mathrm{\Phi }}_{\beta }^{-1}\left(x\right)=\left(M\right)$.

Definition 7 

(Asterisk Product). Let $Q\in F_q^{m\times m}$, $x\in F_{q^m}^n$, $M=\left(c_{ji}\right)\in F_q$ and β be a basis of $F_{q^m}$ over $F_q$. We define the product $Q*x$ by

$$Q*x={\mathrm{\Phi }}_{\beta }\left(QM\right).$$

Let k be an integer such that $k>1$, to any $\alpha \in F_{q^m}^{*}$ we associate the symmetric matrix ${\tilde{\alpha }}_k\in F_{q_m}^{k\times k}$ such that:

$$\begin{array}{cc}\hfill {\tilde{\alpha }}_k& =\left(\begin{array}{cccc}\alpha & & & \\ & {\alpha }^2& & \\ & & \ddots & \\ & & & {\alpha }^k\end{array}\right)\hfill \end{array}$$

(1)

Definition 8 

(Bullet Product). Let α be an element of $F_{q^m}^{*}$, k be an integer such that $k>1$, and $v=\left(v_1\right|\left|v_2\right)$ (where $\left|\right|$ is the concatenation symbol) be a vector of $F_{q^m}^n$ such that $v_1,v_2\in F_{q^m}^k$. We define the product $v•\alpha$ as follows:

$$v•\alpha =v_1{\tilde{\alpha }}_k\left|\right|v_2{\tilde{\alpha }}_k.$$

where ${\tilde{\alpha }}_k$ is as defined in Equation (1).

The RankID scheme [11] utilizes the double circulant matrix from the AGS ID scheme [7] to generate the generator matrix, G as a public key. The hard problem on which the RankID is based is the RSD problem. They introduced the special multiplication law that has been used in their protocol, as we explained in the previous section in definitions (7) and (8).

Their protocol uses a public $k\times n$ (with $n=2k$) random double circulant matrix G over $F_{q^m}$. This matrix G generates an $[n,k]$-linear code over $F_{q^m}$. They considered the matrix of type $G=(I_k,G_1)$ where $G_1$ is a $k\times k$ circulant matrix over $F_{q^m}$ and $I_k$ is the $k\times k$ identity matrix.

Private key:$(e,f)$ with $e\in F_{q^m}^{2k}$ with $rk\left(e\right)=r$ and $f\in F_{q^m}^k$.

Public key:$(G,x,r)$ with $G\in F_{q^m}^{k\times 2k}$, $x=fG\oplus e$.

3. Analysis of RankID

Here, we provide more details regarding the errors that we encountered in the RankID (

Table 3. The identification protocol (RankID).

Prover, $\mathcal{P}$		Verifier, $\mathcal{V}$
$u\in F_{q^m}^k$
$P\in G{L}_{2k}\left(F_q\right)$
$Q\in G{L}_m\left(F_q\right)$
	$\begin{array}{c}{c}_1=h\left(P\right|\left|Q\right||(u{G}_1\oplus f))\\ \stackrel{c_2=h(Q*(u{G}_1\left)P\right)}{\to }\\ \stackrel{\alpha \in F_{q^m}^k}{\leftarrow }\\ \stackrel{c_3=h(Q*(uG\oplus (e•\alpha )\left)P\right)}{\to }\\ \stackrel{g\in \{0,1\}}{\leftarrow }\end{array}$
if $g=0$,
	$\begin{array}{c}u+f{\tilde{\alpha }}_k\\ \stackrel{u{G}_1\oplus f,\left(P\right|\left|Q\right)}{\to }\end{array}$
		$\begin{array}{c}verify:\\ c_1=h\left(P\right|\left|Q\right||(u{G}_1\oplus f)),\\ c_3=h(Q*(uG\oplus (e•\alpha ))P)\end{array}$
if $g=1$,
	$\begin{array}{c}Q*\left(uG\right)P,\\ \stackrel{Q*(e•\alpha )P}{\to }\end{array}$
		$\begin{array}{c}verify:\\ c_2=h(Q*\left(uG\right)P),\\ c_3=h(Q*(uG\oplus (e•\alpha ))P)\\ rk(Q*(e•\alpha )P)\le r\end{array}$

). The authors in [11] claimed that RankID achieved completeness by the following argument.

When $g=0$, then the verifier can compute:

$$\begin{array}{cc}\hfill (u\oplus f{\tilde{\alpha }}_k)G\oplus x•\alpha & =uG\oplus f{\tilde{\alpha }}_{k}G\oplus (fG\oplus e)•\alpha \hfill \\ \hfill & =uG\oplus f{\tilde{\alpha }}_{k}G\oplus fG•\alpha \oplus e•\alpha \hfill \\ \hfill & =uG\oplus f{\tilde{\alpha }}_{k}G\oplus (f{\tilde{\alpha }}_k\left|\right|f{G}_1{\tilde{\alpha }}_k)\oplus e•\alpha \hfill \\ \hfill & =uG\oplus f{\tilde{\alpha }}_{k}G\oplus (f{\tilde{\alpha }}_k\left|\right|f{\tilde{\alpha }}_k{G}_1)\oplus e•\alpha \hfill \\ \hfill & =uG\oplus f{\tilde{\alpha }}_{k}G\oplus f{\tilde{\alpha }}_{k}G\oplus e•\alpha \hfill \\ \hfill & =uG\oplus e•\alpha .\hfill \end{array}$$

(2)

Equation (2) is incorrect because ${\tilde{\alpha }}_k$ and $G_1$ are not commutative. Although ${\tilde{\alpha }}_k$ is symmetric: it does not commute with the matrix $G_1$. Therefore, $f{G}_1{\tilde{\alpha }}_k\ne f{\tilde{\alpha }}_k{G}_1$.

The second error in the scheme is when $g=1$, then we obtain $rk(Q*(e•\alpha \left)P\right)\ne r$. To illustrate $rk(e•\alpha )\ne r$, we provide a counterexample here. Since P and Q are invertible over $F_q$, they preserve the rank of the vector. Therefore, we only require showing that $rk(e•\alpha )\ne r$.

Proof. 

Let z be a primitive element in $F_{q^m}$ and $\{1,z,z^2,\cdots ,z^{m-1}\}$ be a basis of $F_{q^m}$ over $F_q$. Let $q=2,k=4,m=11$, $\alpha =z^2$, $e=(e_1\left|\right|e_2)\in F_{q^m}^{2k}$ where $e_1=(1,z,z^2,z)$ and $e_2=(z,z^2,z,z^2)$ with $rk\left(e\right)=3$.

$$\begin{array}{cc}\hfill rk(e•\alpha )& =rk\left(e_1{\tilde{\alpha }}_k\right|\left|e_2{\tilde{\alpha }}_k\right)\hfill \\ \hfill & =rk(1,z,z^2,z)\left(\begin{array}{cccc}{z}^2& & & \\ & z^4& & \\ & & z^6& \\ & & & z^8\end{array}\right)\hfill \\ \hfill & \left|\right|(z,z^2,z,z^2)\left(\begin{array}{cccc}{z}^2& & & \\ & z^4& & \\ & & z^6& \\ & & & z^8\end{array}\right)\hfill \\ \hfill & =rk(z^2,z^5,z^8,z^9||z^3,z^6,z^7,z^{10})\hfill \\ \hfill & =8.\hfill \end{array}$$

□

From the above counterexample, we obtain $rk(e•\alpha )=8$ which is greater than $rk\left(e\right)=r=3$. Therefore, $rk(Q*(e•\alpha \left)P\right)\ne r$.

Security Analysis of RankID

Now, we assumed that RankID was correct even though we found some errors in this scheme. We showed that, based on the information sent through the channels, one could recover the secret of the scheme.

As we know, the adversary can have the public key, which is $(G,r,x)$ and other elements from the scheme such as $(\alpha ,G_1,x,u+f\widetilde{{\alpha }_k},u{G}_1\oplus f,P|\left|Q\right)$ as the adversary can look over the communication channel.

Now, we show how the secret key f was retrieved as follows:

Let $w=u+f{\tilde{\alpha }}_k$ and $v=u{G}_1\oplus f$,

$$\begin{array}{cc}\hfill y& =w{G}_1-v\hfill \\ \hfill & =u{G}_1+f{\tilde{\alpha }}_k{G}_1-u{G}_1-f\hfill \\ \hfill & =f{\tilde{\alpha }}_k{G}_1-f\hfill \\ \hfill & =f[{\tilde{\alpha }}_k{G}_1-I].\hfill \end{array}$$

Now, let $\delta ={\tilde{\alpha }}_k{G}_1-I$ and $\delta$ look random with the random matrix minus the identity matrix. Therefore, we can have the inverse of the matrix, $\delta$, so that f can be retrieved.

$$f=y{\left[\delta \right]}^{-1}.$$

Then, we can also computed the secret u.

$$\begin{array}{cc}\hfill u& =w-f{\tilde{\alpha }}_k\hfill \\ \hfill & =w-y{\left[\delta \right]}^{-1}{\tilde{\alpha }}_k.\hfill \end{array}$$

Since we identified $(f,u)$, we could successfully retrieve the error vector, e. Therefore, RankID is insecure to be used.

4. New Rank AGS Identification Protocol

In this section, we describe our new zero-lnowledge identification protocol, namely the Rank AGS identification protocol. Our technique implements the double circulant structure in the public matrix, G. Our public key is still the same as $(G,r,x)$. Our secret key is $(f,e)$. We modified the secret $\alpha$ that would be sent by the verifier to the prover into $\alpha =\gamma Cir\left(v\right)$ where $\gamma \in F_{q^m}$ and $Cir\left(v\right)$ is a circulant matrix generated by a vector $v\in F_q^k$.

We introduced a new definition of the product, which is defined below.

Definition 9 

(Dot Product,$·$). Let $e=(e_1\left|\right|e_2)\in F_{q^m}^{2k}$ where $e_1,e_2\in F_{q^m}^k$ and let $\alpha \in F_{q^m}^{k\times k}$. We define the product of $e·\alpha$ as follows:

$$\begin{array}{cc}\hfill e·\alpha & =\left(e_1\alpha \right|\left|e_2\alpha \right).\hfill \end{array}$$

4.1. Key Generation

We used the same notation and the same keys as in the scheme of RankID. Our zero-knowledge protocol uses a public $k\times n$ ($n=2k$) random double circulant matrix G over $F_{q^m}$.

4.1.1. Key Generation

Choose $k,m,q$, and r.

• $G\stackrel{\$}{\leftarrow }{F}_{q^m}^{k\times 2k}$
• $e\stackrel{\$}{\leftarrow }{F}_{q^m}^{2k}$ with $rk\left(e\right)=r$.
• $f\stackrel{\$}{\leftarrow }{F}_{q^m}^k$
• $x\leftarrow fG\oplus e$

Public Key = $pk\leftarrow (G,r,x)$, Secret Key = $sk\leftarrow (f,e)$.

4.1.2. Rank AGS ID

In our zero-knowledge protocol, to prove its identity, a prover must prove the knowledge of the secret key $(e,f)$ by using two blinding techniques. The first one is to Xor a random vector to the secret key f, and the second blinding technique uses the “*” and “$·$” products to multiply the secret e to random values. Moreover, the security of our protocol relies on the hardness of the rank syndrome decoding problem (RSD). We modify the $\alpha$ that has been distributed by the verifier to the prover where $\alpha =\gamma Cir\left(v\right)$, where $v\in F_q^k$ and $\gamma \in F_{q^m}$. Notice that the RankID scheme is insecure due to the extra information $u{G}_1+f$ sent by the prover to the verifier. As a result, we considered the original AGS scheme in the Hamming metric and constructed the Rank AGS more naturally. Therefore, the key generation and the algorithm of the Rank AGS are still the same except for the commit, $c_1=h\left(P\right|\left|Q\right)$, and we removed the response $u{G}_1\oplus f$ when the challenge $g=0$ was received. The repaired new scheme is shown in

Table 4. The identification protocol (Rank AGS).

Prover, $\mathcal{P}$		Verifier, $\mathcal{V}$
$u\in F_{q^m}^k$
$P\in G{L}_{2k}\left(F_q\right)$
$Q\in G{L}_m\left(F_q\right)$
	$\begin{array}{c}{c}_1=h\left(P\right|\left|Q\right)\\ \stackrel{c_2=h(Q*(uG\left)P\right)}{\to }\\ \stackrel{\alpha \in F_{q^m}^{k\times k}}{\leftarrow }\\ \stackrel{c_3=h(Q*(uG\oplus (e•\alpha )\left)P\right)}{\to }\\ \stackrel{g\in \{0,1\}}{\leftarrow }\end{array}$
if $g=0$,
	$\begin{array}{c}u+f\alpha ,\\ \stackrel{\left(P\right|\left|Q\right)}{\to }\end{array}$
		$\begin{array}{c}verify:\\ c_1=h\left(P\right|\left|Q\right|\left|\right),\\ c_3=h(Q*(uG\oplus (e•\alpha ))P)\end{array}$
if $g=1$,
	$\begin{array}{c}Q*\left(uG\right)P,\\ \stackrel{Q*(e•\alpha )P}{\to }\end{array}$
		$\begin{array}{c}verify:\\ c_2=h(Q*\left(uG\right)P),\\ c_3=h(Q*(uG\oplus (e•\alpha ))P),\\ rk(Q*(e•\alpha )P)\le r\end{array}$

below:

4.1.3. Algorithm of Rank AGS ID

• A prover $\mathcal{P}$ randomly chooses $u\in F_{q^m}^k,P\in G{L}_{2k}\left(F_q\right),Q\in G{L}_m\left(F_q\right)$. Then, $\mathcal{P}$ sends to a verifier $\mathcal{V}$ the commitments $c_1$ and $c_2$ such that: $c_1=h\left(P\right|\left|Q\right)$ and $c_2=h(Q*\left(uG\right)P)$. Here, h is a hash function.
• A verifier $\mathcal{V}$ sends $\alpha \in F_{q^m}^{k\times k}$ to $\mathcal{P}$.
• A prover $\mathcal{P}$ builds $c_3=h(Q*(uG\oplus \left(e·\alpha \right))P)$ and sends to $\mathcal{V}$.
• A verifier $\mathcal{V}$ sends $g\in \{0,1\}$ to $\mathcal{P}$.
• Two possibilities:
  • If $g=0$: $\mathcal{P}$ reveals $u+f\alpha$ and $P\left|\right|Q$.
  • If $g=1$: $\mathcal{P}$ reveals $Q*\left(uG\right)P$ and $Q*\left(e·\alpha \right)P$.
• Verification step, two possibilities:
  • If $g=0$: $\mathcal{V}$ verifies that $c_1=h\left(P\right|\left|Q\right),c_3=h(Q*(uG\oplus \left(e·\alpha \right))P)$ have been honestly computed;
  • If $g=1$: $\mathcal{V}$ verifies that $c_2=h(Q*\left(uG\right)P),c_3=h(Q*(uG\oplus \left(e·\alpha \right))P)$ have been honestly computed and $rk(Q*(e·\alpha \left)P\right)\le r$.

Now, we provide a simple toy example of the Rank AGS scheme as in

Table 5. Example of identification protocol (Rank AGS).

Prover, P		Verifier, V
$u=(1,z,z^2,z)\in F_{2^3}^4$ $P\in G{L}_8\left(F_2\right)$
$P=\left(\begin{array}{cccccccc}1& 0& 0& 0& 0& 0& 0& 0\\ 1& 0& 0& 1& 0& 1& 0& 0\\ 1& 1& 1& 1& 0& 1& 0& 1\\ 1& 0& 1& 0& 0& 1& 1& 0\\ 1& 0& 0& 1& 1& 1& 0& 0\\ 1& 1& 0& 1& 1& 1& 0& 0\\ 0& 1& 0& 0& 0& 0& 1& 1\\ 0& 1& 1& 1& 0& 0& 1& 1\end{array}\right)$ $Q=\left(\begin{array}{ccc}1& 0& 1\\ 0& 1& 0\\ 1& 0& 0\end{array}\right)\in G{L}_3\left(F_2\right)$
	$\begin{array}{c}{c}_1=h\left(P\right|\left|Q\right)\\ =10101011100011100011000001\\ c_2=hQ*\left(ug\right)P)\\ \stackrel{=11010000100111010011111101}{\to }\\ \stackrel{\alpha =\left(\begin{array}{cccc}1& 0& 1& 0\\ 0& 1& 0& 1\\ 1& 0& 1& 0\\ 0& 1& 0& 1\end{array}\right)\in F_{2^3}^{4\times 4}}{\leftarrow }\\ c_3=h(Q*(uG\oplus (e•\alpha )\left)P\right)\\ \stackrel{=10101010110110010010011011}{\to }\\ \stackrel{g\in \{0,1\}}{\leftarrow }\end{array}$
if $g=0$,
	$\begin{array}{c}u+f\alpha ,\\ =(z,z^2,1+z+z^2,z^2),\\ \stackrel{\left(P\right|\left|Q\right)}{\to }\end{array}$	Assume can be verified as we can receive back:
		$\begin{array}{c}{c}_1=h\left(P\right|\left|Q\right|\left|\right)\\ =10101011100011100011000001,\\ c_3=h(Q*(uG\oplus (e•\alpha ))P)\\ =0101010110110010010011011\end{array}$
if $g=1$,
	$\begin{array}{c}Q*\left(uG\right)P\\ =\left(\begin{array}{cccccccc}0& 1& 1& 0& 1& 0& 1& 1\\ 0& 0& 0& 0& 1& 0& 0& 0\\ 0& 1& 0& 1& 1& 1& 0& 0\end{array}\right),\\ Q*(e•\alpha )P\\ \stackrel{=\left(\begin{array}{cccccccc}0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 1& 1& 1& 0& 1& 0& 1\end{array}\right)}{\to }\end{array}$	Assume can be verified as we can receive back:
		$\begin{array}{c}{c}_2=h(Q*\left(uG\right)P)\\ =11010000100111010011111101,\\ c_3=h(Q*(uG\oplus (e•\alpha ))P)\\ =10101010110110010010011011,\\ rk(Q*(e•\alpha )P)\le r\end{array}$

below. Let $q=2,k=4,m=3$. Let z be the primitive element in $F_{2^3}$ and $1,z,z^2$ be the basis of $F_{2^3}$ over $F_2$.

Private key:$e=(1,z,z^2,z||z,z^2,z,z^2)$ with $e\in F_{2^3}^8$ with $rk\left(e\right)=3$ and $f=(1,z,z,z^2)$ with $f\in F_{2^3}^4$.

Public key:$G=\left(\begin{array}{cccccccc}1& z& z& z^2& z& 1& z^2& z\\ z^2& 1& z& z& z& z& 1& z^2\\ z& z^2& 1& z& z^2& z& z& 1\\ z& z& z^2& 1& 1& z^2& z& z\end{array}\right)$ with $G\in F_{2^3}^{4\times 8}$, $r=3$ and $x=fG\oplus e=(1+z+z^2,z,z,z,z+z^2,1+z+z^2,z+z^2,z^2)$.

From the above Rank AGS example, we were able to prove that our Rank AGS scheme works efficiently.

5. Properties and Security of the Rank AGS ID

In this section, we prove the ZK security of our scheme by using the usual zero-knowledge arguments and also consider security properties such as completeness, zero knowledge, and soundness. We also showed that this protocol is zero-knowledge with a cheating probability of around $\frac{1}{2}$.

5.1. Completeness

We obtained the completeness of Rank AGS that has been described in (Table 4) by showing that if an honest prover $\mathcal{P}$ and an honest verifier $\mathcal{V}$ execute our protocol, it always succeeds.

Theorem 1. 

If a prover and a verifier honestly execute Rank AGS, we have for any round

$$Pr[RankAGSI{d}_{P,V}=Accept]=1.$$

Proof. 

$\mathcal{P}$ and $\mathcal{V}$ are supposed to be honest. We can verify $c_3$ in the case that $g=0$, $\mathcal{V}$ can compute:

$$\begin{array}{cc}\hfill (u\oplus f\alpha )G\oplus x·\alpha & =uG\oplus f\alpha G\oplus (fG\oplus e)·\alpha \hfill \\ \hfill & =uG\oplus f\alpha G\oplus fG·\alpha \oplus e·\alpha \hfill \\ \hfill & =uG\oplus f\alpha G\oplus \left(f\right|\left|f{G}_1\right)·\alpha \oplus e·\alpha \hfill \\ \hfill & =uG\oplus f\alpha G\oplus \left(f\alpha \right|\left|f{G}_1\alpha \right)\oplus e·\alpha \hfill \\ \hfill & =uG\oplus f\alpha G\oplus \left(f\alpha \right|\left|f\alpha G_1\right)\oplus e·\alpha \hfill \\ \hfill & =uG\oplus f\alpha G\oplus f\alpha G\oplus e·\alpha \hfill \\ \hfill & =uG\oplus e·\alpha .\hfill \end{array}$$

□

In the case $g=1$, we can check that $rk(Q*(e·\alpha \left)P\right)=r$. The proof is as below when we consider $rk\left(e·\alpha \right)=rk\left(e\right)$.

Proof. 

Let $({\beta }_1,\cdots ,{\beta }_m)$ be the basis for $F_{q^m}$. Let $M_{e_1}$ and $M_{e_2}$ be the support matrices for $e_1$ and $e_2$ respectively.

$$\begin{array}{cc}\hfill e·\alpha & =e_1\gamma Cir\left(v\right)\left|\right|e_2\gamma Cir\left(v\right)\hfill \\ \hfill & =({\beta }_1,\cdots ,{\beta }_n)M_{e_1}\gamma Cir\left(v\right)\left|\right|({\beta }_1,\cdots ,{\beta }_n)M_{e_2}\gamma Cir\left(v\right)\hfill \\ \hfill & =\gamma ({\beta }_1,\cdots ,{\beta }_n)M_{e_1}Cir\left(v\right)\left|\right|\gamma ({\beta }_1,\cdots ,{\beta }_n)M_{e_2}Cir\left(v\right).\hfill \end{array}$$

Now, we can determine $rk\left(e·\alpha \right)$. Let $M_1^{\prime }=M_{e_1}Cir\left(v\right)$ and $M_2^{\prime }=M_{e_2}Cir\left(v\right)$.

$$\begin{array}{cc}\hfill rk\left(e·\alpha \right)& =rk\left(M_1^{\prime }\right|\left|M_2^{\prime }\right)\hfill \\ \hfill & =rk\left(M_{e_1}Cir\left(v\right)\right|\left|M_{e_2}Cir\left(v\right)\right)\hfill \\ \hfill & =rk\left(\right[M_{e_1}\left|\right|M_{e_2}\left]\left(\begin{array}{cc}Cir\left(v\right)& 0\\ 0& Cir\left(v\right)\end{array}\right)\right)\hfill \\ \hfill & \le min\left\{rk(M_{e_1}\left|\right|M_{e_2}),rk\left(\begin{array}{cc}Cir\left(v\right)& 0\\ 0& Cir\left(v\right)\end{array}\right)\right\}\hfill \\ \hfill & \le rk\left(M_{e_1}\right|\left|M_{e_2}\right)\hfill \\ \hfill & \le rk\left(e\right)=r.\hfill \end{array}$$

□

Therefore, $rk(Q*(e·\alpha \left)P\right)\le r$. The verifier, $\mathcal{V}$ can execute the protocol correctly.

5.2. Zero Knowledge

We used the classical idea of simulation as presented in [22] to ensure zero knowledge. We need to prove that no information can be deduced in polynomial time from the execution of the Rank AGS protocol.

Theorem 2. 

The protocol defined in (Table 4) is a prover-verifier zero-knowledge protocol.

Proof. 

Let S and $\delta$ be a simulator using a dishonest verifier and the number of rounds that are taken by an honest identification process to be executed, respectively. We needed to construct a polynomial-time simulator S of the protocol that, by interacting with the verifier V, could provide a transcript indistinguishable from the original protocol. The simulator S should perform the following steps:

If $g=0$:

S randomly chooses $u^{\prime }\in F_{q^m}^k,P^{\prime }\in F_q^{2k\times 2k}$ and $Q^{\prime }\in F_q^{m\times m}$ and solves the equation $x=fG\oplus e$ without necessarily satisfying the condition $rk\left(e\right)=r$. Then, the computed $c_1=h(P^{\prime }\left|\right|Q^{\prime })$ and $c_2$ is taken as a random value. S simulates the verifier by applying $(c_1,c_2)$ to obtain $\alpha \in F_{q^m}^{k\times k}$. Then, S can compute $c_3=h(Q^{\prime }*(u^{\prime }G\oplus \left(e·\alpha \right))P^{\prime })$. Note that $P^{\prime },Q^{\prime }$, and $u^{\prime }$ are indistinguishable from $P,Q$, and $u+f\alpha$.

If $g=1$:

S randomly chooses $u^{\prime }\in F_{q^m}^k,P^{\prime }\in F_q^{2k\times 2k}$ and $Q^{\prime }\in F_q^{m\times m}$. Now, he randomly chooses $f^{\prime }\in F_{q^m}^k$ and $e^{\prime }\in F_{q^m}^{2k}$ such that $rk\left(e^{\prime }\right)=r$. Then, he computes $c_2=h(Q^{\prime }*\left(u^{\prime }G\right)P^{\prime })$ and $c_1$ is taken as a random value. S simulates the verifier by applying $(c_1,c_2)$ to obtain $\alpha \in F_{q^m}^{k\times k}$ and then S can compute $c_3=h(Q^{\prime }*(u^{\prime }G\oplus \left(e^{\prime }·\alpha \right))P^{\prime })$. Note that $P^{\prime },Q^{\prime },u^{\prime },f^{\prime }$ and $e^{\prime }$ are indistinguishable from $Q^{*}\left(uG\right)P$ and $Q*\left(e·\alpha \right)P$. □

Therefore, S generates a communication transcript that is indistinguishable from another communication transcript which exactly looks similar to an honest identification process execution in $2\delta$ rounds.

5.3. Soundness

The soundness of our scheme can be proven by starting to show that for each round, a dishonest prover can cheat with a probability that does not exceed $\frac{q^{m+k}-q^m-q^k+2}{2(q^{m+k}-q^m-q^k+1)}$. The finite field used is $F_{q^m}$.

$S{t}_1$:

He or she randomly chooses $u^{\prime }$, $P^{\prime }$, $Q^{\prime }$, and solves the equation $x=f^{\prime }G\oplus e^{\prime }$ without necessary satisfying the condition $rk\left(e^{\prime }\right)=r$ where $f^{\prime }\in F_{q^m}^k$ and $e^{\prime }\in F_{q^m}^{2k}$ when receiving $g=0$ as a challenge. Then, he or she computes $c_1=h(P^{\prime }\left|\right|Q^{\prime })$ and sets $c_2$ at random data. Thus, the dishonest prover is able to answer the challenge $g=0$ regardless of the value of $\alpha$ chosen by the verifier.

$S{t}_2$:

He or she randomly chooses $u^{\prime }$, $P^{\prime }$, $Q^{\prime }$, and generates the couple $(f^{\prime },e^{\prime })$ randomly such that $rk\left(e^{\prime }\right)=r$ when receiving $g=1$ as a challenge. Then, he or she can compute $c_2=h(Q^{\prime }*\left(u^{\prime }G\right)P^{\prime })$ and set $c_1$ at random data. In this case, the rank of $e^{\prime }$ is valid. Thus, the dishonest prover can correctly answer the challenge $g=1$ regardless of the value of $\alpha$.

By trying to guess $\alpha$, the above two strategies can be improved. Let ${\alpha }^{\prime }$ be the guessed value of $\alpha$. Thus, the dishonest prover can compute $h\left(x\right)$ where $x=Q*(uG\oplus \left(e·{\alpha }^{\prime }\right))P$.

Since there are only two strategies ($S{t}_1,S{t}_2$), we have $P(St=S{t}_i)=\frac{1}{2}$. Next, we only have two possibilities of being challenged which are $g\in 0,1$. Therefore, $P(g=i)=\frac{1}{2}$. Meanwhile, the probability of guessing the correct value of $\alpha$ depends on its size. We know that $\alpha =\gamma Cir\left(v\right)$ where $\gamma \in F_{q^m}$ and $v\in F_q^k$. Thus, excluding 0, the size of $\alpha$ is $(q^m-1)(q^k-1)$ and the probability of guessing the correct $\alpha$ is $\frac{1}{(q^m-1)(q^k-1)}$.

Therefore, the success cheating probability of a strategy for one round is given by:

$$\begin{array}{cc}\hfill P& =\sum _{i=0}^{1}P(St=S{t}_i)P(b=i)+P(St=S{t}_i)P(b=1-i)P(\alpha =v^{\prime })\hfill \\ \hfill & =P(St=S{t}_0)P(b=0)+P(St=S{t}_0)P(b=1)P(\alpha =v^{\prime })\hfill \\ \hfill & +P(St=S{t}_1)P(b=1)+P(St=S{t}_1)P(b=0)P(\alpha =v^{\prime })\hfill \\ \hfill & =\left(\frac{1}{2}\right)\left(\frac{1}{2}\right)+\left(\frac{1}{2}\right)\left(\frac{1}{2}\right)\left(\frac{1}{q^{m+k}-q^m-q^k+1}\right)\hfill \\ \hfill & +\left(\frac{1}{2}\right)\left(\frac{1}{2}\right)+\left(\frac{1}{2}\right)\left(\frac{1}{2}\right)\left(\frac{1}{q^{m+k}-q^m-q^k+1}\right)\hfill \\ \hfill & =\left(\frac{1}{4}\right)+\left(\frac{1}{4}\right)\left(\frac{1}{q^{m+k}-q^m-q^k+1}\right)+\left(\frac{1}{4}\right)\hfill \\ \hfill & +\left(\frac{1}{4}\right)\left(\frac{1}{q^{m+k}-q^m-q^k+1}\right)\hfill \\ \hfill & =\frac{1}{2}+\left(\frac{1}{2(q^{m+k}-q^m-q^k+1)}\right)\hfill \\ \hfill & =\frac{q^{m+k}-q^m-q^k+2}{2(q^{m+k}-q^m-q^k+1)}.\hfill \end{array}$$

(3)

If a dishonest prover succeeds in cheating with a probability higher than ${\left(\frac{q^{m+k}-q^m-q^k+2}{2(q^{m+k}-q^m-q^k+1)}\right)}^{\delta }$ where $\delta$ is the number of rounds, then he or she can solve the rank syndrome decoding problem (RSD).

5.4. Rank AGS Signature Scheme

After this, we investigated the signature scheme based on the Rank AGS ID. As mentioned in the introduction, the Fiat–Shamir transform [23] can turn any zero-knowledge identification scheme into a signature scheme by considering the cryptographic hash functions known as the commit-and-challenge approach. The key generation of our signature scheme is the same as in Rank AGS ID. Now, we present the Rank AGS signing and verification algorithm as shown in the following Algorithms 1 and 2 respectively.

Algorithm 1: rank AGS signing algorithm

Input:  msg, message, $\delta$, number of rounds, sk=(f,e)$\leftarrow KGen$, pk=(G,r,x)$\leftarrow KGen$. Output:  Sign(sk,pk,msg,$\delta$)   Step 1: 1: for$i=1$ to $\delta$ do 2:       $u_i\in F_{q^m}^k$ 3:       $P_i\in F_q^{2k\times 2k}$ 4:       $Q_i\in F_q^{m\times m}$ 5:       $c_{i,0}\leftarrow h(P_i\left|\right|Q_i)$ 6:       $c_{i,1}\leftarrow h(Q_i*\left(u_{i}G\right)P_i)$ 7: end for 8: $cm{t}_0\leftarrow c_{1,0}\left|\right|c_{1,1}\left|\right|\cdots \left|\right|c_{\delta ,0}\left|\right|c_{\delta ,1}$   Step 2: 9: $c{h}_1\leftarrow h(cm{t}_0\left|\right|msg)$   Step 3: 10: for$i=1$ to $\delta$ do 11:       ${\gamma }_i=(c{h}_{1,(i-1)m+(i-1)k+1},\cdots ,c{h}_{1,im+(i-1)k})$ 12:       $v_i=(c{h}_{1,im+(i-1)k+1},\cdots ,c{h}_{1,im+ik})$ 13:       ${\alpha }_i={\gamma }_{i}Cir\left(v_i\right)$ 14:       $cm{t}_{1,i}\leftarrow h(Q_i*(u_{i}G\oplus \left(e·{\alpha }_i\right))P_i)$ 15: end for   Step 4: 16: $c{h}_2\leftarrow h\left(\right(cm{t}_1\left|\right|1\left)\right||\cdots |\left|\right(cm{t}_1\left|\right|\ell \left)\right)$   Step 5: 17: for$i=1$ to $\delta$ do 18:       if $c{h}_{2,i}=0,$ then 19:             $rs{p}_i\leftarrow [u_i+f_i{\alpha }_i,(P_i\left|\right|Q_i\left)\right]$ 20:       end if 21:       if $c{h}_{2,i}=1,$ then 22:             $rs{p}_i\leftarrow [(Q_i*\left(u_{i}G\right)P_i),(Q_i*\left(e·{\alpha }_i\right)P_i)]$ 23:       end if 24: end for 25: sgn $\leftarrow [cm{t}_0,c{h}_1,cm{t}_1,c{h}_2,rsp]$ 26: return sgn

Impersonation attack. An attacker executes the Rank AGS with a prover, $\mathcal{P}$, and tries to give answers that the verifier, $\mathcal{V}$, will accept. It is impossible to give commitments that can be opened for two values of g. Without the knowledge of the secret key, e, the probability of success is at most $P{r}_{imp}=\frac{1}{2}$.

5.5. Key Size and Signature Size

Here, we report the key and signature bit size for our Rank AGS ID and Rank AGS Signature scheme, respectively. First, we investigate the key size that we need for Rank AGS ID.

• Our public keys are $(G,x,r)$. $G\in F_{q^m}^{k\times 2k}$ is a systematic double circulant matrix, which requires only a vector to represent it, $2kmlo{g}_2\left(q\right)$. $x\in F_{q^m}^{2k}$ has a size of $kmlo{g}_2\left(q\right)$. Therefore, the public key size is $3kmlo{g}_2\left(q\right)$.
• The secret keys are $(f,e)$ where $f\in F_{q^m}^k$ and $e\in F_{q^m}^{2k}$. If we have f, then we can compute e from $e=x+fG$. Therefore, it suffices for us to store only f as a secret key, which contributes to $kmlo{g}_2\left(q\right)$.
• Based on the Rank AGS signature scheme, we can construct the signature size of our signature scheme. The signature consists of two commitments which are $cm{t}_0$ and $cm{t}_{1,i}$, and have a total length of $3h\delta$. Then, the challenge, $c{h}_1$ is having size of $\delta (k+m)lo{g}_2\left(q\right)$ and $c{h}_2$ is having size of $\delta$. The total size of the response, $rs{p}_i$ for the commit-challenge, is based on the value of the challenge, which is 0 or 1. The size of $rs{p}_i$ is $\frac{1}{2}\delta (5km+4k^2+m^2)lo{g}_2\left(q\right)$. The signature size is based on the total size of the commitment, challenge, and response which is $3h\delta +\delta +\delta (k+m)lo{g}_2\left(q\right)+\frac{1}{2}\delta (5km+4k^2+m^2)lo{g}_2\left(q\right)$.

Algorithm 2: rank AGS verification algorithm

Input:  msg, message, $\delta$, number of rounds, $sgn=[cm{t}_0,c{h}_1,cm{t}_1,c{h}_2,rsp]$, pk=(G,r,x)$\leftarrow KGen$. Output:  Verify(pk,msg,$\delta$,sgn) 1: for$i=1$ to $\delta$ do 2:       ${\gamma }_i=(c{h}_{1,(i-1)m+(i-1)k+1},\cdots ,c{h}_{1,im+(i-1)k})$ 3:       $v_i=(c{h}_{1,im+(i-1)k+1},\cdots ,c{h}_{1,im+ik})$ 4:       ${\alpha }_i={\gamma }_{i}Cir\left(v_i\right)$ 5:       if $c{h}_{2,i}=0$ then 6:             $c_{i,0}\leftarrow cm{t}_{0,2h(i-1)+1},\cdots ,cm{t}_{0,2h(i-1)+h}$ 7:             if $c_{i,0}\ne h\left(rs{p}_{i,2}\right)\vee$ then 8:                   $cm{t}_{1,i}\ne h(rs{p}_{i,2\left(2\right)}*(rs{p}_{i,1}G\oplus \left(x·{\alpha }_i\right))rs{p}_{i,2\left(1\right)})$ 9:                   return false 10:             end if 11:       end if 12:       if $c{h}_{2,i}=1$, then 13:             $c_{i,1}\leftarrow cm{t}_{0,\left(2h\right(i-1)+h)+1},\cdots ,cm{t}_{0,2hi}$ 14:             if $c_{i,1}\ne h\left(rs{p}_{i,1}\right)\vee cm{t}_{1,i}\ne h(rs{p}_{i,1}\oplus rs{p}_{i,2})\vee rk\left(rs{p}_{i,2}\right)\ne r$ then 15:                   return false 16:             end if 17:       end if true 18: end for 19: return true

Now, we provide the parameter sets achieving 128-bit and 256-bit security levels as shown in

Table 6. Public, secret keys and signature bit sizes for 128-bit and 256-bit security levels.

Parameters $(\mathit{q},\mathit{m},\mathit{n},\mathit{k},\mathit{r},\mathit{\delta },\mathit{h})$	Security Level	Signature Size	Secret Key	Public Key
$(2,43,38,19,$ $8,129,129)$	128 bit	533,931	817	2451
$(2,37,34,17,$ $8,129,129)$	128 bit	422,733	629	1887
$(2,47,46,23,$ $11,257,257)$	256 bit	1,466,699	1081	3243
$(2,53,46,23,$ $11,257,257)$	256 bit	1,634,006	1219	3657

. These security levels are computed based on the complexity of existing known combinatorial and algebraic attacks on the RSD problem. We set $q=2$, m to be a prime number, and $n=2k$. The number of rounds needed to decrease the impersonation probability to our needs. Therefore, we fixed the number of rounds, $\delta =129$ and $\delta =257$ to reach the desired impersonation probability ($2^{-129}$ and $2^{-257}$) to achieve the security level of 128-bits and 256-bits respectively. The hash value, h, is the same as the $\delta$ value according to the Rank AGS signature scheme.

We could achieve the desired security level to solve the rank syndrome decoding problem (RSD) based on the sets of small parameters.

Then, we looked at the key and signature bit sizes for other signature schemes, which are based on rank metrics such as Rank CVE [8] and the double circulant version of Veron (Rank RVDC) [10] identification schemes. Then, we compared the size of public, secret, and signature keys with our Rank AGS as shown in

Table 7. Comparison of keys and signature bit sizes with CVE and RVDC schemes for 128 security level.

Scheme	Parameters $(\mathit{q},\mathit{m},\mathit{n},\mathit{k},\mathit{r},\mathit{\delta },\mathit{h})$	Signature Size	Secret Key	Public Key
Rank CVE	$(2,43,38,19,8,128,256)$	3,313,662	1258	33,969
Rank RVDC	$(2,43,38,19,8,129,256)$	574,953	2451	2454
Rank AGS	$(2,43,38,19,8,129,129)$	533,931	817	2451

and

Table 8. Comparison of keys and signature bit sizes with CVE and RVDC schemes for 256 security level.

Scheme	Parameters $(\mathit{q},\mathit{m},\mathit{n},\mathit{k},\mathit{r},\mathit{\delta },\mathit{h})$	Signature Size	Secret Key	Public Key
Rank CVE	$(2,47,46,23,11,256,512)$	14,161,547	2162	75,673
Rank RVDC	$(2,47,46,23,11,257,512)$	1,645,057	3243	3247
Rank AGS	$(2,47,46,23,11,257,257)$	1,466,699	1081	3243

.

Based on the comparison above, we could observe that all our public, secret key size, and signature sizes were smaller than other schemes. The percentage of the size reduction in the keys or signature is given below in

Table 9. Percentage of size reduction as we consider Rank CVE as the original reference for the 128 security level.

Scheme	Percentage (%)
	Signature Size	Secret Key	Public Key
Rank RVDC	83	−95	93
Rank AGS	84	35	93

and

Table 10. Percentage of size reduction as we consider Rank CVE as the original reference for the 256 security level.

Scheme	Percentage (%)
	Signature Size	Secret Key	Public Key
Rank RVDC	88	−50	96
Rank AGS	90	50	96

as we consider Rank CVE as the original reference for 128 and 256 security levels.

We used the notation of “- %” to indicate that the key size was, in fact, larger than the ones in Rank CVE. In particular, rank RVDC had a larger secret key size compared to Rank CVE. Moreover, Rank AGS reduces drastically in the size of the signature, public key, and secret key compared to Rank CVE.

6. Conclusions

In this paper, we studied and identified the errors in RankID [11]. The operations chosen in the RankID construction did not ensure the commutativity of the matrix multiplication and preserved the rank of the error vector. Furthermore, even if we assume that RankID is correct, it is still insecure because the secret key can be recovered. Therefore, we propose a new scheme: Rank AGS ID based on the hardness of the rank syndrome decoding problem (RSD) by considering the original AGS ID in hamming metric. We provided the correctness of our Rank AGS ID and proved that the rank of the error vector was preserved. Our scheme also achieved zero-knowledge security properties such as completeness, soundness, and zero knowledge. Finally, we showed how that our scheme has a smaller public, secret, and signature key size when compared with other identification schemes=-based signatures, such as Rank CVE and Rank RVDC, for 128-bit and 256-bit security levels.